In Ory Kratos, users can edit their identity information (like password, username, or profile details) through the Self-Service Settings Flow. This flow allows users to update their own settings and profile information in a secure way. ## Methods for Updating Identity Information Ory Kratos supports several methods for updating identity information: 1. Password method - For updating the password used to sign in 2. Profile method - For updating identity traits (like username, email, first name, etc.) 3. OIDC method - For linking/unlinking social sign-in providers These methods can be enabled in your Ory Kratos configuration:

yaml selfservice:   methods:     password:       enabled: true     oidc:       enabled: true     profile:       enabled: true

[Settings and profile updates](https://www.ory.sh/docs/kratos/self-service/flows/user-settings) ## Updating Privileged Fields When updating sensitive information like passwords, usernames, or email addresses, Ory Kratos implements security measures. If the user's session is older than the configured

privileged_session_max_age

, they will be prompted to re-authenticate:

yaml selfservice:   flows:     settings:       # Sessions older than a minute requires the user to sign in again before       # the password is changed.       privileged_session_max_age: 1m

[Settings and profile updates](https://www.ory.sh/docs/kratos/self-service/flows/user-settings) ## Implementation Approaches There are two main approaches for implementing the Settings Flow: 1. Browser-based flows - For server-side or client-side applications 2. API-based flows - For mobile apps, smart TVs, or other API clients For API clients, Ory Kratos responds with a JSON payload that includes the updated identity:

bash curl -s -X POST -H "Accept: application/json" -H "Content-Type: application/json" \     -H "Authorization: bearer $sessionToken" \     -d '{"password": "'$password'", "method": "password"}' \     "$actionUrl" | jq

[API clients and clients without browsers](https://www.ory.sh/docs/kratos/self-service/flows/user-settings#api-clients-and-clients-without-browsers) ## Administrative Updates For administrative purposes, you can also update identities using the Admin API: 1. Update Identity - Using the

PUT /admin/identities/{id}

endpoint 2. Patch Identity - Using the

PATCH /admin/identities/{id}

endpoint with JSON Patch operations For example, to update an identity schema:

go jsonPatch := []client.JsonPatch{       {Op: "replace", Path: "/schema_id", Value: toSchema},   }    _, _, err = ory.IdentityApi.PatchIdentity(ctx, identityID).JsonPatch(jsonPatch).Execute()

[Patch identity](https://www.ory.sh/docs/kratos/sdk/go#patch-identity) These operations require proper authentication with an Ory Access Token.

I see you're experiencing an issue with duplicate Cookie headers when working with Ory Kratos settings flow. This is a common challenge when working with browser-based flows in Ory. The two cookies you're seeing are both necessary: 1.

ory_kratos_session

- This is your authenticated session cookie 2.

csrf_token_*

- This is the CSRF protection token When making requests to Ory Kratos settings endpoints, both cookies need to be included to: 1. Prove you have an active session (via the session cookie) 2. Protect against CSRF attacks (via the CSRF token) For AJAX/API requests to the settings flow, you need to ensure: 1. Your request includes credentials by setting

withCredentials: true

or equivalent in your HTTP client 2. Both cookies are properly sent in the request header 3. For the settings flow specifically, you need to include the flow ID as a query parameter According to the documentation, when working with client-side browser clients: > This flow requires AJAX and you need to ensure that all cookies are sent using the appropriate CORS and

includeCredentials

configurations. Additionally, Ory Kratos and your app must be hosted on the same domain. [Initialize settings flow](https://www.ory.sh/docs/kratos/self-service/flows/user-settings#user-and-profile-settings-for-client-side-ajax-browser-clients) If you're experiencing issues with the cookies, there are a few common solutions: 1. Make sure your application and Ory Kratos are on the same domain or properly configured for CORS 2. When sending the cookies programmatically, ensure they're properly formatted with a semicolon and space between them 3. If using a custom domain, ensure it's properly configured in your Kratos settings If you're still having issues, it might be related to how the cookies are being combined in your HTTP client. Some users have found that Ory server applications only split multiple cookies sent in the Cookie HTTP header if they are terminated with a semicolon (

;

). [SubmitSelfServiceLoginFlowWithHttpInfoAsync for Aal2 fails using .NET client in SPA (browser mode)](https://github.com/ory/network/issues/36) Are you using a specific SDK or making direct HTTP requests? That information would help provide more specific guidance.

@chilly-king-10285 how can i set withCredentials: true

To set

withCredentials: true

when working with Ory, you have several options depending on which client or method you're using to make requests: ### Using the Ory SDK (JavaScript/TypeScript) When using the official Ory SDK, you can set

withCredentials: true

in the configuration:

javascript import { Configuration, FrontendApi } from "@ory/client"  const frontend = new FrontendApi(   new Configuration({     basePath: "<http://localhost:4000>", // Your Ory URL     baseOptions: {       withCredentials: true, // This ensures cookies are sent with requests     },   }), )

[Integration basics](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#session-checks) ### Using Fetch API (Browser) If you're making direct fetch requests:

javascript fetch("<https://ory.your-custom-domain.com/>", {   credentials: "include", // This is equivalent to withCredentials: true })

[Cookie-based security model](https://www.ory.sh/docs/security-model#cross-origin-http-cookies) ### Using Axios If you're using Axios:

javascript import axios from 'axios'  axios.get('<https://your-ory-endpoint.com/self-service/settings/flows>', {   withCredentials: true })

### For Server-Side Applications When making requests from your server to Ory, you need to forward the cookies from the client:

javascript import { Configuration, FrontendApi } from "@ory/client" import { NextFunction, Request, Response } from "express"  const frontend = new FrontendApi(   new Configuration({     basePath: process.env.ORY_SDK_URL,   }), )  function middleware(req: Request, res: Response, next: NextFunction) {   frontend     .toSession({ cookie: req.header("cookie") }) // Forward the cookie from client     .then(({ status, data: flow }) => {       if (status !== 200) {         next("/login")       }       next()     }) }

[Session Checks](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#session-checks) Remember that for cross-origin requests to work properly: 1. The server must respond with appropriate CORS headers 2. Your application and Ory should ideally be on the same top-level domain 3. All cookies must be properly forwarded in requests This setting is crucial for Ory's security model as it ensures that cookies (including session and CSRF tokens) are properly sent with your requests.

@chilly-king-10285 is it right?

curl --request GET \
  --url '<http://127.0.0.1:4455/kratos/self-service/settings/browser?withCredentials=true>' \
  --header 'accept: application/json' \
  --header 'cookie: {{oryKratosSession}}' \
  --cookie '{{oryKratosSession}}'

Your curl command has a few issues that need to be addressed: 1. The

withCredentials=true

parameter doesn't belong in the URL - this is a client-side setting for JavaScript/browser requests, not a URL parameter for curl. 2. You're including the cookie in two different ways (both as a header and with the

--cookie

flag), which is redundant. Here's the correct way to make this request:

curl curl --request GET \   --url '<http://127.0.0.1:4455/kratos/self-service/settings/browser>' \   --header 'accept: application/json' \   --cookie '{{oryKratosSession}}'

A few important notes: 1. If you have multiple cookies (like both session and CSRF cookies), you should include them all in the

--cookie

parameter, separated by semicolons:

--cookie '{{oryKratosSession}}; {{csrfCookie}}'

2. When using curl, you don't need to set

withCredentials=true

as curl will send the cookies you specify with the

--cookie

flag. 3. Make sure your cookies are properly formatted. According to the documentation, some users have found that Ory server applications only split multiple cookies sent in the Cookie HTTP header if they are terminated with a semicolon (

;

). [SubmitSelfServiceLoginFlowWithHttpInfoAsync for Aal2 fails using .NET client in SPA (browser mode)](https://github.com/ory/network/issues/36) If you're testing this in a browser environment rather than with curl, that's when you would use the

withCredentials: true

setting in your JavaScript fetch or AJAX calls. Is this for testing purposes, or are you building an application that will interact with Ory Kratos?

@chilly-king-10285 how can i set includeCredentials or withCredentials: true

I see you're asking about how to properly set

includeCredentials

or

withCredentials: true

when working with Ory. This is an important setting for browser-based authentication flows to ensure cookies are properly sent with requests. Here are the different ways to set this depending on which client or method you're using: ### Using the Ory SDK (JavaScript/TypeScript)

javascript import { Configuration, FrontendApi } from "@ory/client"  const frontend = new FrontendApi(   new Configuration({     basePath: "<http://localhost:4000>", // Your Ory Tunnel URL     baseOptions: {       withCredentials: true, // This ensures cookies are sent with requests     },   }), )

[Integration basics](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#session-checks) ### Using Fetch API (Browser)

javascript fetch("<https://ory.your-custom-domain.com/>", {   credentials: "include", // This is equivalent to withCredentials: true })

[Cookie-based security model](https://www.ory.sh/docs/security-model#cross-origin-http-cookies) ### Using XMLHttpRequest (XHR)

javascript const xhr = new XMLHttpRequest(); xhr.open('GET', '<https://your-ory-endpoint.com/self-service/settings/flows>'); xhr.withCredentials = true; xhr.send();

### Using Axios

javascript import axios from 'axios';  axios.get('<https://your-ory-endpoint.com/self-service/settings/flows>', {   withCredentials: true });  // Or set it globally axios.defaults.withCredentials = true;

### For Server-Side Applications When making requests from your server to Ory, you need to forward the cookies from the client:

javascript const express = require("express") const cors = require("cors") const { FrontendApi, Configuration } = require("@ory/client-fetch")  const app = express()  const ory = new FrontendApi(   new Configuration({     basePath: process.env.ORY_URL || "<http://localhost:4000>",     baseOptions: { withCredentials: true },   }), )  app.use(   cors({     origin: process.env.UI_URL || "<http://localhost:8080>",     credentials: true, // <- Required for CORS to accept cookies and tokens.   }), )

[Make authenticated calls to your API](https://www.ory.sh/docs/getting-started/integrate-auth/vue#make-authenticated-calls-to-your-api) Remember that for cross-origin requests to work properly: 1. The server must respond with appropriate CORS headers 2. Your application and Ory should ideally be on the same top-level domain 3. All cookies must be properly forwarded in requests This setting is crucial for Ory's security model as it ensures that cookies (including session and CSRF tokens) are properly sent with your requests.

Yes, you can use curl to interact with Ory Kratos while properly handling cookies. Unlike browser-based JavaScript clients that need

withCredentials: true

, curl has different mechanisms for handling cookies. Here's how to use curl with Ory Kratos for common operations: ### Creating a Login Flow

bash curl -X GET \   -H 'Content-Type: application/json' \   -H 'Accept: application/json' \   -c cookies.txt \   https://$<http://PROJECT_SLUG.projects.oryapis.com/self-service/login/browser|PROJECT_SLUG.projects.oryapis.com/self-service/login/browser>

The

-c cookies.txt

flag saves cookies to a file, which is important for CSRF protection. [Integration basics](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#create-login-flow) ### Submitting a Registration Flow

bash curl -X POST -H 'Content-Type: application/json' \   -H 'Accept: application/json' \   -b cookies.txt \   -d '{"method":"password","traits.email":"<mailto:example@example.com|example@example.com>","traits.tos":"true","password":"verystrongpassword"}' \   "https://$<http://PROJECT_SLUG.projects.oryapis.com/self-service/registration?flow=<your-flow-id|PROJECT_SLUG.projects.oryapis.com/self-service/registration?flow=<your-flow-id>>"

The

-b cookies.txt

flag reads cookies from the file. [Submit registration flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#submit-registration-flow) ### Checking Session

bash curl -X GET \   -H 'Content-Type: application/json' \   -H 'Accept: application/json' \   -b cookies.txt \   https://$<http://PROJECT_SLUG.projects.oryapis.com/session/whoami|PROJECT_SLUG.projects.oryapis.com/session/whoami>

[Session Checks](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#session-checks) ### Creating a Settings Flow

bash curl -X GET \   -H 'Content-Type: application/json' \   -H 'Accept: application/json' \   -b cookies.txt \   https://$<http://PROJECT_SLUG.projects.oryapis.com/self-service/settings/browser|PROJECT_SLUG.projects.oryapis.com/self-service/settings/browser>

### Important Notes: 1. Use

-c cookies.txt

to save cookies when creating flows 2. Use

-b cookies.txt

to send cookies in subsequent requests 3. If you have multiple cookies, they should be in the cookies.txt file or specified with multiple

-b

flags 4. For direct cookie specification (without a file), use:

bash    curl -X GET \      -H 'Cookie: ory_kratos_session=YOUR_SESSION_COOKIE; csrf_token=YOUR_CSRF_TOKEN' \      https://$<http://PROJECT_SLUG.projects.oryapis.com/session/whoami|PROJECT_SLUG.projects.oryapis.com/session/whoami>

This approach ensures that both your session cookie and CSRF token are properly sent with each request.

@chilly-king-10285 how can i set includeCredentials or withCredentials: true in curl

I understand you're asking specifically about how to set

includeCredentials

or

withCredentials: true

in curl when working with Ory. The concepts of

includeCredentials

and

withCredentials: true

are actually JavaScript/browser-specific settings and don't directly apply to curl. In curl, cookie handling works differently. When using curl with Ory, you handle cookies in these ways: 1. Save cookies to a file:

bash    curl -X GET \      -H 'Accept: application/json' \      -c cookies.txt \      https://$<http://PROJECT_SLUG.projects.oryapis.com/self-service/login/browser|PROJECT_SLUG.projects.oryapis.com/self-service/login/browser>

The

-c cookies.txt

flag saves any cookies returned by the server. 2. Send cookies from a file:

bash    curl -X GET \      -H 'Accept: application/json' \      -b cookies.txt \      https://$<http://PROJECT_SLUG.projects.oryapis.com/sessions/whoami|PROJECT_SLUG.projects.oryapis.com/sessions/whoami>

The

-b cookies.txt

flag sends cookies from the file with your request. 3. Send cookies directly in the header:

bash    curl -X GET \      -H 'Accept: application/json' \      -H 'Cookie: ory_kratos_session=YOUR_SESSION_VALUE; csrf_token=YOUR_CSRF_TOKEN' \      https://$<http://PROJECT_SLUG.projects.oryapis.com/sessions/whoami|PROJECT_SLUG.projects.oryapis.com/sessions/whoami>

For a complete flow with Ory, you typically: 1. Create a flow and save cookies:

-c cookies.txt

2. Use those cookies in subsequent requests:

-b cookies.txt

[Integration basics](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#create-a-flow) Remember that when working with Ory's browser-based flows, both the session cookie and CSRF token cookie need to be included in your requests.

I understand you're asking about implementing the flow that requires AJAX with proper cookie handling for Ory Kratos. This is a common requirement for browser-based authentication flows. Here's how to set it up correctly: ## Setting up AJAX with proper cookie handling ### 1. Ensure same-domain setup First, Ory Kratos and your app must be on the same domain. This is crucial for cookies to work properly. For local development, you can use Ory Tunnel:

bash npx @ory/cli tunnel --dev <http://localhost:3000>

This will mirror Ory APIs on

<http://localhost:4000>

, allowing cookies to work properly during development. [Run Ory APIs on localhost](https://www.ory.sh/docs/getting-started/integrate-auth/react#run-ory-apis-on-localhost) ### 2. Configure your JavaScript client When using the Ory SDK:

javascript import { Configuration, FrontendApi } from "@ory/client"  const ory = new FrontendApi(   new Configuration({     basePath: "<http://localhost:4000>", // Your Ory Tunnel URL     baseOptions: {       withCredentials: true, // This ensures cookies are sent with requests     },   }), )

If using fetch directly:

javascript fetch("<http://localhost:4000/self-service/login/browser>", {   credentials: "include", // This is equivalent to withCredentials: true   headers: {     "Accept": "application/json"   } })

### 3. Configure CORS on the server side Make sure your Ory Kratos configuration has CORS properly set up:

yaml serve:   public:     cors:       enabled: true       allowed_origins:         - <http://localhost:3000>       allowed_methods:         - POST         - GET         - PUT         - PATCH         - DELETE       allowed_headers:         - Authorization         - Cookie         - Content-Type       exposed_headers:         - Content-Type         - Set-Cookie

[Cross-origin resource sharing (CORS) settings](https://www.ory.sh/docs/kratos/guides/setting-up-cors) ### 4. Handle CSRF protection When submitting forms, make sure to include the CSRF token from the hidden field:

javascript // When submitting a form const response = await fetch(flow.ui.action, {   method: flow.ui.method,   credentials: "include",   headers: {     "Content-Type": "application/json",   },   body: JSON.stringify({     csrf_token: getCSRFToken(flow), // Extract from flow.ui.nodes     method: "password",     password: "your-password",     // other form fields...   }), })

### Common issues to watch for: 1. Using both

localhost

and

127.0.0.1

interchangeably (stick to one) 2. Missing CSRF token in form submissions 3. Not setting

withCredentials: true

or

credentials: "include"

4. Different domains or subdomains for your app and Ory By following these steps, you'll ensure that all cookies are properly sent with your AJAX requests, allowing Ory's authentication flows to work correctly. [CSRF troubleshooting](https://www.ory.sh/docs/troubleshooting/csrf)