Create Verification Flow for Native Apps

GET 
https://accounts.<domain>/auth/self-service/verification/api

This endpoint initiates a verification flow for API clients such as mobile devices, smart TVs, and so on.

To fetch an existing verification flow call /verification/flows?flow=<flow_id>.

You MUST NOT use this endpoint in client-side (Single Page Apps, ReactJS, AngularJS) nor server-side (Java Server Pages, NodeJS, PHP, Golang, ...) browser applications. Using this endpoint in these applications will make you vulnerable to a variety of CSRF attacks.

This endpoint MUST ONLY be used in scenarios such as native mobile apps (React Native, Objective C, Swift, Java, ...).

Request

Responses

200

verificationFlow

application/json

Schema

Schema

active string

Active, if set, contains the registration method that is being used. It is initially not set.

expires_at date-time

ExpiresAt is the time (UTC) when the request expires. If the user still wishes to verify the address, a new request has to be initiated.

id uuidrequired

ID represents the request's unique ID. When performing the verification flow, this represents the id in the verify ui's query parameter: http://<selfservice.flows.verification.ui_url>?request=

type: string format: uuid

issued_at date-time

IssuedAt is the time (UTC) when the request occurred.

request_url string

RequestURL is the initial URL that was requested. It can be used to forward information contained in the URL's path or query for example.

return_to string

ReturnTo contains the requested return_to URL.

state required

State represents the state of this request:

choose_method: ask the user to choose a method (e.g. verify your email) sent_email: the email has been sent to the user passed_challenge: the request was successful and the verification challenge was passed.

type Type is the flow type.required

The flow type can either be api or browser.

ui objectrequired
Container represents a HTML Form. The container can work with both HTTP Form and JSON requests
action stringrequired
Action should be used as the form action URL <form action="{{ .Action }}" method="post">.
messages object[]
Array [
context object
The message's context. Useful when customizing messages.
id int64required
text stringrequired
The message text. Written in american english.
type stringrequired
Possible values: [info, error, success]
The message type. info Info error Error success Success
]
method stringrequired
Method is the form method (e.g. POST)
nodes object[]required
Array [
attributes objectrequired
oneOf
uiNodeInputAttributes
autocomplete string
Possible values: [email, tel, url, current-password, new-password, one-time-code]
The autocomplete attribute for the input. email InputAttributeAutocompleteEmail tel InputAttributeAutocompleteTel url InputAttributeAutocompleteUrl current-password InputAttributeAutocompleteCurrentPassword new-password InputAttributeAutocompleteNewPassword one-time-code InputAttributeAutocompleteOneTimeCode
disabled booleanrequired
Sets the input's disabled field to true or false.
label object
context object
The message's context. Useful when customizing messages.
id int64required
text stringrequired
The message text. Written in american english.
type stringrequired
Possible values: [info, error, success]
The message type. info Info error Error success Success
name stringrequired
The input's element name.
node_type stringrequired
NodeType represents this node's types. It is a mirror of node.type and is primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is "input".
onclick string
OnClick may contain javascript which should be executed on click. This is primarily used for WebAuthn.
pattern string
The input's pattern.
required boolean
Mark this input field as required.
type stringrequired
Possible values: [text, password, number, checkbox, hidden, email, tel, submit, button, datetime-local, date, url]
The input's element type. text InputAttributeTypeText password InputAttributeTypePassword number InputAttributeTypeNumber checkbox InputAttributeTypeCheckbox hidden InputAttributeTypeHidden email InputAttributeTypeEmail tel InputAttributeTypeTel submit InputAttributeTypeSubmit button InputAttributeTypeButton datetime-local InputAttributeTypeDateTimeLocal date InputAttributeTypeDate url InputAttributeTypeURI
value nullable
The input's value.
TextAttributes represents the attributes of a text node.
id stringrequired
A unique identifier
node_type stringrequired
NodeType represents this node's types. It is a mirror of node.type and is primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is "text".
text objectrequired
context object
The message's context. Useful when customizing messages.
id int64required
text stringrequired
The message text. Written in american english.
type stringrequired
Possible values: [info, error, success]
The message type. info Info error Error success Success
ImageAttributes represents the attributes of an image node.
height int64required
Height of the image
id stringrequired
A unique identifier
node_type stringrequired
NodeType represents this node's types. It is a mirror of node.type and is primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is "img".
src stringrequired
The image's source URL.
format: uri
width int64required
Width of the image
AnchorAttributes represents the attributes of an anchor node.
href stringrequired
The link's href (destination) URL.
format: uri
id stringrequired
A unique identifier
node_type stringrequired
NodeType represents this node's types. It is a mirror of node.type and is primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is "a".
title objectrequired
context object
The message's context. Useful when customizing messages.
id int64required
text stringrequired
The message text. Written in american english.
type stringrequired
Possible values: [info, error, success]
The message type. info Info error Error success Success
ScriptAttributes represent script nodes which load javascript.
async booleanrequired
The script async type
crossorigin stringrequired
The script cross origin policy
id stringrequired
A unique identifier
integrity stringrequired
The script's integrity hash
node_type stringrequired
NodeType represents this node's types. It is a mirror of node.type and is primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is "script".
nonce stringrequired
Nonce for CSP
A nonce you may want to use to improve your Content Security Policy. You do not have to use this value but if you want to improve your CSP policies you may use it. You can also choose to use your own nonce value!
referrerpolicy stringrequired
The script referrer policy
src stringrequired
The script source
type stringrequired
The script MIME type
group stringrequired
Possible values: [default, password, oidc, profile, link, code, totp, lookup_secret, webauthn]
Group specifies which group (e.g. password authenticator) this node belongs to. default DefaultGroup password PasswordGroup oidc OpenIDConnectGroup profile ProfileGroup link LinkGroup code CodeGroup totp TOTPGroup lookup_secret LookupGroup webauthn WebAuthnGroup
messages object[]required
Array [
context object
The message's context. Useful when customizing messages.
id int64required
text stringrequired
The message text. Written in american english.
type stringrequired
Possible values: [info, error, success]
The message type. info Info error Error success Success
]
meta objectrequired
This might include a label and other information that can optionally be used to render UIs.
label object
context object
The message's context. Useful when customizing messages.
id int64required
text stringrequired
The message text. Written in american english.
type stringrequired
Possible values: [info, error, success]
The message type. info Info error Error success Success
type stringrequired
Possible values: [text, input, img, a, script]
The node's type text Text input Input img Image a Anchor script Script
]

Example (from schema)

{
  "active": "string",
  "expires_at": "2025-04-17T12:10:30.845Z",
  "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "issued_at": "2025-04-17T12:10:30.845Z",
  "request_url": "string",
  "return_to": "string",
  "type": "string",
  "ui": {
    "action": "string",
    "messages": [
      {
        "context": {},
        "id": 0,
        "text": "string",
        "type": "info"
      }
    ],
    "method": "string",
    "nodes": [
      {
        "attributes": {},
        "group": "default",
        "messages": [
          {
            "context": {},
            "id": 0,
            "text": "string",
            "type": "info"
          }
        ],
        "meta": {
          "label": {
            "context": {},
            "id": 0,
            "text": "string",
            "type": "info"
          }
        },
        "type": "text"
      }
    ]
  }
}

400

errorGeneric

application/json

Schema

Schema

error objectrequired

code int64

The status code

debug string

Debug information

This field is often not exposed to protect against leaking sensitive information.

details object

Further error details

id string

The error ID

Useful when trying to identify various errors in application logic.

message stringrequired

Error message

The error's message.

reason string

A human-readable reason for the error

request string

The request ID

The request ID is often exposed internally in order to trace errors across service architectures. This is often a UUID.

status string

The status description

Example (from schema)

{
  "error": {
    "code": 404,
    "debug": "SQL field \"foo\" is not a bool.",
    "details": {},
    "id": "string",
    "message": "The resource could not be found",
    "reason": "User with ID 1234 does not exist.",
    "request": "d7ef54b1-ec15-46e6-bccb-524b82c035e6",
    "status": "Not Found"
  }
}

default

errorGeneric

application/json

Schema

Schema

error objectrequired

code int64

The status code

debug string

Debug information

This field is often not exposed to protect against leaking sensitive information.

details object

Further error details

id string

The error ID

Useful when trying to identify various errors in application logic.

message stringrequired

Error message

The error's message.

reason string

A human-readable reason for the error

request string

The request ID

The request ID is often exposed internally in order to trace errors across service architectures. This is often a UUID.

status string

The status description

Example (from schema)

{
  "error": {
    "code": 404,
    "debug": "SQL field \"foo\" is not a bool.",
    "details": {},
    "id": "string",
    "message": "The resource could not be found",
    "reason": "User with ID 1234 does not exist.",
    "request": "d7ef54b1-ec15-46e6-bccb-524b82c035e6",
    "status": "Not Found"
  }
}

• curl
• python
• go
• nodejs
• ruby
• csharp
• php
• java
• powershell

• CURL

curl -L -X GET 'https://accounts.<domain>/auth/self-service/verification/api' \
-H 'Accept: application/json'

Request Collapse all

Base URL

https://accounts.<domain>