Ory · Capability

Ory Hydra API — oAuth2

Ory Hydra API — oAuth2. 31 operations. Lead operation: List OAuth 2.0 Clients. Self-contained Naftiko capability covering one Ory business surface.


What You Can Do

GET /v1/admin/clients: Listoauth2clients — List OAuth 2.0 Clients
POST /v1/admin/clients: Createoauth2client — Create OAuth 2.0 Client
DELETE /v1/admin/clients/{id}: Deleteoauth2client — Delete OAuth 2.0 Client
GET /v1/admin/clients/{id}: Getoauth2client — Get an OAuth 2.0 Client
PATCH /v1/admin/clients/{id}: Patchoauth2client — Patch OAuth 2.0 Client
PUT /v1/admin/clients/{id}: Setoauth2client — Set OAuth 2.0 Client
PUT /v1/admin/clients/{id}/lifespans: Setoauth2clientlifespans — Set OAuth2 Client Token Lifespans
GET /v1/admin/oauth2/auth/requests/consent: Getoauth2consentrequest — Get OAuth 2.0 Consent Request
PUT /v1/admin/oauth2/auth/requests/consent/accept: Acceptoauth2consentrequest — Accept OAuth 2.0 Consent Request
PUT /v1/admin/oauth2/auth/requests/consent/reject: Rejectoauth2consentrequest — Reject OAuth 2.0 Consent Request
PUT /v1/admin/oauth2/auth/requests/device/accept: Acceptusercoderequest — Accepts a device grant user_code request
GET /v1/admin/oauth2/auth/requests/login: Getoauth2loginrequest — Get OAuth 2.0 Login Request
PUT /v1/admin/oauth2/auth/requests/login/accept: Acceptoauth2loginrequest — Accept OAuth 2.0 Login Request
PUT /v1/admin/oauth2/auth/requests/login/reject: Rejectoauth2loginrequest — Reject OAuth 2.0 Login Request
GET /v1/admin/oauth2/auth/requests/logout: Getoauth2logoutrequest — Get OAuth 2.0 Session Logout Request
PUT /v1/admin/oauth2/auth/requests/logout/accept: Acceptoauth2logoutrequest — Accept OAuth 2.0 Session Logout Request
PUT /v1/admin/oauth2/auth/requests/logout/reject: Rejectoauth2logoutrequest — Reject OAuth 2.0 Session Logout Request
DELETE /v1/admin/oauth2/auth/sessions/consent: Revokeoauth2consentsessions — Revoke OAuth 2.0 Consent Sessions of a Subject
GET /v1/admin/oauth2/auth/sessions/consent: Listoauth2consentsessions — List OAuth 2.0 Consent Sessions of a Subject
DELETE /v1/admin/oauth2/auth/sessions/login: Revokeoauth2loginsessions — Revokes OAuth 2.0 Login Sessions by either a Subject or a SessionID
POST /v1/admin/oauth2/introspect: Introspectoauth2token — Introspect OAuth2 Access and Refresh Tokens
DELETE /v1/admin/oauth2/tokens: Deleteoauth2token — Delete OAuth 2.0 Access Tokens from specific OAuth 2.0 Client
GET /v1/admin/trust/grants/jwt-bearer/issuers: Listtrustedoauth2jwtgrantissuers — List Trusted OAuth2 JWT Bearer Grant Type Issuers
POST /v1/admin/trust/grants/jwt-bearer/issuers: Trustoauth2jwtgrantissuer — Trust OAuth2 JWT Bearer Grant Type Issuer
DELETE /v1/admin/trust/grants/jwt-bearer/issuers/{id}: Deletetrustedoauth2jwtgrantissuer — Delete Trusted OAuth2 JWT Bearer Grant Type Issuer
GET /v1/admin/trust/grants/jwt-bearer/issuers/{id}: Gettrustedoauth2jwtgrantissuer — Get Trusted OAuth2 JWT Bearer Grant Type Issuer
GET /v1/oauth2/auth: Oauth2authorize — OAuth 2.0 Authorize Endpoint
POST /v1/oauth2/device/auth: Oauth2deviceflow — The OAuth 2.0 Device Authorize Endpoint
GET /v1/oauth2/device/verify: Performoauth2deviceverificationflow — OAuth 2.0 Device Verification Endpoint
POST /v1/oauth2/revoke: Revokeoauth2token — Revoke OAuth 2.0 Access or Refresh Token
POST /v1/oauth2/token: Oauth2tokenexchange — The OAuth 2.0 Token Endpoint

MCP Tools

list-oauth-2-0-clients: List OAuth 2.0 Clients (read-only, idempotent)
create-oauth-2-0-client: Create OAuth 2.0 Client
delete-oauth-2-0-client: Delete OAuth 2.0 Client (idempotent)
get-oauth-2-0-client: Get an OAuth 2.0 Client (read-only, idempotent)
patch-oauth-2-0-client: Patch OAuth 2.0 Client (idempotent)
set-oauth-2-0-client: Set OAuth 2.0 Client (idempotent)
set-oauth2-client-token-lifespans: Set OAuth2 Client Token Lifespans (idempotent)
get-oauth-2-0-consent-request: Get OAuth 2.0 Consent Request (read-only, idempotent)
accept-oauth-2-0-consent-request: Accept OAuth 2.0 Consent Request (idempotent)
reject-oauth-2-0-consent-request: Reject OAuth 2.0 Consent Request (idempotent)
accepts-device-grant-user-code: Accepts a device grant user_code request (idempotent)
get-oauth-2-0-login-request: Get OAuth 2.0 Login Request (read-only, idempotent)
accept-oauth-2-0-login-request: Accept OAuth 2.0 Login Request (idempotent)
reject-oauth-2-0-login-request: Reject OAuth 2.0 Login Request (idempotent)
get-oauth-2-0-session-logout: Get OAuth 2.0 Session Logout Request (read-only, idempotent)
accept-oauth-2-0-session-logout: Accept OAuth 2.0 Session Logout Request (idempotent)
reject-oauth-2-0-session-logout: Reject OAuth 2.0 Session Logout Request (idempotent)
revoke-oauth-2-0-consent-sessions: Revoke OAuth 2.0 Consent Sessions of a Subject (idempotent)
list-oauth-2-0-consent-sessions: List OAuth 2.0 Consent Sessions of a Subject (read-only, idempotent)
revokes-oauth-2-0-login-sessions: Revokes OAuth 2.0 Login Sessions by either a Subject or a SessionID (idempotent)
introspect-oauth2-access-and-refresh: Introspect OAuth2 Access and Refresh Tokens
delete-oauth-2-0-access-tokens: Delete OAuth 2.0 Access Tokens from specific OAuth 2.0 Client (idempotent)
list-trusted-oauth2-jwt-bearer: List Trusted OAuth2 JWT Bearer Grant Type Issuers (read-only, idempotent)
trust-oauth2-jwt-bearer-grant: Trust OAuth2 JWT Bearer Grant Type Issuer
delete-trusted-oauth2-jwt-bearer: Delete Trusted OAuth2 JWT Bearer Grant Type Issuer (idempotent)
get-trusted-oauth2-jwt-bearer: Get Trusted OAuth2 JWT Bearer Grant Type Issuer (read-only, idempotent)
oauth-2-0-authorize-endpoint: OAuth 2.0 Authorize Endpoint (read-only, idempotent)
oauth-2-0-device-authorize-endpoint: The OAuth 2.0 Device Authorize Endpoint
oauth-2-0-device-verification-endpoint: OAuth 2.0 Device Verification Endpoint (read-only, idempotent)
revoke-oauth-2-0-access-refresh: Revoke OAuth 2.0 Access or Refresh Token
oauth-2-0-token-endpoint: The OAuth 2.0 Token Endpoint

Capability Spec

hydra-oauth2.yaml
naftiko: 1.0.0-alpha2
info:
  label: Ory Hydra API — oAuth2
  description: 'Ory Hydra API — oAuth2. 31 operations. Lead operation: List OAuth 2.0 Clients. Self-contained Naftiko capability
    covering one Ory business surface.'
  tags:
  - Ory
  - oAuth2
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    ORY_API_KEY: ORY_API_KEY
capability:
  consumes:
  - type: http
    namespace: hydra-oauth2
    baseUri: ''
    description: Ory Hydra API — oAuth2 business capability. Self-contained, no shared references.
    resources:
    - name: admin-clients
      path: /admin/clients
      operations:
      - name: listoauth2clients
        method: GET
        description: List OAuth 2.0 Clients
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: page_size
          in: query
          type: integer
          description: Items per Page
        - name: page_token
          in: query
          type: string
          description: Next Page Token
        - name: client_name
          in: query
          type: string
          description: The name of the clients to filter by.
        - name: owner
          in: query
          type: string
          description: The owner of the clients to filter by.
      - name: createoauth2client
        method: POST
        description: Create OAuth 2.0 Client
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: admin-clients-id
      path: /admin/clients/{id}
      operations:
      - name: deleteoauth2client
        method: DELETE
        description: Delete OAuth 2.0 Client
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: id
          in: path
          type: string
          description: The id of the OAuth 2.0 Client.
          required: true
      - name: getoauth2client
        method: GET
        description: Get an OAuth 2.0 Client
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: id
          in: path
          type: string
          description: The id of the OAuth 2.0 Client.
          required: true
      - name: patchoauth2client
        method: PATCH
        description: Patch OAuth 2.0 Client
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: id
          in: path
          type: string
          description: The id of the OAuth 2.0 Client.
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
      - name: setoauth2client
        method: PUT
        description: Set OAuth 2.0 Client
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: id
          in: path
          type: string
          description: OAuth 2.0 Client ID
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: admin-clients-id-lifespans
      path: /admin/clients/{id}/lifespans
      operations:
      - name: setoauth2clientlifespans
        method: PUT
        description: Set OAuth2 Client Token Lifespans
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: id
          in: path
          type: string
          description: OAuth 2.0 Client ID
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: false
    - name: admin-oauth2-auth-requests-consent
      path: /admin/oauth2/auth/requests/consent
      operations:
      - name: getoauth2consentrequest
        method: GET
        description: Get OAuth 2.0 Consent Request
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: consent_challenge
          in: query
          type: string
          description: OAuth 2.0 Consent Request Challenge
          required: true
    - name: admin-oauth2-auth-requests-consent-accept
      path: /admin/oauth2/auth/requests/consent/accept
      operations:
      - name: acceptoauth2consentrequest
        method: PUT
        description: Accept OAuth 2.0 Consent Request
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: consent_challenge
          in: query
          type: string
          description: OAuth 2.0 Consent Request Challenge
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: false
    - name: admin-oauth2-auth-requests-consent-reject
      path: /admin/oauth2/auth/requests/consent/reject
      operations:
      - name: rejectoauth2consentrequest
        method: PUT
        description: Reject OAuth 2.0 Consent Request
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: consent_challenge
          in: query
          type: string
          description: OAuth 2.0 Consent Request Challenge
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: false
    - name: admin-oauth2-auth-requests-device-accept
      path: /admin/oauth2/auth/requests/device/accept
      operations:
      - name: acceptusercoderequest
        method: PUT
        description: Accepts a device grant user_code request
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: device_challenge
          in: query
          type: string
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: false
    - name: admin-oauth2-auth-requests-login
      path: /admin/oauth2/auth/requests/login
      operations:
      - name: getoauth2loginrequest
        method: GET
        description: Get OAuth 2.0 Login Request
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: login_challenge
          in: query
          type: string
          description: OAuth 2.0 Login Request Challenge
          required: true
    - name: admin-oauth2-auth-requests-login-accept
      path: /admin/oauth2/auth/requests/login/accept
      operations:
      - name: acceptoauth2loginrequest
        method: PUT
        description: Accept OAuth 2.0 Login Request
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: login_challenge
          in: query
          type: string
          description: OAuth 2.0 Login Request Challenge
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: false
    - name: admin-oauth2-auth-requests-login-reject
      path: /admin/oauth2/auth/requests/login/reject
      operations:
      - name: rejectoauth2loginrequest
        method: PUT
        description: Reject OAuth 2.0 Login Request
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: login_challenge
          in: query
          type: string
          description: OAuth 2.0 Login Request Challenge
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: false
    - name: admin-oauth2-auth-requests-logout
      path: /admin/oauth2/auth/requests/logout
      operations:
      - name: getoauth2logoutrequest
        method: GET
        description: Get OAuth 2.0 Session Logout Request
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: logout_challenge
          in: query
          type: string
          required: true
    - name: admin-oauth2-auth-requests-logout-accept
      path: /admin/oauth2/auth/requests/logout/accept
      operations:
      - name: acceptoauth2logoutrequest
        method: PUT
        description: Accept OAuth 2.0 Session Logout Request
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: logout_challenge
          in: query
          type: string
          description: OAuth 2.0 Logout Request Challenge
          required: true
    - name: admin-oauth2-auth-requests-logout-reject
      path: /admin/oauth2/auth/requests/logout/reject
      operations:
      - name: rejectoauth2logoutrequest
        method: PUT
        description: Reject OAuth 2.0 Session Logout Request
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: logout_challenge
          in: query
          type: string
          required: true
    - name: admin-oauth2-auth-sessions-consent
      path: /admin/oauth2/auth/sessions/consent
      operations:
      - name: revokeoauth2consentsessions
        method: DELETE
        description: Revoke OAuth 2.0 Consent Sessions of a Subject
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: subject
          in: query
          type: string
          description: OAuth 2.0 Consent Subject
        - name: client
          in: query
          type: string
          description: OAuth 2.0 Client ID
        - name: consent_request_id
          in: query
          type: string
          description: Consent Request ID
        - name: all
          in: query
          type: boolean
          description: Revoke All Consent Sessions
      - name: listoauth2consentsessions
        method: GET
        description: List OAuth 2.0 Consent Sessions of a Subject
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: page_size
          in: query
          type: integer
          description: Items per Page
        - name: page_token
          in: query
          type: string
          description: Next Page Token
        - name: subject
          in: query
          type: string
          description: The subject to list the consent sessions for.
          required: true
        - name: login_session_id
          in: query
          type: string
          description: The login session id to list the consent sessions for.
    - name: admin-oauth2-auth-sessions-login
      path: /admin/oauth2/auth/sessions/login
      operations:
      - name: revokeoauth2loginsessions
        method: DELETE
        description: Revokes OAuth 2.0 Login Sessions by either a Subject or a SessionID
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: subject
          in: query
          type: string
          description: OAuth 2.0 Subject
        - name: sid
          in: query
          type: string
          description: Login Session ID
    - name: admin-oauth2-introspect
      path: /admin/oauth2/introspect
      operations:
      - name: introspectoauth2token
        method: POST
        description: Introspect OAuth2 Access and Refresh Tokens
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: false
    - name: admin-oauth2-tokens
      path: /admin/oauth2/tokens
      operations:
      - name: deleteoauth2token
        method: DELETE
        description: Delete OAuth 2.0 Access Tokens from specific OAuth 2.0 Client
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: client_id
          in: query
          type: string
          description: OAuth 2.0 Client ID
          required: true
    - name: admin-trust-grants-jwt-bearer-issuers
      path: /admin/trust/grants/jwt-bearer/issuers
      operations:
      - name: listtrustedoauth2jwtgrantissuers
        method: GET
        description: List Trusted OAuth2 JWT Bearer Grant Type Issuers
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: page_size
          in: query
          type: integer
          description: Items per Page
        - name: page_token
          in: query
          type: string
          description: Next Page Token
        - name: issuer
          in: query
          type: string
          description: If optional "issuer" is supplied, only jwt-bearer grants with this issuer will be returned.
      - name: trustoauth2jwtgrantissuer
        method: POST
        description: Trust OAuth2 JWT Bearer Grant Type Issuer
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: false
    - name: admin-trust-grants-jwt-bearer-issuers-id
      path: /admin/trust/grants/jwt-bearer/issuers/{id}
      operations:
      - name: deletetrustedoauth2jwtgrantissuer
        method: DELETE
        description: Delete Trusted OAuth2 JWT Bearer Grant Type Issuer
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: id
          in: path
          type: string
          description: The id of the desired grant
          required: true
      - name: gettrustedoauth2jwtgrantissuer
        method: GET
        description: Get Trusted OAuth2 JWT Bearer Grant Type Issuer
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: id
          in: path
          type: string
          description: The id of the desired grant
          required: true
    - name: oauth2-auth
      path: /oauth2/auth
      operations:
      - name: oauth2authorize
        method: GET
        description: OAuth 2.0 Authorize Endpoint
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: oauth2-device-auth
      path: /oauth2/device/auth
      operations:
      - name: oauth2deviceflow
        method: POST
        description: The OAuth 2.0 Device Authorize Endpoint
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: oauth2-device-verify
      path: /oauth2/device/verify
      operations:
      - name: performoauth2deviceverificationflow
        method: GET
        description: OAuth 2.0 Device Verification Endpoint
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: oauth2-revoke
      path: /oauth2/revoke
      operations:
      - name: revokeoauth2token
        method: POST
        description: Revoke OAuth 2.0 Access or Refresh Token
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: false
    - name: oauth2-token
      path: /oauth2/token
      operations:
      - name: oauth2tokenexchange
        method: POST
        description: The OAuth 2.0 Token Endpoint
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: false
    authentication:
      type: bearer
      token: '{{env.ORY_API_KEY}}'
  exposes:
  - type: rest
    namespace: hydra-oauth2-rest
    port: 8080
    description: REST adapter for Ory Hydra API — oAuth2. One Spectral-compliant resource per consumed operation, prefixed
      with /v1.
    resources:
    - path: /v1/admin/clients
      name: admin-clients
      description: REST surface for admin-clients.
      operations:
      - method: GET
        name: listoauth2clients
        description: List OAuth 2.0 Clients
        call: hydra-oauth2.listoauth2clients
        with:
          page_size: rest.page_size
          page_token: rest.page_token
          client_name: rest.client_name
          owner: rest.owner
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: createoauth2client
        description: Create OAuth 2.0 Client
        call: hydra-oauth2.createoauth2client
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/clients/{id}
      name: admin-clients-id
      description: REST surface for admin-clients-id.
      operations:
      - method: DELETE
        name: deleteoauth2client
        description: Delete OAuth 2.0 Client
        call: hydra-oauth2.deleteoauth2client
        with:
          id: rest.id
        outputParameters:
        - type: object
          mapping: $.
      - method: GET
        name: getoauth2client
        description: Get an OAuth 2.0 Client
        call: hydra-oauth2.getoauth2client
        with:
          id: rest.id
        outputParameters:
        - type: object
          mapping: $.
      - method: PATCH
        name: patchoauth2client
        description: Patch OAuth 2.0 Client
        call: hydra-oauth2.patchoauth2client
        with:
          id: rest.id
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
      - method: PUT
        name: setoauth2client
        description: Set OAuth 2.0 Client
        call: hydra-oauth2.setoauth2client
        with:
          id: rest.id
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/clients/{id}/lifespans
      name: admin-clients-id-lifespans
      description: REST surface for admin-clients-id-lifespans.
      operations:
      - method: PUT
        name: setoauth2clientlifespans
        description: Set OAuth2 Client Token Lifespans
        call: hydra-oauth2.setoauth2clientlifespans
        with:
          id: rest.id
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/oauth2/auth/requests/consent
      name: admin-oauth2-auth-requests-consent
      description: REST surface for admin-oauth2-auth-requests-consent.
      operations:
      - method: GET
        name: getoauth2consentrequest
        description: Get OAuth 2.0 Consent Request
        call: hydra-oauth2.getoauth2consentrequest
        with:
          consent_challenge: rest.consent_challenge
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/oauth2/auth/requests/consent/accept
      name: admin-oauth2-auth-requests-consent-accept
      description: REST surface for admin-oauth2-auth-requests-consent-accept.
      operations:
      - method: PUT
        name: acceptoauth2consentrequest
        description: Accept OAuth 2.0 Consent Request
        call: hydra-oauth2.acceptoauth2consentrequest
        with:
          consent_challenge: rest.consent_challenge
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/oauth2/auth/requests/consent/reject
      name: admin-oauth2-auth-requests-consent-reject
      description: REST surface for admin-oauth2-auth-requests-consent-reject.
      operations:
      - method: PUT
        name: rejectoauth2consentrequest
        description: Reject OAuth 2.0 Consent Request
        call: hydra-oauth2.rejectoauth2consentrequest
        with:
          consent_challenge: rest.consent_challenge
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/oauth2/auth/requests/device/accept
      name: admin-oauth2-auth-requests-device-accept
      description: REST surface for admin-oauth2-auth-requests-device-accept.
      operations:
      - method: PUT
        name: acceptusercoderequest
        description: Accepts a device grant user_code request
        call: hydra-oauth2.acceptusercoderequest
        with:
          device_challenge: rest.device_challenge
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/oauth2/auth/requests/login
      name: admin-oauth2-auth-requests-login
      description: REST surface for admin-oauth2-auth-requests-login.
      operations:
      - method: GET
        name: getoauth2loginrequest
        description: Get OAuth 2.0 Login Request
        call: hydra-oauth2.getoauth2loginrequest
        with:
          login_challenge: rest.login_challenge
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/oauth2/auth/requests/login/accept
      name: admin-oauth2-auth-requests-login-accept
      description: REST surface for admin-oauth2-auth-requests-login-accept.
      operations:
      - method: PUT
        name: acceptoauth2loginrequest
        description: Accept OAuth 2.0 Login Request
        call: hydra-oauth2.acceptoauth2loginrequest
        with:
          login_challenge: rest.login_challenge
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/oauth2/auth/requests/login/reject
      name: admin-oauth2-auth-requests-login-reject
      description: REST surface for admin-oauth2-auth-requests-login-reject.
      operations:
      - method: PUT
        name: rejectoauth2loginrequest
        description: Reject OAuth 2.0 Login Request
        call: hydra-oauth2.rejectoauth2loginrequest
        with:
          login_challenge: rest.login_challenge
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/oauth2/auth/requests/logout
      name: admin-oauth2-auth-requests-logout
      description: REST surface for admin-oauth2-auth-requests-logout.
      operations:
      - method: GET
        name: getoauth2logoutrequest
        description: Get OAuth 2.0 Session Logout Request
        call: hydra-oauth2.getoauth2logoutrequest
        with:
          logout_challenge: rest.logout_challenge
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/oauth2/auth/requests/logout/accept
      name: admin-oauth2-auth-requests-logout-accept
      description: REST surface for admin-oauth2-auth-requests-logout-accept.
      operations:
      - method: PUT
        name: acceptoauth2logoutrequest
        description: Accept OAuth 2.0 Session Logout Request
        call: hydra-oauth2.acceptoauth2logoutrequest
        with:
          logout_challenge: rest.logout_challenge
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/oauth2/auth/requests/logout/reject
      name: admin-oauth2-auth-requests-logout-reject
      description: REST surface for admin-oauth2-auth-requests-logout-reject.
      operations:
      - method: PUT
        name: rejectoauth2logoutrequest
        description: Reject OAuth 2.0 Session Logout Request
        call: hydra-oauth2.rejectoauth2logoutrequest
        with:
          logout_challenge: rest.logout_challenge
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/oauth2/auth/sessions/consent
      name: admin-oauth2-auth-sessions-consent
      description: REST surface for admin-oauth2-auth-sessions-consent.
      operations:
      - method: DELETE
        name: revokeoauth2consentsessions
        description: Revoke OAuth 2.0 Consent Sessions of a Subject
        call: hydra-oauth2.revokeoauth2consentsessions
        with:
          subject: rest.subject
          client: rest.client
          consent_request_id: rest.consent_request_id
          all: rest.all
        outputParameters:
        - type: object
          mapping: $.
      - method: GET
        name: listoauth2consentsessions
        description: List OAuth 2.0 Consent Sessions of a Subject
        call: hydra-oauth2.listoauth2consentsessions
        with:
          page_size: rest.page_size
          page_token: rest.page_token
          subject: rest.subject
          login_session_id: rest.login_session_id
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/oauth2/auth/sessions/login
      name: admin-oauth2-auth-sessions-login
      description: REST surface for admin-oauth2-auth-sessions-login.
      operations:
      - method: DELETE
        name: revokeoauth2loginsessions
        description: Revokes OAuth 2.0 Login Sessions by either a Subject or a SessionID
        call: hydra-oauth2.revokeoauth2loginsessions
        with:
          subject: rest.subject
          sid: rest.sid
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/oauth2/introspect
      name: admin-oauth2-introspect
      description: REST surface for admin-oauth2-introspect.
      operations:
      - method: POST
        name: introspectoauth2token
        description: Introspect OAuth2 Access and Refresh Tokens
        call: hydra-oauth2.introspectoauth2token
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/oauth2/tokens
      name: admin-oauth2-tokens
      description: REST surface for admin-oauth2-tokens.
      operations:
      - method: DELETE
        name: deleteoauth2token
        description: Delete OAuth 2.0 Access Tokens from specific OAuth 2.0 Client
        call: hydra-oauth2.deleteoauth2token
        with:
          client_id: rest.client_id
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/trust/grants/jwt-bearer/issuers
      name: admin-trust-grants-jwt-bearer-issuers
      description: REST surface for admin-trust-grants-jwt-bearer-issuers.
      operations:
      - method: GET
        name: listtrustedoauth2jwtgrantissuers
        description: List Trusted OAuth2 JWT Bearer Grant Type Issuers
        call: hydra-oauth2.listtrustedoauth2jwtgrantissuers
        with:
          page_size: rest.page_size
          page_token: rest.page_token
          issuer: rest.issuer
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: trustoauth2jwtgrantissuer
        description: Trust OAuth2 JWT Bearer Grant Type Issuer
        call: hydra-oauth2.trustoauth2jwtgrantissuer
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/trust/grants/jwt-bearer/issuers/{id}
      name: admin-trust-grants-jwt-bearer-issuers-id
      description: REST surface for admin-trust-grants-jwt-bearer-issuers-id.
      operations:
      - method: DELETE
        name: deletetrustedoauth2jwtgrantissuer
        description: Delete Trusted OAuth2 JWT Bearer Grant Type Issuer
        call: hydra-oauth2.deletetrustedoauth2jwtgrantissuer
        with:
          id: rest.id
        outputParameters:
        - type: object
          mapping: $.
      - method: GET
        name: gettrustedoauth2jwtgrantissuer
        description: Get Trusted OAuth2 JWT Bearer Grant Type Issuer
        call: hydra-oauth2.gettrustedoauth2jwtgrantissuer
        with:
          id: rest.id
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/oauth2/auth
      name: oauth2-auth
      description: REST surface for oauth2-auth.
      operations:
      - method: GET
        name: oauth2authorize
        description: OAuth 2.0 Authorize Endpoint
        call: hydra-oauth2.oauth2authorize
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/oauth2/device/auth
      name: oauth2-device-auth
      description: REST surface for oauth2-device-auth.
      operations:
      - method: POST
        name: oauth2deviceflow
        description: The OAuth 2.0 Device Authorize Endpoint
        call: hydra-oauth2.oauth2deviceflow
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/oauth2/device/verify
      name: oauth2-device-verify
      description: REST surface for oauth2-device-verify.
      operations:
      - method: GET
        name: performoauth2deviceverificationflow
        description: OAuth 2.0 Device Verification Endpoint
        call: hydra-oauth2.performoauth2deviceverificationflow
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/oauth2/revoke
      name: oauth2-revoke
      description: REST surface for oauth2-revoke.
      operations:
      - method: POST
        name: revokeoauth2token
        description: Revoke OAuth 2.0 Access or Refresh Token
        call: hydra-oauth2.revokeoauth2token
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/oauth2/token
      name: oauth2-token
      description: REST surface for oauth2-token.
      operations:
      - method: POST
        name: oauth2tokenexchange
        description: The OAuth 2.0 Token Endpoint
        call: hydra-oauth2.oauth2tokenexchange
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    namespace: hydra-oauth2-mcp
    port: 9090
    transport: http
    description: MCP adapter for Ory Hydra API — oAuth2. One tool per consumed operation, routed inline through this capability's
      consumes block.
    tools:
    - name: list-oauth-2-0-clients
      description: List OAuth 2.0 Clients
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: hydra-oauth2.listoauth2clients
      with:
        page_size: tools.page_size
        page_token: tools.page_token
        client_name: tools.client_name
        owner: tools.owner
      outputParameters:
      - type: object
        mapping: $.
    - name: create-oauth-2-0-client
      description: Create OAuth 2.0 Client
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: hydra-oauth2.createoauth2client
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: delete-oauth-2-0-client
      description: Delete OAuth 2.0 Client
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: hydra-oauth2.deleteoauth2client
      with:
        id: tools.id
      outputParameters:
      - type: object
        mapping: $.
    - name: get-oauth-2-0-client
      description: Get an OAuth 2.0 Client
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: hydra-oau

# --- truncated at 32 KB (41 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/ory/refs/heads/main/capabilities/hydra-oauth2.yaml