When you encounter an

Internal Server Error

(HTTP 500) on the

self-service/login/browser

endpoint while running Ory Kratos locally, but the

self-service/login/api

endpoint works fine, it typically points to issues related to browser-based flows, cookies, or misconfiguration in your local environment. Here are the most common causes and troubleshooting steps based on the knowledge sources: 1. Domain and Cookie Issues Ory Kratos browser flows rely on cookies for session and CSRF protection. Cookies will not work correctly if your app and Kratos are not on the same domain (or at least the same top-level domain). For local development, you must use the same domain (e.g., always

localhost

or always

127.0.0.1

, not a mix) for both your app and Kratos. Mixing these can cause cookies not to be sent, resulting in errors on browser flows, but not on API flows which do not use cookies in the same way. [See: Local development](https://www.ory.sh/docs/getting-started/local-development#local-development), [CSRF troubleshooting](https://www.ory.sh/docs/kratos/debug/csrf) 2. CORS and CSRF Configuration If you see CORS or CSRF errors, ensure you are using the Ory Tunnel for local development, which helps avoid CORS issues. Also, make sure you are handling CSRF tokens correctly in your UI and that cookies are sent with requests (

withCredentials: true

in axios or

credentials: "include"

in fetch). [See: Debug - CORS and CSRF](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#debug) 3. Configuration of UI URLs The browser flow expects a UI URL to redirect to after initializing the flow. If this is misconfigured or unreachable, it can result in server errors. Check your

selfservice.flows.login.ui_url

setting in your Kratos config. [See: Initialize login flow](https://www.ory.sh/docs/kratos/self-service/flows/user-login#initialize-login-flow) 4. Dev Mode and HTTPS If you are running Kratos without HTTPS and not using

--dev

mode, cookies with the

Secure

flag will not be sent, causing issues. For local development over HTTP, always use

--dev

mode. [See: CSRF troubleshooting](https://www.ory.sh/docs/kratos/debug/csrf) 5. Check for Error Details Kratos provides user-facing error details via the error UI endpoint. If you have set

selfservice.flows.error.ui_url

, check the redirected error page or query the error details directly from the API to get more information about the cause. [See: User-facing errors](https://www.ory.sh/docs/kratos/self-service/flows/user-facing-errors) Summary of steps to try: - Ensure both your app and Kratos use the same domain (e.g., both on

localhost

). - Use the Ory Tunnel for local development and point your SDK/API calls to

<http://localhost:4000>

. - Run Kratos with

--dev

if using HTTP. - Double-check your UI URLs in the Kratos config. - Inspect the error details via the error UI endpoint for more information. If after these steps the issue persists, please provide the error details from the error endpoint or logs for further diagnosis.

Once your SPA (Single Page Application) is redirected after initializing the login flow, the next step is to fetch the login flow data using the flow ID from the URL query parameter (e.g.,

?flow=<flow-id>

). This data contains all the information needed to render the login form, including CSRF tokens, available login methods, and any additional UI nodes. Here’s what you should do next: 1. Extract the flow ID from the URL: Your SPA should read the

flow

query parameter from the URL. 2. Fetch the login flow data: Use the flow ID to call the

/self-service/login/flows?id=<flow-id>

endpoint. This will return the flow object with all necessary UI nodes and configuration for rendering the login form. Example (using fetch or your preferred HTTP client):

js    fetch(`https://<your-kratos-url>/self-service/login/flows?id=${flowId}`, {      credentials: "include", // Important: ensures cookies are sent      headers: {        "Accept": "application/json"      }    })    .then(res => res.json())    .then(flow => {      // Render your login form using flow.ui.nodes    })

3. Render the login form: Use the data from

flow.ui.nodes

to render the login form in your SPA. Make sure to include all required fields, especially the hidden CSRF token. 4. Handle form submission: When the user submits the form, send a POST request to the URL specified in

flow.ui.action

with the method in

flow.ui.method

, including all form data (identifier, password, CSRF token, etc.). [See: Submit login flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#submit-login-flow) 5. Process the response: - On success, Ory will set the session cookie and respond with session data or a redirect. - On error, Ory will return error messages in the response, which you should display to the user. Example React SPA flow: - On mount, check for

flow

in the URL. - If present, fetch the flow data and render the form. - On submit, POST to

flow.ui.action

with the form data. - Handle success or error as appropriate. For a detailed code example, see the [custom UI integration guide](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#create-login-flow). > In summary: > After redirect, fetch the login flow using the flow ID, render the form, and handle submission as described above. > [Reference: SPA browser flows](https://www.ory.sh/docs/kratos/self-service#browser-flows-for-client-side-apps-single-page-apps-reactjs-angular-nextjs-)

Yes, according to the Ory documentation, your application (UI) and Ory Kratos must be hosted on the same top-level domain for browser-based flows to work correctly. This is necessary because cookies (used for sessions and CSRF protection) are only sent by browsers to matching domains. If your app and Kratos are on different top-level domains, cookies will not be shared, and authentication flows will fail. For example, these setups will work: -

<http://ory.bar.com|ory.bar.com>

and

<http://app.bar.com|app.bar.com>

-

<http://ory.bar.com|ory.bar.com>

and

<http://bar.com|bar.com>

But this will not work: -

<http://ory.bar.com|ory.bar.com>

and

<http://not-bar.com|not-bar.com>

This requirement applies to both server-side and client-side (SPA) browser flows. For local development, you should also ensure you are not mixing

localhost

and

127.0.0.1

, as browsers treat them as different domains. If you need to support multiple domains (e.g., for multi-brand setups), Ory Network and Ory Kratos Enterprise offer features for that scenario, but even then, each domain will have its own session cookie and login flow [Docs: Cookie-based security model](https://www.ory.sh/docs/security-model) [Docs: Self-service flows](https://www.ory.sh/docs/kratos/self-service#browser-flows-for-client-side-apps-single-page-apps-reactjs-angular-nextjs-) [Docs: Multiple custom domains](https://www.ory.sh/docs/kratos/bring-your-own-ui/configure-ory-to-use-your-ui#multiple-custom-domains).

Yes, using

localhost:4433

(for Ory Kratos) and

localhost:3000

(for your app) is supported and works correctly for local development. Browsers treat different ports on the same domain (

localhost

) as the same origin for the purpose of cookies, so session and CSRF cookies will be sent as expected. However, you must ensure that you consistently use

localhost

(not mixing with

127.0.0.1

) across your configuration and in your browser, as browsers treat

localhost

and

127.0.0.1

as different domains, which would break cookie sharing [Local development](https://www.ory.sh/docs/getting-started/local-development#local-development) [CSRF troubleshooting](https://www.ory.sh/docs/kratos/debug/csrf). > Key points: > -

localhost:4433

and

localhost:3000

are considered the same domain for cookies. > - Do not mix

localhost

and

127.0.0.1

. > - For local development, using different ports on

localhost

is fine. If you encounter cookie issues, double-check that all URLs use

localhost

and not

127.0.0.1

or any other domain.

If you are getting a CORS error when fetching the

/self-service/login/flows

endpoint, it usually means that your frontend origin is not allowed by the CORS configuration of your Ory Kratos or Ory Network project. For Ory Kratos (self-hosted): - Make sure CORS is enabled and your frontend's origin is listed in the

allowed_origins

configuration. Example:

yaml   serve:     public:       cors:         enabled: true         allowed_origins:           - <http://localhost:3000>         allowed_methods:           - POST           - GET           - PUT           - PATCH           - DELETE         allowed_headers:           - Authorization           - Cookie           - Content-Type         exposed_headers:           - Content-Type           - Set-Cookie

[See: Kratos CORS settings](https://www.ory.sh/docs/kratos/guides/setting-up-cors)<source>https://www.ory.sh/docs/kratos/guides/setting-up-cors&lt;/source> For Ory Network (cloud): - You must add your frontend's origin to the CORS origins in your Ory Project settings. Ory Network does not allow

*

,

null

, or

localhost/127.0.0.1

as CORS origins. For local development, use [Ory Tunnel](https://www.ory.sh/docs/guides/cli/proxy-and-tunnel) to proxy requests through the same domain. - Example CLI command to set CORS origins:

sh   ory patch project <your-project-id> \     --replace '/cors_public/enabled=true' \     --replace '/cors_public/origins=["<http://localhost:3000>"]'

[See: Set up CORS for Ory Network](https://www.ory.sh/docs/guides/cors)<source>https://www.ory.sh/docs/guides/cors&lt;/source> For local development: - Use Ory Tunnel or Ory Proxy to ensure your app and Ory APIs are on the same domain, which avoids CORS issues entirely. [See: Local development with Ory Tunnel](https://www.ory.sh/docs/getting-started/local-development#local-development)<source>https://www.ory.sh/docs/getting-started/local-development#local-development&lt;/source> Summary: - Add your frontend's origin to the allowed CORS origins in your Ory configuration. - For local development, use Ory Tunnel or Ory Proxy to avoid CORS issues. - Do not use

localhost

or

127.0.0.1

as CORS origins in Ory Network; use the tunnel instead. If you have already set these and still see CORS errors, double-check that the origin in your browser matches exactly what is configured (including protocol and port).

If you only want to render the passwordless (e.g., passkey or one-time code) login method in your UI, you should filter the nodes in the login flow response to include only those related to the passwordless method you have enabled. For Passkey (WebAuthn/Passkey): - Filter for nodes with the group

"webauthn"

or

"passkey"

. - Render only those nodes in your form. - Make sure to include the Ory WebAuthn JavaScript if using WebAuthn/passkey, as described in the docs. Example (React, passkey/webauthn):

js {filterNodesByGroups({   nodes: flow.ui.nodes,   groups: ["webauthn", "passkey"], // Only show passwordless nodes }).map((node, idx) => mapUINode(node, idx))}

You may also need to add the Ory WebAuthn script to your page:

html <script src="/.well-known/ory/webauthn.js"></script>

[See: Passwordless authentication integration](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#passwordless-authentication) For One-Time Code: - Filter for nodes with the group

"code"

. - Render only those nodes in your form. Summary of steps: 1. Filter the

flow.ui.nodes

for the group(s) corresponding to your passwordless method. 2. Render only those nodes in your UI. 3. Handle the form submission as usual, posting to

flow.ui.action

. This approach ensures your UI only displays the passwordless login option and not other methods like password or OIDC. [Reference: Advanced custom UI integration](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#passwordless-authentication)

You can differentiate between input fields and buttons in the nodes by inspecting the

type

property inside each node's

attributes

. According to the Ory documentation, each node in

flow.ui.nodes

has an

attributes.type

that corresponds to standard HTML input types, such as

"text"

,

"password"

,

"email"

,

"hidden"

,

"submit"

,

"button"

, etc. - Input fields typically have types like

"text"

,

"password"

,

"email"

,

"hidden"

, etc. - Buttons have types like

"submit"

or

"button"

. For example, in React, you might see logic like this:

js if (isUiNodeInputAttributes(node.attributes)) {   const attrs = node.attributes   switch (attrs.type) {     case "button":     case "submit":       // This is a button       return <button ... />     default:       // This is an input field       return <input ... />   } }

This approach is shown in the official Ory integration examples, where the

type

is used to decide whether to render a

<button>

or an

<input>

element [Custom UI basic integration](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#create-login-flow). For more details on the possible input types, see the [UI input nodes documentation](https://www.ory.sh/docs/kratos/concepts/ui-user-interface#ui-input-nodes).

After rendering the nodes (i.e., displaying the login form fields in your UI), the next step is to handle form submission. When the user interacts with the form (for example, enters their identifier and triggers passwordless authentication), you should: 1. Submit the form data to the URL specified in

flow.ui.action

using the method in

flow.ui.method

. This is typically a POST request. Make sure to include all required fields, such as the identifier and any hidden fields like the CSRF token. 2. Handle the response: - If the submission is successful, Ory will complete the login flow (e.g., set a session cookie and redirect or respond with session data). - If there are validation errors or additional steps (such as a WebAuthn prompt), Ory will return an updated flow with error messages or new nodes to render. You should update your UI accordingly by re-rendering the form with the new nodes and messages. You can refer to the following documentation for detailed steps and code examples: - [Submit login flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#submit-login-flow) - [Passwordless authentication integration](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#passwordless-authentication) These sections provide guidance on how to handle form submission, process responses, and update your UI based on the flow returned by Ory Kratos.

Yes, Ory Kratos supports a registration flow for passwordless authentication. You can enable passwordless registration using methods such as passkeys (WebAuthn) or one-time codes. When passwordless is enabled, users can register without a traditional password by using a passkey or receiving a one-time code via email or SMS. The registration flow for passwordless is highly customizable and can be integrated into your custom UI. You can define custom fields and validation rules through the identity schema. The available methods for registration flows include

password

,

oidc

,

webauthn

, and `passkey`—with

webauthn

and

passkey

being the relevant methods for passwordless registration. When users initiate the registration flow, they can choose the passwordless option if it is enabled in your configuration [Integration basics: Registration flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#registration-flow) [Passkeys & WebAuthN](https://www.ory.sh/docs/kratos/passwordless/passkeys). To enable and configure passwordless registration, you can use the Ory Console or CLI to activate the relevant methods under the Authentication settings. Once enabled, the registration flow will present passwordless options to users during sign-up [Get started: Passwordless login](https://www.ory.sh/docs/identities/get-started/passwordless).

Yes, Ory Kratos supports a registration flow using passwordless one-time codes. When you enable the one-time code strategy for passwordless in your project, users can register by entering their email (or phone number, if SMS is enabled), receive a one-time code, and complete the registration without setting a password. How it works: 1. The user starts the registration flow and enters their email address. 2. Ory sends a one-time code to the provided email. 3. The user enters the code to complete registration and is authenticated. To enable this: - In the Ory Console, go to Authentication → Passwordless login and toggle "Enable one-time code passwordless" to on, then save. - Or, using the CLI:

sh   ory patch identity-config --project <your-project-id> \     --add '/selfservice/methods/code/passwordless_enabled=true'

- Make sure your identity schema marks the email (or phone) as the identifier for the code method [Custom identity schema](https://www.ory.sh/docs/kratos/passwordless/one-time-code#custom-identity-schema). User experience: - The registration UI will prompt for an email. - After submission, the user receives a code and enters it to complete registration. You can find more details and step-by-step instructions in the official documentation: [Email and SMS one-time-code authentication](https://www.ory.sh/docs/kratos/passwordless/one-time-code) and [Get started: Passwordless login](https://www.ory.sh/docs/identities/get-started/passwordless). If you are building a custom UI, you will need to handle the registration flow similarly to the login flow, but using the registration endpoints and rendering only the nodes related to the one-time code method.

Yes, Ory Kratos supports passwordless registration using a phone number and one-time code (OTP) via SMS. To enable this, you need to: 1. Enable the one-time code strategy for passwordless: In your configuration, set

passwordless_enabled: true

for the

code

method. This can be done via the Ory Console or CLI. 2. Configure your identity schema: Your identity schema must include a phone number trait, and it should be marked as the identifier for the

code

method with

"via": "sms"

. Here’s an example:

json    {      "$schema": "<http://json-schema.org/draft-07/schema#>",      "type": "object",      "properties": {        "traits": {          "type": "object",          "properties": {            "phone_number": {              "type": "string",              "format": "tel",              "title": "Your phone number",              "minLength": 3,              "<http://ory.sh/kratos|ory.sh/kratos>": {                "credentials": {                  "code": {                    "identifier": true,                    "via": "sms"                  }                }              }            }          }        }      }    }

[See: Custom identity schema for one-time code](https://www.ory.sh/docs/kratos/passwordless/one-time-code#custom-identity-schema) 3. Set up SMS delivery: You must configure an SMS provider so Ory can send the OTP to the user’s phone number. This is done in the Ory Console or via CLI, and you can use a webhook for local development or integrate with providers like Twilio. [See: SMS delivery configuration](https://www.ory.sh/docs/kratos/passwordless/one-time-code#enable-sms-one-time-code-otp) 4. User experience: - The user enters their phone number in the registration form. - Ory sends a one-time code via SMS. - The user enters the code to complete registration and is authenticated. Note: Ory recommends using passkeys for higher security, but SMS OTP is fully supported for phone-based passwordless registration. If you follow these steps, you can offer a passwordless registration flow focused solely on phone numbers and SMS one-time codes.

The error message

Could not find a strategy to log you in with. Did you fill out the form correctly?

(error code

4010002

) indicates that Ory Kratos could not determine which login strategy to use based on the data you submitted. This usually happens if the form is missing required fields or if the identity schema and enabled strategies do not match the data provided [UI message codes](https://www.ory.sh/docs/kratos/concepts/ui-user-interface#could-not-find-a-strategy-to-log-you-in-with-did-you-fill-out-the-form-correctly-4010002). Common causes: - The form does not include the expected identifier (e.g., email, phone number) for the enabled login strategy. - The login method (e.g., passwordless code, password, passkey) is not enabled in your configuration. - The submitted data does not match any enabled strategy (for example, submitting a phone number when only email login is enabled). How to resolve: 1. Check your identity schema to ensure the field you are submitting (e.g.,

phone_number

for SMS code) is marked as an identifier for the correct strategy. 2. Verify your configuration to ensure the login method you want (e.g., passwordless code via SMS) is enabled. 3. Make sure your form includes all required fields as defined by the login flow nodes, especially the identifier and any hidden fields like CSRF tokens. For more details on this error, see the official documentation: [UI message codes: 4010002](https://www.ory.sh/docs/kratos/concepts/ui-user-interface#could-not-find-a-strategy-to-log-you-in-with-did-you-fill-out-the-form-correctly-4010002).

To include the CSRF token in your submission, you need to extract it from the login (or registration, verification, etc.) flow response and include it in your form data when submitting the flow. The CSRF token is provided as a hidden input field in the

flow.ui.nodes

array, typically with the name

csrf_token

. How to include the CSRF token: 1. Extract the CSRF token from the flow response: Look for a node in

flow.ui.nodes

where

attributes.name

is

"csrf_token"

and

attributes.type

is

"hidden"

. 2. Render it as a hidden input in your form: For example, in React:

jsx    {flow.ui.nodes      .filter(node => node.attributes.name === "csrf_token" && node.attributes.type === "hidden")      .map((node, idx) => (        <input          key={idx}          type="hidden"          name={node.attributes.name}          value={node.attributes.value}        />      ))}

[See: Hidden input node](https://www.ory.sh/docs/kratos/concepts/ui-user-interface#hidden-input-node) 3. Include the CSRF token in your submission payload: When submitting the form (either via a native form POST or an AJAX request), ensure the CSRF token is included in the request body with the key

csrf_token

. Example cURL for browser flow:

sh    curl -X POST \      -H 'Content-Type: application/json' \      -d '{"method":"password","csrf_token":"your-csrf-token", ...}' \      -b cookies.txt \      "https://$<http://PROJECT_SLUG.projects.oryapis.com/self-service/login?flow=<your-flow-id|PROJECT_SLUG.projects.oryapis.com/self-service/login?flow=<your-flow-id>>"

[See: Submit flows](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#submit-flows) Summary: Always include the CSRF token from the flow response as a hidden field in your form and ensure it is sent in the request body when submitting the flow. This is required for CSRF protection in Ory flows.

If you are still getting the error:

Could not find a strategy to log you in with. Did you fill out the form correctly?

even though the CSRF token is present in the body, this usually means that Ory Kratos cannot match your submission to any enabled login strategy. This is not a CSRF issue, but rather a problem with the submitted data or configuration. Based on the knowledge sources, here are the most likely causes and solutions: 1. Missing or Incorrect Identifier Field The field you are submitting (e.g.,

phone_number

or

phone

) must be marked as an identifier for the

code

strategy in your identity schema, and you must submit the exact field name expected by Kratos. For example, if your schema uses

phone_number

, you must submit

phone_number

in the form data, not

phone

or any other name [Custom identity schema for one-time code](https://www.ory.sh/docs/kratos/passwordless/one-time-code#custom-identity-schema). 2. Strategy Not Enabled The

code

strategy (for one-time code login) must be enabled in your configuration. If it is not enabled, Kratos will not recognize the submission, even if the CSRF token is correct [Passwordless one-time code login identifier](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#passwordless-one-time-code-login-identifier). 3. Incorrect Form Submission You must submit all required fields as specified in the

flow.ui.nodes

, including the identifier (e.g.,

phone_number

), the CSRF token, and the

method

(which should be set to

code

for passwordless one-time code login). If you omit the

method

field or set it incorrectly, Kratos will not know which strategy to use. Example payload:

json    {      "method": "code",      "phone_number": "+1234567890",      "csrf_token": "your-csrf-token"    }

4. Check the Flow Nodes Double-check the nodes returned by

/self-service/login/flows?id=...

to see which fields are expected. Make sure your form matches these fields exactly. Summary: - Ensure your identity schema and form field names match. - Make sure the

code

strategy is enabled. - Include

"method": "code"

in your submission. - Submit all required fields as shown in the flow nodes. If you have verified all of the above and the issue persists, please check the exact field names and values in your flow nodes and your submission payload, as mismatches are a common cause of this error [UI message codes](https://www.ory.sh/docs/kratos/concepts/ui-user-interface#could-not-find-a-strategy-to-log-you-in-with-did-you-fill-out-the-form-correctly-4010002).

If the attribute name in your flow nodes is

identifier

, you should submit your form with the field name

identifier

, not

phone

. Ory Kratos uses the name

identifier

as a generic field for the primary login trait (which could be email, phone, or username) depending on your identity schema and configuration. You do not need to change it to

phone

unless your flow nodes specifically use

phone

as the field name. Always use the exact field names provided in the

flow.ui.nodes

attributes when submitting your form [Custom UI basic integration](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#create-login-flow). If your identity schema is set up correctly and the

code

strategy is enabled, Kratos will map the value of

identifier

to the appropriate trait (such as phone number) internally. > In summary: > Use the field name

identifier

in your form submission if that is what is specified in the flow nodes. Do not change it to

phone

unless the flow nodes explicitly require it.

I'm sorry, but the knowledge sources provided do not explicitly show a case where the

method

field is missing from the login flow nodes in the response. In all the documented examples, the

method

field appears as an input node with

type: "submit"

and

name: "method"

, or as a hidden input with

name: "method"

and a value corresponding to the login strategy (e.g.,

"password"

,

"code"

,

"webauthn"

). For example, a typical node for the passwordless code method looks like this:

json {   "type": "input",   "group": "code",   "attributes": {     "name": "method",     "type": "hidden",     "value": "code",     "disabled": false,     "node_type": "input"   },   "messages": [],   "meta": {} }

or as a submit button:

json {   "type": "input",   "group": "code",   "attributes": {     "name": "method",     "type": "submit",     "value": "code",     "disabled": false,     "node_type": "input"   },   "messages": [],   "meta": { ... } }

[See: Submit verification flow example](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#submit-verification-flow) If you do not see a node with

name: "method"

in your flow response, it may indicate a misconfiguration or an issue with the enabled strategies in your Ory Kratos setup. The knowledge sources do not provide troubleshooting steps for this specific scenario. I recommend double-checking your configuration and ensuring the desired login/registration strategies are enabled. If the issue persists, you may need to consult the official Ory documentation or support channels for further assistance.