Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

It seems RecoveryURL has disappeared from email templates (in Kratos V1.2.0). I understand the CORS issues, I believe there is a security issue too though I am not clear what this is.
Is it likely that the ValidationURL will disappear from validation email templates also?

The variable was included for `link` recovery, but for `code`  it was never there. Nothing changed in Kratos v1.2. in that regard.

The security issue is, that we need to invalidate the link after it has been visited, because otherwise, someone could obtain the link, and get a valid session out of it. However, email scanners sometimes open links in emails to check their content, invalidating the recovery link, making recovery not possible for some users.

For verification (I assume you mean that by `ValidationURL` ), this is not the case, so it won't go away.

Thank you for explaining. Thats great - its quite possible that rather than  the feature disappearing we just had some bugs in our templates (still in the testing phase).
Thanks very much