diff --git a/Makefile b/Makefile
index eec7fcabf0ff..49d4cae2379f 100644
--- a/Makefile
+++ b/Makefile
@@ -111,11 +111,26 @@ sdk: .bin/swagger .bin/ory node_modules
-g go \
-o "internal/httpclient" \
--git-user-id ory \
- --git-repo-id kratos-client-go \
+ --git-repo-id client-go \
--git-host github.com \
-t .schema/openapi/templates/go \
-c .schema/openapi/gen.go.yml
+ (cd internal/httpclient; rm -rf go.mod go.sum test api docs)
+
+ rm -rf internal/httpclient-central
+ mkdir -p internal/httpclient-central/
+ npm run openapi-generator-cli -- generate -i "spec/api.json" \
+ -g go \
+ -o "internal/client-go" \
+ --git-user-id ory \
+ --git-repo-id client-go \
+ --git-host github.com \
+ -t .schema/openapi/templates/go \
+ -c .schema/openapi/gen.go.yml
+
+ (cd internal/client-go; go mod edit -module github.com/ory/client-go go.mod; rm -rf test api docs)
+
make format
.PHONY: quickstart
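Review bot: The second generation step removes and recreates `internal/httpclient-central`, but the generator writes to `-o "internal/client-go"`, so stale files in the real output directory are never cleaned and an empty `internal/httpclient-central` is left behind. A third name appears elsewhere in this commit: the `format` target adds `--exclude=internal/httpclient-ory`, and go.mod replaces `github.com/ory/client-go` with `./internal/httpclient-ory`, a directory nothing in the visible diff creates. Use one path in all of these places, e.g. `rm -rf internal/client-go`, `mkdir -p internal/client-go/`, `--exclude=internal/client-go` and `github.com/ory/client-go => ./internal/client-go`. As written, the replace may point at a missing or unreviewed tree, and the license-header tool is not told to skip the newly generated files.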
@@ -135,7 +150,7 @@ authors: # updates the AUTHORS file
# Formats the code
.PHONY: format
format: .bin/goimports .bin/ory node_modules
- .bin/ory dev headers license --exclude=internal/httpclient
+ .bin/ory dev headers license --exclude=internal/httpclient --exclude=internal/httpclient-ory
goimports -w -local github.com/ory .
npm exec -- prettier --write 'test/e2e/**/*{.ts,.js}'
npm exec -- prettier --write '.github'
diff --git a/cmd/cliclient/client.go b/cmd/cliclient/client.go
index ca0bec6b773d..9c8ea40db76b 100644
--- a/cmd/cliclient/client.go
+++ b/cmd/cliclient/client.go
@@ -5,6 +5,7 @@ package cliclient
import (
"fmt"
+ "net/http"
"net/url"
"os"
"time"
@@ -17,7 +18,7 @@ import (
"github.com/spf13/pflag"
- kratos "github.com/ory/kratos-client-go"
+ kratos "github.com/ory/kratos/internal/httpclient"
)
const (
@@ -31,9 +32,22 @@ const (
ClientContextKey ContextKey = iota + 1
)
+type ClientContext struct {
+ Endpoint string
+ HTTPClient *http.Client
+}
+
func NewClient(cmd *cobra.Command) (*kratos.APIClient, error) {
- if f, ok := cmd.Context().Value(ClientContextKey).(func(cmd *cobra.Command) (*kratos.APIClient, error)); ok {
- return f(cmd)
+ if f, ok := cmd.Context().Value(ClientContextKey).(func(cmd *cobra.Command) (*ClientContext, error)); ok {
+ cc, err := f(cmd)
+ if err != nil {
+ return nil, err
+ }
+
+ conf := kratos.NewConfiguration()
+ conf.HTTPClient = cc.HTTPClient
+ conf.Servers = kratos.ServerConfigurations{{URL: cc.Endpoint}}
+ return kratos.NewAPIClient(conf), nil
} else if f != nil {
return nil, errors.Errorf("ClientContextKey was expected to be *client.OryKratos but it contained an invalid type %T ", f)
}
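Review bot: A context value of the wrong type is silently ignored here, because when the type assertion fails `f` is the zero value of the asserted func type, so `else if f != nil` can never be true. The guard predates this commit, but it matters more now that the expected type has changed. A caller that still stores the old `func(cmd *cobra.Command) (*kratos.APIClient, error)` under `ClientContextKey` will fall through to whatever endpoint lookup follows the hunk, rather than the client it supplied. The new branch also dereferences `cc` without a nil check and accepts an empty `cc.Endpoint`, and the error text still names `*client.OryKratos`. A type switch on the raw value fixes all of these, and `ClientContext` would benefit from a doc comment stating what happens when `HTTPClient` is nil. The function body continues outside the hunk.

```go
func NewClient(cmd *cobra.Command) (*kratos.APIClient, error) {
	switch f := cmd.Context().Value(ClientContextKey).(type) {
	case nil:
		// no override installed; continue with the lookup below
	case func(cmd *cobra.Command) (*ClientContext, error):
		cc, err := f(cmd)
		if err != nil {
			return nil, err
		}
		if cc == nil || cc.Endpoint == "" {
			return nil, errors.New("ClientContextKey returned no endpoint")
		}
		// … unchanged: build the kratos.Configuration from cc and return the client …
	default:
		return nil, errors.Errorf("ClientContextKey contained an invalid type %T", f)
	}
	// … unchanged: remainder of NewClient …
```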
diff --git a/cmd/identities/definitions.go b/cmd/identities/definitions.go
index 5897cdd5bc8a..12b98b9540fc 100644
--- a/cmd/identities/definitions.go
+++ b/cmd/identities/definitions.go
@@ -6,7 +6,7 @@ package identities
import (
"strings"
- kratos "github.com/ory/kratos-client-go"
+ kratos "github.com/ory/kratos/internal/httpclient"
"github.com/ory/x/cmdx"
)
diff --git a/cmd/identities/get.go b/cmd/identities/get.go
index 1e0ad9a939f9..474067e13eac 100644
--- a/cmd/identities/get.go
+++ b/cmd/identities/get.go
@@ -6,7 +6,7 @@ package identities
import (
"fmt"
- kratos "github.com/ory/kratos-client-go"
+ kratos "github.com/ory/kratos/internal/httpclient"
"github.com/ory/kratos/x"
"github.com/ory/x/cmdx"
"github.com/ory/x/stringsx"
diff --git a/cmd/identities/import.go b/cmd/identities/import.go
index e8c8b262c595..53a8bb87dea4 100644
--- a/cmd/identities/import.go
+++ b/cmd/identities/import.go
@@ -7,7 +7,7 @@ import (
"encoding/json"
"fmt"
- kratos "github.com/ory/kratos-client-go"
+ kratos "github.com/ory/kratos/internal/httpclient"
"github.com/ory/x/cmdx"
diff --git a/cmd/identities/import_test.go b/cmd/identities/import_test.go
index 34021f7f661c..f8d91186482a 100644
--- a/cmd/identities/import_test.go
+++ b/cmd/identities/import_test.go
@@ -17,8 +17,8 @@ import (
"github.com/stretchr/testify/require"
"github.com/tidwall/gjson"
- kratos "github.com/ory/kratos-client-go"
"github.com/ory/kratos/driver/config"
+ kratos "github.com/ory/kratos/internal/httpclient"
)
func TestImportCmd(t *testing.T) {
diff --git a/examples/go/identity/create/main.go b/examples/go/identity/create/main.go
index 911da8d67dd0..4a46856b3cab 100644
--- a/examples/go/identity/create/main.go
+++ b/examples/go/identity/create/main.go
@@ -6,7 +6,7 @@ package main
import (
"context"
- ory "github.com/ory/kratos-client-go"
+ ory "github.com/ory/client-go"
"github.com/ory/kratos/examples/go/pkg"
"github.com/ory/kratos/x"
)
diff --git a/examples/go/identity/get/main.go b/examples/go/identity/get/main.go
index d4e8fefc89c4..b36cf8a30176 100644
--- a/examples/go/identity/get/main.go
+++ b/examples/go/identity/get/main.go
@@ -6,7 +6,7 @@ package main
import (
"context"
- ory "github.com/ory/kratos-client-go"
+ ory "github.com/ory/client-go"
"github.com/ory/kratos/examples/go/pkg"
)
diff --git a/examples/go/identity/update/main.go b/examples/go/identity/update/main.go
index ea840c899a10..c976e87ff799 100644
--- a/examples/go/identity/update/main.go
+++ b/examples/go/identity/update/main.go
@@ -6,7 +6,7 @@ package main
import (
"context"
- ory "github.com/ory/kratos-client-go"
+ ory "github.com/ory/client-go"
"github.com/ory/kratos/examples/go/pkg"
"github.com/ory/kratos/x"
)
diff --git a/examples/go/pkg/common.go b/examples/go/pkg/common.go
index 37fe3d0a2ab3..d2edd7f14521 100644
--- a/examples/go/pkg/common.go
+++ b/examples/go/pkg/common.go
@@ -15,7 +15,7 @@ import (
"github.com/ory/kratos/internal/testhelpers"
- ory "github.com/ory/kratos-client-go"
+ ory "github.com/ory/client-go"
)
func PrintJSONPretty(v interface{}) {
diff --git a/examples/go/pkg/resources.go b/examples/go/pkg/resources.go
index 8ded1e1c6658..556b18c82ad7 100644
--- a/examples/go/pkg/resources.go
+++ b/examples/go/pkg/resources.go
@@ -10,7 +10,7 @@ import (
"github.com/google/uuid"
- ory "github.com/ory/kratos-client-go"
+ ory "github.com/ory/client-go"
)
func RandomCredentials() (email, password string) {
diff --git a/examples/go/selfservice/error/main.go b/examples/go/selfservice/error/main.go
index f06840017efe..1c2516f1cb25 100644
--- a/examples/go/selfservice/error/main.go
+++ b/examples/go/selfservice/error/main.go
@@ -6,7 +6,7 @@ package main
import (
"github.com/ory/kratos/examples/go/pkg"
- ory "github.com/ory/kratos-client-go"
+ ory "github.com/ory/client-go"
)
// If you use Open Source this would be:
diff --git a/examples/go/selfservice/login/main.go b/examples/go/selfservice/login/main.go
index e7bd868600c7..72c8dc657271 100644
--- a/examples/go/selfservice/login/main.go
+++ b/examples/go/selfservice/login/main.go
@@ -8,7 +8,7 @@ import (
"github.com/ory/kratos/examples/go/pkg"
- ory "github.com/ory/kratos-client-go"
+ ory "github.com/ory/client-go"
)
// If you use Open Source this would be:
diff --git a/examples/go/selfservice/logout/main.go b/examples/go/selfservice/logout/main.go
index aad0ca255dbf..9842abcdc51c 100644
--- a/examples/go/selfservice/logout/main.go
+++ b/examples/go/selfservice/logout/main.go
@@ -8,7 +8,7 @@ import (
"github.com/ory/kratos/examples/go/pkg"
- ory "github.com/ory/kratos-client-go"
+ ory "github.com/ory/client-go"
)
// If you use Open Source this would be:
diff --git a/examples/go/selfservice/recovery/main.go b/examples/go/selfservice/recovery/main.go
index 1986bba60771..c39c7845e886 100644
--- a/examples/go/selfservice/recovery/main.go
+++ b/examples/go/selfservice/recovery/main.go
@@ -8,7 +8,7 @@ import (
"github.com/ory/kratos/examples/go/pkg"
- ory "github.com/ory/kratos-client-go"
+ ory "github.com/ory/client-go"
)
// If you use Open Source this would be:
diff --git a/examples/go/selfservice/recovery/main_test.go b/examples/go/selfservice/recovery/main_test.go
index 0324a4e432a1..0878735f4f66 100644
--- a/examples/go/selfservice/recovery/main_test.go
+++ b/examples/go/selfservice/recovery/main_test.go
@@ -6,17 +6,13 @@ package main
import (
"testing"
- ory "github.com/ory/kratos-client-go"
-
- "github.com/stretchr/testify/assert"
-
"github.com/google/uuid"
-
- "github.com/ory/kratos/internal/testhelpers"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
"github.com/ory/kratos/examples/go/pkg"
-
- "github.com/stretchr/testify/require"
+ ory "github.com/ory/kratos/internal/httpclient"
+ "github.com/ory/kratos/internal/testhelpers"
)
func TestFunc(t *testing.T) {
@@ -25,5 +21,5 @@ func TestFunc(t *testing.T) {
flow := performRecovery("dev+" + uuid.New().String() + "@ory.sh")
require.NotEmpty(t, flow.Id)
- assert.Equal(t, ory.SELFSERVICERECOVERYFLOWSTATE_SENT_EMAIL, flow.State)
+ assert.EqualValues(t, ory.SELFSERVICERECOVERYFLOWSTATE_SENT_EMAIL, flow.State)
}
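Review bot: `assert.EqualValues` compares after type conversion, which weakens this check. It is presumably only needed because the test now takes `ory.SELFSERVICERECOVERYFLOWSTATE_SENT_EMAIL` from `github.com/ory/kratos/internal/httpclient`, while `main.go` in the same package imports `github.com/ory/client-go`, giving `flow.State` a different named type. Importing the constant from the same module as the code under test, `ory "github.com/ory/client-go"`, would let the strict `assert.Equal` stay and would catch drift between the two generated SDKs. The same applies to the `assert.EqualValues` changes in the settings and verification tests later in this commit.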
diff --git a/examples/go/selfservice/registration/main.go b/examples/go/selfservice/registration/main.go
index 74b44c479d28..8270237c0677 100644
--- a/examples/go/selfservice/registration/main.go
+++ b/examples/go/selfservice/registration/main.go
@@ -8,7 +8,7 @@ import (
"github.com/ory/kratos/examples/go/pkg"
- ory "github.com/ory/kratos-client-go"
+ ory "github.com/ory/client-go"
)
// If you use Open Source this would be:
diff --git a/examples/go/selfservice/settings/main.go b/examples/go/selfservice/settings/main.go
index af979aa3337f..d4f4eef74f59 100644
--- a/examples/go/selfservice/settings/main.go
+++ b/examples/go/selfservice/settings/main.go
@@ -8,7 +8,7 @@ import (
"github.com/ory/kratos/examples/go/pkg"
- ory "github.com/ory/kratos-client-go"
+ ory "github.com/ory/client-go"
)
// If you use Open Source this would be:
diff --git a/examples/go/selfservice/settings/main_test.go b/examples/go/selfservice/settings/main_test.go
index 7e49b1bb9c7b..ef4865972a3c 100644
--- a/examples/go/selfservice/settings/main_test.go
+++ b/examples/go/selfservice/settings/main_test.go
@@ -6,7 +6,7 @@ package main
import (
"testing"
- ory "github.com/ory/kratos-client-go"
+ ory "github.com/ory/kratos/internal/httpclient"
"github.com/stretchr/testify/assert"
@@ -24,11 +24,11 @@ func TestSettings(t *testing.T) {
email, password := pkg.RandomCredentials()
result := changePassword(email, password)
require.NotEmpty(t, result.Id)
- assert.Equal(t, ory.SELFSERVICESETTINGSFLOWSTATE_SUCCESS, result.State)
+ assert.EqualValues(t, ory.SELFSERVICESETTINGSFLOWSTATE_SUCCESS, result.State)
email, password = pkg.RandomCredentials()
result = changeTraits(email, password)
require.NotEmpty(t, result.Id)
- assert.Equal(t, ory.SELFSERVICESETTINGSFLOWSTATE_SUCCESS, result.State)
+ assert.EqualValues(t, ory.SELFSERVICESETTINGSFLOWSTATE_SUCCESS, result.State)
assert.Equal(t, "not-"+email, result.Identity.Traits.(map[string]interface{})["email"].(string))
}
diff --git a/examples/go/selfservice/verification/main.go b/examples/go/selfservice/verification/main.go
index c6eba8114159..39229494eb4b 100644
--- a/examples/go/selfservice/verification/main.go
+++ b/examples/go/selfservice/verification/main.go
@@ -8,7 +8,7 @@ import (
"github.com/ory/kratos/examples/go/pkg"
- ory "github.com/ory/kratos-client-go"
+ ory "github.com/ory/client-go"
)
// If you use Open Source this would be:
diff --git a/examples/go/selfservice/verification/main_test.go b/examples/go/selfservice/verification/main_test.go
index 88be9b79e2af..8439c1468e71 100644
--- a/examples/go/selfservice/verification/main_test.go
+++ b/examples/go/selfservice/verification/main_test.go
@@ -6,17 +6,13 @@ package main
import (
"testing"
- ory "github.com/ory/kratos-client-go"
-
- "github.com/stretchr/testify/assert"
-
"github.com/google/uuid"
-
- "github.com/ory/kratos/internal/testhelpers"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
"github.com/ory/kratos/examples/go/pkg"
-
- "github.com/stretchr/testify/require"
+ ory "github.com/ory/kratos/internal/httpclient"
+ "github.com/ory/kratos/internal/testhelpers"
)
func TestFunc(t *testing.T) {
@@ -25,5 +21,5 @@ func TestFunc(t *testing.T) {
flow := performVerification("dev+" + uuid.New().String() + "@ory.sh")
require.NotEmpty(t, flow.Id)
- assert.Equal(t, ory.SELFSERVICEVERIFICATIONFLOWSTATE_SENT_EMAIL, flow.State)
+ assert.EqualValues(t, ory.SELFSERVICEVERIFICATIONFLOWSTATE_SENT_EMAIL, flow.State)
}
diff --git a/examples/go/session/tosession/main.go b/examples/go/session/tosession/main.go
index 61e3a81d1d8d..ab3682567914 100644
--- a/examples/go/session/tosession/main.go
+++ b/examples/go/session/tosession/main.go
@@ -6,7 +6,7 @@ package main
import (
"github.com/ory/kratos/examples/go/pkg"
- ory "github.com/ory/kratos-client-go"
+ ory "github.com/ory/client-go"
)
// If you use Open Source this would be:
diff --git a/go.mod b/go.mod
index ed09ccc2166c..70efcf1b3a53 100644
--- a/go.mod
+++ b/go.mod
@@ -6,14 +6,14 @@ replace (
github.com/bradleyjkemp/cupaloy/v2 => github.com/aeneasr/cupaloy/v2 v2.6.1-0.20210924214125-3dfdd01210a3
github.com/gorilla/sessions => github.com/ory/sessions v1.2.2-0.20220110165800-b09c17334dc2
github.com/knadh/koanf => github.com/aeneasr/koanf v0.14.1-0.20211230115640-aa3902b3267a
- // github.com/luna-duclos/instrumentedsql => github.com/ory/instrumentedsql v1.2.0
- // github.com/luna-duclos/instrumentedsql/opentracing => github.com/ory/instrumentedsql/opentracing v0.0.0-20210903114257-c8963b546c5c
+
github.com/mattn/go-sqlite3 => github.com/mattn/go-sqlite3 v1.14.7-0.20210414154423-1157a4212dcb
github.com/oleiade/reflections => github.com/oleiade/reflections v1.0.1
+
+ github.com/ory/client-go => ./internal/httpclient-ory
+
// Use the internal httpclient which can be generated in this codebase but mark it as the
// official SDK, allowing for the Ory CLI to consume Ory Kratos' CLI commands.
- github.com/ory/kratos-client-go => ./internal/httpclient
-
go.mongodb.org/mongo-driver => go.mongodb.org/mongo-driver v1.4.6
golang.org/x/sys => golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8
gopkg.in/DataDog/dd-trace-go.v1 => gopkg.in/DataDog/dd-trace-go.v1 v1.27.1-0.20201005154917-54b73b3e126a
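Review bot: The comment `// Use the internal httpclient which can be generated in this codebase but mark it as the official SDK, ...` is orphaned: the `kratos-client-go` replace it described is removed, so it now reads as documenting the `go.mongodb.org/mongo-driver` line. Move it directly above `github.com/ory/client-go => ./internal/httpclient-ory`, reworded for the new module, or delete it. The local replace means the `github.com/ory/client-go` version required further down is not what gets compiled, so this comment is the only place a reader learns that.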
@@ -67,14 +67,14 @@ require (
github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe
github.com/ory/analytics-go/v4 v4.0.3
+ github.com/ory/client-go v0.2.0-alpha.60
github.com/ory/dockertest/v3 v3.9.1
github.com/ory/go-acc v0.2.8
github.com/ory/go-convenience v0.1.0
github.com/ory/graceful v0.1.3
github.com/ory/herodot v0.9.13
- github.com/ory/hydra-client-go v1.11.8
+ github.com/ory/hydra-client-go v1.11.9-0.20221102130300-f558e85344c8
github.com/ory/jsonschema/v3 v3.0.7
- github.com/ory/kratos-client-go v0.6.3-alpha.1
github.com/ory/mail/v3 v3.0.0
github.com/ory/nosurf v1.2.7
github.com/ory/x v0.0.513
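Review bot: `github.com/ory/x v0.0.513` is still required here, but the go.sum change in this commit removes both `v0.0.513` hashes and adds entries for `v0.0.511-0.20221108105728-3fed9bc99daf` instead. Unless a replace outside this hunk redirects ory/x, the checksum file no longer covers the version the manifest names, and a build that does not rewrite go.sum is likely to stop on a missing entry. Run `go mod tidy` and commit go.mod and go.sum together. Separately, `github.com/ory/hydra-client-go` moves from the tagged `v1.11.8` to a pseudo-version of an untagged commit; a short comment giving the reason and the intent to return to a tagged release would help whoever audits this dependency next.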
diff --git a/go.sum b/go.sum
index e44f8edc9a22..b526ba6abcee 100644
--- a/go.sum
+++ b/go.sum
@@ -1126,8 +1126,8 @@ github.com/ory/graceful v0.1.3 h1:FaeXcHZh168WzS+bqruqWEw/HgXWLdNv2nJ+fbhxbhc=
github.com/ory/graceful v0.1.3/go.mod h1:4zFz687IAF7oNHHiB586U4iL+/4aV09o/PYLE34t2bA=
github.com/ory/herodot v0.9.13 h1:cN/Z4eOkErl/9W7hDIDLb79IO/bfsH+8yscBjRpB4IU=
github.com/ory/herodot v0.9.13/go.mod h1:IWDs9kSvFQqw/cQ8zi5ksyYvITiUU4dI7glUrhZcJYo=
-github.com/ory/hydra-client-go v1.11.8 h1:GwJjvH/DBcfYzoST4vUpi4pIRzDGH5oODKpIVuhwVyc=
-github.com/ory/hydra-client-go v1.11.8/go.mod h1:4YuBuwUEC4yiyDrnKjGYc1tB3gUXan4ZiUYMjXJbfxA=
+github.com/ory/hydra-client-go v1.11.9-0.20221102130300-f558e85344c8 h1:lxE11nBH6k0DvE1GMhWnZewGLAqVMSDj7cUhdHr9BHI=
+github.com/ory/hydra-client-go v1.11.9-0.20221102130300-f558e85344c8/go.mod h1:4YuBuwUEC4yiyDrnKjGYc1tB3gUXan4ZiUYMjXJbfxA=
github.com/ory/jsonschema/v3 v3.0.7 h1:GQ9qfZDiJqs4l2d3p56dozCChvejQFZyLKGHYzDzOSo=
github.com/ory/jsonschema/v3 v3.0.7/go.mod h1:g8c8YOtN4TrR2wYeMdT02GDmzJDI0fEW2nI26BECafY=
github.com/ory/mail v2.3.1+incompatible/go.mod h1:87D9/1gB6ewElQoN0lXJ0ayfqcj3cW3qCTXh+5E9mfU=
@@ -1139,8 +1139,8 @@ github.com/ory/sessions v1.2.2-0.20220110165800-b09c17334dc2 h1:zm6sDvHy/U9XrGpi
github.com/ory/sessions v1.2.2-0.20220110165800-b09c17334dc2/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
github.com/ory/viper v1.7.5 h1:+xVdq7SU3e1vNaCsk/ixsfxE4zylk1TJUiJrY647jUE=
github.com/ory/viper v1.7.5/go.mod h1:ypOuyJmEUb3oENywQZRgeAMwqgOyDqwboO1tj3DjTaM=
-github.com/ory/x v0.0.513 h1:45AruNHDwqhTvNtMnQy2/wYooMv+raVhuOP454mV/Os=
-github.com/ory/x v0.0.513/go.mod h1:xUtRpoiRARyJNPVk/fcCNKzyp25Foxt9GPlj8pd7egY=
+github.com/ory/x v0.0.511-0.20221108105728-3fed9bc99daf h1:sPEIGYHzmEu4tPiRUYgKfXPOAqneNuB1aaKvrT6aBXE=
+github.com/ory/x v0.0.511-0.20221108105728-3fed9bc99daf/go.mod h1:xUtRpoiRARyJNPVk/fcCNKzyp25Foxt9GPlj8pd7egY=
github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw=
github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE=
github.com/otiai10/curr v1.0.0/go.mod h1:LskTG5wDwr8Rs+nNQ+1LlxRjAtTZZjtJW4rMXl6j4vs=
diff --git a/hydra/fake.go b/hydra/fake.go
index 293261556d50..35d15d38643c 100644
--- a/hydra/fake.go
+++ b/hydra/fake.go
@@ -36,12 +36,12 @@ func (h *FakeHydra) AcceptLoginRequest(ctx context.Context, hlc uuid.UUID, sub s
}
}
-func (h *FakeHydra) GetLoginRequest(ctx context.Context, hlc uuid.NullUUID) (*hydraclientgo.LoginRequest, error) {
+func (h *FakeHydra) GetLoginRequest(ctx context.Context, hlc uuid.NullUUID) (*hydraclientgo.OAuth2LoginRequest, error) {
switch hlc.UUID.String() {
case FAKE_ACCEPT_REQUEST_FAIL:
- return &hydraclientgo.LoginRequest{}, nil
+ return &hydraclientgo.OAuth2LoginRequest{}, nil
case FAKE_SUCCESS:
- return &hydraclientgo.LoginRequest{}, nil
+ return &hydraclientgo.OAuth2LoginRequest{}, nil
default:
panic("unknown fake login_challenge " + hlc.UUID.String())
}
diff --git a/hydra/hydra.go b/hydra/hydra.go
index fcda69d25aa3..bc8455ac8026 100644
--- a/hydra/hydra.go
+++ b/hydra/hydra.go
@@ -31,7 +31,7 @@ type (
}
Hydra interface {
AcceptLoginRequest(ctx context.Context, hlc uuid.UUID, sub string, amr session.AuthenticationMethods) (string, error)
- GetLoginRequest(ctx context.Context, hlc uuid.NullUUID) (*hydraclientgo.LoginRequest, error)
+ GetLoginRequest(ctx context.Context, hlc uuid.NullUUID) (*hydraclientgo.OAuth2LoginRequest, error)
}
DefaultHydra struct {
d hydraDependencies
@@ -67,7 +67,7 @@ func (h *DefaultHydra) getAdminURL(ctx context.Context) (string, error) {
return u.String(), nil
}
-func (h *DefaultHydra) getAdminAPIClient(ctx context.Context) (hydraclientgo.AdminApi, error) {
+func (h *DefaultHydra) getAdminAPIClient(ctx context.Context) (hydraclientgo.OAuth2Api, error) {
url, err := h.getAdminURL(ctx)
if err != nil {
return nil, err
@@ -82,14 +82,14 @@ func (h *DefaultHydra) getAdminAPIClient(ctx context.Context) (hydraclientgo.Adm
}
configuration.HTTPClient = client
- return hydraclientgo.NewAPIClient(configuration).AdminApi, nil
+ return hydraclientgo.NewAPIClient(configuration).OAuth2Api, nil
}
func (h *DefaultHydra) AcceptLoginRequest(ctx context.Context, hlc uuid.UUID, sub string, amr session.AuthenticationMethods) (string, error) {
remember := h.d.Config().SessionPersistentCookie(ctx)
rememberFor := int64(h.d.Config().SessionLifespan(ctx) / time.Second)
- alr := hydraclientgo.NewAcceptLoginRequest(sub)
+ alr := hydraclientgo.NewAcceptOAuth2LoginRequest(sub)
alr.Remember = &remember
alr.RememberFor = &rememberFor
alr.Amr = []string{}
@@ -102,7 +102,7 @@ func (h *DefaultHydra) AcceptLoginRequest(ctx context.Context, hlc uuid.UUID, su
return "", err
}
- resp, r, err := aa.AcceptLoginRequest(ctx).LoginChallenge(fmt.Sprintf("%x", hlc)).AcceptLoginRequest(*alr).Execute()
+ resp, r, err := aa.AcceptOAuth2LoginRequest(ctx).LoginChallenge(fmt.Sprintf("%x", hlc)).AcceptOAuth2LoginRequest(*alr).Execute()
if err != nil {
innerErr := herodot.ErrInternalServerError.WithWrap(err).WithReasonf("Unable to accept OAuth 2.0 Login Challenge.")
if r != nil {
@@ -116,7 +116,7 @@ func (h *DefaultHydra) AcceptLoginRequest(ctx context.Context, hlc uuid.UUID, su
return resp.RedirectTo, nil
}
-func (h *DefaultHydra) GetLoginRequest(ctx context.Context, hlc uuid.NullUUID) (*hydraclientgo.LoginRequest, error) {
+func (h *DefaultHydra) GetLoginRequest(ctx context.Context, hlc uuid.NullUUID) (*hydraclientgo.OAuth2LoginRequest, error) {
if !hlc.Valid {
return nil, errors.WithStack(herodot.ErrBadRequest.WithReason("invalid login_challenge"))
}
@@ -126,7 +126,7 @@ func (h *DefaultHydra) GetLoginRequest(ctx context.Context, hlc uuid.NullUUID) (
return nil, err
}
- hlr, r, err := aa.GetLoginRequest(ctx).LoginChallenge(fmt.Sprintf("%x", hlc.UUID)).Execute()
+ hlr, r, err := aa.GetOAuth2LoginRequest(ctx).LoginChallenge(fmt.Sprintf("%x", hlc.UUID)).Execute()
if err != nil {
innerErr := herodot.ErrInternalServerError.WithWrap(err).WithReasonf("Unable to get OAuth 2.0 Login Challenge.")
if r != nil {
diff --git a/internal/client-go/.gitignore b/internal/client-go/.gitignore
new file mode 100644
index 000000000000..daf913b1b347
--- /dev/null
+++ b/internal/client-go/.gitignore
@@ -0,0 +1,24 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test
+*.prof
diff --git a/internal/client-go/.openapi-generator-ignore b/internal/client-go/.openapi-generator-ignore
new file mode 100644
index 000000000000..7484ee590a38
--- /dev/null
+++ b/internal/client-go/.openapi-generator-ignore
@@ -0,0 +1,23 @@
+# OpenAPI Generator Ignore
+# Generated by openapi-generator https://github.com/openapitools/openapi-generator
+
+# Use this file to prevent files from being overwritten by the generator.
+# The patterns follow closely to .gitignore or .dockerignore.
+
+# As an example, the C# client generator defines ApiClient.cs.
+# You can make changes and tell OpenAPI Generator to ignore just this file by uncommenting the following line:
+#ApiClient.cs
+
+# You can match any string of characters against a directory, file or extension with a single asterisk (*):
+#foo/*/qux
+# The above matches foo/bar/qux and foo/baz/qux, but not foo/bar/baz/qux
+
+# You can recursively match patterns against a directory, file or extension with a double asterisk (**):
+#foo/**/qux
+# This matches foo/bar/qux, foo/baz/qux, and foo/bar/baz/qux
+
+# You can also negate patterns with an exclamation (!).
+# For example, you can ignore all files in a docs folder with the file extension .md:
+#docs/*.md
+# Then explicitly reverse the ignore rule for a single file:
+#!docs/README.md
diff --git a/internal/client-go/.openapi-generator/FILES b/internal/client-go/.openapi-generator/FILES
new file mode 100644
index 000000000000..26dab1ea383a
--- /dev/null
+++ b/internal/client-go/.openapi-generator/FILES
@@ -0,0 +1,210 @@
+.gitignore
+.openapi-generator-ignore
+.travis.yml
+README.md
+api/openapi.yaml
+api_metadata.go
+api_v0alpha2.go
+client.go
+configuration.go
+docs/AdminCreateIdentityBody.md
+docs/AdminCreateIdentityImportCredentialsOidc.md
+docs/AdminCreateIdentityImportCredentialsOidcConfig.md
+docs/AdminCreateIdentityImportCredentialsOidcProvider.md
+docs/AdminCreateIdentityImportCredentialsPassword.md
+docs/AdminCreateIdentityImportCredentialsPasswordConfig.md
+docs/AdminCreateSelfServiceRecoveryCodeBody.md
+docs/AdminCreateSelfServiceRecoveryLinkBody.md
+docs/AdminIdentityImportCredentials.md
+docs/AdminUpdateIdentityBody.md
+docs/AuthenticatorAssuranceLevel.md
+docs/CourierMessageStatus.md
+docs/CourierMessageType.md
+docs/ErrorAuthenticatorAssuranceLevelNotSatisfied.md
+docs/GenericError.md
+docs/GetVersion200Response.md
+docs/HealthNotReadyStatus.md
+docs/HealthStatus.md
+docs/Identity.md
+docs/IdentityCredentials.md
+docs/IdentityCredentialsOidc.md
+docs/IdentityCredentialsOidcProvider.md
+docs/IdentityCredentialsPassword.md
+docs/IdentityCredentialsType.md
+docs/IdentitySchemaContainer.md
+docs/IdentityState.md
+docs/IsAlive200Response.md
+docs/IsReady503Response.md
+docs/JsonError.md
+docs/JsonPatch.md
+docs/LoginRequest.md
+docs/Message.md
+docs/MetadataApi.md
+docs/NeedsPrivilegedSessionError.md
+docs/OAuth2Client.md
+docs/OpenIDConnectContext.md
+docs/Pagination.md
+docs/RecoveryIdentityAddress.md
+docs/RevokedSessions.md
+docs/SelfServiceBrowserLocationChangeRequiredError.md
+docs/SelfServiceError.md
+docs/SelfServiceFlowExpiredError.md
+docs/SelfServiceLoginFlow.md
+docs/SelfServiceLogoutUrl.md
+docs/SelfServiceRecoveryCode.md
+docs/SelfServiceRecoveryFlow.md
+docs/SelfServiceRecoveryFlowState.md
+docs/SelfServiceRecoveryLink.md
+docs/SelfServiceRegistrationFlow.md
+docs/SelfServiceSettingsFlow.md
+docs/SelfServiceSettingsFlowState.md
+docs/SelfServiceVerificationFlow.md
+docs/SelfServiceVerificationFlowState.md
+docs/Session.md
+docs/SessionAuthenticationMethod.md
+docs/SessionDevice.md
+docs/SettingsProfileFormConfig.md
+docs/SubmitSelfServiceFlowWithWebAuthnRegistrationMethod.md
+docs/SubmitSelfServiceLoginFlowBody.md
+docs/SubmitSelfServiceLoginFlowWithLookupSecretMethodBody.md
+docs/SubmitSelfServiceLoginFlowWithOidcMethodBody.md
+docs/SubmitSelfServiceLoginFlowWithPasswordMethodBody.md
+docs/SubmitSelfServiceLoginFlowWithTotpMethodBody.md
+docs/SubmitSelfServiceLoginFlowWithWebAuthnMethodBody.md
+docs/SubmitSelfServiceLogoutFlowWithoutBrowserBody.md
+docs/SubmitSelfServiceRecoveryFlowBody.md
+docs/SubmitSelfServiceRecoveryFlowWithCodeMethodBody.md
+docs/SubmitSelfServiceRecoveryFlowWithLinkMethodBody.md
+docs/SubmitSelfServiceRegistrationFlowBody.md
+docs/SubmitSelfServiceRegistrationFlowWithOidcMethodBody.md
+docs/SubmitSelfServiceRegistrationFlowWithPasswordMethodBody.md
+docs/SubmitSelfServiceRegistrationFlowWithWebAuthnMethodBody.md
+docs/SubmitSelfServiceSettingsFlowBody.md
+docs/SubmitSelfServiceSettingsFlowWithLookupMethodBody.md
+docs/SubmitSelfServiceSettingsFlowWithOidcMethodBody.md
+docs/SubmitSelfServiceSettingsFlowWithPasswordMethodBody.md
+docs/SubmitSelfServiceSettingsFlowWithProfileMethodBody.md
+docs/SubmitSelfServiceSettingsFlowWithTotpMethodBody.md
+docs/SubmitSelfServiceSettingsFlowWithWebAuthnMethodBody.md
+docs/SubmitSelfServiceVerificationFlowBody.md
+docs/SubmitSelfServiceVerificationFlowWithLinkMethodBody.md
+docs/SuccessfulSelfServiceLoginWithoutBrowser.md
+docs/SuccessfulSelfServiceRegistrationWithoutBrowser.md
+docs/TokenPagination.md
+docs/TokenPaginationHeaders.md
+docs/UiContainer.md
+docs/UiNode.md
+docs/UiNodeAnchorAttributes.md
+docs/UiNodeAttributes.md
+docs/UiNodeImageAttributes.md
+docs/UiNodeInputAttributes.md
+docs/UiNodeMeta.md
+docs/UiNodeScriptAttributes.md
+docs/UiNodeTextAttributes.md
+docs/UiText.md
+docs/V0alpha2Api.md
+docs/VerifiableIdentityAddress.md
+docs/Version.md
+git_push.sh
+go.mod
+go.sum
+model_admin_create_identity_body.go
+model_admin_create_identity_import_credentials_oidc.go
+model_admin_create_identity_import_credentials_oidc_config.go
+model_admin_create_identity_import_credentials_oidc_provider.go
+model_admin_create_identity_import_credentials_password.go
+model_admin_create_identity_import_credentials_password_config.go
+model_admin_create_self_service_recovery_code_body.go
+model_admin_create_self_service_recovery_link_body.go
+model_admin_identity_import_credentials.go
+model_admin_update_identity_body.go
+model_authenticator_assurance_level.go
+model_courier_message_status.go
+model_courier_message_type.go
+model_error_authenticator_assurance_level_not_satisfied.go
+model_generic_error.go
+model_get_version_200_response.go
+model_health_not_ready_status.go
+model_health_status.go
+model_identity.go
+model_identity_credentials.go
+model_identity_credentials_oidc.go
+model_identity_credentials_oidc_provider.go
+model_identity_credentials_password.go
+model_identity_credentials_type.go
+model_identity_schema_container.go
+model_identity_state.go
+model_is_alive_200_response.go
+model_is_ready_503_response.go
+model_json_error.go
+model_json_patch.go
+model_login_request.go
+model_message.go
+model_needs_privileged_session_error.go
+model_o_auth2_client.go
+model_open_id_connect_context.go
+model_pagination.go
+model_recovery_identity_address.go
+model_revoked_sessions.go
+model_self_service_browser_location_change_required_error.go
+model_self_service_error.go
+model_self_service_flow_expired_error.go
+model_self_service_login_flow.go
+model_self_service_logout_url.go
+model_self_service_recovery_code.go
+model_self_service_recovery_flow.go
+model_self_service_recovery_flow_state.go
+model_self_service_recovery_link.go
+model_self_service_registration_flow.go
+model_self_service_settings_flow.go
+model_self_service_settings_flow_state.go
+model_self_service_verification_flow.go
+model_self_service_verification_flow_state.go
+model_session.go
+model_session_authentication_method.go
+model_session_device.go
+model_settings_profile_form_config.go
+model_submit_self_service_flow_with_web_authn_registration_method.go
+model_submit_self_service_login_flow_body.go
+model_submit_self_service_login_flow_with_lookup_secret_method_body.go
+model_submit_self_service_login_flow_with_oidc_method_body.go
+model_submit_self_service_login_flow_with_password_method_body.go
+model_submit_self_service_login_flow_with_totp_method_body.go
+model_submit_self_service_login_flow_with_web_authn_method_body.go
+model_submit_self_service_logout_flow_without_browser_body.go
+model_submit_self_service_recovery_flow_body.go
+model_submit_self_service_recovery_flow_with_code_method_body.go
+model_submit_self_service_recovery_flow_with_link_method_body.go
+model_submit_self_service_registration_flow_body.go
+model_submit_self_service_registration_flow_with_oidc_method_body.go
+model_submit_self_service_registration_flow_with_password_method_body.go
+model_submit_self_service_registration_flow_with_web_authn_method_body.go
+model_submit_self_service_settings_flow_body.go
+model_submit_self_service_settings_flow_with_lookup_method_body.go
+model_submit_self_service_settings_flow_with_oidc_method_body.go
+model_submit_self_service_settings_flow_with_password_method_body.go
+model_submit_self_service_settings_flow_with_profile_method_body.go
+model_submit_self_service_settings_flow_with_totp_method_body.go
+model_submit_self_service_settings_flow_with_web_authn_method_body.go
+model_submit_self_service_verification_flow_body.go
+model_submit_self_service_verification_flow_with_link_method_body.go
+model_successful_self_service_login_without_browser.go
+model_successful_self_service_registration_without_browser.go
+model_token_pagination.go
+model_token_pagination_headers.go
+model_ui_container.go
+model_ui_node.go
+model_ui_node_anchor_attributes.go
+model_ui_node_attributes.go
+model_ui_node_image_attributes.go
+model_ui_node_input_attributes.go
+model_ui_node_meta.go
+model_ui_node_script_attributes.go
+model_ui_node_text_attributes.go
+model_ui_text.go
+model_verifiable_identity_address.go
+model_version.go
+response.go
+test/api_metadata_test.go
+test/api_v0alpha2_test.go
+utils.go
diff --git a/internal/client-go/.openapi-generator/VERSION b/internal/client-go/.openapi-generator/VERSION
new file mode 100644
index 000000000000..0df17dd0f6a3
--- /dev/null
+++ b/internal/client-go/.openapi-generator/VERSION
@@ -0,0 +1 @@
+6.2.1
\ No newline at end of file
diff --git a/internal/client-go/.travis.yml b/internal/client-go/.travis.yml
new file mode 100644
index 000000000000..f5cb2ce9a5aa
--- /dev/null
+++ b/internal/client-go/.travis.yml
@@ -0,0 +1,8 @@
+language: go
+
+install:
+ - go get -d -v .
+
+script:
+ - go build -v ./
+
diff --git a/internal/client-go/README.md b/internal/client-go/README.md
new file mode 100644
index 000000000000..193b41ff05c6
--- /dev/null
+++ b/internal/client-go/README.md
@@ -0,0 +1,268 @@
+# Go API client for client
+
+Documentation for all public and administrative Ory Kratos APIs. Public and administrative APIs
+are exposed on different ports. Public APIs can face the public internet without any protection
+while administrative APIs should never be exposed without prior authorization. To protect
+the administative API port you should use something like Nginx, Ory Oathkeeper, or any other
+technology capable of authorizing incoming requests.
+
+
+## Overview
+This API client was generated by the [OpenAPI Generator](https://openapi-generator.tech) project. By using the [OpenAPI-spec](https://www.openapis.org/) from a remote server, you can easily generate an API client.
+
+- API version:
+- Package version: 1.0.0
+- Build package: org.openapitools.codegen.languages.GoClientCodegen
+
+## Installation
+
+Install the following dependencies:
+
+```shell
+go get github.com/stretchr/testify/assert
+go get golang.org/x/oauth2
+go get golang.org/x/net/context
+```
+
+Put the package under your project folder and add the following in import:
+
+```golang
+import client "github.com/ory/client-go"
+```
+
+To use a proxy, set the environment variable `HTTP_PROXY`:
+
+```golang
+os.Setenv("HTTP_PROXY", "http://proxy_name:proxy_port")
+```
+
+## Configuration of Server URL
+
+Default configuration comes with `Servers` field that contains server objects as defined in the OpenAPI specification.
+
+### Select Server Configuration
+
+For using other server than the one defined on index 0 set context value `sw.ContextServerIndex` of type `int`.
+
+```golang
+ctx := context.WithValue(context.Background(), client.ContextServerIndex, 1)
+```
+
+### Templated Server URL
+
+Templated server URL is formatted using default variables from configuration or from context value `sw.ContextServerVariables` of type `map[string]string`.
+
+```golang
+ctx := context.WithValue(context.Background(), client.ContextServerVariables, map[string]string{
+ "basePath": "v2",
+})
+```
+
+Note, enum values are always validated and all unused variables are silently ignored.
+
+### URLs Configuration per Operation
+
+Each operation can use different server URL defined using `OperationServers` map in the `Configuration`.
+An operation is uniquely identifield by `"{classname}Service.{nickname}"` string.
+Similar rules for overriding default operation server index and variables applies by using `sw.ContextOperationServerIndices` and `sw.ContextOperationServerVariables` context maps.
+
+```
+ctx := context.WithValue(context.Background(), client.ContextOperationServerIndices, map[string]int{
+ "{classname}Service.{nickname}": 2,
+})
+ctx = context.WithValue(context.Background(), client.ContextOperationServerVariables, map[string]map[string]string{
+ "{classname}Service.{nickname}": {
+ "port": "8443",
+ },
+})
+```
+
+## Documentation for API Endpoints
+
+All URIs are relative to *http://localhost*
+
+Class | Method | HTTP request | Description
+------------ | ------------- | ------------- | -------------
+*MetadataApi* | [**GetVersion**](docs/MetadataApi.md#getversion) | **Get** /version | Return Running Software Version.
+*MetadataApi* | [**IsAlive**](docs/MetadataApi.md#isalive) | **Get** /health/alive | Check HTTP Server Status
+*MetadataApi* | [**IsReady**](docs/MetadataApi.md#isready) | **Get** /health/ready | Check HTTP Server and Database Status
+*V0alpha2Api* | [**AdminCreateIdentity**](docs/V0alpha2Api.md#admincreateidentity) | **Post** /admin/identities | Create an Identity
+*V0alpha2Api* | [**AdminCreateSelfServiceRecoveryCode**](docs/V0alpha2Api.md#admincreateselfservicerecoverycode) | **Post** /admin/recovery/code | Create a Recovery Code
+*V0alpha2Api* | [**AdminCreateSelfServiceRecoveryLink**](docs/V0alpha2Api.md#admincreateselfservicerecoverylink) | **Post** /admin/recovery/link | Create a Recovery Link
+*V0alpha2Api* | [**AdminDeleteIdentity**](docs/V0alpha2Api.md#admindeleteidentity) | **Delete** /admin/identities/{id} | Delete an Identity
+*V0alpha2Api* | [**AdminDeleteIdentitySessions**](docs/V0alpha2Api.md#admindeleteidentitysessions) | **Delete** /admin/identities/{id}/sessions | Delete & Invalidate an Identity's Sessions
+*V0alpha2Api* | [**AdminExtendSession**](docs/V0alpha2Api.md#adminextendsession) | **Patch** /admin/sessions/{id}/extend | Extend a Session
+*V0alpha2Api* | [**AdminGetIdentity**](docs/V0alpha2Api.md#admingetidentity) | **Get** /admin/identities/{id} | Get an Identity
+*V0alpha2Api* | [**AdminGetSession**](docs/V0alpha2Api.md#admingetsession) | **Get** /admin/sessions/{id} | This endpoint returns the session object with expandables specified.
+*V0alpha2Api* | [**AdminListCourierMessages**](docs/V0alpha2Api.md#adminlistcouriermessages) | **Get** /admin/courier/messages | List Messages
+*V0alpha2Api* | [**AdminListIdentities**](docs/V0alpha2Api.md#adminlistidentities) | **Get** /admin/identities | List Identities
+*V0alpha2Api* | [**AdminListIdentitySessions**](docs/V0alpha2Api.md#adminlistidentitysessions) | **Get** /admin/identities/{id}/sessions | List an Identity's Sessions
+*V0alpha2Api* | [**AdminListSessions**](docs/V0alpha2Api.md#adminlistsessions) | **Get** /admin/sessions | This endpoint returns all sessions that exist.
+*V0alpha2Api* | [**AdminPatchIdentity**](docs/V0alpha2Api.md#adminpatchidentity) | **Patch** /admin/identities/{id} | Patch an Identity
+*V0alpha2Api* | [**AdminUpdateIdentity**](docs/V0alpha2Api.md#adminupdateidentity) | **Put** /admin/identities/{id} | Update an Identity
+*V0alpha2Api* | [**CreateSelfServiceLogoutFlowUrlForBrowsers**](docs/V0alpha2Api.md#createselfservicelogoutflowurlforbrowsers) | **Get** /self-service/logout/browser | Create a Logout URL for Browsers
+*V0alpha2Api* | [**GetIdentitySchema**](docs/V0alpha2Api.md#getidentityschema) | **Get** /schemas/{id} |
+*V0alpha2Api* | [**GetSelfServiceError**](docs/V0alpha2Api.md#getselfserviceerror) | **Get** /self-service/errors | Get Self-Service Errors
+*V0alpha2Api* | [**GetSelfServiceLoginFlow**](docs/V0alpha2Api.md#getselfserviceloginflow) | **Get** /self-service/login/flows | Get Login Flow
+*V0alpha2Api* | [**GetSelfServiceRecoveryFlow**](docs/V0alpha2Api.md#getselfservicerecoveryflow) | **Get** /self-service/recovery/flows | Get Recovery Flow
+*V0alpha2Api* | [**GetSelfServiceRegistrationFlow**](docs/V0alpha2Api.md#getselfserviceregistrationflow) | **Get** /self-service/registration/flows | Get Registration Flow
+*V0alpha2Api* | [**GetSelfServiceSettingsFlow**](docs/V0alpha2Api.md#getselfservicesettingsflow) | **Get** /self-service/settings/flows | Get Settings Flow
+*V0alpha2Api* | [**GetSelfServiceVerificationFlow**](docs/V0alpha2Api.md#getselfserviceverificationflow) | **Get** /self-service/verification/flows | Get Verification Flow
+*V0alpha2Api* | [**GetWebAuthnJavaScript**](docs/V0alpha2Api.md#getwebauthnjavascript) | **Get** /.well-known/ory/webauthn.js | Get WebAuthn JavaScript
+*V0alpha2Api* | [**InitializeSelfServiceLoginFlowForBrowsers**](docs/V0alpha2Api.md#initializeselfserviceloginflowforbrowsers) | **Get** /self-service/login/browser | Initialize Login Flow for Browsers
+*V0alpha2Api* | [**InitializeSelfServiceLoginFlowWithoutBrowser**](docs/V0alpha2Api.md#initializeselfserviceloginflowwithoutbrowser) | **Get** /self-service/login/api | Initialize Login Flow for APIs, Services, Apps, ...
+*V0alpha2Api* | [**InitializeSelfServiceRecoveryFlowForBrowsers**](docs/V0alpha2Api.md#initializeselfservicerecoveryflowforbrowsers) | **Get** /self-service/recovery/browser | Initialize Recovery Flow for Browsers
+*V0alpha2Api* | [**InitializeSelfServiceRecoveryFlowWithoutBrowser**](docs/V0alpha2Api.md#initializeselfservicerecoveryflowwithoutbrowser) | **Get** /self-service/recovery/api | Initialize Recovery Flow for APIs, Services, Apps, ...
+*V0alpha2Api* | [**InitializeSelfServiceRegistrationFlowForBrowsers**](docs/V0alpha2Api.md#initializeselfserviceregistrationflowforbrowsers) | **Get** /self-service/registration/browser | Initialize Registration Flow for Browsers
+*V0alpha2Api* | [**InitializeSelfServiceRegistrationFlowWithoutBrowser**](docs/V0alpha2Api.md#initializeselfserviceregistrationflowwithoutbrowser) | **Get** /self-service/registration/api | Initialize Registration Flow for APIs, Services, Apps, ...
+*V0alpha2Api* | [**InitializeSelfServiceSettingsFlowForBrowsers**](docs/V0alpha2Api.md#initializeselfservicesettingsflowforbrowsers) | **Get** /self-service/settings/browser | Initialize Settings Flow for Browsers
+*V0alpha2Api* | [**InitializeSelfServiceSettingsFlowWithoutBrowser**](docs/V0alpha2Api.md#initializeselfservicesettingsflowwithoutbrowser) | **Get** /self-service/settings/api | Initialize Settings Flow for APIs, Services, Apps, ...
+*V0alpha2Api* | [**InitializeSelfServiceVerificationFlowForBrowsers**](docs/V0alpha2Api.md#initializeselfserviceverificationflowforbrowsers) | **Get** /self-service/verification/browser | Initialize Verification Flow for Browser Clients
+*V0alpha2Api* | [**InitializeSelfServiceVerificationFlowWithoutBrowser**](docs/V0alpha2Api.md#initializeselfserviceverificationflowwithoutbrowser) | **Get** /self-service/verification/api | Initialize Verification Flow for APIs, Services, Apps, ...
+*V0alpha2Api* | [**ListIdentitySchemas**](docs/V0alpha2Api.md#listidentityschemas) | **Get** /schemas |
+*V0alpha2Api* | [**ListSessions**](docs/V0alpha2Api.md#listsessions) | **Get** /sessions | Get Active Sessions
+*V0alpha2Api* | [**RevokeSession**](docs/V0alpha2Api.md#revokesession) | **Delete** /sessions/{id} | Invalidate a Session
+*V0alpha2Api* | [**RevokeSessions**](docs/V0alpha2Api.md#revokesessions) | **Delete** /sessions | Invalidate all Other Sessions
+*V0alpha2Api* | [**SubmitSelfServiceLoginFlow**](docs/V0alpha2Api.md#submitselfserviceloginflow) | **Post** /self-service/login | Submit a Login Flow
+*V0alpha2Api* | [**SubmitSelfServiceLogoutFlow**](docs/V0alpha2Api.md#submitselfservicelogoutflow) | **Get** /self-service/logout | Complete Self-Service Logout
+*V0alpha2Api* | [**SubmitSelfServiceLogoutFlowWithoutBrowser**](docs/V0alpha2Api.md#submitselfservicelogoutflowwithoutbrowser) | **Delete** /self-service/logout/api | Perform Logout for APIs, Services, Apps, ...
+*V0alpha2Api* | [**SubmitSelfServiceRecoveryFlow**](docs/V0alpha2Api.md#submitselfservicerecoveryflow) | **Post** /self-service/recovery | Complete Recovery Flow
+*V0alpha2Api* | [**SubmitSelfServiceRegistrationFlow**](docs/V0alpha2Api.md#submitselfserviceregistrationflow) | **Post** /self-service/registration | Submit a Registration Flow
+*V0alpha2Api* | [**SubmitSelfServiceSettingsFlow**](docs/V0alpha2Api.md#submitselfservicesettingsflow) | **Post** /self-service/settings | Complete Settings Flow
+*V0alpha2Api* | [**SubmitSelfServiceVerificationFlow**](docs/V0alpha2Api.md#submitselfserviceverificationflow) | **Post** /self-service/verification | Complete Verification Flow
+*V0alpha2Api* | [**ToSession**](docs/V0alpha2Api.md#tosession) | **Get** /sessions/whoami | Check Who the Current HTTP Session Belongs To
+
+
+## Documentation For Models
+
+ - [AdminCreateIdentityBody](docs/AdminCreateIdentityBody.md)
+ - [AdminCreateIdentityImportCredentialsOidc](docs/AdminCreateIdentityImportCredentialsOidc.md)
+ - [AdminCreateIdentityImportCredentialsOidcConfig](docs/AdminCreateIdentityImportCredentialsOidcConfig.md)
+ - [AdminCreateIdentityImportCredentialsOidcProvider](docs/AdminCreateIdentityImportCredentialsOidcProvider.md)
+ - [AdminCreateIdentityImportCredentialsPassword](docs/AdminCreateIdentityImportCredentialsPassword.md)
+ - [AdminCreateIdentityImportCredentialsPasswordConfig](docs/AdminCreateIdentityImportCredentialsPasswordConfig.md)
+ - [AdminCreateSelfServiceRecoveryCodeBody](docs/AdminCreateSelfServiceRecoveryCodeBody.md)
+ - [AdminCreateSelfServiceRecoveryLinkBody](docs/AdminCreateSelfServiceRecoveryLinkBody.md)
+ - [AdminIdentityImportCredentials](docs/AdminIdentityImportCredentials.md)
+ - [AdminUpdateIdentityBody](docs/AdminUpdateIdentityBody.md)
+ - [AuthenticatorAssuranceLevel](docs/AuthenticatorAssuranceLevel.md)
+ - [CourierMessageStatus](docs/CourierMessageStatus.md)
+ - [CourierMessageType](docs/CourierMessageType.md)
+ - [ErrorAuthenticatorAssuranceLevelNotSatisfied](docs/ErrorAuthenticatorAssuranceLevelNotSatisfied.md)
+ - [GenericError](docs/GenericError.md)
+ - [GetVersion200Response](docs/GetVersion200Response.md)
+ - [HealthNotReadyStatus](docs/HealthNotReadyStatus.md)
+ - [HealthStatus](docs/HealthStatus.md)
+ - [Identity](docs/Identity.md)
+ - [IdentityCredentials](docs/IdentityCredentials.md)
+ - [IdentityCredentialsOidc](docs/IdentityCredentialsOidc.md)
+ - [IdentityCredentialsOidcProvider](docs/IdentityCredentialsOidcProvider.md)
+ - [IdentityCredentialsPassword](docs/IdentityCredentialsPassword.md)
+ - [IdentityCredentialsType](docs/IdentityCredentialsType.md)
+ - [IdentitySchemaContainer](docs/IdentitySchemaContainer.md)
+ - [IdentityState](docs/IdentityState.md)
+ - [IsAlive200Response](docs/IsAlive200Response.md)
+ - [IsReady503Response](docs/IsReady503Response.md)
+ - [JsonError](docs/JsonError.md)
+ - [JsonPatch](docs/JsonPatch.md)
+ - [LoginRequest](docs/LoginRequest.md)
+ - [Message](docs/Message.md)
+ - [NeedsPrivilegedSessionError](docs/NeedsPrivilegedSessionError.md)
+ - [OAuth2Client](docs/OAuth2Client.md)
+ - [OpenIDConnectContext](docs/OpenIDConnectContext.md)
+ - [Pagination](docs/Pagination.md)
+ - [RecoveryIdentityAddress](docs/RecoveryIdentityAddress.md)
+ - [RevokedSessions](docs/RevokedSessions.md)
+ - [SelfServiceBrowserLocationChangeRequiredError](docs/SelfServiceBrowserLocationChangeRequiredError.md)
+ - [SelfServiceError](docs/SelfServiceError.md)
+ - [SelfServiceFlowExpiredError](docs/SelfServiceFlowExpiredError.md)
+ - [SelfServiceLoginFlow](docs/SelfServiceLoginFlow.md)
+ - [SelfServiceLogoutUrl](docs/SelfServiceLogoutUrl.md)
+ - [SelfServiceRecoveryCode](docs/SelfServiceRecoveryCode.md)
+ - [SelfServiceRecoveryFlow](docs/SelfServiceRecoveryFlow.md)
+ - [SelfServiceRecoveryFlowState](docs/SelfServiceRecoveryFlowState.md)
+ - [SelfServiceRecoveryLink](docs/SelfServiceRecoveryLink.md)
+ - [SelfServiceRegistrationFlow](docs/SelfServiceRegistrationFlow.md)
+ - [SelfServiceSettingsFlow](docs/SelfServiceSettingsFlow.md)
+ - [SelfServiceSettingsFlowState](docs/SelfServiceSettingsFlowState.md)
+ - [SelfServiceVerificationFlow](docs/SelfServiceVerificationFlow.md)
+ - [SelfServiceVerificationFlowState](docs/SelfServiceVerificationFlowState.md)
+ - [Session](docs/Session.md)
+ - [SessionAuthenticationMethod](docs/SessionAuthenticationMethod.md)
+ - [SessionDevice](docs/SessionDevice.md)
+ - [SettingsProfileFormConfig](docs/SettingsProfileFormConfig.md)
+ - [SubmitSelfServiceFlowWithWebAuthnRegistrationMethod](docs/SubmitSelfServiceFlowWithWebAuthnRegistrationMethod.md)
+ - [SubmitSelfServiceLoginFlowBody](docs/SubmitSelfServiceLoginFlowBody.md)
+ - [SubmitSelfServiceLoginFlowWithLookupSecretMethodBody](docs/SubmitSelfServiceLoginFlowWithLookupSecretMethodBody.md)
+ - [SubmitSelfServiceLoginFlowWithOidcMethodBody](docs/SubmitSelfServiceLoginFlowWithOidcMethodBody.md)
+ - [SubmitSelfServiceLoginFlowWithPasswordMethodBody](docs/SubmitSelfServiceLoginFlowWithPasswordMethodBody.md)
+ - [SubmitSelfServiceLoginFlowWithTotpMethodBody](docs/SubmitSelfServiceLoginFlowWithTotpMethodBody.md)
+ - [SubmitSelfServiceLoginFlowWithWebAuthnMethodBody](docs/SubmitSelfServiceLoginFlowWithWebAuthnMethodBody.md)
+ - [SubmitSelfServiceLogoutFlowWithoutBrowserBody](docs/SubmitSelfServiceLogoutFlowWithoutBrowserBody.md)
+ - [SubmitSelfServiceRecoveryFlowBody](docs/SubmitSelfServiceRecoveryFlowBody.md)
+ - [SubmitSelfServiceRecoveryFlowWithCodeMethodBody](docs/SubmitSelfServiceRecoveryFlowWithCodeMethodBody.md)
+ - [SubmitSelfServiceRecoveryFlowWithLinkMethodBody](docs/SubmitSelfServiceRecoveryFlowWithLinkMethodBody.md)
+ - [SubmitSelfServiceRegistrationFlowBody](docs/SubmitSelfServiceRegistrationFlowBody.md)
+ - [SubmitSelfServiceRegistrationFlowWithOidcMethodBody](docs/SubmitSelfServiceRegistrationFlowWithOidcMethodBody.md)
+ - [SubmitSelfServiceRegistrationFlowWithPasswordMethodBody](docs/SubmitSelfServiceRegistrationFlowWithPasswordMethodBody.md)
+ - [SubmitSelfServiceRegistrationFlowWithWebAuthnMethodBody](docs/SubmitSelfServiceRegistrationFlowWithWebAuthnMethodBody.md)
+ - [SubmitSelfServiceSettingsFlowBody](docs/SubmitSelfServiceSettingsFlowBody.md)
+ - [SubmitSelfServiceSettingsFlowWithLookupMethodBody](docs/SubmitSelfServiceSettingsFlowWithLookupMethodBody.md)
+ - [SubmitSelfServiceSettingsFlowWithOidcMethodBody](docs/SubmitSelfServiceSettingsFlowWithOidcMethodBody.md)
+ - [SubmitSelfServiceSettingsFlowWithPasswordMethodBody](docs/SubmitSelfServiceSettingsFlowWithPasswordMethodBody.md)
+ - [SubmitSelfServiceSettingsFlowWithProfileMethodBody](docs/SubmitSelfServiceSettingsFlowWithProfileMethodBody.md)
+ - [SubmitSelfServiceSettingsFlowWithTotpMethodBody](docs/SubmitSelfServiceSettingsFlowWithTotpMethodBody.md)
+ - [SubmitSelfServiceSettingsFlowWithWebAuthnMethodBody](docs/SubmitSelfServiceSettingsFlowWithWebAuthnMethodBody.md)
+ - [SubmitSelfServiceVerificationFlowBody](docs/SubmitSelfServiceVerificationFlowBody.md)
+ - [SubmitSelfServiceVerificationFlowWithLinkMethodBody](docs/SubmitSelfServiceVerificationFlowWithLinkMethodBody.md)
+ - [SuccessfulSelfServiceLoginWithoutBrowser](docs/SuccessfulSelfServiceLoginWithoutBrowser.md)
+ - [SuccessfulSelfServiceRegistrationWithoutBrowser](docs/SuccessfulSelfServiceRegistrationWithoutBrowser.md)
+ - [TokenPagination](docs/TokenPagination.md)
+ - [TokenPaginationHeaders](docs/TokenPaginationHeaders.md)
+ - [UiContainer](docs/UiContainer.md)
+ - [UiNode](docs/UiNode.md)
+ - [UiNodeAnchorAttributes](docs/UiNodeAnchorAttributes.md)
+ - [UiNodeAttributes](docs/UiNodeAttributes.md)
+ - [UiNodeImageAttributes](docs/UiNodeImageAttributes.md)
+ - [UiNodeInputAttributes](docs/UiNodeInputAttributes.md)
+ - [UiNodeMeta](docs/UiNodeMeta.md)
+ - [UiNodeScriptAttributes](docs/UiNodeScriptAttributes.md)
+ - [UiNodeTextAttributes](docs/UiNodeTextAttributes.md)
+ - [UiText](docs/UiText.md)
+ - [VerifiableIdentityAddress](docs/VerifiableIdentityAddress.md)
+ - [Version](docs/Version.md)
+
+
+## Documentation For Authorization
+
+
+
+### oryAccessToken
+
+- **Type**: API key
+- **API key parameter name**: Authorization
+- **Location**: HTTP header
+
+Note, each API key must be added to a map of `map[string]APIKey` where the key is: Authorization and passed in as the auth context for each request.
+
+
+## Documentation for Utility Methods
+
+Due to the fact that model structure members are all pointers, this package contains
+a number of utility functions to easily obtain pointers to values of basic types.
+Each of these functions takes a value of the given basic type and returns a pointer to it:
+
+* `PtrBool`
+* `PtrInt`
+* `PtrInt32`
+* `PtrInt64`
+* `PtrFloat`
+* `PtrFloat32`
+* `PtrFloat64`
+* `PtrString`
+* `PtrTime`
+
+## Author
+
+hi@ory.sh
+
diff --git a/internal/client-go/api/openapi.yaml b/internal/client-go/api/openapi.yaml
new file mode 100644
index 000000000000..57b2cffbf9a7
--- /dev/null
+++ b/internal/client-go/api/openapi.yaml
@@ -0,0 +1,7074 @@
+openapi: 3.0.3
+info:
+ contact:
+ email: hi@ory.sh
+ description: |
+ Documentation for all public and administrative Ory Kratos APIs. Public and administrative APIs
+ are exposed on different ports. Public APIs can face the public internet without any protection
+ while administrative APIs should never be exposed without prior authorization. To protect
+ the administative API port you should use something like Nginx, Ory Oathkeeper, or any other
+ technology capable of authorizing incoming requests.
+ license:
+ name: Apache 2.0
+ title: Ory Kratos API
+ version: ""
+servers:
+- url: /
+paths:
+ /.well-known/ory/webauthn.js:
+ get:
+ description: |-
+ This endpoint provides JavaScript which is needed in order to perform WebAuthn login and registration.
+
+ If you are building a JavaScript Browser App (e.g. in ReactJS or AngularJS) you will need to load this file:
+
+ ```html
+
+ ```
+
+ More information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).
+ operationId: getWebAuthnJavaScript
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/webAuthnJavaScript'
+ description: webAuthnJavaScript
+ summary: Get WebAuthn JavaScript
+ tags:
+ - v0alpha2
+ /admin/courier/messages:
+ get:
+ description: Lists all messages by given status and recipient.
+ operationId: adminListCourierMessages
+ parameters:
+ - description: |-
+ Items per Page
+
+ This is the number of items per page.
+ explode: true
+ in: query
+ name: per_page
+ required: false
+ schema:
+ default: 250
+ format: int64
+ maximum: 1000
+ minimum: 1
+ type: integer
+ style: form
+ - description: |-
+ Pagination Page
+
+ This value is currently an integer, but it is not sequential. The value is not the page number, but a
+ reference. The next page can be any number and some numbers might return an empty list.
+
+ For example, page 2 might not follow after page 1. And even if page 3 and 5 exist, but page 4 might not exist.
+ explode: true
+ in: query
+ name: page
+ required: false
+ schema:
+ default: 1
+ format: int64
+ minimum: 1
+ type: integer
+ style: form
+ - description: |-
+ Status filters out messages based on status.
+ If no value is provided, it doesn't take effect on filter.
+ explode: true
+ in: query
+ name: status
+ required: false
+ schema:
+ $ref: '#/components/schemas/courierMessageStatus'
+ style: form
+ - description: |-
+ Recipient filters out messages based on recipient.
+ If no value is provided, it doesn't take effect on filter.
+ explode: true
+ in: query
+ name: recipient
+ required: false
+ schema:
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/courierMessageList'
+ description: courierMessageList
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: List Messages
+ tags:
+ - v0alpha2
+ /admin/identities:
+ get:
+ description: |-
+ Lists all identities. Does not support search at the moment.
+
+ Learn how identities work in [Ory Kratos' User And Identity Model Documentation](https://www.ory.sh/docs/next/kratos/concepts/identity-user-model).
+ operationId: adminListIdentities
+ parameters:
+ - description: |-
+ Items per Page
+
+ This is the number of items per page.
+ explode: true
+ in: query
+ name: per_page
+ required: false
+ schema:
+ default: 250
+ format: int64
+ maximum: 1000
+ minimum: 1
+ type: integer
+ style: form
+ - description: |-
+ Pagination Page
+
+ This value is currently an integer, but it is not sequential. The value is not the page number, but a
+ reference. The next page can be any number and some numbers might return an empty list.
+
+ For example, page 2 might not follow after page 1. And even if page 3 and 5 exist, but page 4 might not exist.
+ explode: true
+ in: query
+ name: page
+ required: false
+ schema:
+ default: 1
+ format: int64
+ minimum: 1
+ type: integer
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/identityList'
+ description: identityList
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ security:
+ - oryAccessToken: []
+ summary: List Identities
+ tags:
+ - v0alpha2
+ post:
+ description: "This endpoint creates an identity. Learn how identities work in\
+ \ [Ory Kratos' User And Identity Model Documentation](https://www.ory.sh/docs/next/kratos/concepts/identity-user-model)."
+ operationId: adminCreateIdentity
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/adminCreateIdentityBody'
+ x-originalParamName: Body
+ responses:
+ "201":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/identity'
+ description: identity
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "409":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ security:
+ - oryAccessToken: []
+ summary: Create an Identity
+ tags:
+ - v0alpha2
+ /admin/identities/{id}:
+ delete:
+ description: |-
+ Calling this endpoint irrecoverably and permanently deletes the identity given its ID. This action can not be undone.
+ This endpoint returns 204 when the identity was deleted or when the identity was not found, in which case it is
+ assumed that is has been deleted already.
+
+ Learn how identities work in [Ory Kratos' User And Identity Model Documentation](https://www.ory.sh/docs/next/kratos/concepts/identity-user-model).
+ operationId: adminDeleteIdentity
+ parameters:
+ - description: ID is the identity's ID.
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "204":
+ description: "Empty responses are sent when, for example, resources are\
+ \ deleted. The HTTP status code for empty responses is typically 201."
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ security:
+ - oryAccessToken: []
+ summary: Delete an Identity
+ tags:
+ - v0alpha2
+ get:
+ description: "Learn how identities work in [Ory Kratos' User And Identity Model\
+ \ Documentation](https://www.ory.sh/docs/next/kratos/concepts/identity-user-model)."
+ operationId: adminGetIdentity
+ parameters:
+ - description: ID must be set to the ID of identity you want to get
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ DeclassifyCredentials will declassify one or more identity's credentials
+
+ Currently, only `oidc` is supported. This will return the initial OAuth 2.0 Access,
+ Refresh and (optionally) OpenID Connect ID Token.
+ explode: true
+ in: query
+ name: include_credential
+ required: false
+ schema:
+ items:
+ type: string
+ type: array
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/identity'
+ description: identity
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ security:
+ - oryAccessToken: []
+ summary: Get an Identity
+ tags:
+ - v0alpha2
+ patch:
+ description: |-
+ Partially updates an Identity's field using [JSON Patch](https://jsonpatch.com/)
+
+ NOTE: The fields `id`, `stateChangedAt` and `credentials` are not updateable.
+
+ Learn how identities work in [Ory Kratos' User And Identity Model Documentation](https://www.ory.sh/docs/next/kratos/concepts/identity-user-model).
+ operationId: adminPatchIdentity
+ parameters:
+ - description: ID must be set to the ID of identity you want to update
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonPatchDocument'
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/identity'
+ description: identity
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "409":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ security:
+ - oryAccessToken: []
+ summary: Patch an Identity
+ tags:
+ - v0alpha2
+ put:
+ description: |-
+ This endpoint updates an identity. The full identity payload (except credentials) is expected. This endpoint does not support patching.
+
+ Learn how identities work in [Ory Kratos' User And Identity Model Documentation](https://www.ory.sh/docs/next/kratos/concepts/identity-user-model).
+ operationId: adminUpdateIdentity
+ parameters:
+ - description: ID must be set to the ID of identity you want to update
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/AdminUpdateIdentityBody'
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/identity'
+ description: identity
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "409":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ security:
+ - oryAccessToken: []
+ summary: Update an Identity
+ tags:
+ - v0alpha2
+ /admin/identities/{id}/sessions:
+ delete:
+ description: |-
+ Calling this endpoint irrecoverably and permanently deletes and invalidates all sessions that belong to the given Identity.
+
+ This endpoint is useful for:
+
+ To forcefully logout Identity from all devices and sessions
+ operationId: adminDeleteIdentitySessions
+ parameters:
+ - description: ID is the identity's ID.
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "204":
+ description: "Empty responses are sent when, for example, resources are\
+ \ deleted. The HTTP status code for empty responses is typically 201."
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ security:
+ - oryAccessToken: []
+ summary: Delete & Invalidate an Identity's Sessions
+ tags:
+ - v0alpha2
+ get:
+ description: |-
+ This endpoint returns all sessions that belong to the given Identity.
+
+ This endpoint is useful for:
+
+ Listing all sessions that belong to an Identity in an administrative context.
+ operationId: adminListIdentitySessions
+ parameters:
+ - description: ID is the identity's ID.
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ Items per Page
+
+ This is the number of items per page.
+ explode: true
+ in: query
+ name: per_page
+ required: false
+ schema:
+ default: 250
+ format: int64
+ maximum: 1000
+ minimum: 1
+ type: integer
+ style: form
+ - description: |-
+ Pagination Page
+
+ This value is currently an integer, but it is not sequential. The value is not the page number, but a
+ reference. The next page can be any number and some numbers might return an empty list.
+
+ For example, page 2 might not follow after page 1. And even if page 3 and 5 exist, but page 4 might not exist.
+ explode: true
+ in: query
+ name: page
+ required: false
+ schema:
+ default: 1
+ format: int64
+ minimum: 1
+ type: integer
+ style: form
+ - description: "Active is a boolean flag that filters out sessions based on\
+ \ the state. If no value is provided, all sessions are returned."
+ explode: true
+ in: query
+ name: active
+ required: false
+ schema:
+ type: boolean
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/sessionList'
+ description: sessionList
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ security:
+ - oryAccessToken: []
+ summary: List an Identity's Sessions
+ tags:
+ - v0alpha2
+ /admin/recovery/code:
+ post:
+ description: |-
+ This endpoint creates a recovery code which should be given to the user in order for them to recover
+ (or activate) their account.
+ operationId: adminCreateSelfServiceRecoveryCode
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/adminCreateSelfServiceRecoveryCodeBody'
+ x-originalParamName: Body
+ responses:
+ "201":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceRecoveryCode'
+ description: selfServiceRecoveryCode
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: Create a Recovery Code
+ tags:
+ - v0alpha2
+ /admin/recovery/link:
+ post:
+ description: |-
+ This endpoint creates a recovery link which should be given to the user in order for them to recover
+ (or activate) their account.
+ operationId: adminCreateSelfServiceRecoveryLink
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/adminCreateSelfServiceRecoveryLinkBody'
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceRecoveryLink'
+ description: selfServiceRecoveryLink
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: Create a Recovery Link
+ tags:
+ - v0alpha2
+ /admin/sessions:
+ get:
+ description: |-
+ This endpoint is useful for:
+
+ Listing all sessions that exist in an administrative context.
+ operationId: adminListSessions
+ parameters:
+ - description: |-
+ Items per Page
+
+ This is the number of items per page to return.
+ For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+ explode: true
+ in: query
+ name: page_size
+ required: false
+ schema:
+ default: 250
+ format: int64
+ maximum: 1000
+ minimum: 1
+ type: integer
+ style: form
+ - description: |-
+ Next Page Token
+
+ The next page token.
+ For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+ explode: true
+ in: query
+ name: page_token
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: "Active is a boolean flag that filters out sessions based on\
+ \ the state. If no value is provided, all sessions are returned."
+ explode: true
+ in: query
+ name: active
+ required: false
+ schema:
+ type: boolean
+ style: form
+ - description: |-
+ ExpandOptions is a query parameter encoded list of all properties that must be expanded in the Session.
+ Example - ?expand=Identity&expand=Devices
+ If no value is provided, the expandable properties are skipped.
+ explode: true
+ in: query
+ name: expand
+ required: false
+ schema:
+ items:
+ enum:
+ - Devices
+ - Identity
+ type: string
+ type: array
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/sessionList'
+ description: sessionList
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ security:
+ - oryAccessToken: []
+ summary: This endpoint returns all sessions that exist.
+ tags:
+ - v0alpha2
+ /admin/sessions/{id}:
+ get:
+ description: |-
+ This endpoint is useful for:
+
+ Getting a session object with all specified expandables that exist in an administrative context.
+ operationId: adminGetSession
+ parameters:
+ - description: |-
+ ExpandOptions is a query parameter encoded list of all properties that must be expanded in the Session.
+ Example - ?expand=Identity&expand=Devices
+ If no value is provided, the expandable properties are skipped.
+ explode: true
+ in: query
+ name: expand
+ required: false
+ schema:
+ items:
+ enum:
+ - Devices
+ - Identity
+ type: string
+ type: array
+ style: form
+ - description: ID is the session's ID.
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/session'
+ description: session
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ security:
+ - oryAccessToken: []
+ summary: This endpoint returns the session object with expandables specified.
+ tags:
+ - v0alpha2
+ /admin/sessions/{id}/extend:
+ patch:
+ description: |-
+ Calling this endpoint extends the given session ID. If `session.earliest_possible_extend` is set it
+ will only extend the session after the specified time has passed.
+
+ Retrieve the session ID from the `/sessions/whoami` endpoint / `toSession` SDK method.
+ operationId: adminExtendSession
+ parameters:
+ - description: ID is the session's ID.
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/session'
+ description: session
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ security:
+ - oryAccessToken: []
+ summary: Extend a Session
+ tags:
+ - v0alpha2
+ /health/alive:
+ get:
+ description: |-
+ This endpoint returns a HTTP 200 status code when Ory Kratos is accepting incoming
+ HTTP requests. This status does currently not include checks whether the database connection is working.
+
+ If the service supports TLS Edge Termination, this endpoint does not require the
+ `X-Forwarded-Proto` header to be set.
+
+ Be aware that if you are running multiple nodes of this service, the health status will never
+ refer to the cluster state, only to a single instance.
+ operationId: isAlive
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/isAlive_200_response'
+ description: Ory Kratos is ready to accept connections.
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/genericError'
+ description: genericError
+ summary: Check HTTP Server Status
+ tags:
+ - metadata
+ /health/ready:
+ get:
+ description: |-
+ This endpoint returns a HTTP 200 status code when Ory Kratos is up running and the environment dependencies (e.g.
+ the database) are responsive as well.
+
+ If the service supports TLS Edge Termination, this endpoint does not require the
+ `X-Forwarded-Proto` header to be set.
+
+ Be aware that if you are running multiple nodes of Ory Kratos, the health status will never
+ refer to the cluster state, only to a single instance.
+ operationId: isReady
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/isAlive_200_response'
+ description: Ory Kratos is ready to accept requests.
+ "503":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/isReady_503_response'
+ description: Ory Kratos is not yet ready to accept requests.
+ summary: Check HTTP Server and Database Status
+ tags:
+ - metadata
+ /schemas:
+ get:
+ description: Get all Identity Schemas
+ operationId: listIdentitySchemas
+ parameters:
+ - description: |-
+ Items per Page
+
+ This is the number of items per page.
+ explode: true
+ in: query
+ name: per_page
+ required: false
+ schema:
+ default: 250
+ format: int64
+ maximum: 1000
+ minimum: 1
+ type: integer
+ style: form
+ - description: |-
+ Pagination Page
+
+ This value is currently an integer, but it is not sequential. The value is not the page number, but a
+ reference. The next page can be any number and some numbers might return an empty list.
+
+ For example, page 2 might not follow after page 1. And even if page 3 and 5 exist, but page 4 might not exist.
+ explode: true
+ in: query
+ name: page
+ required: false
+ schema:
+ default: 1
+ format: int64
+ minimum: 1
+ type: integer
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/identitySchemas'
+ description: identitySchemas
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ tags:
+ - v0alpha2
+ /schemas/{id}:
+ get:
+ description: Get a JSON Schema
+ operationId: getIdentitySchema
+ parameters:
+ - description: ID must be set to the ID of schema you want to get
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/identitySchema'
+ description: identitySchema
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ tags:
+ - v0alpha2
+ /self-service/errors:
+ get:
+ description: |-
+ This endpoint returns the error associated with a user-facing self service errors.
+
+ This endpoint supports stub values to help you implement the error UI:
+
+ `?id=stub:500` - returns a stub 500 (Internal Server Error) error.
+
+ More information can be found at [Ory Kratos User User Facing Error Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-facing-errors).
+ operationId: getSelfServiceError
+ parameters:
+ - description: Error is the error's ID
+ explode: true
+ in: query
+ name: id
+ required: true
+ schema:
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceError'
+ description: selfServiceError
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: Get Self-Service Errors
+ tags:
+ - v0alpha2
+ /self-service/login:
+ post:
+ description: |-
+ :::info
+
+ This endpoint is EXPERIMENTAL and subject to potential breaking changes in the future.
+
+ :::
+
+ Use this endpoint to complete a login flow. This endpoint
+ behaves differently for API and browser flows.
+
+ API flows expect `application/json` to be sent in the body and responds with
+ HTTP 200 and a application/json body with the session token on success;
+ HTTP 410 if the original flow expired with the appropriate error messages set and optionally a `use_flow_id` parameter in the body;
+ HTTP 400 on form validation errors.
+
+ Browser flows expect a Content-Type of `application/x-www-form-urlencoded` or `application/json` to be sent in the body and respond with
+ a HTTP 303 redirect to the post/after login URL or the `return_to` value if it was set and if the login succeeded;
+ a HTTP 303 redirect to the login UI URL with the flow ID containing the validation errors otherwise.
+
+ Browser flows with an accept header of `application/json` will not redirect but instead respond with
+ HTTP 200 and a application/json body with the signed in identity and a `Set-Cookie` header on success;
+ HTTP 303 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;
+ HTTP 400 on form validation errors.
+
+ If this endpoint is called with `Accept: application/json` in the header, the response contains the flow without a redirect. In the
+ case of an error, the `error.id` of the JSON response body can be one of:
+
+ `session_already_available`: The user is already signed in.
+ `security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.
+ `security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. Adjust this in the configuration!
+ `browser_location_change_required`: Usually sent when an AJAX request indicates that the browser needs to open a specific URL.
+ Most likely used in Social Sign In flows.
+
+ More information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).
+ operationId: submitSelfServiceLoginFlow
+ parameters:
+ - description: |-
+ The Login Flow ID
+
+ The value for this parameter comes from `flow` URL Query parameter sent to your
+ application (e.g. `/login?flow=abcde`).
+ explode: true
+ in: query
+ name: flow
+ required: true
+ schema:
+ type: string
+ style: form
+ - description: The Session Token of the Identity performing the settings flow.
+ explode: false
+ in: header
+ name: X-Session-Token
+ required: false
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ HTTP Cookies
+
+ When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header
+ sent by the client to your server here. This ensures that CSRF and session cookies are respected.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/submitSelfServiceLoginFlowBody'
+ application/x-www-form-urlencoded:
+ schema:
+ $ref: '#/components/schemas/submitSelfServiceLoginFlowBody'
+ required: true
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/successfulSelfServiceLoginWithoutBrowser'
+ description: successfulSelfServiceLoginWithoutBrowser
+ "303":
+ description: "Empty responses are sent when, for example, resources are\
+ \ deleted. The HTTP status code for empty responses is typically 201."
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceLoginFlow'
+ description: selfServiceLoginFlow
+ "410":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "422":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceBrowserLocationChangeRequiredError'
+ description: selfServiceBrowserLocationChangeRequiredError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: Submit a Login Flow
+ tags:
+ - v0alpha2
+ /self-service/login/api:
+ get:
+ description: |-
+ This endpoint initiates a login flow for API clients that do not use a browser, such as mobile devices, smart TVs, and so on.
+
+ If a valid provided session cookie or session token is provided, a 400 Bad Request error
+ will be returned unless the URL query parameter `?refresh=true` is set.
+
+ To fetch an existing login flow call `/self-service/login/flows?flow=`.
+
+ You MUST NOT use this endpoint in client-side (Single Page Apps, ReactJS, AngularJS) nor server-side (Java Server
+ Pages, NodeJS, PHP, Golang, ...) browser applications. Using this endpoint in these applications will make
+ you vulnerable to a variety of CSRF attacks, including CSRF login attacks.
+
+ In the case of an error, the `error.id` of the JSON response body can be one of:
+
+ `session_already_available`: The user is already signed in.
+ `session_aal1_required`: Multi-factor auth (e.g. 2fa) was requested but the user has no session yet.
+ `security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.
+
+ This endpoint MUST ONLY be used in scenarios such as native mobile apps (React Native, Objective C, Swift, Java, ...).
+
+ More information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).
+ operationId: initializeSelfServiceLoginFlowWithoutBrowser
+ parameters:
+ - description: |-
+ Refresh a login session
+
+ If set to true, this will refresh an existing login session by
+ asking the user to sign in again. This will reset the
+ authenticated_at time of the session.
+ explode: true
+ in: query
+ name: refresh
+ required: false
+ schema:
+ type: boolean
+ style: form
+ - description: |-
+ Request a Specific AuthenticationMethod Assurance Level
+
+ Use this parameter to upgrade an existing session's authenticator assurance level (AAL). This
+ allows you to ask for multi-factor authentication. When an identity sign in using e.g. username+password,
+ the AAL is 1. If you wish to "upgrade" the session's security by asking the user to perform TOTP / WebAuth/ ...
+ you would set this to "aal2".
+ explode: true
+ in: query
+ name: aal
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: The Session Token of the Identity performing the settings flow.
+ explode: false
+ in: header
+ name: X-Session-Token
+ required: false
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceLoginFlow'
+ description: selfServiceLoginFlow
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: "Initialize Login Flow for APIs, Services, Apps, ..."
+ tags:
+ - v0alpha2
+ /self-service/login/browser:
+ get:
+ description: |-
+ This endpoint initializes a browser-based user login flow. This endpoint will set the appropriate
+ cookies and anti-CSRF measures required for browser-based flows.
+
+ If this endpoint is opened as a link in the browser, it will be redirected to
+ `selfservice.flows.login.ui_url` with the flow ID set as the query parameter `?flow=`. If a valid user session
+ exists already, the browser will be redirected to `urls.default_redirect_url` unless the query parameter
+ `?refresh=true` was set.
+
+ If this endpoint is called via an AJAX request, the response contains the flow without a redirect. In the
+ case of an error, the `error.id` of the JSON response body can be one of:
+
+ `session_already_available`: The user is already signed in.
+ `session_aal1_required`: Multi-factor auth (e.g. 2fa) was requested but the user has no session yet.
+ `security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.
+ `security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. Adjust this in the configuration!
+
+ The optional query parameter login_challenge is set when using Kratos with
+ Hydra in an OAuth2 flow. See the oauth2_provider.url configuration
+ option.
+
+ This endpoint is NOT INTENDED for clients that do not have a browser (Chrome, Firefox, ...) as cookies are needed.
+
+ More information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).
+ operationId: initializeSelfServiceLoginFlowForBrowsers
+ parameters:
+ - description: |-
+ Refresh a login session
+
+ If set to true, this will refresh an existing login session by
+ asking the user to sign in again. This will reset the
+ authenticated_at time of the session.
+ explode: true
+ in: query
+ name: refresh
+ required: false
+ schema:
+ type: boolean
+ style: form
+ - description: |-
+ Request a Specific AuthenticationMethod Assurance Level
+
+ Use this parameter to upgrade an existing session's authenticator assurance level (AAL). This
+ allows you to ask for multi-factor authentication. When an identity sign in using e.g. username+password,
+ the AAL is 1. If you wish to "upgrade" the session's security by asking the user to perform TOTP / WebAuth/ ...
+ you would set this to "aal2".
+ explode: true
+ in: query
+ name: aal
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: The URL to return the browser to after the flow was completed.
+ explode: true
+ in: query
+ name: return_to
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: |-
+ HTTP Cookies
+
+ When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header
+ sent by the client to your server here. This ensures that CSRF and session cookies are respected.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ An optional Hydra login challenge. If present, Kratos will cooperate with
+ Ory Hydra to act as an OAuth2 identity provider.
+
+ The value for this parameter comes from `login_challenge` URL Query parameter sent to your
+ application (e.g. `/login?login_challenge=abcde`).
+ explode: true
+ in: query
+ name: login_challenge
+ required: false
+ schema:
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceLoginFlow'
+ description: selfServiceLoginFlow
+ "303":
+ description: "Empty responses are sent when, for example, resources are\
+ \ deleted. The HTTP status code for empty responses is typically 201."
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: Initialize Login Flow for Browsers
+ tags:
+ - v0alpha2
+ /self-service/login/flows:
+ get:
+ description: |-
+ This endpoint returns a login flow's context with, for example, error details and other information.
+
+ Browser flows expect the anti-CSRF cookie to be included in the request's HTTP Cookie Header.
+ For AJAX requests you must ensure that cookies are included in the request or requests will fail.
+
+ If you use the browser-flow for server-side apps, the services need to run on a common top-level-domain
+ and you need to forward the incoming HTTP Cookie header to this endpoint:
+
+ ```js
+ pseudo-code example
+ router.get('/login', async function (req, res) {
+ const flow = await client.getSelfServiceLoginFlow(req.header('cookie'), req.query['flow'])
+
+ res.render('login', flow)
+ })
+ ```
+
+ This request may fail due to several reasons. The `error.id` can be one of:
+
+ `session_already_available`: The user is already signed in.
+ `self_service_flow_expired`: The flow is expired and you should request a new one.
+
+ More information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).
+ operationId: getSelfServiceLoginFlow
+ parameters:
+ - description: |-
+ The Login Flow ID
+
+ The value for this parameter comes from `flow` URL Query parameter sent to your
+ application (e.g. `/login?flow=abcde`).
+ explode: true
+ in: query
+ name: id
+ required: true
+ schema:
+ type: string
+ style: form
+ - description: |-
+ HTTP Cookies
+
+ When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header
+ sent by the client to your server here. This ensures that CSRF and session cookies are respected.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceLoginFlow'
+ description: selfServiceLoginFlow
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "410":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: Get Login Flow
+ tags:
+ - v0alpha2
+ /self-service/logout:
+ get:
+ description: |-
+ This endpoint logs out an identity in a self-service manner.
+
+ If the `Accept` HTTP header is not set to `application/json`, the browser will be redirected (HTTP 303 See Other)
+ to the `return_to` parameter of the initial request or fall back to `urls.default_return_to`.
+
+ If the `Accept` HTTP header is set to `application/json`, a 204 No Content response
+ will be sent on successful logout instead.
+
+ This endpoint is NOT INTENDED for API clients and only works
+ with browsers (Chrome, Firefox, ...). For API clients you can
+ call the `/self-service/logout/api` URL directly with the Ory Session Token.
+
+ More information can be found at [Ory Kratos User Logout Documentation](https://www.ory.sh/docs/next/kratos/self-service/flows/user-logout).
+ operationId: submitSelfServiceLogoutFlow
+ parameters:
+ - description: |-
+ A Valid Logout Token
+
+ If you do not have a logout token because you only have a session cookie,
+ call `/self-service/logout/browser` to generate a URL for this endpoint.
+ explode: true
+ in: query
+ name: token
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: The URL to return to after the logout was completed.
+ explode: true
+ in: query
+ name: return_to
+ required: false
+ schema:
+ type: string
+ style: form
+ responses:
+ "204":
+ description: "Empty responses are sent when, for example, resources are\
+ \ deleted. The HTTP status code for empty responses is typically 201."
+ "303":
+ description: "Empty responses are sent when, for example, resources are\
+ \ deleted. The HTTP status code for empty responses is typically 201."
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: Complete Self-Service Logout
+ tags:
+ - v0alpha2
+ /self-service/logout/api:
+ delete:
+ description: |-
+ Use this endpoint to log out an identity using an Ory Session Token. If the Ory Session Token was successfully
+ revoked, the server returns a 204 No Content response. A 204 No Content response is also sent when
+ the Ory Session Token has been revoked already before.
+
+ If the Ory Session Token is malformed or does not exist a 403 Forbidden response will be returned.
+
+ This endpoint does not remove any HTTP
+ Cookies - use the Browser-Based Self-Service Logout Flow instead.
+ operationId: submitSelfServiceLogoutFlowWithoutBrowser
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/submitSelfServiceLogoutFlowWithoutBrowserBody'
+ required: true
+ x-originalParamName: Body
+ responses:
+ "204":
+ description: "Empty responses are sent when, for example, resources are\
+ \ deleted. The HTTP status code for empty responses is typically 201."
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: "Perform Logout for APIs, Services, Apps, ..."
+ tags:
+ - v0alpha2
+ /self-service/logout/browser:
+ get:
+ description: |-
+ This endpoint initializes a browser-based user logout flow and a URL which can be used to log out the user.
+
+ This endpoint is NOT INTENDED for API clients and only works
+ with browsers (Chrome, Firefox, ...). For API clients you can
+ call the `/self-service/logout/api` URL directly with the Ory Session Token.
+
+ The URL is only valid for the currently signed in user. If no user is signed in, this endpoint returns
+ a 401 error.
+
+ When calling this endpoint from a backend, please ensure to properly forward the HTTP cookies.
+ operationId: createSelfServiceLogoutFlowUrlForBrowsers
+ parameters:
+ - description: |-
+ HTTP Cookies
+
+ If you call this endpoint from a backend, please include the
+ original Cookie header in the request.
+ explode: false
+ in: header
+ name: cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceLogoutUrl'
+ description: selfServiceLogoutUrl
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: Create a Logout URL for Browsers
+ tags:
+ - v0alpha2
+ /self-service/recovery:
+ post:
+ description: |-
+ Use this endpoint to complete a recovery flow. This endpoint
+ behaves differently for API and browser flows and has several states:
+
+ `choose_method` expects `flow` (in the URL query) and `email` (in the body) to be sent
+ and works with API- and Browser-initiated flows.
+ For API clients and Browser clients with HTTP Header `Accept: application/json` it either returns a HTTP 200 OK when the form is valid and HTTP 400 OK when the form is invalid.
+ and a HTTP 303 See Other redirect with a fresh recovery flow if the flow was otherwise invalid (e.g. expired).
+ For Browser clients without HTTP Header `Accept` or with `Accept: text/*` it returns a HTTP 303 See Other redirect to the Recovery UI URL with the Recovery Flow ID appended.
+ `sent_email` is the success state after `choose_method` for the `link` method and allows the user to request another recovery email. It
+ works for both API and Browser-initiated flows and returns the same responses as the flow in `choose_method` state.
+ `passed_challenge` expects a `token` to be sent in the URL query and given the nature of the flow ("sending a recovery link")
+ does not have any API capabilities. The server responds with a HTTP 303 See Other redirect either to the Settings UI URL
+ (if the link was valid) and instructs the user to update their password, or a redirect to the Recover UI URL with
+ a new Recovery Flow ID which contains an error message that the recovery link was invalid.
+
+ More information can be found at [Ory Kratos Account Recovery Documentation](../self-service/flows/account-recovery).
+ operationId: submitSelfServiceRecoveryFlow
+ parameters:
+ - description: |-
+ The Recovery Flow ID
+
+ The value for this parameter comes from `flow` URL Query parameter sent to your
+ application (e.g. `/recovery?flow=abcde`).
+ explode: true
+ in: query
+ name: flow
+ required: true
+ schema:
+ type: string
+ style: form
+ - description: |-
+ Recovery Token
+
+ The recovery token which completes the recovery request. If the token
+ is invalid (e.g. expired) an error will be shown to the end-user.
+
+ This parameter is usually set in a link and not used by any direct API call.
+ explode: true
+ in: query
+ name: token
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: |-
+ HTTP Cookies
+
+ When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header
+ sent by the client to your server here. This ensures that CSRF and session cookies are respected.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/submitSelfServiceRecoveryFlowBody'
+ application/x-www-form-urlencoded:
+ schema:
+ $ref: '#/components/schemas/submitSelfServiceRecoveryFlowBody'
+ required: true
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceRecoveryFlow'
+ description: selfServiceRecoveryFlow
+ "303":
+ description: "Empty responses are sent when, for example, resources are\
+ \ deleted. The HTTP status code for empty responses is typically 201."
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceRecoveryFlow'
+ description: selfServiceRecoveryFlow
+ "410":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "422":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceBrowserLocationChangeRequiredError'
+ description: selfServiceBrowserLocationChangeRequiredError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: Complete Recovery Flow
+ tags:
+ - v0alpha2
+ /self-service/recovery/api:
+ get:
+ description: |-
+ This endpoint initiates a recovery flow for API clients such as mobile devices, smart TVs, and so on.
+
+ If a valid provided session cookie or session token is provided, a 400 Bad Request error.
+
+ To fetch an existing recovery flow call `/self-service/recovery/flows?flow=`.
+
+ You MUST NOT use this endpoint in client-side (Single Page Apps, ReactJS, AngularJS) nor server-side (Java Server
+ Pages, NodeJS, PHP, Golang, ...) browser applications. Using this endpoint in these applications will make
+ you vulnerable to a variety of CSRF attacks.
+
+ This endpoint MUST ONLY be used in scenarios such as native mobile apps (React Native, Objective C, Swift, Java, ...).
+
+ More information can be found at [Ory Kratos Account Recovery Documentation](../self-service/flows/account-recovery).
+ operationId: initializeSelfServiceRecoveryFlowWithoutBrowser
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceRecoveryFlow'
+ description: selfServiceRecoveryFlow
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: "Initialize Recovery Flow for APIs, Services, Apps, ..."
+ tags:
+ - v0alpha2
+ /self-service/recovery/browser:
+ get:
+ description: |-
+ This endpoint initializes a browser-based account recovery flow. Once initialized, the browser will be redirected to
+ `selfservice.flows.recovery.ui_url` with the flow ID set as the query parameter `?flow=`. If a valid user session
+ exists, the browser is returned to the configured return URL.
+
+ If this endpoint is called via an AJAX request, the response contains the recovery flow without any redirects
+ or a 400 bad request error if the user is already authenticated.
+
+ This endpoint is NOT INTENDED for clients that do not have a browser (Chrome, Firefox, ...) as cookies are needed.
+
+ More information can be found at [Ory Kratos Account Recovery Documentation](../self-service/flows/account-recovery).
+ operationId: initializeSelfServiceRecoveryFlowForBrowsers
+ parameters:
+ - description: The URL to return the browser to after the flow was completed.
+ explode: true
+ in: query
+ name: return_to
+ required: false
+ schema:
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceRecoveryFlow'
+ description: selfServiceRecoveryFlow
+ "303":
+ description: "Empty responses are sent when, for example, resources are\
+ \ deleted. The HTTP status code for empty responses is typically 201."
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: Initialize Recovery Flow for Browsers
+ tags:
+ - v0alpha2
+ /self-service/recovery/flows:
+ get:
+ description: |-
+ This endpoint returns a recovery flow's context with, for example, error details and other information.
+
+ Browser flows expect the anti-CSRF cookie to be included in the request's HTTP Cookie Header.
+ For AJAX requests you must ensure that cookies are included in the request or requests will fail.
+
+ If you use the browser-flow for server-side apps, the services need to run on a common top-level-domain
+ and you need to forward the incoming HTTP Cookie header to this endpoint:
+
+ ```js
+ pseudo-code example
+ router.get('/recovery', async function (req, res) {
+ const flow = await client.getSelfServiceRecoveryFlow(req.header('Cookie'), req.query['flow'])
+
+ res.render('recovery', flow)
+ })
+ ```
+
+ More information can be found at [Ory Kratos Account Recovery Documentation](../self-service/flows/account-recovery).
+ operationId: getSelfServiceRecoveryFlow
+ parameters:
+ - description: |-
+ The Flow ID
+
+ The value for this parameter comes from `request` URL Query parameter sent to your
+ application (e.g. `/recovery?flow=abcde`).
+ explode: true
+ in: query
+ name: id
+ required: true
+ schema:
+ type: string
+ style: form
+ - description: |-
+ HTTP Cookies
+
+ When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header
+ sent by the client to your server here. This ensures that CSRF and session cookies are respected.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceRecoveryFlow'
+ description: selfServiceRecoveryFlow
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "410":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: Get Recovery Flow
+ tags:
+ - v0alpha2
+ /self-service/registration:
+ post:
+ description: |-
+ Use this endpoint to complete a registration flow by sending an identity's traits and password. This endpoint
+ behaves differently for API and browser flows.
+
+ API flows expect `application/json` to be sent in the body and respond with
+ HTTP 200 and a application/json body with the created identity success - if the session hook is configured the
+ `session` and `session_token` will also be included;
+ HTTP 410 if the original flow expired with the appropriate error messages set and optionally a `use_flow_id` parameter in the body;
+ HTTP 400 on form validation errors.
+
+ Browser flows expect a Content-Type of `application/x-www-form-urlencoded` or `application/json` to be sent in the body and respond with
+ a HTTP 303 redirect to the post/after registration URL or the `return_to` value if it was set and if the registration succeeded;
+ a HTTP 303 redirect to the registration UI URL with the flow ID containing the validation errors otherwise.
+
+ Browser flows with an accept header of `application/json` will not redirect but instead respond with
+ HTTP 200 and a application/json body with the signed in identity and a `Set-Cookie` header on success;
+ HTTP 303 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;
+ HTTP 400 on form validation errors.
+
+ If this endpoint is called with `Accept: application/json` in the header, the response contains the flow without a redirect. In the
+ case of an error, the `error.id` of the JSON response body can be one of:
+
+ `session_already_available`: The user is already signed in.
+ `security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.
+ `security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. Adjust this in the configuration!
+ `browser_location_change_required`: Usually sent when an AJAX request indicates that the browser needs to open a specific URL.
+ Most likely used in Social Sign In flows.
+
+ More information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).
+ operationId: submitSelfServiceRegistrationFlow
+ parameters:
+ - description: |-
+ The Registration Flow ID
+
+ The value for this parameter comes from `flow` URL Query parameter sent to your
+ application (e.g. `/registration?flow=abcde`).
+ explode: true
+ in: query
+ name: flow
+ required: true
+ schema:
+ type: string
+ style: form
+ - description: |-
+ HTTP Cookies
+
+ When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header
+ sent by the client to your server here. This ensures that CSRF and session cookies are respected.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/submitSelfServiceRegistrationFlowBody'
+ application/x-www-form-urlencoded:
+ schema:
+ $ref: '#/components/schemas/submitSelfServiceRegistrationFlowBody'
+ required: true
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/successfulSelfServiceRegistrationWithoutBrowser'
+ description: successfulSelfServiceRegistrationWithoutBrowser
+ "303":
+ description: "Empty responses are sent when, for example, resources are\
+ \ deleted. The HTTP status code for empty responses is typically 201."
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceRegistrationFlow'
+ description: selfServiceRegistrationFlow
+ "410":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "422":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceBrowserLocationChangeRequiredError'
+ description: selfServiceBrowserLocationChangeRequiredError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: Submit a Registration Flow
+ tags:
+ - v0alpha2
+ /self-service/registration/api:
+ get:
+ description: |-
+ This endpoint initiates a registration flow for API clients such as mobile devices, smart TVs, and so on.
+
+ If a valid provided session cookie or session token is provided, a 400 Bad Request error
+ will be returned unless the URL query parameter `?refresh=true` is set.
+
+ To fetch an existing registration flow call `/self-service/registration/flows?flow=`.
+
+ You MUST NOT use this endpoint in client-side (Single Page Apps, ReactJS, AngularJS) nor server-side (Java Server
+ Pages, NodeJS, PHP, Golang, ...) browser applications. Using this endpoint in these applications will make
+ you vulnerable to a variety of CSRF attacks.
+
+ In the case of an error, the `error.id` of the JSON response body can be one of:
+
+ `session_already_available`: The user is already signed in.
+ `security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.
+
+ This endpoint MUST ONLY be used in scenarios such as native mobile apps (React Native, Objective C, Swift, Java, ...).
+
+ More information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).
+ operationId: initializeSelfServiceRegistrationFlowWithoutBrowser
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceRegistrationFlow'
+ description: selfServiceRegistrationFlow
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: "Initialize Registration Flow for APIs, Services, Apps, ..."
+ tags:
+ - v0alpha2
+ /self-service/registration/browser:
+ get:
+ description: |-
+ This endpoint initializes a browser-based user registration flow. This endpoint will set the appropriate
+ cookies and anti-CSRF measures required for browser-based flows.
+
+ :::info
+
+ This endpoint is EXPERIMENTAL and subject to potential breaking changes in the future.
+
+ :::
+
+ If this endpoint is opened as a link in the browser, it will be redirected to
+ `selfservice.flows.registration.ui_url` with the flow ID set as the query parameter `?flow=`. If a valid user session
+ exists already, the browser will be redirected to `urls.default_redirect_url`.
+
+ If this endpoint is called via an AJAX request, the response contains the flow without a redirect. In the
+ case of an error, the `error.id` of the JSON response body can be one of:
+
+ `session_already_available`: The user is already signed in.
+ `security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.
+ `security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. Adjust this in the configuration!
+
+ If this endpoint is called via an AJAX request, the response contains the registration flow without a redirect.
+
+ This endpoint is NOT INTENDED for clients that do not have a browser (Chrome, Firefox, ...) as cookies are needed.
+
+ More information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).
+ operationId: initializeSelfServiceRegistrationFlowForBrowsers
+ parameters:
+ - description: The URL to return the browser to after the flow was completed.
+ explode: true
+ in: query
+ name: return_to
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: |-
+ Ory OAuth 2.0 Login Challenge.
+
+ If set will cooperate with Ory OAuth2 and OpenID to act as an OAuth2 server / OpenID Provider.
+
+ The value for this parameter comes from `login_challenge` URL Query parameter sent to your
+ application (e.g. `/registration?login_challenge=abcde`).
+
+ This feature is compatible with Ory Hydra when not running on the Ory Network.
+ explode: true
+ in: query
+ name: login_challenge
+ required: false
+ schema:
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceRegistrationFlow'
+ description: selfServiceRegistrationFlow
+ "303":
+ description: "Empty responses are sent when, for example, resources are\
+ \ deleted. The HTTP status code for empty responses is typically 201."
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: Initialize Registration Flow for Browsers
+ tags:
+ - v0alpha2
+ /self-service/registration/flows:
+ get:
+ description: |-
+ This endpoint returns a registration flow's context with, for example, error details and other information.
+
+ Browser flows expect the anti-CSRF cookie to be included in the request's HTTP Cookie Header.
+ For AJAX requests you must ensure that cookies are included in the request or requests will fail.
+
+ If you use the browser-flow for server-side apps, the services need to run on a common top-level-domain
+ and you need to forward the incoming HTTP Cookie header to this endpoint:
+
+ ```js
+ pseudo-code example
+ router.get('/registration', async function (req, res) {
+ const flow = await client.getSelfServiceRegistrationFlow(req.header('cookie'), req.query['flow'])
+
+ res.render('registration', flow)
+ })
+ ```
+
+ This request may fail due to several reasons. The `error.id` can be one of:
+
+ `session_already_available`: The user is already signed in.
+ `self_service_flow_expired`: The flow is expired and you should request a new one.
+
+ More information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).
+ operationId: getSelfServiceRegistrationFlow
+ parameters:
+ - description: |-
+ The Registration Flow ID
+
+ The value for this parameter comes from `flow` URL Query parameter sent to your
+ application (e.g. `/registration?flow=abcde`).
+ explode: true
+ in: query
+ name: id
+ required: true
+ schema:
+ type: string
+ style: form
+ - description: |-
+ HTTP Cookies
+
+ When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header
+ sent by the client to your server here. This ensures that CSRF and session cookies are respected.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceRegistrationFlow'
+ description: selfServiceRegistrationFlow
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "410":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: Get Registration Flow
+ tags:
+ - v0alpha2
+ /self-service/settings:
+ post:
+ description: |-
+ Use this endpoint to complete a settings flow by sending an identity's updated password. This endpoint
+ behaves differently for API and browser flows.
+
+ API-initiated flows expect `application/json` to be sent in the body and respond with
+ HTTP 200 and an application/json body with the session token on success;
+ HTTP 303 redirect to a fresh settings flow if the original flow expired with the appropriate error messages set;
+ HTTP 400 on form validation errors.
+ HTTP 401 when the endpoint is called without a valid session token.
+ HTTP 403 when `selfservice.flows.settings.privileged_session_max_age` was reached or the session's AAL is too low.
+ Implies that the user needs to re-authenticate.
+
+ Browser flows without HTTP Header `Accept` or with `Accept: text/*` respond with
+ a HTTP 303 redirect to the post/after settings URL or the `return_to` value if it was set and if the flow succeeded;
+ a HTTP 303 redirect to the Settings UI URL with the flow ID containing the validation errors otherwise.
+ a HTTP 303 redirect to the login endpoint when `selfservice.flows.settings.privileged_session_max_age` was reached or the session's AAL is too low.
+
+ Browser flows with HTTP Header `Accept: application/json` respond with
+ HTTP 200 and a application/json body with the signed in identity and a `Set-Cookie` header on success;
+ HTTP 303 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;
+ HTTP 401 when the endpoint is called without a valid session cookie.
+ HTTP 403 when the page is accessed without a session cookie or the session's AAL is too low.
+ HTTP 400 on form validation errors.
+
+ Depending on your configuration this endpoint might return a 403 error if the session has a lower Authenticator
+ Assurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn
+ credentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user
+ to sign in with the second factor (happens automatically for server-side browser flows) or change the configuration.
+
+ If this endpoint is called with a `Accept: application/json` HTTP header, the response contains the flow without a redirect. In the
+ case of an error, the `error.id` of the JSON response body can be one of:
+
+ `session_refresh_required`: The identity requested to change something that needs a privileged session. Redirect
+ the identity to the login init endpoint with query parameters `?refresh=true&return_to=`,
+ or initiate a refresh login flow otherwise.
+ `security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.
+ `session_inactive`: No Ory Session was found - sign in a user first.
+ `security_identity_mismatch`: The flow was interrupted with `session_refresh_required` but apparently some other
+ identity logged in instead.
+ `security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. Adjust this in the configuration!
+ `browser_location_change_required`: Usually sent when an AJAX request indicates that the browser needs to open a specific URL.
+ Most likely used in Social Sign In flows.
+
+ More information can be found at [Ory Kratos User Settings & Profile Management Documentation](../self-service/flows/user-settings).
+ operationId: submitSelfServiceSettingsFlow
+ parameters:
+ - description: |-
+ The Settings Flow ID
+
+ The value for this parameter comes from `flow` URL Query parameter sent to your
+ application (e.g. `/settings?flow=abcde`).
+ explode: true
+ in: query
+ name: flow
+ required: true
+ schema:
+ type: string
+ style: form
+ - description: The Session Token of the Identity performing the settings flow.
+ explode: false
+ in: header
+ name: X-Session-Token
+ required: false
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ HTTP Cookies
+
+ When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header
+ sent by the client to your server here. This ensures that CSRF and session cookies are respected.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/submitSelfServiceSettingsFlowBody'
+ application/x-www-form-urlencoded:
+ schema:
+ $ref: '#/components/schemas/submitSelfServiceSettingsFlowBody'
+ required: true
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceSettingsFlow'
+ description: selfServiceSettingsFlow
+ "303":
+ description: "Empty responses are sent when, for example, resources are\
+ \ deleted. The HTTP status code for empty responses is typically 201."
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceSettingsFlow'
+ description: selfServiceSettingsFlow
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "410":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "422":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceBrowserLocationChangeRequiredError'
+ description: selfServiceBrowserLocationChangeRequiredError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ security:
+ - sessionToken: []
+ summary: Complete Settings Flow
+ tags:
+ - v0alpha2
+ /self-service/settings/api:
+ get:
+ description: |-
+ This endpoint initiates a settings flow for API clients such as mobile devices, smart TVs, and so on.
+ You must provide a valid Ory Kratos Session Token for this endpoint to respond with HTTP 200 OK.
+
+ To fetch an existing settings flow call `/self-service/settings/flows?flow=`.
+
+ You MUST NOT use this endpoint in client-side (Single Page Apps, ReactJS, AngularJS) nor server-side (Java Server
+ Pages, NodeJS, PHP, Golang, ...) browser applications. Using this endpoint in these applications will make
+ you vulnerable to a variety of CSRF attacks.
+
+ Depending on your configuration this endpoint might return a 403 error if the session has a lower Authenticator
+ Assurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn
+ credentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user
+ to sign in with the second factor or change the configuration.
+
+ In the case of an error, the `error.id` of the JSON response body can be one of:
+
+ `security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.
+ `session_inactive`: No Ory Session was found - sign in a user first.
+
+ This endpoint MUST ONLY be used in scenarios such as native mobile apps (React Native, Objective C, Swift, Java, ...).
+
+ More information can be found at [Ory Kratos User Settings & Profile Management Documentation](../self-service/flows/user-settings).
+ operationId: initializeSelfServiceSettingsFlowWithoutBrowser
+ parameters:
+ - description: The Session Token of the Identity performing the settings flow.
+ explode: false
+ in: header
+ name: X-Session-Token
+ required: false
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceSettingsFlow'
+ description: selfServiceSettingsFlow
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: "Initialize Settings Flow for APIs, Services, Apps, ..."
+ tags:
+ - v0alpha2
+ /self-service/settings/browser:
+ get:
+ description: |-
+ This endpoint initializes a browser-based user settings flow. Once initialized, the browser will be redirected to
+ `selfservice.flows.settings.ui_url` with the flow ID set as the query parameter `?flow=`. If no valid
+ Ory Kratos Session Cookie is included in the request, a login flow will be initialized.
+
+ If this endpoint is opened as a link in the browser, it will be redirected to
+ `selfservice.flows.settings.ui_url` with the flow ID set as the query parameter `?flow=`. If no valid user session
+ was set, the browser will be redirected to the login endpoint.
+
+ If this endpoint is called via an AJAX request, the response contains the settings flow without any redirects
+ or a 401 forbidden error if no valid session was set.
+
+ Depending on your configuration this endpoint might return a 403 error if the session has a lower Authenticator
+ Assurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn
+ credentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user
+ to sign in with the second factor (happens automatically for server-side browser flows) or change the configuration.
+
+ If this endpoint is called via an AJAX request, the response contains the flow without a redirect. In the
+ case of an error, the `error.id` of the JSON response body can be one of:
+
+ `security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.
+ `session_inactive`: No Ory Session was found - sign in a user first.
+ `security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. Adjust this in the configuration!
+
+ This endpoint is NOT INTENDED for clients that do not have a browser (Chrome, Firefox, ...) as cookies are needed.
+
+ More information can be found at [Ory Kratos User Settings & Profile Management Documentation](../self-service/flows/user-settings).
+ operationId: initializeSelfServiceSettingsFlowForBrowsers
+ parameters:
+ - description: The URL to return the browser to after the flow was completed.
+ explode: true
+ in: query
+ name: return_to
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: |-
+ HTTP Cookies
+
+ When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header
+ sent by the client to your server here. This ensures that CSRF and session cookies are respected.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceSettingsFlow'
+ description: selfServiceSettingsFlow
+ "303":
+ description: "Empty responses are sent when, for example, resources are\
+ \ deleted. The HTTP status code for empty responses is typically 201."
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: Initialize Settings Flow for Browsers
+ tags:
+ - v0alpha2
+ /self-service/settings/flows:
+ get:
+ description: |-
+ When accessing this endpoint through Ory Kratos' Public API you must ensure that either the Ory Kratos Session Cookie
+ or the Ory Kratos Session Token are set.
+
+ Depending on your configuration this endpoint might return a 403 error if the session has a lower Authenticator
+ Assurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn
+ credentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user
+ to sign in with the second factor or change the configuration.
+
+ You can access this endpoint without credentials when using Ory Kratos' Admin API.
+
+ If this endpoint is called via an AJAX request, the response contains the flow without a redirect. In the
+ case of an error, the `error.id` of the JSON response body can be one of:
+
+ `security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.
+ `session_inactive`: No Ory Session was found - sign in a user first.
+ `security_identity_mismatch`: The flow was interrupted with `session_refresh_required` but apparently some other
+ identity logged in instead.
+
+ More information can be found at [Ory Kratos User Settings & Profile Management Documentation](../self-service/flows/user-settings).
+ operationId: getSelfServiceSettingsFlow
+ parameters:
+ - description: |-
+ ID is the Settings Flow ID
+
+ The value for this parameter comes from `flow` URL Query parameter sent to your
+ application (e.g. `/settings?flow=abcde`).
+ explode: true
+ in: query
+ name: id
+ required: true
+ schema:
+ type: string
+ style: form
+ - description: |-
+ The Session Token
+
+ When using the SDK in an app without a browser, please include the
+ session token here.
+ explode: false
+ in: header
+ name: X-Session-Token
+ required: false
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ HTTP Cookies
+
+ When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header
+ sent by the client to your server here. This ensures that CSRF and session cookies are respected.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceSettingsFlow'
+ description: selfServiceSettingsFlow
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "410":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: Get Settings Flow
+ tags:
+ - v0alpha2
+ /self-service/verification:
+ post:
+ description: |-
+ Use this endpoint to complete a verification flow. This endpoint
+ behaves differently for API and browser flows and has several states:
+
+ `choose_method` expects `flow` (in the URL query) and `email` (in the body) to be sent
+ and works with API- and Browser-initiated flows.
+ For API clients and Browser clients with HTTP Header `Accept: application/json` it either returns a HTTP 200 OK when the form is valid and HTTP 400 OK when the form is invalid
+ and a HTTP 303 See Other redirect with a fresh verification flow if the flow was otherwise invalid (e.g. expired).
+ For Browser clients without HTTP Header `Accept` or with `Accept: text/*` it returns a HTTP 303 See Other redirect to the Verification UI URL with the Verification Flow ID appended.
+ `sent_email` is the success state after `choose_method` when using the `link` method and allows the user to request another verification email. It
+ works for both API and Browser-initiated flows and returns the same responses as the flow in `choose_method` state.
+ `passed_challenge` expects a `token` to be sent in the URL query and given the nature of the flow ("sending a verification link")
+ does not have any API capabilities. The server responds with a HTTP 303 See Other redirect either to the Settings UI URL
+ (if the link was valid) and instructs the user to update their password, or a redirect to the Verification UI URL with
+ a new Verification Flow ID which contains an error message that the verification link was invalid.
+
+ More information can be found at [Ory Kratos Email and Phone Verification Documentation](https://www.ory.sh/docs/kratos/selfservice/flows/verify-email-account-activation).
+ operationId: submitSelfServiceVerificationFlow
+ parameters:
+ - description: |-
+ The Verification Flow ID
+
+ The value for this parameter comes from `flow` URL Query parameter sent to your
+ application (e.g. `/verification?flow=abcde`).
+ explode: true
+ in: query
+ name: flow
+ required: true
+ schema:
+ type: string
+ style: form
+ - description: |-
+ Verification Token
+
+ The verification token which completes the verification request. If the token
+ is invalid (e.g. expired) an error will be shown to the end-user.
+
+ This parameter is usually set in a link and not used by any direct API call.
+ explode: true
+ in: query
+ name: token
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: |-
+ HTTP Cookies
+
+ When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header
+ sent by the client to your server here. This ensures that CSRF and session cookies are respected.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/submitSelfServiceVerificationFlowBody'
+ application/x-www-form-urlencoded:
+ schema:
+ $ref: '#/components/schemas/submitSelfServiceVerificationFlowBody'
+ required: true
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceVerificationFlow'
+ description: selfServiceVerificationFlow
+ "303":
+ description: "Empty responses are sent when, for example, resources are\
+ \ deleted. The HTTP status code for empty responses is typically 201."
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceVerificationFlow'
+ description: selfServiceVerificationFlow
+ "410":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: Complete Verification Flow
+ tags:
+ - v0alpha2
+ /self-service/verification/api:
+ get:
+ description: |-
+ This endpoint initiates a verification flow for API clients such as mobile devices, smart TVs, and so on.
+
+ To fetch an existing verification flow call `/self-service/verification/flows?flow=`.
+
+ You MUST NOT use this endpoint in client-side (Single Page Apps, ReactJS, AngularJS) nor server-side (Java Server
+ Pages, NodeJS, PHP, Golang, ...) browser applications. Using this endpoint in these applications will make
+ you vulnerable to a variety of CSRF attacks.
+
+ This endpoint MUST ONLY be used in scenarios such as native mobile apps (React Native, Objective C, Swift, Java, ...).
+
+ More information can be found at [Ory Kratos Email and Phone Verification Documentation](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation).
+ operationId: initializeSelfServiceVerificationFlowWithoutBrowser
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceVerificationFlow'
+ description: selfServiceVerificationFlow
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: "Initialize Verification Flow for APIs, Services, Apps, ..."
+ tags:
+ - v0alpha2
+ /self-service/verification/browser:
+ get:
+ description: |-
+ This endpoint initializes a browser-based account verification flow. Once initialized, the browser will be redirected to
+ `selfservice.flows.verification.ui_url` with the flow ID set as the query parameter `?flow=`.
+
+ If this endpoint is called via an AJAX request, the response contains the recovery flow without any redirects.
+
+ This endpoint is NOT INTENDED for API clients and only works with browsers (Chrome, Firefox, ...).
+
+ More information can be found at [Ory Kratos Email and Phone Verification Documentation](https://www.ory.sh/docs/kratos/selfservice/flows/verify-email-account-activation).
+ operationId: initializeSelfServiceVerificationFlowForBrowsers
+ parameters:
+ - description: The URL to return the browser to after the flow was completed.
+ explode: true
+ in: query
+ name: return_to
+ required: false
+ schema:
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceVerificationFlow'
+ description: selfServiceVerificationFlow
+ "303":
+ description: "Empty responses are sent when, for example, resources are\
+ \ deleted. The HTTP status code for empty responses is typically 201."
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: Initialize Verification Flow for Browser Clients
+ tags:
+ - v0alpha2
+ /self-service/verification/flows:
+ get:
+ description: |-
+ This endpoint returns a verification flow's context with, for example, error details and other information.
+
+ Browser flows expect the anti-CSRF cookie to be included in the request's HTTP Cookie Header.
+ For AJAX requests you must ensure that cookies are included in the request or requests will fail.
+
+ If you use the browser-flow for server-side apps, the services need to run on a common top-level-domain
+ and you need to forward the incoming HTTP Cookie header to this endpoint:
+
+ ```js
+ pseudo-code example
+ router.get('/recovery', async function (req, res) {
+ const flow = await client.getSelfServiceVerificationFlow(req.header('cookie'), req.query['flow'])
+
+ res.render('verification', flow)
+ })
+
+ More information can be found at [Ory Kratos Email and Phone Verification Documentation](https://www.ory.sh/docs/kratos/selfservice/flows/verify-email-account-activation).
+ operationId: getSelfServiceVerificationFlow
+ parameters:
+ - description: |-
+ The Flow ID
+
+ The value for this parameter comes from `request` URL Query parameter sent to your
+ application (e.g. `/verification?flow=abcde`).
+ explode: true
+ in: query
+ name: id
+ required: true
+ schema:
+ type: string
+ style: form
+ - description: |-
+ HTTP Cookies
+
+ When using the SDK on the server side you must include the HTTP Cookie Header
+ originally sent to your HTTP handler here.
+ explode: false
+ in: header
+ name: cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/selfServiceVerificationFlow'
+ description: selfServiceVerificationFlow
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: Get Verification Flow
+ tags:
+ - v0alpha2
+ /sessions:
+ delete:
+ description: |-
+ Calling this endpoint invalidates all except the current session that belong to the logged-in user.
+ Session data are not deleted.
+
+ This endpoint is useful for:
+
+ To forcefully logout the current user from all other devices and sessions
+ operationId: revokeSessions
+ parameters:
+ - description: Set the Session Token when calling from non-browser clients.
+ A session token has a format of `MP2YWEMeM8MxjkGKpH4dqOQ4Q4DlSPaj`.
+ explode: false
+ in: header
+ name: X-Session-Token
+ required: false
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ Set the Cookie Header. This is especially useful when calling this endpoint from a server-side application. In that
+ scenario you must include the HTTP Cookie Header which originally was included in the request to your server.
+ An example of a session in the HTTP Cookie Header is: `ory_kratos_session=a19iOVAbdzdgl70Rq1QZmrKmcjDtdsviCTZx7m9a9yHIUS8Wa9T7hvqyGTsLHi6Qifn2WUfpAKx9DWp0SJGleIn9vh2YF4A16id93kXFTgIgmwIOvbVAScyrx7yVl6bPZnCx27ec4WQDtaTewC1CpgudeDV2jQQnSaCP6ny3xa8qLH-QUgYqdQuoA_LF1phxgRCUfIrCLQOkolX5nv3ze_f==`.
+
+ It is ok if more than one cookie are included here as all other cookies will be ignored.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/revokedSessions'
+ description: revokedSessions
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: Invalidate all Other Sessions
+ tags:
+ - v0alpha2
+ get:
+ description: |-
+ This endpoints returns all other active sessions that belong to the logged-in user.
+ The current session can be retrieved by calling the `/sessions/whoami` endpoint.
+
+ This endpoint is useful for:
+
+ Displaying all other sessions that belong to the logged-in user
+ operationId: listSessions
+ parameters:
+ - description: Set the Session Token when calling from non-browser clients.
+ A session token has a format of `MP2YWEMeM8MxjkGKpH4dqOQ4Q4DlSPaj`.
+ explode: false
+ in: header
+ name: X-Session-Token
+ required: false
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ Set the Cookie Header. This is especially useful when calling this endpoint from a server-side application. In that
+ scenario you must include the HTTP Cookie Header which originally was included in the request to your server.
+ An example of a session in the HTTP Cookie Header is: `ory_kratos_session=a19iOVAbdzdgl70Rq1QZmrKmcjDtdsviCTZx7m9a9yHIUS8Wa9T7hvqyGTsLHi6Qifn2WUfpAKx9DWp0SJGleIn9vh2YF4A16id93kXFTgIgmwIOvbVAScyrx7yVl6bPZnCx27ec4WQDtaTewC1CpgudeDV2jQQnSaCP6ny3xa8qLH-QUgYqdQuoA_LF1phxgRCUfIrCLQOkolX5nv3ze_f==`.
+
+ It is ok if more than one cookie are included here as all other cookies will be ignored.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ Items per Page
+
+ This is the number of items per page.
+ explode: true
+ in: query
+ name: per_page
+ required: false
+ schema:
+ default: 250
+ format: int64
+ maximum: 1000
+ minimum: 1
+ type: integer
+ style: form
+ - description: |-
+ Pagination Page
+
+ This value is currently an integer, but it is not sequential. The value is not the page number, but a
+ reference. The next page can be any number and some numbers might return an empty list.
+
+ For example, page 2 might not follow after page 1. And even if page 3 and 5 exist, but page 4 might not exist.
+ explode: true
+ in: query
+ name: page
+ required: false
+ schema:
+ default: 1
+ format: int64
+ minimum: 1
+ type: integer
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/sessionList'
+ description: sessionList
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: Get Active Sessions
+ tags:
+ - v0alpha2
+ /sessions/whoami:
+ get:
+ description: |-
+ Uses the HTTP Headers in the GET request to determine (e.g. by using checking the cookies) who is authenticated.
+ Returns a session object in the body or 401 if the credentials are invalid or no credentials were sent.
+ Additionally when the request it successful it adds the user ID to the 'X-Kratos-Authenticated-Identity-Id' header
+ in the response.
+
+ If you call this endpoint from a server-side application, you must forward the HTTP Cookie Header to this endpoint:
+
+ ```js
+ pseudo-code example
+ router.get('/protected-endpoint', async function (req, res) {
+ const session = await client.toSession(undefined, req.header('cookie'))
+
+ console.log(session)
+ })
+ ```
+
+ When calling this endpoint from a non-browser application (e.g. mobile app) you must include the session token:
+
+ ```js
+ pseudo-code example
+ ...
+ const session = await client.toSession("the-session-token")
+
+ console.log(session)
+ ```
+
+ Depending on your configuration this endpoint might return a 403 status code if the session has a lower Authenticator
+ Assurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn
+ credentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user
+ to sign in with the second factor or change the configuration.
+
+ This endpoint is useful for:
+
+ AJAX calls. Remember to send credentials and set up CORS correctly!
+ Reverse proxies and API Gateways
+ Server-side calls - use the `X-Session-Token` header!
+
+ # This endpoint authenticates users by checking
+
+ if the `Cookie` HTTP header was set containing an Ory Kratos Session Cookie;
+ if the `Authorization: bearer ` HTTP header was set with a valid Ory Kratos Session Token;
+ if the `X-Session-Token` HTTP header was set with a valid Ory Kratos Session Token.
+
+ If none of these headers are set or the cooke or token are invalid, the endpoint returns a HTTP 401 status code.
+
+ As explained above, this request may fail due to several reasons. The `error.id` can be one of:
+
+ `session_inactive`: No active session was found in the request (e.g. no Ory Session Cookie / Ory Session Token).
+ `session_aal2_required`: An active session was found but it does not fulfil the Authenticator Assurance Level, implying that the session must (e.g.) authenticate the second factor.
+ operationId: toSession
+ parameters:
+ - description: Set the Session Token when calling from non-browser clients.
+ A session token has a format of `MP2YWEMeM8MxjkGKpH4dqOQ4Q4DlSPaj`.
+ example: MP2YWEMeM8MxjkGKpH4dqOQ4Q4DlSPaj
+ explode: false
+ in: header
+ name: X-Session-Token
+ required: false
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ Set the Cookie Header. This is especially useful when calling this endpoint from a server-side application. In that
+ scenario you must include the HTTP Cookie Header which originally was included in the request to your server.
+ An example of a session in the HTTP Cookie Header is: `ory_kratos_session=a19iOVAbdzdgl70Rq1QZmrKmcjDtdsviCTZx7m9a9yHIUS8Wa9T7hvqyGTsLHi6Qifn2WUfpAKx9DWp0SJGleIn9vh2YF4A16id93kXFTgIgmwIOvbVAScyrx7yVl6bPZnCx27ec4WQDtaTewC1CpgudeDV2jQQnSaCP6ny3xa8qLH-QUgYqdQuoA_LF1phxgRCUfIrCLQOkolX5nv3ze_f==`.
+
+ It is ok if more than one cookie are included here as all other cookies will be ignored.
+ example: ory_kratos_session=a19iOVAbdzdgl70Rq1QZmrKmcjDtdsviCTZx7m9a9yHIUS8Wa9T7hvqyGTsLHi6Qifn2WUfpAKx9DWp0SJGleIn9vh2YF4A16id93kXFTgIgmwIOvbVAScyrx7yVl6bPZnCx27ec4WQDtaTewC1CpgudeDV2jQQnSaCP6ny3xa8qLH-QUgYqdQuoA_LF1phxgRCUfIrCLQOkolX5nv3ze_f==
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/session'
+ description: session
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: Check Who the Current HTTP Session Belongs To
+ tags:
+ - v0alpha2
+ /sessions/{id}:
+ delete:
+ description: |-
+ Calling this endpoint invalidates the specified session. The current session cannot be revoked.
+ Session data are not deleted.
+
+ This endpoint is useful for:
+
+ To forcefully logout the current user from another device or session
+ operationId: revokeSession
+ parameters:
+ - description: ID is the session's ID.
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "204":
+ description: "Empty responses are sent when, for example, resources are\
+ \ deleted. The HTTP status code for empty responses is typically 201."
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonError'
+ description: jsonError
+ summary: Invalidate a Session
+ tags:
+ - v0alpha2
+ /version:
+ get:
+ description: |-
+ This endpoint returns the version of Ory Kratos.
+
+ If the service supports TLS Edge Termination, this endpoint does not require the
+ `X-Forwarded-Proto` header to be set.
+
+ Be aware that if you are running multiple nodes of this service, the version will never
+ refer to the cluster state, only to a single instance.
+ operationId: getVersion
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/getVersion_200_response'
+ description: Returns the Ory Kratos version.
+ summary: Return Running Software Version.
+ tags:
+ - metadata
+components:
+ responses:
+ adminListSessions:
+ content:
+ application/json:
+ schema:
+ items:
+ $ref: '#/components/schemas/session'
+ type: array
+ description: |-
+ Session List Response
+
+ The response given when listing sessions in an administrative context.
+ emptyResponse:
+ description: "Empty responses are sent when, for example, resources are deleted.\
+ \ The HTTP status code for empty responses is typically 201."
+ schemas:
+ AdminUpdateIdentityBody:
+ example:
+ metadata_admin: ""
+ traits: "{}"
+ credentials:
+ password:
+ config:
+ hashed_password: hashed_password
+ password: password
+ oidc:
+ config:
+ config:
+ hashed_password: hashed_password
+ password: password
+ providers:
+ - provider: provider
+ subject: subject
+ - provider: provider
+ subject: subject
+ schema_id: schema_id
+ state: null
+ metadata_public: ""
+ properties:
+ credentials:
+ $ref: '#/components/schemas/adminIdentityImportCredentials'
+ metadata_admin:
+ description: Store metadata about the user which is only accessible through
+ admin APIs such as `GET /admin/identities/`.
+ metadata_public:
+ description: |-
+ Store metadata about the identity which the identity itself can see when calling for example the
+ session endpoint. Do not store sensitive information (e.g. credit score) about the identity in this field.
+ schema_id:
+ description: |-
+ SchemaID is the ID of the JSON Schema to be used for validating the identity's traits. If set
+ will update the Identity's SchemaID.
+ type: string
+ state:
+ $ref: '#/components/schemas/identityState'
+ traits:
+ description: |-
+ Traits represent an identity's traits. The identity is able to create, modify, and delete traits
+ in a self-service manner. The input will always be validated against the JSON Schema defined
+ in `schema_id`.
+ type: object
+ required:
+ - schema_id
+ - state
+ - traits
+ type: object
+ Duration:
+ description: |-
+ A Duration represents the elapsed time between two instants
+ as an int64 nanosecond count. The representation limits the
+ largest representable duration to approximately 290 years.
+ format: int64
+ type: integer
+ ID:
+ format: int64
+ type: integer
+ JSONRawMessage:
+ title: "JSONRawMessage represents a json.RawMessage that works well with JSON,\
+ \ SQL, and Swagger."
+ type: object
+ LoginRequest:
+ description: LoginRequest struct for LoginRequest
+ example:
+ requested_access_token_audience:
+ - requested_access_token_audience
+ - requested_access_token_audience
+ subject: subject
+ oidc_context:
+ login_hint: login_hint
+ ui_locales:
+ - ui_locales
+ - ui_locales
+ id_token_hint_claims:
+ key: ""
+ acr_values:
+ - acr_values
+ - acr_values
+ display: display
+ challenge: challenge
+ client:
+ metadata:
+ key: ""
+ token_endpoint_auth_signing_alg: token_endpoint_auth_signing_alg
+ client_uri: client_uri
+ jwks:
+ key: ""
+ logo_uri: logo_uri
+ created_at: 2000-01-23T04:56:07.000+00:00
+ registration_client_uri: registration_client_uri
+ allowed_cors_origins:
+ - allowed_cors_origins
+ - allowed_cors_origins
+ registration_access_token: registration_access_token
+ client_id: client_id
+ token_endpoint_auth_method: token_endpoint_auth_method
+ userinfo_signed_response_alg: userinfo_signed_response_alg
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ scope: scope
+ request_uris:
+ - request_uris
+ - request_uris
+ client_secret: client_secret
+ backchannel_logout_session_required: true
+ backchannel_logout_uri: backchannel_logout_uri
+ client_name: client_name
+ policy_uri: policy_uri
+ owner: owner
+ audience:
+ - audience
+ - audience
+ post_logout_redirect_uris:
+ - post_logout_redirect_uris
+ - post_logout_redirect_uris
+ grant_types:
+ - grant_types
+ - grant_types
+ subject_type: subject_type
+ redirect_uris:
+ - redirect_uris
+ - redirect_uris
+ sector_identifier_uri: sector_identifier_uri
+ frontchannel_logout_session_required: true
+ frontchannel_logout_uri: frontchannel_logout_uri
+ client_secret_expires_at: 0
+ jwks_uri: jwks_uri
+ request_object_signing_alg: request_object_signing_alg
+ tos_uri: tos_uri
+ contacts:
+ - contacts
+ - contacts
+ response_types:
+ - response_types
+ - response_types
+ session_id: session_id
+ skip: true
+ request_url: request_url
+ requested_scope:
+ - requested_scope
+ - requested_scope
+ properties:
+ challenge:
+ description: ID is the identifier (\"login challenge\") of the login request.
+ It is used to identify the session.
+ type: string
+ client:
+ $ref: '#/components/schemas/OAuth2Client'
+ oidc_context:
+ $ref: '#/components/schemas/OpenIDConnectContext'
+ request_url:
+ description: "RequestURL is the original OAuth 2.0 Authorization URL requested\
+ \ by the OAuth 2.0 client. It is the URL which initiates the OAuth 2.0\
+ \ Authorization Code or OAuth 2.0 Implicit flow. This URL is typically\
+ \ not needed, but might come in handy if you want to deal with additional\
+ \ request parameters."
+ type: string
+ requested_access_token_audience:
+ items:
+ type: string
+ type: array
+ requested_scope:
+ items:
+ type: string
+ type: array
+ session_id:
+ description: SessionID is the login session ID. If the user-agent reuses
+ a login session (via cookie / remember flag) this ID will remain the same.
+ If the user-agent did not have an existing authentication session (e.g.
+ remember is false) this will be a new random value. This value is used
+ as the \"sid\" parameter in the ID Token and in OIDC Front-/Back- channel
+ logout. It's value can generally be used to associate consecutive login
+ requests by a certain user.
+ type: string
+ skip:
+ description: "Skip, if true, implies that the client has requested the same\
+ \ scopes from the same user previously. If true, you can skip asking the\
+ \ user to grant the requested scopes, and simply forward the user to the\
+ \ redirect URL. This feature allows you to update / set session information."
+ type: boolean
+ subject:
+ description: "Subject is the user ID of the end-user that authenticated.\
+ \ Now, that end user needs to grant or deny the scope requested by the\
+ \ OAuth 2.0 client. If this value is set and `skip` is true, you MUST\
+ \ include this subject type when accepting the login request, or the request\
+ \ will fail."
+ type: string
+ type: object
+ NullBool:
+ nullable: true
+ type: boolean
+ NullInt:
+ nullable: true
+ type: integer
+ NullString:
+ nullable: true
+ type: string
+ NullTime:
+ format: date-time
+ nullable: true
+ type: string
+ NullUUID:
+ format: uuid4
+ nullable: true
+ type: string
+ OAuth2Client:
+ description: OAuth2Client struct for OAuth2Client
+ example:
+ metadata:
+ key: ""
+ token_endpoint_auth_signing_alg: token_endpoint_auth_signing_alg
+ client_uri: client_uri
+ jwks:
+ key: ""
+ logo_uri: logo_uri
+ created_at: 2000-01-23T04:56:07.000+00:00
+ registration_client_uri: registration_client_uri
+ allowed_cors_origins:
+ - allowed_cors_origins
+ - allowed_cors_origins
+ registration_access_token: registration_access_token
+ client_id: client_id
+ token_endpoint_auth_method: token_endpoint_auth_method
+ userinfo_signed_response_alg: userinfo_signed_response_alg
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ scope: scope
+ request_uris:
+ - request_uris
+ - request_uris
+ client_secret: client_secret
+ backchannel_logout_session_required: true
+ backchannel_logout_uri: backchannel_logout_uri
+ client_name: client_name
+ policy_uri: policy_uri
+ owner: owner
+ audience:
+ - audience
+ - audience
+ post_logout_redirect_uris:
+ - post_logout_redirect_uris
+ - post_logout_redirect_uris
+ grant_types:
+ - grant_types
+ - grant_types
+ subject_type: subject_type
+ redirect_uris:
+ - redirect_uris
+ - redirect_uris
+ sector_identifier_uri: sector_identifier_uri
+ frontchannel_logout_session_required: true
+ frontchannel_logout_uri: frontchannel_logout_uri
+ client_secret_expires_at: 0
+ jwks_uri: jwks_uri
+ request_object_signing_alg: request_object_signing_alg
+ tos_uri: tos_uri
+ contacts:
+ - contacts
+ - contacts
+ response_types:
+ - response_types
+ - response_types
+ properties:
+ allowed_cors_origins:
+ items:
+ type: string
+ type: array
+ audience:
+ items:
+ type: string
+ type: array
+ backchannel_logout_session_required:
+ description: "Boolean value specifying whether the RP requires that a sid\
+ \ (session ID) Claim be included in the Logout Token to identify the RP\
+ \ session with the OP when the backchannel_logout_uri is used. If omitted,\
+ \ the default value is false."
+ type: boolean
+ backchannel_logout_uri:
+ description: RP URL that will cause the RP to log itself out when sent a
+ Logout Token by the OP.
+ type: string
+ client_id:
+ description: ID is the id for this client.
+ type: string
+ client_name:
+ description: Name is the human-readable string name of the client to be
+ presented to the end-user during authorization.
+ type: string
+ client_secret:
+ description: "Secret is the client's secret. The secret will be included\
+ \ in the create request as cleartext, and then never again. The secret\
+ \ is stored using BCrypt so it is impossible to recover it. Tell your\
+ \ users that they need to write the secret down as it will not be made\
+ \ available again."
+ type: string
+ client_secret_expires_at:
+ description: SecretExpiresAt is an integer holding the time at which the
+ client secret will expire or 0 if it will not expire. The time is represented
+ as the number of seconds from 1970-01-01T00:00:00Z as measured in UTC
+ until the date/time of expiration. This feature is currently not supported
+ and it's value will always be set to 0.
+ format: int64
+ type: integer
+ client_uri:
+ description: "ClientURI is an URL string of a web page providing information\
+ \ about the client. If present, the server SHOULD display this URL to\
+ \ the end-user in a clickable fashion."
+ type: string
+ contacts:
+ items:
+ type: string
+ type: array
+ created_at:
+ description: CreatedAt returns the timestamp of the client's creation.
+ format: date-time
+ type: string
+ frontchannel_logout_session_required:
+ description: "Boolean value specifying whether the RP requires that iss\
+ \ (issuer) and sid (session ID) query parameters be included to identify\
+ \ the RP session with the OP when the frontchannel_logout_uri is used.\
+ \ If omitted, the default value is false."
+ type: boolean
+ frontchannel_logout_uri:
+ description: "RP URL that will cause the RP to log itself out when rendered\
+ \ in an iframe by the OP. An iss (issuer) query parameter and a sid (session\
+ \ ID) query parameter MAY be included by the OP to enable the RP to validate\
+ \ the request and to determine which of the potentially multiple sessions\
+ \ is to be logged out; if either is included, both MUST be."
+ type: string
+ grant_types:
+ items:
+ type: string
+ type: array
+ jwks:
+ additionalProperties: {}
+ type: object
+ jwks_uri:
+ description: "URL for the Client's JSON Web Key Set [JWK] document. If the\
+ \ Client signs requests to the Server, it contains the signing key(s)\
+ \ the Server uses to validate signatures from the Client. The JWK Set\
+ \ MAY also contain the Client's encryption keys(s), which are used by\
+ \ the Server to encrypt responses to the Client. When both signing and\
+ \ encryption keys are made available, a use (Key Use) parameter value\
+ \ is REQUIRED for all keys in the referenced JWK Set to indicate each\
+ \ key's intended usage. Although some algorithms allow the same key to\
+ \ be used for both signatures and encryption, doing so is NOT RECOMMENDED,\
+ \ as it is less secure. The JWK x5c parameter MAY be used to provide X.509\
+ \ representations of keys provided. When used, the bare key values MUST\
+ \ still be present and MUST match those in the certificate."
+ type: string
+ logo_uri:
+ description: LogoURI is an URL string that references a logo for the client.
+ type: string
+ metadata:
+ additionalProperties: {}
+ type: object
+ owner:
+ description: Owner is a string identifying the owner of the OAuth 2.0 Client.
+ type: string
+ policy_uri:
+ description: "PolicyURI is a URL string that points to a human-readable\
+ \ privacy policy document that describes how the deployment organization\
+ \ collects, uses, retains, and discloses personal data."
+ type: string
+ post_logout_redirect_uris:
+ items:
+ type: string
+ type: array
+ redirect_uris:
+ items:
+ type: string
+ type: array
+ registration_access_token:
+ description: "RegistrationAccessToken can be used to update, get, or delete\
+ \ the OAuth2 Client."
+ type: string
+ registration_client_uri:
+ description: "RegistrationClientURI is the URL used to update, get, or delete\
+ \ the OAuth2 Client."
+ type: string
+ request_object_signing_alg:
+ description: "JWS [JWS] alg algorithm [JWA] that MUST be used for signing\
+ \ Request Objects sent to the OP. All Request Objects from this Client\
+ \ MUST be rejected, if not signed with this algorithm."
+ type: string
+ request_uris:
+ items:
+ type: string
+ type: array
+ response_types:
+ items:
+ type: string
+ type: array
+ scope:
+ description: "Scope is a string containing a space-separated list of scope\
+ \ values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) that the\
+ \ client can use when requesting access tokens."
+ type: string
+ sector_identifier_uri:
+ description: URL using the https scheme to be used in calculating Pseudonymous
+ Identifiers by the OP. The URL references a file with a single JSON array
+ of redirect_uri values.
+ type: string
+ subject_type:
+ description: SubjectType requested for responses to this Client. The subject_types_supported
+ Discovery parameter contains a list of the supported subject_type values
+ for this server. Valid types include `pairwise` and `public`.
+ type: string
+ token_endpoint_auth_method:
+ description: "Requested Client Authentication method for the Token Endpoint.\
+ \ The options are client_secret_post, client_secret_basic, private_key_jwt,\
+ \ and none."
+ type: string
+ token_endpoint_auth_signing_alg:
+ description: Requested Client Authentication signing algorithm for the Token
+ Endpoint.
+ type: string
+ tos_uri:
+ description: TermsOfServiceURI is a URL string that points to a human-readable
+ terms of service document for the client that describes a contractual
+ relationship between the end-user and the client that the end-user accepts
+ when authorizing the client.
+ type: string
+ updated_at:
+ description: UpdatedAt returns the timestamp of the last update.
+ format: date-time
+ type: string
+ userinfo_signed_response_alg:
+ description: "JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses.\
+ \ If this is specified, the response will be JWT [JWT] serialized, and\
+ \ signed using JWS. The default, if omitted, is for the UserInfo Response\
+ \ to return the Claims as a UTF-8 encoded JSON object using the application/json\
+ \ content-type."
+ type: string
+ type: object
+ OpenIDConnectContext:
+ description: OpenIDConnectContext struct for OpenIDConnectContext
+ example:
+ login_hint: login_hint
+ ui_locales:
+ - ui_locales
+ - ui_locales
+ id_token_hint_claims:
+ key: ""
+ acr_values:
+ - acr_values
+ - acr_values
+ display: display
+ properties:
+ acr_values:
+ description: "ACRValues is the Authentication AuthorizationContext Class\
+ \ Reference requested in the OAuth 2.0 Authorization request. It is a\
+ \ parameter defined by OpenID Connect and expresses which level of authentication\
+ \ (e.g. 2FA) is required. OpenID Connect defines it as follows: > Requested\
+ \ Authentication AuthorizationContext Class Reference values. Space-separated\
+ \ string that specifies the acr values that the Authorization Server is\
+ \ being requested to use for processing this Authentication Request, with\
+ \ the values appearing in order of preference. The Authentication AuthorizationContext\
+ \ Class satisfied by the authentication performed is returned as the acr\
+ \ Claim Value, as specified in Section 2. The acr Claim is requested as\
+ \ a Voluntary Claim by this parameter."
+ items:
+ type: string
+ type: array
+ display:
+ description: "Display is a string value that specifies how the Authorization\
+ \ Server displays the authentication and consent user interface pages\
+ \ to the End-User. The defined values are: page: The Authorization Server\
+ \ SHOULD display the authentication and consent UI consistent with a full\
+ \ User Agent page view. If the display parameter is not specified, this\
+ \ is the default display mode. popup: The Authorization Server SHOULD\
+ \ display the authentication and consent UI consistent with a popup User\
+ \ Agent window. The popup User Agent window should be of an appropriate\
+ \ size for a login-focused dialog and should not obscure the entire window\
+ \ that it is popping up over. touch: The Authorization Server SHOULD display\
+ \ the authentication and consent UI consistent with a device that leverages\
+ \ a touch interface. wap: The Authorization Server SHOULD display the\
+ \ authentication and consent UI consistent with a \\\"feature phone\\\"\
+ \ type display. The Authorization Server MAY also attempt to detect the\
+ \ capabilities of the User Agent and present an appropriate display."
+ type: string
+ id_token_hint_claims:
+ additionalProperties: true
+ description: IDTokenHintClaims are the claims of the ID Token previously
+ issued by the Authorization Server being passed as a hint about the End-User's
+ current or past authenticated session with the Client.
+ type: object
+ login_hint:
+ description: LoginHint hints about the login identifier the End-User might
+ use to log in (if necessary). This hint can be used by an RP if it first
+ asks the End-User for their e-mail address (or other identifier) and then
+ wants to pass that value as a hint to the discovered authorization service.
+ This value MAY also be a phone number in the format specified for the
+ phone_number Claim. The use of this parameter is optional.
+ type: string
+ ui_locales:
+ description: "UILocales is the End-User'id preferred languages and scripts\
+ \ for the user interface, represented as a space-separated list of BCP47\
+ \ [RFC5646] language tag values, ordered by preference. For instance,\
+ \ the value \\\"fr-CA fr en\\\" represents a preference for French as\
+ \ spoken in Canada, then French (without a region designation), followed\
+ \ by English (without a region designation). An error SHOULD NOT result\
+ \ if some or all of the requested locales are not supported by the OpenID\
+ \ Provider."
+ items:
+ type: string
+ type: array
+ type: object
+ RecoveryAddressType:
+ title: RecoveryAddressType must not exceed 16 characters as that is the limitation
+ in the SQL Schema.
+ type: string
+ TemplateType:
+ type: string
+ Time:
+ format: date-time
+ type: string
+ UUID:
+ format: uuid4
+ type: string
+ adminCreateIdentityBody:
+ properties:
+ credentials:
+ $ref: '#/components/schemas/adminIdentityImportCredentials'
+ metadata_admin:
+ description: Store metadata about the user which is only accessible through
+ admin APIs such as `GET /admin/identities/`.
+ metadata_public:
+ description: |-
+ Store metadata about the identity which the identity itself can see when calling for example the
+ session endpoint. Do not store sensitive information (e.g. credit score) about the identity in this field.
+ recovery_addresses:
+ description: |-
+ RecoveryAddresses contains all the addresses that can be used to recover an identity.
+
+ Use this structure to import recovery addresses for an identity. Please keep in mind
+ that the address needs to be represented in the Identity Schema or this field will be overwritten
+ on the next identity update.
+ items:
+ $ref: '#/components/schemas/recoveryIdentityAddress'
+ type: array
+ schema_id:
+ description: SchemaID is the ID of the JSON Schema to be used for validating
+ the identity's traits.
+ type: string
+ state:
+ $ref: '#/components/schemas/identityState'
+ traits:
+ description: |-
+ Traits represent an identity's traits. The identity is able to create, modify, and delete traits
+ in a self-service manner. The input will always be validated against the JSON Schema defined
+ in `schema_url`.
+ type: object
+ verifiable_addresses:
+ description: |-
+ VerifiableAddresses contains all the addresses that can be verified by the user.
+
+ Use this structure to import verified addresses for an identity. Please keep in mind
+ that the address needs to be represented in the Identity Schema or this field will be overwritten
+ on the next identity update.
+ items:
+ $ref: '#/components/schemas/verifiableIdentityAddress'
+ type: array
+ required:
+ - schema_id
+ - traits
+ type: object
+ adminCreateIdentityImportCredentialsOidc:
+ example:
+ config:
+ config:
+ hashed_password: hashed_password
+ password: password
+ providers:
+ - provider: provider
+ subject: subject
+ - provider: provider
+ subject: subject
+ properties:
+ config:
+ $ref: '#/components/schemas/adminCreateIdentityImportCredentialsOidcConfig'
+ type: object
+ adminCreateIdentityImportCredentialsOidcConfig:
+ example:
+ config:
+ hashed_password: hashed_password
+ password: password
+ providers:
+ - provider: provider
+ subject: subject
+ - provider: provider
+ subject: subject
+ properties:
+ config:
+ $ref: '#/components/schemas/adminCreateIdentityImportCredentialsPasswordConfig'
+ providers:
+ description: A list of OpenID Connect Providers
+ items:
+ $ref: '#/components/schemas/adminCreateIdentityImportCredentialsOidcProvider'
+ type: array
+ type: object
+ adminCreateIdentityImportCredentialsOidcProvider:
+ example:
+ provider: provider
+ subject: subject
+ properties:
+ provider:
+ description: The OpenID Connect provider to link the subject to. Usually
+ something like `google` or `github`.
+ type: string
+ subject:
+ description: The subject (`sub`) of the OpenID Connect connection. Usually
+ the `sub` field of the ID Token.
+ type: string
+ required:
+ - provider
+ - subject
+ type: object
+ adminCreateIdentityImportCredentialsPassword:
+ example:
+ config:
+ hashed_password: hashed_password
+ password: password
+ properties:
+ config:
+ $ref: '#/components/schemas/adminCreateIdentityImportCredentialsPasswordConfig'
+ type: object
+ adminCreateIdentityImportCredentialsPasswordConfig:
+ example:
+ hashed_password: hashed_password
+ password: password
+ properties:
+ hashed_password:
+ description: "The hashed password in [PHC format]( https://www.ory.sh/docs/kratos/concepts/credentials/username-email-password#hashed-password-format)"
+ type: string
+ password:
+ description: The password in plain text if no hash is available.
+ type: string
+ type: object
+ adminCreateSelfServiceRecoveryCodeBody:
+ properties:
+ expires_in:
+ description: |-
+ Code Expires In
+
+ The recovery code will expire after that amount of time has passed. Defaults to the configuration value of
+ `selfservice.methods.code.config.lifespan`.
+ pattern: "^([0-9]+(ns|us|ms|s|m|h))*$"
+ type: string
+ identity_id:
+ description: |-
+ Identity to Recover
+
+ The identity's ID you wish to recover.
+ format: uuid
+ type: string
+ required:
+ - identity_id
+ type: object
+ adminCreateSelfServiceRecoveryLinkBody:
+ properties:
+ expires_in:
+ description: |-
+ Link Expires In
+
+ The recovery link will expire after that amount of time has passed. Defaults to the configuration value of
+ `selfservice.methods.code.config.lifespan`.
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ identity_id:
+ description: |-
+ Identity to Recover
+
+ The identity's ID you wish to recover.
+ format: uuid
+ type: string
+ required:
+ - identity_id
+ type: object
+ adminIdentityImportCredentials:
+ example:
+ password:
+ config:
+ hashed_password: hashed_password
+ password: password
+ oidc:
+ config:
+ config:
+ hashed_password: hashed_password
+ password: password
+ providers:
+ - provider: provider
+ subject: subject
+ - provider: provider
+ subject: subject
+ properties:
+ oidc:
+ $ref: '#/components/schemas/adminCreateIdentityImportCredentialsOidc'
+ password:
+ $ref: '#/components/schemas/adminCreateIdentityImportCredentialsPassword'
+ type: object
+ authenticatorAssuranceLevel:
+ description: |-
+ The authenticator assurance level can be one of "aal1", "aal2", or "aal3". A higher number means that it is harder
+ for an attacker to compromise the account.
+
+ Generally, "aal1" implies that one authentication factor was used while AAL2 implies that two factors (e.g.
+ password + TOTP) have been used.
+
+ To learn more about these levels please head over to: https://www.ory.sh/kratos/docs/concepts/credentials
+ enum:
+ - aal0
+ - aal1
+ - aal2
+ - aal3
+ title: Authenticator Assurance Level (AAL)
+ type: string
+ courierMessageList:
+ items:
+ $ref: '#/components/schemas/message'
+ title: A list of messages.
+ type: array
+ courierMessageStatus:
+ description: A Message's Status
+ enum:
+ - queued
+ - sent
+ - processing
+ - abandoned
+ type: string
+ courierMessageType:
+ description: It can either be `email` or `phone`
+ enum:
+ - email
+ - phone
+ title: A Message's Type
+ type: string
+ errorAuthenticatorAssuranceLevelNotSatisfied:
+ properties:
+ code:
+ description: The status code
+ example: 404
+ format: int64
+ type: integer
+ debug:
+ description: |-
+ Debug information
+
+ This field is often not exposed to protect against leaking
+ sensitive information.
+ example: SQL field "foo" is not a bool.
+ type: string
+ details:
+ additionalProperties: {}
+ description: Further error details
+ type: object
+ id:
+ description: |-
+ The error ID
+
+ Useful when trying to identify various errors in application logic.
+ type: string
+ message:
+ description: |-
+ Error message
+
+ The error's message.
+ example: The resource could not be found
+ type: string
+ reason:
+ description: A human-readable reason for the error
+ example: User with ID 1234 does not exist.
+ type: string
+ redirect_browser_to:
+ type: string
+ request:
+ description: |-
+ The request ID
+
+ The request ID is often exposed internally in order to trace
+ errors across service architectures. This is often a UUID.
+ example: d7ef54b1-ec15-46e6-bccb-524b82c035e6
+ type: string
+ status:
+ description: The status description
+ example: Not Found
+ type: string
+ required:
+ - message
+ title: ErrAALNotSatisfied is returned when an active session was found but the
+ requested AAL is not satisfied.
+ type: object
+ genericError:
+ properties:
+ code:
+ description: The status code
+ example: 404
+ format: int64
+ type: integer
+ debug:
+ description: |-
+ Debug information
+
+ This field is often not exposed to protect against leaking
+ sensitive information.
+ example: SQL field "foo" is not a bool.
+ type: string
+ details:
+ additionalProperties: false
+ description: Further error details
+ type: object
+ id:
+ description: |-
+ The error ID
+
+ Useful when trying to identify various errors in application logic.
+ type: string
+ message:
+ description: |-
+ Error message
+
+ The error's message.
+ example: The resource could not be found
+ type: string
+ reason:
+ description: A human-readable reason for the error
+ example: User with ID 1234 does not exist.
+ type: string
+ request:
+ description: |-
+ The request ID
+
+ The request ID is often exposed internally in order to trace
+ errors across service architectures. This is often a UUID.
+ example: d7ef54b1-ec15-46e6-bccb-524b82c035e6
+ type: string
+ status:
+ description: The status description
+ example: Not Found
+ type: string
+ required:
+ - message
+ type: object
+ healthNotReadyStatus:
+ properties:
+ errors:
+ additionalProperties:
+ type: string
+ description: Errors contains a list of errors that caused the not ready
+ status.
+ type: object
+ type: object
+ healthStatus:
+ properties:
+ status:
+ description: Status always contains "ok".
+ type: string
+ type: object
+ identity:
+ description: |-
+ An identity can be a real human, a service, an IoT device - everything that
+ can be described as an "actor" in a system.
+ example:
+ traits: ""
+ credentials:
+ key:
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ identifiers:
+ - identifiers
+ - identifiers
+ created_at: 2000-01-23T04:56:07.000+00:00
+ type: null
+ config: "{}"
+ version: 0
+ state_changed_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ recovery_addresses:
+ - updated_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ via: via
+ - updated_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ via: via
+ metadata_admin: ""
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ verifiable_addresses:
+ - updated_at: 2014-01-01T23:28:56.782Z
+ verified_at: 2000-01-23T04:56:07.000+00:00
+ verified: true
+ created_at: 2014-01-01T23:28:56.782Z
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ status: status
+ via: via
+ - updated_at: 2014-01-01T23:28:56.782Z
+ verified_at: 2000-01-23T04:56:07.000+00:00
+ verified: true
+ created_at: 2014-01-01T23:28:56.782Z
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ status: status
+ via: via
+ schema_id: schema_id
+ schema_url: schema_url
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ state: null
+ metadata_public: ""
+ properties:
+ created_at:
+ description: CreatedAt is a helper struct field for gobuffalo.pop.
+ format: date-time
+ type: string
+ credentials:
+ additionalProperties:
+ $ref: '#/components/schemas/identityCredentials'
+ description: Credentials represents all credentials that can be used for
+ authenticating this identity.
+ type: object
+ id:
+ description: |-
+ ID is the identity's unique identifier.
+
+ The Identity ID can not be changed and can not be chosen. This ensures future
+ compatibility and optimization for distributed stores such as CockroachDB.
+ format: uuid
+ type: string
+ metadata_admin:
+ description: "NullJSONRawMessage represents a json.RawMessage that works\
+ \ well with JSON, SQL, and Swagger and is NULLable-"
+ nullable: true
+ metadata_public:
+ description: "NullJSONRawMessage represents a json.RawMessage that works\
+ \ well with JSON, SQL, and Swagger and is NULLable-"
+ nullable: true
+ recovery_addresses:
+ description: RecoveryAddresses contains all the addresses that can be used
+ to recover an identity.
+ items:
+ $ref: '#/components/schemas/recoveryIdentityAddress'
+ type: array
+ x-omitempty: true
+ schema_id:
+ description: SchemaID is the ID of the JSON Schema to be used for validating
+ the identity's traits.
+ type: string
+ schema_url:
+ description: |-
+ SchemaURL is the URL of the endpoint where the identity's traits schema can be fetched from.
+
+ format: url
+ type: string
+ state:
+ $ref: '#/components/schemas/identityState'
+ state_changed_at:
+ format: date-time
+ title: NullTime implements sql.NullTime functionality.
+ type: string
+ traits:
+ description: |-
+ Traits represent an identity's traits. The identity is able to create, modify, and delete traits
+ in a self-service manner. The input will always be validated against the JSON Schema defined
+ in `schema_url`.
+ updated_at:
+ description: UpdatedAt is a helper struct field for gobuffalo.pop.
+ format: date-time
+ type: string
+ verifiable_addresses:
+ description: VerifiableAddresses contains all the addresses that can be
+ verified by the user.
+ items:
+ $ref: '#/components/schemas/verifiableIdentityAddress'
+ type: array
+ x-omitempty: true
+ required:
+ - id
+ - schema_id
+ - schema_url
+ - traits
+ title: Identity represents an Ory Kratos identity
+ type: object
+ identityCredentials:
+ description: Credentials represents a specific credential type
+ example:
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ identifiers:
+ - identifiers
+ - identifiers
+ created_at: 2000-01-23T04:56:07.000+00:00
+ type: null
+ config: "{}"
+ version: 0
+ properties:
+ config:
+ title: "JSONRawMessage represents a json.RawMessage that works well with\
+ \ JSON, SQL, and Swagger."
+ type: object
+ created_at:
+ description: CreatedAt is a helper struct field for gobuffalo.pop.
+ format: date-time
+ type: string
+ identifiers:
+ description: Identifiers represents a list of unique identifiers this credential
+ type matches.
+ items:
+ type: string
+ type: array
+ type:
+ $ref: '#/components/schemas/identityCredentialsType'
+ updated_at:
+ description: UpdatedAt is a helper struct field for gobuffalo.pop.
+ format: date-time
+ type: string
+ version:
+ description: Version refers to the version of the credential. Useful when
+ changing the config schema.
+ format: int64
+ type: integer
+ type: object
+ identityCredentialsOidc:
+ properties:
+ providers:
+ items:
+ $ref: '#/components/schemas/identityCredentialsOidcProvider'
+ type: array
+ title: CredentialsOIDC is contains the configuration for credentials of the
+ type oidc.
+ type: object
+ identityCredentialsOidcProvider:
+ properties:
+ initial_access_token:
+ type: string
+ initial_id_token:
+ type: string
+ initial_refresh_token:
+ type: string
+ provider:
+ type: string
+ subject:
+ type: string
+ title: CredentialsOIDCProvider is contains a specific OpenID COnnect credential
+ for a particular connection (e.g. Google).
+ type: object
+ identityCredentialsPassword:
+ properties:
+ hashed_password:
+ description: HashedPassword is a hash-representation of the password.
+ type: string
+ title: CredentialsPassword is contains the configuration for credentials of
+ the type password.
+ type: object
+ identityCredentialsType:
+ description: and so on.
+ enum:
+ - password
+ - totp
+ - oidc
+ - webauthn
+ - lookup_secret
+ title: "CredentialsType represents several different credential types, like\
+ \ password credentials, passwordless credentials,"
+ type: string
+ identityList:
+ items:
+ $ref: '#/components/schemas/identity'
+ title: A list of identities.
+ type: array
+ identitySchema:
+ description: Raw JSON Schema
+ type: object
+ identitySchemaContainer:
+ example:
+ schema: "{}"
+ id: id
+ properties:
+ id:
+ description: The ID of the Identity JSON Schema
+ type: string
+ schema:
+ description: Raw JSON Schema
+ type: object
+ type: object
+ identitySchemas:
+ description: Raw identity Schema list
+ items:
+ $ref: '#/components/schemas/identitySchemaContainer'
+ type: array
+ identityState:
+ description: The state can either be `active` or `inactive`.
+ enum:
+ - active
+ - inactive
+ title: An Identity's State
+ type: string
+ identityTraits:
+ description: |-
+ Traits represent an identity's traits. The identity is able to create, modify, and delete traits
+ in a self-service manner. The input will always be validated against the JSON Schema defined
+ in `schema_url`.
+ identityVerifiableAddressStatus:
+ description: VerifiableAddressStatus must not exceed 16 characters as that is
+ the limitation in the SQL Schema
+ type: string
+ identityVerifiableAddressType:
+ description: VerifiableAddressType must not exceed 16 characters as that is
+ the limitation in the SQL Schema
+ type: string
+ jsonError:
+ description: The standard Ory JSON API error format.
+ properties:
+ error:
+ $ref: '#/components/schemas/genericError'
+ required:
+ - error
+ title: JSON API Error Response
+ type: object
+ jsonPatch:
+ description: A JSONPatch document as defined by RFC 6902
+ properties:
+ from:
+ description: |-
+ This field is used together with operation "move" and uses JSON Pointer notation.
+
+ Learn more [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5).
+ example: /name
+ type: string
+ op:
+ description: "The operation to be performed. One of \"add\", \"remove\"\
+ , \"replace\", \"move\", \"copy\", or \"test\"."
+ example: replace
+ type: string
+ path:
+ description: |-
+ The path to the target path. Uses JSON pointer notation.
+
+ Learn more [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5).
+ example: /name
+ type: string
+ value:
+ description: |-
+ The value to be used within the operations.
+
+ Learn more [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5).
+ example: foobar
+ required:
+ - op
+ - path
+ type: object
+ jsonPatchDocument:
+ description: A JSONPatchDocument request
+ items:
+ $ref: '#/components/schemas/jsonPatch'
+ type: array
+ message:
+ example:
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ subject: subject
+ recipient: recipient
+ created_at: 2000-01-23T04:56:07.000+00:00
+ send_count: 0
+ template_type: template_type
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ body: body
+ type: null
+ status: null
+ properties:
+ body:
+ type: string
+ created_at:
+ description: CreatedAt is a helper struct field for gobuffalo.pop.
+ format: date-time
+ type: string
+ id:
+ format: uuid
+ type: string
+ recipient:
+ type: string
+ send_count:
+ format: int64
+ type: integer
+ status:
+ $ref: '#/components/schemas/courierMessageStatus'
+ subject:
+ type: string
+ template_type:
+ type: string
+ type:
+ $ref: '#/components/schemas/courierMessageType'
+ updated_at:
+ description: UpdatedAt is a helper struct field for gobuffalo.pop.
+ format: date-time
+ type: string
+ type: object
+ needsPrivilegedSessionError:
+ properties:
+ code:
+ description: The status code
+ example: 404
+ format: int64
+ type: integer
+ debug:
+ description: |-
+ Debug information
+
+ This field is often not exposed to protect against leaking
+ sensitive information.
+ example: SQL field "foo" is not a bool.
+ type: string
+ details:
+ additionalProperties: {}
+ description: Further error details
+ type: object
+ id:
+ description: |-
+ The error ID
+
+ Useful when trying to identify various errors in application logic.
+ type: string
+ message:
+ description: |-
+ Error message
+
+ The error's message.
+ example: The resource could not be found
+ type: string
+ reason:
+ description: A human-readable reason for the error
+ example: User with ID 1234 does not exist.
+ type: string
+ redirect_browser_to:
+ description: Points to where to redirect the user to next.
+ type: string
+ request:
+ description: |-
+ The request ID
+
+ The request ID is often exposed internally in order to trace
+ errors across service architectures. This is often a UUID.
+ example: d7ef54b1-ec15-46e6-bccb-524b82c035e6
+ type: string
+ status:
+ description: The status description
+ example: Not Found
+ type: string
+ required:
+ - message
+ - redirect_browser_to
+ title: Is sent when a privileged session is required to perform the settings
+ update.
+ type: object
+ nullDuration:
+ nullable: true
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ nullInt64:
+ nullable: true
+ type: integer
+ nullJsonRawMessage:
+ description: "NullJSONRawMessage represents a json.RawMessage that works well\
+ \ with JSON, SQL, and Swagger and is NULLable-"
+ nullable: true
+ nullTime:
+ format: date-time
+ title: NullTime implements sql.NullTime functionality.
+ type: string
+ pagination:
+ properties:
+ page:
+ default: 1
+ description: |-
+ Pagination Page
+
+ This value is currently an integer, but it is not sequential. The value is not the page number, but a
+ reference. The next page can be any number and some numbers might return an empty list.
+
+ For example, page 2 might not follow after page 1. And even if page 3 and 5 exist, but page 4 might not exist.
+ format: int64
+ minimum: 1
+ type: integer
+ per_page:
+ default: 250
+ description: |-
+ Items per Page
+
+ This is the number of items per page.
+ format: int64
+ maximum: 1000
+ minimum: 1
+ type: integer
+ type: object
+ recoveryIdentityAddress:
+ example:
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ via: via
+ properties:
+ created_at:
+ description: CreatedAt is a helper struct field for gobuffalo.pop.
+ format: date-time
+ type: string
+ id:
+ format: uuid
+ type: string
+ updated_at:
+ description: UpdatedAt is a helper struct field for gobuffalo.pop.
+ format: date-time
+ type: string
+ value:
+ type: string
+ via:
+ title: RecoveryAddressType must not exceed 16 characters as that is the
+ limitation in the SQL Schema.
+ type: string
+ required:
+ - id
+ - value
+ - via
+ type: object
+ revokedSessions:
+ example:
+ count: 0
+ properties:
+ count:
+ description: The number of sessions that were revoked.
+ format: int64
+ type: integer
+ type: object
+ selfServiceBrowserLocationChangeRequiredError:
+ properties:
+ code:
+ description: The status code
+ example: 404
+ format: int64
+ type: integer
+ debug:
+ description: |-
+ Debug information
+
+ This field is often not exposed to protect against leaking
+ sensitive information.
+ example: SQL field "foo" is not a bool.
+ type: string
+ details:
+ additionalProperties: {}
+ description: Further error details
+ type: object
+ id:
+ description: |-
+ The error ID
+
+ Useful when trying to identify various errors in application logic.
+ type: string
+ message:
+ description: |-
+ Error message
+
+ The error's message.
+ example: The resource could not be found
+ type: string
+ reason:
+ description: A human-readable reason for the error
+ example: User with ID 1234 does not exist.
+ type: string
+ redirect_browser_to:
+ description: Since when the flow has expired
+ type: string
+ request:
+ description: |-
+ The request ID
+
+ The request ID is often exposed internally in order to trace
+ errors across service architectures. This is often a UUID.
+ example: d7ef54b1-ec15-46e6-bccb-524b82c035e6
+ type: string
+ status:
+ description: The status description
+ example: Not Found
+ type: string
+ required:
+ - message
+ title: Is sent when a flow requires a browser to change its location.
+ type: object
+ selfServiceError:
+ example:
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ error: "{}"
+ properties:
+ created_at:
+ description: CreatedAt is a helper struct field for gobuffalo.pop.
+ format: date-time
+ type: string
+ error:
+ type: object
+ id:
+ description: ID of the error container.
+ format: uuid
+ type: string
+ updated_at:
+ description: UpdatedAt is a helper struct field for gobuffalo.pop.
+ format: date-time
+ type: string
+ required:
+ - id
+ type: object
+ selfServiceFlowExpiredError:
+ description: Is sent when a flow is expired
+ properties:
+ code:
+ description: The status code
+ example: 404
+ format: int64
+ type: integer
+ debug:
+ description: |-
+ Debug information
+
+ This field is often not exposed to protect against leaking
+ sensitive information.
+ example: SQL field "foo" is not a bool.
+ type: string
+ details:
+ additionalProperties: {}
+ description: Further error details
+ type: object
+ expired_at:
+ description: When the flow has expired
+ format: date-time
+ type: string
+ id:
+ description: |-
+ The error ID
+
+ Useful when trying to identify various errors in application logic.
+ type: string
+ message:
+ description: |-
+ Error message
+
+ The error's message.
+ example: The resource could not be found
+ type: string
+ reason:
+ description: A human-readable reason for the error
+ example: User with ID 1234 does not exist.
+ type: string
+ request:
+ description: |-
+ The request ID
+
+ The request ID is often exposed internally in order to trace
+ errors across service architectures. This is often a UUID.
+ example: d7ef54b1-ec15-46e6-bccb-524b82c035e6
+ type: string
+ since:
+ description: |-
+ A Duration represents the elapsed time between two instants
+ as an int64 nanosecond count. The representation limits the
+ largest representable duration to approximately 290 years.
+ format: int64
+ type: integer
+ status:
+ description: The status description
+ example: Not Found
+ type: string
+ use_flow_id:
+ description: The flow ID that should be used for the new flow as it contains
+ the correct messages.
+ format: uuid
+ type: string
+ required:
+ - message
+ type: object
+ selfServiceFlowType:
+ description: The flow type can either be `api` or `browser`.
+ title: Type is the flow type.
+ type: string
+ selfServiceLoginFlow:
+ description: |-
+ This object represents a login flow. A login flow is initiated at the "Initiate Login API / Browser Flow"
+ endpoint by a client.
+
+ Once a login flow is completed successfully, a session cookie or session token will be issued.
+ example:
+ requested_aal: null
+ active: null
+ created_at: 2000-01-23T04:56:07.000+00:00
+ refresh: true
+ return_to: return_to
+ type: type
+ issued_at: 2000-01-23T04:56:07.000+00:00
+ request_url: request_url
+ expires_at: 2000-01-23T04:56:07.000+00:00
+ oauth2_login_request:
+ requested_access_token_audience:
+ - requested_access_token_audience
+ - requested_access_token_audience
+ subject: subject
+ oidc_context:
+ login_hint: login_hint
+ ui_locales:
+ - ui_locales
+ - ui_locales
+ id_token_hint_claims:
+ key: ""
+ acr_values:
+ - acr_values
+ - acr_values
+ display: display
+ challenge: challenge
+ client:
+ metadata:
+ key: ""
+ token_endpoint_auth_signing_alg: token_endpoint_auth_signing_alg
+ client_uri: client_uri
+ jwks:
+ key: ""
+ logo_uri: logo_uri
+ created_at: 2000-01-23T04:56:07.000+00:00
+ registration_client_uri: registration_client_uri
+ allowed_cors_origins:
+ - allowed_cors_origins
+ - allowed_cors_origins
+ registration_access_token: registration_access_token
+ client_id: client_id
+ token_endpoint_auth_method: token_endpoint_auth_method
+ userinfo_signed_response_alg: userinfo_signed_response_alg
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ scope: scope
+ request_uris:
+ - request_uris
+ - request_uris
+ client_secret: client_secret
+ backchannel_logout_session_required: true
+ backchannel_logout_uri: backchannel_logout_uri
+ client_name: client_name
+ policy_uri: policy_uri
+ owner: owner
+ audience:
+ - audience
+ - audience
+ post_logout_redirect_uris:
+ - post_logout_redirect_uris
+ - post_logout_redirect_uris
+ grant_types:
+ - grant_types
+ - grant_types
+ subject_type: subject_type
+ redirect_uris:
+ - redirect_uris
+ - redirect_uris
+ sector_identifier_uri: sector_identifier_uri
+ frontchannel_logout_session_required: true
+ frontchannel_logout_uri: frontchannel_logout_uri
+ client_secret_expires_at: 0
+ jwks_uri: jwks_uri
+ request_object_signing_alg: request_object_signing_alg
+ tos_uri: tos_uri
+ contacts:
+ - contacts
+ - contacts
+ response_types:
+ - response_types
+ - response_types
+ session_id: session_id
+ skip: true
+ request_url: request_url
+ requested_scope:
+ - requested_scope
+ - requested_scope
+ ui:
+ nodes:
+ - meta:
+ label:
+ context: "{}"
+ id: 6
+ text: text
+ type: type
+ messages:
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ attributes: null
+ type: text
+ group: default
+ - meta:
+ label:
+ context: "{}"
+ id: 6
+ text: text
+ type: type
+ messages:
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ attributes: null
+ type: text
+ group: default
+ method: method
+ action: action
+ messages:
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ oauth2_login_challenge: oauth2_login_challenge
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ properties:
+ active:
+ $ref: '#/components/schemas/identityCredentialsType'
+ created_at:
+ description: CreatedAt is a helper struct field for gobuffalo.pop.
+ format: date-time
+ type: string
+ expires_at:
+ description: |-
+ ExpiresAt is the time (UTC) when the flow expires. If the user still wishes to log in,
+ a new flow has to be initiated.
+ format: date-time
+ type: string
+ id:
+ description: |-
+ ID represents the flow's unique ID. When performing the login flow, this
+ represents the id in the login UI's query parameter: http:///?flow=
+ format: uuid
+ type: string
+ issued_at:
+ description: IssuedAt is the time (UTC) when the flow started.
+ format: date-time
+ type: string
+ oauth2_login_challenge:
+ format: uuid4
+ nullable: true
+ type: string
+ oauth2_login_request:
+ $ref: '#/components/schemas/LoginRequest'
+ refresh:
+ description: Refresh stores whether this login flow should enforce re-authentication.
+ type: boolean
+ request_url:
+ description: |-
+ RequestURL is the initial URL that was requested from Ory Kratos. It can be used
+ to forward information contained in the URL's path or query for example.
+ type: string
+ requested_aal:
+ $ref: '#/components/schemas/authenticatorAssuranceLevel'
+ return_to:
+ description: ReturnTo contains the requested return_to URL.
+ type: string
+ type:
+ description: The flow type can either be `api` or `browser`.
+ title: Type is the flow type.
+ type: string
+ ui:
+ $ref: '#/components/schemas/uiContainer'
+ updated_at:
+ description: UpdatedAt is a helper struct field for gobuffalo.pop.
+ format: date-time
+ type: string
+ required:
+ - expires_at
+ - id
+ - issued_at
+ - request_url
+ - type
+ - ui
+ title: Login Flow
+ type: object
+ selfServiceLogoutUrl:
+ example:
+ logout_url: logout_url
+ logout_token: logout_token
+ properties:
+ logout_token:
+ description: LogoutToken can be used to perform logout using AJAX.
+ type: string
+ logout_url:
+ description: |-
+ LogoutURL can be opened in a browser to sign the user out.
+
+ format: uri
+ type: string
+ required:
+ - logout_token
+ - logout_url
+ type: object
+ selfServiceRecoveryCode:
+ example:
+ expires_at: 2000-01-23T04:56:07.000+00:00
+ recovery_code: recovery_code
+ recovery_link: recovery_link
+ properties:
+ expires_at:
+ description: |-
+ Expires At is the timestamp of when the recovery flow expires
+
+ The timestamp when the recovery link expires.
+ format: date-time
+ type: string
+ recovery_code:
+ description: RecoveryCode is the code that can be used to recover the account
+ type: string
+ recovery_link:
+ description: |-
+ RecoveryLink with flow
+
+ This link opens the recovery UI with an empty `code` field.
+ type: string
+ required:
+ - recovery_code
+ - recovery_link
+ type: object
+ selfServiceRecoveryFlow:
+ description: |-
+ This request is used when an identity wants to recover their account.
+
+ We recommend reading the [Account Recovery Documentation](../self-service/flows/password-reset-account-recovery)
+ example:
+ expires_at: 2000-01-23T04:56:07.000+00:00
+ ui:
+ nodes:
+ - meta:
+ label:
+ context: "{}"
+ id: 6
+ text: text
+ type: type
+ messages:
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ attributes: null
+ type: text
+ group: default
+ - meta:
+ label:
+ context: "{}"
+ id: 6
+ text: text
+ type: type
+ messages:
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ attributes: null
+ type: text
+ group: default
+ method: method
+ action: action
+ messages:
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ active: active
+ return_to: return_to
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ state: null
+ type: type
+ issued_at: 2000-01-23T04:56:07.000+00:00
+ request_url: request_url
+ properties:
+ active:
+ description: |-
+ Active, if set, contains the recovery method that is being used. It is initially
+ not set.
+ type: string
+ expires_at:
+ description: |-
+ ExpiresAt is the time (UTC) when the request expires. If the user still wishes to update the setting,
+ a new request has to be initiated.
+ format: date-time
+ type: string
+ id:
+ description: |-
+ ID represents the request's unique ID. When performing the recovery flow, this
+ represents the id in the recovery ui's query parameter: http://?request=
+ format: uuid
+ type: string
+ issued_at:
+ description: IssuedAt is the time (UTC) when the request occurred.
+ format: date-time
+ type: string
+ request_url:
+ description: |-
+ RequestURL is the initial URL that was requested from Ory Kratos. It can be used
+ to forward information contained in the URL's path or query for example.
+ type: string
+ return_to:
+ description: ReturnTo contains the requested return_to URL.
+ type: string
+ state:
+ $ref: '#/components/schemas/selfServiceRecoveryFlowState'
+ type:
+ description: The flow type can either be `api` or `browser`.
+ title: Type is the flow type.
+ type: string
+ ui:
+ $ref: '#/components/schemas/uiContainer'
+ required:
+ - expires_at
+ - id
+ - issued_at
+ - request_url
+ - state
+ - type
+ - ui
+ title: A Recovery Flow
+ type: object
+ selfServiceRecoveryFlowState:
+ description: |-
+ The state represents the state of the recovery flow.
+
+ choose_method: ask the user to choose a method (e.g. recover account via email)
+ sent_email: the email has been sent to the user
+ passed_challenge: the request was successful and the recovery challenge was passed.
+ enum:
+ - choose_method
+ - sent_email
+ - passed_challenge
+ title: Recovery Flow State
+ type: string
+ selfServiceRecoveryLink:
+ example:
+ expires_at: 2000-01-23T04:56:07.000+00:00
+ recovery_link: recovery_link
+ properties:
+ expires_at:
+ description: |-
+ Recovery Link Expires At
+
+ The timestamp when the recovery link expires.
+ format: date-time
+ type: string
+ recovery_link:
+ description: |-
+ Recovery Link
+
+ This link can be used to recover the account.
+ type: string
+ required:
+ - recovery_link
+ type: object
+ selfServiceRegistrationFlow:
+ example:
+ expires_at: 2000-01-23T04:56:07.000+00:00
+ oauth2_login_request:
+ requested_access_token_audience:
+ - requested_access_token_audience
+ - requested_access_token_audience
+ subject: subject
+ oidc_context:
+ login_hint: login_hint
+ ui_locales:
+ - ui_locales
+ - ui_locales
+ id_token_hint_claims:
+ key: ""
+ acr_values:
+ - acr_values
+ - acr_values
+ display: display
+ challenge: challenge
+ client:
+ metadata:
+ key: ""
+ token_endpoint_auth_signing_alg: token_endpoint_auth_signing_alg
+ client_uri: client_uri
+ jwks:
+ key: ""
+ logo_uri: logo_uri
+ created_at: 2000-01-23T04:56:07.000+00:00
+ registration_client_uri: registration_client_uri
+ allowed_cors_origins:
+ - allowed_cors_origins
+ - allowed_cors_origins
+ registration_access_token: registration_access_token
+ client_id: client_id
+ token_endpoint_auth_method: token_endpoint_auth_method
+ userinfo_signed_response_alg: userinfo_signed_response_alg
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ scope: scope
+ request_uris:
+ - request_uris
+ - request_uris
+ client_secret: client_secret
+ backchannel_logout_session_required: true
+ backchannel_logout_uri: backchannel_logout_uri
+ client_name: client_name
+ policy_uri: policy_uri
+ owner: owner
+ audience:
+ - audience
+ - audience
+ post_logout_redirect_uris:
+ - post_logout_redirect_uris
+ - post_logout_redirect_uris
+ grant_types:
+ - grant_types
+ - grant_types
+ subject_type: subject_type
+ redirect_uris:
+ - redirect_uris
+ - redirect_uris
+ sector_identifier_uri: sector_identifier_uri
+ frontchannel_logout_session_required: true
+ frontchannel_logout_uri: frontchannel_logout_uri
+ client_secret_expires_at: 0
+ jwks_uri: jwks_uri
+ request_object_signing_alg: request_object_signing_alg
+ tos_uri: tos_uri
+ contacts:
+ - contacts
+ - contacts
+ response_types:
+ - response_types
+ - response_types
+ session_id: session_id
+ skip: true
+ request_url: request_url
+ requested_scope:
+ - requested_scope
+ - requested_scope
+ ui:
+ nodes:
+ - meta:
+ label:
+ context: "{}"
+ id: 6
+ text: text
+ type: type
+ messages:
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ attributes: null
+ type: text
+ group: default
+ - meta:
+ label:
+ context: "{}"
+ id: 6
+ text: text
+ type: type
+ messages:
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ attributes: null
+ type: text
+ group: default
+ method: method
+ action: action
+ messages:
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ oauth2_login_challenge: oauth2_login_challenge
+ active: null
+ return_to: return_to
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ type: type
+ issued_at: 2000-01-23T04:56:07.000+00:00
+ request_url: request_url
+ properties:
+ active:
+ $ref: '#/components/schemas/identityCredentialsType'
+ expires_at:
+ description: |-
+ ExpiresAt is the time (UTC) when the flow expires. If the user still wishes to log in,
+ a new flow has to be initiated.
+ format: date-time
+ type: string
+ id:
+ description: |-
+ ID represents the flow's unique ID. When performing the registration flow, this
+ represents the id in the registration ui's query parameter: http:///?flow=
+ format: uuid
+ type: string
+ issued_at:
+ description: IssuedAt is the time (UTC) when the flow occurred.
+ format: date-time
+ type: string
+ oauth2_login_challenge:
+ format: uuid4
+ nullable: true
+ type: string
+ oauth2_login_request:
+ $ref: '#/components/schemas/LoginRequest'
+ request_url:
+ description: |-
+ RequestURL is the initial URL that was requested from Ory Kratos. It can be used
+ to forward information contained in the URL's path or query for example.
+ type: string
+ return_to:
+ description: ReturnTo contains the requested return_to URL.
+ type: string
+ type:
+ description: The flow type can either be `api` or `browser`.
+ title: Type is the flow type.
+ type: string
+ ui:
+ $ref: '#/components/schemas/uiContainer'
+ required:
+ - expires_at
+ - id
+ - issued_at
+ - request_url
+ - type
+ - ui
+ type: object
+ selfServiceSettingsFlow:
+ description: |-
+ This flow is used when an identity wants to update settings
+ (e.g. profile data, passwords, ...) in a selfservice manner.
+
+ We recommend reading the [User Settings Documentation](../self-service/flows/user-settings)
+ example:
+ expires_at: 2000-01-23T04:56:07.000+00:00
+ ui:
+ nodes:
+ - meta:
+ label:
+ context: "{}"
+ id: 6
+ text: text
+ type: type
+ messages:
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ attributes: null
+ type: text
+ group: default
+ - meta:
+ label:
+ context: "{}"
+ id: 6
+ text: text
+ type: type
+ messages:
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ attributes: null
+ type: text
+ group: default
+ method: method
+ action: action
+ messages:
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ identity:
+ traits: ""
+ credentials:
+ key:
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ identifiers:
+ - identifiers
+ - identifiers
+ created_at: 2000-01-23T04:56:07.000+00:00
+ type: null
+ config: "{}"
+ version: 0
+ state_changed_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ recovery_addresses:
+ - updated_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ via: via
+ - updated_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ via: via
+ metadata_admin: ""
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ verifiable_addresses:
+ - updated_at: 2014-01-01T23:28:56.782Z
+ verified_at: 2000-01-23T04:56:07.000+00:00
+ verified: true
+ created_at: 2014-01-01T23:28:56.782Z
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ status: status
+ via: via
+ - updated_at: 2014-01-01T23:28:56.782Z
+ verified_at: 2000-01-23T04:56:07.000+00:00
+ verified: true
+ created_at: 2014-01-01T23:28:56.782Z
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ status: status
+ via: via
+ schema_id: schema_id
+ schema_url: schema_url
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ state: null
+ metadata_public: ""
+ active: active
+ return_to: return_to
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ state: null
+ type: type
+ issued_at: 2000-01-23T04:56:07.000+00:00
+ request_url: request_url
+ properties:
+ active:
+ description: |-
+ Active, if set, contains the registration method that is being used. It is initially
+ not set.
+ type: string
+ expires_at:
+ description: |-
+ ExpiresAt is the time (UTC) when the flow expires. If the user still wishes to update the setting,
+ a new flow has to be initiated.
+ format: date-time
+ type: string
+ id:
+ description: |-
+ ID represents the flow's unique ID. When performing the settings flow, this
+ represents the id in the settings ui's query parameter: http://?flow=
+ format: uuid
+ type: string
+ identity:
+ $ref: '#/components/schemas/identity'
+ issued_at:
+ description: IssuedAt is the time (UTC) when the flow occurred.
+ format: date-time
+ type: string
+ request_url:
+ description: |-
+ RequestURL is the initial URL that was requested from Ory Kratos. It can be used
+ to forward information contained in the URL's path or query for example.
+ type: string
+ return_to:
+ description: ReturnTo contains the requested return_to URL.
+ type: string
+ state:
+ $ref: '#/components/schemas/selfServiceSettingsFlowState'
+ type:
+ description: The flow type can either be `api` or `browser`.
+ title: Type is the flow type.
+ type: string
+ ui:
+ $ref: '#/components/schemas/uiContainer'
+ required:
+ - expires_at
+ - id
+ - identity
+ - issued_at
+ - request_url
+ - state
+ - type
+ - ui
+ title: Flow represents a Settings Flow
+ type: object
+ selfServiceSettingsFlowState:
+ description: |-
+ show_form: No user data has been collected, or it is invalid, and thus the form should be shown.
+ success: Indicates that the settings flow has been updated successfully with the provided data.
+ Done will stay true when repeatedly checking. If set to true, done will revert back to false only
+ when a flow with invalid (e.g. "please use a valid phone number") data was sent.
+ enum:
+ - show_form
+ - success
+ title: 'State represents the state of this flow. It knows two states:'
+ type: string
+ selfServiceVerificationFlow:
+ description: |-
+ Used to verify an out-of-band communication
+ channel such as an email address or a phone number.
+
+ For more information head over to: https://www.ory.sh/docs/kratos/selfservice/flows/verify-email-account-activation
+ example:
+ expires_at: 2000-01-23T04:56:07.000+00:00
+ ui:
+ nodes:
+ - meta:
+ label:
+ context: "{}"
+ id: 6
+ text: text
+ type: type
+ messages:
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ attributes: null
+ type: text
+ group: default
+ - meta:
+ label:
+ context: "{}"
+ id: 6
+ text: text
+ type: type
+ messages:
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ attributes: null
+ type: text
+ group: default
+ method: method
+ action: action
+ messages:
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ - context: "{}"
+ id: 6
+ text: text
+ type: type
+ active: active
+ return_to: return_to
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ state: null
+ type: type
+ issued_at: 2000-01-23T04:56:07.000+00:00
+ request_url: request_url
+ properties:
+ active:
+ description: |-
+ Active, if set, contains the registration method that is being used. It is initially
+ not set.
+ type: string
+ expires_at:
+ description: |-
+ ExpiresAt is the time (UTC) when the request expires. If the user still wishes to verify the address,
+ a new request has to be initiated.
+ format: date-time
+ type: string
+ id:
+ description: |-
+ ID represents the request's unique ID. When performing the verification flow, this
+ represents the id in the verify ui's query parameter: http://?request=
+
+ type: string
+ format: uuid
+ format: uuid
+ type: string
+ issued_at:
+ description: IssuedAt is the time (UTC) when the request occurred.
+ format: date-time
+ type: string
+ request_url:
+ description: |-
+ RequestURL is the initial URL that was requested from Ory Kratos. It can be used
+ to forward information contained in the URL's path or query for example.
+ type: string
+ return_to:
+ description: ReturnTo contains the requested return_to URL.
+ type: string
+ state:
+ $ref: '#/components/schemas/selfServiceVerificationFlowState'
+ type:
+ description: The flow type can either be `api` or `browser`.
+ title: Type is the flow type.
+ type: string
+ ui:
+ $ref: '#/components/schemas/uiContainer'
+ required:
+ - id
+ - state
+ - type
+ - ui
+ title: A Verification Flow
+ type: object
+ selfServiceVerificationFlowState:
+ description: |-
+ The state represents the state of the verification flow.
+
+ choose_method: ask the user to choose a method (e.g. recover account via email)
+ sent_email: the email has been sent to the user
+ passed_challenge: the request was successful and the recovery challenge was passed.
+ enum:
+ - choose_method
+ - sent_email
+ - passed_challenge
+ title: Verification Flow State
+ type: string
+ session:
+ description: A Session
+ example:
+ expires_at: 2000-01-23T04:56:07.000+00:00
+ devices:
+ - location: location
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ ip_address: ip_address
+ user_agent: user_agent
+ - location: location
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ ip_address: ip_address
+ user_agent: user_agent
+ authentication_methods:
+ - completed_at: 2000-01-23T04:56:07.000+00:00
+ method: link_recovery
+ aal: null
+ - completed_at: 2000-01-23T04:56:07.000+00:00
+ method: link_recovery
+ aal: null
+ authenticator_assurance_level: null
+ identity:
+ traits: ""
+ credentials:
+ key:
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ identifiers:
+ - identifiers
+ - identifiers
+ created_at: 2000-01-23T04:56:07.000+00:00
+ type: null
+ config: "{}"
+ version: 0
+ state_changed_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ recovery_addresses:
+ - updated_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ via: via
+ - updated_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ via: via
+ metadata_admin: ""
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ verifiable_addresses:
+ - updated_at: 2014-01-01T23:28:56.782Z
+ verified_at: 2000-01-23T04:56:07.000+00:00
+ verified: true
+ created_at: 2014-01-01T23:28:56.782Z
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ status: status
+ via: via
+ - updated_at: 2014-01-01T23:28:56.782Z
+ verified_at: 2000-01-23T04:56:07.000+00:00
+ verified: true
+ created_at: 2014-01-01T23:28:56.782Z
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ status: status
+ via: via
+ schema_id: schema_id
+ schema_url: schema_url
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ state: null
+ metadata_public: ""
+ authenticated_at: 2000-01-23T04:56:07.000+00:00
+ active: true
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ issued_at: 2000-01-23T04:56:07.000+00:00
+ properties:
+ active:
+ description: Active state. If false the session is no longer active.
+ type: boolean
+ authenticated_at:
+ description: |-
+ The Session Authentication Timestamp
+
+ When this session was authenticated at. If multi-factor authentication was used this
+ is the time when the last factor was authenticated (e.g. the TOTP code challenge was completed).
+ format: date-time
+ type: string
+ authentication_methods:
+ description: A list of authenticators which were used to authenticate the
+ session.
+ items:
+ $ref: '#/components/schemas/sessionAuthenticationMethod'
+ title: List of (Used) AuthenticationMethods
+ type: array
+ authenticator_assurance_level:
+ $ref: '#/components/schemas/authenticatorAssuranceLevel'
+ devices:
+ description: Devices has history of all endpoints where the session was
+ used
+ items:
+ $ref: '#/components/schemas/sessionDevice'
+ type: array
+ expires_at:
+ description: |-
+ The Session Expiry
+
+ When this session expires at.
+ format: date-time
+ type: string
+ id:
+ description: Session ID
+ format: uuid
+ type: string
+ identity:
+ $ref: '#/components/schemas/identity'
+ issued_at:
+ description: |-
+ The Session Issuance Timestamp
+
+ When this session was issued at. Usually equal or close to `authenticated_at`.
+ format: date-time
+ type: string
+ required:
+ - id
+ - identity
+ type: object
+ sessionAuthenticationMethod:
+ description: A singular authenticator used during authentication / login.
+ example:
+ completed_at: 2000-01-23T04:56:07.000+00:00
+ method: link_recovery
+ aal: null
+ properties:
+ aal:
+ $ref: '#/components/schemas/authenticatorAssuranceLevel'
+ completed_at:
+ description: When the authentication challenge was completed.
+ format: date-time
+ type: string
+ method:
+ enum:
+ - link_recovery
+ - code_recovery
+ - password
+ - totp
+ - oidc
+ - webauthn
+ - lookup_secret
+ - v0.6_legacy_session
+ title: The method used
+ type: string
+ title: AuthenticationMethod identifies an authentication method
+ type: object
+ sessionAuthenticationMethods:
+ description: A list of authenticators which were used to authenticate the session.
+ items:
+ $ref: '#/components/schemas/sessionAuthenticationMethod'
+ title: List of (Used) AuthenticationMethods
+ type: array
+ sessionDevice:
+ description: Device corresponding to a Session
+ example:
+ location: location
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ ip_address: ip_address
+ user_agent: user_agent
+ properties:
+ id:
+ description: Device record ID
+ format: uuid
+ type: string
+ ip_address:
+ description: IPAddress of the client
+ type: string
+ location:
+ description: Geo Location corresponding to the IP Address
+ type: string
+ user_agent:
+ description: UserAgent of the client
+ type: string
+ required:
+ - id
+ type: object
+ sessionList:
+ items:
+ $ref: '#/components/schemas/session'
+ type: array
+ settingsProfileFormConfig:
+ properties:
+ action:
+ description: "Action should be used as the form action URL `