Customize login and registration flows with webhooks and actions
Customize login and registration behavior
You can customize login and registration flows using Ory Actions. This includes calling external services or logic with webhooks and triggering logic that is built-in to Ory, such requiring a verified email address to sign in.
Trigger external logic with webhooks
Make webhook calls to third-party service providers when users sign up or sign in:
Control who registers with additional validation
Use Ory Actions to add extra validation that allows you to control exactly who can sign up. For example, you can prevent users from signing up when:
- their email domain doesn't match a certain value - this way you can allow only users from certain organizations to sign up.
- their IP address isn't allowed. This way you can prevent user registrations from locales where you don't provide services.
- they used an invalid invite code or invite password to sign up. This way you can ensure that newly registered users don't get access to expired content or functionality.
Use flow-interrupting webhooks to add this validation to sign-up and registration flows.
Read the Flow-interrupting webhooks documentation to learn more.
Revoke previously issued sessions at login
You can revoke all of the user's active session when they log in to your system. This allows the users to have only one active session, and ensures that they access your services from one point of entry (a device, a browser) at a time.
To enable this behavior, use the Ory CLI.
Run this command to revoke all active sessions of the user after every login:
ory patch identity-config {project_id} \
--add '/selfservice/flows/login/after/hooks=[{"hook": "revoke_active_sessions"}]'
To use this feature only for specific methods, run this command:
ory patch identity-config {project_id} \
--add '/selfservice/flows/login/after/password/hooks=[{"hook": "revoke_active_sessions"}]' \
--add '/selfservice/flows/login/after/oidc/hooks=[{"hook": "revoke_active_sessions"}]' \
--add '/selfservice/flows/login/after/webauthn/hooks=[{"hook": "revoke_active_sessions"}]'
Disable session revocation
Follow these steps to disable session revocation on login:
-
List all configured hooks for the
after
login method:ory get identity-config {project_id} \
--format=jsonpath='selfservice.flows.login.after' -
Check the JSON output and identify the array index of the
revoke_active_sessions
hook:{
hooks: [
{
hook: "some_other_hook", // The index of this hook is '0'.
},
{
hook: "revoke_active_sessions", // The index of this hook is '1'.
},
],
oidc: {
hooks: [],
},
password: {
hooks: [],
},
webauthn: {
hooks: [],
},
} -
Remove the hook by passing the hook index in the command:
ory patch identity-config {project_id} \
--remove '/selfservice/flows/login/after/hooks/1'
Allow login only with verified email
To allow only the users with a verified email to sign in, follow these steps:
- Go to Authentication → Email verification in the Ory Console.
- Toggle Require Verified Address for Login to switch on the feature.
Ory doesn't recommend requiring a verified email to sign in. If you want to encourage users to verify their addresses, show a banner and limit functionality for unverified accounts. This approach helps improve signup conversion.
First sign in without verification
If sessions are issued after registration, users will be signed in after registration, but will need to verify their email address before they can sign in using other devices or browsers and get more active sessions as a result.
Log in users after registration
When you enable this behavior, users get a session after they sign up. This means that they don't have to sign in with their newly created account to get access to your services, but instead can access all the features immediately.
- Go to Authentication → Registration in the Ory Console.
- Toggle Sign In After Registration.
Show verification after successful registration
If you want to show the verification screen after registration or login, follow these steps:
- Server rendered browser client
- SPA & Native clients
For server rendered applications, such as an Express.js app, or when using the Ory Account Experience, Ory Identities can be configured to redirect to the verification screen automatically after registration.
- Go to Authentication → Email verification in the Ory Console.
- Toggle Show verification screen for the respective methods.
Or using the Ory CLI:
ory patch identity-config {project_id} \
--add '/selfservice/flows/registration/after/password/hooks=[{"hook": "show_verification_ui"}]' \
--add '/selfservice/flows/registration/after/oidc/hooks=[{"hook": "show_verification_ui"}]' \
--add '/selfservice/flows/registration/after/webauthn/hooks=[{"hook": "show_verification_ui"}]'
If your identity schema defines multiple verifiable addresses, Ory Identities redirects to the verification flow of only one of the addresses.
For SPA and native clients, the response from the registration endpoint contains a continue_with
field. This field lists
possible actions, the user might need to or can take next. For example, an object containing the ID of the verification flow
created as part of the registration flow:
{
"continue_with": [
{
"action": "show_verification_ui",
"flow": {
"id": "d859f6af-1dfe-453e-9320-d572e10edeea",
"verifiable_address": "example@ory.sh"
}
}
// Other items
]
}
You can use this ID to fetch the verification flow information, using the
getVerificationFlow
API method.
The response from the registration endpoint always contains the continue_with
field with the verification_ui
action, if
verification is enabled and the identity schema defines at least one verifiable address. Because of this, the
show_verification_ui
hook has no effect for API and SPA clients.
Show verification after login if address is not verified yet
If you want to show the verification screen after login, if any of the user's addresses are not verified yet, add the
verification
hook to the login after hooks.
Using the Ory CLI:
ory patch identity-config {project_id} \
--add '/selfservice/flows/login/after/password/hooks=[{"hook": "verification"}]' \
--add '/selfservice/flows/login/after/oidc/hooks=[{"hook": "verification"}]' \
--add '/selfservice/flows/login/after/webauthn/hooks=[{"hook": "verification"}]'
To automatically show the verification screen in server rendered browser flows, add the show_verification_ui
hook as well:
- Server rendered browser client
- SPA & Native clients
Using the Ory CLI:
ory patch identity-config {project_id} \
--add '/selfservice/flows/login/after/password/hooks=[{"hook": "show_verification_ui"}]' \
--add '/selfservice/flows/login/after/oidc/hooks=[{"hook": "show_verification_ui"}]' \
--add '/selfservice/flows/login/after/webauthn/hooks=[{"hook": "show_verification_ui"}]'
If your identity schema defines multiple verifiable addresses, Ory Identities redirects to the verification flow of only one of the addresses.
For SPA and native clients, the response from the registration endpoint contains a continue_with
field. This field lists
possible actions, the user might need to or can take next. For example, an object containing the ID of the verification flow
created as part of the registration flow:
{
"continue_with": [
{
"action": "show_verification_ui",
"flow": {
"id": "d859f6af-1dfe-453e-9320-d572e10edeea",
"verifiable_address": "example@ory.sh"
}
}
// Other items
]
}
You can use this ID to fetch the verification flow information, using the
getVerificationFlow
API method.
The response from the registration endpoint always contains the continue_with
field with the verification_ui
action, if
verification is enabled and the identity schema defines at least one verifiable address. Because of this, the
show_verification_ui
hook has no effect for API and SPA clients.