The recommended approach is to create the identity without any credentials and let the user set a password later via the self-service flows. - Use the Admin API to create the identity with the desired schema and traits, but do not include a password credential in the request. For example: [[Create identities](https://www.ory.sh/docs/kratos/manage-identities/create-users-identities)]

bash curl --request POST \   --header "Authorization: Bearer <ory_personal_access_token>" \   --header "Content-Type: application/json" \   --data '{     "schema_id": "<preset://email>",     "traits": {       "email": "<mailto:user@example.org|user@example.org>"     }   }' https://<your-project-host>/admin/identities

This creates the user account without a password. They can then set their password later using Ory’s self-service flows (e.g., by directing them to your login/registration UI, or initiating a recovery or settings flow depending on your UX). [[Create identities](https://www.ory.sh/docs/kratos/manage-identities/create-users-identities)] If you are migrating users and need them to set a new password on first login (without knowing the old hash), you can alternatively import the identity with an empty password hash and enable the password migration hook, which validates the first login and stores the new hash automatically. [[Password migration hook](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#password-migration-using-a-web-hook)]

@chilly-king-10285 What self-service flow should I use for setting a password?

Use the Settings flow with the password method to let the user set or change their password. In Kratos, password changes are handled as part of the user settings flow (method: password), not registration or recovery. You initialize a Settings flow (browser or API), render the form nodes for group "password", and submit with method=password and the new password. [[Settings and profile updates](https://www.ory.sh/docs/kratos/self-service/flows/user-settings); [Settings flow payloads](https://www.ory.sh/docs/kratos/self-service/flows/user-settings#settings-flow-payloads)] Notes and caveats: - The session must be valid, and if updating privileged fields (like password), the session may need to be “fresh” according to privileged_session_max_age, otherwise re-authentication is required. [[Settings and profile updates](https://www.ory.sh/docs/kratos/self-service/flows/user-settings)] - Validation errors (missing password, password policy violations, reuse of old password) are returned in the flow’s UI nodes. [[Update password](https://www.ory.sh/docs/kratos/self-service/flows/user-settings#update-password-1); [Settings flow payloads](https://www.ory.sh/docs/kratos/self-service/flows/user-settings#settings-flow-payloads)] If you want the user to set a password after being invited/created without one, direct them to the Settings flow (password method) once they are authenticated (e.g., via a magic link or code-based recovery/login appropriate to your UX). [[Settings and profile updates](https://www.ory.sh/docs/kratos/self-service/flows/user-settings)]