<@U04UQ68083H> what's the OIDC client SDK for OAuth...
# ory-copilot
g
@chilly-king-10285 what's the OIDC client SDK for OAuth2 flow?
b
A message from kapa.ai
For implementing OAuth2 and OpenID Connect (OIDC) flows as a client, Ory recommends using well-established, open-source client libraries rather than directly using the Ory SDKs for the actual OAuth2 flow (such as authorization code or PKCE). Here are some recommended OIDC client SDKs for various languages:

- JavaScript/TypeScript: [node-openid-client](https://github.com/panva/node-openid-client), [passport](http://www.passportjs.org/)
- Go: [golang.org/x/oauth2](https://github.com/golang/oauth2)
- Java: [Spring Security OAuth](https://spring.io/projects/spring-security-oauth)
- Swift/Objective-C (iOS): [AppAuth-iOS](https://github.com/openid/AppAuth-iOS)
- Android: [AppAuth-Android](https://github.com/openid/AppAuth-Android)
- Python: [Authlib](https://github.com/lepture/authlib)
- Other languages: See the full list at [oauth.net/code](https://oauth.net/code/)

Ory's own SDKs (such as `@ory/client` for JavaScript or `ory/client-go` for Go) are primarily for managing OAuth2 clients and interacting with Ory's admin and public APIs, not for handling the OAuth2/OIDC flow itself. For the actual flow (authorization, token exchange, etc.), use the libraries above.

This is explicitly recommended in the Ory documentation: "The Ory Hydra SDK doesn't provide a comprehensive API for handling OAuth 2.0 flows such as the authorization code flow and refresh flow. Use one of the many well-established libraries for this purpose, don't write your own code to interact with OAuth 2.0" [Popular OAuth2 client libraries](https://www.ory.sh/docs/hydra/guides/using-oauth2).

For mobile and SPA clients, Ory specifically recommends [AppAuth](https://appauth.io/) for Android and iOS, which supports PKCE and public clients [OAuth2 with PKCE for mobile apps and single page apps](https://www.ory.sh/blog/oauth2-for-mobile-app-spa-browser).

In summary: Use a standard OAuth2/OIDC client library for your language/platform to implement the OAuth2 flow with Ory. Use Ory's SDKs for client management and admin tasks, not for the OAuth2 flow itself.
g
@chilly-king-10285 for a single page app, what's the recommended OAuth2 client SDK?
b
A message from kapa.ai
For single page applications (SPAs), the recommended OAuth2 client SDKs are:

- [node-openid-client](https://github.com/panva/node-openid-client): This is a popular and well-maintained library for Node.js environments.
- [AppAuth](https://appauth.io/): While primarily targeted at mobile, AppAuth also supports browser-based flows and is recommended for public clients that require PKCE support.

Ory documentation specifically recommends using the OAuth2 Authorization Code Flow with PKCE for SPAs, and advises against using the implicit flow. You should not store a client secret in your SPA, and your OAuth2 client should be registered with `token_endpoint_auth_method` set to `none` [SPA and public client with PKCE](https://www.ory.sh/docs/oauth2-oidc/authorization-code-flow#spa-and-public-client-with-pkce). Ory also emphasizes using established, open-source libraries rather than rolling your own implementation [Popular OAuth2 client libraries](https://www.ory.sh/docs/hydra/guides/using-oauth2).

In summary: Use a well-established OAuth2/OIDC client library such as node-openid-client or AppAuth for your SPA, and implement the Authorization Code Flow with PKCE.