Create Registration Flow for Browsers

GET https://accounts.<domain>/auth/self-service/registration/browser

This endpoint initializes a browser-based user registration flow. This endpoint will set the appropriate cookies and anti-CSRF measures required for browser-based flows.

If this endpoint is opened as a link in the browser, it will be redirected to selfservice.flows.registration.ui_url with the flow ID set as the query parameter ?flow=. If a valid user session exists already, the browser will be redirected to urls.default_redirect_url.

If this endpoint is called via an AJAX request, the response contains the flow without a redirect. In the case of an error, the error.id of the JSON response body can be one of:

session_already_available: The user is already signed in. security_csrf_violation: Unable to fetch the flow because a CSRF violation occurred. security_identity_mismatch: The requested ?return_to address is not allowed to be used. Adjust this in the configuration!

If this endpoint is called via an AJAX request, the response contains the registration flow without a redirect.

This endpoint is NOT INTENDED for clients that do not have a browser (Chrome, Firefox, ...) as cookies are needed.

Request

Query Parameters

return_to string

The URL to return the browser to after the flow was completed.

login_challenge string

OAuth 2.0 Login Challenge.

If set will cooperate with OAuth2 and OpenID to act as an OAuth2 server / OpenID Provider.

The value for this parameter comes from login_challenge URL Query parameter sent to your application (e.g. /registration?login_challenge=abcde).

after_verification_return_to string

The URL to return the browser to after the verification flow was completed.

After the registration flow is completed, the user will be sent a verification email. Upon completing the verification flow, this URL will be used to override the default selfservice.flows.verification.after.default_redirect_to value.

organization string

Responses

200
303
default

registrationFlow

application/json

Schema
Example (from schema)

Schema

active CredentialsType represents several different credential types, like password credentials, passwordless credentials,

Possible values: [password, totp, oidc, webauthn, lookup_secret, code]

and so on.

expires_at date-timerequired

ExpiresAt is the time (UTC) when the flow expires. If the user still wishes to log in, a new flow has to be initiated.

id uuidrequired

ID represents the flow's unique ID. When performing the registration flow, this represents the id in the registration ui's query parameter: http://<selfservice.flows.registration.ui_url>/?flow=

issued_at date-timerequired

IssuedAt is the time (UTC) when the flow occurred.

oauth2_login_challenge string

OAuth 2.0 Login Challenge.

This value is set using the login_challenge query parameter of the registration and login endpoints. If set will cooperate with OAuth2 and OpenID to act as an OAuth2 server / OpenID Provider.

oauth2_login_request object

OAuth2LoginRequest struct for OAuth2LoginRequest

AdditionalProperties object

challenge string

ID is the identifier ("login challenge") of the login request. It is used to identify the session.

client object

AdditionalProperties object

access_token_strategy string

OAuth 2.0 Access Token Strategy AccessTokenStrategy is the strategy used to generate access tokens. Valid options are jwt and opaque.

allowed_cors_origins string[]

audience string[]

authorization_code_grant_access_token_lifespan string

Specify a time duration in milliseconds, seconds, minutes, hours.

authorization_code_grant_id_token_lifespan string

Specify a time duration in milliseconds, seconds, minutes, hours.

authorization_code_grant_refresh_token_lifespan string

Specify a time duration in milliseconds, seconds, minutes, hours.

backchannel_logout_session_required boolean

OpenID Connect Back-Channel Logout Session Required Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used. If omitted, the default value is false.

backchannel_logout_uri string

OpenID Connect Back-Channel Logout URI RP URL that will cause the RP to log itself out when sent a Logout Token by the OP.

client_credentials_grant_access_token_lifespan string

Specify a time duration in milliseconds, seconds, minutes, hours.

client_id string

OAuth 2.0 Client ID The ID is autogenerated and immutable.

client_name string

OAuth 2.0 Client Name The human-readable name of the client to be presented to the end-user during authorization.

client_secret string

OAuth 2.0 Client Secret The secret will be included in the create request as cleartext, and then never again. The secret is kept in hashed format and is not recoverable once lost.

client_secret_expires_at int64

OAuth 2.0 Client Secret Expires At The field is currently not supported and its value is always 0.

client_uri string

OAuth 2.0 Client URI ClientURI is a URL string of a web page providing information about the client. If present, the server SHOULD display this URL to the end-user in a clickable fashion.

contacts string[]

created_at date-time

OAuth 2.0 Client Creation Date CreatedAt returns the timestamp of the client's creation.

frontchannel_logout_session_required boolean

OpenID Connect Front-Channel Logout Session Required Boolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be included to identify the RP session with the OP when the frontchannel_logout_uri is used. If omitted, the default value is false.

frontchannel_logout_uri string

OpenID Connect Front-Channel Logout URI RP URL that will cause the RP to log itself out when rendered in an iframe by the OP. An iss (issuer) query parameter and a sid (session ID) query parameter MAY be included by the OP to enable the RP to validate the request and to determine which of the potentially multiple sessions is to be logged out; if either is included, both MUST be.

grant_types string[]

implicit_grant_access_token_lifespan string

Specify a time duration in milliseconds, seconds, minutes, hours.

implicit_grant_id_token_lifespan string

Specify a time duration in milliseconds, seconds, minutes, hours.

jwks

OAuth 2.0 Client JSON Web Key Set Client's JSON Web Key Set [JWK] document, passed by value. The semantics of the jwks parameter are the same as the jwks_uri parameter, other than that the JWK Set is passed by value, rather than by reference. This parameter is intended only to be used by Clients that, for some reason, are unable to use the jwks_uri parameter, for instance, by native applications that might not have a location to host the contents of the JWK Set. If a Client can use jwks_uri, it MUST NOT use jwks. One significant downside of jwks is that it does not enable key rotation (which jwks_uri does, as described in Section 10 of OpenID Connect Core 1.0 [OpenID.Core]). The jwks_uri and jwks parameters MUST NOT be used together.

jwks_uri string

OAuth 2.0 Client JSON Web Key Set URL URL for the Client's JSON Web Key Set [JWK] document. If the Client signs requests to the Server, it contains the signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY also contain the Client's encryption keys(s), which are used by the Server to encrypt responses to the Client. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.

jwt_bearer_grant_access_token_lifespan string

Specify a time duration in milliseconds, seconds, minutes, hours.

logo_uri string

OAuth 2.0 Client Logo URI A URL string referencing the client's logo.

metadata

owner string

OAuth 2.0 Client Owner Owner is a string identifying the owner of the OAuth 2.0 Client.

policy_uri string

OAuth 2.0 Client Policy URI PolicyURI is a URL string that points to a human-readable privacy policy document that describes how the deployment organization collects, uses, retains, and discloses personal data.

post_logout_redirect_uris string[]

redirect_uris string[]

refresh_token_grant_access_token_lifespan string

Specify a time duration in milliseconds, seconds, minutes, hours.

refresh_token_grant_id_token_lifespan string

Specify a time duration in milliseconds, seconds, minutes, hours.

refresh_token_grant_refresh_token_lifespan string

Specify a time duration in milliseconds, seconds, minutes, hours.

registration_access_token string

OpenID Connect Dynamic Client Registration Access Token RegistrationAccessToken can be used to update, get, or delete the OAuth2 Client. It is sent when creating a client using Dynamic Client Registration.

registration_client_uri string

OpenID Connect Dynamic Client Registration URL RegistrationClientURI is the URL used to update, get, or delete the OAuth2 Client.

request_object_signing_alg string

OpenID Connect Request Object Signing Algorithm JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm.

request_uris string[]

response_types string[]

scope string

OAuth 2.0 Client Scope Scope is a string containing a space-separated list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use when requesting access tokens.

sector_identifier_uri string

OpenID Connect Sector Identifier URI URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values.

skip_consent boolean

SkipConsent skips the consent screen for this client. This field can only be set from the admin API.

subject_type string

OpenID Connect Subject Type The subject_types_supported Discovery parameter contains a list of the supported subject_type values for this server. Valid types include pairwise and public.

token_endpoint_auth_method string

OAuth 2.0 Token Endpoint Authentication Method Requested Client Authentication method for the Token Endpoint. The options are: client_secret_basic: (default) Send client_id and client_secret as application/x-www-form-urlencoded encoded in the HTTP Authorization header. client_secret_post: Send client_id and client_secret as application/x-www-form-urlencoded in the HTTP body. private_key_jwt: Use JSON Web Tokens to authenticate the client. none: Used for public clients (native apps, mobile apps) which can not have secrets.

token_endpoint_auth_signing_alg string

OAuth 2.0 Token Endpoint Signing Algorithm Requested Client Authentication signing algorithm for the Token Endpoint.

tos_uri string

OAuth 2.0 Client Terms of Service URI A URL string pointing to a human-readable terms of service document for the client that describes a contractual relationship between the end-user and the client that the end-user accepts when authorizing the client.

updated_at date-time

OAuth 2.0 Client Last Update Date UpdatedAt returns the timestamp of the last update.

userinfo_signed_response_alg string

OpenID Connect Request Userinfo Signed Response Algorithm JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT [JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.

oidc_context object

OAuth2ConsentRequestOpenIDConnectContext struct for OAuth2ConsentRequestOpenIDConnectContext

AdditionalProperties object

acr_values string[]

ACRValues is the Authentication AuthorizationContext Class Reference requested in the OAuth 2.0 Authorization request. It is a parameter defined by OpenID Connect and expresses which level of authentication (e.g. 2FA) is required. OpenID Connect defines it as follows: > Requested Authentication AuthorizationContext Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference. The Authentication AuthorizationContext Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in Section 2. The acr Claim is requested as a Voluntary Claim by this parameter.

display string

Display is a string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User. The defined values are: page: The Authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view. If the display parameter is not specified, this is the default display mode. popup: The Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window. The popup User Agent window should be of an appropriate size for a login-focused dialog and should not obscure the entire window that it is popping up over. touch: The Authorization Server SHOULD display the authentication and consent UI consistent with a device that leverages a touch interface. wap: The Authorization Server SHOULD display the authentication and consent UI consistent with a "feature phone" type display. The Authorization Server MAY also attempt to detect the capabilities of the User Agent and present an appropriate display.

id_token_hint_claims object

login_hint string

LoginHint hints about the login identifier the End-User might use to log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier) and then wants to pass that value as a hint to the discovered authorization service. This value MAY also be a phone number in the format specified for the phone_number Claim. The use of this parameter is optional.

ui_locales string[]

UILocales is the End-User'id preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value "fr-CA fr en" represents a preference for French as spoken in Canada, then French (without a region designation), followed by English (without a region designation). An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider.

request_url string

RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but might come in handy if you want to deal with additional request parameters.

requested_access_token_audience string[]

requested_scope string[]

session_id string

SessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag) this ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false) this will be a new random value. This value is used as the "sid" parameter in the ID Token and in OIDC Front-/Back- channel logout. It's value can generally be used to associate consecutive login requests by a certain user.

skip boolean

Skip, if true, implies that the client has requested the same scopes from the same user previously. If true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL. This feature allows you to update / set session information.

subject string

Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope requested by the OAuth 2.0 client. If this value is set and skip is true, you MUST include this subject type when accepting the login request, or the request will fail.

organization_id uuid4nullable

request_url stringrequired

RequestURL is the initial URL that was requested. It can be used to forward information contained in the URL's path or query for example.

return_to string

ReturnTo contains the requested return_to URL.

session_token_exchange_code string

SessionTokenExchangeCode holds the secret code that the client can use to retrieve a session token after the flow has been completed. This is only set if the client has requested a session token exchange code, and if the flow is of type "api", and only on creating the flow.

state required

State represents the state of this request:

choose_method: ask the user to choose a method (e.g. registration with email) sent_email: the email has been sent to the user passed_challenge: the request was successful and the registration challenge was passed.

transient_payload object

TransientPayload is used to pass data from the registration to a webhook

type Type is the flow type.required

The flow type can either be api or browser.

ui objectrequired

Container represents a HTML Form. The container can work with both HTTP Form and JSON requests

action stringrequired

Action should be used as the form action URL <form action="{{ .Action }}" method="post">.

messages object[]

method stringrequired

Method is the form method (e.g. POST)

nodes object[]required

Array [

attributes objectrequired

oneOf

uiNodeInputAttributes
TextAttributes represents the attributes of a text node.
ImageAttributes represents the attributes of an image node.
AnchorAttributes represents the attributes of an anchor node.
ScriptAttributes represent script nodes which load javascript.

autocomplete string

Possible values: [email, tel, url, current-password, new-password, one-time-code]

The autocomplete attribute for the input. email InputAttributeAutocompleteEmail tel InputAttributeAutocompleteTel url InputAttributeAutocompleteUrl current-password InputAttributeAutocompleteCurrentPassword new-password InputAttributeAutocompleteNewPassword one-time-code InputAttributeAutocompleteOneTimeCode

disabled booleanrequired

Sets the input's disabled field to true or false.

label object

name stringrequired

The input's element name.

node_type stringrequired

NodeType represents this node's types. It is a mirror of node.type and is primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is "input".

onclick string

OnClick may contain javascript which should be executed on click. This is primarily used for WebAuthn.

pattern string

The input's pattern.

required boolean

Mark this input field as required.

type stringrequired

Possible values: [text, password, number, checkbox, hidden, email, tel, submit, button, datetime-local, date, url]

The input's element type. text InputAttributeTypeText password InputAttributeTypePassword number InputAttributeTypeNumber checkbox InputAttributeTypeCheckbox hidden InputAttributeTypeHidden email InputAttributeTypeEmail tel InputAttributeTypeTel submit InputAttributeTypeSubmit button InputAttributeTypeButton datetime-local InputAttributeTypeDateTimeLocal date InputAttributeTypeDate url InputAttributeTypeURI

value nullable

The input's value.

id stringrequired

A unique identifier

node_type stringrequired

NodeType represents this node's types. It is a mirror of node.type and is primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is "text".

text objectrequired

height int64required

Height of the image

id stringrequired

A unique identifier

node_type stringrequired

NodeType represents this node's types. It is a mirror of node.type and is primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is "img".

src stringrequired

The image's source URL.

format: uri

width int64required

Width of the image

href stringrequired

The link's href (destination) URL.

format: uri

id stringrequired

A unique identifier

node_type stringrequired

NodeType represents this node's types. It is a mirror of node.type and is primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is "a".

title objectrequired

async booleanrequired

The script async type

crossorigin stringrequired

The script cross origin policy

id stringrequired

A unique identifier

integrity stringrequired

The script's integrity hash

node_type stringrequired

NodeType represents this node's types. It is a mirror of node.type and is primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is "script".

nonce stringrequired

Nonce for CSP

A nonce you may want to use to improve your Content Security Policy. You do not have to use this value but if you want to improve your CSP policies you may use it. You can also choose to use your own nonce value!

referrerpolicy stringrequired

The script referrer policy

src stringrequired

The script source

type stringrequired

The script MIME type

group stringrequired

Possible values: [default, password, oidc, profile, link, code, totp, lookup_secret, webauthn]

Group specifies which group (e.g. password authenticator) this node belongs to. default DefaultGroup password PasswordGroup oidc OpenIDConnectGroup profile ProfileGroup link LinkGroup code CodeGroup totp TOTPGroup lookup_secret LookupGroup webauthn WebAuthnGroup

messages object[]required

meta objectrequired

type stringrequired

Possible values: [text, input, img, a, script]

The node's type text Text input Input img Image a Anchor script Script

]

{
  "active": "password",
  "expires_at": "2025-04-17T12:10:30.828Z",
  "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "issued_at": "2025-04-17T12:10:30.828Z",
  "oauth2_login_challenge": "string",
  "oauth2_login_request": {
    "AdditionalProperties": {},
    "challenge": "string",
    "client": {
      "AdditionalProperties": {},
      "access_token_strategy": "string",
      "allowed_cors_origins": [
        "string"
      ],
      "audience": [
        "string"
      ],
      "authorization_code_grant_access_token_lifespan": "string",
      "authorization_code_grant_id_token_lifespan": "string",
      "authorization_code_grant_refresh_token_lifespan": "string",
      "backchannel_logout_session_required": true,
      "backchannel_logout_uri": "string",
      "client_credentials_grant_access_token_lifespan": "string",
      "client_id": "string",
      "client_name": "string",
      "client_secret": "string",
      "client_secret_expires_at": 0,
      "client_uri": "string",
      "contacts": [
        "string"
      ],
      "created_at": "2025-04-17T12:10:30.828Z",
      "frontchannel_logout_session_required": true,
      "frontchannel_logout_uri": "string",
      "grant_types": [
        "string"
      ],
      "implicit_grant_access_token_lifespan": "string",
      "implicit_grant_id_token_lifespan": "string",
      "jwks_uri": "string",
      "jwt_bearer_grant_access_token_lifespan": "string",
      "logo_uri": "string",
      "metadata": {},
      "owner": "string",
      "policy_uri": "string",
      "post_logout_redirect_uris": [
        "string"
      ],
      "redirect_uris": [
        "string"
      ],
      "refresh_token_grant_access_token_lifespan": "string",
      "refresh_token_grant_id_token_lifespan": "string",
      "refresh_token_grant_refresh_token_lifespan": "string",
      "registration_access_token": "string",
      "registration_client_uri": "string",
      "request_object_signing_alg": "string",
      "request_uris": [
        "string"
      ],
      "response_types": [
        "string"
      ],
      "scope": "string",
      "sector_identifier_uri": "string",
      "skip_consent": true,
      "subject_type": "string",
      "token_endpoint_auth_method": "string",
      "token_endpoint_auth_signing_alg": "string",
      "tos_uri": "string",
      "updated_at": "2025-04-17T12:10:30.828Z",
      "userinfo_signed_response_alg": "string"
    },
    "oidc_context": {
      "AdditionalProperties": {},
      "acr_values": [
        "string"
      ],
      "display": "string",
      "id_token_hint_claims": {},
      "login_hint": "string",
      "ui_locales": [
        "string"
      ]
    },
    "request_url": "string",
    "requested_access_token_audience": [
      "string"
    ],
    "requested_scope": [
      "string"
    ],
    "session_id": "string",
    "skip": true,
    "subject": "string"
  },
  "organization_id": "string",
  "request_url": "string",
  "return_to": "string",
  "session_token_exchange_code": "string",
  "transient_payload": {},
  "type": "string",
  "ui": {
    "action": "string",
    "messages": [
      {
        "context": {},
        "id": 0,
        "text": "string",
        "type": "info"
      }
    ],
    "method": "string",
    "nodes": [
      {
        "attributes": {},
        "group": "default",
        "messages": [
          {
            "context": {},
            "id": 0,
            "text": "string",
            "type": "info"
          }
        ],
        "meta": {
          "label": {
            "context": {},
            "id": 0,
            "text": "string",
            "type": "info"
          }
        },
        "type": "text"
      }
    ]
  }
}

errorGeneric

application/json

Schema
Example (from schema)

Schema

error objectrequired

{
  "error": {
    "code": 404,
    "debug": "SQL field \"foo\" is not a bool.",
    "details": {},
    "id": "string",
    "message": "The resource could not be found",
    "reason": "User with ID 1234 does not exist.",
    "request": "d7ef54b1-ec15-46e6-bccb-524b82c035e6",
    "status": "Not Found"
  }
}

CURL

curl -L -X GET 'https://accounts.<domain>/auth/self-service/registration/browser' \
-H 'Accept: application/json'

Create Registration Flow for Browsers

https://accounts.<domain>/auth/self-service/registration/browser

Request​

Query Parameters

Responses​

Request

Responses