<@U04UQ68083H> steps to enable email otp login in ...
# ory-copilot
@chilly-king-10285 steps to enable email otp login in self hosted Kratos
A message from kapa.ai
To enable email OTP (One-Time Password) login in self-hosted Kratos, you need to configure the "code" authentication method. Here are the steps:

1. First, update your Kratos configuration file to enable the code method:

```yaml
selfservice:
  methods:
    code:
      enabled: true
      config:
        lifespan: 15m  # Defines how long the code is valid for (default 1h)
```

2. Configure your identity schema to mark email as an identifier for code-based authentication:

```json
{
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email": {
          "type": "string",
          "format": "email",
          "ory.sh/kratos": {
            "credentials": {
              "code": {
                "identifier": true,
                "via": "email"
              }
            }
          }
        }
      }
    }
  }
}
```

3. Configure the login flow to use the code method:

```yaml
selfservice:
  flows:
    login:
      lifespan: 10m  # How long the login flow is valid
```

4. Set up your email courier configuration to ensure emails can be sent:

```yaml
courier:
  smtp:
    connection_uri: smtps://username:password@smtp.example.com:587
```

5. Optionally, you can customize the email templates for the OTP codes:

```yaml
courier:
  template_override_path: /path/to/templates
  templates:
    login_code:
      valid:
        email:
          body:
            html: file:///path/to/template.html
            plaintext: file:///path/to/template.txt
```

These steps will enable email OTP login in your self-hosted Kratos instance. Users will receive a one-time code via email that they can use to authenticate.

For more detailed information about configuring email templates and the courier service, you can refer to [Email templates in self-hosted Ory Kratos](https://www.ory.sh/docs/kratos/self-hosted/mail-courier-templates).
@chilly-king-10285 otp login option still not showing up
A message from kapa.ai
I understand you're having trouble with the OTP login option not showing up in your self-hosted Kratos implementation. Let me help troubleshoot this issue.

There are several reasons why the OTP login option might not be appearing:

1. Incomplete configuration: Make sure you've enabled both the code method and configured it for passwordless login:

```yaml
selfservice:
  methods:
    code:
      enabled: true
      passwordless_enabled: true  # This is important for login
```

2. Identity schema configuration: Ensure your identity schema properly marks the email as an identifier for code authentication:

```json
"email": {
  "type": "string",
  "format": "email",
  "ory.sh/kratos": {
    "credentials": {
      "code": {
        "identifier": true,
        "via": "email"
      }
    }
  }
}
```

3. UI integration issue: If you're using a custom UI, you might need to check if it's properly rendering the code method option. The login flow response should include the code method if properly configured.

4. Method conflicts: Based on the knowledge sources, there might be issues when multiple authentication methods are enabled. For example, if you have both password and code methods enabled, you might need to check how they interact.

5. Check for errors in logs: Look for any error messages in your Kratos logs that might indicate configuration issues.

If you're still experiencing issues, you might want to check if there are any specific error messages or review your complete configuration. Some users have reported issues with method combinations as seen in [this GitHub issue](https://github.com/ory/kratos/issues/4161).

For a more detailed diagnosis, you may need to share your complete configuration and any error messages you're seeing.
@chilly-king-10285 for password login the same [api](http:///api/.ory/self-service/registration?flow=1a3d1091-8fe2-4646-a235-38b420653733) throws 200 OK but for email otp it throws 400 Bad Request
A message from kapa.ai
You're encountering a known behavior in Ory Kratos where requesting a login code via email returns a 400 Bad Request status code, even though the request is valid and the email with the code is successfully sent. This is actually the expected behavior according to Ory's design.

As confirmed in [this GitHub issue](https://github.com/ory/kratos/issues/4052), Kratos only returns a 200 OK status code when the login flow is completely successful. For intermediate steps like requesting a login code, it returns a 400 Bad Request status code, even though the request was processed successfully.

From the documentation:

> For API Clients, the server typically responds with HTTP 400 Bad Request and the Login Flow in the response payload as JSON.

This behavior has been questioned by several developers who find it counterintuitive since:

1. It violates HTTP standards where 400 should indicate an actual client error
2. It forces developers to parse the response body to determine if the request was successful
3. It can cause confusion and make error tracking more difficult

The Ory team has acknowledged this issue but mentioned that changing it would be a breaking change for existing users. They've indicated that they might consider changing this behavior in a future major version (v2), but it's unlikely to change before 2026.

For now, you'll need to:

1. Expect and handle the 400 status code for email OTP requests
2. Check the response body to confirm the code was sent (look for messages indicating the email was sent)
3. Continue with your flow despite the 400 status code

This is different from password login which completes the authentication in a single step and returns 200 OK when successful.
@chilly-king-10285 steps to setup AWS SES SMTP to send otp
A message from kapa.ai
To set up AWS SES SMTP for sending OTP emails in self-hosted Ory Kratos, follow these steps:

### 1. Set up AWS SES

First, you need to set up Amazon SES in your AWS account:

1. Verify your domain or email address in AWS SES
2. If your account is in the SES sandbox, verify recipient email addresses
3. Create SMTP credentials in the AWS SES console

### 2. Configure Kratos to use AWS SES SMTP

Add the following configuration to your Kratos configuration file:

```yaml
courier:
  smtp:
    connection_uri: smtps://YOUR_SES_SMTP_USERNAME:YOUR_SES_SMTP_PASSWORD@email-smtp.YOUR_REGION.amazonaws.com:465
    from_address: your-verified-email@yourdomain.com
    from_name: "Your Application Name"
    headers:
      X-SES-SOURCE-ARN: arn:aws:ses:YOUR_REGION:YOUR_ACCOUNT_ID:identity/yourdomain.com
      X-SES-FROM-ARN: arn:aws:ses:YOUR_REGION:YOUR_ACCOUNT_ID:identity/yourdomain.com
      X-SES-RETURN-PATH-ARN: arn:aws:ses:YOUR_REGION:YOUR_ACCOUNT_ID:identity/yourdomain.com
```

The custom headers are important for cross-account sending if you're using that feature with AWS SES, as mentioned in the [Mail courier in self-hosted Ory Kratos](https://www.ory.sh/docs/kratos/self-hosted/mail-courier-selfhosted) documentation.

### 3. Configure the courier service

Make sure your courier service is properly configured:

```yaml
courier:
  message_retries: 5  # Number of retry attempts for failed email delivery
```

### 4. Run the courier worker

For a single-instance setup, run Kratos with the courier watch flag:

```shell
kratos serve --watch-courier
```

For multi-instance deployments, run the courier as a separate singleton job:

```shell
kratos courier watch
```

### 5. Test your configuration

You can test your email delivery by initiating a login flow that requires an OTP code. Check your AWS SES console to verify emails are being sent and monitor the Kratos logs for any SMTP-related errors.

If you encounter deliverability issues, check the [Email deliverability issues on Ory Cloud](https://github.com/ory/network/issues/254) discussion for common troubleshooting steps. Even though it's about Ory Cloud, many of the same principles apply to self-hosted deployments.

Remember that AWS SES might have sending limits if you're in the sandbox environment, so you may need to request production access if you plan to send a large volume of emails.

For more detailed information about mail courier configuration in self-hosted Kratos, refer to the [Mail courier in self-hosted Ory Kratos](https://www.ory.sh/docs/kratos/self-hosted/mail-courier-selfhosted) documentation.
@chilly-king-10285 steps to setup Postmark to send otp
A message from kapa.ai
To set up Postmark for sending OTP emails in self-hosted Ory Kratos, follow these steps:

### 1. Set up a Postmark account

1. Sign up for a Postmark account at [postmarkapp.com](https://postmarkapp.com)
2. Verify your domain or sender email address
3. Create a server in Postmark to get your Server API Token

### 2. Configure Kratos to use Postmark SMTP

Add the following configuration to your Kratos configuration file:

```yaml
courier:
  smtp:
    connection_uri: smtps://YOUR_SERVER_TOKEN:ANYTHING@smtp.postmarkapp.com:587
    from_address: your-verified-email@yourdomain.com
    from_name: "Your Application Name"
```

Note: Postmark's SMTP service uses your Server Token as the username and any value as the password.

### 3. Configure the courier service

Ensure your courier service is properly configured:

```yaml
courier:
  message_retries: 5  # Number of retry attempts for failed email delivery
```

### 4. Run the courier worker

For a single-instance setup, run Kratos with the courier watch flag:

```shell
kratos serve --watch-courier
```

For multi-instance deployments, run the courier as a separate singleton job:

```shell
kratos courier watch
```

### 5. Test your configuration

Initiate a login flow that requires an OTP code to test your email delivery. Check your Postmark dashboard to verify emails are being sent and monitor the Kratos logs for any SMTP-related errors.

If you need to customize the email templates for OTP codes, you can add this to your configuration:

```yaml
courier:
  template_override_path: /path/to/templates
  templates:
    login_code:
      valid:
        email:
          body:
            html: file:///path/to/template.html
            plaintext: file:///path/to/template.txt
```

For more detailed information about mail courier configuration in self-hosted Kratos, refer to the [Mail courier in self-hosted Ory Kratos](https://www.ory.sh/docs/kratos/self-hosted/mail-courier-selfhosted) documentation.