diff --git a/.schema/config.schema.json b/.schema/config.schema.json
index 9080c7c48ae..ffbdf180f3f 100644
--- a/.schema/config.schema.json
+++ b/.schema/config.schema.json
@@ -612,6 +612,14 @@
             "DEPRECATED_HIERARCHICAL_SCOPE_STRATEGY"
           ],
           "default": "wildcard"
+        },
+        "access_token": {
+          "type": "string",
+          "description": "Defines access token type. jwt is a bad idea, see https://www.ory.sh/docs/hydra/advanced#json-web-tokens",
+          "enum": [
+            "opaque",
+            "jwt"
+          ]
         }
       }
     },
diff --git a/driver/configuration/provider_viper_test.go b/driver/configuration/provider_viper_test.go
index 286c1eaebf9..63c246349e6 100644
--- a/driver/configuration/provider_viper_test.go
+++ b/driver/configuration/provider_viper_test.go
@@ -212,6 +212,7 @@ func TestViperProviderValidates(t *testing.T) {
 
 	// strategies
 	assert.Equal(t, "exact", c.ScopeStrategy())
+	assert.Equal(t, "opaque", c.AccessTokenStrategy())
 
 	// ttl
 	assert.Equal(t, 2*time.Hour, c.ConsentRequestMaxAge())
diff --git a/internal/.hydra.yaml b/internal/.hydra.yaml
index 44da877b3db..bab6758231c 100644
--- a/internal/.hydra.yaml
+++ b/internal/.hydra.yaml
@@ -88,6 +88,7 @@ urls:
 
 strategies:
   scope: exact
+  access_token: opaque
 
 ttl:
   login_consent_request: 2h