https://www.ory.sh/ logo
Join Slack
Powered by
Hey Al.. I'm having trouble getting kratos to send...
# ory-selfhosting
b
Hey Al.. I'm having trouble getting kratos to send a verification email after registration success. What am i missing in this config
Copy code
dsn: <cockroach://root@cockroach:26257/kratos_db?sslmode=disable>

serve:
  public:
    base_url: <http://127.0.0.1:4433/>
    cors:
      enabled: true
      allowed_origins:
        - <http://localhost:5173>
        - <http://localhost:5174>
        - <http://localhost:3000>
        - <http://localhost:4455>
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
        - OPTIONS
      allowed_headers:
        - Authorization
        - Content-Type
        - Cookie
      exposed_headers:
        - Content-Type
        - Set-Cookie
      allow_credentials: true
  admin:
    base_url: <http://127.0.0.1:4434/>

selfservice:
  default_browser_return_url: <http://localhost:5173/enrollment>
  flows:
    login:
      ui_url: <http://localhost:5173/login>
    registration:
      ui_url: <http://localhost:5173/registration>
      enabled: true
      after:
        default_browser_return_url: <http://localhost:5173/enrollment>
        password:
          hooks:
            - hook: show_verification_ui
            - hook: show_recovery_ui
    settings:
      ui_url: <http://127.0.0.1:4455/settings>
    recovery:
      ui_url: <http://127.0.0.1:4455/recovery>
    verification:
      ui_url: <http://127.0.0.1:4455/verification>
  methods:
    password:
      enabled: true

identity:
  default_schema_id: default
  schemas:
    - id: default
      url: file:///etc/config/kratos/identity-schemas/tpp.schema.json


courier:
  templates:
    verification:
      valid:
        email:
          body:
            html: file:///etc/config/kratos/email-templates/verification/body.html.gotmpl
            plaintext: file:///etc/config/kratos/email-templates/verification/body.plaintext.gotmpl
          subject: file:///etc/config/kratos/email-templates/verification/subject.gotmpl
  delivery_strategy: smtp
  smtp:
    connection_uri: <smtps://sandbox-3>:***@smtp.devmail.email:2525/
    from_address: <mailto:noreply@fapi-gateway.com|noreply@fapi-gateway.com>
    from_name: FAPI Gateway
@chilly-king-10285 can you help with this?
b
A message from kapa.ai
I'm happy to help with questions about Ory! However, your message "can you help with this?" does not specify what you need assistance with. Please provide more details or clarify your question regarding Ory, and I'll do my best to assist you based on the available knowledge sources.
b
@chilly-king-10285 'm having trouble getting kratos to send a verification email after registration success. What am i missing in this config
Copy code
dsn: <cockroach://root@cockroach:26257/kratos_db?sslmode=disable>

serve:
  public:
    base_url: <http://127.0.0.1:4433/>
    cors:
      enabled: true
      allowed_origins:
        - <http://localhost:5173>
        - <http://localhost:5174>
        - <http://localhost:3000>
        - <http://localhost:4455>
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
        - OPTIONS
      allowed_headers:
        - Authorization
        - Content-Type
        - Cookie
      exposed_headers:
        - Content-Type
        - Set-Cookie
      allow_credentials: true
  admin:
    base_url: <http://127.0.0.1:4434/>

selfservice:
  default_browser_return_url: <http://localhost:5173/enrollment>
  flows:
    login:
      ui_url: <http://localhost:5173/login>
    registration:
      ui_url: <http://localhost:5173/registration>
      enabled: true
      after:
        default_browser_return_url: <http://localhost:5173/enrollment>
        password:
          hooks:
            - hook: show_verification_ui
            - hook: show_recovery_ui
    settings:
      ui_url: <http://127.0.0.1:4455/settings>
    recovery:
      ui_url: <http://127.0.0.1:4455/recovery>
    verification:
      ui_url: <http://127.0.0.1:4455/verification>
  methods:
    password:
      enabled: true

identity:
  default_schema_id: default
  schemas:
    - id: default
      url: file:///etc/config/kratos/identity-schemas/tpp.schema.json


courier:
  templates:
    verification:
      valid:
        email:
          body:
            html: file:///etc/config/kratos/email-templates/verification/body.html.gotmpl
            plaintext: file:///etc/config/kratos/email-templates/verification/body.plaintext.gotmpl
          subject: file:///etc/config/kratos/email-templates/verification/subject.gotmpl
  delivery_strategy: smtp
  smtp:
    connection_uri: <smtps://sandbox-3>:***@smtp.devmail.email:2525/
    from_address: <mailto:noreply@fapi-gateway.com|noreply@fapi-gateway.com>
    from_name: FAPI Gateway
b
A message from kapa.ai
Based on your configuration and the available knowledge sources, here are the key requirements for Ory Kratos to send a verification email after successful registration: ### 1. Verification Flow Must Be Enabled You need to ensure that the verification flow is enabled and properly configured in your 
selfservice.flows.verification
section. In your config, you have:
Copy code
yaml selfservice:   flows:     verification:       ui_url: <http://127.0.0.1:4455/verification>
However, you are missing the 
enabled: true
and the 
use: code
(or 
link
) fields. According to the documentation, it should look like:
Copy code
yaml selfservice:   flows:     verification:       enabled: true       use: code # or 'link'       ui_url: <http://127.0.0.1:4455/verification>
[Address verification](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation) ### 2. Identity Schema Must Mark Email as Verifiable Your identity schema (referenced as 
tpp.schema.json
) must mark the email trait as verifiable. For example:
Copy code
json "email": {   "type": "string",   "format": "email",   "<http://ory.sh/kratos|ory.sh/kratos>": {     "credentials": {       "password": {         "identifier": true       }     },     "verification": {       "via": "email"     }   } }
[Address verification](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation) ### 3. Registration Flow and Hooks You have the 
show_verification_ui
hook enabled after password registration, which is correct if you want to show the verification screen after registration. This is optional for sending the email, but required if you want to force users to verify before getting a session. By default, Ory will send the verification email if verification is enabled and the schema is correct, even without this hook. [Verification on sign up](https://www.ory.sh/docs/actions/require-verified-address#verification-on-sign-up) ### 4. Courier Configuration Your courier configuration looks correct, assuming your SMTP credentials and template paths are valid. ### 5. Common Pitfalls - If you do not see emails being sent, check the Kratos logs for errors related to the courier or SMTP delivery. - Make sure your SMTP server is reachable and credentials are correct. - Ensure your identity schema is loaded correctly and the 
verification
property is present for the email trait. --- Summary of what you are missing: You need to add 
enabled: true
and 
use: code
(or 
link
) to your 
selfservice.flows.verification
section. Also, double-check your identity schema to ensure the email trait is marked as verifiable. If you make these changes and still do not receive verification emails, check the logs for courier or SMTP errors, and verify that your SMTP configuration is correct. For more details, see the [Ory Kratos Address Verification documentation](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation).
b
@chilly-king-10285 give me the config for courier sending email using http
b
A message from kapa.ai
Certainly! Here is an example configuration for Ory Kratos (or Ory Network) to send emails using an HTTP server (instead of SMTP) via the 
courier
section. This config can be used in your YAML configuration file:
Copy code
yaml courier:   delivery_strategy: http   http:     request_config:       url: <https://mail-sender.example.com>       method: POST       body: base64://... # Base64-encoded Jsonnet template for the payload (see below)       headers:         Content-Type: application/json       auth:         type: basic_auth # or api_key         config:           user: my-username           password: my-password           # For api_key, use:           # name: my-api-name           # value: my-api-key-value           # in: header # or cookie
Notes: - The 
body
field should contain a Base64-encoded Jsonnet template that defines the payload sent to your HTTP email provider. If omitted, a default template is used. - The 
auth
section is optional and depends on your provider's requirements. Default Jsonnet template for the payload:
Copy code
jsonnet function(ctx) {   recipient: ctx.recipient,   template_type: ctx.template_type,   to: if "template_data" in ctx && "to" in ctx.template_data then <http://ctx.template_data.to|ctx.template_data.to> else null,   recovery_code: if "template_data" in ctx && "recovery_code" in ctx.template_data then ctx.template_data.recovery_code else null,   recovery_url: if "template_data" in ctx && "recovery_url" in ctx.template_data then ctx.template_data.recovery_url else null,   verification_url: if "template_data" in ctx && "verification_url" in ctx.template_data then ctx.template_data.verification_url else null,   verification_code: if "template_data" in ctx && "verification_code" in ctx.template_data then ctx.template_data.verification_code else null,   login_code: if "template_data" in ctx && "login_code" in ctx.template_data then ctx.template_data.login_code else null,   registration_code: if "template_data" in ctx && "registration_code" in ctx.template_data then ctx.template_data.registration_code else null,   subject: if "template_data" in ctx && "subject" in ctx.template_data then ctx.template_data.subject else null,   body: if "template_data" in ctx && "body" in ctx.template_data then ctx.template_data.body else null }
You can use this template as-is or customize it for your provider, then Base64-encode it and reference it in the 
body
field. For more details and examples, see the official documentation: [Send emails using an HTTP server](https://www.ory.sh/docs/kratos/emails-sms/sending-emails-smtp#send-emails-using-an-http-server) and [HTTP based email delivery (self-hosted)](https://www.ory.sh/docs/kratos/self-hosted/email-http#configuration).
b
@chilly-king-10285 i am using an api_key
b
A message from kapa.ai
Certainly! Here is how you configure Ory Kratos to send emails using an HTTP server with API key authentication:
Copy code
yaml courier:   delivery_strategy: http   http:     request_config:       url: <https://api.your-email-provider.com/send>       method: POST       body: file:///etc/config/kratos/mail.api.request.jsonnet # or use <base64://ENCODED_JSONNET>       headers:         "Content-Type": "application/json"       auth:         type: api_key         config:           name: Authorization         # The header or cookie name for the API key           value: Bearer <API_KEY>     # The value of your API key (prefix with 'Bearer ' if required by your provider)           in: header                  # Use 'header' or 'cookie' as required by your provider
Key points: - Replace 
url
with your provider’s endpoint. - The 
body
can be a file path or a base64-encoded Jsonnet template. If omitted, the default template is used. - Set the 
name
, 
value
, and 
in
fields in the 
auth.config
section according to your provider’s requirements. For example, for Sendgrid, you would use:
Copy code
yaml auth:   type: api_key   config:     name: Authorization     value: Bearer <API_KEY>     in: header
This configuration is directly supported and documented in the Ory Kratos docs for HTTP-based email delivery with API key authentication [HTTP based email delivery](https://www.ory.sh/docs/kratos/self-hosted/email-http#configuration) and [Send emails using an HTTP server](https://www.ory.sh/docs/kratos/emails-sms/sending-emails-smtp#send-emails-using-an-http-server). If you need a sample Jsonnet template for the body, let me know!
b
@chilly-king-10285 how do i use jsonnet for the body parameter? Giuve me an example
b
A message from kapa.ai
To use Jsonnet for the 
body
parameter in your HTTP email delivery configuration, you provide a Jsonnet template that defines the payload sent to your email provider. This template can be referenced as a file (e.g., `file://path/to/template.jsonnet`) or as a base64-encoded string (e.g., 
<base64://ENCODED_JSONNET>
). Ory Kratos will pass a 
ctx
object to your Jsonnet function, containing relevant data for the email. Example Jsonnet template (
mail.api.request.jsonnet
):
Copy code
jsonnet function(ctx) {   recipient: ctx.recipient,   template_type: ctx.template_type,   to: if "template_data" in ctx && "to" in ctx.template_data then <http://ctx.template_data.to|ctx.template_data.to> else null,   recovery_code: if "template_data" in ctx && "recovery_code" in ctx.template_data then ctx.template_data.recovery_code else null,   recovery_url: if "template_data" in ctx && "recovery_url" in ctx.template_data then ctx.template_data.recovery_url else null,   verification_url: if "template_data" in ctx && "verification_url" in ctx.template_data then ctx.template_data.verification_url else null,   verification_code: if "template_data" in ctx && "verification_code" in ctx.template_data then ctx.template_data.verification_code else null }
How to reference it in your config:
Copy code
yaml courier:   delivery_strategy: http   http:     request_config:       url: <https://api.your-email-provider.com/send>       method: POST       body: file:///etc/config/kratos/mail.api.request.jsonnet       headers:         "Content-Type": "application/json"       auth:         type: api_key         config:           name: Authorization           value: Bearer <API_KEY>           in: header
Alternatively, you can base64-encode your Jsonnet file and use:
Copy code
yaml body: base64://<BASE64_ENCODED_JSONNET>
What fields are available in 
ctx
? - `recipient`: The email address of the recipient. - `template_type`: The type of template (e.g., 
verification_valid
). - `template_data`: An object with template-specific data (e.g., 
verification_url
, 
recovery_code
, etc.). For more details and a list of available fields, see the [official documentation](https://www.ory.sh/docs/kratos/self-hosted/email-http#configuration) and [Jsonnet reference](https://www.ory.sh/docs/kratos/reference/jsonnet).
b
@chilly-king-10285 give me config for totp:
b
A message from kapa.ai
Certainly! To enable and configure TOTP (Time-based One-Time Password) in Ory Kratos, you need to add the following section to your configuration file:
Copy code
yaml selfservice:   methods:     totp:       config:         # The "issuer" is the name shown in the TOTP app (e.g., Google Authenticator)         issuer: <http://ExampleIssuer.com|ExampleIssuer.com>       enabled: true
Key points: - The 
issuer
value will be displayed in the authenticator app. - Make sure 
enabled: true
is set. This configuration enables TOTP as a second-factor authentication method for your users. After enabling, users can pair their account with a TOTP app (like Google Authenticator) via the Ory Account Experience or your custom UI. For more details, see the official documentation: [Time-based one-time passwords (TOTP)](https://www.ory.sh/docs/kratos/mfa/totp) and [Self-hosted MFA configuration](https://www.ory.sh/docs/kratos/self-hosted/mfa).
b
@chilly-king-10285 how do you totp after login success. Show sample config
b
A message from kapa.ai
To require TOTP (Time-based One-Time Password) after a successful login (i.e., as a second authentication step), you need to configure Ory Kratos to enforce multi-factor authentication (MFA) with TOTP as a second factor. ### 1. Enable TOTP in your config
Copy code
yaml selfservice:   methods:     totp:       config:         issuer: <http://ExampleIssuer.com|ExampleIssuer.com>       enabled: true
This enables TOTP as a second factor and sets the issuer name that appears in authenticator apps [Time-based one-time passwords (TOTP)](https://www.ory.sh/docs/kratos/mfa/totp). ### 2. Enforce MFA after login To require users to complete TOTP after logging in, set the required Authenticator Assurance Level (AAL) for sessions and/or sensitive flows. For example, to require the highest available AAL (which includes TOTP if configured) for accessing account settings:
Copy code
yaml selfservice:   flows:     settings:       required_aal: highest_available session:   whoami:     required_aal: highest_available
With this configuration, after a user logs in with their password, they will be prompted for TOTP if they have it configured. If not, they can proceed with just their password. If you want to require TOTP for all users who have it set up, this is the recommended approach [Configure multi-factor authentication in Ory Kratos](https://www.ory.sh/docs/kratos/self-hosted/mfa). ### 3. How it works in practice - User logs in with their first factor (e.g., password). - If the session or flow requires 
aal2
(second factor), and the user has TOTP configured, Ory will prompt for the TOTP code. - Upon successful TOTP entry, the session is upgraded to 
aal2
. For more on step-up authentication and enforcing TOTP after login, see [Step-up authentication](https://www.ory.sh/docs/kratos/mfa/step-up-authentication). --- Summary: Enable TOTP in 
selfservice.methods
, and set 
required_aal: highest_available
for the relevant flows or session. This will prompt users for TOTP after a successful login if they have TOTP configured.
b
i mean google authenticator
@chilly-king-10285 i mean google authenticator
b
A message from kapa.ai
To require users to enter a code from Google Authenticator (or any TOTP app) after a successful login, you need to enable TOTP as a second factor and enforce multi-factor authentication (MFA) in your Ory Kratos configuration. Here’s a sample configuration based on the official documentation:
Copy code
yaml selfservice:   methods:     totp:       config:         # This is the name that will appear in Google Authenticator         issuer: <http://ExampleIssuer.com|ExampleIssuer.com>       enabled: true    flows:     settings:       required_aal: highest_available  session:   whoami:     required_aal: highest_available
How it works: - After a user logs in with their password, if they have TOTP (e.g., Google Authenticator) configured, Ory will prompt them to enter the code from their app. - The 
issuer
field is what users will see in Google Authenticator when they pair their account. - The 
required_aal: highest_available
setting ensures that users must complete the second factor (TOTP) for sensitive actions or to upgrade their session to AAL2. This setup is directly supported and described in the Ory documentation for TOTP and step-up authentication [Time-based one-time passwords (TOTP)](https://www.ory.sh/docs/kratos/mfa/totp) [Step-up authentication](https://www.ory.sh/docs/kratos/mfa/step-up-authentication). If you want TOTP to be required immediately after login for all users who have it configured, this is the recommended approach. If a user does not have TOTP set up, they will not be prompted for it until they do so. If you need to customize which flows require TOTP, adjust the 
required_aal
setting under the relevant flow (e.g., 
login
, 
settings
, etc.) as shown above.
b
@chilly-king-10285 How do we delete an account
b
A message from kapa.ai
To delete an account (identity) in Ory Kratos, you need to use the Ory Identities API. Specifically, you can use the 
deleteIdentityCredentials
method, which requires authentication with an Ory access token. This operation is typically performed via the admin API and is not a self-service flow exposed to end users by default. Here’s what the knowledge sources state: > To perform this operation, you must be authenticated by means of one of the following methods: oryAccessToken [Kratos API Reference](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json) The documentation does not provide a full example of the API call, but the process generally involves: - Authenticating as an admin or with appropriate permissions. - Calling the relevant admin API endpoint to delete the identity. If you need to delete an account via the Ory Console or CLI, you would typically use the admin interface or CLI commands to manage identities, but the knowledge sources do not provide explicit step-by-step instructions for this process. Summary: Account deletion is performed via the admin API using an authenticated request. The knowledge sources do not provide a detailed example, but you must use an Ory access token and the appropriate API endpoint to delete an identity.
b
@chilly-king-10285 i want to show normal login then after that show a google authenticator challenge, how do i configure this with kratos
b
A message from kapa.ai
To show a normal login (e.g., password) and then, after successful login, prompt the user for a Google Authenticator (TOTP) challenge, you need to enable TOTP as a second factor and enforce multi-factor authentication (MFA) in your Ory Kratos configuration. Here’s how you can configure this: 1. Enable TOTP as a second factor:
Copy code
yaml selfservice:   methods:     totp:       config:         issuer: <http://ExampleIssuer.com|ExampleIssuer.com>  # This is the name shown in Google Authenticator       enabled: true
This enables TOTP (Google Authenticator) for your project and sets the issuer name that appears in the authenticator app [Time-based one-time passwords (TOTP)](https://www.ory.sh/docs/kratos/mfa/totp). 2. Enforce MFA after login: Set the required Authenticator Assurance Level (AAL) to require the highest available factor (which includes TOTP if configured):
Copy code
yaml session:   whoami:     required_aal: highest_available
With this configuration, after a user logs in with their password, Ory Kratos will check if the user has TOTP configured. If so, the user will be prompted for their TOTP code (e.g., from Google Authenticator) before the session is fully established at AAL2. If the user does not have TOTP set up, they will not be prompted for it. How it works: - User enters their username and password (normal login). - If TOTP is enabled and configured for the user, Ory will prompt for the TOTP code after the password is verified. - Upon successful TOTP entry, the user gains access with an AAL2 session. This approach is described in the official documentation for step-up authentication and TOTP configuration [Step-up authentication](https://www.ory.sh/docs/kratos/mfa/step-up-authentication) [Time-based one-time passwords (TOTP)](https://www.ory.sh/docs/kratos/mfa/totp). If you want to require TOTP only for specific flows (e.g., only for settings changes), adjust the 
required_aal
setting under the relevant flow (such as 
selfservice.flows.settings.required_aal
). Note: The knowledge sources do not mention a way to force TOTP for all users regardless of whether they have it configured, nor do they describe a way to force TOTP enrollment immediately after registration. Users must enable TOTP themselves in their account settings after registration [Time-based one-time passwords (TOTP)](https://www.ory.sh/docs/kratos/mfa/totp). --- Summary: Enable TOTP and set 
session.whoami.required_aal: highest_available
to prompt for a Google Authenticator challenge after normal login if the user has TOTP configured.
b
@chilly-king-10285 Do i redirect from login to TOTP screen manually within my app or will kratos do the redirection for me
b
A message from kapa.ai
Ory Kratos will handle the redirection for you as part of the self-service login flow when multi-factor authentication (such as TOTP/Google Authenticator) is required. After the user successfully completes the first factor (e.g., password), Kratos will automatically present the TOTP challenge screen if the user has TOTP configured and the flow or session requires a higher AAL (Authenticator Assurance Level). You do not need to manually redirect from the login to the TOTP screen within your app. Kratos manages the flow state and will return the appropriate UI screen (or API response) based on what is required next in the authentication process. Your UI should render the form based on the current flow state provided by Kratos. This is described in the documentation for self-service flows and step-up authentication, where Kratos manages the flow and prompts for the second factor as needed, depending on the configuration and the user's state [Step-up authentication](https://www.ory.sh/docs/kratos/mfa/step-up-authentication) [Login flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#login-flow). If you are building a custom UI, you should use the flow information returned by Kratos to determine which form to display, but the transition between steps (e.g., from password to TOTP) is managed by Kratos itself.
2 Views
Open in Slack
PreviousNext
Powered by