I've managed to get to the login_challenge part. Now I'm confused

My understanding of hydra is that, I can have an app which can decide whether to authorize or not, then offload the work to hydra to generate the token etc.
i.e browser login page -> some backend API -> (checks if it meets its requirements) -> make request to hydra to generate token.

I create a instance of hydra with

docker run -d \
  --name ory-hydra-example--hydra \
  --network hydraguide \
  -p 9000:4444 \
  -p 9001:4445 \
  -e LOG_LEAK_SENSITIVE_VALUES=true \ #for testing purposes
  -e DSN=memory \
  -e LOG_LEVEL=trace \
  -e URLS_CONSENT=https://webhook.site/<id>/consent \ #echo server to see what is happening
  -e URLS_LOGIN=https://webhook.site/<id>/login \ #echo server to see what is happening
  oryd/hydra:v1.8.5 serve all --dangerous-force-http

Now, create a client.

curl --location --request POST '' \
--header 'Content-Type: application/json' \
--data-raw '{
  "client_id": "someconsumer",
  "client_name": "consumerName",
  "grant_types": [
  "scope":"additional_example_scope offline openid",
  "redirect_uris": [
  "response_types": [

Next create a login request.

curl --location --request GET '<exact_url_as_created_client_allows>&response_type=code&scope=openid&state=whatever_you_want_it_to_be_example_application_redirection_context&client_secret=somesecret' \

This would generate a login challenge appended to the redirect_url as query and can also be found at:

curl --location --request GET '<login_challenge_value>'

I believe the next part is accepting login? This I believe is done by calling the auth endpoint with the login_verifier field? But from where is this login_verifier generated?

Also, is there any way to skip the Accept and Consent forms? As on register and login, on the main website, it would make very little sense to show them these pages. (I do see a prompt keyword, but not sure where and why it is applicable.)

And lastly, is the code_challenge for PKCE to be used only on the API call with consent_verifier, and code_verifier - token call? or right from the beginning (login accept)?

You control the app, you control the UI - you can skip the screen :slight_smile:

PKCE is an optional part of the OAuth2 flow and does not have to do with login/consent challenges!

Check: https://www.ory.sh/hydra/docs/guides/login/