Update Registration Flow

POST 
https://accounts.<domain>/auth/self-service/registration

Use this endpoint to complete a registration flow by sending an identity's traits and password. This endpoint behaves differently for API and browser flows.

API flows expect application/json to be sent in the body and respond with HTTP 200 and a application/json body with the created identity success - if the session hook is configured the session and session_token will also be included; HTTP 410 if the original flow expired with the appropriate error messages set and optionally a use_flow_id parameter in the body; HTTP 400 on form validation errors.

Browser flows expect a Content-Type of application/x-www-form-urlencoded or application/json to be sent in the body and respond with a HTTP 303 redirect to the post/after registration URL or the return_to value if it was set and if the registration succeeded; a HTTP 303 redirect to the registration UI URL with the flow ID containing the validation errors otherwise.

Browser flows with an accept header of application/json will not redirect but instead respond with HTTP 200 and a application/json body with the signed in identity and a Set-Cookie header on success; HTTP 303 redirect to a fresh login flow if the original flow expired with the appropriate error messages set; HTTP 400 on form validation errors.

If this endpoint is called with Accept: application/json in the header, the response contains the flow without a redirect. In the case of an error, the error.id of the JSON response body can be one of:

session_already_available: The user is already signed in. security_csrf_violation: Unable to fetch the flow because a CSRF violation occurred. security_identity_mismatch: The requested ?return_to address is not allowed to be used. Adjust this in the configuration! browser_location_change_required: Usually sent when an AJAX request indicates that the browser needs to open a specific URL. Most likely used in Social Sign In flows.

Request

Query Parameters

flow stringrequired

The Registration Flow ID

The value for this parameter comes from flow URL Query parameter sent to your application (e.g. /registration?flow=abcde).

Header Parameters

Cookie string

HTTP Cookies

When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header sent by the client to your server here. This ensures that CSRF and session cookies are respected.

application/json

Bodyrequired

methodrequired

Update Registration Request Body

Possible values: [code, oidc, password, webauthn]

code

codestring

The OTP Code sent to the user

csrf_tokenstring

The CSRF Token

resendstring

Resend restarts the flow with a new code

traitsobjectrequired

The identity's traits

transient_payloadobject

Transient data to pass along to any webhooks

oidc

csrf_tokenstring

The CSRF Token

id_tokenstring

IDToken is an optional id token provided by an OIDC provider

If submitted, it is verified using the OIDC provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the traits field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken.

Supported providers are Apple

id_token_noncestring

IDTokenNonce is the nonce, used when generating the IDToken. If the provider supports nonce validation, the nonce will be validated against this value and is required.

providerstringrequired

The provider to register with

traitsobject

The identity traits

transient_payloadobject

Transient data to pass along to any webhooks

upstream_parametersobject

UpstreamParameters are the parameters that are passed to the upstream identity provider.

These parameters are optional and depend on what the upstream identity provider supports. Supported parameters are: login_hint (string): The login_hint parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. hd (string): The hd parameter limits the login/registration process to a Google Organization, e.g. mycollege.edu. prompt (string): The prompt specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. select_account.

password

csrf_tokenstring

The CSRF Token

passwordstringrequired

Password to sign the user up with

traitsobjectrequired

The identity's traits

transient_payloadobject

Transient data to pass along to any webhooks

webauthn

csrf_tokenstring

CSRFToken is the anti-CSRF token

traitsobjectrequired

The identity's traits

transient_payloadobject

Transient data to pass along to any webhooks

webauthn_registerstring

Register a WebAuthn Security Key

It is expected that the JSON returned by the WebAuthn registration process is included here.

webauthn_register_displaynamestring

Name of the WebAuthn Security Key to be Added

A human-readable name for the security key which will be added.

application/x-www-form-urlencoded

Bodyrequired

methodrequired

Update Registration Request Body

Possible values: [code, oidc, password, webauthn]

code

codestring

The OTP Code sent to the user

csrf_tokenstring

The CSRF Token

resendstring

Resend restarts the flow with a new code

traitsobjectrequired

The identity's traits

transient_payloadobject

Transient data to pass along to any webhooks

oidc

csrf_tokenstring

The CSRF Token

id_tokenstring

IDToken is an optional id token provided by an OIDC provider

If submitted, it is verified using the OIDC provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the traits field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken.

Supported providers are Apple

id_token_noncestring

IDTokenNonce is the nonce, used when generating the IDToken. If the provider supports nonce validation, the nonce will be validated against this value and is required.

providerstringrequired

The provider to register with

traitsobject

The identity traits

transient_payloadobject

Transient data to pass along to any webhooks

upstream_parametersobject

UpstreamParameters are the parameters that are passed to the upstream identity provider.

These parameters are optional and depend on what the upstream identity provider supports. Supported parameters are: login_hint (string): The login_hint parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. hd (string): The hd parameter limits the login/registration process to a Google Organization, e.g. mycollege.edu. prompt (string): The prompt specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. select_account.

password

csrf_tokenstring

The CSRF Token

passwordstringrequired

Password to sign the user up with

traitsobjectrequired

The identity's traits

transient_payloadobject

Transient data to pass along to any webhooks

webauthn

csrf_tokenstring

CSRFToken is the anti-CSRF token

traitsobjectrequired

The identity's traits

transient_payloadobject

Transient data to pass along to any webhooks

webauthn_registerstring

Register a WebAuthn Security Key

It is expected that the JSON returned by the WebAuthn registration process is included here.

webauthn_register_displaynamestring

Name of the WebAuthn Security Key to be Added

A human-readable name for the security key which will be added.

Responses

200

successfulNativeRegistration

application/json

Schema

Schema

continue_with object[]
Contains a list of actions, that could follow this flow
It can, for example, this will contain a reference to the verification flow, created as part of the user's registration or the token of the session.
Array [
oneOf
continueWithVerificationUi
actionstringrequired
Action will always be show_verification_ui show_verification_ui ContinueWithActionShowVerificationUIString
Possible values: [show_verification_ui]
flow objectrequired
idstring<uuid>required
The ID of the verification flow
urlstring
The URL of the verification flow
verifiable_addressstringrequired
The address that should be verified in this flow
continueWithSetOrySessionToken
actionstringrequired
Possible values: [set_ory_session_token]
ory_session_tokenstringrequired
Token is the token of the session
continueWithSettingsUi
actionstringrequired
Action will always be show_settings_ui show_settings_ui ContinueWithActionShowSettingsUIString
Possible values: [show_settings_ui]
flow objectrequired
idstring<uuid>required
The ID of the settings flow
continueWithRecoveryUi
actionstringrequired
Action will always be show_recovery_ui show_recovery_ui ContinueWithActionShowRecoveryUIString
Possible values: [show_recovery_ui]
flow objectrequired
idstring<uuid>required
The ID of the recovery flow
urlstring
The URL of the recovery flow
]
identity objectrequired
An identity represents a (human) user.
created_atstring<date-time>
CreatedAt is a helper struct field for gobuffalo.pop.
credentials object
Credentials represents all credentials that can be used for authenticating this identity.
property name* identityCredentials
Credentials represents a specific credential type
configobject
created_atstring<date-time>
CreatedAt is a helper struct field for gobuffalo.pop.
identifiersstring[]
Identifiers represents a list of unique identifiers this credential type matches.
typeCredentialsType represents several different credential types, like password credentials, passwordless credentials, (string)
and so on.
Possible values: [password, totp, oidc, webauthn, lookup_secret, code]
updated_atstring<date-time>
UpdatedAt is a helper struct field for gobuffalo.pop.
versioninteger<int64>
Version refers to the version of the credential. Useful when changing the config schema.
idstring<uuid>required
ID is the identity's unique identifier.
The Identity ID can not be changed and can not be chosen. This ensures future compatibility and optimization for distributed stores such as CockroachDB.
metadata_adminnullJsonRawMessagenullable
NullJSONRawMessage represents a json.RawMessage that works well with JSON, SQL, and Swagger and is NULLable-
metadata_publicnullJsonRawMessagenullable
NullJSONRawMessage represents a json.RawMessage that works well with JSON, SQL, and Swagger and is NULLable-
organization_idstring<uuid4>nullable
recovery_addresses object[]
RecoveryAddresses contains all the addresses that can be used to recover an identity.
Array [
created_atstring<date-time>
CreatedAt is a helper struct field for gobuffalo.pop.
idstring<uuid>required
updated_atstring<date-time>
UpdatedAt is a helper struct field for gobuffalo.pop.
valuestringrequired
viaRecoveryAddressType must not exceed 16 characters as that is the limitation in the SQL Schema. (string)required
]
schema_idstringrequired
SchemaID is the ID of the JSON Schema to be used for validating the identity's traits.
schema_urlstringrequired
SchemaURL is the URL of the endpoint where the identity's traits schema can be fetched from.
format: url
stateAn Identity's State (string)
The state can either be active or inactive.
Possible values: [active, inactive]
state_changed_atstring<date-time>
traitsidentityTraitsrequired
Traits represent an identity's traits. The identity is able to create, modify, and delete traits in a self-service manner. The input will always be validated against the JSON Schema defined in schema_url.
updated_atstring<date-time>
UpdatedAt is a helper struct field for gobuffalo.pop.
verifiable_addresses object[]
VerifiableAddresses contains all the addresses that can be verified by the user.
Array [
created_atstring<date-time>
When this entry was created
Example: 2014-01-01T23:28:56.782Z
idstring<uuid>
The ID
statusidentityVerifiableAddressStatus (string)required
VerifiableAddressStatus must not exceed 16 characters as that is the limitation in the SQL Schema
updated_atstring<date-time>
When this entry was last updated
Example: 2014-01-01T23:28:56.782Z
valuestringrequired
The address value
example foo@user.com
verifiedbooleanrequired
Indicates if the address has already been verified
Example: true
verified_atstring<date-time>
viastringrequired
The delivery method
Possible values: [email, sms]
Example: email
]
session object

A Session

activeboolean

Active state. If false the session is no longer active.

authenticated_atstring<date-time>

The Session Authentication Timestamp

When this session was authenticated at. If multi-factor authentication was used this is the time when the last factor was authenticated (e.g. the TOTP code challenge was completed).

authentication_methods object[]

A list of authenticators which were used to authenticate the session.

Array [

aalAuthenticator Assurance Level (AAL) (string)

The authenticator assurance level can be one of "aal1", "aal2", or "aal3". A higher number means that it is harder for an attacker to compromise the account.

Generally, "aal1" implies that one authentication factor was used while AAL2 implies that two factors (e.g. password + TOTP) have been used.

Possible values: [aal0, aal1, aal2, aal3]

completed_atstring<date-time>

When the authentication challenge was completed.

methodThe method used (string)

Possible values: [link_recovery, code_recovery, password, code, totp, oidc, webauthn, lookup_secret, v0.6_legacy_session]

organizationstring

The Organization id used for authentication

providerstring

OIDC or SAML provider id used for authentication

]

authenticator_assurance_levelAuthenticator Assurance Level (AAL) (string)

The authenticator assurance level can be one of "aal1", "aal2", or "aal3". A higher number means that it is harder for an attacker to compromise the account.

Generally, "aal1" implies that one authentication factor was used while AAL2 implies that two factors (e.g. password + TOTP) have been used.

Possible values: [aal0, aal1, aal2, aal3]

devices object[]

Devices has history of all endpoints where the session was used

Array [

idstring<uuid>required

Device record ID

ip_addressstring

IPAddress of the client

locationstring

Geo Location corresponding to the IP Address

user_agentstring

UserAgent of the client

]

expires_atstring<date-time>

The Session Expiry

When this session expires at.

idstring<uuid>required

Session ID

identity object

An identity represents a (human) user.

created_atstring<date-time>

CreatedAt is a helper struct field for gobuffalo.pop.

credentials object

Credentials represents all credentials that can be used for authenticating this identity.

property name* identityCredentials

Credentials represents a specific credential type

configobject

created_atstring<date-time>

CreatedAt is a helper struct field for gobuffalo.pop.

identifiersstring[]

Identifiers represents a list of unique identifiers this credential type matches.

typeCredentialsType represents several different credential types, like password credentials, passwordless credentials, (string)

and so on.

Possible values: [password, totp, oidc, webauthn, lookup_secret, code]

updated_atstring<date-time>

UpdatedAt is a helper struct field for gobuffalo.pop.

versioninteger<int64>

Version refers to the version of the credential. Useful when changing the config schema.

idstring<uuid>required

ID is the identity's unique identifier.

The Identity ID can not be changed and can not be chosen. This ensures future compatibility and optimization for distributed stores such as CockroachDB.

metadata_adminnullJsonRawMessagenullable

NullJSONRawMessage represents a json.RawMessage that works well with JSON, SQL, and Swagger and is NULLable-

metadata_publicnullJsonRawMessagenullable

NullJSONRawMessage represents a json.RawMessage that works well with JSON, SQL, and Swagger and is NULLable-

organization_idstring<uuid4>nullable

recovery_addresses object[]

RecoveryAddresses contains all the addresses that can be used to recover an identity.

Array [

created_atstring<date-time>

CreatedAt is a helper struct field for gobuffalo.pop.

idstring<uuid>required

updated_atstring<date-time>

UpdatedAt is a helper struct field for gobuffalo.pop.

valuestringrequired

viaRecoveryAddressType must not exceed 16 characters as that is the limitation in the SQL Schema. (string)required

]

schema_idstringrequired

SchemaID is the ID of the JSON Schema to be used for validating the identity's traits.

schema_urlstringrequired

SchemaURL is the URL of the endpoint where the identity's traits schema can be fetched from.

format: url

stateAn Identity's State (string)

The state can either be active or inactive.

Possible values: [active, inactive]

state_changed_atstring<date-time>

traitsidentityTraitsrequired

Traits represent an identity's traits. The identity is able to create, modify, and delete traits in a self-service manner. The input will always be validated against the JSON Schema defined in schema_url.

updated_atstring<date-time>

UpdatedAt is a helper struct field for gobuffalo.pop.

verifiable_addresses object[]

VerifiableAddresses contains all the addresses that can be verified by the user.

Array [

created_atstring<date-time>

When this entry was created

Example: 2014-01-01T23:28:56.782Z

idstring<uuid>

The ID

statusidentityVerifiableAddressStatus (string)required

VerifiableAddressStatus must not exceed 16 characters as that is the limitation in the SQL Schema

updated_atstring<date-time>

When this entry was last updated

Example: 2014-01-01T23:28:56.782Z

valuestringrequired

The address value

example foo@user.com

verifiedbooleanrequired

Indicates if the address has already been verified

Example: true

verified_atstring<date-time>

viastringrequired

The delivery method

Possible values: [email, sms]

Example: email

]

issued_atstring<date-time>

The Session Issuance Timestamp

When this session was issued at. Usually equal or close to authenticated_at.

tokenizedstring

Tokenized is the tokenized (e.g. JWT) version of the session.

It is only set when the tokenize query parameter was set to a valid tokenize template during calls to /session/whoami.

session_tokenstring

The Session Token

This field is only set when the session hook is configured as a post-registration hook.

A session token is equivalent to a session cookie, but it can be sent in the HTTP Authorization Header:

Authorization: bearer ${session-token}

The session token is only issued for API flows, not for Browser flows!

Example (auto)

{
  "continue_with": [
    {
      "action": "show_verification_ui",
      "flow": {
        "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "url": "string",
        "verifiable_address": "string"
      }
    },
    {
      "action": "set_ory_session_token",
      "ory_session_token": "string"
    },
    {
      "action": "show_settings_ui",
      "flow": {
        "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6"
      }
    },
    {
      "action": "show_recovery_ui",
      "flow": {
        "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "url": "string"
      }
    }
  ],
  "identity": {
    "created_at": "2024-07-29T15:51:28.071Z",
    "credentials": {},
    "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "organization_id": "string",
    "recovery_addresses": [
      {
        "created_at": "2024-07-29T15:51:28.071Z",
        "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "updated_at": "2024-07-29T15:51:28.071Z",
        "value": "string",
        "via": "string"
      }
    ],
    "schema_id": "string",
    "schema_url": "string",
    "state": "active",
    "state_changed_at": "2024-07-29T15:51:28.071Z",
    "updated_at": "2024-07-29T15:51:28.071Z",
    "verifiable_addresses": [
      {
        "created_at": "2014-01-01T23:28:56.782Z",
        "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "status": "string",
        "updated_at": "2014-01-01T23:28:56.782Z",
        "value": "string",
        "verified": true,
        "verified_at": "2024-07-29T15:51:28.071Z",
        "via": "email"
      }
    ]
  },
  "session": {
    "active": true,
    "authenticated_at": "2024-07-29T15:51:28.071Z",
    "authentication_methods": [
      {
        "aal": "aal0",
        "completed_at": "2024-07-29T15:51:28.071Z",
        "method": "link_recovery",
        "organization": "string",
        "provider": "string"
      }
    ],
    "authenticator_assurance_level": "aal0",
    "devices": [
      {
        "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "ip_address": "string",
        "location": "string",
        "user_agent": "string"
      }
    ],
    "expires_at": "2024-07-29T15:51:28.071Z",
    "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "identity": {
      "created_at": "2024-07-29T15:51:28.071Z",
      "credentials": {},
      "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
      "organization_id": "string",
      "recovery_addresses": [
        {
          "created_at": "2024-07-29T15:51:28.071Z",
          "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
          "updated_at": "2024-07-29T15:51:28.071Z",
          "value": "string",
          "via": "string"
        }
      ],
      "schema_id": "string",
      "schema_url": "string",
      "state": "active",
      "state_changed_at": "2024-07-29T15:51:28.071Z",
      "updated_at": "2024-07-29T15:51:28.071Z",
      "verifiable_addresses": [
        {
          "created_at": "2014-01-01T23:28:56.782Z",
          "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
          "status": "string",
          "updated_at": "2014-01-01T23:28:56.782Z",
          "value": "string",
          "verified": true,
          "verified_at": "2024-07-29T15:51:28.071Z",
          "via": "email"
        }
      ]
    },
    "issued_at": "2024-07-29T15:51:28.071Z",
    "tokenized": "string"
  },
  "session_token": "string"
}

303

Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is typically 201.

400

registrationFlow

application/json

Schema

Schema

activeCredentialsType represents several different credential types, like password credentials, passwordless credentials, (string)

and so on.

Possible values: [password, totp, oidc, webauthn, lookup_secret, code]

expires_atstring<date-time>required

ExpiresAt is the time (UTC) when the flow expires. If the user still wishes to log in, a new flow has to be initiated.

idstring<uuid>required

ID represents the flow's unique ID. When performing the registration flow, this represents the id in the registration ui's query parameter: http://<selfservice.flows.registration.ui_url>/?flow=

issued_atstring<date-time>required

IssuedAt is the time (UTC) when the flow occurred.

oauth2_login_challengestring

OAuth 2.0 Login Challenge.

This value is set using the login_challenge query parameter of the registration and login endpoints. If set will cooperate with OAuth2 and OpenID to act as an OAuth2 server / OpenID Provider.

oauth2_login_request object

OAuth2LoginRequest struct for OAuth2LoginRequest

AdditionalProperties object

property name*any

challengestring

ID is the identifier ("login challenge") of the login request. It is used to identify the session.

client object

AdditionalProperties object

property name*any

access_token_strategystring

OAuth 2.0 Access Token Strategy AccessTokenStrategy is the strategy used to generate access tokens. Valid options are jwt and opaque.

allowed_cors_originsstring[]

audiencestring[]

authorization_code_grant_access_token_lifespanstring

Specify a time duration in milliseconds, seconds, minutes, hours.

authorization_code_grant_id_token_lifespanstring

Specify a time duration in milliseconds, seconds, minutes, hours.

authorization_code_grant_refresh_token_lifespanstring

Specify a time duration in milliseconds, seconds, minutes, hours.

backchannel_logout_session_requiredboolean

OpenID Connect Back-Channel Logout Session Required Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used. If omitted, the default value is false.

backchannel_logout_uristring

OpenID Connect Back-Channel Logout URI RP URL that will cause the RP to log itself out when sent a Logout Token by the OP.

client_credentials_grant_access_token_lifespanstring

Specify a time duration in milliseconds, seconds, minutes, hours.

client_idstring

OAuth 2.0 Client ID The ID is autogenerated and immutable.

client_namestring

OAuth 2.0 Client Name The human-readable name of the client to be presented to the end-user during authorization.

client_secretstring

OAuth 2.0 Client Secret The secret will be included in the create request as cleartext, and then never again. The secret is kept in hashed format and is not recoverable once lost.

client_secret_expires_atinteger<int64>

OAuth 2.0 Client Secret Expires At The field is currently not supported and its value is always 0.

client_uristring

OAuth 2.0 Client URI ClientURI is a URL string of a web page providing information about the client. If present, the server SHOULD display this URL to the end-user in a clickable fashion.

contactsstring[]

created_atstring<date-time>

OAuth 2.0 Client Creation Date CreatedAt returns the timestamp of the client's creation.

frontchannel_logout_session_requiredboolean

OpenID Connect Front-Channel Logout Session Required Boolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be included to identify the RP session with the OP when the frontchannel_logout_uri is used. If omitted, the default value is false.

frontchannel_logout_uristring

OpenID Connect Front-Channel Logout URI RP URL that will cause the RP to log itself out when rendered in an iframe by the OP. An iss (issuer) query parameter and a sid (session ID) query parameter MAY be included by the OP to enable the RP to validate the request and to determine which of the potentially multiple sessions is to be logged out; if either is included, both MUST be.

grant_typesstring[]

implicit_grant_access_token_lifespanstring

Specify a time duration in milliseconds, seconds, minutes, hours.

implicit_grant_id_token_lifespanstring

Specify a time duration in milliseconds, seconds, minutes, hours.

jwks

OAuth 2.0 Client JSON Web Key Set Client's JSON Web Key Set [JWK] document, passed by value. The semantics of the jwks parameter are the same as the jwks_uri parameter, other than that the JWK Set is passed by value, rather than by reference. This parameter is intended only to be used by Clients that, for some reason, are unable to use the jwks_uri parameter, for instance, by native applications that might not have a location to host the contents of the JWK Set. If a Client can use jwks_uri, it MUST NOT use jwks. One significant downside of jwks is that it does not enable key rotation (which jwks_uri does, as described in Section 10 of OpenID Connect Core 1.0 [OpenID.Core]). The jwks_uri and jwks parameters MUST NOT be used together.

jwks_uristring

OAuth 2.0 Client JSON Web Key Set URL URL for the Client's JSON Web Key Set [JWK] document. If the Client signs requests to the Server, it contains the signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY also contain the Client's encryption keys(s), which are used by the Server to encrypt responses to the Client. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.

jwt_bearer_grant_access_token_lifespanstring

Specify a time duration in milliseconds, seconds, minutes, hours.

logo_uristring

OAuth 2.0 Client Logo URI A URL string referencing the client's logo.

metadata

ownerstring

OAuth 2.0 Client Owner Owner is a string identifying the owner of the OAuth 2.0 Client.

policy_uristring

OAuth 2.0 Client Policy URI PolicyURI is a URL string that points to a human-readable privacy policy document that describes how the deployment organization collects, uses, retains, and discloses personal data.

post_logout_redirect_urisstring[]

redirect_urisstring[]

refresh_token_grant_access_token_lifespanstring

Specify a time duration in milliseconds, seconds, minutes, hours.

refresh_token_grant_id_token_lifespanstring

Specify a time duration in milliseconds, seconds, minutes, hours.

refresh_token_grant_refresh_token_lifespanstring

Specify a time duration in milliseconds, seconds, minutes, hours.

registration_access_tokenstring

OpenID Connect Dynamic Client Registration Access Token RegistrationAccessToken can be used to update, get, or delete the OAuth2 Client. It is sent when creating a client using Dynamic Client Registration.

registration_client_uristring

OpenID Connect Dynamic Client Registration URL RegistrationClientURI is the URL used to update, get, or delete the OAuth2 Client.

request_object_signing_algstring

OpenID Connect Request Object Signing Algorithm JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm.

request_urisstring[]

response_typesstring[]

scopestring

OAuth 2.0 Client Scope Scope is a string containing a space-separated list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use when requesting access tokens.

sector_identifier_uristring

OpenID Connect Sector Identifier URI URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values.

skip_consentboolean

SkipConsent skips the consent screen for this client. This field can only be set from the admin API.

subject_typestring

OpenID Connect Subject Type The subject_types_supported Discovery parameter contains a list of the supported subject_type values for this server. Valid types include pairwise and public.

token_endpoint_auth_methodstring

OAuth 2.0 Token Endpoint Authentication Method Requested Client Authentication method for the Token Endpoint. The options are: client_secret_basic: (default) Send client_id and client_secret as application/x-www-form-urlencoded encoded in the HTTP Authorization header. client_secret_post: Send client_id and client_secret as application/x-www-form-urlencoded in the HTTP body. private_key_jwt: Use JSON Web Tokens to authenticate the client. none: Used for public clients (native apps, mobile apps) which can not have secrets.

token_endpoint_auth_signing_algstring

OAuth 2.0 Token Endpoint Signing Algorithm Requested Client Authentication signing algorithm for the Token Endpoint.

tos_uristring

OAuth 2.0 Client Terms of Service URI A URL string pointing to a human-readable terms of service document for the client that describes a contractual relationship between the end-user and the client that the end-user accepts when authorizing the client.

updated_atstring<date-time>

OAuth 2.0 Client Last Update Date UpdatedAt returns the timestamp of the last update.

userinfo_signed_response_algstring

OpenID Connect Request Userinfo Signed Response Algorithm JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT [JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.

oidc_context object

OAuth2ConsentRequestOpenIDConnectContext struct for OAuth2ConsentRequestOpenIDConnectContext

AdditionalProperties object

property name*any

acr_valuesstring[]

ACRValues is the Authentication AuthorizationContext Class Reference requested in the OAuth 2.0 Authorization request. It is a parameter defined by OpenID Connect and expresses which level of authentication (e.g. 2FA) is required. OpenID Connect defines it as follows: > Requested Authentication AuthorizationContext Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference. The Authentication AuthorizationContext Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in Section 2. The acr Claim is requested as a Voluntary Claim by this parameter.

displaystring

Display is a string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User. The defined values are: page: The Authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view. If the display parameter is not specified, this is the default display mode. popup: The Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window. The popup User Agent window should be of an appropriate size for a login-focused dialog and should not obscure the entire window that it is popping up over. touch: The Authorization Server SHOULD display the authentication and consent UI consistent with a device that leverages a touch interface. wap: The Authorization Server SHOULD display the authentication and consent UI consistent with a "feature phone" type display. The Authorization Server MAY also attempt to detect the capabilities of the User Agent and present an appropriate display.

id_token_hint_claims object

IDTokenHintClaims are the claims of the ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client.

property name*any

IDTokenHintClaims are the claims of the ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client.

login_hintstring

LoginHint hints about the login identifier the End-User might use to log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier) and then wants to pass that value as a hint to the discovered authorization service. This value MAY also be a phone number in the format specified for the phone_number Claim. The use of this parameter is optional.

ui_localesstring[]

UILocales is the End-User'id preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value "fr-CA fr en" represents a preference for French as spoken in Canada, then French (without a region designation), followed by English (without a region designation). An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider.

request_urlstring

RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but might come in handy if you want to deal with additional request parameters.

requested_access_token_audiencestring[]

requested_scopestring[]

session_idstring

SessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag) this ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false) this will be a new random value. This value is used as the "sid" parameter in the ID Token and in OIDC Front-/Back- channel logout. It's value can generally be used to associate consecutive login requests by a certain user.

skipboolean

Skip, if true, implies that the client has requested the same scopes from the same user previously. If true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL. This feature allows you to update / set session information.

subjectstring

Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope requested by the OAuth 2.0 client. If this value is set and skip is true, you MUST include this subject type when accepting the login request, or the request will fail.

organization_idstring<uuid4>nullable
request_urlstringrequired

RequestURL is the initial URL that was requested. It can be used to forward information contained in the URL's path or query for example.

return_tostring

ReturnTo contains the requested return_to URL.

session_token_exchange_codestring

SessionTokenExchangeCode holds the secret code that the client can use to retrieve a session token after the flow has been completed. This is only set if the client has requested a session token exchange code, and if the flow is of type "api", and only on creating the flow.

staterequired

State represents the state of this request:

choose_method: ask the user to choose a method (e.g. registration with email) sent_email: the email has been sent to the user passed_challenge: the request was successful and the registration challenge was passed.

transient_payloadobject

TransientPayload is used to pass data from the registration to a webhook

typeType is the flow type. (string)required

The flow type can either be api or browser.

ui objectrequired
Container represents a HTML Form. The container can work with both HTTP Form and JSON requests
actionstringrequired
Action should be used as the form action URL <form action="{{ .Action }}" method="post">.
messages object[]
Array [
contextobject
The message's context. Useful when customizing messages.
idinteger<int64>required
textstringrequired
The message text. Written in american english.
typestringrequired
The message type. info Info error Error success Success
Possible values: [info, error, success]
]
methodstringrequired
Method is the form method (e.g. POST)
nodes object[]required
Array [
attributes objectrequired
node_typerequired
Possible values: [a, img, input, script, text]
a
hrefstringrequired
The link's href (destination) URL.
format: uri
idstringrequired
A unique identifier
title objectrequired
contextobject
The message's context. Useful when customizing messages.
idinteger<int64>required
textstringrequired
The message text. Written in american english.
typestringrequired
The message type. info Info error Error success Success
Possible values: [info, error, success]
img
heightinteger<int64>required
Height of the image
idstringrequired
A unique identifier
srcstringrequired
The image's source URL.
format: uri
widthinteger<int64>required
Width of the image
input
autocompletestring
The autocomplete attribute for the input. email InputAttributeAutocompleteEmail tel InputAttributeAutocompleteTel url InputAttributeAutocompleteUrl current-password InputAttributeAutocompleteCurrentPassword new-password InputAttributeAutocompleteNewPassword one-time-code InputAttributeAutocompleteOneTimeCode
Possible values: [email, tel, url, current-password, new-password, one-time-code]
disabledbooleanrequired
Sets the input's disabled field to true or false.
label object
contextobject
The message's context. Useful when customizing messages.
idinteger<int64>required
textstringrequired
The message text. Written in american english.
typestringrequired
The message type. info Info error Error success Success
Possible values: [info, error, success]
namestringrequired
The input's element name.
onclickstring
OnClick may contain javascript which should be executed on click. This is primarily used for WebAuthn.
patternstring
The input's pattern.
requiredboolean
Mark this input field as required.
typestringrequired
The input's element type. text InputAttributeTypeText password InputAttributeTypePassword number InputAttributeTypeNumber checkbox InputAttributeTypeCheckbox hidden InputAttributeTypeHidden email InputAttributeTypeEmail tel InputAttributeTypeTel submit InputAttributeTypeSubmit button InputAttributeTypeButton datetime-local InputAttributeTypeDateTimeLocal date InputAttributeTypeDate url InputAttributeTypeURI
Possible values: [text, password, number, checkbox, hidden, email, tel, submit, button, datetime-local, date, url]
valuenullable
The input's value.
script
asyncbooleanrequired
The script async type
crossoriginstringrequired
The script cross origin policy
idstringrequired
A unique identifier
integritystringrequired
The script's integrity hash
noncestringrequired
Nonce for CSP
A nonce you may want to use to improve your Content Security Policy. You do not have to use this value but if you want to improve your CSP policies you may use it. You can also choose to use your own nonce value!
referrerpolicystringrequired
The script referrer policy
srcstringrequired
The script source
typestringrequired
The script MIME type
text
idstringrequired
A unique identifier
text objectrequired
contextobject
The message's context. Useful when customizing messages.
idinteger<int64>required
textstringrequired
The message text. Written in american english.
typestringrequired
The message type. info Info error Error success Success
Possible values: [info, error, success]
groupstringrequired
Group specifies which group (e.g. password authenticator) this node belongs to. default DefaultGroup password PasswordGroup oidc OpenIDConnectGroup profile ProfileGroup link LinkGroup code CodeGroup totp TOTPGroup lookup_secret LookupGroup webauthn WebAuthnGroup
Possible values: [default, password, oidc, profile, link, code, totp, lookup_secret, webauthn]
messages object[]required
Array [
contextobject
The message's context. Useful when customizing messages.
idinteger<int64>required
textstringrequired
The message text. Written in american english.
typestringrequired
The message type. info Info error Error success Success
Possible values: [info, error, success]
]
meta objectrequired
This might include a label and other information that can optionally be used to render UIs.
label object
contextobject
The message's context. Useful when customizing messages.
idinteger<int64>required
textstringrequired
The message text. Written in american english.
typestringrequired
The message type. info Info error Error success Success
Possible values: [info, error, success]
typestringrequired
The node's type text Text input Input img Image a Anchor script Script
Possible values: [text, input, img, a, script]
]

Example (auto)

{
  "active": "password",
  "expires_at": "2024-07-29T15:51:28.071Z",
  "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "issued_at": "2024-07-29T15:51:28.071Z",
  "oauth2_login_challenge": "string",
  "oauth2_login_request": {
    "AdditionalProperties": {},
    "challenge": "string",
    "client": {
      "AdditionalProperties": {},
      "access_token_strategy": "string",
      "allowed_cors_origins": [
        "string"
      ],
      "audience": [
        "string"
      ],
      "authorization_code_grant_access_token_lifespan": "string",
      "authorization_code_grant_id_token_lifespan": "string",
      "authorization_code_grant_refresh_token_lifespan": "string",
      "backchannel_logout_session_required": true,
      "backchannel_logout_uri": "string",
      "client_credentials_grant_access_token_lifespan": "string",
      "client_id": "string",
      "client_name": "string",
      "client_secret": "string",
      "client_secret_expires_at": 0,
      "client_uri": "string",
      "contacts": [
        "string"
      ],
      "created_at": "2024-07-29T15:51:28.071Z",
      "frontchannel_logout_session_required": true,
      "frontchannel_logout_uri": "string",
      "grant_types": [
        "string"
      ],
      "implicit_grant_access_token_lifespan": "string",
      "implicit_grant_id_token_lifespan": "string",
      "jwks_uri": "string",
      "jwt_bearer_grant_access_token_lifespan": "string",
      "logo_uri": "string",
      "metadata": {},
      "owner": "string",
      "policy_uri": "string",
      "post_logout_redirect_uris": [
        "string"
      ],
      "redirect_uris": [
        "string"
      ],
      "refresh_token_grant_access_token_lifespan": "string",
      "refresh_token_grant_id_token_lifespan": "string",
      "refresh_token_grant_refresh_token_lifespan": "string",
      "registration_access_token": "string",
      "registration_client_uri": "string",
      "request_object_signing_alg": "string",
      "request_uris": [
        "string"
      ],
      "response_types": [
        "string"
      ],
      "scope": "string",
      "sector_identifier_uri": "string",
      "skip_consent": true,
      "subject_type": "string",
      "token_endpoint_auth_method": "string",
      "token_endpoint_auth_signing_alg": "string",
      "tos_uri": "string",
      "updated_at": "2024-07-29T15:51:28.071Z",
      "userinfo_signed_response_alg": "string"
    },
    "oidc_context": {
      "AdditionalProperties": {},
      "acr_values": [
        "string"
      ],
      "display": "string",
      "id_token_hint_claims": {},
      "login_hint": "string",
      "ui_locales": [
        "string"
      ]
    },
    "request_url": "string",
    "requested_access_token_audience": [
      "string"
    ],
    "requested_scope": [
      "string"
    ],
    "session_id": "string",
    "skip": true,
    "subject": "string"
  },
  "organization_id": "string",
  "request_url": "string",
  "return_to": "string",
  "session_token_exchange_code": "string",
  "transient_payload": {},
  "type": "string",
  "ui": {
    "action": "string",
    "messages": [
      {
        "context": {},
        "id": 0,
        "text": "string",
        "type": "info"
      }
    ],
    "method": "string",
    "nodes": [
      {
        "attributes": {
          "autocomplete": "email",
          "disabled": true,
          "label": {
            "context": {},
            "id": 0,
            "text": "string",
            "type": "info"
          },
          "name": "string",
          "node_type": "string",
          "onclick": "string",
          "pattern": "string",
          "required": true,
          "type": "text"
        },
        "group": "default",
        "messages": [
          {
            "context": {},
            "id": 0,
            "text": "string",
            "type": "info"
          }
        ],
        "meta": {
          "label": {
            "context": {},
            "id": 0,
            "text": "string",
            "type": "info"
          }
        },
        "type": "text"
      }
    ]
  }
}

410

errorGeneric

application/json

Schema

Schema

error objectrequired
codeinteger<int64>
The status code
Example: 404
debugstring
Debug information
This field is often not exposed to protect against leaking sensitive information.
Example: SQL field "foo" is not a bool.
detailsobject
Further error details
idstring
The error ID
Useful when trying to identify various errors in application logic.
messagestringrequired
Error message
The error's message.
Example: The resource could not be found
reasonstring
A human-readable reason for the error
Example: User with ID 1234 does not exist.
requeststring
The request ID
The request ID is often exposed internally in order to trace errors across service architectures. This is often a UUID.
Example: d7ef54b1-ec15-46e6-bccb-524b82c035e6
statusstring
The status description
Example: Not Found

Example (auto)

{
  "error": {
    "code": 404,
    "debug": "SQL field \"foo\" is not a bool.",
    "details": {},
    "id": "string",
    "message": "The resource could not be found",
    "reason": "User with ID 1234 does not exist.",
    "request": "d7ef54b1-ec15-46e6-bccb-524b82c035e6",
    "status": "Not Found"
  }
}

422

errorBrowserLocationChangeRequired

application/json

Schema

Schema

error object
The standard Ory JSON API error format.
error objectrequired
codeinteger<int64>
The status code
Example: 404
debugstring
Debug information
This field is often not exposed to protect against leaking sensitive information.
Example: SQL field "foo" is not a bool.
detailsobject
Further error details
idstring
The error ID
Useful when trying to identify various errors in application logic.
messagestringrequired
Error message
The error's message.
Example: The resource could not be found
reasonstring
A human-readable reason for the error
Example: User with ID 1234 does not exist.
requeststring
The request ID
The request ID is often exposed internally in order to trace errors across service architectures. This is often a UUID.
Example: d7ef54b1-ec15-46e6-bccb-524b82c035e6
statusstring
The status description
Example: Not Found
redirect_browser_tostring

Points to where to redirect the user to next.

Example (auto)

{
  "error": {
    "error": {
      "code": 404,
      "debug": "SQL field \"foo\" is not a bool.",
      "details": {},
      "id": "string",
      "message": "The resource could not be found",
      "reason": "User with ID 1234 does not exist.",
      "request": "d7ef54b1-ec15-46e6-bccb-524b82c035e6",
      "status": "Not Found"
    }
  },
  "redirect_browser_to": "string"
}

default

errorGeneric

application/json

Schema

Schema

error objectrequired
codeinteger<int64>
The status code
Example: 404
debugstring
Debug information
This field is often not exposed to protect against leaking sensitive information.
Example: SQL field "foo" is not a bool.
detailsobject
Further error details
idstring
The error ID
Useful when trying to identify various errors in application logic.
messagestringrequired
Error message
The error's message.
Example: The resource could not be found
reasonstring
A human-readable reason for the error
Example: User with ID 1234 does not exist.
requeststring
The request ID
The request ID is often exposed internally in order to trace errors across service architectures. This is often a UUID.
Example: d7ef54b1-ec15-46e6-bccb-524b82c035e6
statusstring
The status description
Example: Not Found

Example (auto)

{
  "error": {
    "code": 404,
    "debug": "SQL field \"foo\" is not a bool.",
    "details": {},
    "id": "string",
    "message": "The resource could not be found",
    "reason": "User with ID 1234 does not exist.",
    "request": "d7ef54b1-ec15-46e6-bccb-524b82c035e6",
    "status": "Not Found"
  }
}

• csharp
• curl
• dart
• go
• http
• java
• javascript
• kotlin
• c
• nodejs
• objective-c
• ocaml
• php
• powershell
• python
• r
• ruby
• rust
• shell
• swift

• HTTPCLIENT
• RESTSHARP

var client = new HttpClient();
var request = new HttpRequestMessage(HttpMethod.Post, "https://accounts.<domain>/auth/self-service/registration");
request.Headers.Add("Accept", "application/json");
var content = new StringContent("{\n  \"csrf_token\": \"string\",\n  \"method\": \"string\",\n  \"password\": \"string\",\n  \"traits\": {},\n  \"transient_payload\": {}\n}", null, "application/json");
request.Content = content;
var response = await client.SendAsync(request);
response.EnsureSuccessStatusCode();
Console.WriteLine(await response.Content.ReadAsStringAsync());

Request Collapse all

Base URL

https://accounts.<domain>

Parameters

flow — queryrequired

Cookie — header

Body required

Content-Type

application/jsonapplication/x-www-form-urlencoded

{
  "csrf_token": "string",
  "method": "string",
  "password": "string",
  "traits": {},
  "transient_payload": {}
}