Update Recovery Flow
POST {{baseUrl}}/self-service/recovery?flow=<string>&token=<string>
Use this endpoint to update a recovery flow. This endpoint behaves differently for API and browser flows and has several states:

choose_method expects flow (in the URL query) and email (in the body) to be sent and works with API- and Browser-initiated flows. For API clients and Browser clients with HTTP Header Accept: application/json it returns either an HTTP 200 OK when the form is valid or an HTTP 400 Bad Request when the form is invalid, and an HTTP 303 See Other redirect with a fresh recovery flow if the flow was otherwise invalid (e.g. expired). For Browser clients without HTTP Header Accept or with Accept: text/* it returns an HTTP 303 See Other redirect to the Recovery UI URL with the Recovery Flow ID appended.

sent_email is the success state after choose_method for the link method and allows the user to request another recovery email. It works for both API and Browser-initiated flows and returns the same responses as the flow in choose_method state.

passed_challenge expects a token to be sent in the URL query and, given the nature of the flow (sending a recovery link), does not have any API capabilities. The server responds with an HTTP 303 See Other redirect either to the Settings UI URL (if the link was valid), instructing the user to update their password, or to the Recovery UI URL with a new Recovery Flow ID which contains an error message that the recovery link was invalid.

More information can be found at Ory Kratos Account Recovery Documentation.
Request Params
Key | Datatype | Required | Description |
---|---|---|---|
flow | string | Yes | The Recovery Flow ID. The value for this parameter comes from the flow URL query parameter sent to your application (e.g. /recovery?flow=abcde). |
token | string | | Recovery Token. The recovery token which completes the recovery request. If the token is invalid (e.g. expired) an error will be shown to the end-user. This parameter is usually set in a link and not used by any direct API call. |
Request Body
Key | Datatype | Value |
---|---|---|
email | string | <string> |
method | string | link |
csrf_token | string | <string> |
HEADERS
Key | Datatype | Required | Description |
---|---|---|---|
Cookie | string | | HTTP Cookies. When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header sent by the client to your server here. This ensures that CSRF and session cookies are respected. |
Content-Type | string | | |
Accept | string | | |
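
A server-side submit for the choose_method and sent_email states, with the response handling described above, as an added example that is not part of the Ory documentation. The host names, the function names, the JSON encoding of the request body and the flow parameter read from the redirect Location are assumptions.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request


def build_recovery_update(base_url, flow_id, email, csrf_token=None, cookie=None):
    """Build (without sending) the POST for the choose_method / sent_email states."""
    if not flow_id:
        raise ValueError("flow is required in the URL query")
    query = urlencode({"flow": flow_id})  # encodes the ID, so it cannot add parameters
    url = f"{base_url.rstrip('/')}/self-service/recovery?{query}"
    body = {"email": email, "method": "link"}
    if csrf_token:
        body["csrf_token"] = csrf_token
    # Accept: application/json selects the 200 / 400 / 303 behaviour documented above.
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if cookie:
        # Forward the end user's Cookie header so CSRF and session cookies are respected.
        headers["Cookie"] = cookie
    return Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")


def interpret_response(status, location=None):
    """Map a documented response to the next action for a JSON client."""
    if status == 200:
        return ("ok", None)            # form valid
    if status == 400:
        return ("form_invalid", None)  # show the flow's validation messages again
    if status == 303:
        # Flow otherwise invalid (e.g. expired). Assumption: the fresh flow ID is
        # carried as ?flow= in the Location header; None if it is absent.
        query = parse_qs(urlsplit(location or "").query)
        return ("restart", query.get("flow", [None])[0])
    return ("unexpected", None)


if __name__ == "__main__":
    # Constructed sample values; kratos.example is a placeholder host.
    req = build_recovery_update("https://kratos.example", "abcde", "user@example.com",
                                csrf_token="constructed-token", cookie="name=value")
    print(req.get_method(), req.full_url)
    print(interpret_response(303, "https://app.example/recovery?flow=fresh123"))
```

Send the request with an HTTP client configured not to follow redirects, so the 303 and its Location header reach interpret_response instead of being followed automatically.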