<@U04UQ68083H>, how to implement login flow with m...
# ory-copilot
@chilly-king-10285, how to implement login flow with magic link using the self-hosted Ory Kratos + Hydra?
A message from kapa.ai
To implement a login flow with a magic link using self-hosted Ory Kratos (and optionally Ory Hydra for OAuth2), you need to configure the login flow to use the magic link ("link") method. Here’s how you can do it based on the available documentation:

### 1. Enable the Magic Link Method in Kratos Configuration

In your Kratos configuration file (e.g., `kratos.yaml`), set up the self-service login flow to use the `link` method. For login, the relevant section would look like:

```yaml
selfservice:
  methods:
    link:
      enabled: true
      config:
        lifespan: 15m # How long the magic link is valid
  flows:
    login:
      enabled: true
      lifespan: 15m
      use: link # Use 'link' for magic link login
```

> Note: The documentation primarily discusses the `link` method for recovery and verification, but the same method applies for login if enabled. However, Ory considers the magic link method a legacy solution and recommends using the `code` method instead, as magic links may be deprecated in future releases. Be sure to test your UI and flow if you choose to use magic links. [More details here](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset/) and [here](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation/#choosing-the-right-strategy).

### 2. Implement the Login UI

Ory Kratos is headless and does not provide UI out of the box. You must implement a custom UI that interacts with the Kratos self-service login flow API. The flow is:

- User enters their email address.
- Your UI submits the email to the login flow endpoint with the `link` method.
- Kratos sends a magic link to the user's email.
- User clicks the link, which contains a token or code that your UI submits to Kratos to complete the login.

You can find more about integrating custom UIs with Ory Kratos here: [Custom UI Integration Basics](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration/).

### 3. (Optional) Integrate with Ory Hydra

If you are using Ory Hydra for OAuth2, your login UI will be called as part of the OAuth2 login flow. You will need to handle the login challenge and, upon successful authentication via the magic link, accept the login request with Hydra. See the [Hydra custom login flow example](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow/#login-endpoint-code-example) for details.

### 4. Important Considerations

- Deprecation Warning: The magic link (`link`) method is considered legacy and may be removed in future releases. Ory recommends using the `code` method for better reliability and security, especially since email scanners can invalidate magic links before users click them [Choosing the right strategy](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation/#choosing-the-right-strategy).
- UI Adjustments: If you switch from `link` to `code`, you may need to adjust your UI to handle code entry instead of link clicks.

### References

- [Account recovery and password reset: Supported recovery methods](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset/)
- [Address verification: Choosing the right strategy](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation/#choosing-the-right-strategy)
- [Custom UI Integration Basics](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration/)
- [Hydra custom login flow example](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow/#login-endpoint-code-example)

If you need a code example or further details on the API calls, please specify your tech stack or UI framework.
@chilly-king-10285 would `webauthn` or `passkey` be considered a safer option?
A message from kapa.ai
Based on the knowledge sources, both `webauthn` and `passkey` use the same underlying WebAuthn standard for passwordless authentication, leveraging public key cryptography for secure sign-ins. However, passkeys are described as a more user-friendly and modern implementation of WebAuthn, designed to improve the user experience and security ergonomics, especially for first-factor login.

Key differences highlighted in the documentation:

- Passkeys provide features like discoverable credentials and conditional UI, allowing browsers to automatically discover and suggest credentials, which is not available with the legacy `webauthn` strategy.
- WebAuthn (as a method) is considered legacy for passwordless login in Ory and is recommended only for backward compatibility. The documentation explicitly states to use the passkey method instead of the legacy webauthn method for new implementations.

In summary, passkey is considered the safer and more robust option moving forward, as it builds on the WebAuthn standard but with improved usability and security features. The legacy `webauthn` method is supported mainly for backward compatibility and lacks some of the modern security and UX enhancements of passkeys [Passkeys & WebAuthN](https://www.ory.sh/docs/kratos/passwordless/passkeys/) [Passkeys with the WebAuthN strategy](https://www.ory.sh/docs/kratos/passwordless/passkeys/#passkeys-with-the-webauthn-strategy).

If you are starting a new project or updating your authentication flow, you should use the passkey strategy.