To verify an email in the response of an after registration webhook, you can modify the identity object in your webhook response. Specifically, you can set the status of the verifiable address to "completed" and mark it as verified. Here is an example of how to structure your webhook response:

json {   "identity": {     "traits": {       "email": "<mailto:john@example.org|john@example.org>"     },     "verifiable_addresses": [       {         "status": "completed",         "value": "<mailto:john@example.org|john@example.org>",         "verified": true,         "via": "email"       }     ]   } }

This will update the identity so that the email address is marked as verified before it is saved to the database. Make sure that the email in the

traits

matches the one in

verifiable_addresses

, as any additional addresses not present in the traits will be deleted. This approach is supported during the registration and settings flows only. Always ensure you return the complete data for the fields you want to update, as the entire field will be replaced by your response [Modify identities](https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks#modify-identities).

Yes, you can configure Ory to automatically verify emails provided by SSO (Social Sign-In) providers, but this requires you to explicitly carry over the verified status from the SSO provider in your data mapping configuration. To do this, you need to return the

verified_addresses

field in your Social Sign-In Jsonnet mapping snippet. For example, if the SSO provider (like Google) returns an

email_verified

claim, you can use the following Jsonnet snippet in your provider configuration:

jsonnet local claims = {   email_verified: false, } + std.extVar('claims');  {   identity: {     traits: {       [if 'email' in claims && claims.email_verified then 'email' else null]: claims.email,       given_name: claims.given_name,       family_name: claims.family_name,     },     verified_addresses: std.prune([       // Carry over verified status from Social Sign-In provider.       if 'email' in claims && claims.email_verified then { via: 'email', value: claims.email },     ]),   }, }

This will mark the email as verified in Ory if the SSO provider indicates it is verified. Note that this only works if the verified address is also present in the identity's traits and marked as a verifiable email in your identity schema [Carry over verified status from Social Sign-In](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#carry-over-verified-status-from-social-sign-in). There is no single config flag to "auto verify all SSO emails"—you must use the data mapping as shown above.

std.prune

is a Jsonnet standard library function that removes all

null

values from an array or object. In the context of Ory's social sign-in data mapping, it is used to ensure that only non-null entries (e.g., only verified addresses that actually exist) are included in the output. For example:

jsonnet verified_addresses: std.prune([   if 'email' in claims && claims.email_verified then { via: 'email', value: claims.email }, ]),

This will only add an entry to

verified_addresses

if the email exists and is verified; otherwise, the array will be empty or contain only valid entries [Carry over verified status from Social Sign-In](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#carry-over-verified-status-from-social-sign-in). Regarding the

verified_at

field: The knowledge sources do not explicitly state which date is added to

verified_at

when using this mapping. The example snippets do not set

verified_at

manually, and there is no documentation indicating that Ory will automatically set this field to a specific value (such as the current time or a value from the SSO provider). If you need to set

verified_at

, you may need to add it explicitly in your mapping, but the default behavior is not documented in the provided sources.

Based on the available knowledge sources, you can include the

verified_at

field in the

verifiable_addresses

array in the response of an after registration webhook. The API reference and webhook documentation show that

verified_at

is a valid field for verifiable addresses and can be set as part of the identity object in webhook responses. Here’s an example structure:

json {   "identity": {     "traits": {       "email": "<mailto:john@example.org|john@example.org>"     },     "verifiable_addresses": [       {         "status": "completed",         "value": "<mailto:john@example.org|john@example.org>",         "verified": true,         "via": "email",         "verified_at": "2024-06-01T12:00:00Z"       }     ]   } }

However, the knowledge sources do not explicitly confirm whether Ory will always honor a custom

verified_at

value set this way, or if it will override it with its own timestamp. The documentation only states that the webhook response can update the

verifiable_addresses

field, including all its properties [Modify identities](https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks#modify-identities), and the API reference lists

verified_at

as a valid property [Ory API Reference](https://www.ory.sh/docs/reference/api). In summary: You can include

verified_at

in your webhook response, but the documentation does not guarantee that Ory will use your provided value without modification.