<@U04UQ68083H> After verifying the code in recover...
# ory-copilot
@chilly-king-10285 After verifying the code in recovery flow I got the settings flow with the privileged session of the user. Now how to update the password using this settings flow?
A message from kapa.ai
To update the password using the settings flow, you need to make a `POST` request to the `/self-service/settings` endpoint. This endpoint behaves differently for API and browser flows. For API-initiated flows, you need to send `application/json` in the body of the request. The response will be HTTP 200 and an application/json body with the session token on success. If the original flow expired, you will get an HTTP 303 redirect to a fresh settings flow with the appropriate error messages set. If there are form validation errors, you will get an HTTP 400 response. If the endpoint is called without a valid session token, you will get an HTTP 401 response. If `selfservice.flows.settings.privileged_session_max_age` was reached or the session's AAL is too low, you will get an HTTP 403 response, which implies that the user needs to re-authenticate. For browser flows, the responses will be different based on the `Accept` HTTP header. If it's not set or set to `text/*`, you will get an HTTP 303 redirect to the post/after settings URL or the `return_to` value if it was set and if the flow succeeded. If there are validation errors, you will get an HTTP 303 redirect to the Settings UI URL with the flow ID containing the validation errors. If `selfservice.flows.settings.privileged_session_max_age` was reached or the session's AAL is too low, you will get an HTTP 303 redirect to the login endpoint. If the `Accept` HTTP header is set to `application/json`, you will get HTTP 200 and an application/json body with the signed-in identity and a `Set-Cookie` header on success. If the original flow expired, you will get an HTTP 303 redirect to a fresh login flow with the appropriate error messages set. If the endpoint is called without a valid session cookie, you will get an HTTP 401 response. If the page is accessed without a session cookie or the session's AAL is too low, you will get an HTTP 403 response. If there are form validation errors, you will get an HTTP 400 response. Here is an example of how to make the request:
```bash
# The settings flow is created first with GET /self-service/settings/api;
# the form is then submitted to /self-service/settings?flow=<flow-id>,
# using the ID of that flow.
curl -s -X POST \
  -H "Authorization: Bearer $sessionToken" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{
    "password": "new_password",
    "method": "password"
  }' \
  "https://playground.projects.oryapis.com/self-service/settings?flow=<your-flow-id>"
```
Please replace `new_password` with the new password you want to set and `$sessionToken` with the session token you received. For more information, please refer to the [Ory API Reference](https://www.ory.sh/docs/reference/api) and [Ory Kratos User Settings & Profile Management Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-settings).
@chilly-king-10285 How will I get the session token?
A message from kapa.ai
You can obtain a session token when a user authenticates through a client other than a web browser, such as a native mobile app. When the user authenticates, for example by signing in with their username and password, they receive a session. This session can be issued in the form of an Ory Session Token. To get the session payload, you can send a request to the `/sessions/whoami` endpoint. Here's an example of how to do this using cURL:
```bash
curl 'https://{project.slug}.projects.oryapis.com/sessions/whoami' \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer {session_token}'
```
Replace `{project.slug}` with your project's slug and `{session_token}` with the session token you have. For native applications such as desktop applications, mobile applications, or terminal-based apps that do not run inside a browser, session tokens should be used instead of session cookies. You can also check the current session using the Ory SDK in Go or TypeScript. Here's an example in Go:
```go
package frontend

import (
	"context"
	"fmt"
	"os"

	client "github.com/ory/client-go"
)

// ory is the shared API client; it is configured in init() from ORY_PROJECT_SLUG.
var ory *client.APIClient

type oryMiddleware struct {
	ory *client.APIClient
}

func init() {
	cfg := client.NewConfiguration()
	cfg.Servers = client.ServerConfigurations{
		{URL: fmt.Sprintf("https://%s.projects.oryapis.com", os.Getenv("ORY_PROJECT_SLUG"))},
	}

	ory = client.NewAPIClient(cfg)
}

// CheckSession looks up the session that belongs to sessionToken by calling
// /sessions/whoami with the X-Session-Token header.
func CheckSession(ctx context.Context, sessionToken string) (session *client.Session, err error) {
	session, _, err = ory.FrontendApi.ToSession(ctx).
		XSessionToken(sessionToken).
		Execute()
	if err != nil {
		// the session could not be verified, for example because the token is expired or invalid
		return nil, err
	}

	return session, nil
}
```
Replace `{ORY_PROJECT_SLUG}` with your project's slug and `sessionToken` with the session token you have. For more information, please refer to the [Ory Session Management Documentation](https://www.ory.sh/docs/kratos/session-management/overview) and the [Ory API Reference](https://www.ory.sh/docs/kratos/reference/api).
@chilly-king-10285 how to send the `application/json` in the body of the request for API-initiated flows?
A message from kapa.ai
To send `application/json` in the body of the request for API-initiated flows, you need to set the `Content-Type` header to `application/json` and provide the JSON data in the body of the request. Here is an example using cURL:
```bash
# The settings flow is created first with GET /self-service/settings/api;
# the form is then submitted to /self-service/settings?flow=<flow-id>,
# using the ID of that flow.
curl -X POST \
  "https://playground.projects.oryapis.com/self-service/settings?flow=<your-flow-id>" \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $sessionToken" \
  -d '{
    "password": "new_password",
    "method": "password"
  }'
```
In this example, replace `$sessionToken` with your session token and `new_password` with the new password you want to set. The `-H` flag is used to set the headers, and the `-d` flag is used to provide the data in the body of the request. The data is a JSON object that contains the new password and the method, which is set to `password`. For more information, please refer to the [Ory API Reference](https://www.ory.sh/docs/reference/api).
@chilly-king-10285 for the recovery flow
A message from kapa.ai
To send `application/json` in the body of the request for API-initiated recovery flows, you need to set the `Content-Type` header to `application/json` and provide the JSON data in the body of the request. Here is an example using cURL:
```bash
# The recovery flow is created first with GET /self-service/recovery/api;
# the form is then submitted to /self-service/recovery?flow=<flow-id>,
# using the ID of that flow.
curl -X POST \
  "https://playground.projects.oryapis.com/self-service/recovery?flow=<your-flow-id>" \
  -H 'Content-Type: application/json' \
  -d '{
    "email": "user@example.com",
    "method": "link"
  }'
```
In this example, replace `user@example.com` with the email of the user who wants to recover their account. The `method` is set to `link`, which means a recovery link will be sent to the user's email. The `-H` flag is used to set the headers, and the `-d` flag is used to provide the data in the body of the request. The data is a JSON object that contains the user's email and the recovery method. For more information, please refer to the [Ory API Reference](https://www.ory.sh/docs/reference/api).
@chilly-king-10285 how to verify the code using the api flow instead of the browser flow in the recovery flow
A message from kapa.ai
To verify the code using the API flow in the recovery flow, you need to make a `POST` request to the `/self-service/recovery` endpoint. You should include the `method`, `email`, and `code` in the body of the request. Here is an example using cURL:
```bash
curl -X POST \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d '{"method":"code","email":"user@example.com","code":"your-code"}' \
  "https://{project.slug}.projects.oryapis.com/self-service/recovery?flow=<your-flow-id>"
```
In this example, replace `user@example.com` with the email of the user who wants to recover their account, `your-code` with the code the user received, `{project.slug}` with your project's slug, and `<your-flow-id>` with the ID of your recovery flow. The `-H` flag is used to set the headers, and the `-d` flag is used to provide the data in the body of the request. The data is a JSON object that contains the recovery method, the user's email, and the code. For more information, please refer to the [Ory API Reference](https://www.ory.sh/docs/reference/api).