<@U04UQ68083H> does ory hydra support OAuth 2.0 To...
# ory-copilot
@chilly-king-10285 Does Ory Hydra support OAuth 2.0 Token Exchange?
A message from kapa.ai
Based on the knowledge sources provided, there is no explicit mention of Ory Hydra supporting the OAuth 2.0 Token Exchange standard (RFC 8693). Ory Hydra does support various OAuth 2.0 flows and extensions including:

1. Standard OAuth 2.0 flows like Authorization Code, Implicit, Client Credentials, and Refresh Token [Hydra Self-hosted Configuration](https://www.ory.sh/docs/hydra/self-hosted/configure-deploy#perform-oauth-20-flow)
2. JWT Profile for OAuth 2.0 (RFC 7523) which allows:
   - Using JWTs as authorization grants
   - Using JWTs for client authentication

   [JSON Web Token (JWT) profile for OAuth2](https://www.ory.sh/docs/hydra/guides/jwt)
3. PKCE (Proof Key for Code Exchange) for mobile apps and SPAs [OAuth2 with PKCE for Mobile Apps and Single Page Apps](https://www.ory.sh/blog/oauth2-for-mobile-app-spa-browser)

However, the specific OAuth 2.0 Token Exchange protocol (RFC 8693) is not explicitly mentioned in the provided knowledge sources. The closest related functionality appears to be the JWT bearer token exchange, but this is not the same as the full OAuth 2.0 Token Exchange specification.

If you need specific information about OAuth 2.0 Token Exchange support in Ory Hydra, you might want to check the latest documentation or contact Ory directly.
@chilly-king-10285 Does self hosted Ory Kratos support searching for an identity by identity traits?
A message from kapa.ai
Based on the knowledge sources, self-hosted Ory Kratos doesn't have a direct API endpoint for searching identities by their traits. The available methods for retrieving identities include:

1. Listing all identities using the admin API endpoint `/admin/identities`, which supports pagination but has limited filtering capabilities [Kratos API Reference](https://www.ory.sh/docs/kratos/reference/api).
2. Getting a specific identity by ID using the `/admin/identities/{id}` endpoint [Kratos Self-hosted Go](https://www.ory.sh/docs/kratos/self-hosted/go#use-identity-management-api).
3. Deleting identities by ID, with a note that to delete an identity by some selector (like recovery email address), you would need to use the list command in combination with jq [Kratos identities delete](https://www.ory.sh/docs/kratos/cli/kratos-identities-delete#kratos-identities-delete).

There is a relevant GitHub issue (#305) discussing the limitation of retrieving a subset of identities through the admin API. The issue specifically mentions that the API doesn't allow filtering by IDs in a batch, and suggests workarounds like polling Ory periodically or using webhooks to keep data in sync [GitHub Issue #305](https://github.com/ory/network/issues/305).

Another GitHub issue (#396) discusses the challenges of querying identity properties, noting that using the `/admin/identities` endpoint for real-time, user-facing flows can lead to rate limiting issues [GitHub Issue #396](https://github.com/ory/network/issues/396). The suggested workarounds include:

- Making parallel requests for individual identities
- Implementing caching (though this is noted as potentially having security implications)
- Replicating necessary identity data in your application

It's worth noting that these limitations apply to self-hosted Ory Kratos, while Ory Network (the managed service) might offer additional capabilities.