diff --git a/dev/ory/hydra.yml b/dev/ory/hydra.yml new file mode 100644 index 00000000000..8d69cc1d243 --- /dev/null +++ b/dev/ory/hydra.yml @@ -0,0 +1,22 @@ +serve: + cookies: + same_site_mode: Lax + +urls: + self: + issuer: http://127.0.0.1:4444 + consent: http://127.0.0.1:3000/consent + login: http://127.0.0.1:3000/login + logout: http://127.0.0.1:3000/logout + +secrets: + system: + - youReallyNeedToChangeThis + +oidc: + subject_identifiers: + supported_types: + - pairwise + - public + pairwise: + salt: youReallyNeedToChangeThis diff --git a/dev/ory/oathkeeper.yml b/dev/ory/oathkeeper.yml index 27510f19ce5..5f30144fcc6 100644 --- a/dev/ory/oathkeeper.yml +++ b/dev/ory/oathkeeper.yml @@ -19,6 +19,7 @@ authenticators: jwks_urls: - https://firebaseappcheck.googleapis.com/v1beta/jwks - file:///home/ory/jwks.json # ONLY FOR DEV, DO NOT USE IN PRODUCTION + bearer_token: enabled: true config: @@ -27,6 +28,11 @@ authenticators: subject_from: identity.id extra_from: identity.traits + oauth2_introspection: + enabled: true + config: + introspection_url: http://hydra:4445/admin/oauth2/introspect + anonymous: enabled: true config: @@ -54,7 +60,7 @@ mutators: config: jwks_url: file:///home/ory/jwks.json issuer_url: "galoy.io" - claims: '{"sub": "{{ print .Subject }}" }' + claims: '{"sub": "{{ print .Subject }}", card: "{{ print .Ext.card }}" }' noop: enabled: true diff --git a/dev/ory/oathkeeper_rules.yaml b/dev/ory/oathkeeper_rules.yaml index 413c8fc80f8..79d30bc469c 100644 --- a/dev/ory/oathkeeper_rules.yaml +++ b/dev/ory/oathkeeper_rules.yaml @@ -49,6 +49,9 @@ preserve_query: true subject_from: identity.id extra_from: identity.traits + - handler: oauth2_introspection + config: + introspection_url: http://hydra:4445/admin/oauth2/introspect - handler: bearer_token config: check_session_url: http://kratos:4433/sessions/whoami diff --git a/docker-compose.override.yml b/docker-compose.override.yml index 85cc2966aae..62b4d303938 100644 --- a/docker-compose.override.yml 
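Review bot: `secrets.system` and `oidc.subject_identifiers.pairwise.salt` are both the literal placeholder `youReallyNeedToChangeThis`, and the same string serves as the system secret and the pairwise salt; because this file is bind-mounted into the hydra container from dev/ory, each of those two lines should carry the marker the repo already uses in oathkeeper.yml, e.g. `- youReallyNeedToChangeThis # ONLY FOR DEV, DO NOT USE IN PRODUCTION`, so it is not copied into a non-dev config. `urls.self.issuer` is plain http on 127.0.0.1, which presumably only works because docker-compose.yml starts Hydra with `serve ... --dev`; a one-line comment stating that dependency would tie the two files together for the next reader.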
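Review bot: The new `oauth2_introspection` authenticator configures only `introspection_url`, so every active Hydra access token is accepted regardless of its scope, audience or issuer; the authenticator's `required_scope`, `target_audience` and `trusted_issuers` options are where the gateway can reject tokens minted for other purposes, and the same gap exists in the per-rule handler added in dev/ory/oathkeeper_rules.yaml. The URL is plain http to Hydra's admin port over the compose network, which is fine for this dev setup but deserves the same `# ONLY FOR DEV, DO NOT USE IN PRODUCTION` marker the jwks file entry a few lines above already carries.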
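Review bot: The `card` key in the rewritten claims template is unquoted, so the mutator renders `{"sub": "...", card: "..." }`, which is not valid JSON and will presumably make the id_token mutator fail on every request; the line should read `claims: '{"sub": "{{ print .Subject }}", "card": "{{ print .Ext.card }}" }'`. Separately, requests authenticated by handlers that do not put a `card` entry into extra (the kratos session path uses `identity.traits`) will likely render whatever `print .Ext.card` yields for a missing map key rather than omit the claim — worth confirming against the template engine and guarding in the template if the id_token consumer treats `card` as mandatory.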
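Review bot: The rule's authenticator list now places `oauth2_introspection` ahead of `bearer_token`, so — if Oathkeeper tries authenticators in list order until one succeeds, as I believe it does — every Kratos session token on this route first costs a round-trip to `hydra:4445` that comes back inactive before the `check_session_url` lookup runs. If Kratos session traffic dominates on this route, listing `bearer_token` first avoids that extra call; if the ordering is deliberate, a short comment above `- handler: oauth2_introspection` saying so would prevent it being "fixed" later. The enclosing rule starts before this hunk.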
+++ b/docker-compose.override.yml @@ -87,3 +87,7 @@ services: fulcrum: ports: - "50001:50001" + hydra: + ports: + - "4444:4444" # Public port + - "4445:4445" # Admin port diff --git a/docker-compose.yml b/docker-compose.yml index 60fb68629ac..dd1ff9c6550 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -21,6 +21,8 @@ services: - otel-agent - oathkeeper - mailslurper + - hydra + # - consent restart: on-failure:10 integration-deps: image: busybox @@ -371,3 +373,41 @@ services: - SSL_CERTFILE=/tls.cert - SSL_KEYFILE=/tls.key command: ["Fulcrum", "/fulcrum.conf"] + hydra: + image: oryd/hydra:v2.1.2 + command: serve -c /home/ory/hydra.yml all --dev + volumes: + - type: bind + source: dev/ory + target: /home/ory + environment: + - DSN=postgres://hydra:secret@postgresdhydra:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4 + restart: unless-stopped + depends_on: + - hydra-migrate + - postgresdhydra + hydra-migrate: + image: oryd/hydra:v2.1.2 + environment: + - DSN=postgres://hydra:secret@postgresdhydra:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4 + command: migrate -c /home/ory/hydra.yml sql -e --yes + volumes: + - type: bind + source: dev/ory + target: /home/ory + restart: on-failure + depends_on: + - postgresdhydra + # consent: + # environment: + # - HYDRA_ADMIN_URL=http://hydra:4445 + # image: oryd/hydra-login-consent-node:v2.1.2 + # ports: + # - "3000:3000" + # restart: unless-stopped + postgresdhydra: + image: postgres:14.1 + environment: + - POSTGRES_USER=hydra + - POSTGRES_PASSWORD=secret + - POSTGRES_DB=hydra \ No newline at end of file diff --git a/scripts/hydra.sh b/scripts/hydra.sh new file mode 100644 index 00000000000..804e9bdd6e5 --- /dev/null +++ b/scripts/hydra.sh 
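Review bot: `"4445:4445"` publishes Hydra's admin API on every host interface, while the helper script in scripts/hydra.sh only ever talks to 127.0.0.1; binding it to loopback, `- "127.0.0.1:4445:4445" # Admin port`, keeps the same developer workflow without exposing client-management and introspection endpoints to whatever network the dev machine is on. The public port can stay as it is, though `"127.0.0.1:4444:4444"` would match the `http://127.0.0.1:4444` issuer configured in dev/ory/hydra.yml.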
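Review bot: `hydra` lists `hydra-migrate` under `depends_on`, but the short service-name form only orders container start, so `hydra serve` can come up before the migrations finish and then leans on `restart: unless-stopped` to crash-loop until the schema exists; if the project's compose version supports the long form, `condition: service_completed_successfully` on the migrate job states the intent directly. The DSN with `hydra:secret` is duplicated verbatim between `hydra` and `hydra-migrate`, so a single top-level `x-` extension field or an env file would keep the two in sync. The new final line `- POSTGRES_DB=hydra` is missing its trailing newline, and the commented-out `consent` service (plus `# - consent` in this file's first hunk) is dead configuration that should either carry a TODO explaining when it gets enabled or be dropped.
```yaml
  hydra:
    # … unchanged: image, command, volumes, environment, restart …
    depends_on:
      hydra-migrate:
        condition: service_completed_successfully
      postgresdhydra:
        condition: service_started
```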
@@ -0,0 +1,32 @@
+# brew install ory-hydra
+
+code_client=$(hydra create client \
+ --endpoint http://127.0.0.1:4445 \
+ --grant-type authorization_code,refresh_token \
+ --response-type code,id_token \
+ --format json \
+ --scope openid --scope offline \
+ --redirect-uri http://127.0.0.1:5555/callback
+)
+
+code_client_id=$(echo $code_client | jq -r '.client_id')
+code_client_secret=$(echo $code_client | jq -r '.client_secret')
+
+# this simulate the front end client.
+# would be mobile app for adding a boltcard
+hydra perform authorization-code \
+ --client-id $code_client_id \
+ --client-secret $code_client_secret \
+ --endpoint http://127.0.0.1:4444/ \
+ --port 5555 \
+ --scope openid --scope offline
+
+
+hydra introspect token \
+ --format json-pretty \
+ --endpoint http://127.0.0.1:4445/ \
+ TOKEN
+# OR
+curl -X POST http://localhost:4445/admin/oauth2/introspect -d token=ory_at_TOKEN
+
+curl -I -X POST http://localhost:4456/decisions/graphql -H 'Authorization: Bearer ory_at_TOKEN'
\ No newline at end of file
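Review bot: The script has no shebang and no `set -euo pipefail`, so when `hydra create client` fails, `code_client` is empty and `hydra perform authorization-code` proceeds with empty `--client-id`/`--client-secret` arguments; `$code_client`, `$code_client_id` and `$code_client_secret` are also unquoted, letting the shell word-split and glob-expand the JSON before jq sees it. A header of `#!/usr/bin/env bash` and `set -euo pipefail`, with the extraction written as `code_client_id=$(printf '%s' "$code_client" | jq -r '.client_id')` (and the same for the secret), fixes both. The client secret is handed to `hydra perform` on the command line, so it ends up in shell history and process listings — acceptable for a disposable dev client, but a comment saying the client is throwaway would make that explicit. The `TOKEN` and `ory_at_TOKEN` values in the last three commands are clearly meant to be filled in by hand; a comment marking them as placeholders would spare a first-time reader a confusing failed call.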