Submit a Login Flow

POST {{baseUrl}}/self-service/login?flow=<string>

Use this endpoint to complete a login flow. This endpoint behaves differently for API and browser flows.

API flows expect application/json to be sent in the body and respond with HTTP 200 and an application/json body containing the session token on success; HTTP 410 if the original flow expired, with the appropriate error messages set and optionally a use_flow_id parameter in the body; HTTP 400 on form validation errors.

Browser flows expect a Content-Type of application/x-www-form-urlencoded or application/json to be sent in the body and respond with an HTTP 303 redirect to the post/after-login URL, or to the return_to value if one was set, when the login succeeded; otherwise an HTTP 303 redirect to the login UI URL with the flow ID, the flow carrying the validation errors.

Browser flows with an Accept header of application/json will not redirect but instead respond with HTTP 200 and an application/json body with the signed-in identity and a Set-Cookie header on success; HTTP 303 redirect to a fresh login flow if the original flow expired, with the appropriate error messages set; HTTP 400 on form validation errors.

If this endpoint is called with Accept: application/json in the header, the response contains the flow without a redirect. In the case of an error, the error.id of the JSON response body can be one of:

session_already_available: The user is already signed in.
security_csrf_violation: Unable to fetch the flow because a CSRF violation occurred.
security_identity_mismatch: The requested ?return_to address is not allowed to be used. Adjust this in the configuration!
browser_location_change_required: Usually sent when an AJAX request indicates that the browser needs to open a specific URL. Most likely used in Social Sign In flows.

More information can be found at Ory Kratos User Login and User Registration Documentation.
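The status-code contract above (200 with session_token, 303 with a Location, 410 with use_flow_id, 400 with validation messages or an error.id) is easy to get subtly wrong in a client, in particular by letting the HTTP library follow the 303 on its own. The following Python client is an added example, not code from Ory or the Kratos SDK. It builds the request for both the API flow (JSON body, optional X-Session-Token) and a browser flow submitted from your own server (form body, csrf_token, the client's Cookie header forwarded unchanged), and maps every documented response to a uniform outcome without following redirects. Assumptions, labelled in the comments: the expired-flow body carries use_flow_id at top level, the browser_location_change_required error carries the target URL in redirect_browser_to, and validation messages live under ui.messages and ui.nodes[].messages. The sample responses at the bottom are constructed for offline use, not captured from a Kratos instance.

```python
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from urllib.parse import urlencode, urlparse


@dataclass
class HttpResponse:
    status: int
    headers: dict  # header names lower-cased
    body: bytes

    def json(self):
        try:
            return json.loads(self.body.decode() or "{}")
        except ValueError:  # non-JSON body (e.g. an HTML error page)
            return {}


def build_request(base_url, flow_id, identifier, password, *, api=True,
                  csrf_token=None, session_token=None, cookie=None):
    """Build (url, headers, body) for the `password` method.

    API flow: JSON body, no csrf_token, optional X-Session-Token.
    Browser flow submitted server-side: form body, csrf_token from the flow's UI
    nodes, and the client's Cookie header forwarded so Kratos can check the CSRF
    and session cookies. Accept: application/json asks for JSON, not redirects.
    """
    url = f"{base_url}/self-service/login?flow={flow_id}"
    fields = {"method": "password", "identifier": identifier, "password": password}
    headers = {"Accept": "application/json"}
    if api:
        headers["Content-Type"] = "application/json"
        if session_token:
            headers["X-Session-Token"] = session_token
        body = json.dumps(fields).encode()
    else:
        if not csrf_token:
            raise ValueError("browser flows need the csrf_token from the flow")
        fields["csrf_token"] = csrf_token
        headers["Content-Type"] = "application/x-www-form-urlencoded"
        if cookie:
            headers["Cookie"] = cookie
        body = urlencode(fields).encode()
    return url, headers, body


def same_origin(location, base_url):
    """True if a redirect target stays on base_url's scheme and host."""
    a, b = urlparse(location), urlparse(base_url)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def handle_response(resp, base_url):
    """Map the documented status codes to a uniform outcome dict."""
    if resp.status == 200:
        data = resp.json()
        return {"outcome": "success",
                "session_id": data["session"]["id"],
                "identity_id": data["session"]["identity"]["id"],
                "session_token": data.get("session_token"),    # API flows only
                "set_cookie": resp.headers.get("set-cookie"),  # browser flows only
                "continue_with": [c["action"] for c in data.get("continue_with", [])]}
    if resp.status == 303:
        # Never follow blindly: report the target and whether it is on our origin.
        loc = resp.headers.get("location", "")
        return {"outcome": "redirect", "location": loc, "same_origin": same_origin(loc, base_url)}
    data = resp.json()
    if resp.status == 410:
        # Expired flow; use_flow_id (assumed top-level) names the replacement flow to retry with.
        return {"outcome": "expired", "use_flow_id": data.get("use_flow_id")}
    if "error" in data:
        # One of the error.id values listed above. For browser_location_change_required the
        # URL the browser must open is assumed to sit in redirect_browser_to.
        return {"outcome": "error", "error_id": data["error"].get("id"),
                "redirect_browser_to": data.get("redirect_browser_to")}
    if resp.status == 400:
        # Validation failure: the body is the login flow; messages assumed under ui.* (see lead-in).
        ui = data.get("ui", {})
        msgs = [m["text"] for m in ui.get("messages", [])]
        for node in ui.get("nodes", []):
            msgs += [m["text"] for m in node.get("messages", [])]
        return {"outcome": "validation_error", "messages": msgs}
    return {"outcome": "unexpected", "status": resp.status}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 303 to handle_response instead of following it


def urllib_transport(url, headers, body):
    """Real transport: POST and return the raw response, 3xx and 4xx included."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=10) as r:
            return HttpResponse(r.status, {k.lower(): v for k, v in r.headers.items()}, r.read())
    except urllib.error.HTTPError as e:
        return HttpResponse(e.code, {k.lower(): v for k, v in e.headers.items()}, e.read())


def fake_transport(resp):
    """Transport returning a canned HttpResponse, for offline use."""
    return lambda url, headers, body: resp


def submit_login(base_url, flow_id, identifier, password, transport=urllib_transport, **kw):
    url, headers, body = build_request(base_url, flow_id, identifier, password, **kw)
    return handle_response(transport(url, headers, body), base_url)


# Constructed sample responses (shape follows the page; values are made up).
SAMPLE_OK = HttpResponse(200, {}, json.dumps({
    "session": {"id": "sess-1", "identity": {"id": "id-1"}},
    "continue_with": [{"action": "show_verification_ui", "flow": {"id": "v-1"}}],
    "session_token": "ory_st_example"}).encode())
SAMPLE_EXPIRED = HttpResponse(410, {}, json.dumps({
    "error": {"id": "self_service_flow_expired", "code": 410}, "use_flow_id": "flow-2"}).encode())
SAMPLE_INVALID = HttpResponse(400, {}, json.dumps({"ui": {"messages": [], "nodes": [
    {"messages": [{"text": "The provided credentials are invalid."}]}]}}).encode())
```

For a browser flow, pass api=False with the csrf_token read from the flow's UI nodes and the incoming request's Cookie header; the same handle_response then yields a redirect outcome whose same_origin flag tells you whether the Location may be handed back to the browser.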

Request Params

| Key | Datatype | Required | Description |
| --- | --- | --- | --- |
| flow | string | Required | The Login Flow ID. The value for this parameter comes from the `flow` URL query parameter sent to your application (e.g. /login?flow=abcde). |

Request Body

| Key | Datatype | Value |
| --- | --- | --- |
| method | string | `<string>` |
| password | string | `<string>` |
| identifier | string | `<string>` |
| csrf_token | string | `<string>` |
| password_identifier | string | `<string>` |

HEADERS

| Key | Datatype | Required | Description |
| --- | --- | --- | --- |
| X-Session-Token | string | | The Session Token of the Identity performing the login flow. |
| Cookie | string | | HTTP Cookies. When using the SDK in a browser app, on the server side you must include the HTTP Cookie header sent by the client to your server here. This ensures that CSRF and session cookies are respected. |
| Content-Type | string | | |
| Accept | string | | |

RESPONSES

status: OK

```json
{
  "session": {
    "id": "<uuid>",
    "active": "<boolean>",
    "authenticated_at": "<dateTime>",
    "authentication_methods": [
      {
        "aal": "aal0",
        "completed_at": "<dateTime>",
        "method": "v0.6_legacy_session",
        "organization": "<string>",
        "provider": "<string>"
      },
      {
        "aal": "aal1",
        "completed_at": "<dateTime>",
        "method": "webauthn",
        "organization": "<string>",
        "provider": "<string>"
      }
    ],
    "authenticator_assurance_level": "aal0",
    "devices": [
      {
        "id": "<uuid>",
        "ip_address": "<string>",
        "location": "<string>",
        "user_agent": "<string>"
      },
      {
        "id": "<uuid>",
        "ip_address": "<string>",
        "location": "<string>",
        "user_agent": "<string>"
      }
    ],
    "expires_at": "<dateTime>",
    "identity": {
      "id": "<uuid>",
      "schema_id": "<string>",
      "schema_url": "<string>",
      "traits": {
        "description": "Traits represent an identity's traits. The identity is able to create, modify, and delete traits\nin a self-service manner. The input will always be validated against the JSON Schema defined\nin `schema_url`."
      },
      "created_at": "<dateTime>",
      "credentials": {
        "dolore__e": {
          "config": {},
          "created_at": "<dateTime>",
          "identifiers": ["<string>", "<string>"],
          "type": "profile",
          "updated_at": "<dateTime>",
          "version": "<long>"
        },
        "in_": {
          "config": {},
          "created_at": "<dateTime>",
          "identifiers": ["<string>", "<string>"],
          "type": "webauthn",
          "updated_at": "<dateTime>",
          "version": "<long>"
        }
      },
      "metadata_admin": {
        "description": "NullJSONRawMessage represents a json.RawMessage that works well with JSON, SQL, and Swagger and is NULLable-",
        "nullable": true
      },
      "metadata_public": {
        "description": "NullJSONRawMessage represents a json.RawMessage that works well with JSON, SQL, and Swagger and is NULLable-",
        "nullable": true
      },
      "organization_id": "<string>",
      "recovery_addresses": [
        {
          "id": "<uuid>",
          "value": "<string>",
          "via": "<string>",
          "created_at": "<dateTime>",
          "updated_at": "<dateTime>"
        },
        {
          "id": "<uuid>",
          "value": "<string>",
          "via": "<string>",
          "created_at": "<dateTime>",
          "updated_at": "<dateTime>"
        }
      ],
      "state": "active",
      "state_changed_at": "<dateTime>",
      "updated_at": "<dateTime>",
      "verifiable_addresses": [
        {
          "value": "<string>",
          "verified": "<boolean>",
          "via": "email",
          "status": "<string>",
          "created_at": "<dateTime>",
          "id": "<uuid>",
          "updated_at": "<dateTime>",
          "verified_at": "<dateTime>"
        },
        {
          "value": "<string>",
          "verified": "<boolean>",
          "via": "sms",
          "status": "<string>",
          "created_at": "<dateTime>",
          "id": "<uuid>",
          "updated_at": "<dateTime>",
          "verified_at": "<dateTime>"
        }
      ]
    },
    "issued_at": "<dateTime>",
    "tokenized": "<string>"
  },
  "continue_with": [
    {
      "action": "show_verification_ui",
      "flow": {
        "id": "<uuid>",
        "verifiable_address": "<string>",
        "url": "<string>"
      }
    },
    {
      "action": "show_verification_ui",
      "flow": {
        "id": "<uuid>",
        "verifiable_address": "<string>",
        "url": "<string>"
      }
    }
  ],
  "session_token": "<string>"
}
```