limited-city-59768
02/13/2024, 5:56 AM

chilly-king-10285
02/13/2024, 5:57 AM

chilly-king-10285
02/13/2024, 5:58 AM
`token` in your recovery link is a part of the recovery process in Ory. It is a random string that completes the recovery request. In your case, the token is `IkIvcsiL4j1CdW2ZFPEBTcgFdk7MXMk8`. This token is usually set in a link and not used by any direct API call. If the token is invalid (e.g., expired), an error will be shown to the end-user.

Here is the relevant extract from the documentation:

|Name|In|Type|Required|Description|Schema|
|---|---|---|---|---|---|
|token|query parameter|string|False|Recovery Token The recovery token which completes the recovery request. If the token is invalid (e.g. expired) an error will be shown to the end-user. This parameter is usually set in a link and not used by any direct API call.|{'type': 'string'}|

[Source](https://www.ory.sh/docs/kratos/reference/api)

limited-city-59768
02/13/2024, 5:59 AM

chilly-king-10285
02/13/2024, 5:59 AM

chilly-king-10285
02/13/2024, 5:59 AM
`token` in your recovery link is not a session token. It's a recovery token used specifically for the recovery process. A session token, on the other hand, is used to maintain user sessions and can be used in place of session cookies for applications that do not support cookies. Session tokens contain authentication information that is used to validate the user's identity and provide access to protected resources. In Ory, session tokens are prefixed with the `ory_st_` prefix.

Here are the relevant extracts from the documentation:

For session tokens:

Ory session tokens are used to maintain user sessions and can be used in place of session cookies for applications that do not support cookies. Session tokens contain authentication information that is used to validate the user's identity and provide access to protected resources. Ory session tokens are prefixed with the `ory_st_` prefix, which makes them easily identifiable and distinguishes them from other types of tokens.

[Source](https://www.ory.sh/docs/security-compliance/token-formats#ory-session-tokens)

For recovery tokens:

|Name|In|Type|Required|Description|Schema|
|---|---|---|---|---|---|
|token|query parameter|string|False|Recovery Token The recovery token which completes the recovery request. If the token is invalid (e.g. expired) an error will be shown to the end-user. This parameter is usually set in a link and not used by any direct API call.|{'type': 'string'}|

[Source](https://www.ory.sh/docs/kratos/reference/api)

limited-city-59768
02/13/2024, 6:00 AM

chilly-king-10285
02/13/2024, 6:00 AM

chilly-king-10285
02/13/2024, 6:00 AM
`/self-service/recovery/browser` and for native applications, use `/self-service/recovery/api`. Here's an example using cURL for a browser application:

```bash
curl -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -c cookies.txt \
  "https://{project.slug}.projects.oryapis.com/self-service/recovery/browser"
```

[Source](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#recovery)

2. The system will send a recovery link or a one-time code to the recovery address defined by the user. The link or code will contain the recovery token.
3. The user must access the link or enter the code they received to confirm their identity and ownership of the account. This will lead to a privileged session and the user will be taken to their account's settings page.
4. On the settings page, the user must create a new password to regain access to their account.

Remember, the recovery flow doesn't reset the user's second authentication factor.

For updating the recovery flow, you can use the `POST /self-service/recovery` endpoint. This endpoint behaves differently for API and browser flows and has several states. More information can be found at [Ory Kratos Account Recovery Documentation](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset).

Please note that the actual implementation may vary depending on your application's specific requirements and setup.

limited-city-59768
02/13/2024, 6:10 AM

chilly-king-10285
02/13/2024, 6:10 AM

chilly-king-10285
02/13/2024, 6:11 AM
`getSettingsFlow` and `getRecoveryFlow` methods respectively. However, based on the provided extracts, there's no direct information on how to retrieve the session token using a recovery token.

Here's how you can retrieve the settings flow ID:

1. Send a GET request to the `/self-service/settings/flows` endpoint with the flow ID as a query parameter. The flow ID is usually stored in the `?flow=` URL query parameter in your application.

```bash
curl -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -c cookies.txt \
  "https://{project.slug}.projects.oryapis.com/self-service/settings/flows?id=<your-flow-id>"
```

[Source](https://www.ory.sh/docs/reference/api)

The response will contain the settings flow ID in the `id` field.

As for the session token, it's typically provided when a session is created or authenticated, such as during login or registration. The session token is then used for subsequent authenticated requests. However, the provided extracts do not contain specific information on retrieving a session token using a recovery token. For more detailed information, you may want to refer to the [Ory Kratos documentation](https://www.ory.sh/docs/kratos/).