Skip to main content

Setting up Account Recovery and Password Reset

To set up account recovery, your Identity Schema must have an email in its traits and add

{
"ory.sh/kratos": {
"recovery": {
"via": "email"
}
}
}

to it, for example:

{
"$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Person",
"type": "object",
"properties": {
"traits": {
"type": "object",
"properties": {
"email": {
"type": "string",
"format": "email",
"title": "E-Mail",
"minLength": 3,
+ "ory.sh/kratos": {
+ "recovery": {
+ "via": "email"
+ }
+ }
}
}
}
}
}

Account recovery supports sending out a recovery link to an email address. For this to work, you must have the courier SMTP connection configured in your Ory Kratos Config File (kratos serve -c /home/kratos/.kratos.yml):

 # Ory Kratos Config File
+courier:
+ smtp:
+ connection_uri: smtps://username:password@smtp-server:1234/
# ...

You also need to enable account recovery and have the link method enabled:

 selfservice:
methods:
link:
# Defaults to true, so left out. If you explicitly want to disable this method,
# set the value to `false`.
#
# enabled: true

config:
# If the link should point to a domain (and path) that differs from the configured public base URL,
# set this value to the base URL you want:
base_url: https://my-example-domain.com

flows:
# login ...
# registration...

+ recovery:
+ enabled: true
+ ui_url: http://127.0.0.1:4455/recovery

# ...

That all that's needed! For more information on implementing the UI and details about the payloads, head over to the Account Recovery Documentation!

Invalidate Other Sessions​

To invalidate all other sessions upon successful account recovery, add the revoke_active_sessions hook to:

 selfservice:
flows:
recovery:
enabled: true
ui_url: http://127.0.0.1:4455/recovery
+ after:
+ hooks:
+ - hook: revoke_active_sessions