
Setting up account recovery and password reset

To set up account recovery, your identity schema must have an email in its traits and add

```json
{
  "ory.sh/kratos": {
    "recovery": {
      "via": "email"
    }
  }
}
```

to it, for example:

```diff
 {
   "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
   "$schema": "http://json-schema.org/draft-07/schema#",
   "title": "Person",
   "type": "object",
   "properties": {
     "traits": {
       "type": "object",
       "properties": {
         "email": {
           "type": "string",
           "format": "email",
           "title": "E-Mail",
           "minLength": 3,
+          "ory.sh/kratos": {
+            "recovery": {
+              "via": "email"
+            }
+          }
         }
       }
     }
   }
 }
```

Account recovery supports sending out a recovery link to an email address. For this to work, you must have the courier SMTP connection configured in your Ory Kratos Config File (kratos serve -c /home/kratos/.kratos.yml):

```diff
 # Ory Kratos Config File
+courier:
+  smtp:
+    connection_uri: smtps://username:password@smtp-server:1234/
 # ...
```

You also need to enable account recovery and have the link method enabled:

```diff
 selfservice:
   methods:
     link:
       # Defaults to true, so left out. If you explicitly want to disable this method,
       # set the value to `false`.
       #
       # enabled: true

       config:
         # If the link should point to a domain (and path) that differs from the configured public base URL,
         # set this value to the base URL you want:
         base_url: https://my-example-domain.com

   flows:
     # login ...
     # registration...

+    recovery:
+      enabled: true
+      ui_url: http://127.0.0.1:4455/recovery

   # ...
```

That's all that's needed! For more information on implementing the UI and details about the payloads, head over to the Account Recovery Documentation!

Invalidate Other Sessions

To invalidate all other sessions upon successful account recovery, add the revoke_active_sessions hook to:

```diff
 selfservice:
   flows:
     recovery:
       enabled: true
       ui_url: http://127.0.0.1:4455/recovery
+      after:
+        hooks:
+          - hook: revoke_active_sessions
```
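As an added example (not part of the Ory Kratos documentation or code base), the following script checks that the pieces described above fit together: the identity schema carries the `ory.sh/kratos` recovery annotation on an email trait, the courier SMTP connection is set, the recovery flow and link method are enabled, and the `revoke_active_sessions` hook is present. The schema and config dict are constructed inline from this page's snippets; the function names are the example's own.

```python
import json

# Constructed identity schema: the quickstart email-password schema with the recovery annotation.
IDENTITY_SCHEMA = json.loads("""{
  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Person", "type": "object",
  "properties": {"traits": {"type": "object", "properties": {
    "email": {"type": "string", "format": "email", "title": "E-Mail", "minLength": 3,
              "ory.sh/kratos": {"recovery": {"via": "email"}}}}}}
}""")

# Constructed Kratos config as a dict (what loading the YAML snippets on this page would yield).
KRATOS_CONFIG = {
    "courier": {"smtp": {"connection_uri": "smtps://username:password@smtp-server:1234/"}},
    "selfservice": {
        "methods": {"link": {"config": {"base_url": "https://my-example-domain.com"}}},
        "flows": {"recovery": {
            "enabled": True, "ui_url": "http://127.0.0.1:4455/recovery",
            "after": {"hooks": [{"hook": "revoke_active_sessions"}]}}},
    },
}

def recovery_traits(schema):
    """Return the names of email traits annotated with ory.sh/kratos.recovery.via == "email"."""
    traits = schema.get("properties", {}).get("traits", {}).get("properties", {})
    return [name for name, t in traits.items()
            if t.get("format") == "email"
            and t.get("ory.sh/kratos", {}).get("recovery", {}).get("via") == "email"]

def check_recovery_config(schema, config):
    """Return a list of findings; an empty list means recovery is wired up as the page describes."""
    findings = []
    if not recovery_traits(schema):
        findings.append("no email trait carries the ory.sh/kratos recovery annotation")
    if not config.get("courier", {}).get("smtp", {}).get("connection_uri"):
        findings.append("courier.smtp.connection_uri is not set; recovery mails cannot be sent")
    ss = config.get("selfservice", {})
    if ss.get("methods", {}).get("link", {}).get("enabled", True) is False:
        findings.append("selfservice.methods.link is explicitly disabled")
    rec = ss.get("flows", {}).get("recovery", {})
    if not rec.get("enabled"):
        findings.append("selfservice.flows.recovery.enabled is not true")
    if not rec.get("ui_url"):
        findings.append("selfservice.flows.recovery.ui_url is missing")
    hooks = [h.get("hook") for h in rec.get("after", {}).get("hooks", [])]
    if "revoke_active_sessions" not in hooks:
        findings.append("revoke_active_sessions hook not set: other sessions survive a recovery")
    return findings

if __name__ == "__main__":
    print(check_recovery_config(IDENTITY_SCHEMA, KRATOS_CONFIG) or "recovery config OK")
```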