Skip to main content

Customize login and registration flows with webhooks and actions

Customize login and registration behavior

You can customize login and registration flows using Ory Actions. This includes calling external services or logic with webhooks and triggering logic that is built-in to Ory, such requiring a verified email address to sign in.

Trigger external logic with webhooks

Make webhook calls to third-party service providers when users sign up or sign in:

Control who registers with additional validation

Use Ory Actions to add extra validation that allows you to control exactly who can sign up. For example, you can prevent users from signing up when:

  • their email domain doesn't match a certain value - this way you can allow only users from certain organizations to sign up.
  • their IP address isn't allowed. This way you can prevent user registrations from locales where you don't provide services.
  • they used an invalid invite code or invite password to sign up. This way you can ensure that newly registered users don't get access to expired content or functionality.

Use flow-interrupting webhooks to add this validation to sign-up and registration flows.

Read the Flow-interrupting webhooks documentation to learn more.

Revoke previously issued sessions at login

You can revoke all of the user's active session when they log in to your system. This allows the users to have only one active session, and ensures that they access your services from one point of entry (a device, a browser) at a time.

To enable this behavior, use the Ory CLI.

Run this command to revoke all active sessions of the user after every login:

ory patch identity-config {project_id} \
--add '/selfservice/flows/login/after/hooks=[{"hook": "revoke_active_sessions"}]'

To use this feature only for specific methods, run this command:

ory patch identity-config {project_id} \
--add '/selfservice/flows/login/after/password/hooks=[{"hook": "revoke_active_sessions"}]' \
--add '/selfservice/flows/login/after/oidc/hooks=[{"hook": "revoke_active_sessions"}]' \
--add '/selfservice/flows/login/after/webauthn/hooks=[{"hook": "revoke_active_sessions"}]'

Disable session revocation

Follow these steps to disable session revocation on login:

  1. List all configured hooks for the after login method:

    ory get identity-config {project_id} \
    --format=jsonpath='selfservice.flows.login.after'
  2. Check the JSON output and identify the array index of the revoke_active_sessions hook:

    {
    hooks: [
    {
    hook: "some_other_hook", // The index of this hook is '0'.
    },
    {
    hook: "revoke_active_sessions", // The index of this hook is '1'.
    },
    ],
    oidc: {
    hooks: [],
    },
    password: {
    hooks: [],
    },
    webauthn: {
    hooks: [],
    },
    }
  3. Remove the hook by passing the hook index in the command:

    ory patch identity-config {project_id} \
    --remove '/selfservice/flows/login/after/hooks/1'

Allow login only with verified email

To allow only the users with a verified email to sign in, follow these steps:

  1. Go to AuthenticationEmail verification in the Ory Console.
  2. Toggle Require Verified Address for Login to switch on the feature.
info

Ory doesn't recommend requiring a verified email to sign in. If you want to encourage users to verify their addresses, show a banner and limit functionality for unverified accounts. This approach helps improve signup conversion.

First sign in without verification

If sessions are issued after registration, users will be signed in after registration, but will need to verify their email address before they can sign in using other devices or browsers and get more active sessions as a result.

Log in users after registration

When you enable this behavior, users get a session after they sign up. This means that they don't have to sign in with their newly created account to get access to your services, but instead can access all the features immediately.

  1. Go to AuthenticationRegistration in the Ory Console.
  2. Toggle Sign In After Registration.

Show verification after successful registration

If you want to show the verification screen after registration or login, follow these steps:

For server rendered applications, such as an Express.js app, or when using the Ory Account Experience, Ory Identities can be configured to redirect to the verification screen automatically after registration.

  1. Go to AuthenticationEmail verification in the Ory Console.
  2. Toggle Show verification screen for the respective methods.

Or using the Ory CLI:

ory patch identity-config {project_id} \
--add '/selfservice/flows/registration/after/password/hooks=[{"hook": "show_verification_ui"}]' \
--add '/selfservice/flows/registration/after/oidc/hooks=[{"hook": "show_verification_ui"}]' \
--add '/selfservice/flows/registration/after/webauthn/hooks=[{"hook": "show_verification_ui"}]'
note

If your identity schema defines multiple verifiable addresses, Ory Identities redirects to the verification flow of only one of the addresses.

Show verification after login if address is not verified yet

If you want to show the verification screen after login, if any of the user's addresses are not verified yet, add the verification hook to the login after hooks.

Using the Ory CLI:

ory patch identity-config {project_id} \
--add '/selfservice/flows/login/after/password/hooks=[{"hook": "verification"}]' \
--add '/selfservice/flows/login/after/oidc/hooks=[{"hook": "verification"}]' \
--add '/selfservice/flows/login/after/webauthn/hooks=[{"hook": "verification"}]'

To automatically show the verification screen in server rendered browser flows, add the show_verification_ui hook as well:

Using the Ory CLI:

ory patch identity-config {project_id} \
--add '/selfservice/flows/login/after/password/hooks=[{"hook": "show_verification_ui"}]' \
--add '/selfservice/flows/login/after/oidc/hooks=[{"hook": "show_verification_ui"}]' \
--add '/selfservice/flows/login/after/webauthn/hooks=[{"hook": "show_verification_ui"}]'
note

If your identity schema defines multiple verifiable addresses, Ory Identities redirects to the verification flow of only one of the addresses.