Your observation is correct: the lifespan of the login flow determines how long the user has to complete the login process, including submitting a code for passwordless login. If the login flow expires (in your case, after 10 minutes), it is no longer possible to submit the code, even if the code itself is valid for a longer period (e.g., 1 hour). This is expected behavior in Ory Kratos: the flow's lifespan is the upper limit for any action within that flow, including code submission. Once the flow expires, the user must initiate a new login flow, regardless of the code's validity period. How to fix this problem: If you want users to be able to submit the code for up to 1 hour, you need to increase the lifespan of the login flow to match the code's lifespan. Set the login flow lifespan to 1 hour (or whatever your code lifespan is). This way, the flow will remain valid for the entire duration the code is valid, and users will be able to submit the code as long as both the code and the flow are not expired. Summary: - The login flow lifespan must be at least as long as the code lifespan for passwordless login to work as expected. - Adjust your login flow lifespan configuration to match or exceed the code lifespan. This behavior is consistent with how Ory Kratos manages flows and their expiration: once a flow expires, it cannot be used for further submissions, regardless of the code's validity period [The login flow expired 1.00 minutes ago, please try again. (4010001)](https://www.ory.sh/docs/kratos/concepts/ui-messages#the-login-flow-expired-100-minutes-ago-please-try-again-4010001). If you need to change the login flow lifespan, you can do so in your configuration under the relevant flow settings. For example:

yaml selfservice:   flows:     login:       lifespan: 1h

After updating the configuration, users will have up to 1 hour to complete the login flow and submit their code.