# ory-copilot
f
@chilly-king-10285 give me possible reasons and ways to check why this error appears: "{ "type": "validation_violation", "status": 400, "message": "Invalid request content.", "details": [ { "field": "email", "type": null, "message": "is invalid", "moreInfo": null } ] }"
b
A message from kapa.ai
The error message you provided indicates a validation violation for the "email" field, with HTTP status 400 ("Invalid request content."). Based on the Ory Kratos documentation and related sources, here are possible reasons and ways to check why this error appears:

### Possible Reasons

1. Invalid Email Format
   - The email field does not match the expected email format (e.g., missing "@" or domain).
   - Example error: `"\"notanemail\" isn't valid \"email\""` is shown when the email format is incorrect [Settings form validation](https://www.ory.sh/docs/kratos/self-service/flows/user-settings#settings-form-validation).
2. Empty or Missing Email Field
   - The email field is empty or not provided in the request payload.
   - Example error: `"length must be >= 3, but got 0"` for missing email [Registration form validation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration#registration-form-validation).
3. Malformed JSON or Incorrect Field Name
   - The request body is not valid JSON, or the field is not named exactly as expected (e.g., "traits.email" vs. "email").
   - The API expects specific field names and structure as defined in your identity schema.
4. Additional Schema Validation Errors
   - The email does not meet other schema requirements (e.g., max length, uniqueness, etc.).

### Ways to Check

- Check the Request Payload
  - Ensure the email field is present and correctly named.
  - Confirm the value is a valid email address.
- Review the Identity Schema
  - Verify the schema used by Ory Kratos for the identity includes the correct format and requirements for the email field.
- Inspect the Error Details
  - The error response may include more specific messages in the "details" array, which can help pinpoint the exact issue.
- Test with Example Requests
  - Use the examples from the documentation to compare your request payloads and see if they match the expected structure and values [Registration form validation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration#registration-form-validation), [Settings form validation](https://www.ory.sh/docs/kratos/self-service/flows/user-settings#settings-form-validation).
- Check for Malformed JSON
  - Ensure your request is valid JSON and matches the expected structure.

If you continue to see this error after checking the above, review the full error response for additional context or validation messages, as Ory Kratos typically provides detailed feedback on what went wrong with the request.

> Note: The knowledge sources do not provide an exhaustive list of all possible causes, but the above are the most common reasons for this error in Ory Kratos flows.
f
@chilly-king-10285 this error comes from an oauth2 flow. i get it when i post on an external api's /socialLogin endpoint together with an "ory_ac_" prefix token and we're supposed to get an "access_token, scope" and things like this
b
A message from kapa.ai
Based on the knowledge sources, here’s what can be determined about your situation: You are receiving a validation error for the email field when posting to an external API’s `/socialLogin` endpoint, using an Ory-issued OAuth2 token (with the `ory_ac_` prefix). You expect to receive an access_token and scope, but instead get a 400 error indicating "email is invalid".

### Possible Reasons (Based on Ory Documentation)

1. Invalid Email Format or Missing Field
   - The error message suggests the external API is validating the email field and finds it invalid. This could be due to an incorrect format, a missing field, or a mismatch with the expected schema. Ory’s own endpoints return similar errors when the email is not present or not formatted correctly in the payload [Registration form validation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration#registration-form-validation).
2. Malformed or Unexpected Token
   - The `ory_ac_` prefix indicates an Ory authorization code. If the external API expects a different token type (such as an access token, typically `ory_at_`), it may not be able to extract or validate the user’s email from the token or the associated flow. The documentation notes that the default prefixes are `ory_ac_` for authorization codes, `ory_at_` for access tokens, and `ory_rt_` for refresh tokens [Configurable token prefix for OAuth2 tokens](https://www.ory.sh/docs/self-hosted/oel/oauth2/token-prefix).
3. Token Content or Claims
   - If the external API is trying to extract the email from the token’s claims and the token does not contain it (or the claims are not as expected), this could result in a validation error. Ory tokens, especially authorization codes, do not themselves contain user claims; those are typically present in ID tokens or access tokens after exchanging the code.

### Ways to Check

- Verify the Token Type
  - Ensure you are sending the correct token type expected by the external API. If it expects an access token (`ory_at_`), do not send an authorization code (`ory_ac_`).
- Check the Token Exchange Flow
  - If you are sending an authorization code, you may need to exchange it for an access token and ID token at the Ory token endpoint before calling the external API.
- Inspect the Request Payload
  - Confirm that the email field is present, correctly named, and formatted in the payload sent to the `/socialLogin` endpoint.
- Review the External API’s Requirements
  - The external API may have specific requirements for the structure of the request and the expected token type.

### Summary

The most likely cause is that the external API expects an access token (`ory_at_`) or an ID token, not an authorization code (`ory_ac_`). Authorization codes are meant to be exchanged for tokens, not used directly as bearer tokens. Double-check the flow and ensure you are sending the correct token type and a valid, properly formatted email field if required by the API.

If you need to customize the token prefix, note that this is only available for Ory Enterprise customers, but the default prefixes should work as described above [Configurable token prefix for OAuth2 tokens](https://www.ory.sh/docs/self-hosted/oel/oauth2/token-prefix).

If you need more details about the external API’s requirements, you may need to consult their documentation, as the Ory knowledge sources do not provide information about third-party API expectations.