<@U04UQ68083H> how can I start a login flow and re...
# ory-copilot
a
@chilly-king-10285 how can I start a login flow and receive a otp code via sms?
b
A message from kapa.ai
To start a login flow and receive a one-time password (OTP) code via SMS in Ory, you need to follow these steps:

### 1. Enable SMS one-time-code authentication

First, you need to enable the one-time code strategy for passwordless login:

```yaml
selfservice:
  methods:
    code:
      passwordless_enabled: true
```

You can do this through the [Ory Console UI](https://console.ory.sh/projects/current/passwordless) or using the Ory CLI:

```
ory patch identity-config <your-project-id> \
  --add '/selfservice/methods/code/passwordless_enabled=true'
```

[Enable SMS one-time-code (OTP)](https://www.ory.sh/docs/kratos/passwordless/one-time-code#enable-sms-one-time-code-otp)

### 2. Configure your identity schema

Ensure your identity schema has a phone number field marked as an identifier for the code method:

```json
{
  "ory.sh/kratos": {
    "credentials": {
      "code": {
        "identifier": true,
        "via": "sms"
      }
    }
  }
}
```

[Passwordless one-time code login identifier](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#passwordless-one-time-code-login-identifier)

### 3. Configure SMS delivery

Set up an SMS channel in your Ory configuration:

```yaml
courier:
  channels:
    - id: sms
      type: http
      request_config:
        url: https://api.twilio.com/2010-04-01/Accounts/AXXXXXXXXXXXXXX/Messages.json
        method: POST
        body: base64://ZnVuY3Rpb24oY3R4KSB7CiAgVG86IGN0eC5yZWNpcGllbnQsCiAgQm9keTogY3R4LmJvZHksCn0=
        headers:
          Content-Type: application/x-www-form-urlencoded
        auth:
          type: basic_auth
          config:
            user: AXXXXXXX
            password: XXXX
```

[Send SMS to your users](https://www.ory.sh/docs/kratos/emails-sms/sending-sms)

### 4. Start the login flow

To start the login flow, direct users to:

```
https://<your-custom-domain-or-project-slug>/self-service/login/browser
```

The user will be prompted to enter their phone number, and then a one-time code will be sent to that number via SMS. [User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login)

### Important security note

Be aware that SMS OTP is considered less secure due to vulnerabilities like SIM swapping, SMS interception, and phishing. Many security experts and government agencies no longer recommend it for sensitive applications. Consider using more secure methods like Passkeys if possible. [SMS one-time-code security warning](https://www.ory.sh/docs/kratos/passwordless/one-time-code#enable-sms-one-time-code-otp)
a
@chilly-king-10285 how can I do that using postman?
b
A message from kapa.ai
To use Postman for starting a login flow and receiving an OTP code via SMS in Ory, you'll need to interact with Ory's API endpoints. Here's how to do it:

### 1. Initialize a Login Flow

First, create a new request in Postman to initialize the login flow:

- Method: GET
- URL: `https://<your-project-slug>.projects.oryapis.com/self-service/login/api`

This will return a JSON response containing a `flow` object with an `id` that you'll need for the next step.

### 2. Submit the Login Flow with Phone Number

Create another request to submit the phone number:

- Method: POST
- URL: `https://<your-project-slug>.projects.oryapis.com/self-service/login`
- Headers:
  - Content-Type: application/json
- Body:

```json
{
  "method": "code",
  "identifier": "+1234567890", // Replace with the actual phone number
  "flow": "flow-id-from-previous-step"
}
```

### 3. Submit the OTP Code

After receiving the SMS with the code, create a final request to submit the code:

- Method: POST
- URL: `https://<your-project-slug>.projects.oryapis.com/self-service/login`
- Headers:
  - Content-Type: application/json
- Body:

```json
{
  "method": "code",
  "code": "123456", // Replace with the actual code received via SMS
  "csrf_token": "csrf-token-from-flow", // If required
  "flow": "flow-id-from-previous-step"
}
```

The API will respond with a session token or cookie that you can use for authenticated requests.

Note that the exact request format may vary slightly depending on your specific Ory configuration. You should refer to the [Ory API Reference](https://www.ory.sh/docs/reference/api) for the most up-to-date API specifications.

Remember that SMS OTP is considered less secure than other authentication methods due to vulnerabilities like SIM swapping and SMS interception.
a
@chilly-king-10285 I am creating a new session and trying to log in, the Ory Kratos returns that message: "messages": [ { "id": 1010014, "text": "An email containing a code has been sent to the email address you provided. If you have not received an email, check the spelling of the address and retry the login.", "type": "info" } ] But my custom SMS provider is never hit for some reason
b
A message from kapa.ai
Based on the information you've provided, it appears that Ory Kratos is sending a verification email instead of an SMS code during your login flow. This is a known issue that's documented in an open GitHub issue.

## Why this is happening

The issue occurs when you have both email and phone verification configured in your identity schema. When you try to log in using SMS code (OTP), Kratos is still sending a verification email instead of (or in addition to) the SMS code.

According to the GitHub issue [Phone+email schema: verification email is sent when signed up with SMS code](https://github.com/ory/kratos/issues/4161), this happens because the verification hook is hardcoded in the registration flow. A user in the issue comments noted:

> "I just found out that it works the other way around. If I sign up with an email code (OTP), SMS message 'Your verification code is: <code>' is sent then (but email with a verification code isn't)."

## Possible solutions

1. Check your identity schema configuration: Make sure your phone field is properly configured with the SMS code identifier:

   ```json
   "phone": {
     "type": "string",
     "title": "Phone number",
     "format": "tel",
     "ory.sh/kratos": {
       "credentials": {
         "code": {
           "identifier": true,
           "via": "sms"
         }
       }
     }
   }
   ```

2. Verify your SMS provider configuration: Ensure your SMS channel is properly configured in the Ory configuration:

   ```yaml
   courier:
     channels:
       - id: sms
         type: http
         request_config:
           url: "https://your-sms-provider-url"
           method: "POST"
           # Other configuration...
   ```

3. Check logs: Look for any SMS-related logs in your Kratos logs. There should be entries like:

   ```
   level=info msg=[DEBUG] POST https://your-sms-provider-url
   level=debug msg=Courier sent out mailer. http_server=https://your-sms-provider-url message_type=sms
   ```

4. Temporary workaround: As mentioned in the GitHub issue, you could try disabling email verification in your schema if you only need SMS verification:
diff "email": {   "type": "string",   "format": "email",   "title": "E-mail",   "<http://ory.sh/kratos|ory.sh/kratos>": {     "credentials": {       "password": {         "identifier": true       }     }, -    "verification": { -      "via": "email" -    }   } }
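Review bot: the `},` that closes `credentials` keeps its comma once the three `verification` lines are removed, so the `ory.sh/kratos` object ends with a trailing comma and the schema is no longer valid JSON. That line should change to `}` in the same edit, otherwise the identity schema will fail to parse when Kratos loads it.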
This appears to be a bug in Ory Kratos where both verification methods are triggered regardless of which one you're using for login. Since this is an open issue, you might want to follow the GitHub issue for updates or consider contributing a fix if possible. Let me know if you need more specific help with your configuration!
a
@chilly-king-10285 Here are the logs:

```
2025-04-19T034430.7574120Z stderr F {"address":[{"To":"+5511986381688","Via":"sms"}],"audience":"application","level":"debug","msg":"Preparing login code","service_name":"Ory Kratos","service_version":"v1.3.1","time":"2025-04-19T034430.757246253Z"}
2025-04-19T034430.7702132Z stderr F {"audience":"audit","level":"info","login_code":"731384","login_code_id":"ba405da9-aecd-459a-8e41-9a10e633bd83","login_flow_id":"2a7280dd-b730-41a3-b59a-d92bafca4edc","msg":"Sending out login email with code.","service_name":"Ory Kratos","service_version":"v1.3.1","time":"2025-04-19T034430.770016665Z"}
2025-04-19T034430.7809913Z stderr F {"http_request":{"headers":{"accept":"application/json","accept-encoding":"gzip, deflate, br","cache-control":"no-cache","content-length":"165","content-type":"application/json","cookie":["csrf_token_557ef4cbab2830b2c93109b7a12015553e198b89de5e34ddefe8d105a2b66034=Q8gLAhX5srr/HJY7cuth/fn6jlms4fu5zr1HyLTglUY="],"postman-token":"35796681-8e8f-4c51-8b6e-102a14edc713","user-agent":"PostmanRuntime/7.43.3","x-arr-ssl":"true","x-envoy-expected-rq-timeout-ms":"1800000","x-envoy-external-address":"177.143.47.115","x-forwarded-for":"177.143.47.115","x-forwarded-proto":"https","x-k8se-app-kind":"web","x-k8se-app-name":"xmob-kratos-qa--qh6iesx","x-k8se-app-namespace":"k8se-apps","x-k8se-protocol":"http1","x-ms-containerapp-name":"xmob-kratos-qa","x-ms-containerapp-revision-name":"xmob-kratos-qa--qh6iesx","x-request-id":"41d18741-3609-48fa-b6db-250be7516b59"},"host":"xmob-kratos-qa.wonderfulhill-db1bece3.brazilsouth.azurecontainerapps.io","method":"POST","path":"/self-service/login","query":"flow=2a7280dd-b730-41a3-b59a-d92bafca4edc","remote":"100.100.0.107:57740","scheme":"http"},"http_response":{"headers":{"cache-control":"private, no-cache, no-store, must-revalidate","content-type":"application/json; charset=utf-8","vary":"Cookie"},"size":2206,"status":400,"text_status":"Bad Request","took":44275912},"level":"info","msg":"completed handling request","time":"2025-04-19T034430.780767463Z"}
```

```yaml
courier:
  channels:
    - id: sms
      request_config:
        body: base64://ZnVuY3Rpb24oY3R4KSB7CiAgVG86IGN0eC5yZWNpcGllbnQsCiAgQm9keTogY3R4LmJvZHksCn0=
        method: PUT
        url: https://webhook.site/0757f9a2-106a-4938-bb50-9e8ec65177d3
      type: http
```

```json
{
  "$id": "https://schemas.ory.sh/presets/kratos/identity.email.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "phone_number": {
          "type": "string",
          "format": "tel",
          "title": "Phone Number",
          "ory.sh/kratos": {
            "credentials": {
              "password": { "identifier": true },
              "webauthn": { "identifier": true },
              "totp": { "account_name": true },
              "code": { "identifier": true, "via": "sms" },
              "passkey": { "display_name": true }
            },
            "verification": { "via": "sms" }
          },
          "maxLength": 320
        }
      },
      "required": [ "phone_number" ],
      "additionalProperties": false
    }
  }
}
```
b
A message from kapa.ai
Based on your logs and configuration, I can see what's happening with your SMS verification issue. Let me analyze the problem:

## The Issue

Your logs show that Kratos is preparing a login code for SMS:

```
{"address":[{"To":"+5511986381688","Via":"sms"}],"audience":"application","level":"debug","msg":"Preparing login code"...
```

But then it's sending it via email instead of SMS:

```
{"audience":"audit","level":"info","login_code":"731384","login_code_id":"ba405da9-aecd-459a-8e41-9a10e633bd83","login_flow_id":"2a7280dd-b730-41a3-b59a-d92bafca4edc","msg":"Sending out login email with code."...
```

And the request ultimately fails with a 400 Bad Request status.

## Analysis

There are a few potential issues:

1. Courier Configuration: Your SMS channel configuration looks mostly correct, but there are a couple of issues:
   - You're using `PUT` method instead of the more common `POST` for SMS APIs
   - The base64 body appears to be truncated in your configuration (it has a `<` character in the middle)

2. Identity Schema: Your schema looks correct for SMS verification, with:

   ```json
   "code": {
     "identifier": true,
     "via": "sms"
   }
   ```

   and

   ```json
   "verification": {
     "via": "sms"
   }
   ```

3. Message Routing: Despite configuring SMS, the log shows "Sending out login email with code" which suggests Kratos is trying to send via email instead of SMS.

## Possible Solutions

1. Fix the courier configuration:
   - Change the method from `PUT` to `POST`
   - Make sure the base64 body is correct without any truncation or extra characters
   - Example of a correct body (decoded):

     ```
     function(ctx) {
       To: ctx.recipient,
       Body: ctx.body,
     }
     ```

2. Check SMS templates: Make sure you have the proper SMS templates configured:

   ```yaml
   courier:
     templates:
       login_code:
         valid:
           sms:
             body:
               plaintext: "base64://WW91ciBsb2dpbiBjb2RlIGlzOiB7eyAuTG9naW5Db2RlIH19"
   ```

3. Verify webhook endpoint:
   - Test your webhook.site endpoint separately to ensure it's accepting requests
   - Check if it requires any specific authentication or headers

4. Check for email configuration:
   - Since the logs show "Sending out login email with code", make sure you don't have conflicting email configurations

This issue appears similar to the one described in [GitHub issue #4161](https://github.com/ory/kratos/issues/4161), where there's confusion between email and SMS verification channels. The key difference is that in your case, it's trying to send an email even though you've only configured SMS verification in your schema.

Let me know if you need more specific guidance on any of these potential solutions!
a
@chilly-king-10285 the same scenario is working without problems at Ory Network cloud but on my self-hosted no, could that be the issue?
b
A message from kapa.ai
Based on your description, the difference between Ory Network (cloud) and your self-hosted instance could indeed be the source of your SMS verification issues. This is a known distinction between the two deployment options.

## Ory Network vs. Self-Hosted Differences

According to the Ory documentation, there are several key differences between Ory Network and self-hosted deployments that could affect SMS verification:

1. SMS verification and MFA: The feature comparison explicitly marks SMS verification and MFA with a warning symbol (⚠️) for self-hosted deployments, while it's fully supported () in Ory Network. This suggests there might be additional configuration or limitations in self-hosted environments. [Ory Network or self-hosted?](https://www.ory.sh/blog/ory-network-or-self-hosting-explained-use-cases)

2. Courier configuration: Self-hosted instances require more manual configuration for the courier service that handles SMS delivery.

3. Template configuration: In self-hosted Ory Kratos, you need to explicitly configure email and SMS templates, which might be causing the issue if not properly set up. [Email templates in self-hosted Ory Kratos](https://www.ory.sh/docs/kratos/self-hosted/mail-courier-templates)

## Potential Solutions for Self-Hosted

1. Check courier templates: Make sure you have properly configured SMS templates in your self-hosted instance:

   ```yaml
   courier:
     templates:
       login_code:
         valid:
           sms:
             body:
               plaintext: "base64://WW91ciBsb2dpbiBjb2RlIGlzOiB7eyAuTG9naW5Db2RlIH19"
   ```

2. Verify template paths: Self-hosted Kratos expects templates at specific paths:

   ```
   <kratos-root>/<template-root>/verification/valid
   <kratos-root>/<template-root>/verification/invalid
   ```

3. Check template override path: Make sure your configuration includes the correct template override path:

   ```yaml
   courier:
     template_override_path: /conf/courier-template
   ```

4. Verify SMS channel configuration: Ensure your SMS channel is properly configured with the correct ID (`sms`):

   ```yaml
   courier:
     channels:
       - id: sms
         type: http
         request_config:
           # Your configuration
   ```

The issue you're experiencing is similar to what's described in [GitHub issue #4161](https://github.com/ory/kratos/issues/4161), where there's confusion between email and SMS verification channels. This issue might be more pronounced in self-hosted environments where configuration is more manual compared to the Ory Network.

If you continue to face issues, you might want to check your Kratos logs for more detailed error messages or consider using the Ory CLI to export a working configuration from your Ory Network project and apply it to your self-hosted instance.
a
@chilly-king-10285 The configuration contains values or keys which are invalid:

```
2025-04-19T035853.1379602Z stderr F courier.templates.login_code.valid.email: <nil>
2025-04-19T035853.1379691Z stderr F ^-- one or more required properties are missing
2025-04-19T035853.1379723Z stderr F
2025-04-19T035853.1380201Z stderr F time=2025-04-19T035853Z level=error msg=Unable to instantiate configuration. audience=application error=map[message:I[#/courier/templates/login_code/valid] S[#/properties/courier/properties/templates/properties/login_code/properties/valid/required] missing properties: "email"] service_name=Ory Kratos service_version=v1.3.1
2025-04-19T035853.1380254Z stderr F Error: I[#/courier/templates/login_code/valid] S[#/properties/courier/properties/templates/properties/login_code/properties/valid/required] missing properties: "email"
```

```yaml
templates:
  login_code:
    valid:
      sms:
        body:
          plaintext: "base64://WW91ciBsb2dpbiBjb2RlIGlzOiB7eyAuTG9naW5Db2RlIH19"
```
b
A message from kapa.ai
I can see the issue in your configuration. The error message indicates that you're missing a required property in your template configuration. Specifically, Ory Kratos requires both email and SMS templates to be defined for the login code, even if you're only using SMS.

## The Problem

The error message states:

```
courier.templates.login_code.valid.email: <nil>
^-- one or more required properties are missing
```

This means that while you've correctly configured the SMS template, you're missing the required email template configuration.

## Solution

You need to add the email template configuration alongside your SMS template. Here's how to fix your configuration:

```yaml
templates:
  login_code:
    valid:
      sms:
        body:
          plaintext: "base64://WW91ciBsb2dpbiBjb2RlIGlzOiB7eyAuTG9naW5Db2RlIH19"
      email:  # Add this section
        body:
          html: "base64://PGh0bWw+WW91ciBsb2dpbiBjb2RlIGlzOiB7eyAuTG9naW5Db2RlIH19PC9odG1sPg=="
          plaintext: "base64://WW91ciBsb2dpbiBjb2RlIGlzOiB7eyAuTG9naW5Db2RlIH19"
        subject: "base64://WW91ciBsb2dpbiBjb2Rl"
```

This is a known requirement in self-hosted Ory Kratos - you need to define both email and SMS templates even if you're only using one of them. The Ory Network handles this automatically, which is why it works there without this explicit configuration.

The base64 strings in the example decode to:

- plaintext: "Your login code is: {{ .LoginCode }}"
- html: "<html>Your login code is: {{ .LoginCode }}</html>"
- subject: "Your login code"

You can encode your own custom templates using a base64 encoder.

[Email templates in self-hosted Ory Kratos](https://www.ory.sh/docs/kratos/self-hosted/mail-courier-templates) explains that in self-hosted environments, you need to be more explicit with template configurations compared to Ory Network.
a
@chilly-king-10285 even after that configuration the webhook is not logging any requests
b
A message from kapa.ai
I see that despite adding the required email templates to your configuration, your webhook is still not receiving any requests when trying to send SMS codes. Let's troubleshoot this issue further.

Based on the knowledge sources, there are a few potential reasons why your webhook isn't being triggered:

## 1. Session Hook Interference

One common issue is that the `session` hook might be interfering with your webhook execution. According to the troubleshooting documentation:

> If an Ory Action webhook fails to trigger, verify whether the sign in after registration `session` hook is activated. Because the `session` hook modifies the HTTP response, no other hooks are executed after it.

[Troubleshoot Ory Actions Webhook issues](https://www.ory.sh/docs/troubleshooting/troubleshoot-actions)

Check your configuration to ensure that if you have a `session` hook, it's placed after any webhook you want to execute.

## 2. Webhook Order in Configuration

The order of hooks matters. In your configuration, make sure your webhook comes before the session hook:

```yaml
hooks:
- hook: web_hook
  config:
    url: https://webhook.site/0757f9a2-106a-4938-bb50-9e8ec65177d3
    # other webhook config
- hook: session
```

## 3. SMS Channel Configuration

Your SMS channel configuration might have issues:

```yaml
courier:
  channels:
  - id: sms
    request_config:
      body: <base64://ZnVuY3Rpb24oY3R4KSB7CiAgVG86IGN0eC5yZWNpcGllbnQsCiAgQm9keTogY3R>4LmJvZHksCn0=
      method: PUT
      url: <https://webhook.site/0757f9a2-106a-4938-bb50-9e8ec65177d3>
    type: http
```

The base64 string appears to be malformed (it has a `<` character at the beginning and a `>` character in the middle). Make sure your base64 encoding is correct.

## 4. Method-Specific Hooks

Make sure you're configuring the hooks specifically for the `code` method:

```yaml
selfservice:
  flows:
    login:
      after:
        code:
          hooks:
          - hook: web_hook
            config:
              url: https://webhook.site/0757f9a2-106a-4938-bb50-9e8ec65177d3
              # other webhook config
          - hook: session
```

## 5. Debug with Logs

Enable debug logging to see if there are any errors when Kratos tries to send the SMS:

```yaml
log:
  level: debug
```

Look for logs related to the courier service and SMS sending.

## 6. Test Your Webhook Endpoint

Make sure your webhook.site endpoint is accessible and working correctly by testing it with a simple HTTP request from another tool.

If you continue to face issues, you might want to try a different SMS provider configuration or consider using the Ory CLI to export a working configuration from your Ory Network project to compare with your self-hosted setup.

Let me know if any of these suggestions help or if you need further assistance!
a
@chilly-king-10285 I am talking about the webhook.site that I configured to Kratos call to send the SMS, it's not logging new requests when I submit a new code flow
b
A message from kapa.ai
I understand you're specifically referring to the webhook.site endpoint that you configured for Kratos to send SMS messages, and it's not logging any requests when you initiate a code flow.

Based on the logs you shared earlier, I can see that Kratos is preparing a login code for SMS but then trying to send it via email instead. This suggests there might be an issue with how the SMS channel is being used.

Here are some specific things to check regarding your webhook.site configuration:

1. Check your SMS channel configuration: Make sure there are no formatting issues in your configuration. The base64 string in your config appears to have angle brackets that shouldn't be there:

   ```yaml
   body: <base64://ZnVuY3Rpb24oY3R4KSB7CiAgVG86IGN0eC5yZWNpcGllbnQsCiAgQm9keTogY3R>4LmJvZHksCn0=
   url: <https://webhook.site/0757f9a2-106a-4938-bb50-9e8ec65177d3>
   ```

   Remove the angle brackets:

   ```yaml
   body: base64://ZnVuY3Rpb24oY3R4KSB7CiAgVG86IGN0eC5yZWNpcGllbnQsCiAgQm9keTogY3R4LmJvZHksCn0=
   url: https://webhook.site/0757f9a2-106a-4938-bb50-9e8ec65177d3
   ```

2. Check for SMS template issues: Your logs show "Sending out login email with code" instead of sending an SMS. This suggests Kratos might be routing the message incorrectly. Make sure your SMS templates are properly configured:

   ```yaml
   courier:
     templates:
       login_code:
         valid:
           sms:
             body:
               plaintext: "base64://WW91ciBsb2dpbiBjb2RlIGlzOiB7eyAuTG9naW5Db2RlIH19"
   ```

3. Verify the HTTP method: You're using `PUT` in your configuration, but most webhook services expect `POST`. Try changing:

   ```yaml
   method: PUT
   ```

   to

   ```yaml
   method: POST
   ```

4. Check for code hooks: According to [GitHub issue #346](https://github.com/ory/network/issues/346), there can be issues with webhooks not working for registration with the `code` method. Make sure your hooks are properly configured for the code method.

5. Look for more detailed logs: Enable more verbose logging to see if there are any errors when Kratos tries to send the SMS:

   ```yaml
   log:
     level: trace
   ```

If you're still having issues, you might want to try a simpler webhook endpoint for testing (like RequestBin) or consider using a different SMS provider configuration to see if the issue is specific to webhook.site.