gray-machine-46287
07/17/2025, 3:57 PMbrief-egg-61061
07/17/2025, 3:57 PMbrief-egg-61061
07/17/2025, 3:57 PM
```javascript
const params = new URLSearchParams({
  grant_type: "refresh_token",
  refresh_token: refreshToken,
  scope: "scope1 scope2",
  client_id: clientId,
  client_secret: clientSecret,
})

fetch(endpoint, {
  method: "POST",
  headers: {
    "Content-Type": "application/x-www-form-urlencoded",
  },
  body: params.toString(),
})
```
This example demonstrates that the refresh token is sent in the request body, not as a cookie. While secure storage of refresh tokens in httpOnly, secure cookies is recommended for client-side security, the OAuth2 protocol as implemented by Hydra expects the token to be provided explicitly in the request body, not via cookies. There is no mention in the documentation of Hydra supporting refresh token extraction from cookies on the token endpoint [OAuth2 refresh token grant](https://www.ory.sh/docs/oauth2-oidc/refresh-token-grant#refreshing-an-access-token).

In summary:

- Hydra does not set the refresh token as a secure cookie by default.
- Hydra does not support using a refresh token from a cookie for the token refresh endpoint; the refresh token must be sent in the request body.

If you need this behavior, you would have to implement it in a custom proxy or application layer in front of Hydra, but this is not supported natively by Hydra according to the current documentation.