Customize login and registration flows with webhooks and actions

Customize login and registration behavior

You can customize login and registration flows using Ory Actions. This includes calling external services or logic with webhooks and triggering logic that is built-in to Ory, such requiring a verified email address to sign in.

Trigger external logic with webhooks

Make webhook calls to third-party service providers when users sign up or sign in:

• Mailchimp
• Segment
• Hubspot
• Other webhook targets

Control who registers with additional validation

Use Ory Actions to add extra validation that allows you to control exactly who can sign up. For example, you can prevent users from signing up when:

• their email domain doesn't match a certain value - this way you can allow only users from certain organizations to sign up.
• their IP address isn't allowed. This way you can prevent user registrations from locales where you don't provide services.
• they used an invalid invite code or invite password to sign up. This way you can ensure that newly registered users don't get access to expired content or functionality.

Use flow-interrupting webhooks to add this validation to sign-up and registration flows.

Read the Flow-interrupting webhooks documentation to learn more.

Revoke previously issued sessions at login

You can revoke all of the user's active session when they log in to your system. This allows the users to have only one active session, and ensures that they access your services from one point of entry (a device, a browser) at a time.

To enable this behavior, use the Ory CLI.

Run this command to revoke all active sessions of the user after every login:

ory patch identity-config {project_id} \
  --add '/selfservice/flows/login/after/hooks=[{"hook": "revoke_active_sessions"}]'

To use this feature only for specific methods, run this command:

ory patch identity-config {project_id} \
  --add '/selfservice/flows/login/after/password/hooks=[{"hook": "revoke_active_sessions"}]' \
  --add '/selfservice/flows/login/after/oidc/hooks=[{"hook": "revoke_active_sessions"}]' \
  --add '/selfservice/flows/login/after/webauthn/hooks=[{"hook": "revoke_active_sessions"}]'

Disable session revocation

Follow these steps to disable session revocation on login:

1. List all configured hooks for the after login method:

   ory get identity-config {project_id} \
     --format=jsonpath='selfservice.flows.login.after'

2. Check the JSON output and identify the array index of the revoke_active_sessions hook:

   {
     hooks: [
       {
         hook: "some_other_hook", // The index of this hook is '0'.
       },
       {
         hook: "revoke_active_sessions", // The index of this hook is '1'.
       },
     ],
     oidc: {
       hooks: [],
     },
     password: {
       hooks: [],
     },
     webauthn: {
       hooks: [],
     },
   }

3. Remove the hook by passing the hook index in the command:

   ory patch identity-config {project_id} \
     --remove '/selfservice/flows/login/after/hooks/1'

Allow login only with verified email

To allow only the users with a verified email to sign in, follow these steps:

1. Go to Ory Console → Email Verification.
2. Toggle Require Verified Address for Login to switch on the feature.

info

Ory doesn't recommend requiring a verified email to sign in. If you want to encourage users to verify their addresses, show a banner and limit functionality for unverified accounts. This approach helps improve signup conversion.

First sign in without verification

If sessions are issued after registration, users will be signed in after registration, but will need to verify their email address before they can sign in using other devices or browsers and get more active sessions as a result.

Log in users after registration

When you enable this behavior, users get a session after they sign up. This means that they don't have to sign in with their newly created account to get access to your services, but instead can access all the features immediately.

1. Go to Ory Console → Base Settings.
2. Toggle Sign In After Registration.

Show verification after successful registration

If you want to show the verification screen after registration, follow these steps:

Server rendered browser client

For server rendered applications, such as an Express.js app, or when using the Ory Account Experience, Ory Identities can be configured to redirect to the verification screen automatically after registration.

1. Go to Ory Console → Email Verification.
2. Toggle Show verification screen for the respective methods.

Or using the Ory CLI:

ory patch identity-config {project_id} \
  --add '/selfservice/flows/registration/after/password/hooks=[{"hook": "show_verification_ui"}]' \
  --add '/selfservice/flows/registration/after/oidc/hooks=[{"hook": "show_verification_ui"}]' \
  --add '/selfservice/flows/registration/after/webauthn/hooks=[{"hook": "show_verification_ui"}]'

note

If your identity schema defines multiple verifiable addresses, Ory Identities redirects to the verification flow of only one of the addresses.

SPA & Native clients

For SPA and native clients, the response from the registration endpoint contains a continue_with field. This field lists possible actions, the user might need to or can take next. For example, an object containing the ID of the verification flow created as part of the registration flow:

{
  "continue_with": [
    {
      "action": "show_verification_ui",
      "flow": {
        "id": "d859f6af-1dfe-453e-9320-d572e10edeea",
        "verifiable_address": "example@ory.sh"
      }
    }
    // Other items
  ]
}

You can use this ID to fetch the verification flow information, using the getVerificationFlow API method.

note

The response from the registration endpoint always contains the continue_with field with the verification_ui action, if verification is enabled and the identity schema defines at least one verifiable address. Because of this, the show_verification_ui hook has no effect for API and SPA clients.