< chilly king 10285> tell me step by step how do i login int Ory Community #ory-copilot

<@U04UQ68083H> tell me step by step how do i login...

faint-action-73893

07/14/2025, 3:36 PM

@chilly-king-10285 tell me step by step how do i login into ory via rest with a mfa so aal2 with code by email with examples

brief-egg-61061

07/14/2025, 3:36 PM

A message from kapa.ai

brief-egg-61061

07/14/2025, 3:36 PM

To log in to Ory via REST with multi-factor authentication (MFA) using a code sent by email (AAL2), follow these steps: --- ### 1. Start the Login Flow Initiate a login flow via the API:

Copy code

sh curl -X GET \   -H "Accept: application/json" \   "https://$<http://PROJECT_SLUG.projects.oryapis.com/self-service/login/api?aal=aal2|PROJECT_SLUG.projects.oryapis.com/self-service/login/api?aal=aal2>"

- This returns a JSON response containing an

action

URL for the next step and a

flow

ID. - Make sure to store any cookies set by the response, as you’ll need them for subsequent requests. --- ### 2. Submit the First Factor (Email Identifier) Send a POST request to the

action

URL from the previous step, providing your email and specifying the

code

method:

Copy code

sh curl -X POST \   -H "Accept: application/json" \   -H "Content-Type: application/json" \   -b cookies.txt \   -d '{"identifier": "<mailto:user@example.com|user@example.com>", "method": "code"}' \   "https://$<http://PROJECT_SLUG.projects.oryapis.com/self-service/login?flow=<flow-id|PROJECT_SLUG.projects.oryapis.com/self-service/login?flow=<flow-id>>"

- This triggers Ory to send a one-time code to your email address. - The response will indicate that a code has been sent. --- ### 3. Submit the Second Factor (Email Code) After receiving the code in your email, submit it to the same

action

URL:

Copy code

sh curl -X POST \   -H "Accept: application/json" \   -H "Content-Type: application/json" \   -b cookies.txt \   -d '{"method": "code", "code": "<code-from-email>"}' \   "https://$<http://PROJECT_SLUG.projects.oryapis.com/self-service/login?flow=<flow-id|PROJECT_SLUG.projects.oryapis.com/self-service/login?flow=<flow-id>>"

- If the code is correct, you will be authenticated with AAL2 (MFA). - The response will include your session information. --- ### Notes - The

aal=aal2

parameter ensures that the login flow requires multi-factor authentication. - Make sure the Ory project is configured to allow code-based MFA via email (

mfa_enabled: true

for the

code

method). - You must handle cookies and CSRF tokens as required by your flow and Ory’s configuration. --- References: - [Ory: Email and SMS one-time-code authentication](https://www.ory.sh/docs/kratos/passwordless/one-time-code) - [Ory: SMS and Email 2FA](https://www.ory.sh/docs/kratos/mfa/mfa-via-sms) - [Ory: Multi-factor authentication](https://www.ory.sh/docs/identities/get-started/mfa#check-aal) - [Ory: Login Flow](https://www.ory.sh/docs/kratos/self-service/flows/user-login) - [Ory: Step-up authentication](https://www.ory.sh/docs/kratos/mfa/step-up-authentication)

faint-action-73893

07/14/2025, 3:38 PM

@chilly-king-10285 i will do it as an api flow and i need the first step too, the aal1 login

brief-egg-61061

07/14/2025, 3:38 PM

A message from kapa.ai

brief-egg-61061

07/14/2025, 3:39 PM

Certainly! Here’s a step-by-step guide to logging in to Ory via the REST API using the API flow, first with AAL1 (single factor, e.g., password), and then performing step-up authentication to AAL2 (MFA with a code sent by email). --- ## Step 1: Start the Login Flow (AAL1) Initiate a login flow for native/API clients:

Copy code

sh curl -X GET \   -H "Accept: application/json" \   "https://$<http://PROJECT_SLUG.projects.oryapis.com/self-service/login/api|PROJECT_SLUG.projects.oryapis.com/self-service/login/api>"

- This returns a JSON with a

flow

ID and an

action

URL for submitting credentials. - Store any cookies if provided (for session continuity) [see example](https://www.ory.sh/docs/kratos/quickstart#perform-registration-login-and-logout). --- ## Step 2: Submit AAL1 Credentials (Password) Submit your identifier (email/username) and password to the

action

URL from the previous step:

Copy code

sh curl -X POST \   -H "Content-Type: application/json" \   -H "Accept: application/json" \   -d '{"method":"password","identifier":"<mailto:user@example.com|user@example.com>","password":"yourpassword"}' \   "https://$<http://PROJECT_SLUG.projects.oryapis.com/self-service/login?flow=<flow-id|PROJECT_SLUG.projects.oryapis.com/self-service/login?flow=<flow-id>>"

- If successful, you receive a session with AAL1 (single factor) [see example](https://www.ory.sh/docs/kratos/quickstart#perform-registration-login-and-logout). --- ## Step 3: Start Step-Up Authentication (AAL2) To require MFA (AAL2), initiate a new login flow with the

aal=aal2

query parameter:

Copy code

sh curl -X GET \   -H "Accept: application/json" \   -b cookies.txt \   "https://$<http://PROJECT_SLUG.projects.oryapis.com/self-service/login/api?aal=aal2|PROJECT_SLUG.projects.oryapis.com/self-service/login/api?aal=aal2>"

- This will prompt the user for the second factor (e.g., code sent by email) [see documentation](https://www.ory.sh/docs/kratos/mfa/step-up-authentication). --- ## Step 4: Submit the Second Factor (Code from Email) After receiving the code in your email, submit it to the

action

URL from the previous step:

Copy code

sh curl -X POST \   -H "Content-Type: application/json" \   -H "Accept: application/json" \   -b cookies.txt \   -d '{"method":"code","code":"<code-from-email>"}' \   "https://$<http://PROJECT_SLUG.projects.oryapis.com/self-service/login?flow=<flow-id|PROJECT_SLUG.projects.oryapis.com/self-service/login?flow=<flow-id>>"

- If the code is correct, your session will be upgraded to AAL2 (MFA) [see documentation](https://www.ory.sh/docs/kratos/mfa/mfa-via-sms). --- ## Summary of the Flow 1. Start login flow (AAL1) → Submit password → Get session (AAL1) 2. Start login flow with
aal=aal2
→ Submit code from email → Get session (AAL2) --- Important notes: - Make sure your Ory project is configured to allow code-based MFA via email. - Handle cookies and CSRF tokens as required by your flow and Ory’s configuration. - The code method for MFA cannot be used for passwordless login if MFA via code is enabled. --- If you need example responses or more details on the payloads, let me know!

faint-action-73893

07/14/2025, 3:39 PM

Great, now give me each step and example with curl @chilly-king-10285

brief-egg-61061

07/14/2025, 3:39 PM

A message from kapa.ai

brief-egg-61061

07/14/2025, 3:40 PM

Certainly! Here’s a step-by-step guide to logging in to Ory via REST API (API flow) with MFA (AAL2) using a code sent by email, including the initial AAL1 login. All steps are based on the official Ory documentation and include example curl commands. --- ## Step 1: Start the Login Flow (AAL1) Initiate a login flow for API clients:

Copy code

sh curl -X GET \   -H "Accept: application/json" \   "https://$<http://PROJECT_SLUG.projects.oryapis.com/self-service/login/api|PROJECT_SLUG.projects.oryapis.com/self-service/login/api>"

- This returns a JSON with a

flow

ID and an

action

URL for submitting credentials. - Example response snippet:

Copy code

json   {     "id": "f091ccf5-df85-493e-a9a3-de9b86925a45",     "ui": {       "action": "https://$<http://PROJECT_SLUG.projects.oryapis.com/self-service/login?flow=f091ccf5-df85-493e-a9a3-de9b86925a45|PROJECT_SLUG.projects.oryapis.com/self-service/login?flow=f091ccf5-df85-493e-a9a3-de9b86925a45>",       "method": "POST"     }   }

[See example](https://www.ory.sh/docs/kratos/quickstart#perform-registration-login-and-logout) --- ## Step 2: Submit AAL1 Credentials (Password) Submit your identifier (email/username) and password to the

action

URL from the previous step:

Copy code

sh curl -X POST \   -H "Content-Type: application/json" \   -H "Accept: application/json" \   -d '{"method":"password","identifier":"<mailto:user@example.com|user@example.com>","password":"yourpassword"}' \   "https://$<http://PROJECT_SLUG.projects.oryapis.com/self-service/login?flow=<flow-id|PROJECT_SLUG.projects.oryapis.com/self-service/login?flow=<flow-id>>"

- If successful, you receive a session with AAL1 (single factor). [See example](https://www.ory.sh/docs/kratos/quickstart#perform-registration-login-and-logout) --- ## Step 3: Start Step-Up Authentication (AAL2) To require MFA (AAL2), initiate a new login flow with the

aal=aal2

query parameter. Use the session cookie from the previous login if required:

Copy code

sh curl -X GET \   -H "Accept: application/json" \   -b cookies.txt \   "https://$<http://PROJECT_SLUG.projects.oryapis.com/self-service/login/api?aal=aal2|PROJECT_SLUG.projects.oryapis.com/self-service/login/api?aal=aal2>"

- This will prompt the user for the second factor (e.g., code sent by email). [See documentation](https://www.ory.sh/docs/kratos/mfa/step-up-authentication) --- ## Step 4: Submit the Second Factor (Code from Email) After receiving the code in your email, submit it to the

action

URL from the previous step:

Copy code

sh curl -X POST \   -H "Content-Type: application/json" \   -H "Accept: application/json" \   -b cookies.txt \   -d '{"method":"code","code":"<code-from-email>"}' \   "https://$<http://PROJECT_SLUG.projects.oryapis.com/self-service/login?flow=<flow-id|PROJECT_SLUG.projects.oryapis.com/self-service/login?flow=<flow-id>>"

- If the code is correct, your session will be upgraded to AAL2 (MFA). [See documentation](https://www.ory.sh/docs/kratos/mfa/mfa-via-sms) --- Notes: - Make sure your Ory project is configured to allow code-based MFA via email. - The code method for MFA cannot be used for passwordless login if MFA via code is enabled. - Always handle cookies and CSRF tokens as required by your flow and Ory’s configuration. If you need more details on the payloads or responses, let me know!

faint-action-73893

07/14/2025, 3:56 PM

@chilly-king-10285 you missed a step between 3 and 4 where i select the code method for mfa login

brief-egg-61061

07/14/2025, 3:56 PM

A message from kapa.ai

brief-egg-61061

07/14/2025, 3:56 PM

Thank you for catching that! You are correct: after starting the AAL2 login flow, you must select the

code

method (to receive the code via email) before submitting the code itself. Here is the corrected, step-by-step process with cURL examples, strictly based on the Ory documentation: --- ## Step 1: Start the Login Flow (AAL1)

Copy code

sh curl -X GET \   -H "Accept: application/json" \   "https://$<http://PROJECT_SLUG.projects.oryapis.com/self-service/login/api|PROJECT_SLUG.projects.oryapis.com/self-service/login/api>"

- This returns a JSON with a

flow

ID and an

action

URL for submitting credentials. --- ## Step 2: Submit AAL1 Credentials (Password)

Copy code

sh curl -X POST \   -H "Content-Type: application/json" \   -H "Accept: application/json" \   -d '{"method":"password","identifier":"<mailto:user@example.com|user@example.com>","password":"yourpassword"}' \   "https://$<http://PROJECT_SLUG.projects.oryapis.com/self-service/login?flow=<flow-id|PROJECT_SLUG.projects.oryapis.com/self-service/login?flow=<flow-id>>"

- If successful, you receive a session with AAL1. --- ## Step 3: Start Step-Up Authentication (AAL2)

Copy code

sh curl -X GET \   -H "Accept: application/json" \   -b cookies.txt \   "https://$<http://PROJECT_SLUG.projects.oryapis.com/self-service/login/api?aal=aal2|PROJECT_SLUG.projects.oryapis.com/self-service/login/api?aal=aal2>"

- This starts a new login flow requiring AAL2 (MFA) and returns a new

flow

ID and

action

URL. --- ## Step 4: Select the Code Method for MFA You must now select the

code

method and provide your identifier (email). This triggers Ory to send a code to your email.

Copy code

sh curl -X POST \   -H "Content-Type: application/json" \   -H "Accept: application/json" \   -b cookies.txt \   -d '{"identifier":"<mailto:user@example.com|user@example.com>","method":"code"}' \   "https://$<http://PROJECT_SLUG.projects.oryapis.com/self-service/login?flow=<flow-id|PROJECT_SLUG.projects.oryapis.com/self-service/login?flow=<flow-id>>"

- You will receive a response indicating that a code has been sent to your email address. - This step is required to initiate the code-based MFA challenge [see: "Request a login code via E-Mail" example](https://github.com/ory/kratos/issues/4052). --- ## Step 5: Submit the Code from Email After you receive the code in your email, submit it to the same

action

URL:

Copy code

sh curl -X POST \   -H "Content-Type: application/json" \   -H "Accept: application/json" \   -b cookies.txt \   -d '{"method":"code","code":"<code-from-email>"}' \   "https://$<http://PROJECT_SLUG.projects.oryapis.com/self-service/login?flow=<flow-id|PROJECT_SLUG.projects.oryapis.com/self-service/login?flow=<flow-id>>"

- If the code is correct, your session will be upgraded to AAL2 (MFA) [see: "Update Login flow using the code method"](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json). --- Summary of the flow: 1. Start login flow (AAL1) 2. Submit password 3. Start login flow with

aal=aal2

4. Select

code

method (triggers code delivery) 5. Submit code from email If you need more details or run into issues, let me know!

4 Views

Open in Slack

Previous Next