One way to log in — Hydra

Until now, Bindu supported three different ways to handle logins: Auth0, Cognito, and Kratos. Three systems means three sets of bugs, three sets of configs, three things to test. Starting this release, Bindu uses only one: Ory Hydra. It’s open source, it speaks OAuth2, and it plays nicely with your agent’s DID. If you were using Auth0, Cognito, or Kratos — you’ll need to move over. We’ll walk you through it below.

Heads up before you upgrade

  • Auth0 and Cognito no longer work. Only Hydra is supported now. Any old Auth0 or Cognito setup has to be switched.
  • Client authentication on token requests changed. We now send the client secret in the request body (client_secret_post) instead of the Authorization header. This is needed because DIDs contain colons, and the header style uses a colon to separate the client ID from the secret.
  • Some files are gone. If your code imports from bindu/utils/auth_utils.py, bindu/server/middleware/auth/auth0.py, bindu/server/middleware/auth/cognito.py, or any Kratos/Vault/user-OAuth modules, those imports will fail because the files have been deleted.

What’s new

DID + OAuth2 working together

Here’s the idea. Your agent has a DID (a decentralized ID that proves “I am who I say I am”). Hydra gives out OAuth2 tokens (short-lived keys for API access). We connect the two. Your DID becomes the client_id in Hydra. When your agent starts up, it introduces itself to Hydra using its DID and gets registered automatically. If the credentials on disk ever get out of sync with Hydra (say, your local file is deleted), Bindu notices, re-registers the agent, and carries on. No manual fix needed.
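
The colon problem behind the move to client_secret_post, as an added example (not Bindu or Hydra code). It compares header-based client authentication with body-based authentication for a DID-shaped client_id; the DID, the secret and all function names are constructed for illustration.

```python
import base64
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode

# Constructed sample values; not a real agent DID or secret.
DID = "did:example:alice:research-agent"
SECRET = "s3cr3t-value"

def basic_header_naive(client_id, secret):
    """Common client shortcut: base64("id:secret") with no pre-encoding."""
    raw = f"{client_id}:{secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()

def basic_header_rfc6749(client_id, secret):
    """RFC 6749 section 2.3.1: form-urlencode both parts before joining."""
    raw = f"{quote_plus(client_id)}:{quote_plus(secret)}".encode()
    return "Basic " + base64.b64encode(raw).decode()

def server_parse_basic(header, urldecode):
    """Server side: HTTP Basic splits the decoded value at the first colon."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    cid, _, sec = raw.partition(":")
    return (unquote_plus(cid), unquote_plus(sec)) if urldecode else (cid, sec)

def post_body(client_id, secret):
    """client_secret_post: credentials travel as ordinary form fields."""
    return urlencode({"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": secret})

def server_parse_post(body):
    """Form parsing recovers each field independently of its contents."""
    fields = parse_qs(body)
    return fields["client_id"][0], fields["client_secret"][0]

if __name__ == "__main__":
    # Naive header: the client_id is truncated at the DID's first colon.
    print(server_parse_basic(basic_header_naive(DID, SECRET), urldecode=False))
    # Encoded header: only works if the server also decodes; otherwise mismatch.
    print(server_parse_basic(basic_header_rfc6749(DID, SECRET), urldecode=True))
    print(server_parse_basic(basic_header_rfc6749(DID, SECRET), urldecode=False))
    # Body-based: round-trips regardless of colons in the DID.
    print(server_parse_post(post_body(DID, SECRET)))
```

The header form only works when client and server agree on the percent-encoding step, while the body form has no delimiter that a DID can collide with.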

Dependencies locked to exact versions

Every package Bindu depends on is now pinned to an exact version (==) instead of “this or newer” (>=). This means every build is the same build — no surprise updates in the middle of the night breaking your agent. 34 packages were pinned across runtime, telemetry, payments, storage, CLI, and security. A few packages we weren’t really using (openai, agno, ddgs, numpy) got removed entirely.

Web UI: cleaner building blocks

The agent’s web interface got split into focused JavaScript files — one for the HTTP client, one for state, one for chat, one for the protocol. Easier to read, easier to change.

What got better

With only one auth provider to worry about:
  • The auth config is far simpler
  • Tests don’t have to mock three different systems
  • The config validator only has to check one thing

When your agent starts up, it now prints the exact curl command to grab a fresh OAuth token, plus the path to your client secret. Testing an authenticated endpoint takes seconds.

Migration

1. Get a Hydra instance

Use the hosted one at https://hydra.getbindu.com, or run your own.

2. Swap your environment variables

Remove the old Auth0 ones:

    # Delete these
    AUTH0_DOMAIN=...
    AUTH0_AUDIENCE=...
    AUTH0_CLIENT_ID=...
    AUTH0_CLIENT_SECRET=...

And add the new Hydra ones:

    HYDRA__ADMIN_URL=https://hydra-admin.getbindu.com
    HYDRA__PUBLIC_URL=https://hydra.getbindu.com
    AUTH__ENABLED=true
    AUTH__PROVIDER=hydra

3. Update your agent config

    auth:
      enabled: true
      provider: hydra  # this is the only option now

4. Start your agent

On first boot, your agent signs itself up in Hydra using its DID as the client_id. You don’t have to do anything.

5. Grab a token to test it

    curl 'https://hydra.getbindu.com/oauth2/token' \
      -d 'grant_type=client_credentials' \
      -d 'client_id=YOUR_DID' \
      -d 'client_secret=YOUR_SECRET'

If you’re on Cognito, there’s no shortcut — you’ll need to set up Hydra from scratch and point your agents there.