To use a phone number as one of the login methods in your self-hosted Ory Kratos setup, follow these actionable steps: 1. Update Your Identity Schema Ensure your identity schema includes a phone number trait and marks it as a password login identifier. Here’s an example schema snippet:

json    {      "traits": {        "phone": {          "title": "Phone",          "type": "string",          "format": "tel",          "<http://ory.sh/kratos|ory.sh/kratos>": {            "credentials": {              "password": {                "identifier": true              }            }          }        }      }    }

This allows users to log in with their phone number and password. You can also allow both email and phone as identifiers by marking both fields accordingly in your schema [Choosing between username, email, and phone number](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#phone-number) [Phone number and password example](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#phone-number-and-password). 2. Enable Password Login Method In your Kratos configuration file, ensure the password method is enabled:

yaml    selfservice:      methods:        password:          enabled: true

[Login and registration using passwords](https://www.ory.sh/docs/kratos/concepts/credentials/username-email-password) 3. Validate Phone Numbers The

"format": "tel"

field in your schema enables phone number validation using Google's libphonenumber library [Phone number](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#phone-number). 4. (Optional) Enable Account Recovery and Verification via SMS - To allow account recovery or verification via SMS, mark the phone trait with the appropriate extensions in your schema:

json      "<http://ory.sh/kratos|ory.sh/kratos>": {        "recovery": { "via": "sms" },        "verification": { "via": "sms" }      }

- Configure an SMS gateway for sending messages as described in the [SMS documentation](https://www.ory.sh/docs/kratos/emails-sms/sending-sms) [Phone number verification](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#phone-number-verification). 5. Apply and Test Your Configuration - Update your Kratos deployment with the new schema and configuration. - Test the registration and login flows to ensure users can log in using their phone number and password. Summary: - Update your identity schema to include a phone number as a password identifier. - Enable the password login method in your config. - (Optional) Set up SMS for recovery/verification. - Apply changes and test the flow. If you need to support passwordless or multi-factor authentication via phone number, additional configuration is required, but the above steps cover using phone number as a standard login method.

To set up phone number as a passwordless login method in your self-hosted Ory Kratos setup, follow these actionable steps: 1. Update Your Identity Schema Your identity schema must include a phone number trait and mark it as the identifier for the one-time code (passwordless) strategy. Example:

json    {      "traits": {        "phone": {          "type": "string",          "format": "tel",          "<http://ory.sh/kratos|ory.sh/kratos>": {            "credentials": {              "code": {                "identifier": true,                "via": "sms"              }            }          }        }      }    }

This tells Kratos to use the phone number for passwordless login via SMS one-time code [Passwordless one-time code login identifier](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#passwordless-one-time-code-login-identifier) [Custom identity schema](https://www.ory.sh/docs/kratos/passwordless/one-time-code#custom-identity-schema). 2. Enable Passwordless One-Time Code Login In your Kratos configuration, enable the one-time code method for passwordless login:

yaml    selfservice:      methods:        code:          passwordless_enabled: true

[Enable SMS one-time-code (OTP)](https://www.ory.sh/docs/kratos/passwordless/one-time-code#enable-sms-one-time-code-otp) 3. Configure SMS Delivery Set up an SMS gateway/channel in your Kratos configuration so that one-time codes can be sent to users’ phone numbers. Example for Twilio:

yaml    courier:      channels:        - id: sms          type: http          request_config:            url: <https://api.twilio.com/2010-04-01/Accounts/AXXXXXXXXXXXXXX/Messages.json>            method: POST            body: <base64://ZnVuY3Rpb24oY3R4KSB7CiAgVG86IGN0eC5yZWNpcGllbnQsCiAgQm9keTogY3R4LmJvZHksCn0>=            headers:              Content-Type: application/x-www-form-urlencoded            auth:              type: basic_auth              config:                user: AXXXXXXX                password: XXXX

[Send SMS to your users](https://www.ory.sh/docs/kratos/emails-sms/sending-sms) 4. Apply and Test - Update your Kratos deployment with the new schema and configuration. - Test the login flow: users should be able to enter their phone number, receive a one-time code via SMS, and log in without a password. Note: - SMS OTP is considered less secure than other passwordless methods (like passkeys) due to risks such as SIM swapping and interception. Use with caution [Enable SMS one-time-code (OTP)](https://www.ory.sh/docs/kratos/passwordless/one-time-code#enable-sms-one-time-code-otp). If you follow these steps, you will enable passwordless login using phone numbers in your self-hosted Ory Kratos setup.

The SMS delivery setup is crucial for passwordless login with phone numbers in Ory Kratos. Without a properly configured SMS delivery channel, users will not receive the one-time codes required to complete the login process. Ory Kratos relies on this channel to send authentication codes, recovery codes, and verification codes to users' phone numbers [Send SMS to your users](https://www.ory.sh/docs/kratos/emails-sms/sending-sms) [Enable SMS one-time-code (OTP)](https://www.ory.sh/docs/kratos/passwordless/one-time-code#enable-sms-one-time-code-otp). If you want to use your own SMS wrapper (i.e., a custom service or API for sending SMS), Ory Kratos supports this by allowing you to configure the SMS channel to point to any HTTP endpoint. You can set up the

courier.channels

configuration to use your own HTTP API, specifying the URL, HTTP method, headers, authentication, and body template as needed. This flexibility means you can integrate any SMS provider or your own SMS microservice as long as it accepts HTTP requests [Send SMS to your users](https://www.ory.sh/docs/kratos/emails-sms/sending-sms). In summary: - SMS delivery setup is essential for passwordless login via phone number. - You can use your own SMS wrapper by configuring the SMS channel to point to your custom HTTP endpoint.

I'm sorry, but the knowledge sources do not provide a direct method or CLI/API command to manually trigger an SMS for testing your SMS configuration in Ory Kratos. The documentation describes how to configure SMS delivery and how SMS is sent as part of flows like passwordless login, verification, or recovery, but it does not mention a standalone test or manual trigger feature for SMS delivery. To confirm your SMS config is working, you typically need to initiate a real flow (such as registration, passwordless login, or verification) that sends an SMS as part of its process [Send SMS to your users](https://www.ory.sh/docs/kratos/emails-sms/sending-sms) [Enable SMS one-time-code (OTP)](https://www.ory.sh/docs/kratos/passwordless/one-time-code#enable-sms-one-time-code-otp). If you need to test your SMS setup, you should: - Register or log in with a phone number using a flow that triggers an SMS (e.g., passwordless login or verification). - Check if the SMS is delivered to the provided phone number. If you are running a self-hosted setup, you can also monitor the logs of the courier process to see if SMS messages are being dispatched [kratos courier watch](https://www.ory.sh/docs/kratos/cli/kratos-courier-watch#kratos-courier-watch). If you need a dedicated test endpoint or command, this is not documented in the provided sources.

If you are using your own SMS wrapper (custom HTTP API) instead of Twilio, you can fully customize the HTTP request body that Ory Kratos sends. The body is defined using a [Jsonnet](https://www.ory.sh/docs/kratos/reference/jsonnet) template, and you can structure it to match the requirements of your SMS API. The key is that Kratos provides a

ctx

object to the Jsonnet template, which contains fields like

recipient

(the phone number),

body

(the message text), and other metadata. You can map these fields to whatever your SMS API expects. Example: Suppose your SMS API expects a JSON payload like this:

json {   "phone_number": "+1234567890",   "message": "Your code is 123456" }

You would configure the body in your Kratos config as follows (base64-encoded):

jsonnet function(ctx) {   phone_number: ctx.recipient,   message: ctx.body, }

Encode this Jsonnet template in base64 and use it in your config:

yaml courier:   channels:     - id: sms       type: http       request_config:         url: <https://your-sms-api.example.com/send>         method: POST         body: base64://<base64-encoded-jsonnet>         headers:           Content-Type: application/json         # Add auth if needed

Summary: - The body can be any structure your SMS API requires. - Use the

ctx

object to access the phone number (

ctx.recipient

) and message (

ctx.body

). - Encode your Jsonnet template in base64 and reference it in the config. For more details and examples, see [Send SMS to your users](https://www.ory.sh/docs/kratos/emails-sms/sending-sms).

If you want to access only the code (for example, the one-time login code) in your SMS body, you can use the

template_data

field provided in the

ctx

object within your Jsonnet template. For SMS templates, the code is available as a property depending on the flow: - For login:

ctx.template_data.LoginCode

- For verification:

ctx.template_data.VerificationCode

- For recovery:

ctx.template_data.RecoveryCode

Example Jsonnet for SMS body with only the code (for login):

jsonnet function(ctx) {   To: ctx.recipient,   Body: ctx.template_data.LoginCode, }

This will send an SMS where the message body is just the code itself. You can adjust the property (

LoginCode

,

VerificationCode

, or

RecoveryCode

) depending on which flow you are configuring. The available variables for each template are documented here: [Available variables](https://www.ory.sh/docs/kratos/emails-sms/custom-email-templates#available-variables). For more on configuring the SMS body, see [Send SMS to your users](https://www.ory.sh/docs/kratos/emails-sms/sending-sms).

The OTP (one-time password/code) is handled by Ory Kratos. Kratos is responsible for generating the OTP, sending it via the configured SMS or email channel, and verifying the code when the user submits it during the authentication flow. Your responsibility is to configure the delivery channel (such as your own SMS wrapper or an external provider), but you do not need to generate or validate the OTP yourself—Kratos manages the entire OTP lifecycle [Send SMS to your users](https://www.ory.sh/docs/kratos/emails-sms/sending-sms) [Enable SMS one-time-code (OTP)](https://www.ory.sh/docs/kratos/passwordless/one-time-code#enable-sms-one-time-code-otp).

I'm sorry, but the knowledge sources do not provide information or guidance on managing the OTP lifecycle (generation, validation, expiration) entirely outside of Ory Kratos. All documentation and examples assume that Kratos is responsible for generating, sending, and verifying OTP codes, while you configure the delivery channel (such as your own SMS wrapper) for sending the codes to users [Send SMS to your users](https://www.ory.sh/docs/kratos/emails-sms/sending-sms) [Enable SMS one-time-code (OTP)](https://www.ory.sh/docs/kratos/passwordless/one-time-code#enable-sms-one-time-code-otp). If you require full control over the OTP lifecycle, the knowledge sources do not explicitly mention support for this use case.

You can manage the maximum number of OTP (one-time code) submission attempts in Ory Kratos by configuring the

max_submissions

parameter for the

code

method. The default value is 5, but you can set it to any value between 1 and 255. How to configure: - Ory Console: Go to Authentication → General → Maximum number of code submissions, enter your desired number, and click Save. - Ory CLI / Config file: Download your identity config, update the value, and re-upload:

yaml   config:     selfservice:       methods:         code:           max_submissions: 3

Then update your configuration:

sh   ory update identity-config --project <project-id> --workspace <workspace-id> --file identity-config.yaml

This setting controls how many times a user can submit an incorrect code before the flow fails, helping to prevent brute-force attacks [Code submissions limit](https://www.ory.sh/docs/identities/sign-in/code-submission-limit).

I'm sorry, but the knowledge sources do not describe a built-in way in Ory Kratos to lock out a phone number (or identity) after exceeding the maximum number of OTP attempts within a specific time window (such as 1 hour). The

max_submissions

setting only controls how many incorrect code submissions are allowed per flow, after which the flow fails, but it does not lock the account or phone number for a longer period or across multiple flows [Code submissions limit](https://www.ory.sh/docs/identities/sign-in/code-submission-limit). There is discussion in the Ory Kratos GitHub issues about implementing account lockout and throttling after repeated failed login attempts, but this is not currently a built-in feature. The Ory team suggests that such logic is complex and may be better handled by external systems like a WAF (Web Application Firewall), or potentially via custom webhooks if/when such features are available [Throttling repeated login requests & account lock](https://github.com/ory/kratos/issues/3037). In summary: Ory Kratos does not currently support locking out a phone number or account after a configurable number of failed OTP attempts within a time window such as 1 hour. You may need to implement this logic externally or monitor for future updates from Ory regarding this feature.

Ory Kratos does not provide a webhook specifically for "pre-sending OTP" (i.e., before the OTP is generated and sent to the user). The available action triggers for webhooks (Ory Actions) are: - before and after login - before and after registration - before and after recovery - before and after settings - before and after verification These hooks allow you to run custom logic before or after the start or completion of these flows, but there is no documented trigger that fires specifically right before an OTP is sent out or right before OTP verification is performed by Kratos [Action triggers](https://www.ory.sh/docs/kratos/hooks/configure-hooks#action-triggers) [Overview of hooks](https://www.ory.sh/docs/kratos/hooks/configure-hooks). If you need to run logic before an OTP is sent or before verification, you would need to use the before flow hooks (e.g.,

before login

,

before verification

), but these are triggered at the start of the flow, not specifically at the OTP send or verify step. Summary: - There is no dedicated "pre-sending OTP" or "pre-verification" webhook in Ory Kratos. - The closest available are the general

before

flow hooks, which run at the start of the respective flow, not at the OTP step itself [Action triggers](https://www.ory.sh/docs/kratos/hooks/configure-hooks#action-triggers).

Yes, if you only rely on per-session or per-flow limits (such as

max_submissions

for OTP attempts), a user could potentially abuse the system by repeatedly starting new flows in incognito mode or from different browsers/devices, since each new session resets the attempt counter. This could allow a single phone number to receive an excessive number of OTPs, potentially leading to abuse or SMS spam. How to mitigate this: - Endpoint-based Rate Limiting: Ory Network provides endpoint-based rate limits that can help protect against abuse by monitoring request frequency per source IP and other factors. However, these limits are managed by Ory and are not directly configurable in self-hosted Kratos. They help prevent brute-force and credential stuffing attacks by restricting the number of requests from specific sources within a given timeframe [Endpoint based rate limits](https://www.ory.sh/docs/guides/rate-limits#endpoint-based-rate-limits). - Custom Logic (Self-hosted): The knowledge sources do not describe a built-in way in self-hosted Kratos to globally limit OTP requests per phone number across all sessions and flows. The Ory team recommends handling more advanced abuse prevention (such as account or number lockout after repeated abuse) at the infrastructure level, for example using a Web Application Firewall (WAF) or custom middleware [Throttling repeated login requests & account lock](https://github.com/ory/kratos/issues/3037). - CAPTCHA: You can enable CAPTCHA protection on registration and login endpoints to help prevent automated abuse, though this does not specifically limit OTP requests per phone number [CAPTCHAs](https://www.ory.sh/docs/kratos/concepts/security#captchas). Summary: Ory Kratos does not natively prevent abuse of OTP requests via incognito or new sessions for the same phone number. To avoid this, you should implement additional protections such as endpoint-based rate limiting (Ory Network), external WAF rules, or custom logic to track and limit OTP requests per phone number over time [Endpoint based rate limits](https://www.ory.sh/docs/guides/rate-limits#endpoint-based-rate-limits) [Throttling repeated login requests & account lock](https://github.com/ory/kratos/issues/3037).

No, you cannot use the pre-verification (

before verification

) hook to check or intervene before the verification (OTP) is sent out. According to the knowledge sources, the

before verification

hook is triggered when the user starts the verification flow, not specifically before the verification code is generated or sent. There is no documented hook or action in Ory Kratos that allows you to run custom logic immediately before the verification code is dispatched to the user [Action triggers](https://www.ory.sh/docs/kratos/hooks/configure-hooks#action-triggers). In summary, the

before verification

hook runs at the start of the verification flow, not at the point of sending the verification code, so it cannot be used to check or block the sending of the code itself.

The verification flow in Ory Kratos is used to verify a user's email address or phone number associated with their account. This process is important to prove that the user has access to the address they provided during registration or when updating their profile. When the verification flow is triggered (for example, after sign-up or when a user requests verification), Ory Kratos sends a verification code or link to the user's email or phone number. The user must then enter the code or click the link to complete the verification process. Once verified, the address is marked as verified in the user's identity record. The verification flow supports both browser and API clients and can be configured to use either a one-time code (recommended) or a magic link (legacy, not recommended). The flow ensures that only users with access to the provided address can verify it, and it can be triggered automatically or manually by the user [Address verification](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation) [Verification flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#verification-flow). In summary, the verification flow: - Sends a code or link to the user's address. - Requires the user to prove access by entering the code or clicking the link. - Marks the address as verified upon successful completion. - Can be configured for both email and phone number verification.

In a passwordless login flow in Ory Kratos, the process is not always treated as a verification flow. Passwordless login (using a one-time code sent via email or SMS) is a distinct self-service flow, separate from the address verification flow. In passwordless login, the user receives a one-time code to authenticate and gain access, but this does not necessarily mark the address (email or phone) as "verified" in the sense of the verification flow. The verification flow is specifically designed to prove ownership of an address and mark it as verified in the user's identity record [Address verification](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation) [Passwordless one-time code authentication](https://www.ory.sh/docs/kratos/passwordless/one-time-code). However, there is some overlap: if a user logs in via passwordless and the code is sent to their email or phone, and if your configuration is set up to mark the address as verified upon successful login, then the login flow can also serve as verification. But by default, these are separate flows with different purposes. Summary: - Passwordless login is a separate flow from verification. - Verification flow is for proving and marking address ownership. - Passwordless login authenticates the user, but does not always mark the address as verified unless specifically configured to do so.

In a mobile phone passwordless login flow using Ory Kratos, the hooks (actions) that can be invoked are those associated with the login flow and specifically the code method. According to the documentation, you can configure hooks to run before and after the login flow, and you can further specify hooks for the

code

method (which is used for passwordless login via SMS). - before login: Runs when the user starts the login flow. - after login: Runs after the user is successfully authenticated, before the session is issued. - after login → code: If you define hooks specifically for the

code

method, these will override the general

after login

hooks for passwordless flows. Here’s how the trigger precedence works:

yaml selfservice:   flows:     login:       before:         hooks:           - hook: hook_1 # Runs for all login flows when started       after:         hooks:           - hook: hook_2 # Runs for all login flows after completion, except those with a method-specific override         code:           hooks:             - hook: hook_3 # Runs only for the code (passwordless) method

So, in a mobile phone passwordless flow, the following hooks may be invoked: - Any hooks defined under

before login

- Any hooks defined under

after login → code

(these override the general

after login

hooks for the code method) - If no method-specific hooks are defined, the general

after login

hooks will be used For more details, see the [trigger precedence documentation](https://www.ory.sh/docs/kratos/hooks/configure-hooks#trigger-precedence) and [action triggers](https://www.ory.sh/docs/kratos/hooks/configure-hooks#action-triggers).

To set up your own OTP (SMS) service with Ory Kratos for passwordless login using a mobile phone number, here are the actionable steps you need to take: 1. Update Your Identity Schema Ensure your identity schema includes a phone number trait and marks it as the identifier for the passwordless code strategy:

json    {      "traits": {        "phone": {          "type": "string",          "format": "tel",          "<http://ory.sh/kratos|ory.sh/kratos>": {            "credentials": {              "code": {                "identifier": true,                "via": "sms"              }            }          }        }      }    }

This tells Kratos to use the phone number for passwordless login via SMS one-time code [Passwordless one-time code login identifier](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#passwordless-one-time-code-login-identifier). 2. Enable Passwordless Login via Code In your Kratos configuration, enable the passwordless code method:

yaml    selfservice:      methods:        code:          passwordless_enabled: true

[Enable SMS one-time-code (OTP)](https://www.ory.sh/docs/kratos/passwordless/one-time-code#enable-sms-one-time-code-otp) 3. Configure Your SMS Delivery (OTP Service) Set up the

courier.channels

configuration to point to your own SMS wrapper (HTTP API). You can fully customize the HTTP request body using a Jsonnet template. For example:

yaml    courier:      channels:        - id: sms          type: http          request_config:            url: <https://your-sms-api.example.com/send>            method: POST            body: base64://<base64-encoded-jsonnet>            headers:              Content-Type: application/json

The Jsonnet template can access the OTP code via

ctx.body

or, for more control,

ctx.template_data.LoginCode

for login flows [Send SMS to your users](https://www.ory.sh/docs/kratos/emails-sms/sending-sms). 4. Test the Flow - Register or log in with a phone number to trigger the passwordless flow. - Confirm that your SMS service receives the request and delivers the OTP to the user. 5. (Optional) Set Security Controls - Configure

max_submissions

to limit OTP attempts per flow [Code submissions limit](https://www.ory.sh/docs/identities/sign-in/code-submission-limit). - Consider external rate limiting or abuse prevention, as Kratos does not natively lock out phone numbers across flows [Throttling repeated login requests & account lock](https://github.com/ory/kratos/issues/3037). Summary: - Update your identity schema for phone-based code login. - Enable passwordless code method in Kratos config. - Point the SMS channel to your own OTP service using a customizable HTTP request. - Test the end-to-end flow to ensure OTP delivery works as expected. If you follow these steps, you will have integrated your own OTP (SMS) service with Ory Kratos for passwordless login.

In a mobile phone passwordless login flow with Ory Kratos, the related webhooks (Ory Actions) you can configure are: - before login: Triggered when the user starts the login flow. - after login: Triggered after the user is successfully authenticated, before the session is issued. - after login → code: If you define hooks specifically for the

code

method (used for passwordless login), these will override the general

after login

hooks for flows using the code method. You can use the

web_hook

action in these hooks to call external services. For example, you might use a webhook to notify an external system when a user logs in successfully with a one-time code. However, there is **no webhook that is triggered specifically before the OTP is generated or sent out**—the hooks are tied to the flow events, not the OTP dispatch itself [Action triggers](https://www.ory.sh/docs/kratos/hooks/configure-hooks#action-triggers) [Trigger precedence](https://www.ory.sh/docs/kratos/hooks/configure-hooks#trigger-precedence) [Available actions](https://www.ory.sh/docs/kratos/hooks/configure-hooks#available-actions). Summary: - You can configure webhooks for

before login

,

after login

, and

after login → code

. - There is no dedicated webhook for "pre-sending OTP" or "pre-verification" in the passwordless flow.

No, you do not need to create your own OTP flow when using Ory Kratos. Ory Kratos handles the entire OTP (one-time code) flow for passwordless login, including generating the code, sending it via your configured SMS or email channel, and verifying the code when the user submits it. Your responsibility is to configure the delivery channel (such as your own SMS wrapper), but the OTP lifecycle and flow logic are managed by Kratos itself [Passwordless one-time code authentication](https://www.ory.sh/docs/kratos/passwordless/one-time-code) [Send SMS to your users](https://www.ory.sh/docs/kratos/emails-sms/sending-sms). If you want to customize the delivery (e.g., use your own SMS API), you only need to configure the courier channel accordingly. There is no need to implement the OTP generation, validation, or flow logic yourself.

To initiate the passwordless flow in your application with Ory Kratos, your application needs to create a login flow using the appropriate API endpoint, depending on whether it is a browser-based or native/mobile application. For native/mobile applications: Call the following endpoint to initialize the passwordless login flow:

GET /self-service/login/api

Example using `curl`:

sh curl -X GET \     -H 'Content-Type: application/json' \     https://<your-kratos-domain>/self-service/login/api

This will return a flow object containing the necessary UI nodes for your application to render the passwordless login form (e.g., phone number input for SMS OTP). Your app should then display the form, collect the user's phone number, and submit it to the action URL provided in the flow object [API flows: Native Mobile & Desktop Apps, Command Line Interfaces, Smart TVs and more](https://www.ory.sh/docs/kratos/self-service#api-flows-native-mobile--desktop-apps-command-line-interfaces-smart-tvs-and-more). For browser-based applications: Use the browser endpoint:

GET /self-service/login/browser

Example using `curl`:

sh curl -X GET \     -H 'Content-Type: application/json' \     -c cookies.txt \     https://<your-kratos-domain>/self-service/login/browser

This will redirect the browser to your login UI with the flow ID as a query parameter [Create a flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#create-a-flow). Summary of steps: 1. Your app calls the appropriate endpoint to create a login flow. 2. Render the UI based on the returned flow object (show phone/email input for passwordless). 3. Submit the user’s identifier (e.g., phone number) to the action URL from the flow. 4. Ory Kratos handles sending the OTP and the rest of the flow. For more details and code examples, see the [integration basics documentation](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration) and [passwordless one-time code authentication](https://www.ory.sh/docs/kratos/passwordless/one-time-code).

For passwordless login in Ory Kratos, the following endpoints are involved: 1. Initialize the Login Flow - For native/mobile/API clients:

GET /self-service/login/api

This endpoint initializes a passwordless login flow and returns a flow object with the necessary UI nodes for your application to render (e.g., phone number or email input) [API flows: Native Mobile & Desktop Apps, Command Line Interfaces, Smart TVs and more](https://www.ory.sh/docs/kratos/self-service#api-flows-native-mobile--desktop-apps-command-line-interfaces-smart-tvs-and-more). - For browser-based clients:

GET /self-service/login/browser

This endpoint initializes the login flow for browser applications [Login flow types](https://www.ory.sh/docs/kratos/self-service/flows/user-login). 2. Submit the Login Flow - After collecting the user's identifier (phone number or email), submit it to the

action

URL provided in the

ui

object of the flow. This is typically:

POST /self-service/login?flow=<flow-id>

The payload should include the method (

code

for passwordless) and the identifier (phone/email) [API flows: Form submission](https://www.ory.sh/docs/kratos/self-service#api-flows-native-mobile--desktop-apps-command-line-interfaces-smart-tvs-and-more). 3. Enter and Submit the OTP - The user receives a one-time code (OTP) via SMS or email. They then submit the code to the same

action

URL as above, with the code included in the payload. Summary: -

GET /self-service/login/api

(for native/mobile) or

GET /self-service/login/browser

(for browser) -

POST /self-service/login?flow=<flow-id>

(to submit identifier and then the OTP) These endpoints cover the initialization and completion of the passwordless login flow in Ory Kratos [Passwordless one-time code authentication](https://www.ory.sh/docs/kratos/passwordless/one-time-code) [API flows: Native Mobile & Desktop Apps, Command Line Interfaces, Smart TVs and more](https://www.ory.sh/docs/kratos/self-service#api-flows-native-mobile--desktop-apps-command-line-interfaces-smart-tvs-and-more).

When you call the

/self-service/login/browser

endpoint, Ory Kratos returns all enabled login methods (e.g., OIDC, password, passwordless) as UI nodes in the flow response. This is by design, so your UI can present all available options to the user. If you only want to show the mobile phone passwordless option in your UI, you need to filter the nodes on the client side and render only those related to the passwordless (code) method. You can do this by filtering the nodes by their

group

or

method

property. For passwordless login via mobile phone, you should filter for nodes in the

code

group (or `webauthn`/`passkey` if using those methods). Example (React/JS):

js import { filterNodesByGroups } from "@ory/integrations/ui"  // Only render nodes for the passwordless code method (e.g., SMS OTP) const passwordlessNodes = filterNodesByGroups({   nodes: flow.ui.nodes,   groups: ["code"], // or ["webauthn"] for WebAuthn/passkey })  // Render only passwordless nodes in your form

This approach is also shown in the Ory documentation, where you can use helpers like

filterNodesByGroups

to select only the relevant nodes for your UI [Custom UI basic integration](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#create-login-flow). Summary: - Kratos always returns all enabled login methods in the flow. - You must filter the nodes on the client side to display only the mobile phone passwordless (code) method in your UI [Custom UI basic integration](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#create-login-flow). If you need to hide other methods for specific users, consider using [login hints](https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account#hide-irrelevant-authentication-methods) to inform the UI which methods to show.

Ory does have rate limiting built in for its passwordless flow, but it does not have a built-in lockout policy for passwordless login. Rate Limiting: Ory Network applies endpoint-based rate limits to protect against abuse, such as brute-force and credential stuffing attacks. These rate limits restrict the number of requests from specific sources (like IP addresses) within a given timeframe. However, these rules are managed by Ory and are not directly configurable in self-hosted Kratos. The rate limits help prevent abuse of endpoints involved in flows like passwordless login [Endpoint based rate limits](https://www.ory.sh/docs/guides/rate-limits#endpoint-based-rate-limits) [Threat models and security profiles](https://www.ory.sh/docs/kratos/concepts/security). Additionally, you can configure the maximum number of OTP/code submission attempts per flow using the

max_submissions

parameter (default is 5). After exceeding this number, the flow fails, but this does not lock the user or phone number for a longer period [Code submissions limit](https://www.ory.sh/docs/identities/sign-in/code-submission-limit). Lockout Policy: Ory Kratos does not natively support locking out a user or phone number after repeated failed attempts over a time window (e.g., 1 hour). The

max_submissions

setting only applies to the current flow/session, and users could potentially bypass it by starting new flows (e.g., using incognito mode or new devices). For more advanced lockout or abuse prevention, you would need to implement external logic or use infrastructure-level protections like a WAF [Throttling repeated login requests & account lock](https://github.com/ory/kratos/issues/3037). Summary: - Rate limiting: Yes, built-in at the endpoint level and per-flow code submission. - Lockout policy: No, not built-in for passwordless login flows.

The knowledge sources indicate that Ory Kratos does not provide a built-in mechanism for implementing a custom rate limit or lockout policy at the identity (e.g., phone number) level. The built-in

max_submissions

parameter only limits the number of incorrect OTP submissions per flow/session, and there is no native support for locking out a user or phone number across multiple flows or over a time window [Code submissions limit](https://www.ory.sh/docs/identities/sign-in/code-submission-limit). Hooks (Ory Actions): While Ory Kratos supports hooks (Ory Actions) that can run before or after flows such as login or registration, the documentation does not specify that these hooks have access to the context needed to implement global rate limiting or lockout logic (e.g., tracking attempts per phone number across sessions). Hooks are typically used for validation, notifications, or integrating with external systems, but not for enforcing rate limits or lockouts at the identity level [Overview of hooks](https://www.ory.sh/docs/kratos/hooks/configure-hooks). Recommended Approach: The Ory team suggests that advanced rate limiting and lockout policies (such as locking a phone number after repeated failed attempts across sessions or time windows) should be implemented externally, for example using a Web Application Firewall (WAF) or custom middleware that sits in front of Kratos [Throttling repeated login requests & account lock](https://github.com/ory/kratos/issues/3037). This external system would track attempts and enforce lockouts as needed. Summary: - You cannot implement a robust, custom rate limit or lockout policy solely using Kratos hooks. - For advanced rate limiting and lockout, use external systems (e.g., WAF, API gateway, or custom middleware) to track and enforce these policies. - Kratos hooks are not designed for this purpose and do not provide the necessary context or persistence. If you need this functionality, you will need to build it outside of Kratos, as the knowledge sources do not describe a way to achieve it within Kratos itself.

Yes, you can return early in a pre (before) hook to interrupt the flow and prevent it from being initiated. This is achieved by configuring a webhook with

response.parse: true

, making it a flow-interrupting webhook. If your webhook returns an HTTP response code in the

4xx

or

5xx

range, Ory will interrupt the flow and return the error to the user, rather than proceeding with the flow initiation. You can also provide a custom error payload to inform the user why the flow was blocked [Flow-interrupting webhooks](https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks#flow-interrupting-webhooks). Example: If your webhook returns a

403 Forbidden

status, the flow will not proceed, and the user will receive the error message you provide. This mechanism allows you to implement custom validation or business logic (such as rate limiting, IP checks, or invite code validation) and block the flow if your conditions are not met.

I'm sorry, but the knowledge sources do not mention any hook or action in Ory Kratos that is specifically invoked after a failed OTP (verification code) attempt. The available hooks are triggered before or after the overall verification flow, but there is no documentation indicating that a hook is called on each failed OTP verification attempt or specifically after a failed verification. Hooks such as

after verification

are only triggered when the verification flow is successfully completed, not on failure. Therefore, if OTP verification fails, there is no related hook that will be invoked according to the provided documentation [Action triggers](https://www.ory.sh/docs/kratos/hooks/configure-hooks#action-triggers).

Based on the knowledge sources, you cannot fully replace the OTP mechanism in Ory Kratos with your own implementation. Ory Kratos is responsible for generating, sending, and verifying OTP codes as part of its passwordless and verification flows. Your role is to configure the delivery channel (such as your own SMS or email wrapper) for sending the OTP, but the lifecycle (generation, validation, expiration) of the OTP is managed internally by Kratos [Send SMS to your users](https://www.ory.sh/docs/kratos/emails-sms/sending-sms) [Enable SMS one-time-code (OTP)](https://www.ory.sh/docs/kratos/passwordless/one-time-code#enable-sms-one-time-code-otp). The knowledge sources do not describe a way to disable or override Kratos’s built-in OTP generation and verification in favor of a fully custom OTP system. If you require full control over the OTP lifecycle, this is not supported according to the current documentation and guidance. If you need to customize the delivery (e.g., use your own SMS API), you can do so, but the OTP itself will still be generated and verified by Kratos.