No, a user's password hash cannot be accessed in the settings webhook. The settings webhook in Ory Kratos is used for triggering custom logic after a user has updated their settings, such as revoking active sessions after a password change. However, it does not provide access to sensitive information like password hashes. For security reasons, password hashes are typically not exposed through webhooks or APIs. In Ory Kratos, password hashes can be imported when creating or updating an identity, but they are not retrievable through the API or webhooks. For more information, you can refer to the [Ory Kratos documentation](https://www.ory.sh/docs/kratos/session-management/revoke-sessions-hook) on session management and settings webhooks.

@chilly-king-10285 I want to detect when a user has changed their password, what's the best way to do that?

The best way to detect when a user has changed their password in Ory Kratos is to use the

after

settings hook. You can add the

revoke_active_sessions

action to the

hooks

configuration in the settings flow. This action will be triggered when a user successfully changes their account settings, including their password. Here is an example of how to configure this in your

config.yml

file:

yaml selfservice:     flows:       settings:         after:           password:             hooks:               - hook: revoke_active_sessions

This configuration will revoke all active sessions of a user after they change their password, effectively logging them out of all devices. This is a common security measure to ensure that any old sessions, potentially in the hands of malicious actors, are invalidated when the password is changed. For more information, you can refer to the [Ory Kratos documentation](https://www.ory.sh/docs/kratos/session-management/revoke-sessions-hook) on session management and settings hooks.

To send an email to a user notifying them that their password has been changed, you can use the

after

settings hook in Ory Kratos to trigger a custom action. This custom action could be a webhook that sends an email to the user. However, the specific implementation of this custom action is not detailed in the provided knowledge sources. You would need to create a custom hook that sends an email when triggered. Here is an example of how you might configure this in your

config.yml

file:

yaml selfservice:     flows:       settings:         after:           password:             hooks:               - hook: custom_email_hook

In this example,

custom_email_hook

would be a custom hook you've created that sends an email to the user when their password is changed. For more information on how to create and configure hooks in Ory Kratos, you can refer to the [Ory Kratos documentation](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#invalidate-other-sessions) on hooks.