To configure webhooks that are called when an identity is created in Ory, you need to set up an "after registration" webhook. Here's how to do it: ### Creating a Registration Webhook 1. Navigate to Authentication → Actions & Webhooks in the [Ory Console](https://console.ory.sh/projects/current/developers/actions) 2. Click on + Create new Action 3. Choose the "Registration" flow and "After" execution time 4. Configure the webhook URL, method, and other necessary parameters 5. Click on Next to configure authentication and request body details 6. Click on Save action to create your webhook ### Important Configuration Considerations When configuring your webhook, be aware of the following: 1. Hook Order Matters: If you have enabled "Sign in after registration" (which uses the

session

hook), you need to ensure your webhook runs before the session hook. This is because the session hook overwrites any hooks that run after it. As mentioned in a GitHub issue: > The session hook overwrites any other hooks that run after it which is why you don't see a response. [GitHub Issue #361](https://github.com/ory/network/issues/361) 2. Method-Specific Configuration: You can configure webhooks for specific authentication methods (password, OIDC, webauthn) or for all methods. 3. Request Body Customization: You can customize the webhook payload using [Jsonnet](https://jsonnet.org/):

function(ctx) { user_id: ctx.identity.id }

This example sends

{ user_id: {some-id} }

in the request body. ### Using the Ory CLI for Configuration For more precise control, especially to ensure correct hook ordering, use the Ory CLI:

ory patch identity-config {project_id} \   --add '/selfservice/flows/registration/after/password/hooks=[{"config": {...}, "hook": "web_hook"}, {"hook": "session"}]'

Make sure your webhook comes before the session hook in the configuration. ### Example Configuration Here's an example configuration structure:

yaml password:   hooks:   - config:       body: <base64://ENCODED_JSONNET>       can_interrupt: false       method: POST       response:         ignore: false         parse: false       url: <https://your-webhook-url.com>     hook: web_hook   - hook: session

For more details on webhook configuration options and integrations with services like Mailchimp, HubSpot, or Segment, see the [Ory Actions webhook guide](https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks).

I understand you're self-hosting Ory Kratos. In this case, configuring webhooks for identity creation works slightly differently than in the Ory Network. For self-hosted Ory Kratos, you'll need to configure webhooks directly in your Kratos configuration file. Here's how to set up webhooks that trigger when an identity is created: ## Configuring Registration Webhooks in Self-Hosted Kratos You'll need to modify your

kratos.yml

configuration file to add webhook hooks to the registration flow:

yaml selfservice:   flows:     registration:       after:         hooks:           - hook: web_hook             config:               url: <https://your-webhook-endpoint.com>               method: POST               body: <base64://ENCODED_JSONNET>               response:                 parse: false  # Set to true if you want to parse the response               auth:                 type: api_key  # Optional authentication                 config:                   name: Authorization                   value: your-api-key                   in: header

If you want to add the webhook only for specific authentication methods (like password-based registration), you can use:

yaml selfservice:   flows:     registration:       after:         password:           hooks:             - hook: web_hook               config:                 # webhook configuration here

## Available Actions For self-hosted Kratos, you have several actions available: - `web_hook`: Triggers external custom logic - `session`: Signs in the user immediately after account creation - `revoke_active_sessions`: Revokes other active sessions - `require_verified_address`: Requires verified email for sign-in [Available actions](https://www.ory.sh/docs/kratos/hooks/configure-hooks#available-actions) ## Next Steps After configuring webhooks, you might want to: - [Add Two Factor Authentication (2FA) to your App](https://www.ory.sh/docs/kratos/mfa/overview) - [Configure The Password Policy](https://www.ory.sh/docs/concepts/password-policy) - [Fork the Ory Kratos Node.js UI Reference](https://github.com/ory/kratos-selfservice-ui-node) or build a custom UI [Next Steps](https://www.ory.sh/docs/kratos/guides/deploy-kratos-example#next-steps) If you need to export or import configurations between self-hosted Kratos and Ory Network, you can use the Ory CLI:

bash # Export config from Ory Network to use with self-hosted Kratos ory get identity-config --project <project-id> --workspace <workspace-id> --format yaml > identity-config.yaml

[Ory Identities CLI](https://www.ory.sh/docs/guides/cli/identity-cli)

I can see you're encountering an error while running the Kubernetes Helm chart init container for Ory Kratos. This appears to be an issue with SQL migrations. The error suggests that there's a problem creating a unique index called "identity_credential_identifiers_identifier_idx" on the "identity_credential_identifiers" table. This typically happens when you're trying to run migrations on a database that already has some schema elements in place. Here are some steps to resolve this issue: 1. Enable auto-migration in your Helm chart values: Similar to how it's done for Hydra, you can enable auto-migration for Kratos:

yaml    kratos:      automigration:        enabled: true

[Upgrade Using Helm Charts in Kubernetes](https://www.ory.sh/docs/self-hosted/oel/oauth2/upgrade#upgrade-using-helm-charts-in-kubernetes) 2. Run migrations manually before deploying:

bash    kratos migrate sql -e --yes

This command applies SQL migrations to your database. The

-e

flag reads the database connection string from the environment variable DSN, and

--yes

automatically accepts all confirmation prompts. [kratos migrate sql](https://www.ory.sh/docs/kratos/cli/kratos-migrate-sql#kratos-migrate-sql) 3. Check your database configuration: Make sure your DSN (Data Source Name) is correctly configured in your Helm values or as an environment variable. For PostgreSQL, it should look like:

<postgres://user:password@host:port/database?sslmode=disable&max_conns=20&max_idle_conns=4>

[PostgreSQL Configuration](https://www.ory.sh/docs/self-hosted/deployment#postgresql) 4. If using Docker, you can run migrations with:

bash    docker run -e DSN="{your database URL}" oryd/kratos:<version> migrate sql -e

[Running migrations with Docker](https://www.ory.sh/docs/kratos/guides/docker#running-migrations) The error suggests that the index might already exist or there's a conflict with existing database objects. If you're upgrading from a previous version, make sure to back up your database before running migrations. If the issue persists, you might need to check if the index already exists in your database and drop it manually before running the migrations again. Remember to always back up your database before running migrations in a production environment! Would you like more specific guidance on any of these steps?

Certainly! Below is a minimal Docker Compose example for running the latest version of Ory Kratos, based on the official documentation. This setup uses SQLite for simplicity and is suitable for local development. For production, you should use a more robust database like PostgreSQL or MySQL.

yaml version: "3.7"  services:   kratos-migrate:     image: oryd/kratos:v1.1.0     environment:       - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true     volumes:       - ./contrib/quickstart/kratos/email-password:/etc/config/kratos       - kratos-sqlite:/var/lib/sqlite     command: -c /etc/config/kratos/kratos.yml migrate sql -e --yes    kratos:     image: oryd/kratos:v1.1.0     depends_on:       - kratos-migrate     environment:       - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true     ports:       - "4433:4433" # public       - "4434:4434" # admin     volumes:       - ./contrib/quickstart/kratos/email-password:/etc/config/kratos       - kratos-sqlite:/var/lib/sqlite     command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier  volumes:   kratos-sqlite:

Notes: - This example uses the

v1.1.0

tag, which is the latest stable version referenced in the documentation. Always check [Docker Hub](https://hub.docker.com/r/oryd/kratos/tags) for the latest available version and update the tag accordingly. - The configuration files are expected to be in

./contrib/quickstart/kratos/email-password

. You can obtain these by cloning the [Ory Kratos repository](https://github.com/ory/kratos) and checking out the desired version. - For production, use a production-grade database and update the

DSN

accordingly. For more details and advanced setups (including using PostgreSQL or MySQL), refer to the [official Docker guide](https://www.ory.sh/docs/kratos/guides/docker) and [quickstart documentation](https://www.ory.sh/docs/kratos/quickstart#clone-ory-kratos-and-run-it-in-docker) from Ory. If you need a Docker Compose file for a specific database or with additional services (like the self-service UI), let me know!

Certainly! Here is a Docker Compose example for running the latest version of Ory Kratos with CockroachDB as the DSN, based on the official Ory documentation:

yaml version: "3.7"  services:   cockroach:     image: cockroachdb/cockroach:v22.2.4     command: start-single-node --insecure     ports:       - "26257:26257"       - "8080:8080"     volumes:       - cockroach-data:/cockroach/cockroach-data    kratos-migrate:     image: oryd/kratos:v1.1.0     depends_on:       - cockroach     environment:       - DSN=<cockroach://root@cockroach:26257/defaultdb?sslmode=disable>     volumes:       - ./contrib/quickstart/kratos/email-password:/etc/config/kratos     command: -c /etc/config/kratos/kratos.yml migrate sql -e --yes    kratos:     image: oryd/kratos:v1.1.0     depends_on:       - kratos-migrate     environment:       - DSN=<cockroach://root@cockroach:26257/defaultdb?sslmode=disable>     ports:       - "4433:4433" # public       - "4434:4434" # admin     volumes:       - ./contrib/quickstart/kratos/email-password:/etc/config/kratos     command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier  volumes:   cockroach-data:

Instructions: - The configuration files for Kratos are expected in

./contrib/quickstart/kratos/email-password

. You can get these by cloning the [Ory Kratos repository](https://github.com/ory/kratos) and checking out the desired version. - The DSN for CockroachDB follows the format:

<cockroach://user:password@host:port/database?sslmode=disable>

as described in the [Ory documentation](https://www.ory.sh/docs/self-hosted/deployment#cockroachdb). - This setup is suitable for local development and testing. For production, review security and scaling considerations. For more details, see the [Ory Kratos Quickstart](https://www.ory.sh/docs/kratos/quickstart#next-steps) and [CockroachDB integration](https://www.ory.sh/docs/self-hosted/deployment#cockroachdb).

Certainly! Here is a Docker Compose example for running the latest version of Ory Kratos and Ory Hydra using CockroachDB as the DSN, based on the official Ory documentation and examples. > Note: > - The example below is adapted from the official Ory quickstart and CockroachDB documentation. > - You must provide the Kratos and Hydra configuration files in the appropriate directories. > - The DSN format for CockroachDB is:

<cockroach://user:password@host:port/database?sslmode=disable>

> - The latest referenced Kratos version in the documentation is

v1.1.0

and Hydra is

v1.10.6

. > - For production, review security and scaling considerations.

yaml version: "3.7"  services:   cockroach:     image: cockroachdb/cockroach:v22.2.4     command: start-single-node --insecure     ports:       - "26257:26257"       - "8080:8080"     volumes:       - cockroach-data:/cockroach/cockroach-data    kratos-migrate:     image: oryd/kratos:v1.1.0     depends_on:       - cockroach     environment:       - DSN=<cockroach://root@cockroach:26257/defaultdb?sslmode=disable>     volumes:       - ./kratos:/etc/config/kratos     command: -c /etc/config/kratos/kratos.yml migrate sql -e --yes    kratos:     image: oryd/kratos:v1.1.0     depends_on:       - kratos-migrate     environment:       - DSN=<cockroach://root@cockroach:26257/defaultdb?sslmode=disable>     ports:       - "4433:4433" # public       - "4434:4434" # admin     volumes:       - ./kratos:/etc/config/kratos     command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier    hydra-migrate:     image: oryd/hydra:v1.10.6     depends_on:       - cockroach     environment:       - DSN=<cockroach://root@cockroach:26257/defaultdb?sslmode=disable>     volumes:       - ./hydra:/etc/config/hydra     command: migrate -c /etc/config/hydra/hydra.yml sql -e --yes    hydra:     image: oryd/hydra:v1.10.6     depends_on:       - hydra-migrate     environment:       - DSN=<cockroach://root@cockroach:26257/defaultdb?sslmode=disable>       - SECRETS_SYSTEM=youReallyNeedToChangeThisSecret       - URLS_SELF_ISSUER=<http://localhost:4444/>       - URLS_CONSENT=<http://localhost:9020/consent>       - URLS_LOGIN=<http://localhost:9020/login>     ports:       - "4444:4444" # public       - "4445:4445" # admin     volumes:       - ./hydra:/etc/config/hydra     command: serve -c /etc/config/hydra/hydra.yml all  volumes:   cockroach-data:

References: - The DSN format and CockroachDB usage are described in the [Ory self-hosted deployment docs](https://www.ory.sh/docs/self-hosted/deployment#cockroachdb). - The Kratos and Hydra Docker usage and migration commands are based on the [Kratos Docker guide](https://www.ory.sh/docs/kratos/guides/docker) and [Hydra Docker deployment](https://www.ory.sh/docs/hydra/self-hosted/configure-deploy#deploy-ory-hydra). If you need more details on the configuration files or want to add other services (like the self-service UI), let me know!

Certainly! Below are example working configuration snippets for both Ory Kratos and Ory Hydra, based on the official documentation and quickstart guides. These are suitable as starting points for local development and can be adapted for production. --- ## Ory Kratos Configuration (

kratos.yml

) A minimal example for self-hosted Kratos, using the password method and a local identity schema:

yaml dsn: memory  serve:   public:     base_url: <http://127.0.0.1:4433/>   admin:     base_url: <http://127.0.0.1:4434/>  selfservice:   default_browser_return_url: <http://127.0.0.1:4455/>   flows:     login:       ui_url: <http://127.0.0.1:4455/login>     registration:       ui_url: <http://127.0.0.1:4455/registration>     settings:       ui_url: <http://127.0.0.1:4455/settings>     recovery:       ui_url: <http://127.0.0.1:4455/recovery>     verification:       ui_url: <http://127.0.0.1:4455/verification>   methods:     password:       enabled: true  identity:   default_schema_id: default   schemas:     - id: default       url: file:///etc/config/kratos/identity.schema.json

You can find a full quickstart config and schema in the [Ory Kratos quickstart](https://github.com/ory/kratos/blob/master/contrib/quickstart/kratos/email-password/kratos.yml) and [identity schema](https://github.com/ory/kratos/blob/master/contrib/quickstart/kratos/email-password/identity.schema.json) files. [Reference: Kratos Quickstart](https://www.ory.sh/docs/kratos/quickstart#next-steps) --- ## Ory Hydra Configuration (

hydra.yml

) A minimal example for self-hosted Hydra, using SQLite for quickstart (replace with your DSN for production):

yaml dsn: memory  urls:   self:     issuer: <http://127.0.0.1:4444/>   consent: <http://127.0.0.1:3000/consent>   login: <http://127.0.0.1:3000/login>  secrets:   system:     - youReallyNeedToChangeThisSecret  log:   level: info

You can find a full quickstart config in the [Ory Hydra quickstart](https://github.com/ory/hydra/blob/master/contrib/quickstart/5-min/hydra.yml) file. [Reference: Hydra Quickstart](https://www.ory.sh/docs/hydra/self-hosted/quickstart#quickstart-configuration) --- Note: - For production, you should use a persistent database (PostgreSQL, MySQL, or CockroachDB) and update the

dsn

accordingly. - Adjust the

ui_url

,

issuer

, and other URLs to match your deployment environment. - Make sure to set strong secrets and review all security-related settings. If you need a more advanced or production-ready configuration, or want to see how to connect Kratos and Hydra together (for OIDC flows), let me know!

Certainly! Here is an example of a minimal Ory Kratos configuration with the courier section included, based on the official documentation. This example uses SMTP for email delivery, which is the most common use case for the courier:

yaml dsn: memory  serve:   public:     base_url: <http://127.0.0.1:4433/>   admin:     base_url: <http://127.0.0.1:4434/>  selfservice:   default_browser_return_url: <http://127.0.0.1:4455/>   flows:     login:       ui_url: <http://127.0.0.1:4455/login>     registration:       ui_url: <http://127.0.0.1:4455/registration>     settings:       ui_url: <http://127.0.0.1:4455/settings>     recovery:       ui_url: <http://127.0.0.1:4455/recovery>     verification:       ui_url: <http://127.0.0.1:4455/verification>   methods:     password:       enabled: true  identity:   default_schema_id: default   schemas:     - id: default       url: file:///etc/config/kratos/identity.schema.json  courier:   delivery_strategy: smtp   smtp:     connection_uri: <smtp://username:password@smtp.example.com:587/>     from_address: <mailto:hello@example.org|hello@example.org>     from_name: My Company

- Replace

<smtp://username:password@smtp.example.com:587/>

with your actual SMTP server credentials and address. - The

from_address

and

from_name

fields set the sender's email address and name. For more advanced courier configuration options, such as using HTTP delivery or custom templates, see the [Ory Kratos email and SMS documentation](https://www.ory.sh/docs/kratos/emails-sms/sending-emails-smtp#send-emails-using-your-smtp-server) and [custom email templates](https://www.ory.sh/docs/kratos/emails-sms/custom-email-templates#using-custom-message-templates). If you need to use HTTP instead of SMTP, you can use the

delivery_strategy: http

and configure the

http

section as described in the documentation[Send emails using an HTTP server](https://www.ory.sh/docs/kratos/emails-sms/sending-emails-smtp#send-emails-using-an-http-server).

Certainly! Here is a sample

identity.schema.json

for Ory Kratos, directly based on the official documentation. This schema uses email as the primary identifier and includes a name object with first and last names:

json {   "$id": "<https://schemas.ory.sh/presets/kratos/identity.basic.schema.json>",   "title": "Person",   "type": "object",   "properties": {     "traits": {       "type": "object",       "properties": {         "email": {           "type": "string",           "format": "email",           "title": "Email address",           "<http://ory.sh/kratos|ory.sh/kratos>": {             "credentials": {               "password": {                 "identifier": true               },               "webauthn": {                 "identifier": true               },               "totp": {                 "account_name": true               },               "code": {                 "identifier": true,                 "via": "email"               },               "passkey": {                 "display_name": true               }             },             "recovery": {               "via": "email"             },             "verification": {               "via": "email"             }           },           "maxLength": 320         },         "name": {           "type": "object",           "required": [             "last"           ],           "properties": {             "first": {               "type": "string",               "title": "First name",               "maxLength": 256             },             "last": {               "type": "string",               "title": "Last name",               "maxLength": 256             }           }         }       },       "required": [         "email"       ],       "additionalProperties": false     }   } }

This schema requires the user to provide an email address and a last name during registration. The email is used as the login identifier and for account recovery and verification. You can further customize this schema to fit your application's needs by adding or removing fields as described in the documentation[Customize identity schemas](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#mandatory-fields-for-registration).

You can find the Ory Hydra API documentation at the following link: [Ory Hydra API Reference](https://www.ory.sh/docs/hydra/reference/api)<|https://www.ory.sh/docs/hydra/reference/api>.