To convert users who authenticate using the Ory Kratos password flow so that their sessions can be used as JWTs (for example, to integrate with Ory Hydra or other OIDC clients), you need to leverage Kratos' "Session to JWT" feature. Here’s how you can achieve this: ### 1. Enable Session to JWT in Kratos Ory Kratos does not issue JWTs by default for sessions, but you can configure it to convert sessions to JWTs using a tokenizer template. This is useful for scenarios where you want to pass a JWT to Ory Hydra or other services that require JWTs for authentication. #### Steps: - Create a JSON Web Key Set (JWKS): Generate a key set that will be used to sign the JWTs. - Create a JsonNet Claims Mapper: Define how the claims in the JWT should be mapped from the session. - Configure the Tokenizer Template: Add a tokenizer template to your Kratos configuration, referencing the JWKS and claims mapper. Example configuration snippet:

yaml session:   whoami:     tokenizer:       templates:         jwt_example_template1:           jwks_url: base64://<BASE64_ENCODED_JWKS>           claims_mapper_url: base64://<BASE64_ENCODED_JSONNET>           ttl: 10m

[See full example and details](https://www.ory.sh/docs/identities/session-to-jwt-cors) ### 2. Obtain a JWT from a Kratos Session After a user logs in using the password flow, you can convert their session to a JWT by calling the

/sessions/whoami

endpoint with the

tokenize_as

query parameter set to your configured template:

bash curl -X GET \   -H "Cookie: ory_session=..." \   "https://<kratos-url>/sessions/whoami?tokenize_as=jwt_example_template1"

The response will include a

tokenized

field containing the JWT. [API reference and example](https://www.ory.sh/docs/identities/session-to-jwt-cors) ### 3. Use the JWT with Ory Hydra If you want to use Ory Hydra as your OAuth2/OIDC provider, you typically integrate Kratos as the identity provider for Hydra. Hydra will redirect users to Kratos for authentication, and after successful login, Kratos can issue a session and (if configured as above) a JWT. Hydra can then use this JWT as an ID token or access token, depending on your flow. Note: - The JWT is only as valid as the session in Kratos. If the session is revoked or expires, the JWT should be considered invalid. - You must ensure that the JWT claims and signing keys are trusted by the consuming service (e.g., Hydra or your resource servers). ### Summary - Configure Kratos to support session-to-JWT conversion. - After password login, call

/sessions/whoami?tokenize_as=<template>

to get a JWT. - Use this JWT in your OIDC/OAuth2 flows with Hydra or other services. For more details and step-by-step instructions, refer to the official documentation: [Convert Ory Sessions to JSON Web Tokens](https://www.ory.sh/docs/identities/session-to-jwt-cors) and [Session management overview](https://www.ory.sh/docs/kratos/session-management/overview#json-web-token-jwt-support).

To use JWTs issued from Ory Kratos sessions with Ory Hydra, you need to configure both systems appropriately. Here’s what the knowledge sources provide: --- ### 1. Configure Ory Kratos to Issue JWTs for Sessions - Create a JSON Web Key Set (JWKS): Use the Ory CLI to generate a key set for signing JWTs:

bash   ory create jwk some-example-set \     --alg ES256 --project $PROJECT_ID --format json-pretty \     > es256.jwks.json

- Create a JsonNet Claims Mapper: Write a JsonNet template to define the claims in your JWT. Example:

jsonnet   local claims = std.extVar('claims');   local session = std.extVar('session');    {     claims: {       iss: claims.iss + "/additional-component",       schema_id: session.identity.schema_id,       session: session,     }   }

- Configure the Tokenizer Template in Kratos: Base64-encode your JWKS and claims mapper, then patch your Kratos project configuration:

bash   ory patch identity-config --project <project-id> --workspace <workspace-id> \     --add '/session/whoami/tokenizer/templates/jwt_example_template1={"jwks_url":"base64://'$JWKS_B64_ENCODED'","claims_mapper_url":"base64://'$JSONNET_B64_ENCODED'","ttl":"10m"}' \     --format yaml

[Full example and details](https://www.ory.sh/docs/identities/session-to-jwt-cors) --- ### 2. Obtain a JWT from Kratos After a user authenticates, call the

/sessions/whoami

endpoint with the

tokenize_as

parameter to get a JWT:

bash curl -X GET \   -H "Cookie: ory_session=..." \   "https://$<http://PROJECT_SLUG.projects.oryapis.com/sessions/whoami?tokenize_as=jwt_example_template1|PROJECT_SLUG.projects.oryapis.com/sessions/whoami?tokenize_as=jwt_example_template1>"

The response will include a

tokenized

field containing the JWT. --- ### 3. Configure Ory Hydra to Accept JWTs The knowledge sources do not provide a step-by-step guide for configuring Hydra to directly accept JWTs issued by Kratos as OAuth2 access tokens or ID tokens. However, they do describe how Hydra can be configured to issue JWT access tokens and how to validate JWTs using JWKS endpoints. If you want Hydra to accept JWTs from Kratos, you would typically: - Ensure Hydra is configured to trust the JWKS used by Kratos for signing. - Use Hydra’s JWT validation parameters and point it to the JWKS endpoint or file used by Kratos. - If using Oathkeeper as a proxy, you can configure it to convert Kratos sessions to JWTs and pass them to downstream services, which can then validate them using the JWKS. Example for configuring JWT validation in Hydra:

bash ory patch oauth2-config \   --replace "/strategies/access_token=\"jwt\""

[JWT access tokens in Ory OAuth2](https://www.ory.sh/docs/oauth2-oidc/jwt-access-token#jwt-access-tokens) For validating JWTs, Hydra expects the JWKS to be available at a URL or file path, and you can use the

/admin/keys/{set}

endpoint to manage keys. --- ### Summary - Kratos: Configure session-to-JWT conversion with a tokenizer template and JWKS. - Hydra: Configure to use JWT access tokens and ensure it can validate JWTs using the JWKS from Kratos. - Integration: After user login, obtain a JWT from Kratos and use it in your OAuth2/OIDC flows with Hydra. > Note: The knowledge sources do not provide a full, direct integration guide for using Kratos-issued JWTs as access tokens in Hydra. You may need to adapt the above steps to your architecture, possibly using Oathkeeper as a bridge if you need to convert and validate sessions as JWTs between Kratos and Hydra. For more details, see the official documentation on [Session to JWT](https://www.ory.sh/docs/identities/session-to-jwt-cors) and [JWT access tokens in Ory OAuth2](https://www.ory.sh/docs/oauth2-oidc/jwt-access-token#jwt-access-tokens).

New message text here

Based on the provided knowledge sources, you do not need to configure Hydra’s clients onto Kratos specifically for JWT access token issuance and exchange to work. The process of issuing JWTs from Hydra is managed by Hydra’s own configuration and client management. Kratos and Hydra are typically integrated so that Kratos handles user authentication (identity management), while Hydra handles OAuth2/OIDC flows and token issuance. When a user authenticates via Kratos (for example, during an OAuth2 Authorization Code flow initiated by Hydra), Hydra will issue the access (and optionally ID) tokens—including JWTs if configured—after successful authentication. The clients are registered and managed in Hydra, not in Kratos, for the purpose of OAuth2/OIDC token issuance and JWT exchange. There is no mention in the knowledge sources that Hydra’s OAuth2 clients need to be registered or configured in Kratos for JWT issuance or exchange to function. The integration point is that Hydra delegates authentication to Kratos, but client management for token issuance remains within Hydra’s configuration and APIs [JWT access tokens](https://www.ory.sh/docs/oauth2-oidc/jwt-access-token#jwt-access-tokens) [Introduction to Ory Hydra OAuth2](https://www.ory.sh/docs/oauth2-oidc). If you are using social sign-in or federated identity, you may configure OIDC providers in Kratos, but this is separate from the process of Hydra issuing JWTs to its clients. In summary: You do not need to configure Hydra’s clients onto Kratos for JWT exchange to work; client registration and JWT configuration are handled in Hydra.

To configure first-party Hydra clients in a setup with Ory Kratos, the main goal is to allow certain OAuth2 clients (your own applications) to skip the consent screen, providing a seamless user experience. This is a common pattern when both the identity provider (Kratos) and the OAuth2 client are under your control. ### How to Configure First-Party Clients 1. Mark the OAuth2 Client as First-Party in Hydra You can do this by setting the

require_consent

property to

false

when creating or updating the OAuth2 client in Hydra. This tells Hydra to skip the consent screen for that client. Example using the Ory CLI:

bash    ory create oauth2-client \      --skip-consent \      # ... other client options

Or, if updating an existing client:

bash    ory update oauth2-client <client-id> \      --skip-consent

This sets the

require_consent

property to

false

for the client, making it a first-party client and skipping the consent step in the OAuth2 flow [Skip consent and logout consent](https://www.ory.sh/docs/oauth2-oidc/skip-consent). 2. No Special Configuration Needed in Kratos There is no need to configure anything special in Kratos for first-party clients. Kratos will handle authentication as usual. The first-party logic is handled entirely by Hydra via the client configuration. 3. OAuth2 Flow When a user authenticates via a first-party client, Hydra will redirect to Kratos for login (if not already authenticated), and then, because consent is skipped, will immediately issue tokens after successful authentication. --- Summary: To make a Hydra client "first-party" (and skip consent), set

require_consent

to

false

(e.g., with

--skip-consent

in the CLI) when creating or updating the client in Hydra. No additional configuration is required in Kratos for this behavior [Skip consent and logout consent](https://www.ory.sh/docs/oauth2-oidc/skip-consent).