We’re thrilled to announce the release of **Ory Hydra 2.3.0**! This version comes packed with **graceful token refresh**, performance improvements, and fixes that enhance stability, reduce database load, and streamline the developer experience. We strongly recommend upgrading to take advantage of these enhancements and ensure the best possible OAuth2 and OpenID Connect experience with Ory Hydra. Thank you to everyone who contributed!

Ory Hydra now supports graceful refresh token rotation, making OAuth2 and OpenID Connect refresh flows significantly more resilient in scenarios such as Single Page Apps and IoT. Even in highly distributed or concurrent environments, Hydra handles token refreshes reliably, ensuring tokens are not dropped or double-used.

PRs: [#3860](https://github.com/ory/hydra/pull/3860), [#3895](https://github.com/ory/hydra/pull/3895)

Previously, the `redirect_uri` was not required when performing flows with `scope=openid`. This release enforces the requirement to comply with the OpenID Connect standard.

PR: [#3900](https://github.com/ory/hydra/pull/3900)
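
As an added example (not part of the release notes or of Hydra's code), the Go program below scans request targets for authorization requests that ask for `openid` but carry no `redirect_uri`, which is what this change stops accepting. The log entries are constructed, and the helper names, the `/oauth2/auth` path and the choice to treat an empty value as absent are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed request targets, as a reverse proxy in front of Hydra might log them.
var sampleRequests = []string{
	"/oauth2/auth?response_type=code&client_id=spa&scope=openid+offline&state=abc123xyz&redirect_uri=https%3A%2F%2Fapp.example%2Fcb",
	"/oauth2/auth?response_type=code&client_id=iot&scope=openid%20profile&state=def456uvw",
	"/oauth2/auth?response_type=code&client_id=batch&scope=offline&state=ghi789rst",
	"/oauth2/auth?response_type=code&client_id=legacy&scope=profile+openid&redirect_uri=&state=jkl012opq",
	"/health/ready",
}

// MissingRedirectURI reports whether target is an authorization request that asks
// for the openid scope without a redirect_uri (an empty value counts as absent).
func MissingRedirectURI(target string) (bool, error) {
	u, err := url.ParseRequestURI(target)
	if err != nil {
		return false, err
	}
	if u.Path != "/oauth2/auth" { // assumed authorization endpoint path
		return false, nil
	}
	q := u.Query() // decodes both "+" and "%20" in scope to spaces
	for _, s := range strings.Fields(q.Get("scope")) {
		if s == "openid" {
			return q.Get("redirect_uri") == "", nil
		}
	}
	return false, nil
}

// AffectedClients returns the client_id of each flagged request, in input order.
func AffectedClients(targets []string) []string {
	var out []string
	for _, t := range targets {
		if bad, err := MissingRedirectURI(t); err == nil && bad {
			u, _ := url.ParseRequestURI(t)
			out = append(out, u.Query().Get("client_id"))
		}
	}
	return out
}

func main() { fmt.Println(AffectedClients(sampleRequests)) }
```

Authorization requests sent as POST form bodies do not appear in request targets, so a log-based check like this covers only GET requests.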

Hydra now supports explicit SQL migration commands **`migrate sql up|down|status`** that streamline database schema management and help with zero-downtime upgrades.

PR: [#3894](https://github.com/ory/hydra/pull/3894)

- **Access token strategy & advanced CLI improvements** – The CLI introduces new parameters and an option to specify a custom client ID on creation, making it easier to manage and script Hydra deployments.
  PRs: [#3718](https://github.com/ory/hydra/pull/3718), [#3725](https://github.com/ory/hydra/pull/3725), [#3874](https://github.com/ory/hydra/pull/3874)
- **Built-in login & consent UI for `hydra perform authorization-code`** – A minimal built-in UI for login and consent can be enabled when testing with the CLI, removing the need to spin up a separate service.
  PR: [#3845](https://github.com/ory/hydra/pull/3845)

Unused indices have been removed, down migration scripts renamed for consistency, and all migrations are more efficient overall.

PRs: [#3859](https://github.com/ory/hydra/pull/3859), [#3911](https://github.com/ory/hydra/pull/3911)

- **Improve persistence logic** – Database transactions and concurrency have been improved across the authorization and token handlers.
PRs: [#3756](https://github.com/ory/hydra/pull/3756), [#3763](https://github.com/ory/hydra/pull/3763), [#3886](https://github.com/ory/hydra/pull/3886)
- **Support for more claims in password grant** – You can now include additional claims in the password grant flow, providing extra flexibility in advanced scenarios. Only available with an Ory Enterprise License.
PR: [#3864](https://github.com/ory/hydra/pull/3864)

- **Transaction Wrappers** – Authorization and token issuance are now wrapped more consistently to prevent partial writes and race conditions.
  PRs: [#3730](https://github.com/ory/hydra/pull/3730), [#3763](https://github.com/ory/hydra/pull/3763)
- **Improved Docker setup** – Docker configurations have been refined, removing inconsistencies in the Compose setup and enabling a fully static binary build.
  PRs: [#3826](https://github.com/ory/hydra/pull/3826), [#3924](https://github.com/ory/hydra/pull/3924)
- **Proper JSON round-tripping** – Fixed an issue causing custom claims to break if they were nested or unexpectedly typed. JSON round-trips are now correct.
  PR: [#3819](https://github.com/ory/hydra/pull/3819)
- **Speed up public key retrieval** – Reduced overhead for the JWK public endpoint, solving CPU contention issues in large-scale deployments.
  PRs: [#3787](https://github.com/ory/hydra/pull/3787), [#3870](https://github.com/ory/hydra/pull/3870)
- **Fix Docker Compose references** – The CLI now properly references `docker compose` instead of `docker-compose`, ensuring compatibility with modern Docker setups.
  PR: [#3815](https://github.com/ory/hydra/pull/3815)

- **Dependency upgrades** – Bumped `fosite`, `ory/x`, `pgx/v5`, and various third-party libraries for improved stability and performance.
- **Updated docs** – Updated examples, improved JWK documentation, added notes on Docker Compose usage, and refined OpenID Connect discovery docs.
- **More tracing context** – Tracing calls have been standardized with `otelx.End()`, and additional context ensures better observability.
- **Code generation & housekeeping** – Various housekeeping tasks: pinned GHA versions, fixed minor comment typos, updated newsletters/links, and more.

To upgrade to 2.3.0, follow the usual steps:

1. **Back up your database** (always recommended).
2. **Update your Hydra version** in your Docker configuration, binary, or build to `v2.3.0`.
3. **Run `hydra migrate sql up`** (if using the new commands) or your usual migration procedure.
4. **Restart your services** and confirm that Hydra is up and running.

Check the [migration docs](https://www.ory.sh/docs/hydra/self-hosted/upgrade) for detailed information.

As always, we love hearing from our community. Here are some ways to get involved:

- **Join our Slack**: [Ory Community Slack](https://www.ory.sh/chat)
- **Ask questions on GitHub Discussions**: [Ory Hydra Discussions](https://github.com/ory/hydra/discussions)
- **Submit bugs and feature requests**: [GitHub Issues](https://github.com/ory/hydra/issues)

Thanks to all contributors for making Ory Hydra the best-in-class OAuth2 and OpenID Connect server.

For Ory Hydra v2.4.0 we are looking at another highly anticipated community-contributed feature, the OAuth 2.0 Device Authorization Grant!

**Full Changelog**: [v2.2.0...v2.3.0](https://github.com/ory/hydra/compare/v2.2.0...v2.3.0)

*Happy building with Ory Hydra!*