Skip to main content

Learn about the account recovery flow initiated by admins

You can initiate account recovery for identities using the admin API endpoints.


You can generate a link for an account without a recovery address via the admin API, but if the recovery link expires the users can't re-initiate the flow by themselves if a recovery address hasn't been added.

To create the account recovery link, use:

curl --request POST -sL \
--header "Authorization: Bearer ory_pat_xRKLsFEOUFQFVBjd6o3FQDifaLYhabGd" \
--header "Content-Type: application/json" \
--request POST \
--data '{
"expires_in": "12h",
"identity_id": "e01b5f2f-6afc-4194-8578-4cebcf69a4d5"

The response contains a recovery_link value. This is the link the user should use to set up his or her credentials to connect to a social sign-in provider or set up a password :

"recovery_link": "",
"expires_at": "2022-02-25T03:09:37.60684766Z"

The user has a limited amount of time to update their credentials once they use the recovery link. The time is the privileged session

Configure the privileged session lifespan at

If the user fails to set up their credentials in time, another recovery link needs to be issued and the user needs to re-do the flow.

It is currently not possible to send the recovery link directly to a user's email, this feature is tracked as #595.

Enable account recovery

To enable recovery flows, make the following adjustments to your Ory Kratos configuration:

enabled: true

# If the link should point to a domain (and path) that differs from the configured public base URL,
# set this value to the base URL you want:

enabled: true

To specify that an identity's trait is a recovery email, use the following Identity Schema:

"$id": "",
"$schema": "",
"title": "Person",
"type": "object",
"properties": {
"traits": {
"type": "object",
"properties": {
"email": {
"type": "string",
"format": "email",
"": {
"credentials": {
"password": {
"identifier": true
+ "recovery": {
+ "via": "email"
+ }
"additionalProperties": false

For more detailed information and general guidelines on these flows, take a look at the account recovery and password reset section.