To invalidate all access and refresh tokens for a single subject (user) in Ory Hydra, you should revoke the user's consent sessions. This action will automatically revoke all related access and refresh tokens for that subject. You can do this via the API or using the Ory SDK. Using the API: Send a

DELETE

request to the

/admin/oauth2/auth/sessions/consent

endpoint with the

subject

query parameter set to the user's ID:

DELETE /admin/oauth2/auth/sessions/consent?subject=<user-id>

This will revoke all consent sessions for the specified subject and invalidate all associated tokens. You can also specify a

client

parameter to limit revocation to a specific OAuth2 client, or use the

all=true

parameter to revoke all sessions for the subject across all clients. This operation does not require authentication by default in the API spec, but check your deployment's security settings. Using the Ory SDK (JavaScript example):

js import { Configuration, OAuth2Api } from "@ory/client"  const ory = new OAuth2Api(   new Configuration({     basePath: `https://${process.env.ORY_PROJECT_SLUG}.<http://projects.oryapis.com|projects.oryapis.com>`,     accessToken: process.env.ORY_API_KEY,   }), )  export async function revokeConsent() {   const { data } = await ory.revokeOAuth2ConsentSessions({     subject: "some-user-id",     // Optionally: all: true,   }) }

This will revoke all consent sessions and thus invalidate all access and refresh tokens for the user. [Revoke user consent](https://www.ory.sh/docs/oauth2-oidc/revoke-consent) [Hydra API Reference - revokeOAuth2ConsentSessions](https://raw.githubusercontent.com/ory/hydra/master/spec/api.json) Note: - Revoking consent sessions is the recommended way to invalidate all tokens for a user. - This does not invalidate login sessions; it only affects OAuth2 tokens. - If you are using access and refresh tokens as user sessions, consider revising your approach as per Ory's best practices.