# Ory SSO

Use this guide when your organization signs in with Ory Network or Ory Hydra. Lettermint connects to an Ory OAuth2/OpenID Connect client.

## Before you start

You need access to the Ory project that should own the OAuth2 client. Create a client that supports the authorization code flow and register the Lettermint OIDC callback URL from the SSO guide as a redirect URI.

## Ory setup

1. Open the Ory Console or use the Ory CLI.
2. Create an OAuth2 client for Lettermint.
3. Enable the authorization code grant and the `code` response type.
4. Add the Lettermint OIDC callback URL from the SSO guide as a redirect URI.
5. Allow the `openid`, `email`, and `profile` scopes.
6. Copy the client ID and client secret.

## Lettermint setup

In the Lettermint SSO setup screen, choose **Ory** and enter:

| Field | Value |
|-------|-------|
| Domain | Your managed email domain, for example `example.com`. |
| Metadata URL | `https://{project}.projects.oryapis.com/.well-known/openid-configuration` |
| Client ID | The Ory OAuth2 client ID. |
| Client secret | The Ory OAuth2 client secret. |

For self-hosted Ory Hydra, use the public issuer URL for your deployment.
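
Before saving the Metadata URL, it is worth confirming that the discovery document behind it matches the client settings from the Ory setup steps. The check below is an added example, not Lettermint or Ory code; the function name `check_metadata`, the `example-project` slug and the sample document are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_SCOPES = {"openid", "email", "profile"}  # scopes from step 5 of the Ory setup
HTTPS_FIELDS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_metadata(metadata_url, doc):
    """Return a list of problems; an empty list means the document fits the guide."""
    problems = []
    if urlsplit(metadata_url).scheme != "https":
        problems.append("metadata URL is not https")
    if not metadata_url.endswith(WELL_KNOWN):
        return problems + ["metadata URL does not end in " + WELL_KNOWN]
    # OIDC Discovery: the issuer is the metadata URL without the well-known suffix.
    expected = metadata_url[: -len(WELL_KNOWN)].rstrip("/")
    if str(doc.get("issuer", "")).rstrip("/") != expected:
        problems.append("issuer does not match the metadata URL")
    # grant_types_supported defaults to authorization_code + implicit when omitted.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("authorization_code grant not supported")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' not supported")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    for field in HTTPS_FIELDS:
        if urlsplit(str(doc.get(field, ""))).scheme != "https":
            problems.append(field + " is missing or not https")
    return problems


# Constructed sample data: "example-project" is a placeholder project slug.
BASE = "https://example-project.projects.oryapis.com"
SAMPLE_URL = BASE + WELL_KNOWN
SAMPLE_DOC = {
    "issuer": BASE,
    "authorization_endpoint": BASE + "/oauth2/auth",
    "token_endpoint": BASE + "/oauth2/token",
    "jwks_uri": BASE + "/.well-known/jwks.json",
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "response_types_supported": ["code"],
    "scopes_supported": ["openid", "email", "profile", "offline_access"],
}

if __name__ == "__main__":
    for line in check_metadata(SAMPLE_URL, SAMPLE_DOC) or ["ok"]:
        print(line)
```

To check a real deployment, pass the JSON fetched from your own Metadata URL as `doc`; an issuer mismatch usually means the URL points at an internal or admin hostname rather than the public issuer.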

## References

- [Ory: OAuth2 and OpenID Connect](https://www.ory.com/docs/network/hydra)
- [Ory: Run your own OAuth2 server](https://www.ory.com/blog/run-oauth2-server-open-source-api-security)
