I can see that they are matching though. FXnZesBpwbplT9daaNs5rOGI0WOMJZiQOBvtfWEcgCQ= FXnZesBpwbplT9daaNs5rOGI0WOMJZiQOBvtfWEcgCQ= on both ports. 5173 and 4433/4455 . could be a silly mistake like the docker cache 😕 gosh

why is this happening. the csrf token in the cookies are same, but the one in request body is different. I found https://github.com/ory/kratos/discussions/1579 , but this is not my issue

How to debug verification mail sending. I used the config from the kratos/quickstart.yml . But email doesn't arrive

How is migrations between different ory versions handled in production. Will breaking changes be introduced? Also would like to setup a call with you guys sometime, to understand support plans. Since its a critical piece. We can manage some of the things like database cleanup, caching in redis. etc ourself. Please do let me know! 🙂

hey team, nice to meet you. i'm playing around with oauth2 from ORY IDP and i'm trying to create an identity over REST API based on this https://www.ory.sh/docs/kratos/manage-identities/create-users-identities with a token generated by /oauth2/token based on this https://www.ory.sh/docs/oauth2-oidc/client-credentials. i keep getting this response: { "error": { "code": 401, "status": "Unauthorized", "request": "c2d0eae0-5b79-93bd-bc66-27b8cd92c90d", "reason": "Access token is not active", "message": "Access credentials are invalid" } }

The token has "admin" scope and it was added in the OAuth client in the ORY console.

Hi , I'm using Kratos and I am currently trying to pass a transient_payload to the Settings flow. I'm sending this data :

{
  "method": "password",
  "csrf_token": "hSGQXu8ewpBie4kKU0UPYYP84PaB6rJ5tcYtgIF1o+QztLIoigO+W+n2ZWYeXqMshyvulaZkyS6A/wiWbzYO9g==",
  "transient_payload": {
    "last_name": "Maxime",
    "first_name": "Test",
    "birthdate": "2025-03-19T23:00:00.000Z",
    "country": "fr",
    "is_invitation_flow": true
  },
  "password": "epicBear99.",
}

Looking at the documentation, this payload is correct. Also, we have already a transient_payload with the Registration flow which is correctly transmitted to an after hook. But unfortunately, with the after hook of the Settings flow, the transient_payload is not transmitted through the hook. Here is the part of my settings kratos configuration :

...

selfservice:
  flows:
    settings:
      ui_url: SOMETHING-TO-OVERRIDE
      privileged_session_max_age: 336h
      required_aal: highest_available
      after:
        hooks:
          - hook: web_hook
            config:
              url: SOMETHING-TO-OVERRIDE
              method: POST
              body: <base64://ZnVuY3Rpb24oY3R4KSB7IGN0eDogY3R4IH0>=
              auth:
                type: api_key
                config:
                  name: X-API-Key
                  value: API_KEY_HOOK
                  in: header
        default_browser_return_url: SOMETHING-TO-OVERRIDE
  methods:
    password:
      enabled: true
    lookup_secret:
      enabled: true
    code:
      enabled: true
    link:
      enabled: true

serve:
  admin:
    base_url: SOMETHING-TO-OVERRIDE
    host: "0.0.0.0"
  public:
    base_url: SOMETHING-TO-OVERRIDE
    cors:
      enabled: true
      allowed_origins:
        - SOMETHING-TO-OVERRIDE
      allowed_headers:
        - Authorization
        - Cookie
        - Content-Type
      exposed_headers:
        - Content-Type
        - Set-Cookie
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE

session:
  lifespan: 336h

For information I use JS sdk 1.8.5 and kratos 1.3.1 Am I doing something wrong with my configuration ? Do we have something to understand really what is going on in Kratos ?

what's the canonical way to implement our own react components in a nextjs 15 app router app? the elements next app router example seems outdated, or at least the published version of

@ory/elements-react

does, and the

@ory/integrations/next

method doesn't actually work for middleware with the

.ory

route to get session data because you can't call relative urls from middleware • https://github.com/ory/elements/blob/main/examples/nextjs-app-router/app/page.tsx • https://www.ory.sh/docs/getting-started/integrate-auth/nextjs

is there a way to check whether a user exists, using the API and our API key/access token (in our backend, not client), via their phone number? like if our registration flow got interrupted before we could store the ory ID in our db, is it possible to retrieve them by phone?

I was looking through the kratos config editor when I came across this (see attached image) I could guess what this does, however I'd really like a description.

Is there a way to delete an unused Workspace & Project?

We are implementing Ory with our Custom UI and running into an issue after we complete our registration flow with an OTP. After we verify the identity, we are trying to force a password change with the recovery flow and then continue with TOTP setup. I am not seeing the documentation for this. Can you point me in the right direction?

Hello, we are using the custom ui for login and it works on staging site but we are having this issue on localhost, where can I add my localhost url to allow it on custom ui login ?,

Array ( [error] => Array ( [id] => security_csrf_violation [code] => 403 [status] => Forbidden [request] => 05af83ac-4c27-953f-8eef-8ccc4ff405d0 [reason] => Please retry the flow and optionally clear your cookies. The request was rejected to protect you from Cross-Site-Request-Forgery (CSRF) which could cause account takeover, leaking personal information, and other serious security issues. [details] => Array ( [docs] => <https://www.ory.sh/kratos/docs/debug/csrf> [hint] => The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token). [reject_reason] => The HTTP Cookie Header was set and a CSRF token was sent but they do not match. We recommend deleting all cookies for this domain and retrying the flow. ) [message] => the request was rejected to protect you from Cross-Site-Request-Forgery ) )

can we allow http for localhost login?

Where can I change the url here: after verification

Do you have an idea on where we can change the url for the continue button ? I want to access verification url without logging in first, accessing it directly but it causes issue with the continue link

Is there a way to switch from single sign-on (SSO) login to login with a password using only a link?

Hello all, we're trying to add sign in with Google and having trouble deciphering the

@ory/client-fetch

code -- are there any examples? At the moment, we have the below code snippet; the

updateLoginFlow

call's network request returns a

422

with a

redirect_browser_to

parameter, but for some reason that isn't returned in the actual ory

client-fetch

call so I can't pass it back to the client to perform the redirect. Note that I'm logging things in the

handleOryCall

script (which is necessary because sometimes these calls throw errors when they actually just succeed with a 400 or similar). Any ideas? Is there a different suggested approach?

const { data: flow } = await handleOryCall<LoginFlow>(
      async () =>
        await ory.createBrowserLoginFlow({
          returnTo: '/login',
        }),
      'initialize Google login flow',
    );

    logger.info('flow');
    logger.info(JSON.stringify(flow, undefined, 2));

    const csrfTokenNode = flow?.ui?.nodes.find(
      (node: UiNode) =>
        node.attributes.node_type === 'input' &&
        (node.attributes as UiNodeInputAttributes).name === 'csrf_token',
    );

    const csrfToken = csrfTokenNode?.attributes
      ? ((csrfTokenNode.attributes as UiNodeInputAttributes).value as string)
      : undefined;

    if (!csrfToken) {
      throw new Error('CSRF token not found in flow');
    }

    const providerNode = flow?.ui?.nodes.find(
      (node: UiNode) =>
        node.attributes.node_type === 'input' &&
        (node.attributes as UiNodeInputAttributes).name === 'provider',
    );

    const providerId = providerNode?.attributes
      ? ((providerNode.attributes as UiNodeInputAttributes).value as string)
      : '';

    const response = await handleOryCall<SuccessfulNativeLogin>(
      () =>
        ory.updateLoginFlow({
          flow: flow?.id ?? '',
          updateLoginFlowBody: {
            method: 'oidc', // OpenID Connect method
            provider: providerId,
            csrf_token: csrfToken,
          },
        }),
      'update login flow to get Google auth',
    );

Heyo I'm back! I was going through the Ory Keto reference config and I came across the

serve.opl

block. I'm not entirely sure what the

serve.opl.write_listen_file

is supposed to do. I suspect that this might have something to do with the

/opl/syntax/check

HTTP endpoint, but the description of that endpoint is pretty vague. Very quickly can someone give me a quick rundown of what this config option is and what it does please :3?

Can I get some confirmation on whether the

webfinger

config block in Hydra implements the WebFinger protocol (RFC 7033) or its just a wrapper for OIDC discovery and JWKS?

Also, Hydra's config editor appears to be broken. I've tested this on safari, chrome, and edge and no dice. Can someone else replicate this to confirm?

Hello team! I am new to Ory and currently investigating how does it work and trying to figure out functionality. I started with Ory Quickstart for next.js application and it worked like a charm locally. Next, I tried to deploy it on Vercel and where I got stuck 😅 When I go to the

/

with my vercel domain I got:

GET <https://eager-franklin-3vbqv90l3p.projects.oryapis.com/sessions/whoami> 401 (Unauthorized)

so, request to whoIam returns 401 and after that I was redirected to welcome page

<https://eager-franklin-3vbqv90l3p.projects.oryapis.com/ui/welcome>

where my session is presented (because I logged in previously). For some reason, on my vercel domain, it can't find the cookie session and redirect to the welcome page (in ory console it's a default path as far as I remember). Previously I had an issue with CORS and I fixed it with this: https://www.ory.sh/docs/guides/cors#enable-cors I think, the issue is a configuration in ory console, But I couldn't figure it out 😓 If I logged out from welcome page and go again to vercel domain, I will be redirected to

<https://eager-franklin-3vbqv90l3p.projects.oryapis.com/ui/login?flow=2175c2df-d424-4497-aba1-bbed122aa473>

after successful signing in, i saw for a moment my vercel domain home page with null sessions and was redirected again to welcome page, because whoami retured 401 any ideas? 🙂 The code is the same as in quickstart:

useEffect(() => {
    // Check if the user is authenticated
    const checkSession = async () => {
      try {
        // Browser automatically includes cookies in the request
        const session = await ory.toSession()
        setSession(session)

        // Get the logout URL once we have a session
        try {
          const { logout_url } = await ory.createBrowserLogoutFlow()
          setLogoutUrl(logout_url)
        } catch (logoutError) {
          console.error("Error creating logout flow:", logoutError)
        }
      } catch (error) {
         console.error("Error ory.toSession()", error)
        // No valid session found, redirect to Ory login
        window.location.href = `${basePath}/ui/login`
      }
    }

    checkSession()
  }, [])

Hello guys a simple question, do you have any good practice on QA automated testing of a UI in the context of a (t)OTP flow ?

Hi, I am currently trying to setup ory for my React SPA using Vite. I have a context file that is wrapping my application. I am running the ory tunnel with

ory tunnel --project <site-id> <http://localhost:5173>

but am experiencing some interesting behaviour. Firstly the redirect consistently takes me to

/ui/welcome

rather than back to

localhost:5173

. I have tried numerous methods for resolving this but nothing consistently works. When I run the ory tunnel and change the base url to

<http://localhost:4000>

it fails to authenticate and send a session token. My page constantly refreshes looking to make a connection. Secondly, I recieve the following error

Property 'logout_url' does not exist on type 'AxiosResponse<LogoutFlow, any>'.

on

const { logout_url } = await ory.createBrowserLogoutFlow();

. To get the type correctly I need to use

const logoutFlow = await ory.createBrowserLogoutFlow();
setLogoutUrl(logoutFlow.data.logout_url);

You may want to update your documentation to reflect this. Hoping someone can provide some advice around the best way to resolve my issues. Thanks I have attached below some relevant code snippets

import { createContext, useContext, useEffect, useState, type JSX } from "react";
import { Configuration, FrontendApi, type Session } from "@ory/client";

interface AuthContextType {
  session: Session | null;
  logoutUrl: string | null;
  loading: boolean;
  error: string | null;
}

const basePath: string = (import.meta.env.VITE_ORY_SDK_URL);

export const ory = new FrontendApi(
  new Configuration({
    basePath,
    baseOptions: {
      withCredentials: true,
    },
  }),
);

const AuthContext = createContext<AuthContextType>({
  session: null,
  logoutUrl: null,
  loading: true,
  error: null,
});

export const useAuth = (): AuthContextType => useContext(AuthContext);

export const AuthProvider = ({ children }: { children: React.ReactNode }): JSX.Element => {
  const [session, setSession] = useState<Session | null>(null);
  const [logoutUrl, setLogoutUrl] = useState<string | null>(null);
  const [loading, setLoading] = useState<boolean>(true);
  const [error, setError] = useState<string | null>(null);

  const fetchSession = async (): Promise<void> => {
    try {
      setLoading(true);
      setError(null);

      const { data: sessionData } = await ory.toSession();
      console.log("Session data:", sessionData);
      setSession(sessionData);

      try {
        const logoutFlow = await ory.createBrowserLogoutFlow();
        setLogoutUrl(logoutFlow.data.logout_url);
      } catch (logoutError) {
        console.error("Error creating logout flow:", logoutError);
      }
    } catch (err) {
      console.error("Error fetching session:", err);
      window.location.href = basePath + "/self-service/login/browser";
    } finally {
      setLoading(false);
    }
  };

  useEffect(() => {
    fetchSession();
  }, []);

  if (loading) {
    return (
      <div className="flex items-center justify-center min-h-screen">
        <div className="animate-spin rounded-full h-32 w-32 border-b-2 border-gray-900"></div>
      </div>
    );
  }

  if (error) {
    return (
      <div className="flex items-center justify-center min-h-screen">
        <div className="text-center">
          <div className="text-red-600 text-xl mb-4">Authentication Error</div>
          <div className="text-gray-600 mb-4">{error}</div>
          <button
            onClick={() => window.location.reload()}
            className="px-4 py-2 bg-blue-500 text-white rounded hover:bg-blue-600"
          >
            Retry
          </button>
        </div>
      </div>
    );
  }

  return (
    <AuthContext.Provider value={{ session, logoutUrl, loading, error }}>
      {children}
    </AuthContext.Provider>
  );
};

export const ProtectedRoute = ({ children }: { children: React.ReactNode }): JSX.Element => {
  const { session, loading } = useAuth();

  if (loading) {
    return (
      <div className="flex items-center justify-center min-h-screen">
        <div className="animate-spin rounded-full h-32 w-32 border-b-2 border-gray-900"></div>
      </div>
    );
  }

  if (!session) {
    return (
      <div className="flex items-center justify-center min-h-screen">
        <div className="text-center">
          <div className="text-xl mb-4">Please log in to access this page</div>
          <button
            onClick={() => {
              window.location.href = basePath + "/self-service/login/browser";
            }}
            className="px-4 py-2 bg-blue-500 text-white rounded hover:bg-blue-600"
          >
            Go to Login
          </button>
        </div>
      </div>
    );
  }

  return <>{children}</>;
};

And the following is how I am attempting to access the

logout_url

for the location of my log out button

const { logoutUrl } = useAuth();

  const handleLogout = (): void => {
    ory
      .createBrowserLogoutFlow()
      .then(({ data }) => {
        if (logoutUrl) {
          window.location.href = data.logout_url;
        } else {
          console.error("Logout URL not available");
        }
      });
  };

I also have questions around configurations. I am using ory cloud and I deploy to multiple environments and I was wondering if there was some kind of config file I could use as part of my

.github/workflows

to configure these environments with a code first approach rather than configuring them in the ory dashboard.

Hi everyone! 👋 I’m working on a Next.js project where I’ve already set up UI components (like

Input

,

Button

, etc.) based on a custom design system. Now I’m planning to integrate Ory for authentication (login). I saw that there’s Ory Elements, and I’m wondering: 👉 Should I use Ory Elements and override its components with my own from the design system? Or 👉 Is there a better/recommended way to customize the UI while still using Ory? Thanks in advance for any guidance! 🙏

hi guys 👋

i am using ory cli for my project - i ahve installed ory on win 11 using scoop, which went well but

ory tunnel --project <slug-id> <http://localhost:3000>

returns below error : Error: No project found with slug or ID <slug-id>

ory use project <project-id>

shows correct projct

ory auth

also shows correct ids except this :

SELECTED WORKSPACE

none