# talk-kratos
b
hi I want to set verifiable_addresses[0] as verified in a post recovery webhook. I follow this guide: https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks#update-verification-or-recovery-addresses the webhook returns a 200 OK with application/json for content-type with the following body
```json
{
  "identity": {
    "verifiable_addresses": [
      {
        "status": "completed",
        "value": "<email-here>",
        "verified": true,
        "via": "email"
      }
    ]
  }
}
```
however, if I do a whoami call I see that the verifiable addresses are not updated. Have I missed something?
b
Iirc, that should happen automatically, once the user completed the recovery, does it not?
b
what does it mean to complete the recovery flow here? I've clicked on the recovery url and ended up on the recovery page we have, but not set any password or anything like that
b
Yes, that should already have marked the address as verified.
b
I'm following this guide: https://www.ory.sh/docs/kratos/manage-identities/invite-users creating an account via admin api and send the recovery link over email, then the user clicks the recovery link to end up on the recovery page
just tried again by creating a new account and send the recovery link -> click recovery link (webhook is triggered with the response above), but still not verified 😓
looks like https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks#update-verification-or-recovery-addresses is sending more than just the `verifiable_addresses` field; should I also include traits, schema_id, id, ... and other fields?
so looks like it's only possible to modify identity in a webhook during registration and settings, not recovery?
b
I think so, but can you try without the webhook entirely? As I said, I think it should verify the address automatically. Also can you post the Identity schema?
b
> can you try without the webhook entirely?
Not sure what you mean here? Only other way to get verified address would be to complete a verification flow? schema:
```json
{
  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email": {
          "type": "string",
          "format": "email",
          "title": "E-Mail",
          "minLength": 3,
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            },
            "verification": {
              "via": "email"
            },
            "recovery": {
              "via": "email"
            }
          }
        },
        "name": {
          "type": "object",
          "properties": {
            "first": {
              "title": "First Name",
              "type": "string",
              "minLength": 1
            },
            "last": {
              "title": "Last Name",
              "type": "string",
              "minLength": 1
            }
          },
          "required": [
            "first",
            "last"
          ]
        }
      },
      "required": [
        "email"
      ],
      "additionalProperties": false
    }
  }
}
```
b
> Only other way to get verified address would be to complete a verification flow?
No, it’s built into the recovery flow, to also verify the address. See here: https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#account-recovery-address (At least it should, it might not work for the admin API initiated recovery links.)
b
> (At least it should, it might not work for the admin API initiated recovery links.)
Alright, would be nice to know if it's treated different for admin API initiated recovery links 🙂 My end goal is to make a user be verified and "ready" to use our application by clicking on the recovery link from e-mail and set up password or SSO. So I think I can perhaps verify the user during post settings webhook instead when updating the credentials, and I think I'll achieve what I want(?)
b
Hm, okay it’s only done for self-service recovery, as we don’t strictly have the confirmation that the user actually received an email on the address, when using the Admin API to generate the code. Can you post your webhook configuration?
b
```yaml
hooks:
- config:
    auth:
      config:
        in: header
        name: Authorization
        value: Bearer <redacted>
      type: api_key
    body: # link to jsonnet: {user_id: string}
    can_interrupt: false
    method: POST
    response:
      ignore: false
      parse: true
    url: # our verify login endpoint
  hook: web_hook
```
under recovery.after.hooks
> as we don’t strictly have the confirmation that the user actually received an email on the address, when using the Admin API to generate the code.
if you expose the recovery link over email to that user and they click it, wouldn't that confirm that they are the owner of that email?
b
Yes, but Kratos doesn’t know how that link got to the user. Might’ve been via some other means, such as a chat message. So it wouldn’t be semantically correct to assume verification here. I guess ultimately the recovery hooks should be able to update the identity. If it doesn’t that sounds like a bug.
b
okay, makes sense. I'll try to update from the settings hook instead of recovery hook and see if that solves my issues. 🙂 Because of this info message I guess it's not currently possible via recovery
b
Ah, right. Yes, seems like it then. Sorry.
b
Just a short follow-up, so I managed to get it working with a post settings webhook. Some observations:
• had to set post settings password webhook. The "any" did not trigger my webhook (only when I moved it to after updating password)
• Think changing webhook via the frontend https://console.ory.sh/projects/slug/developers/actions cleared the bearer token value? When I called `ory get identity-config` the value was blank. Had to update via cli to make it work
• Also update webhook via the new frontend looks great, but for us with crappy GPUs the blur makes everything pretty laggy 😛
b
Glad to hear that it works now. I’ll track this internally. Good to know that the blurring is causing issues, we’ll investigate that.