In Ory Kratos, the user account is created when the registration flow is submitted—specifically, when your backend proxies the registration request (with the user's email) to Kratos. At this point, Kratos creates the identity in a "pending" or "unverified" state, and the email address is reserved for that identity. This means that once the registration flow is submitted and the email is associated with a new identity, it cannot be used by another user, even if the verification step (entering the code) has not yet been completed. Here’s how the flow works according to the documentation: 1. User submits email to sign up: Your backend proxies this to Kratos, which starts the registration flow and sends a verification code to the provided email address. 2. Email is sent with a code: The identity is already created at this point, but it is not yet verified. The email address is now reserved and cannot be used for another registration attempt until the flow is completed or expires. 3. User enters the code: Your backend verifies the code with Kratos, which marks the email as verified. 4. User sets password: After verification, you can use a settings flow to let the user set their password. This is confirmed by the documentation, which states that the verification process is started automatically when users sign up, and the identity schema must mark the email as verifiable. The account is created and the email is reserved as soon as the registration flow is submitted, not after the verification code is entered or the password is set. This prevents race conditions or duplicate registrations with the same email address during the verification process [Address verification](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation). If you need to ensure that only verified users can log in, you can enforce this with the "require verified address" hook, but the account itself is created at registration submission [Allow login only with verified email](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#allow-login-only-with-verified-email). Summary: The user account is created and the email is reserved in Kratos as soon as the registration flow is submitted (step 1), before the code is verified or the password is set.

Based on the available knowledge sources, Ory Kratos does not natively support automatic expiration or deletion of unverified or incomplete accounts (e.g., accounts that have not set a password after registration) in order to free up the email address for reuse. Once the registration flow is submitted and the identity is created, the email is reserved and cannot be used for another registration, even if the verification or password setup is not completed [Address verification](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation). While you can configure the lifespan of verification and recovery codes (e.g., how long the code is valid for), there is no documented feature to automatically delete or expire the underlying identity if the user does not complete the settings flow (such as setting a password) within a certain timeframe [Address verification configuration](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#choosing-the-right-strategy). To enforce that only users with a verified email and a password can log in, you can require email verification before login [Allow login only with verified email](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#allow-login-only-with-verified-email). However, the system does not automatically clean up incomplete registrations. Summary: - There is no built-in way in Ory Kratos to expire or delete accounts that do not complete the password setup after code verification, nor to automatically free up the email address in such cases. - You may need to implement a custom cleanup process outside of Kratos (e.g., a scheduled job that deletes unverified or incomplete identities after a certain period), but this is not covered in the official documentation. If you need this functionality, you would have to manage it externally to Kratos, as the knowledge sources do not describe a native solution.

Ory Kratos does not provide a dedicated API endpoint specifically to check if a user has a password set. However, you can retrieve an identity's credentials using the admin API (e.g.,

GET /admin/identities/{id}

), which returns the credentials object for the identity. By inspecting the

credentials

field in the response, you can determine if the

password

credential exists for that identity and whether it contains a valid configuration (such as a hashed password) [Kratos API Reference – getIdentity](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json). Here’s what the relevant part of the response looks like:

json {   "credentials": {     "password": {       "identifiers": ["<mailto:user@example.com|user@example.com>"],       "config": {         "hashed_password": "..."       }     }     // ... other credentials   } }

If the

password

credential is present and has a

hashed_password

value, the user has a password set. If it is missing or empty, the user does not have a password set. There is no single-purpose API to check only for password presence, but this information is available via the identity details in the admin API [Kratos API Reference – getIdentity](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json).

Once a user is verified via code (i.e., they enter the correct code from the email and the verification flow is completed), there is nothing else required to create a settings flow (and thus obtain a

settings_flow_id

). You can immediately initiate a settings flow for the user after successful verification. To do this, you would call the appropriate endpoint to create a settings flow. For browser-based clients, this is typically the

/self-service/settings/browser

endpoint; for API/native clients, it is

/self-service/settings/api

. The only requirement is that the user has a valid session (which is established after successful verification), but you do not need to return the auth token to the client if you are proxying the request from your backend [User and Profile Settings for Client-Side (AJAX) Browser Clients](https://www.ory.sh/docs/kratos/self-service/flows/user-settings#user-and-profile-settings-for-client-side-ajax-browser-clients). Summary: - After code verification is complete, you can immediately trigger a settings flow for the user. - No additional steps are required between verification and creating the settings flow, as long as the session is valid and managed by your backend. If you are proxying requests and not returning the auth token to the client, your backend can handle the session and trigger the settings flow as needed. The knowledge sources do not mention any additional requirements or blockers for this process.