https://www.ory.sh/ logo
Join Slack
Powered by
<@U04UQ68083H> How do I configure `require_verifie...
# ory-copilot
p
@chilly-king-10285 How do I configure 
require_verified_address
in Kratos. I do not see it in the reference configuration.
b
A message from kapa.ai
To configure the 
require_verified_address
action in Ory Kratos, you need to add it as a hook in the login flow configuration. This action ensures that users can only sign in if they have at least one verified address (such as a verified email or phone number). You won't find 
require_verified_address
in the default reference configuration because it's an action hook that you must explicitly add to your configuration file. ### How to configure Using the Ory Console: 1. Go to AuthenticationAccount verification in the [Ory Console](https://console.ory.sh/projects/current/verification). 2. Enable Require Verified Address for Login and save. Using the CLI or configuration file: 1. Download your current identity config:
Copy code
ory get identity-config --project <project-id> --workspace <workspace-id> --format yaml > identity-config.yaml
2. Edit your configuration file to add the hook under the login flow:
Copy code
yaml     selfservice:       flows:         login:           after:             password:               hooks:                 - hook: require_verified_address
3. Update your project with the new configuration:
Copy code
ory update identity-config --project <project-id> --workspace <workspace-id> --file identity-config.yaml
Note: - The 
require_verified_address
hook currently only works with the 
password
login method, not with OIDC or WebAuthn by default. If you need it for other methods, you may need to manually add the hook for those methods as well, depending on your version and setup [[Available actions](https://www.ory.sh/docs/kratos/hooks/configure-hooks#available-actions)]. - For more details, see the [official documentation](https://www.ory.sh/docs/actions/require-verified-address) and [configuration example](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#allow-login-only-with-verified-email). If you do not see this option in your reference configuration, it is because it is not enabled by default and must be added as shown above.
p
@chilly-king-10285 This does not seem to work in my self-deployed Kratos. How can I debug this?
b
A message from kapa.ai
If 
require_verified_address
is not working in your self-deployed Ory Kratos, here are some steps and considerations based on the knowledge sources: 1. Check Hook Placement and Method Ensure that the 
require_verified_address
hook is placed under the correct login method (typically 
password
) in your configuration. For example:
Copy code
yaml    selfservice:      flows:        login:          after:            password:              hooks:                - hook: require_verified_address
The hook only works with the 
password
method by default. If you are using OIDC or WebAuthn, you may need to add the hook for those methods as well, as earlier versions and some UIs only set it for 
password
[[Available actions](https://www.ory.sh/docs/kratos/hooks/configure-hooks#available-actions)]. 2. Verify Identity Schema Make sure your identity schema marks the address (e.g., email) as verifiable:
Copy code
json    {      "traits": {        "email": {          "type": "string",          "format": "email",          "<http://ory.sh/kratos|ory.sh/kratos>": {            "verification": {              "via": "email"            }          }        }      }    }
If the address is not marked as verifiable, the verification flow will not trigger [[Address verification configuration](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation)]. 3. Check Kratos Logs Set your log level to 
trace
or 
debug
in your configuration to get detailed output:
Copy code
yaml    log:      level: trace      format: json
This can help you see if the hook is being executed and if there are any errors during the login flow [[Example config](https://github.com/ory/kratos/issues/4233)]. 4. Test the Flow - Try logging in with an unverified address. You should be redirected to the verification flow or receive a 400 error with a 
continue_with
field in the response if using an API client [[Require verification on login](https://www.ory.sh/docs/actions/require-verified-address)]. - If you are not seeing this behavior, double-check that your configuration changes are applied and that Kratos has been restarted with the updated config. 5. Version and Compatibility Some behaviors (like the 
require_verified_address
hook only being set for the password method) have changed over time. If you are using an older version, consider upgrading or reviewing the [changelog](https://github.com/ory/kratos/releases) for relevant fixes [[Github Issue](https://github.com/ory/network/issues/246)]. 6. Legacy Behavior If you are using a configuration or project created before May 2025, legacy behaviors may apply. You can enable or disable legacy compatibility flags as described in the documentation [[Verification on sign up](https://www.ory.sh/docs/actions/require-verified-address#verification-on-sign-up)]. If after these steps the issue persists, please provide your configuration and logs for further troubleshooting. The knowledge sources do not provide more detailed debugging steps, so for advanced issues, consider reaching out to the Ory community or checking for open issues on GitHub.
p
@chilly-king-10285 I have updated all client libraries, ory elements, and kratos to v1.3.1, I see the hook handled in the kratos logs. I see "account address not yet verified" in the logs. but in the browser I still get the 400 response. I do not get teh error I expect. I do not get a redirect to the verification flow. What can I do?
b
A message from kapa.ai
Based on the knowledge sources, when the 
require_verified_address
hook is enabled and a user with an unverified address attempts to log in, the expected behavior depends on the type of client and how the login request is made: - Browser (HTML form submission): The user should be redirected (HTTP 302) to the verification flow. - AJAX or API client (
Accept: application/json
): The endpoint responds with a 400 error, and the response body includes a 
continue_with
field containing the verification flow information. This is not a redirect, but rather a signal to your frontend to handle the next step by redirecting the user to the verification UI yourself. Here’s an example of the 400 error response you should see for API clients:
Copy code
json {   "id": "session_verified_address_required",   "code": 400,   "status": "Bad Request",   "reason": "Your account's email or phone address are not verified yet. Please check your email or phone inbox or re-request verification.",   "details": {     "continue_with": [       {         "action": "show_verification_ui",         "flow": {           "id": "7f4dfb3b-c3cc-4e35-9f09-286b09e77beb",           "verifiable_address": "<mailto:user@example.com|user@example.com>",           "url": "https://<your-slug>.<http://projects.oryapis.com/verification?flow=7f4dfb3b-c3cc-4e35-9f09-286b09e77beb|projects.oryapis.com/verification?flow=7f4dfb3b-c3cc-4e35-9f09-286b09e77beb>"         }       }     ]   },   "message": "your email or phone address is not yet verified" }
Your frontend is responsible for parsing this response and redirecting the user to the verification flow URL provided in the 
continue_with
field. There is no automatic redirect for API/AJAX clients—this is by design [[Require verification on login](https://www.ory.sh/docs/actions/require-verified-address)]. What you can do: - If you are using a Single Page Application (SPA) or making AJAX requests, update your frontend to handle the 400 error, extract the verification flow URL from the 
continue_with
field, and redirect the user to that URL. - If you expect a browser redirect but are still getting a 400 error, ensure your login form is submitting as a regular HTML form (not AJAX/fetch/XHR) and that the 
Accept
header is not set to 
application/json
. If you are already handling the 
continue_with
field and still not seeing the expected behavior, double-check that your frontend logic is correctly implemented as described above. The knowledge sources do not mention any additional server-side configuration for this behavior in v1.3.1. If you need more details on handling the verification flow after login, see the documentation: [Require verification on login](https://www.ory.sh/docs/actions/require-verified-address) [Showing the verification flow after login](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#showing-the-verification-flow-after-settings-registration-or-login)
p
@chilly-king-10285 I am using Ory elements. I do not get an error like that. There is no id. there is no 
continue_with
. There is just a response that includes the GUI with the error message: 
Account not active yet. Did you forget to verify your email address?
b
A message from kapa.ai
Thank you for the clarification. Based on the knowledge sources, when the 
require_verified_address
hook is active and a user with an unverified address attempts to log in, Ory Kratos can return an error message in the UI: 
Account not active yet. Did you forget to verify your email address?
(error code 
4000010
) [[UI message reference](https://www.ory.sh/docs/kratos/concepts/ui-messages#account-not-active-yet-did-you-forget-to-verify-your-email-address-4000010)]. The documentation also states that, for browser-based flows (HTML form submissions), Kratos should redirect to the verification flow. For API/AJAX clients, it returns a 400 error with a 
continue_with
field containing the verification flow information [[Require verification on login](https://www.ory.sh/docs/actions/require-verified-address)]. However, if you are using Ory Elements and only see the error message in the UI (with no 
id
or 
continue_with
in the response), this suggests that the response is being rendered as a UI error node, not as a JSON error with actionable fields. This behavior is consistent with the documented error message, but the knowledge sources do not provide details on why the 
continue_with
field might be missing in this scenario. Summary: - The error message you see is a documented and expected UI message for unverified accounts [[UI message reference](https://www.ory.sh/docs/kratos/concepts/ui-messages#account-not-active-yet-did-you-forget-to-verify-your-email-address-4000010)]. - The knowledge sources do not explain why the 
continue_with
field is missing when using Ory Elements, nor do they provide troubleshooting steps for this specific case. - It is possible that Ory Elements is handling the error as a UI message rather than as a JSON error, but the documentation does not explicitly confirm this. If you need the verification flow to be triggered automatically: The knowledge sources do not contain enough information to explain or resolve this behavior with Ory Elements specifically. You may need to consult the Ory Elements documentation or community for further guidance, as this detail is not covered in the provided sources.
p
@chilly-king-10285 this appears to happen as the verifcation email was sent, but not responded to. The "status" in the "verifiable emails" in the identity data is "sent".
b
A message from kapa.ai
Yes, your observation aligns with the documented behavior in Ory Kratos. When the verification email has been sent but the user has not yet clicked the verification link, the status of the verifiable address in the identity data will be 
"sent"
. In this state, if the user tries to log in and the 
require_verified_address
hook is enabled, Kratos will block the login and display the error message:
Copy code
Account not active yet. Did you forget to verify your email address?
(error code 
4000010
) [[UI message reference](https://www.ory.sh/docs/kratos/concepts/ui-messages#account-not-active-yet-did-you-forget-to-verify-your-email-address-4000010)]. This is expected: the user must complete the verification process (i.e., click the link in the verification email) for the address status to change to 
"completed"
or 
"verified"
. Only then will login be allowed when 
require_verified_address
is enforced [[Email verification flow](https://www.ory.sh/docs/kratos/quickstart#email-verification)]. The knowledge sources do not provide additional error handling or alternative flows for this scenario. The system is working as designed: until the verification is completed, login is blocked and the user is prompted to verify their email.
p
@chilly-king-10285 is there a status I can set that would cause kratos and elements to redirect to the verification page instead of just showing the warning message?
b
A message from kapa.ai
Based on the knowledge sources, there is no documented status value you can set in the verifiable address that will cause Ory Kratos and Ory Elements to automatically redirect to the verification page instead of showing the warning message ("Account not active yet. Did you forget to verify your email address?"). The documented behavior is as follows: - If the user attempts to log in and their address is not verified, and the 
require_verified_address
hook is enabled, Kratos will block the login and show the error message in the UI [[UI message reference](https://www.ory.sh/docs/kratos/concepts/ui-messages#account-not-active-yet-did-you-forget-to-verify-your-email-address-4000010)]. - For API/AJAX clients, Kratos can return a 400 error with a 
continue_with
field containing the verification flow URL, which your frontend can use to redirect the user [[Require verification on login](https://www.ory.sh/docs/actions/require-verified-address)]. - For browser-based flows, the expected behavior is a redirect, but if the verification email has already been sent and the address status is 
"sent"
, Kratos will show the warning message until the user completes verification. The knowledge sources do not mention any status or configuration that would force a redirect to the verification flow in this scenario. The redirect to the verification flow is typically triggered when the verification process is initiated, not when the address is in the 
"sent"
state. Summary: I'm sorry, but the knowledge sources do not contain information about a status you can set to force Kratos and Elements to redirect to the verification page instead of showing the warning message. The current behavior—showing the warning message when the status is `"sent"`—is expected and documented.
3 Views
Open in Slack
PreviousNext
Powered by