Create Settings Flow for Native Apps

GET {{baseUrl}}/self-service/settings/api

This endpoint initiates a settings flow for API clients such as mobile devices, smart TVs, and so on. You must provide a valid Ory Kratos Session Token for this endpoint to respond with HTTP 200 OK.

To fetch an existing settings flow, call /self-service/settings/flows?flow=<flow_id>.

You MUST NOT use this endpoint in client-side (Single Page Apps, ReactJS, AngularJS) or server-side (Java Server Pages, NodeJS, PHP, Golang, ...) browser applications. Using this endpoint in these applications will make you vulnerable to a variety of CSRF attacks.

Depending on your configuration this endpoint might return a 403 error if the session has a lower Authenticator Assurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn credentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user to sign in with the second factor or change the configuration.

In the case of an error, the error.id of the JSON response body can be one of:

security_csrf_violation: Unable to fetch the flow because a CSRF violation occurred.
session_inactive: No Ory Session was found - sign in a user first.

This endpoint MUST ONLY be used in scenarios such as native mobile apps (React Native, Objective C, Swift, Java, ...).

More information can be found at Ory Kratos User Settings & Profile Management Documentation.

HEADERS

Key              Datatype  Required  Description
X-Session-Token  string              The Session Token of the Identity performing the settings flow.
Accept           string
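
The request and error handling described above, as an added example that is not part of the Ory documentation: a native client builds the request with the X-Session-Token header and maps the response to a next step. The function names, the https://kratos.example base URL and the same-origin check on ui.action are assumptions of this example.

```python
import json
import urllib.request
from urllib.parse import urlsplit


def build_request(base_url, session_token):
    """GET request for a native client: token in X-Session-Token, no cookies."""
    if not session_token:
        raise ValueError("a session token is required")
    return urllib.request.Request(
        base_url.rstrip("/") + "/self-service/settings/api",
        headers={"X-Session-Token": session_token, "Accept": "application/json"},
        method="GET",
    )


def same_origin(a, b):
    try:
        ua, ub = urlsplit(a), urlsplit(b)
        return (ua.scheme, ua.hostname, ua.port) == (ub.scheme, ub.hostname, ub.port)
    except ValueError:  # malformed port or host
        return False


def next_step(status, body, base_url):
    """Map a response (status, JSON text) to (action, detail) for the app's UI."""
    try:
        doc = json.loads(body)
    except ValueError:
        return ("fail", "response is not JSON")
    if not isinstance(doc, dict):
        return ("fail", "unexpected JSON shape")
    if status == 200:
        ui = doc.get("ui")
        action = ui.get("action") if isinstance(ui, dict) else None
        # Assumption of this example: only submit to a ui.action on base_url's origin.
        if not isinstance(action, str) or not same_origin(action, base_url):
            return ("fail", "ui.action is not on the expected origin")
        return ("render_form", action)
    err = doc.get("error")
    error_id = err.get("id") if isinstance(err, dict) else None
    if error_id == "session_inactive":
        return ("sign_in", "no Ory Session found; sign the user in first")
    if error_id == "security_csrf_violation":
        return ("fail", "CSRF violation reported while fetching the flow")
    if status == 403:  # AAL of the session is lower than the identity allows
        return ("step_up", "ask the user to sign in with the second factor")
    return ("fail", "unexpected status %d" % status)
```

The error ids are checked before the bare 403 so that a response carrying one of the documented ids is never mistaken for the AAL case.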

RESPONSES

status: OK

{
  "id": "<uuid>",
  "type": "<string>",
  "expires_at": "<dateTime>",
  "issued_at": "<dateTime>",
  "request_url": "<string>",
  "ui": {
    "action": "<string>",
    "method": "<string>",
    "nodes": [
      {
        "type": "text",
        "group": "webauthn",
        "attributes": {
          "name": "<string>",
          "type": "text",
          "disabled": "<boolean>",
          "node_type": "input",
          "autocomplete": "one-time-code",
          "label": {"id": "<long>", "text": "<string>", "type": "success", "context": {}},
          "onclick": "<string>",
          "onload": "<string>",
          "pattern": "<string>",
          "required": "<boolean>",
          "value": {"description": "The input's value.", "nullable": true}
        },
        "messages": [
          {"id": "<long>", "text": "<string>", "type": "success", "context": {}},
          {"id": "<long>", "text": "<string>", "type": "error", "context": {}}
        ],
        "meta": {"label": {"id": "<long>", "text": "<string>", "type": "error", "context": {}}}
      },
      {
        "type": "input",
        "group": "webauthn",
        "attributes": {
          "name": "<string>",
          "type": "number",
          "disabled": "<boolean>",
          "node_type": "img",
          "autocomplete": "url",
          "label": {"id": "<long>", "text": "<string>", "type": "info", "context": {}},
          "onclick": "<string>",
          "onload": "<string>",
          "pattern": "<string>",
          "required": "<boolean>",
          "value": {"description": "The input's value.", "nullable": true}
        },
        "messages": [
          {"id": "<long>", "text": "<string>", "type": "info", "context": {}},
          {"id": "<long>", "text": "<string>", "type": "success", "context": {}}
        ],
        "meta": {"label": {"id": "<long>", "text": "<string>", "type": "error", "context": {}}}
      }
    ],
    "messages": [
      {"id": "<long>", "text": "<string>", "type": "success", "context": {}},
      {"id": "<long>", "text": "<string>", "type": "success", "context": {}}
    ]
  },
  "identity": {
    "id": "<uuid>",
    "schema_id": "<string>",
    "schema_url": "<string>",
    "traits": {"description": "Traits represent an identity's traits. The identity is able to create, modify, and delete traits\nin a self-service manner. The input will always be validated against the JSON Schema defined\nin `schema_url`."},
    "created_at": "<dateTime>",
    "credentials": {
      "fugiat37a": {
        "config": {},
        "created_at": "<dateTime>",
        "identifiers": ["<string>", "<string>"],
        "type": "oidc",
        "updated_at": "<dateTime>",
        "version": "<long>"
      },
      "ut1": {
        "config": {},
        "created_at": "<dateTime>",
        "identifiers": ["<string>", "<string>"],
        "type": "totp",
        "updated_at": "<dateTime>",
        "version": "<long>"
      }
    },
    "metadata_admin": {"description": "NullJSONRawMessage represents a json.RawMessage that works well with JSON, SQL, and Swagger and is NULLable-", "nullable": true},
    "metadata_public": {"description": "NullJSONRawMessage represents a json.RawMessage that works well with JSON, SQL, and Swagger and is NULLable-", "nullable": true},
    "organization_id": "<string>",
    "recovery_addresses": [
      {"id": "<uuid>", "value": "<string>", "via": "<string>", "created_at": "<dateTime>", "updated_at": "<dateTime>"},
      {"id": "<uuid>", "value": "<string>", "via": "<string>", "created_at": "<dateTime>", "updated_at": "<dateTime>"}
    ],
    "state": "active",
    "state_changed_at": "<dateTime>",
    "updated_at": "<dateTime>",
    "verifiable_addresses": [
      {"value": "<string>", "verified": "<boolean>", "via": "sms", "status": "<string>", "created_at": "<dateTime>", "id": "<uuid>", "updated_at": "<dateTime>", "verified_at": "<dateTime>"},
      {"value": "<string>", "verified": "<boolean>", "via": "email", "status": "<string>", "created_at": "<dateTime>", "id": "<uuid>", "updated_at": "<dateTime>", "verified_at": "<dateTime>"}
    ]
  },
  "state": {"description": "State represents the state of this flow. It knows two states:\n\nshow_form: No user data has been collected, or it is invalid, and thus the form should be shown.\nsuccess: Indicates that the settings flow has been updated successfully with the provided data.\nDone will stay true when repeatedly checking. If set to true, done will revert back to false only\nwhen a flow with invalid (e.g. \"please use a valid phone number\") data was sent."},
  "active": "<string>",
  "continue_with": [
    {"action": "show_verification_ui", "flow": {"id": "<uuid>", "verifiable_address": "<string>", "url": "<string>"}},
    {"action": "show_verification_ui", "flow": {"id": "<uuid>", "verifiable_address": "<string>", "url": "<string>"}}
  ],
  "return_to": "<string>",
  "transient_payload": {}
}