
Customize login and registration flows with webhooks and actions

Customize login and registration behavior

You can customize login and registration flows using Ory Actions. This includes calling external services or logic with webhooks, and triggering logic that is built into Ory, such as requiring a verified email address to sign in.

Trigger external logic with webhooks

Make webhook calls to third-party service providers when users sign up or sign in.

Control who registers with additional validation

Use Ory Actions to add extra validation that allows you to control exactly who can sign up. For example, you can prevent users from signing up when:

  • their email domain doesn't match a certain value. This way you can allow only users from certain organizations to sign up.
  • their IP address isn't allowed. This way you can prevent user registrations from locales where you don't provide services.
  • they used an invalid invite code or invite password to sign up. This way you can ensure that newly registered users don't get access to expired content or functionality.

Use flow-interrupting webhooks to add this validation to sign-up and registration flows.

Read the Flow-interrupting webhooks documentation to learn more.
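As an added example (not code from the Ory documentation), the following Go webhook endpoint applies the first and third checks above. It assumes the webhook's jsonnet body template sends `{"email": ..., "invite_code": ...}`, uses constructed allowlists, and follows the flow-interrupting response shape (a non-2xx status plus a `messages` array) as I understand it from the flow-interrupting webhooks documentation; verify the exact body format against your Ory version.

```go
package main

import (
	"encoding/json"
	"net/http"
	"strings"
)

// RegistrationPayload is the body this handler expects: an assumption about the
// jsonnet body template you configure for the Ory webhook, not an Ory-defined schema.
type RegistrationPayload struct {
	Email      string `json:"email"`
	InviteCode string `json:"invite_code"`
}

var allowedDomains = map[string]bool{"example.com": true, "example.org": true} // constructed
var validInvites = map[string]bool{"INVITE-2024-A": true}                      // constructed

// ValidateRegistration returns "" to allow the sign-up, otherwise a user-safe reason.
func ValidateRegistration(p RegistrationPayload) string {
	_, domain, _ := strings.Cut(p.Email, "@") // malformed address -> empty domain -> rejected
	if !allowedDomains[strings.ToLower(domain)] {
		return "sign-up is restricted to approved email domains"
	}
	if !validInvites[p.InviteCode] {
		return "invite code is invalid or expired"
	}
	return ""
}

// Handler answers 200 to let the flow continue, or 403 plus a JSON body of messages
// to interrupt it (body shape per Ory's flow-interrupting webhook docs; verify it).
func Handler(w http.ResponseWriter, r *http.Request) {
	var p RegistrationPayload
	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<16)).Decode(&p); err != nil {
		http.Error(w, "malformed webhook payload", http.StatusBadRequest)
		return
	}
	if reason := ValidateRegistration(p); reason != "" {
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(http.StatusForbidden)
		_ = json.NewEncoder(w).Encode(map[string]any{"messages": []map[string]any{{
			"instance_ptr": "#/traits/email",
			"messages":     []map[string]any{{"id": 1000, "text": reason, "type": "error"}},
		}}})
		return
	}
	w.WriteHeader(http.StatusOK)
}

func main() { http.ListenAndServe(":8080", http.HandlerFunc(Handler)) }
```

Rejecting on an empty invite code as well as an unknown one means a template that forgets to send the field fails closed rather than open.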

Revoke previously issued sessions at login

You can revoke all of the user's active sessions when they log in to your system. This allows users to have only one active session, and ensures that they access your services from one point of entry (a device, a browser) at a time.

To enable this behavior, use the Ory CLI.

Run this command to revoke all active sessions of the user after every login:

ory patch identity-config {project_id} \
--add '/selfservice/flows/login/after/hooks=[{"hook": "revoke_active_sessions"}]'

To use this feature only for specific methods, run this command:

ory patch identity-config {project_id} \
--add '/selfservice/flows/login/after/password/hooks=[{"hook": "revoke_active_sessions"}]' \
--add '/selfservice/flows/login/after/oidc/hooks=[{"hook": "revoke_active_sessions"}]' \
--add '/selfservice/flows/login/after/webauthn/hooks=[{"hook": "revoke_active_sessions"}]'

Disable session revocation

Follow these steps to disable session revocation on login:

  1. List all hooks configured for the login flow's "after" stage:

    ory get identity-config {project_id} \
    --format=jsonpath='selfservice.flows.login.after'
  2. Check the JSON output and identify the array index of the revoke_active_sessions hook:

    {
      hooks: [
        {
          hook: "some_other_hook", // The index of this hook is '0'.
        },
        {
          hook: "revoke_active_sessions", // The index of this hook is '1'.
        },
      ],
      oidc: {
        hooks: [],
      },
      password: {
        hooks: [],
      },
      webauthn: {
        hooks: [],
      },
    }
  3. Remove the hook by passing the hook index in the command:

    ory patch identity-config {project_id} \
    --remove '/selfservice/flows/login/after/hooks/1'

Allow login only with verified email

To allow only the users with a verified email to sign in, follow these steps:

  1. Go to Ory Console → Email Verification.
  2. Toggle Require Verified Address for Login to switch on the feature.
Info: Ory doesn't recommend requiring a verified email to sign in. If you want to encourage users to verify their addresses, show a banner and limit functionality for unverified accounts. This approach helps improve signup conversion.

First sign in without verification

If sessions are issued after registration, users are signed in immediately after registering, but they must verify their email address before they can sign in from other devices or browsers, that is, before they can obtain any additional active sessions.

Log in users after registration

When you enable this behavior, users get a session after they sign up. This means that they don't have to sign in with their newly created account to get access to your services, but instead can access all the features immediately.

  1. Go to Ory Console → Base Settings.
  2. Toggle Sign In After Registration.

Provide login hints to users

When users attempt to sign up with an identifier (username, email address, etc.) that has previously been registered, they are presented with an error explaining that an account is already on file and advising them to log in to that account.

If you have a number of different sign-in methods configured (say username and password plus one or more social sign-in providers), your users might not remember with which provider they initially signed up.

You can configure your Ory Network project to provide login hints to your users in this scenario. If a user attempts to sign up but an account already exists, the error message will tell them exactly which sign-in provider to use instead.

To enable these login hints, use the Ory CLI:

ory patch project ${project_id} \
--replace '/services/identity/config/selfservice/flows/registration/login_hints=true'
Info: This behavior improves the sign-in experience for your users, but comes at the cost of exposing information about which sign-in methods a particular account identifier has associated with it.

Do not enable this feature if account enumeration attacks are a risk factor in your threat model.

Show verification after successful registration

For server-rendered applications, such as an Express.js app, or when using the Ory Account Experience, Ory Identities can be configured to redirect to the verification screen automatically after registration.

If you want to show the verification screen after registration, follow these steps:

  1. Go to Ory Console → Email Verification.
  2. Toggle Show verification screen for the respective methods.

Or using the Ory CLI:

ory patch identity-config {project_id} \
--add '/selfservice/flows/registration/after/password/hooks=[{"hook": "show_verification_ui"}]' \
--add '/selfservice/flows/registration/after/oidc/hooks=[{"hook": "show_verification_ui"}]' \
--add '/selfservice/flows/registration/after/webauthn/hooks=[{"hook": "show_verification_ui"}]'
Note: If your identity schema defines multiple verifiable addresses, Ory Identities redirects to the verification flow of only one of the addresses.