If the privileged session window has expired, prompt the user to re-authenticate by starting a login flow with refresh=true (and optionally aal=aal2 if you require MFA). In a React/Next.js app, redirect the browser to the browser login flow:

ts // Next.js route handler or API route import { NextResponse } from "next/server"  export async function GET() {   return NextResponse.redirect(     `${process.env.ORY_SDK_URL}/self-service/login/browser?refresh=true`   ) }

If you require MFA during re-auth:

/self-service/login/browser?refresh=true&aal=aal2

([Refreshing user session](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#login), [Refresh sessions](https://www.ory.sh/docs/kratos/session-management/refresh-extend-sessions), [Refreshing a session](https://www.ory.sh/docs/kratos/self-service/flows/user-login#refreshing-a-session)) When the user completes the refresh login, Kratos will redirect back to your login UI (or your return_to URL if you set it) and the session will have a new authenticated_at timestamp, allowing you to proceed with the settings/password change flow. Ensure your privileged_session_max_age is set to the window you want; if it’s exceeded, updateSettingsFlow will return 403 and you should redirect to the refresh login as above (see behavior for 403 in updateSettingsFlow) ([Privileged sessions](https://www.ory.sh/docs/kratos/session-management/session-lifespan#privileged-sessions), [updateSettingsFlow](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json)).

Here are minimal React/Next.js examples to trigger a privileged-session refresh and continue your settings/password change flow. - Client-side (React) redirect to refresh login:

tsx // Button that forces re-authentication (refreshes session) function ReauthButton() {   const oryBase = import.meta?.env?.VITE_ORY_SDK_URL || process.env.NEXT_PUBLIC_ORY_SDK_URL   const returnTo = typeof window !== "undefined" ? window.location.href : ""   const refreshUrl = `${oryBase}/self-service/login/browser?refresh=true&return_to=${encodeURIComponent(returnTo)}`   return <button onClick={() => (window.location.href = refreshUrl)}>Re-authenticate</button> }

(Use aal=aal2 if you must re-prompt 2FA: add &aal=aal2) ([Refreshing user session](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#login), [Refresh sessions](https://www.ory.sh/docs/kratos/session-management/refresh-extend-sessions), [Refreshing a session](https://www.ory.sh/docs/kratos/self-service/flows/user-login#refreshing-a-session)). - Next.js Route Handler to trigger refresh:

ts // app/api/refresh-session/route.ts (Next.js 13+) import { NextResponse } from "next/server"  export async function GET() {   return NextResponse.redirect(     `${process.env.ORY_SDK_URL}/self-service/login/browser?refresh=true`   ) }

(Adapt path/aal as needed) ([Refresh sessions](https://www.ory.sh/docs/identities/get-started/session-management#refresh-sessions)). - Handling privileged-session 403 during settings submit: If your settings submit fails with 403 (privileged session required), redirect to refresh login with return_to so the user lands back on your settings page after re-auth:

ts // Example handler around settings submission async function submitSettings(formData: FormData) {   const res = await fetch("/api/settings-submit", { method: "POST", body: formData })   if (res.status === 403) {     const oryBase = process.env.NEXT_PUBLIC_ORY_SDK_URL!     const rt = encodeURIComponent(window.location.href)     window.location.href = `${oryBase}/self-service/login/browser?refresh=true&return_to=${rt}`     return   }   // handle success/errors }

(403 implies privileged_session_max_age exceeded; redirect to refresh login) ([updateSettingsFlow](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json), [Privileged sessions](https://www.ory.sh/docs/kratos/session-management/session-lifespan#privileged-sessions)). - Optional: Check session and show reauth CTA

tsx import { Configuration, FrontendApi } from "@ory/client"  const ory = new FrontendApi(   new Configuration({     basePath: process.env.NEXT_PUBLIC_ORY_SDK_URL,     baseOptions: { withCredentials: true },   }) )  export function SessionGate({ children }: { children: React.ReactNode }) {   const [loading, setLoading] = React.useState(true)   const [session, setSession] = React.useState<any | null>(null)    React.useEffect(() => {     ory       .toSession()       .then(({ data }) => setSession(data))       .catch(() => setSession(null))       .finally(() => setLoading(false))   }, [])    if (loading) return <div>Loading...</div>   if (!session) {     const login = `${process.env.NEXT_PUBLIC_ORY_SDK_URL}/self-service/login/browser`     return <a href={login}>Sign in</a>   }   return <>{children}</> }

(Uses session cookie and toSession) ([Using Ory Session Cookie](https://www.ory.sh/docs/kratos/session-management/overview#using-ory-session-cookie), [Session checks](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#session-checks)). Notes: - Always pass return_to to bring the user back to your settings/password page after re-auth. ([Advanced redirects](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#login)). - If you require MFA during refresh, add aal=aal2 to the refresh URL. ([Refresh sessions](https://www.ory.sh/docs/kratos/session-management/refresh-extend-sessions)).

Short answer: Redirect the browser to the self-service init endpoint, which will redirect to your custom login UI URL. - In browser flows, you start login by hitting /self-service/login/browser. Kratos creates the flow and 303-redirects to your configured login UI with ?flow=<id> (e.g., your custom URL like http://localhost:3000/auth/login) ([Initialize login flow](https://www.ory.sh/docs/kratos/self-service/flows/user-login#initialize-login-flow), [Browser flow stages](https://www.ory.sh/docs/kratos/self-service#browser-flows-for-server-side-apps-nodejs-php-java-)). - You configure that UI URL (ui_url) in selfservice.flows.login.ui_url. Kratos appends the flow param to it; your UI then fetches the flow and renders the form ([Initialize login flow](https://www.ory.sh/docs/kratos/self-service/flows/user-login#initialize-login-flow)). - For SPAs, you can also initialize via AJAX by calling /self-service/login/browser with Accept: application/json and then render your custom page using the returned flow; submissions still POST to the flow.ui.action URL ([Client-side apps](https://www.ory.sh/docs/kratos/self-service#browser-flows-for-client-side-apps-single-page-apps-reactjs-angular-nextjs-), [Submit flows](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#submit-flows)). So: don’t hardcode redirects to your custom page alone. Either: - Redirect to the self-service init endpoint and let it redirect to your custom UI URL; or - From your app, call the self-service init endpoint first, then navigate to your custom page with the ?flow=<id> it returns. Also ensure your app and Ory share the same top-level domain (for cookies/CSRF) ([Domain requirement](https://www.ory.sh/docs/kratos/self-service#browser-flows-for-server-side-apps-nodejs-php-java-)).