Create Settings Flow for Native Apps

GET 
https://accounts.<domain>/auth/self-service/settings/api

This endpoint initiates a settings flow for API clients such as mobile devices, smart TVs, and so on. You must provide a valid Session Token for this endpoint to respond with HTTP 200 OK.

To fetch an existing settings flow call /settings/flows?flow=<flow_id>.

You MUST NOT use this endpoint in client-side (Single Page Apps, ReactJS, AngularJS) nor server-side (Java Server Pages, NodeJS, PHP, Golang, ...) browser applications. Using this endpoint in these applications will make you vulnerable to a variety of CSRF attacks.

Depending on your configuration this endpoint might return a 403 error if the session has a lower Authenticator Assurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn credentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user to sign in with the second factor or change the configuration.

In the case of an error, the error.id of the JSON response body can be one of:

security_csrf_violation: Unable to fetch the flow because a CSRF violation occurred. session_inactive: No Session was found - sign in a user first.

This endpoint MUST ONLY be used in scenarios such as native mobile apps (React Native, Objective C, Swift, Java, ...).

Request

Header Parameters

X-Session-Token string

The Session Token of the Identity performing the settings flow.

Responses

200

settingsFlow

application/json

Schema

Schema

active string

Active, if set, contains the registration method that is being used. It is initially not set.

continue_with object[]
Contains a list of actions, that could follow this flow
It can, for example, contain a reference to the verification flow, created as part of the user's registration.
Array [
oneOf
continueWithVerificationUi
action stringrequired
Possible values: [show_verification_ui]
Action will always be show_verification_ui show_verification_ui ContinueWithActionShowVerificationUIString
flow objectrequired
id uuidrequired
The ID of the verification flow
url string
The URL of the verification flow
verifiable_address stringrequired
The address that should be verified in this flow
continueWithSetOrySessionToken
action stringrequired
Possible values: [set_ory_session_token]
ory_session_token stringrequired
Token is the token of the session
continueWithSettingsUi
action stringrequired
Possible values: [show_settings_ui]
Action will always be show_settings_ui show_settings_ui ContinueWithActionShowSettingsUIString
flow objectrequired
id uuidrequired
The ID of the settings flow
continueWithRecoveryUi
action stringrequired
Possible values: [show_recovery_ui]
Action will always be show_recovery_ui show_recovery_ui ContinueWithActionShowRecoveryUIString
flow objectrequired
id uuidrequired
The ID of the recovery flow
url string
The URL of the recovery flow
]
expires_at date-timerequired

ExpiresAt is the time (UTC) when the flow expires. If the user still wishes to update the setting, a new flow has to be initiated.

id uuidrequired

ID represents the flow's unique ID. When performing the settings flow, this represents the id in the settings ui's query parameter: http://<selfservice.flows.settings.ui_url>?flow=

identity objectrequired
An identity represents a (human) user.
created_at date-time
CreatedAt is a helper struct field for gobuffalo.pop.
credentials object
Credentials represents all credentials that can be used for authenticating this identity.
property name* identityCredentials
Credentials represents a specific credential type
config object
created_at date-time
CreatedAt is a helper struct field for gobuffalo.pop.
identifiers string[]
Identifiers represents a list of unique identifiers this credential type matches.
type CredentialsType represents several different credential types, like password credentials, passwordless credentials,
Possible values: [password, totp, oidc, webauthn, lookup_secret, code]
and so on.
updated_at date-time
UpdatedAt is a helper struct field for gobuffalo.pop.
version int64
Version refers to the version of the credential. Useful when changing the config schema.
id uuidrequired
ID is the identity's unique identifier.
The Identity ID can not be changed and can not be chosen. This ensures future compatibility and optimization for distributed stores such as CockroachDB.
metadata_admin nullJsonRawMessagenullable
NullJSONRawMessage represents a json.RawMessage that works well with JSON, SQL, and Swagger and is NULLable-
metadata_public nullJsonRawMessagenullable
NullJSONRawMessage represents a json.RawMessage that works well with JSON, SQL, and Swagger and is NULLable-
organization_id uuid4nullable
recovery_addresses object[]
RecoveryAddresses contains all the addresses that can be used to recover an identity.
Array [
created_at date-time
CreatedAt is a helper struct field for gobuffalo.pop.
id uuidrequired
updated_at date-time
UpdatedAt is a helper struct field for gobuffalo.pop.
value stringrequired
via RecoveryAddressType must not exceed 16 characters as that is the limitation in the SQL Schema.required
]
schema_id stringrequired
SchemaID is the ID of the JSON Schema to be used for validating the identity's traits.
schema_url stringrequired
SchemaURL is the URL of the endpoint where the identity's traits schema can be fetched from.
format: url
state An Identity's State
Possible values: [active, inactive]
The state can either be active or inactive.
state_changed_at date-time
traits identityTraitsrequired
Traits represent an identity's traits. The identity is able to create, modify, and delete traits in a self-service manner. The input will always be validated against the JSON Schema defined in schema_url.
updated_at date-time
UpdatedAt is a helper struct field for gobuffalo.pop.
verifiable_addresses object[]
VerifiableAddresses contains all the addresses that can be verified by the user.
Array [
created_at date-time
When this entry was created
id uuid
The ID
status identityVerifiableAddressStatusrequired
VerifiableAddressStatus must not exceed 16 characters as that is the limitation in the SQL Schema
updated_at date-time
When this entry was last updated
value stringrequired
The address value
example foo@user.com
verified booleanrequired
Indicates if the address has already been verified
verified_at date-time
via stringrequired
Possible values: [email, sms]
The delivery method
]
issued_at date-timerequired

IssuedAt is the time (UTC) when the flow occurred.

request_url stringrequired

RequestURL is the initial URL that was requested. It can be used to forward information contained in the URL's path or query for example.

return_to string

ReturnTo contains the requested return_to URL.

state required

State represents the state of this flow. It knows two states:

show_form: No user data has been collected, or it is invalid, and thus the form should be shown. success: Indicates that the settings flow has been updated successfully with the provided data. Done will stay true when repeatedly checking. If set to true, done will revert back to false only when a flow with invalid (e.g. "please use a valid phone number") data was sent.

type Type is the flow type.required

The flow type can either be api or browser.

ui objectrequired
Container represents a HTML Form. The container can work with both HTTP Form and JSON requests
action stringrequired
Action should be used as the form action URL <form action="{{ .Action }}" method="post">.
messages object[]
Array [
context object
The message's context. Useful when customizing messages.
id int64required
text stringrequired
The message text. Written in american english.
type stringrequired
Possible values: [info, error, success]
The message type. info Info error Error success Success
]
method stringrequired
Method is the form method (e.g. POST)
nodes object[]required
Array [
attributes objectrequired
oneOf
uiNodeInputAttributes
autocomplete string
Possible values: [email, tel, url, current-password, new-password, one-time-code]
The autocomplete attribute for the input. email InputAttributeAutocompleteEmail tel InputAttributeAutocompleteTel url InputAttributeAutocompleteUrl current-password InputAttributeAutocompleteCurrentPassword new-password InputAttributeAutocompleteNewPassword one-time-code InputAttributeAutocompleteOneTimeCode
disabled booleanrequired
Sets the input's disabled field to true or false.
label object
context object
The message's context. Useful when customizing messages.
id int64required
text stringrequired
The message text. Written in american english.
type stringrequired
Possible values: [info, error, success]
The message type. info Info error Error success Success
name stringrequired
The input's element name.
node_type stringrequired
NodeType represents this node's types. It is a mirror of node.type and is primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is "input".
onclick string
OnClick may contain javascript which should be executed on click. This is primarily used for WebAuthn.
pattern string
The input's pattern.
required boolean
Mark this input field as required.
type stringrequired
Possible values: [text, password, number, checkbox, hidden, email, tel, submit, button, datetime-local, date, url]
The input's element type. text InputAttributeTypeText password InputAttributeTypePassword number InputAttributeTypeNumber checkbox InputAttributeTypeCheckbox hidden InputAttributeTypeHidden email InputAttributeTypeEmail tel InputAttributeTypeTel submit InputAttributeTypeSubmit button InputAttributeTypeButton datetime-local InputAttributeTypeDateTimeLocal date InputAttributeTypeDate url InputAttributeTypeURI
value nullable
The input's value.
TextAttributes represents the attributes of a text node.
id stringrequired
A unique identifier
node_type stringrequired
NodeType represents this node's types. It is a mirror of node.type and is primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is "text".
text objectrequired
context object
The message's context. Useful when customizing messages.
id int64required
text stringrequired
The message text. Written in american english.
type stringrequired
Possible values: [info, error, success]
The message type. info Info error Error success Success
ImageAttributes represents the attributes of an image node.
height int64required
Height of the image
id stringrequired
A unique identifier
node_type stringrequired
NodeType represents this node's types. It is a mirror of node.type and is primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is "img".
src stringrequired
The image's source URL.
format: uri
width int64required
Width of the image
AnchorAttributes represents the attributes of an anchor node.
href stringrequired
The link's href (destination) URL.
format: uri
id stringrequired
A unique identifier
node_type stringrequired
NodeType represents this node's types. It is a mirror of node.type and is primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is "a".
title objectrequired
context object
The message's context. Useful when customizing messages.
id int64required
text stringrequired
The message text. Written in american english.
type stringrequired
Possible values: [info, error, success]
The message type. info Info error Error success Success
ScriptAttributes represent script nodes which load javascript.
async booleanrequired
The script async type
crossorigin stringrequired
The script cross origin policy
id stringrequired
A unique identifier
integrity stringrequired
The script's integrity hash
node_type stringrequired
NodeType represents this node's types. It is a mirror of node.type and is primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is "script".
nonce stringrequired
Nonce for CSP
A nonce you may want to use to improve your Content Security Policy. You do not have to use this value but if you want to improve your CSP policies you may use it. You can also choose to use your own nonce value!
referrerpolicy stringrequired
The script referrer policy
src stringrequired
The script source
type stringrequired
The script MIME type
group stringrequired
Possible values: [default, password, oidc, profile, link, code, totp, lookup_secret, webauthn]
Group specifies which group (e.g. password authenticator) this node belongs to. default DefaultGroup password PasswordGroup oidc OpenIDConnectGroup profile ProfileGroup link LinkGroup code CodeGroup totp TOTPGroup lookup_secret LookupGroup webauthn WebAuthnGroup
messages object[]required
Array [
context object
The message's context. Useful when customizing messages.
id int64required
text stringrequired
The message text. Written in american english.
type stringrequired
Possible values: [info, error, success]
The message type. info Info error Error success Success
]
meta objectrequired
This might include a label and other information that can optionally be used to render UIs.
label object
context object
The message's context. Useful when customizing messages.
id int64required
text stringrequired
The message text. Written in american english.
type stringrequired
Possible values: [info, error, success]
The message type. info Info error Error success Success
type stringrequired
Possible values: [text, input, img, a, script]
The node's type text Text input Input img Image a Anchor script Script
]

Example (from schema)

{
  "active": "string",
  "continue_with": [
    {},
    {},
    {},
    {}
  ],
  "expires_at": "2025-04-17T12:10:30.836Z",
  "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "identity": {
    "created_at": "2025-04-17T12:10:30.836Z",
    "credentials": {},
    "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "organization_id": "string",
    "recovery_addresses": [
      {
        "created_at": "2025-04-17T12:10:30.836Z",
        "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "updated_at": "2025-04-17T12:10:30.836Z",
        "value": "string",
        "via": "string"
      }
    ],
    "schema_id": "string",
    "schema_url": "string",
    "state": "active",
    "state_changed_at": "2025-04-17T12:10:30.836Z",
    "updated_at": "2025-04-17T12:10:30.836Z",
    "verifiable_addresses": [
      {
        "created_at": "2014-01-01T23:28:56.782Z",
        "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "status": "string",
        "updated_at": "2014-01-01T23:28:56.782Z",
        "value": "string",
        "verified": true,
        "verified_at": "2025-04-17T12:10:30.836Z",
        "via": "email"
      }
    ]
  },
  "issued_at": "2025-04-17T12:10:30.836Z",
  "request_url": "string",
  "return_to": "string",
  "type": "string",
  "ui": {
    "action": "string",
    "messages": [
      {
        "context": {},
        "id": 0,
        "text": "string",
        "type": "info"
      }
    ],
    "method": "string",
    "nodes": [
      {
        "attributes": {},
        "group": "default",
        "messages": [
          {
            "context": {},
            "id": 0,
            "text": "string",
            "type": "info"
          }
        ],
        "meta": {
          "label": {
            "context": {},
            "id": 0,
            "text": "string",
            "type": "info"
          }
        },
        "type": "text"
      }
    ]
  }
}

400

errorGeneric

application/json

Schema

Schema

error objectrequired

code int64

The status code

debug string

Debug information

This field is often not exposed to protect against leaking sensitive information.

details object

Further error details

id string

The error ID

Useful when trying to identify various errors in application logic.

message stringrequired

Error message

The error's message.

reason string

A human-readable reason for the error

request string

The request ID

The request ID is often exposed internally in order to trace errors across service architectures. This is often a UUID.

status string

The status description

Example (from schema)

{
  "error": {
    "code": 404,
    "debug": "SQL field \"foo\" is not a bool.",
    "details": {},
    "id": "string",
    "message": "The resource could not be found",
    "reason": "User with ID 1234 does not exist.",
    "request": "d7ef54b1-ec15-46e6-bccb-524b82c035e6",
    "status": "Not Found"
  }
}

default

errorGeneric

application/json

Schema

Schema

error objectrequired

code int64

The status code

debug string

Debug information

This field is often not exposed to protect against leaking sensitive information.

details object

Further error details

id string

The error ID

Useful when trying to identify various errors in application logic.

message stringrequired

Error message

The error's message.

reason string

A human-readable reason for the error

request string

The request ID

The request ID is often exposed internally in order to trace errors across service architectures. This is often a UUID.

status string

The status description

Example (from schema)

{
  "error": {
    "code": 404,
    "debug": "SQL field \"foo\" is not a bool.",
    "details": {},
    "id": "string",
    "message": "The resource could not be found",
    "reason": "User with ID 1234 does not exist.",
    "request": "d7ef54b1-ec15-46e6-bccb-524b82c035e6",
    "status": "Not Found"
  }
}

• curl
• python
• go
• nodejs
• ruby
• csharp
• php
• java
• powershell

• CURL

curl -L -X GET 'https://accounts.<domain>/auth/self-service/settings/api' \
-H 'Accept: application/json'

Request Collapse all

Base URL

https://accounts.<domain>

Parameters

X-Session-Token — header