Skip to main content

Create Settings Flow for Browsers

GET 
https://accounts.<domain>/auth/self-service/settings/browser

This endpoint initializes a browser-based user settings flow. Once initialized, the browser will be redirected to selfservice.flows.settings.ui_url with the flow ID set as the query parameter ?flow=. If no valid Session Cookie is included in the request, a login flow will be initialized.

If this endpoint is opened as a link in the browser, it will be redirected to selfservice.flows.settings.ui_url with the flow ID set as the query parameter ?flow=. If no valid user session was set, the browser will be redirected to the login endpoint.

If this endpoint is called via an AJAX request, the response contains the settings flow without any redirects or a 401 forbidden error if no valid session was set.

Depending on your configuration this endpoint might return a 403 error if the session has a lower Authenticator Assurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn credentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user to sign in with the second factor (happens automatically for server-side browser flows) or change the configuration.

If this endpoint is called via an AJAX request, the response contains the flow without a redirect. In the case of an error, the error.id of the JSON response body can be one of:

security_csrf_violation: Unable to fetch the flow because a CSRF violation occurred. session_inactive: No Session was found - sign in a user first. security_identity_mismatch: The requested ?return_to address is not allowed to be used. Adjust this in the configuration!

This endpoint is NOT INTENDED for clients that do not have a browser (Chrome, Firefox, ...) as cookies are needed.

Request

Query Parameters

    return_to string

    The URL to return the browser to after the flow was completed.

Header Parameters

    Cookie string

    HTTP Cookies

    When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header sent by the client to your server here. This ensures that CSRF and session cookies are respected.

Responses

settingsFlow

Schema
    active string

    Active, if set, contains the registration method that is being used. It is initially not set.

    continue_with object[]

    Contains a list of actions, that could follow this flow

    It can, for example, contain a reference to the verification flow, created as part of the user's registration.

  • Array [
    • oneOf
    action stringrequired

    Possible values: [show_verification_ui]

    Action will always be show_verification_ui show_verification_ui ContinueWithActionShowVerificationUIString

    flow objectrequired
    id uuidrequired

    The ID of the verification flow

    url string

    The URL of the verification flow

    verifiable_address stringrequired

    The address that should be verified in this flow

  • ]
    • expires_at date-timerequired

    ExpiresAt is the time (UTC) when the flow expires. If the user still wishes to update the setting, a new flow has to be initiated.

    id uuidrequired

    ID represents the flow's unique ID. When performing the settings flow, this represents the id in the settings ui's query parameter: http://<selfservice.flows.settings.ui_url>?flow=

    identity objectrequired

    An identity represents a (human) user.

    created_at date-time

    CreatedAt is a helper struct field for gobuffalo.pop.

    credentials object

    Credentials represents all credentials that can be used for authenticating this identity.

    property name* identityCredentials

    Credentials represents a specific credential type

    config object
    created_at date-time

    CreatedAt is a helper struct field for gobuffalo.pop.

    identifiers string[]

    Identifiers represents a list of unique identifiers this credential type matches.

    type CredentialsType represents several different credential types, like password credentials, passwordless credentials,

    Possible values: [password, totp, oidc, webauthn, lookup_secret, code]

    and so on.

    updated_at date-time

    UpdatedAt is a helper struct field for gobuffalo.pop.

    version int64

    Version refers to the version of the credential. Useful when changing the config schema.

    id uuidrequired

    ID is the identity's unique identifier.

    The Identity ID can not be changed and can not be chosen. This ensures future compatibility and optimization for distributed stores such as CockroachDB.

    metadata_admin nullJsonRawMessagenullable

    NullJSONRawMessage represents a json.RawMessage that works well with JSON, SQL, and Swagger and is NULLable-

    metadata_public nullJsonRawMessagenullable

    NullJSONRawMessage represents a json.RawMessage that works well with JSON, SQL, and Swagger and is NULLable-

    organization_id uuid4nullable
    recovery_addresses object[]

    RecoveryAddresses contains all the addresses that can be used to recover an identity.

  • Array [
    • created_at date-time

    CreatedAt is a helper struct field for gobuffalo.pop.

    id uuidrequired
    updated_at date-time

    UpdatedAt is a helper struct field for gobuffalo.pop.

    value stringrequired
    via RecoveryAddressType must not exceed 16 characters as that is the limitation in the SQL Schema.required
  • ]
    • schema_id stringrequired

    SchemaID is the ID of the JSON Schema to be used for validating the identity's traits.

    schema_url stringrequired

    SchemaURL is the URL of the endpoint where the identity's traits schema can be fetched from.

    format: url

    state An Identity's State

    Possible values: [active, inactive]

    The state can either be active or inactive.

    state_changed_at date-time
    traits identityTraitsrequired

    Traits represent an identity's traits. The identity is able to create, modify, and delete traits in a self-service manner. The input will always be validated against the JSON Schema defined in schema_url.

    updated_at date-time

    UpdatedAt is a helper struct field for gobuffalo.pop.

    verifiable_addresses object[]

    VerifiableAddresses contains all the addresses that can be verified by the user.

  • Array [
    • created_at date-time

    When this entry was created

    id uuid

    The ID

    status identityVerifiableAddressStatusrequired

    VerifiableAddressStatus must not exceed 16 characters as that is the limitation in the SQL Schema

    updated_at date-time

    When this entry was last updated

    value stringrequired

    The address value

    example foo@user.com

    verified booleanrequired

    Indicates if the address has already been verified

    verified_at date-time
    via stringrequired

    Possible values: [email, sms]

    The delivery method

  • ]
    • issued_at date-timerequired

    IssuedAt is the time (UTC) when the flow occurred.

    request_url stringrequired

    RequestURL is the initial URL that was requested. It can be used to forward information contained in the URL's path or query for example.

    return_to string

    ReturnTo contains the requested return_to URL.

    state required

    State represents the state of this flow. It knows two states:

    show_form: No user data has been collected, or it is invalid, and thus the form should be shown. success: Indicates that the settings flow has been updated successfully with the provided data. Done will stay true when repeatedly checking. If set to true, done will revert back to false only when a flow with invalid (e.g. "please use a valid phone number") data was sent.

    type Type is the flow type.required

    The flow type can either be api or browser.

    ui objectrequired

    Container represents a HTML Form. The container can work with both HTTP Form and JSON requests

    action stringrequired

    Action should be used as the form action URL <form action="{{ .Action }}" method="post">.

    messages object[]
  • Array [
    • context object

    The message's context. Useful when customizing messages.

    id int64required
    text stringrequired

    The message text. Written in american english.

    type stringrequired

    Possible values: [info, error, success]

    The message type. info Info error Error success Success

  • ]
    • method stringrequired

    Method is the form method (e.g. POST)

    nodes object[]required
  • Array [
    • attributes objectrequired
    oneOf
    autocomplete string

    Possible values: [email, tel, url, current-password, new-password, one-time-code]

    The autocomplete attribute for the input. email InputAttributeAutocompleteEmail tel InputAttributeAutocompleteTel url InputAttributeAutocompleteUrl current-password InputAttributeAutocompleteCurrentPassword new-password InputAttributeAutocompleteNewPassword one-time-code InputAttributeAutocompleteOneTimeCode

    disabled booleanrequired

    Sets the input's disabled field to true or false.

    label object
    context object

    The message's context. Useful when customizing messages.

    id int64required
    text stringrequired

    The message text. Written in american english.

    type stringrequired

    Possible values: [info, error, success]

    The message type. info Info error Error success Success

    name stringrequired

    The input's element name.

    node_type stringrequired

    NodeType represents this node's types. It is a mirror of node.type and is primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is "input".

    onclick string

    OnClick may contain javascript which should be executed on click. This is primarily used for WebAuthn.

    pattern string

    The input's pattern.

    required boolean

    Mark this input field as required.

    type stringrequired

    Possible values: [text, password, number, checkbox, hidden, email, tel, submit, button, datetime-local, date, url]

    The input's element type. text InputAttributeTypeText password InputAttributeTypePassword number InputAttributeTypeNumber checkbox InputAttributeTypeCheckbox hidden InputAttributeTypeHidden email InputAttributeTypeEmail tel InputAttributeTypeTel submit InputAttributeTypeSubmit button InputAttributeTypeButton datetime-local InputAttributeTypeDateTimeLocal date InputAttributeTypeDate url InputAttributeTypeURI

    value nullable

    The input's value.

    group stringrequired

    Possible values: [default, password, oidc, profile, link, code, totp, lookup_secret, webauthn]

    Group specifies which group (e.g. password authenticator) this node belongs to. default DefaultGroup password PasswordGroup oidc OpenIDConnectGroup profile ProfileGroup link LinkGroup code CodeGroup totp TOTPGroup lookup_secret LookupGroup webauthn WebAuthnGroup

    messages object[]required
  • Array [
    • context object

    The message's context. Useful when customizing messages.

    id int64required
    text stringrequired

    The message text. Written in american english.

    type stringrequired

    Possible values: [info, error, success]

    The message type. info Info error Error success Success

  • ]
    • meta objectrequired

    This might include a label and other information that can optionally be used to render UIs.

    label object
    context object

    The message's context. Useful when customizing messages.

    id int64required
    text stringrequired

    The message text. Written in american english.

    type stringrequired

    Possible values: [info, error, success]

    The message type. info Info error Error success Success

    type stringrequired

    Possible values: [text, input, img, a, script]

    The node's type text Text input Input img Image a Anchor script Script

  • ]
curl -L -X GET 'https://accounts.<domain>/auth/self-service/settings/browser' \
-H 'Accept: application/json'
Request Collapse all
Base URL
https://accounts.<domain>
Parameters
— query
— header