# ory-copilot
@chilly-king-10285 when I have an active session and click on the previously created recovery link, I am automatically redirected to the `ui/welcome` endpoint. But I have blocked that endpoint and the user sees a 403. How do I fix it?
A message from kapa.ai
When you have an active session and click on a previously created recovery link, Ory's default behavior is to redirect you to the `/ui/welcome` endpoint after the recovery flow completes. If you have blocked or disabled this endpoint, users will encounter a 403 error, as you've described.

How to fix this:

1. Set a Custom Recovery UI URL: Ensure that your Ory configuration points to your own recovery UI, not the default Account Experience. In your configuration (e.g., `kratos.yml`), set the `selfservice.flows.recovery.ui_url` to your custom recovery page. This prevents fallback to the default UI if your custom UI is set up correctly. Example:

   ```yaml
   selfservice:
     flows:
       recovery:
         enabled: true
         ui_url: https://your.custom.domain/recovery
   ```

   [Configure Ory to use your UI](https://www.ory.sh/docs/kratos/bring-your-own-ui/configure-ory-to-use-your-ui) [Recovery UI configuration](https://www.ory.sh/docs/kratos/fallback/recovery)

2. Configure Allowed Return URLs: If your flow is redirecting to `/ui/welcome` or another blocked endpoint, make sure your allowed return URLs include your custom UI endpoints. This is especially important if you are using 2FA or other advanced flows, as Ory may attempt to redirect to a UI endpoint that is not permitted, resulting in errors. [Advanced integration and redirects](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration)

3. Disable Account Experience and Set All UI URLs: In the Ory Console, under Branding → UI URLs, set all self-service flow UI URLs (login, registration, recovery, settings, etc.) to your custom UI. When you define a custom UI base URL, you lose access to the Ory Account Experience, and Ory will use your custom endpoints for all flows. [Configure Ory to use your UI](https://www.ory.sh/docs/kratos/bring-your-own-ui/configure-ory-to-use-your-ui)

4. Check for Hardcoded Redirects: If you are still being redirected to `/ui/welcome`, check your application and Ory configuration for any hardcoded references to this endpoint. Update them to use your custom UI URLs.

Summary: The issue occurs because Ory defaults to `/ui/welcome` when a custom UI is not fully configured. To fix this, ensure all relevant UI URLs are set to your custom endpoints in both your Ory configuration and the Ory Console. This will prevent Ory from redirecting users to the blocked `/ui/welcome` endpoint and instead use your custom UI, avoiding the 403 error.

If you are using Ory Network, remember that once you set a custom UI base URL, the Account Experience (including `/ui/welcome`) is disabled and should not be accessible anymore. If you still see redirects to `/ui/welcome`, double-check your configuration in the Ory Console and ensure all flows are mapped to your custom UI URLs. [Configure Ory to use your UI](https://www.ory.sh/docs/kratos/bring-your-own-ui/configure-ory-to-use-your-ui)

If you need to allow certain redirects (e.g., to `/ui/settings` after recovery with 2FA), make sure those URLs are included in your allowed return URLs as well. [redirect to /ui/settings is not allowed for recovery flow when 2FA is enabled](https://github.com/ory/network/issues/363)