incalculable-petabyte-84501
07/11/2025, 8:06 AM

brief-egg-61061
07/11/2025, 8:06 AM
return_to address for proper redirection—especially when you want to skip the login flow due to an already valid session—you need to ensure that the return_to URL is included in your project's allow list. Ory enforces this to prevent open redirect attacks.

How to validate the return_to address:

1. Add the URL to the allow list: In your Ory configuration, specify allowed return URLs under selfservice.allowed_return_urls. For example:

```yaml
selfservice:
  allowed_return_urls:
    - https://www.myapp.com/
```

This allows dynamic redirects to any path under https://www.myapp.com/ when using the ?return_to= parameter in your self-service flows. If the return_to address is not on this list, Ory will reject the redirect for security reasons [Docs: HTTP redirection configuration](https://www.ory.sh/docs/kratos/concepts/browser-redirect-flow-completion#redirection).

2. Behavior when skipping the login flow: If a valid session exists and you want to skip the login flow, you can check the session and then redirect to the return_to address, but only if it is allow-listed. If not, Ory will block the redirect and may return a security_identity_mismatch error [Ory API Reference](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json).

3. Example usage: When initializing a login flow, append the return_to parameter:

https://<your-project>.projects.oryapis.com/self-service/login/browser?return_to=https://www.myapp.com/dashboard

After successful authentication (or if the session is already valid and login is skipped), Ory will redirect to the return_to URL if it is allow-listed [Docs: Concepts - Browser redirects](https://www.ory.sh/docs/concepts/redirects).

Summary: To validate the return_to address, ensure it is present in your allowed_return_urls configuration. Ory will automatically check this and only allow redirects to URLs on the list. If you skip the login flow due to an active session, you can safely redirect to the return_to address, knowing Ory will enforce this security check. If you need to programmatically check if a return_to is valid, you must compare it against your allow list before redirecting. For more details, see the documentation on [advanced redirects](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration) and [redirect configuration](https://www.ory.sh/docs/kratos/concepts/browser-redirect-flow-completion#redirection).

incalculable-petabyte-84501
07/14/2025, 9:59 AM

brief-egg-61061
07/14/2025, 9:59 AM
GET /self-service/login/flows at any time, regardless of whether you are authenticated or not. The operation does not require authentication. This endpoint is used to fetch the context of a login flow, such as form fields and error details, using the flow ID. However, for browser flows, you must include the anti-CSRF cookie in the request's HTTP Cookie header; otherwise, the request may fail. This is important for both authenticated and unauthenticated users [Ory API Reference - getLoginFlow](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json).

> Note:
> - If the flow has expired, you will receive an error and need to initiate a new flow.
> - The endpoint is safe to call for both authenticated and unauthenticated users, but the returned data will reflect the current session state (e.g., if the user is already signed in, you may get a session_already_available error) [Ory API Reference - getLoginFlow](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json).

incalculable-petabyte-84501
07/14/2025, 10:03 AM

brief-egg-61061
07/14/2025, 10:03 AM

brief-egg-61061
07/14/2025, 10:04 AM
return_to URL (for example, when they already have a session and you want to skip the login flow), you must ensure that the URL is present in your project's allowed_return_urls configuration. Ory enforces this allow list to prevent open redirect attacks.

How Ory handles the allow list:

- When a self-service flow (login, registration, etc.) is initialized with a return_to parameter, Ory automatically checks if the provided URL matches any entry in the selfservice.allowed_return_urls configuration.
- If the return_to URL is not on the allow list, Ory will reject the redirect and not use the URL for redirection [Docs: HTTP redirection configuration](https://www.ory.sh/docs/kratos/concepts/browser-redirect-flow-completion#redirection).

Example configuration:

```yaml
selfservice:
  allowed_return_urls:
    - https://www.myapp.com/
```

With this configuration, any return_to URL that starts with https://www.myapp.com/ will be accepted.

How to check programmatically: Ory does not provide a dedicated API endpoint to check if a return_to URL is allowed. The validation is performed internally by Ory when the flow is initialized or completed. If you want to check this in your own application logic (for example, before redirecting a user who already has a session), you need to replicate the allow list logic in your application code, matching the return_to URL against the patterns in your allowed_return_urls configuration [Docs: Concepts - Browser redirects](https://www.ory.sh/docs/concepts/redirects).

Summary:

- Ory enforces the allow list automatically for all self-service flows.
- If you want to check the allow list yourself (e.g., before redirecting), you must implement the same matching logic as your Ory configuration.
- There is no public Ory API endpoint to validate a return_to URL directly; the check happens internally during flow processing.

For more details, see the documentation on [redirect configuration and allow lists](https://www.ory.sh/docs/kratos/concepts/browser-redirect-flow-completion#redirection).