# ory-copilot
@chilly-king-10285 how to use Hydra to convert Kratos’ session to JWT
A message from kapa.ai
I'm sorry, but the knowledge sources do not describe a direct, built-in way to use Ory Hydra to convert an Ory Kratos session into a JWT. What is supported:

- Ory Kratos can convert its own sessions to JWTs using the "Session to JWT" feature. This is done by configuring JWT templates in Kratos and then calling the `/sessions/whoami` endpoint with the `tokenize_as` parameter. This process is handled entirely within Kratos, not Hydra. You can find detailed steps for this in the [Session to JWT documentation](https://www.ory.sh/docs/identities/session-to-jwt-cors) and the [API reference](https://www.ory.sh/docs/kratos/reference/api#tag/frontend/operation/toSession) [Convert Ory Sessions to JSON Web Tokens](https://www.ory.sh/docs/identities/session-to-jwt-cors) [Kratos API Reference](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json).
- Ory Hydra is an OAuth2 and OpenID Connect provider. It issues its own tokens (access, refresh, ID tokens) as part of OAuth2 flows, but it does not natively convert Kratos sessions to JWTs. Hydra can be configured to include custom claims in its tokens via webhooks, but this is not the same as converting a Kratos session to a JWT [Customizing claims with OAuth2 webhooks](https://www.ory.sh/docs/hydra/guides/claims-at-refresh).

How to convert a Kratos session to a JWT:

1. Configure JWT templates in Kratos (not Hydra).
2. Call the `/sessions/whoami` endpoint with the `tokenize_as` query parameter set to your JWT template key.
3. Receive the JWT in the `tokenized` field of the response.

Example (using REST API):

```bash
curl -X GET \
  -H "Cookie: ory_session...=..." \
  "https://$PROJECT_SLUG.projects.oryapis.com/sessions/whoami?tokenize_as=jwt_example_template1"
```

The response will include a `tokenized` field containing the JWT [Convert Ory Sessions to JSON Web Tokens](https://www.ory.sh/docs/identities/session-to-jwt-cors).

Summary: You cannot use Hydra to convert a Kratos session to a JWT. This conversion is a feature of Kratos itself. If you need to use JWTs issued from Kratos sessions, use Kratos' "Session to JWT" functionality as described above. If you need Hydra-issued tokens, use OAuth2 flows with Hydra. If you need to bridge the two, you would need to implement custom logic outside of the built-in features described in the documentation.
@chilly-king-10285 how to connect Kratos to use Hydra oauth2 server
A message from kapa.ai
To connect Ory Kratos to use Ory Hydra as an OAuth2 server (for example, to enable "Sign in with Ory" or to use Hydra as a social sign-in provider in Kratos), you need to configure Kratos to use Hydra as an OpenID Connect (OIDC) provider. This allows users to log in to your Kratos-managed application using identities managed by Hydra.

Steps to connect Kratos to Hydra as an OAuth2/OIDC provider:

1. Set up Hydra as an OAuth2/OIDC Provider:
   - Deploy Hydra and configure it as your OAuth2/OIDC server.
   - Create an OAuth2 client in Hydra for your Kratos project. You can do this using the Ory CLI or Hydra CLI, specifying the necessary redirect URIs and scopes (e.g., `openid`, `offline_access`, `email`) [Ory Social Sign-in with Ory](https://www.ory.sh/docs/kratos/social-signin/ory).
2. Configure Kratos to use Hydra as an OIDC Provider:
   - In the Kratos Console, go to Authentication → Social Sign-In.
   - Add a new OpenID Connect provider.
   - Enter the following details from your Hydra setup:
     - Client ID (from the OAuth2 client you created in Hydra)
     - Client Secret
     - Issuer URL (the public URL of your Hydra instance)
   - Copy the Redirect URI generated by Kratos and add it to the allowed redirect URIs for your OAuth2 client in Hydra.
   - Save the configuration [Connecting a project to the SSO provider](https://www.ory.sh/docs/kratos/social-signin/ory#connecting-a-project-to-the-sso-provider).
3. (Optional) Adjust Scopes and Data Mapping:
   - You can customize which OAuth scopes Kratos requests from Hydra and how user data is mapped from Hydra to Kratos identities.

Summary of the flow:

- When a user chooses to sign in with Ory (Hydra), Kratos will redirect them to Hydra for authentication.
- After successful authentication, Hydra will redirect the user back to Kratos with the necessary tokens.
- Kratos will use the information from Hydra to create or update the user's identity in its own system.

For more details and step-by-step instructions, see the official documentation: [Connecting a project to the SSO provider](https://www.ory.sh/docs/kratos/social-signin/ory#connecting-a-project-to-the-sso-provider)
@chilly-king-10285 how does Hydra manage identities
A message from kapa.ai
Ory Hydra does not manage identities or user accounts itself. Instead, Hydra is an OAuth2 and OpenID Connect provider that delegates all identity management (such as user registration, login, password management, and profile updates) to an external identity provider or user management system. When a user needs to authenticate, Hydra uses a "login and consent flow" to redirect the user to your identity provider (for example, Ory Kratos or your own authentication system). After the user authenticates and grants consent, Hydra issues OAuth2 and OIDC tokens based on the information provided by the identity provider. Hydra does not store or manage user data—its role is to securely handle authorization and token issuance [Introduction to Ory Hydra OAuth2](https://www.ory.sh/docs/oauth2-oidc) [Ory Ecosystem Projects](https://www.ory.sh/docs/ecosystem/projects). In summary: Hydra does not manage identities; it relies on external systems for identity management and focuses on secure OAuth2/OIDC flows and token issuance.
@chilly-king-10285 I would like to use Hydra as an oauth2 server but still use oidc clients in Kratos. is this possible
A message from kapa.ai
Yes, it is possible to use Ory Hydra as your OAuth2 server and still configure OIDC (OpenID Connect) clients in Ory Kratos. In this setup, Hydra acts as the OAuth2/OIDC provider, and Kratos can be configured to use Hydra as a social sign-in (OIDC) provider.

How this works:

- Hydra issues OAuth2 and OIDC tokens and handles authorization flows, but does not manage user identities itself.
- Kratos manages user identities and can be configured to allow users to sign in using any OIDC-compliant provider—including Hydra.

How to set it up:

1. Set up Hydra as your OAuth2/OIDC server and create an OAuth2 client for Kratos. This client will represent Kratos as an OIDC client in Hydra.
2. Configure Kratos to use Hydra as an OIDC provider by adding Hydra as a generic OIDC provider in the Kratos configuration. You will need:
   - The Client ID and Client Secret from the OAuth2 client you created in Hydra.
   - The Issuer URL of your Hydra instance.
3. Add the redirect URI generated by Kratos to the allowed redirect URIs for your OAuth2 client in Hydra.

This setup allows users to log in to Kratos-managed applications using identities authenticated via Hydra, leveraging Hydra's OAuth2/OIDC flows. The process is described in the documentation for connecting a project to an SSO provider, where Hydra (or any OIDC provider) can be used as a social sign-in provider for Kratos [Connecting a project to the SSO provider](https://www.ory.sh/docs/kratos/social-signin/ory#connecting-a-project-to-the-sso-provider).

Summary: You can use Hydra as your OAuth2 server and configure Kratos to use Hydra as an OIDC provider for social sign-in. This is a supported and documented integration.
@chilly-king-10285 how to do jwt token exchange using Hydra with users login using email password credentials with Kratos
A message from kapa.ai
To perform a JWT token exchange using Ory Hydra, where users log in with email and password credentials managed by Ory Kratos, you need to combine both systems in a typical OAuth2/OIDC architecture. Here's how the flow works based on the available documentation:

### 1. User Authentication with Kratos

- Users authenticate using their email and password via Ory Kratos. Kratos manages the identity and authentication flows, including password-based login [Login and registration using passwords](https://www.ory.sh/docs/kratos/concepts/credentials/username-email-password).

### 2. OAuth2 Authorization Code Flow with Hydra

- When an OIDC client (such as a third-party app) wants to authenticate a user, it initiates the OAuth2 Authorization Code flow with Ory Hydra.
- Hydra, as the OAuth2 server, does not manage user identities. Instead, it delegates authentication to Kratos by redirecting the user to Kratos for login [Ory Ecosystem Introduction](https://www.ory.sh/docs/ecosystem/projects).

### 3. Consent and Login Flow

- After successful login in Kratos, the user is redirected back to Hydra with the necessary information to complete the OAuth2 flow.
- Hydra then issues OAuth2 tokens (access, refresh, and optionally ID tokens) to the client [Hydra OAuth2 Flow](https://www.ory.sh/docs/hydra/self-hosted/configure-deploy#perform-oauth-20-flow).

### 4. JWT Access Token Exchange

- By default, Hydra issues opaque tokens. To have Hydra issue JWT access tokens, you must configure Hydra (or Ory OAuth2) to use the JWT access token strategy.
- This can be set globally or per client. For example, to set it globally:

```bash
ory patch oauth2-config --project <project-id> --workspace <workspace-id> \
  --replace "/strategies/access_token=\"jwt\""
```

Or per client using the Ory SDK:

```js
await ory.patchOAuth2Client({
  id,
  jsonPatch: [
    { op: "replace", path: "access_token_strategy", value: "jwt" },
  ],
})
```

[JWT Access Tokens](https://www.ory.sh/docs/oauth2-oidc/jwt-access-token#jwt-access-tokens)

- Once configured, when a user completes the OAuth2 flow (after authenticating with Kratos), Hydra will issue a JWT access token.

### 5. JWT Assertion Grant (Advanced)

- If you want to exchange a JWT for an access token (JWT Assertion Grant), Hydra supports the `urn:ietf:params:oauth:grant-type:jwt-bearer` grant type. You must POST to Hydra's `/oauth2/token` endpoint with the JWT in the `assertion` parameter and the appropriate grant type [Exchanging JWT assertion for access token](https://www.ory.sh/docs/hydra/guides/jwt#exchanging-jwt-assertion-for-access-token).

---

Summary:

- Users log in with email/password via Kratos.
- OAuth2/OIDC clients authenticate via Hydra, which delegates login to Kratos.
- Configure Hydra to issue JWT access tokens.
- After the OAuth2 flow, clients receive JWT tokens from Hydra.

Note: The knowledge sources do not provide a step-by-step guide for wiring Kratos and Hydra together, but this is the standard integration pattern described in the Ory documentation. If you need to perform a JWT assertion grant, you must ensure the JWT is properly issued and trusted by Hydra as described in the JWT profile documentation [JWT profile for OAuth2](https://www.ory.sh/docs/hydra/guides/jwt).
@chilly-king-10285 when user login into Kratos with password credentials there is no external OIDC provider. How to issue a hydra jwt in this flow
A message from kapa.ai
When a user logs in to Ory Kratos using password credentials (without an external OIDC provider), Kratos manages the authentication and session. However, Hydra does not automatically issue a JWT in this flow. Hydra is designed to issue tokens (including JWTs) as part of OAuth2/OIDC flows, not as a direct result of a Kratos login.

To obtain a Hydra-issued JWT for a user authenticated via Kratos:

1. Initiate an OAuth2/OIDC flow with Hydra: Even if the user is already authenticated in Kratos, you must start an OAuth2 flow (such as the Authorization Code flow) with Hydra. Hydra will redirect the user to Kratos for authentication if they are not already logged in. If the user is already logged in (has a valid Kratos session), Kratos will immediately complete the login step and redirect back to Hydra.
2. Hydra issues the JWT: After the user completes the OAuth2 flow, Hydra will issue an access token (and optionally an ID token). If you have configured Hydra to use the JWT access token strategy, this token will be a JWT [JWT Access Tokens](https://www.ory.sh/docs/oauth2-oidc/jwt-access-token#jwt-access-tokens).

Key points:

- There is no direct way for Kratos to trigger Hydra to issue a JWT just from a password login. The issuance of a Hydra JWT always happens as part of an OAuth2/OIDC flow managed by Hydra.
- If you need a JWT after a Kratos login, you must redirect the user (or your application must initiate) an OAuth2 flow with Hydra, which will then issue the JWT upon successful completion.

Summary: You cannot get a Hydra-issued JWT directly from a Kratos password login. You must use the OAuth2 flow with Hydra, which can leverage the existing Kratos session for seamless SSO, and Hydra will then issue the JWT as part of that flow [OAuth2 resource owner password credentials grant](https://www.ory.sh/docs/oauth2-oidc/resource-owner-password-grant) [JWT Access Tokens](https://www.ory.sh/docs/oauth2-oidc/jwt-access-token#jwt-access-tokens).

If you need to convert a Kratos session to a JWT, use Kratos' own "Session to JWT" feature, but this JWT is not issued by Hydra and is not part of the OAuth2 flow [Convert Ory Sessions to JSON Web Tokens](https://www.ory.sh/docs/identities/session-to-jwt-cors).
@chilly-king-10285 in order to do the above steps do I still need to configure clients created in hydra into kratos
A message from kapa.ai
Based on the available knowledge sources, you do not need to configure Hydra clients directly into Kratos in order to perform the OAuth2/OIDC flow where Hydra issues JWTs after a user logs in with Kratos. The integration works as follows:

- Hydra manages OAuth2 clients. You create and configure OAuth2 clients in Hydra, specifying redirect URIs and other OAuth2 settings [Run your own OAuth2 Server](https://www.ory.sh/blog/run-oauth2-server-open-source-api-security).
- Kratos acts as the identity provider and handles user authentication (e.g., password login). Kratos does not need to know about the OAuth2 clients registered in Hydra. Instead, Kratos is called by Hydra during the login and consent flows to authenticate users [Ory Ecosystem Introduction](https://www.ory.sh/docs/ecosystem/projects).

The only configuration needed in Kratos is to ensure it is set up to handle login and consent requests from Hydra. This is typically done by setting the appropriate endpoints in Hydra's configuration (e.g., `urls.login`, `urls.consent`) to point to your Kratos UI or API [Hydra Self-hosted Configuration](https://www.ory.sh/docs/hydra/self-hosted/configure-deploy#perform-oauth-20-flow).

Summary: You do not need to configure Hydra clients in Kratos. You only need to configure Hydra to use Kratos for authentication, and manage OAuth2 clients in Hydra itself. Kratos and Hydra communicate during the OAuth2 flow, but Kratos does not need to be aware of the individual OAuth2 clients registered in Hydra.
@chilly-king-10285 what about social providers in kratos? How can I still exchange for jwts from hydra clients
A message from kapa.ai
When you configure social providers (OIDC/OAuth2) in Ory Kratos, users can log in to your application using those external providers (e.g., Google, GitHub, etc.). The flow for exchanging these logins for JWTs from Hydra clients remains the same as with password-based logins:

1. User logs in via a social provider in Kratos: Kratos handles the authentication with the external provider and creates a session for the user.
2. Initiate an OAuth2/OIDC flow with Hydra: When an OAuth2 client (such as your frontend or a third-party app) wants to authenticate the user, it starts an OAuth2 flow with Hydra. Hydra, as usual, delegates authentication to Kratos. If the user is already authenticated (via a social provider or otherwise), Kratos will immediately complete the login step and redirect back to Hydra.
3. Hydra issues JWTs: After the OAuth2 flow is completed, Hydra issues access tokens (and optionally ID tokens) to the client. If you have configured Hydra to use the JWT access token strategy, these tokens will be JWTs [JWT Access Tokens](https://www.ory.sh/docs/oauth2-oidc/jwt-access-token#jwt-access-tokens).

Key points from the knowledge sources:

- Hydra does not manage identities or social providers directly; it always delegates authentication to Kratos or another identity provider [How Hydra manages identities](https://www.ory.sh/docs/ecosystem/projects).
- The OAuth2 flow with Hydra is the only supported way to obtain Hydra-issued JWTs, regardless of whether the user authenticated with Kratos via password or a social provider [Connecting a project to the SSO provider](https://www.ory.sh/docs/kratos/social-signin/ory#connecting-a-project-to-the-sso-provider).
- You do not need to configure Hydra clients in Kratos, nor do you need to change the OAuth2 flow for social logins. The process is the same: Hydra delegates authentication to Kratos, and after successful authentication (by any method), Hydra issues the tokens.

Summary: When users log in to Kratos using social providers, you can still obtain JWTs from Hydra by running the standard OAuth2/OIDC flow. The authentication method in Kratos (password, social, etc.) does not affect the ability to exchange the login for Hydra-issued JWTs, as long as the OAuth2 flow is used [Connecting a project to the SSO provider](https://www.ory.sh/docs/kratos/social-signin/ory#connecting-a-project-to-the-sso-provider).
@chilly-king-10285 how to identify hydra clients users used to login with
A message from kapa.ai
To identify which Hydra client a user used to log in with, you need to look at the OAuth2 flow context. When a user authenticates via Hydra, the OAuth2 client that initiated the flow is included in the consent and login requests. This information is available to your login and consent provider applications, which are responsible for handling these flows.

Specifically, when your consent provider receives a consent request from Hydra, the request body contains details about the OAuth2 client, such as `client_id`, `client_name`, and other metadata. You can use this information to determine which client the user is interacting with during the login or consent process.

For example, in the consent endpoint code, you can access the client information like this:

```js
res.render("consent", {
  card: UserConsentCard({
    consent: body,
    csrfToken: req.csrfToken(),
    cardImage: body.client?.logo_uri || "/ory-logo.svg",
    client_name: body.client?.client_name || "unknown client",
    requested_scope: body.requested_scope,
    client: body.client,
    action: (process.env.BASE_URL || "") + "/consent",
  }),
})
```

Here, `body.client` contains the client details, including the `client_id` that identifies which Hydra client initiated the login flow [Consent endpoint code example](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#consent-endpoint-code-example).

Summary: You can identify the Hydra client a user used to log in with by inspecting the `client_id` and related client information in the login or consent request payloads handled by your custom login/consent provider during the OAuth2 flow.
@chilly-king-10285 how to do first party consent without needing user consent
A message from kapa.ai
To perform first-party consent without requiring explicit user consent (i.e., skipping the consent screen) in Ory Hydra or Ory Network, you should configure your OAuth2 client to skip consent. This is intended for trusted, first-party applications where user consent is not necessary.

How to enable skip consent:

- When creating or updating an OAuth2 client, set the `--skip-consent` flag (CLI) or use the "Skip consent" toggle in the Ory Console. This tells Hydra/Ory Network to automatically grant consent for this client, so the user will not see a consent screen during the OAuth2 flow.

Example using the Ory CLI:

```bash
ory create oauth2-client \
  --skip-consent \
  # ... other options
```

Or update an existing client:

```bash
ory update oauth2-client \
  --id <client-id> \
  --skip-consent
```

[Skip consent and logout consent](https://www.ory.sh/docs/oauth2-oidc/skip-consent) [ory create oauth2-client options](https://www.ory.sh/docs/cli/ory-create-oauth2-client#options)

- In the Ory Console: Go to OAuth2 Clients, edit your client, and enable the Skip consent toggle in the Consent screen section, then save.

How it works: When this flag is set, the consent UI is skipped for that client. The consent endpoint will receive a request with `skip: true` and should auto-accept the consent without showing a UI [Consent endpoint code example](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#consent-endpoint-code-example).

Note: This approach is recommended only for first-party (trusted) clients. Skipping consent for third-party clients is not recommended and may break OpenID Connect certification [Previous consent](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#previous-consent).

Summary: Set the `skip consent` flag for your OAuth2 client to perform first-party consent without user interaction.
@chilly-king-10285 how to perform first party consent and also identify users with the hydra clients they used to login
A message from kapa.ai
To perform first-party consent (skip the consent screen) and also identify users with the Hydra clients they used to log in, follow these steps:

### 1. Enable Skip Consent for First-Party Clients

When creating or updating your OAuth2 client in Hydra or Ory Network, set the `--skip-consent` flag. This ensures that the consent screen is automatically skipped for trusted, first-party clients:

```bash
ory create oauth2-client \
  --skip-consent \
  # ... other options
```

Or update an existing client:

```bash
ory update oauth2-client \
  --id <client-id> \
  --skip-consent
```

You can also enable this in the Ory Console by toggling Skip consent for the client in the Consent screen section and saving your changes [Skip consent and logout consent](https://www.ory.sh/docs/oauth2-oidc/skip-consent).

### 2. Identify the Hydra Client Used for Login

During the OAuth2 flow, when your login or consent endpoint receives a request from Hydra, the request payload includes information about the OAuth2 client, such as `client_id` and `client_name`. You can access this information in your consent endpoint handler:

```js
// Example from consent endpoint
res.render("consent", {
  client_name: body.client?.client_name || "unknown client",
  client: body.client,
  // ... other data
})
```

Here, `body.client` contains the client details, including the `client_id` that identifies which Hydra client initiated the login flow [Consent endpoint code example](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#consent-endpoint-code-example).

When skip consent is enabled, your consent endpoint will receive a request with `skip: true` and should auto-accept the consent, but you still have access to the client information in the request payload.

---

Summary:

- Enable the skip consent flag for your first-party OAuth2 clients to bypass the consent screen.
- Use the `client_id` and related fields in the consent/login request payload to identify which Hydra client the user used to log in [Consent endpoint code example](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#consent-endpoint-code-example).