For passwordless registration and login flows in Ory (using Ory Kratos), the main related endpoints are the same as for standard self-service flows, but the methods and UI nodes rendered will reflect the passwordless configuration (e.g., WebAuthn, passkey, or one-time code). Here are the relevant endpoints: ### Registration Flow Endpoints - Initialize Registration Flow (Browser):

GET /self-service/registration/browser

This endpoint initializes a registration flow for browser-based clients. The response includes a flow ID and UI nodes for rendering the registration form, which will include passwordless options if enabled. [Registration for client-side (AJAX) browser clients](https://www.ory.sh/docs/kratos/self-service/flows/user-registration#registration-for-client-side-ajax-browser-clients) - Fetch Registration Flow Data:

GET /self-service/registration/flows?id=<flow_id>

Use this to fetch the current state of the registration flow, including which passwordless methods are available and required form fields. [Form rendering](https://www.ory.sh/docs/kratos/self-service#form-rendering) - Submit Registration Data:

POST /self-service/registration?flow=<flow_id>

Submit the registration form, including passwordless credentials (e.g., passkey, WebAuthn response, or code). [Initialize registration flow](https://www.ory.sh/docs/kratos/self-service/flows/user-registration#initialize-registration-flow) ### Login Flow Endpoints - Initialize Login Flow (Browser):

GET /self-service/login/browser

This initializes a login flow for browser-based clients. The response will include UI nodes for passwordless login if configured. [Initialize login flow](https://www.ory.sh/docs/kratos/self-service/flows/user-login#initialize-login-flow) - Fetch Login Flow Data:

GET /self-service/login/flows?id=<flow_id>

Use this to fetch the current state of the login flow, including available passwordless methods and required fields. [Form rendering](https://www.ory.sh/docs/kratos/self-service#form-rendering) - Submit Login Data:

POST /self-service/login?flow=<flow_id>

Submit the login form, including passwordless credentials (e.g., passkey, WebAuthn response, or code). [Initialize login flow](https://www.ory.sh/docs/kratos/self-service/flows/user-login#initialize-login-flow) --- Note: - For single-page apps (SPAs) or AJAX clients, use the same endpoints but set

Accept: application/json

and ensure cookies are handled with

credentials: 'include'

and proper CORS settings. - The actual passwordless method (e.g., WebAuthn, passkey, or code) is determined by the configuration and the UI nodes returned in the flow response. - Native apps use

/self-service/registration/api

and

/self-service/login/api

instead of

/browser

. For more details on enabling and configuring passwordless methods, see [Passwordless login](https://www.ory.sh/docs/identities/get-started/passwordless).

Yes, you can create a layer between your client and Ory to implement custom logic before registering a user. This is a common pattern and is supported by Ory in several ways: 1. Custom Backend Layer: You can have your frontend communicate with your own backend API, which then interacts with Ory. This allows you to run any custom logic (such as validation, business rules, or logging) before forwarding the registration request to Ory. When doing this, ensure your backend forwards the necessary cookies to Ory for session and CSRF validation, as backend calls do not automatically include cookies from the frontend. This approach is described in the migration and integration documentation: > When the frontend makes an API call to your backend, it will include the necessary cookies. Your backend must then forward these cookies when calling the Ory API to validate the session... you must manually attach the relevant cookies to these requests. [Integrate backend](https://www.ory.sh/docs/migrate-to-ory#integrate-backend) 2. Ory Actions and Hooks: Ory also supports "before" registration hooks (Ory Actions), which allow you to run custom logic (such as webhooks or external service calls) before the registration flow is completed. This can be used to enforce invite-only registration, check IP addresses, or validate email domains: > You can use Ory Actions before events such as user login, registration, triggering account recovery or verification, and updating account settings. [Hooks Overview](https://www.ory.sh/docs/kratos/hooks/configure-hooks) > The hook runs when a registration flow starts. [Action triggers](https://www.ory.sh/docs/kratos/hooks/configure-hooks#action-triggers) In summary, both approaches are supported: you can implement your own backend layer for full control, or use Ory's built-in hooks and actions for extensibility directly within the Ory platform.

When implementing a passwordless registration flow using your own backend as a proxy to Ory, you need to pay close attention to the cookies involved, as they are essential for session management and CSRF protection. Here are the key cookies you need to be aware of: 1. CSRF Cookie - Ory issues an anti-CSRF cookie when initializing a registration flow for browser-based clients. This cookie must be included in subsequent requests to Ory, especially when fetching or submitting the registration flow. - Your backend must forward this cookie from the client to Ory when making API calls, or CSRF validation will fail and you may receive 401 or 400 errors. - Example:

set-cookie: <project>_csrf_token=...; Path=/api/kratos/public; Domain=<your-domain>; HttpOnly; Secure; SameSite=None

- [CSRF troubleshooting](https://www.ory.sh/docs/troubleshooting/csrf) 2. Session Cookie - After successful registration (if the session hook is enabled), Ory will issue a session cookie. This cookie is used to maintain the user's authenticated session. - Your backend should ensure this cookie is set in the client’s browser after registration is complete. - Example:

Set-Cookie: ory_kratos_session=...; Path=/; Domain=<your-domain>; HttpOnly; Secure; SameSite=Lax

- [Successful registration](https://www.ory.sh/docs/kratos/self-service/flows/user-registration#successful-registration) 3. Ory Session and Internal Cookies - Ory may also issue other cookies for internal purposes, such as CSRF protection, load balancing, and security features. These are typically prefixed with

ory_

(e.g.,

ory_session_

,

ory_st_

). - [Identifiable token formats](https://www.ory.sh/docs/security-compliance/token-formats) Important Implementation Notes: - When your backend receives a request from the frontend, it must forward all relevant cookies (especially CSRF and session cookies) to Ory when making API calls such as fetching or submitting the registration flow. - If you do not forward these cookies, Ory will not be able to validate the session or CSRF token, and the flow will fail. - For AJAX requests, ensure that credentials are included (e.g.,

credentials: 'include'

in fetch or

withCredentials: true

in Axios) so cookies are sent from the browser to your backend and then to Ory. Example (Node.js pseudo-code):

js // Forward cookies from client to Ory <http://router.post|router.post>('/register', async (req, res) => {   const cookies = req.headers.cookie   // Forward the registration request to Ory, including the cookies   const response = await oryApi.postRegistrationFlow({ /* ... */, headers: { cookie: cookies } })   // Handle response... })

[API reference](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json) In summary, always forward the CSRF and session cookies between your client, backend, and Ory to ensure the passwordless registration flow works correctly.

For a passwordless registration flow using your own backend as a proxy to Ory, the main endpoints involved are: 1. Initialize the Registration Flow (Browser)

GET /self-service/registration/browser

This endpoint is called to start a new registration flow. It sets the necessary CSRF cookies and returns the flow ID and form fields required for registration. Your backend should forward this request to Ory and relay the response to the client, including any cookies set by Ory [Create registration flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#create-registration-flow). 2. Fetch the Registration Flow

GET /self-service/registration/flows?id=<flow-id>

This endpoint retrieves the current state of the registration flow, including the required form fields (such as those for passwordless methods). Your backend should forward this request and response as well [Get registration flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#get-registration-flow). 3. Submit the Registration Flow

POST /self-service/registration?flow=<flow-id>

This endpoint is used to submit the registration data (e.g., email, passkey/WebAuthn response, etc.) to Ory. Your backend should forward the client’s submission to this endpoint, including all relevant cookies and CSRF tokens [Submit registration flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#submit-registration-flow). Note: - If you are building a native app or a non-browser client, you would use the

/self-service/registration/api

endpoint instead of

/browser

for initialization, but for browser-based flows (including those proxied through your backend), you must use the

/browser

endpoints to ensure CSRF protection is enforced [Browser vs. native apps](https://www.ory.sh/docs/identities/native-browser). These are the core endpoints involved in a passwordless registration flow when using your own backend as a proxy to Ory.