Certainly! Here’s a step-by-step guide to logging in with TOTP (Time-based One-Time Password) using email as the identifier in Ory Kratos, specifically for AJAX/browser clients: --- ### 1. Ensure TOTP and Email as Identifier Are Enabled - In your Ory Kratos configuration, make sure TOTP is enabled and your identity schema uses email as the identifier for TOTP:

yaml selfservice:   methods:     totp:       config:         issuer: <http://ExampleIssuer.com|ExampleIssuer.com>       enabled: true

Identity schema (snippet):

json "email": {   "type": "string",   "format": "email",   "<http://ory.sh/kratos|ory.sh/kratos>": {     "credentials": {       "password": { "identifier": true },       "totp": { "account_name": true }     }   } }

[See details](https://www.ory.sh/docs/kratos/mfa/totp#enabling-totp-authentication) [and schema example](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#examples). --- ### 2. Initialize the Login Flow (AJAX) Send a GET request to initialize the login flow:

bash curl -X GET \   -H "Accept: application/json" \   https://<kratos-domain>/self-service/login/browser

- The response will include a

flow_id

and a form action URL for the login submission. - Make sure to handle cookies and CORS properly (

credentials: 'include'

in fetch/AJAX). [Reference](https://www.ory.sh/docs/kratos/self-service/flows/user-login#login-for-client-side-ajax-browser-clients) --- ### 3. Submit Email and Password (First Factor) Send a POST request to the login flow’s action URL with the user’s email and password (if required):

json {   "method": "password",   "identifier": "<mailto:user@example.com|user@example.com>",   "password": "user-password",   "csrf_token": "<csrf_token_from_flow>" }

- If TOTP is required (AAL2), the response will prompt for the TOTP code. --- ### 4. Submit TOTP Code (Second Factor) Send a POST request to the same flow action URL with the TOTP code:

json {   "method": "totp",   "totp_code": "<6-digit-code>",   "csrf_token": "<csrf_token_from_flow>" }

- The

csrf_token

is required for browser flows. - If successful, the session is upgraded to AAL2 and the user is logged in. [API details](https://www.ory.sh/docs/kratos/reference/api#updateLoginFlow) --- ### 5. Handle the Response - On success, you’ll receive session information or a redirect. - On error, handle validation or authentication errors as needed. --- Note: - Users must have already paired their account with a TOTP app (e.g., Google Authenticator) via the account settings before this flow will work. - TOTP is a second factor; the first factor is typically password or another primary method. --- If you need to enable TOTP for users or configure AAL2 enforcement, see the [TOTP setup guide](https://www.ory.sh/docs/kratos/mfa/totp) and [MFA enforcement](https://www.ory.sh/docs/kratos/self-hosted/mfa). If you need more details on AJAX integration, see the [AJAX login flow documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-login#login-for-client-side-ajax-browser-clients). --- If you need a code example for the AJAX requests, let me know!