Ory Actions are an extensibility mechanism provided by the Ory Network that allows you to integrate with third-party services:
- CRM platforms, such as Mailchimp or HubSpot
- Payment gateways, such as Stripe
- Business analytics tools, such as Google Analytics, Mixpanel, or Segment
- Integration platforms, such as Zapier or IFTT
With Ory Actions, you can define custom business logic and automate the behavior of the system in response to events that occur in your Ory-powered applications. You can write Actions in any programming language and trigger them through events such as user registration, or users resetting their passwords. This gives you a flexible way to extend the capabilities of Ory Network, integrate with other services to streamline your workflows, and improve the overall experience of your users.
Ory Actions is a feature supported by two of the Ory services:
- Ory Identities: Execute actions in response to user-related events such as login, registration, account recovery, account verification, or user settings update.
- Ory OAuth2 and OpenID Connect: Execute actions in response to refreshing OAuth 2.0 Access Tokens.
Actions in Ory Identities
Ory Identities is an identity management solution that supports actions for user-related events: login, registration, account recovery, account verification, or user settings update.
Actions triggered after events
- Login actions allow you to automate behavior in response to users logging in to your application. For example, you can use Ory Actions to update user information in your database or send welcome emails to users that log in for the first time.
- Registration actions allow you to automate behavior in response to users registering in your application. For example, you can use Ory Actions to automatically create a user account in your database or add the user to your mailing list.
- Account recovery actions allow you to automate behavior in response to users initiating the account recovery process. For example, you can use Ory Actions to send a password reset email to the user or update user information in your database.
- Verification actions allow you to automate behavior in response to users verifying their accounts. For example, you can use Ory Actions to update user information in your database or send welcome emails to users who verified their accounts.
- Settings actions allow you to automate behavior in response to users updating their account settings. For example, you can use Ory Actions to update user information in your database or send confirmation or summary emails to users.
Actions triggered before events
You can use Ory Actions before events such as user login, registration, triggering account recovery or verification, and updating account settings.
For example, you can enforce invite-only registration in your application by triggering an action that checks if certain criteria are met before the registration flow starts. This can be useful for controlling the number of users that have access to your application and ensuring that only authorized users can register.
You can also use Ory Actions to add additional security checks when users initiate login, registration, account recovery or verification, and settings update flows. For example, you can create logic that checks the IP address of the user to ensure that the request is coming from a trusted location or to verify that the user's email address is associated with a valid domain.
By using Ory Actions you can have a high degree of control over the flow of events in your application and improve the overall security and user experience.
Ory Identities supports the following action triggers:
beforelogin: The hook runs when the user starts the login flow.
afterlogin: The hook runs when the user is successfully authenticated, before the system issues an Ory Session.
beforeregistration: The hook runs when a registration flow starts.
afterregistration: The hook runs when a user successfully registers in the system.
beforerecovery: The hook runs when the user starts the recovery flow.
afterrecovery: The hook runs when the user successfully recovers their password.
beforesettings: The hook runs when the user starts the account settings flow.
aftersettings: The hook runs when the user successfully changes their account settings.
beforeverification: The hook runs when the user starts the verification flow.
afterverification: The hook runs when the user verifies their account.
Triggers based on authentication methods
You can further customize the behavior of the system by defining what action to trigger based on the authentication method used to sign in, register, and update user settings.
For example, when a user signs in with a password, you can use Ory Actions to send a welcome email to the user or update user information in your database. When a user signs in using OIDC, you can use Ory Actions to enrich your CRM with data from the social sign-in provider.
|Sign-in and sign-up with username/email and password combo.|
|Sign-in and sign-up through OIDC-compliant OAuth2 identity providers.|
|MFA Sign-in with a TOTP code from apps such as Google Authenticator.|
|MFA Sign-in with WebAuthn-compatible factors (FaceID, YubiKey) or paswordless sign-up and sign-in.|
|MFA Sign-in with recovery codes.|
There are 4 actions you can use to extend self-service user flows. The
web_hook action allows you to trigger any custom,
Some actions can only be used for specific flows and methods.
|Signs in the user immediately after they create an account.||For use only with the |
|Revokes all other active sessions of the user on successful login.||For use only with the login flow.|
|Allows users to sign in only when they verified their email address.||For use only with the |
|Allows to trigger external and custom logic. Can be used with all flows and methods except error and logout.||Requires providing webhook configuration. This is the only action type available for the |
The graph below shows when triggers happen.
- Ory executes the
beforeactions when the user starts a flow.
- Ory executes the
afteractions when the user submits or completes the flow.
- When an authentication method specifies actions, it overrides the default actions for the flow.
With the following configuration,
hook_3 is executed when the user logs in with a password,
hook_2 is executed when the user
logs in with any other method, for example through social sign-in, and
hook_1 is executed for all login flows when the user
starts the flow.
login: # Defines for which flow triggers the action.
before: # When the user starts the flow
- hook: hook_1 # Specifies which hook is triggered.
after: # When the user submits the flow
- hook: hook_2 # is executed for all authentication methods except password
- hook: hook_3 # is executed only for password method
Actions in Ory OAuth2 & OpenID Connect
Read Updating claims at token refresh to learn more about Actions in Ory OAuth2 & OpenID Connect.