
Changelog for Ory Hydra OEL

v25.4.3

Add feature flag to disable access token persistence for stateless JWT tokens

Introduces the new feature flags strategies.jwt.stateless.enabled and strategies.jwt.stateless.claim_name for Hydra, which skip database writes for JWT access tokens. When enabled, access tokens are issued as self-contained JWTs with a top-level claim marking them as stateless, and operations that require token state (introspection, revocation, userinfo) return 501 Not Implemented. This optimization significantly improves performance for workloads that use JWT access tokens and don't require token revocation or introspection capabilities.

Internal Bugfixes

This release includes some internal bugfixes that are required to ensure zero-downtime upgrades of future versions. Therefore, it is highly recommended not to skip this version.


25.4.2

No changes requiring a changelog in 25.4.2.


25.4.1

No changes requiring a changelog in 25.4.1.


25.4.0

No changes requiring a changelog in 25.4.0.


v25.3.9

Fix regression in refresh token UsedTimes calculation

Fixed a regression in Hydra OAuth2 refresh token handling where the UsedTimes validation was incorrectly checking the Valid flag before comparing against the graceful count limit. This caused refresh tokens to be incorrectly rejected during the grace period when the UsedTimes field was not explicitly set, even when the usage count was within acceptable limits.

The fix ensures that refresh tokens are properly validated based on the usage count alone, without requiring the UsedTimes field to be explicitly marked as valid in the database.
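The difference between the two checks, as an added example that is not Hydra's own code. It assumes the counter is stored as a nullable integer (modelled here with sql.NullInt32) and that reuse is allowed while the count is below the limit; refreshToken, allowReuseRegressed and allowReuseFixed are hypothetical names, and the sample tokens are constructed.

```go
package main

import (
	"database/sql"
	"fmt"
)

// refreshToken is a hypothetical row model for this example, not Hydra's type.
type refreshToken struct {
	InGrace   bool          // still inside the rotation grace period
	UsedTimes sql.NullInt32 // Valid is false when the column is NULL
}

// allowReuseRegressed shows the regressed shape: Valid is checked before the
// count, so a token whose counter was never written is always rejected.
func allowReuseRegressed(t refreshToken, graceReuseCount int32) bool {
	return t.InGrace && t.UsedTimes.Valid && t.UsedTimes.Int32 < graceReuseCount
}

// allowReuseFixed decides on the count alone. A NULL column scans to
// Int32 == 0, so an unset counter is treated as zero prior uses.
func allowReuseFixed(t refreshToken, graceReuseCount int32) bool {
	return t.InGrace && t.UsedTimes.Int32 < graceReuseCount
}

func main() {
	const limit = 3 // constructed value standing in for the reuse count limit
	cases := []struct {
		name string
		tok  refreshToken
	}{
		{"counter NULL, in grace", refreshToken{InGrace: true}},
		{"used once, in grace", refreshToken{InGrace: true, UsedTimes: sql.NullInt32{Int32: 1, Valid: true}}},
		{"limit reached, in grace", refreshToken{InGrace: true, UsedTimes: sql.NullInt32{Int32: 3, Valid: true}}},
		{"counter NULL, grace over", refreshToken{InGrace: false}},
	}
	for _, c := range cases {
		fmt.Printf("%-26s regressed=%-5v fixed=%v\n", c.name,
			allowReuseRegressed(c.tok, limit), allowReuseFixed(c.tok, limit))
	}
}
```

The two functions differ only for the unset counter inside the grace period; a token at the limit or outside the grace period is rejected by both.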


25.3.8

No changes requiring a changelog in 25.3.8.


25.3.6

No changes requiring a changelog in 25.3.6.


v25.3.5

Change of base image

The base image for OEL images is now set to "gcr.io/distroless/static-debian12:nonroot". Previously, it was "gcr.io/distroless/static-debian12:debug-nonroot", which included BusyBox (a minimal shell and basic debugging utilities). Debug images are still available using the "-debug" tag suffix.

JWK Cache

Ory Hydra OEL now supports in-memory caching of JWKs to improve performance and reduce latency. The cache is enabled by setting the db.jwk_cache.enabled configuration option to true. Other available configuration options are db.jwk_cache.size, which is the maximum number of keys to be cached, and db.jwk_cache.ttl, which is the time-to-live for cached keys. It is recommended to set a cache TTL to force regular refreshes of the keys. Updates to keys are not actively propagated to the cache, as clients are expected to accept old keys for a certain period of time.


v25.3.4

Increased Refresh Token Grace Period

The maximum duration for the Refresh Token Rotation Grace Period has been extended from 30 days to 180 days in Ory Hydra with the Ory Enterprise License (OEL). For Ory Network projects and non-OEL Hydra, the maximum grace period remains 5 minutes.

The extended 180-day period is only available when a reuse count (rotation_grace_reuse_count) is configured. Without a reuse count, the limit remains 5 minutes.

Important: The 180-day grace period is considered insecure for general use. It is offered exclusively to support legacy migration scenarios and is not recommended for production deployments.


v25.3.3

Improved tracing and metrics for the high-performance SQL connection pool

This change adds distributed tracing and advanced metrics for the high-performance SQL connection pool in all Ory OEL products.


2025-06-11

Tag: 290abca8469dc46c1ba07708849fed28fdbc1b69

Add hydra debug commands

Changes:

  • The hydra debug challenge <challenge> command is available in the Ory Hydra Enterprise build and offers the ability to decode various consent challenges and verifiers. Use hydra debug challenge --help for detailed documentation.
  • The hydra debug encrypted-session <session> command for Ory Hydra Enterprise offers the ability to decrypt encrypted session data that is kept in the database.

2025-05-09

Update OSS dependency of Hydra OEL

Changes:

2025-03-19

Reduce memory usage of Ory Hydra OEL

This change addresses a high memory consumption issue by correctly initializing the sessionCheckCache.

2024-12-17

Handle concurrent refreshes and improve graceful refreshing

This patch improves Ory Hydra's ability to deal with refresh flows which, for example, concurrently refresh the same token. Furthermore, graceful token refresh has been improved to handle a variety of edge cases and scenarios.

This will remove/reduce serializable errors in CockroachDB during OAuth2 token exchanges.

https://www.ory.com/docs/hydra/guides/graceful-token-refresh

2024-07-17

Disable pre-configured multi-region config in Ory Hydra

Disables the pre-configured multi-region configuration for self-hosting Ory Enterprise License customers.