Qodex.ai

Create Login Flow for Native Apps

GET {{baseUrl}}/self-service/login/api?refresh=<boolean>&aal=<string>&return_session_token_exchange_code=<boolean>&return_to=<string>&via=<string>

This endpoint initiates a login flow for native apps that do not use a browser, such as mobile devices, smart TVs, and so on.

If a valid provided session cookie or session token is provided, a 400 Bad Request error will be returned unless the URL query parameter ?refresh=true is set.

To fetch an existing login flow call /self-service/login/flows?flow=<flow_id>.

You MUST NOT use this endpoint in client-side (Single Page Apps, ReactJS, AngularJS) nor server-side (Java Server Pages, NodeJS, PHP, Golang, ...) browser applications. Using this endpoint in these applications will make you vulnerable to a variety of CSRF attacks, including CSRF login attacks.

In the case of an error, the error.id of the JSON response body can be one of:

session_already_available: The user is already signed in. session_aal1_required: Multi-factor auth (e.g. 2fa) was requested but the user has no session yet. security_csrf_violation: Unable to fetch the flow because a CSRF violation occurred.

This endpoint MUST ONLY be used in scenarios such as native mobile apps (React Native, Objective C, Swift, Java, ...).

More information can be found at Ory Kratos User Login and User Registration Documentation.

Request Params

KeyDatatypeRequiredDescription
refreshstringRefresh a login session

If set to true, this will refresh an existing login session by asking the user to sign in again. This will reset the authenticated_at time of the session. | | aal | string | | Request a Specific AuthenticationMethod Assurance Level

Use this parameter to upgrade an existing session's authenticator assurance level (AAL). This allows you to ask for multi-factor authentication. When an identity sign in using e.g. username+password, the AAL is 1. If you wish to "upgrade" the session's security by asking the user to perform TOTP / WebAuth/ ... you would set this to "aal2". | | return_session_token_exchange_code | string | | EnableSessionTokenExchangeCode requests the login flow to include a code that can be used to retrieve the session token after the login flow has been completed. | | return_to | string | | The URL to return the browser to after the flow was completed. | | via | string | | Via should contain the identity's credential the code should be sent to. Only relevant in aal2 flows. |

HEADERS

KeyDatatypeRequiredDescription
X-Session-TokenstringThe Session Token of the Identity performing the settings flow.
Acceptstring

RESPONSES

status: OK

{&quot;id&quot;:&quot;\u003cuuid\u003e&quot;,&quot;type&quot;:&quot;\u003cstring\u003e&quot;,&quot;expires_at&quot;:&quot;\u003cdateTime\u003e&quot;,&quot;issued_at&quot;:&quot;\u003cdateTime\u003e&quot;,&quot;request_url&quot;:&quot;\u003cstring\u003e&quot;,&quot;ui&quot;:{&quot;action&quot;:&quot;\u003cstring\u003e&quot;,&quot;method&quot;:&quot;\u003cstring\u003e&quot;,&quot;nodes&quot;:[{&quot;type&quot;:&quot;img&quot;,&quot;group&quot;:&quot;default&quot;,&quot;attributes&quot;:{&quot;name&quot;:&quot;\u003cstring\u003e&quot;,&quot;type&quot;:&quot;password&quot;,&quot;disabled&quot;:&quot;\u003cboolean\u003e&quot;,&quot;node_type&quot;:&quot;a&quot;,&quot;autocomplete&quot;:&quot;one-time-code&quot;,&quot;label&quot;:{&quot;id&quot;:&quot;\u003clong\u003e&quot;,&quot;text&quot;:&quot;\u003cstring\u003e&quot;,&quot;type&quot;:&quot;error&quot;,&quot;context&quot;:{}},&quot;onclick&quot;:&quot;\u003cstring\u003e&quot;,&quot;onload&quot;:&quot;\u003cstring\u003e&quot;,&quot;pattern&quot;:&quot;\u003cstring\u003e&quot;,&quot;required&quot;:&quot;\u003cboolean\u003e&quot;,&quot;value&quot;:{&quot;description&quot;:&quot;The input&#39;s value.&quot;,&quot;nullable&quot;:true}},&quot;messages&quot;:[{&quot;id&quot;:&quot;\u003clong\u003e&quot;,&quot;text&quot;:&quot;\u003cstring\u003e&quot;,&quot;type&quot;:&quot;error&quot;,&quot;context&quot;:{}},{&quot;id&quot;:&quot;\u003clong\u003e&quot;,&quot;text&quot;:&quot;\u003cstring\u003e&quot;,&quot;type&quot;:&quot;info&quot;,&quot;context&quot;:{}}],&quot;meta&quot;:{&quot;label&quot;:{&quot;id&quot;:&quot;\u003clong\u003e&quot;,&quot;text&quot;:&quot;\u003cstring\u003e&quot;,&quot;type&quot;:&quot;error&quot;,&quot;context&quot;:{}}}},{&quot;type&quot;:&quot;a&quot;,&quot;group&quot;:&quot;webauthn&quot;,&quot;attributes&quot;:{&quot;name&quot;:&quot;\u003cstring\u003e&quot;,&quot;type&quot;:&quot;submit&quot;,&quot;disabled&quot;:&quot;\u003cboolean\u003e&quot;,&quot;node_type&quot;:&quot;input&quot;,&quot;autocomplete&quot;:&quot;one-time-code&quot;,&quot;label&quot;:{&quot;id&quot;:&quot;\u003clong\u003e&quot;,&quot;text&quot;:&quot;\u003cstring\u003e&quot;,&quot;type&quot;:&quot;success&quot;,&quot;context&quot;:{}},&quot;onclick&quot;:&quot;\u003cstring\u003e&quot;,&quot;onload&quot;:&quot;\u003cstring\u003e&quot;,&quot;pattern&quot;:&quot;\u003cstring\u003e&quot;,&quot;required&quot;:&quot;\u003cboolean\u003e&quot;,&quot;value&quot;:{&quot;description&quot;:&quot;The input&#39;s value.&quot;,&quot;nullable&quot;:true}},&quot;messages&quot;:[{&quot;id&quot;:&quot;\u003clong\u003e&quot;,&quot;text&quot;:&quot;\u003cstring\u003e&quot;,&quot;type&quot;:&quot;success&quot;,&quot;context&quot;:{}},{&quot;id&quot;:&quot;\u003clong\u003e&quot;,&quot;text&quot;:&quot;\u003cstring\u003e&quot;,&quot;type&quot;:&quot;info&quot;,&quot;context&quot;:{}}],&quot;meta&quot;:{&quot;label&quot;:{&quot;id&quot;:&quot;\u003clong\u003e&quot;,&quot;text&quot;:&quot;\u003cstring\u003e&quot;,&quot;type&quot;:&quot;info&quot;,&quot;context&quot;:{}}}}],&quot;messages&quot;:[{&quot;id&quot;:&quot;\u003clong\u003e&quot;,&quot;text&quot;:&quot;\u003cstring\u003e&quot;,&quot;type&quot;:&quot;info&quot;,&quot;context&quot;:{}},{&quot;id&quot;:&quot;\u003clong\u003e&quot;,&quot;text&quot;:&quot;\u003cstring\u003e&quot;,&quot;type&quot;:&quot;success&quot;,&quot;context&quot;:{}}]},&quot;state&quot;:{&quot;description&quot;:&quot;State represents the state of this request:\n\nchoose_method: ask the user to choose a method to sign in with\nsent_email: the email has been sent to the user\npassed_challenge: the request was successful and the login challenge was passed.&quot;},&quot;active&quot;:&quot;password&quot;,&quot;created_at&quot;:&quot;\u003cdateTime\u003e&quot;,&quot;oauth2_login_challenge&quot;:&quot;\u003cstring\u003e&quot;,&quot;oauth2_login_request&quot;:{&quot;challenge&quot;:&quot;\u003cstring\u003e&quot;,&quot;client&quot;:{&quot;access_token_strategy&quot;:&quot;\u003cstring\u003e&quot;,&quot;allowed_cors_origins&quot;:[&quot;\u003cstring\u003e&quot;,&quot;\u003cstring\u003e&quot;],&quot;audience&quot;:[&quot;\u003cstring\u003e&quot;,&quot;\u003cstring\u003e&quot;],&quot;authorization_code_grant_access_token_lifespan&quot;:&quot;\u003cstring\u003e&quot;,&quot;authorization_code_grant_id_token_lifespan&quot;:&quot;\u003cstring\u003e&quot;,&quot;authorization_code_grant_refresh_token_lifespan&quot;:&quot;\u003cstring\u003e&quot;,&quot;backchannel_logout_session_required&quot;:&quot;\u003cboolean\u003e&quot;,&quot;backchannel_logout_uri&quot;:&quot;\u003cstring\u003e&quot;,&quot;client_credentials_grant_access_token_lifespan&quot;:&quot;\u003cstring\u003e&quot;,&quot;client_id&quot;:&quot;\u003cstring\u003e&quot;,&quot;client_name&quot;:&quot;\u003cstring\u003e&quot;,&quot;client_secret&quot;:&quot;\u003cstring\u003e&quot;,&quot;client_secret_expires_at&quot;:&quot;\u003clong\u003e&quot;,&quot;client_uri&quot;:&quot;\u003cstring\u003e&quot;,&quot;contacts&quot;:[&quot;\u003cstring\u003e&quot;,&quot;\u003cstring\u003e&quot;],&quot;created_at&quot;:&quot;\u003cdateTime\u003e&quot;,&quot;frontchannel_logout_session_required&quot;:&quot;\u003cboolean\u003e&quot;,&quot;frontchannel_logout_uri&quot;:&quot;\u003cstring\u003e&quot;,&quot;grant_types&quot;:[&quot;\u003cstring\u003e&quot;,&quot;\u003cstring\u003e&quot;],&quot;implicit_grant_access_token_lifespan&quot;:&quot;\u003cstring\u003e&quot;,&quot;implicit_grant_id_token_lifespan&quot;:&quot;\u003cstring\u003e&quot;,&quot;jwks&quot;:{&quot;description&quot;:&quot;OAuth 2.0 Client JSON Web Key Set  Client&#39;s JSON Web Key Set [JWK] document, passed by value. The semantics of the jwks parameter are the same as the jwks_uri parameter, other than that the JWK Set is passed by value, rather than by reference. This parameter is intended only to be used by Clients that, for some reason, are unable to use the jwks_uri parameter, for instance, by native applications that might not have a location to host the contents of the JWK Set. If a Client can use jwks_uri, it MUST NOT use jwks. One significant downside of jwks is that it does not enable key rotation (which jwks_uri does, as described in Section 10 of OpenID Connect Core 1.0 [OpenID.Core]). The jwks_uri and jwks parameters MUST NOT be used together.&quot;},&quot;jwks_uri&quot;:&quot;\u003cstring\u003e&quot;,&quot;jwt_bearer_grant_access_token_lifespan&quot;:&quot;\u003cstring\u003e&quot;,&quot;logo_uri&quot;:&quot;\u003cstring\u003e&quot;,&quot;metadata&quot;:{},&quot;owner&quot;:&quot;\u003cstring\u003e&quot;,&quot;policy_uri&quot;:&quot;\u003cstring\u003e&quot;,&quot;post_logout_redirect_uris&quot;:[&quot;\u003cstring\u003e&quot;,&quot;\u003cstring\u003e&quot;],&quot;redirect_uris&quot;:[&quot;\u003cstring\u003e&quot;,&quot;\u003cstring\u003e&quot;],&quot;refresh_token_grant_access_token_lifespan&quot;:&quot;\u003cstring\u003e&quot;,&quot;refresh_token_grant_id_token_lifespan&quot;:&quot;\u003cstring\u003e&quot;,&quot;refresh_token_grant_refresh_token_lifespan&quot;:&quot;\u003cstring\u003e&quot;,&quot;registration_access_token&quot;:&quot;\u003cstring\u003e&quot;,&quot;registration_client_uri&quot;:&quot;\u003cstring\u003e&quot;,&quot;request_object_signing_alg&quot;:&quot;\u003cstring\u003e&quot;,&quot;request_uris&quot;:[&quot;\u003cstring\u003e&quot;,&quot;\u003cstring\u003e&quot;],&quot;response_types&quot;:[&quot;\u003cstring\u003e&quot;,&quot;\u003cstring\u003e&quot;],&quot;scope&quot;:&quot;\u003cstring\u003e&quot;,&quot;sector_identifier_uri&quot;:&quot;\u003cstring\u003e&quot;,&quot;skip_consent&quot;:&quot;\u003cboolean\u003e&quot;,&quot;skip_logout_consent&quot;:&quot;\u003cboolean\u003e&quot;,&quot;subject_type&quot;:&quot;\u003cstring\u003e&quot;,&quot;token_endpoint_auth_method&quot;:&quot;\u003cstring\u003e&quot;,&quot;token_endpoint_auth_signing_alg&quot;:&quot;\u003cstring\u003e&quot;,&quot;tos_uri&quot;:&quot;\u003cstring\u003e&quot;,&quot;updated_at&quot;:&quot;\u003cdateTime\u003e&quot;,&quot;userinfo_signed_response_alg&quot;:&quot;\u003cstring\u003e&quot;},&quot;oidc_context&quot;:{&quot;acr_values&quot;:[&quot;\u003cstring\u003e&quot;,&quot;\u003cstring\u003e&quot;],&quot;display&quot;:&quot;\u003cstring\u003e&quot;,&quot;id_token_hint_claims&quot;:{&quot;sit_b&quot;:{}},&quot;login_hint&quot;:&quot;\u003cstring\u003e&quot;,&quot;ui_locales&quot;:[&quot;\u003cstring\u003e&quot;,&quot;\u003cstring\u003e&quot;]},&quot;request_url&quot;:&quot;\u003cstring\u003e&quot;,&quot;requested_access_token_audience&quot;:[&quot;\u003cstring\u003e&quot;,&quot;\u003cstring\u003e&quot;],&quot;requested_scope&quot;:[&quot;\u003cstring\u003e&quot;,&quot;\u003cstring\u003e&quot;],&quot;session_id&quot;:&quot;\u003cstring\u003e&quot;,&quot;skip&quot;:&quot;\u003cboolean\u003e&quot;,&quot;subject&quot;:&quot;\u003cstring\u003e&quot;},&quot;organization_id&quot;:&quot;\u003cstring\u003e&quot;,&quot;refresh&quot;:&quot;\u003cboolean\u003e&quot;,&quot;requested_aal&quot;:&quot;aal2&quot;,&quot;return_to&quot;:&quot;\u003cstring\u003e&quot;,&quot;session_token_exchange_code&quot;:&quot;\u003cstring\u003e&quot;,&quot;transient_payload&quot;:{},&quot;updated_at&quot;:&quot;\u003cdateTime\u003e&quot;}