<@U04UQ68083H> describe me all steps for a native ...
# ory-copilot
f
@chilly-king-10285 describe for me all the steps for a native app recovery flow, with endpoints and payloads.
b
A message from kapa.ai
Certainly! Here are all the steps for a native app recovery flow with Ory, including the relevant endpoints and example payloads.

---

## 1. Create a Native Recovery Flow

Endpoint: `GET /self-service/recovery/api`

Description: Initiates a recovery flow for API clients (native apps).

Note: Do not use this endpoint in browser-based applications due to CSRF risks.

Example Request:

```bash
curl -H 'Content-Type: application/json' \
     -H 'Accept: application/json' \
     https://$PROJECT_SLUG.projects.oryapis.com/self-service/recovery/api
```

Example Response:

```json
{
  "id": "f022d468-e0a4-4529-b123-228d1d0932a9",
  "type": "api",
  "expires_at": "...",
  "issued_at": "...",
  "request_url": "https://$PROJECT_SLUG.projects.oryapis.com/self-service/recovery/api",
  "active": "code",
  "ui": {
    "action": "https://$PROJECT_SLUG.projects.oryapis.com/self-service/recovery?flow=f022d468-e0a4-4529-b123-228d1d0932a9",
    "method": "POST",
    "nodes": [
      {
        "type": "input",
        "group": "default",
        "attributes": {
          "name": "csrf_token",
          "type": "hidden",
          "value": "",
          "required": true,
          "disabled": false,
          "node_type": "input"
        }
      },
      {
        "type": "input",
        "group": "code",
        "attributes": {
          "name": "email",
          "type": "email",
          "required": true,
          "disabled": false,
          "node_type": "input"
        }
      },
      {
        "type": "input",
        "group": "code",
        "attributes": {
          "name": "method",
          "type": "submit",
          "value": "code",
          "disabled": false,
          "node_type": "input"
        }
      }
    ]
  },
  "state": "choose_method"
}
```
[Source: Ory Docs - Create recovery flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#create-recovery-flow)

---

## 2. Submit the Recovery Flow (Request Recovery Code)

Endpoint: `POST /self-service/recovery?flow=<flow-id>`

Description: Submit the user's email to request a recovery code.

Example Request:

```bash
curl -X POST \
     -H 'Content-Type: application/json' \
     -H 'Accept: application/json' \
     -d '{"method":"code","email":"email@example.com"}' \
     "https://$PROJECT_SLUG.projects.oryapis.com/self-service/recovery?flow=<flow-id>"
```

Example Payload:

```json
{
  "method": "code",
  "email": "email@example.com"
}
```
Example Response: A new UI node will be presented to enter the code sent to the email.

[Source: Ory Docs - Submit recovery flow (native)](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#submit-recovery-flow)

---

## 3. Submit the Recovery Code

Endpoint: `POST /self-service/recovery?flow=<flow-id>`

Description: Submit the code received by email to complete the recovery process.

Example Request:

```bash
curl -X POST \
     -H 'Content-Type: application/json' \
     -H 'Accept: application/json' \
     -d '{"method":"code","code":"123456"}' \
     "https://$PROJECT_SLUG.projects.oryapis.com/self-service/recovery?flow=<flow-id>"
```

Example Payload:

```json
{
  "method": "code",
  "code": "123456"
}
```
Example Response: If the code is valid, the flow will proceed to allow the user to reset their password or complete the recovery process.

[Source: Ory Docs - Submit recovery flow (native)](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#submit-recovery-flow)

---

## 4. Handle the Result

- If successful, the user can now reset their password or is guided to the next step as defined by your app.
- If there are errors (e.g., invalid code), the response will include error messages in the `ui.nodes` or `ui.messages` fields, and you should prompt the user accordingly.

---

### Summary Table

| Step | Endpoint | Method | Payload Example |
|------|----------|--------|----------------|
| 1. Create flow | `/self-service/recovery/api` | GET | - |
| 2. Request code | `/self-service/recovery?flow=<flow-id>` | POST | `{ "method": "code", "email": "email@example.com" }` |
| 3. Submit code | `/self-service/recovery?flow=<flow-id>` | POST | `{ "method": "code", "code": "123456" }` |

---

Important:

- Use `/self-service/recovery/api` only for native apps (not browser-based apps).
- The flow is only available for the `code` method in native apps.
- The flow ID is required for all subsequent steps after creation.

[More details in Ory documentation](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#create-recovery-flow)
f
OK, I would need the next steps for setting a new password or new authenticator. Where do I get them from, @chilly-king-10285?
b
A message from kapa.ai
After a successful recovery flow in a native app (i.e., after the user submits the correct recovery code), Ory issues a privileged session and the user is expected to proceed to the settings flow to set a new password or update authenticators.

How to proceed:

- For browser applications: The user is automatically redirected to the settings page.
- For native applications: Your app must take the user to the settings page after recovery is complete. This means you need to initiate a new settings flow for the user, using the appropriate endpoint for native/API clients.

Endpoint to initiate settings flow (native):

```
GET /self-service/settings/api
```

You should call this endpoint after the recovery flow is completed. The response will contain the form fields (nodes) for updating the password or other authenticators. You then render these fields in your app and submit the user's new password or authenticator data to the action URL provided in the response.

Reference:

> "When a recovery flow is submitted, a session is issued to the application. This allows the user to reset their password and update their profile information on the settings page. Browser applications are automatically redirected to the settings page, while native applications must take the user to the settings page."

[Ory Docs - Recovery Integration Basics](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#recovery)

How to update the password: The settings flow response will include the necessary form fields for password update. You submit the new password to the provided action URL as described in the settings flow documentation.

[Ory Docs - Update password](https://www.ory.sh/docs/kratos/self-service/flows/user-settings#update-password-1)

Summary of steps:

1. Complete the recovery flow (submit code).
2. Initiate a settings flow (`GET /self-service/settings/api`).
3. Render the settings form (e.g., password update).
4. Submit the new password/authenticator to the action URL from the settings flow response.

If you need more details on the exact payloads for the settings flow, refer to the settings flow documentation linked above.