Ory Hydra

Ory Hydra is an open-source OAuth 2.0 and OpenID Connect server written in Go (github.com/ory/hydra). It implements the OAuth 2.0 Authorization Framework, token introspection, revocation, and the consent flow, delegating user authentication to a separate login provider.

Role at Cloudflare

Cloudflare deployed Ory Hydra to power its OAuth infrastructure — supporting Wrangler CLI authentication, partner integrations (e.g., PlanetScale), and the self-managed OAuth feature launched in June 2026. Hydra handles token issuance, refresh, introspection, and revocation behind a Worker-based routing layer (Source: sources/2026-06-24-cloudflare-oauth-for-all).

Major Version Upgrade (1.x → 2.x)

Cloudflare performed a two-stage upgrade:

  1. Latest 1.x release: required custom SQL migrations using CREATE INDEX CONCURRENTLY, plus a forked Hydra binary that selects explicit columns instead of SELECT *.
  2. 2.x: required a blue-green database strategy: the database was copied, migrations were run on the copy (~3 hours, 132.5M rows updated, 114.7M inserted), and the Hydra service and two internal system configs were cut over simultaneously.

Post-upgrade performance gains: API P95 −45%, RSS −14%, Go heap −40%, goroutines −23%, CPU −37% (Source: sources/2026-06-24-cloudflare-oauth-for-all).

Key Behaviors

  • Refresh token invalidation: In 1.x, reusing a refresh token invalidates the entire access/refresh chain, which is problematic for high-request-volume clients such as Wrangler and MCP clients, where a retried refresh can present a token that has already been rotated out.
  • Refresh token grace period (2.x): Allows a refresh token to be retried within a configurable window without invalidating the chain.
  • Consent session API: Used by authorization services to validate active OAuth sessions.
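As an added illustration of the two refresh-token behaviours above (constructed for this page, not Ory Hydra's own code), the Go model below rotates refresh tokens and detects reuse: with GracePeriod left at zero it behaves like 1.x and revokes the whole chain on any reuse, while a positive window lets the just-rotated token be retried without revocation. The type and function names (Store, chain, Issue, Refresh) and the exact semantics are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Constructed model of refresh-token rotation with reuse detection; not Ory Hydra's code.
var ErrChainRevoked = fmt.Errorf("refresh token reuse detected: chain revoked")
type chain struct { // one client's refresh-token lineage
	current string    // the only token allowed to rotate
	prev    string    // token most recently rotated out
	rotated time.Time // when prev was rotated out
	revoked bool
}
type Store struct { // maps every token ever issued to its chain
	GracePeriod time.Duration // 0 models 1.x: any reuse revokes the whole chain
	chains      map[string]*chain
}

// mint issues the next token in the chain and makes it the current one.
func (s *Store) mint(c *chain) string {
	if s.chains == nil {
		s.chains = map[string]*chain{}
	}
	c.current = fmt.Sprintf("rt-%d", len(s.chains)+1)
	s.chains[c.current] = c
	return c.current
}
// Issue starts a new chain (e.g. after the consent flow) and returns its first token.
func (s *Store) Issue() string { return s.mint(&chain{}) }
// Refresh exchanges a refresh token for the next one in the chain.
func (s *Store) Refresh(token string, now time.Time) (string, error) {
	c, ok := s.chains[token]
	switch {
	case !ok:
		return "", fmt.Errorf("unknown refresh token %q", token)
	case c.revoked:
		return "", ErrChainRevoked
	case token == c.current: // normal rotation
		c.prev, c.rotated = c.current, now
		return s.mint(c), nil
	case s.GracePeriod > 0 && token == c.prev && now.Sub(c.rotated) <= s.GracePeriod:
		return c.current, nil // retry inside the grace window: chain survives
	default: // older token, or reuse outside the window: assume theft, revoke the chain
		c.revoked = true
		return "", ErrChainRevoked
	}
}
```

A detection pipeline would alert on the revocation branch: a legitimate client retrying inside the window never reaches it, so hits there are worth investigating.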
