To add a username/password credential identifier to a user in Ory, you need to: 1. Define the username as an identifier in your identity schema In your identity schema (JSON Schema), mark the username field with the following extension to indicate it should be used as a password login identifier:

json    {      "traits": {        "username": {          "type": "string",          "<http://ory.sh/kratos|ory.sh/kratos>": {            "credentials": {              "password": {                "identifier": true              }            }          }        }      }    }

This tells Ory that the

username

field can be used to log in with a password. You can also allow both username and email as identifiers by marking both fields this way in your schema[Customize identity schemas](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema/#username-and-email-and-password). 2. Create or update the user with the username and password When creating or importing a user, include the username in the

traits

and provide the password in the

credentials

section. For example, to import a user with a clear text password:

json    {      "schema_id": "your-schema-id",      "traits": {        "username": "myuser"      },      "credentials": {        "password": {          "config": {            "password": "the-password"          }        }      }    }

This can be done using the

/admin/identities

endpoint. The password will be hashed and stored securely. The user will then be able to log in using their username and password[Importing credentials](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities/#importing-credentials). Summary: - Mark the username field as a password identifier in your identity schema. - Create or update the user with the username in

traits

and the password in

credentials

. For more details and examples, see the documentation on [customizing identity schemas](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema/#username-and-email-and-password) and [importing credentials](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities/#importing-credentials).

To change their username or password, users utilize the Ory Settings Flow: - Password Change: Users can update their password by accessing the settings/profile page. They are presented with a form to enter a new password. The system validates the new password against the password policy. If the password is valid, it is updated. If not, the user receives an error message (e.g., password too short or found in data breaches). This process requires a valid session, and if the session is too old, the user may be prompted to re-authenticate for security reasons[Settings and profile updates](https://www.ory.sh/docs/kratos/self-service/flows/user-settings/#update-password-1). - Username Change: If your identity schema allows the username to be updated (i.e., it is not marked as read-only), users can change their username through the same settings flow. The updated username must be valid according to your schema. The process is similar to changing other profile traits and may also require a privileged session if configured[Settings and profile updates](https://www.ory.sh/docs/kratos/self-service/flows/user-settings/). Note: - The ability to change the username depends on your identity schema configuration. - Changing these privileged fields may require the user to re-authenticate if their session is older than the configured `privileged_session_max_age`[Settings and profile updates](https://www.ory.sh/docs/kratos/self-service/flows/user-settings/). For more details, see the documentation on [settings and profile updates](https://www.ory.sh/docs/kratos/self-service/flows/user-settings/).