Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

I am not sure I understand how to use the recovery code generated by  CreateRecoveryCodeForIdentity() in the admin API.
The UI needs a FlowID in order to pass in the recovery code, and this is rejected with an error if the user has not yet requested a recovery via Email,
However if we request recovery via an Email, the recovery code from the Email is valid but the one previously generated by the admin API is no longer valid (has been overwritten?)

How should I apply the recovery code generated via the Admin API?
My hope was that an Administrator could generate a 6 digit recovery code for a user and tell them this over the telephone, to allow them to regain access to their account.
We need this because some of our customers refuse to allow their systems to send Email or SMS, but still want password recovery.

To reply to myself.
It seems the admin API returns a URL which contains the FlowID for an Admin UI to use. If it is assumed that the admin interface is a browser.
This is a shame and breaks the use-case we hoped for (the password recovery side channel is a telephone call to an admin), but thats how it is.