Create Verification Flow for Browser Clients

GET https://accounts.<domain>/auth/self-service/verification/browser

This endpoint initializes a browser-based account verification flow. Once initialized, the browser will be redirected to selfservice.flows.verification.ui_url with the flow ID set as the query parameter ?flow=.

If this endpoint is called via an AJAX request, the response contains the recovery flow without any redirects.

This endpoint is NOT INTENDED for API clients and only works with browsers (Chrome, Firefox, ...).

Request

Query Parameters

return_to string

The URL to return the browser to after the flow was completed.

Responses

200
303
default

verificationFlow

application/json

Schema
Example (from schema)

Schema

active string

Active, if set, contains the registration method that is being used. It is initially not set.

expires_at date-time

ExpiresAt is the time (UTC) when the request expires. If the user still wishes to verify the address, a new request has to be initiated.

id uuidrequired

ID represents the request's unique ID. When performing the verification flow, this represents the id in the verify ui's query parameter: http://<selfservice.flows.verification.ui_url>?request=

type: string format: uuid

issued_at date-time

IssuedAt is the time (UTC) when the request occurred.

request_url string

RequestURL is the initial URL that was requested. It can be used to forward information contained in the URL's path or query for example.

return_to string

ReturnTo contains the requested return_to URL.

state required

State represents the state of this request:

choose_method: ask the user to choose a method (e.g. verify your email) sent_email: the email has been sent to the user passed_challenge: the request was successful and the verification challenge was passed.

type Type is the flow type.required

The flow type can either be api or browser.

ui objectrequired

Container represents a HTML Form. The container can work with both HTTP Form and JSON requests

action stringrequired

Action should be used as the form action URL <form action="{{ .Action }}" method="post">.

messages object[]

method stringrequired

Method is the form method (e.g. POST)

nodes object[]required

Array [

attributes objectrequired

oneOf

uiNodeInputAttributes
TextAttributes represents the attributes of a text node.
ImageAttributes represents the attributes of an image node.
AnchorAttributes represents the attributes of an anchor node.
ScriptAttributes represent script nodes which load javascript.

autocomplete string

Possible values: [email, tel, url, current-password, new-password, one-time-code]

The autocomplete attribute for the input. email InputAttributeAutocompleteEmail tel InputAttributeAutocompleteTel url InputAttributeAutocompleteUrl current-password InputAttributeAutocompleteCurrentPassword new-password InputAttributeAutocompleteNewPassword one-time-code InputAttributeAutocompleteOneTimeCode

disabled booleanrequired

Sets the input's disabled field to true or false.

label object

name stringrequired

The input's element name.

node_type stringrequired

NodeType represents this node's types. It is a mirror of node.type and is primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is "input".

onclick string

OnClick may contain javascript which should be executed on click. This is primarily used for WebAuthn.

pattern string

The input's pattern.

required boolean

Mark this input field as required.

type stringrequired

Possible values: [text, password, number, checkbox, hidden, email, tel, submit, button, datetime-local, date, url]

The input's element type. text InputAttributeTypeText password InputAttributeTypePassword number InputAttributeTypeNumber checkbox InputAttributeTypeCheckbox hidden InputAttributeTypeHidden email InputAttributeTypeEmail tel InputAttributeTypeTel submit InputAttributeTypeSubmit button InputAttributeTypeButton datetime-local InputAttributeTypeDateTimeLocal date InputAttributeTypeDate url InputAttributeTypeURI

value nullable

The input's value.

id stringrequired

A unique identifier

node_type stringrequired

NodeType represents this node's types. It is a mirror of node.type and is primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is "text".

text objectrequired

height int64required

Height of the image

id stringrequired

A unique identifier

node_type stringrequired

NodeType represents this node's types. It is a mirror of node.type and is primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is "img".

src stringrequired

The image's source URL.

format: uri

width int64required

Width of the image

href stringrequired

The link's href (destination) URL.

format: uri

id stringrequired

A unique identifier

node_type stringrequired

NodeType represents this node's types. It is a mirror of node.type and is primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is "a".

title objectrequired

async booleanrequired

The script async type

crossorigin stringrequired

The script cross origin policy

id stringrequired

A unique identifier

integrity stringrequired

The script's integrity hash

node_type stringrequired

NodeType represents this node's types. It is a mirror of node.type and is primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is "script".

nonce stringrequired

Nonce for CSP

A nonce you may want to use to improve your Content Security Policy. You do not have to use this value but if you want to improve your CSP policies you may use it. You can also choose to use your own nonce value!

referrerpolicy stringrequired

The script referrer policy

src stringrequired

The script source

type stringrequired

The script MIME type

group stringrequired

Possible values: [default, password, oidc, profile, link, code, totp, lookup_secret, webauthn]

Group specifies which group (e.g. password authenticator) this node belongs to. default DefaultGroup password PasswordGroup oidc OpenIDConnectGroup profile ProfileGroup link LinkGroup code CodeGroup totp TOTPGroup lookup_secret LookupGroup webauthn WebAuthnGroup

messages object[]required

meta objectrequired

type stringrequired

Possible values: [text, input, img, a, script]

The node's type text Text input Input img Image a Anchor script Script

]

{
  "active": "string",
  "expires_at": "2025-04-17T12:10:30.847Z",
  "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "issued_at": "2025-04-17T12:10:30.847Z",
  "request_url": "string",
  "return_to": "string",
  "type": "string",
  "ui": {
    "action": "string",
    "messages": [
      {
        "context": {},
        "id": 0,
        "text": "string",
        "type": "info"
      }
    ],
    "method": "string",
    "nodes": [
      {
        "attributes": {},
        "group": "default",
        "messages": [
          {
            "context": {},
            "id": 0,
            "text": "string",
            "type": "info"
          }
        ],
        "meta": {
          "label": {
            "context": {},
            "id": 0,
            "text": "string",
            "type": "info"
          }
        },
        "type": "text"
      }
    ]
  }
}

errorGeneric

application/json

Schema
Example (from schema)

Schema

error objectrequired

{
  "error": {
    "code": 404,
    "debug": "SQL field \"foo\" is not a bool.",
    "details": {},
    "id": "string",
    "message": "The resource could not be found",
    "reason": "User with ID 1234 does not exist.",
    "request": "d7ef54b1-ec15-46e6-bccb-524b82c035e6",
    "status": "Not Found"
  }
}

CURL

curl -L -X GET 'https://accounts.<domain>/auth/self-service/verification/browser' \
-H 'Accept: application/json'

Create Verification Flow for Browser Clients

https://accounts.<domain>/auth/self-service/verification/browser

Request​

Query Parameters

Responses​

Request

Responses