Skip to main content
Version: Next

Getting URLs and Cookies to Work on Multi-Domains

Base URL#

The public base URL (serve.public.base_url) is used to compute redirect URLs, form action URLs, and more. If you host Ory Kratos on more than one domain you might want to enable the domain aliasing feature. This allows to register additional base URLs. On incoming HTTP Requests, Ory Kratos checks the HTTP Host Header and compares that to the list of domain aliases.

base_url: https://this-is-the-default/base-url
- match_domain:
base_path: /kratos
scheme: https
- match_domain:
base_path: /
scheme: http

If a match is found, the value serve.public.base_url will be ignored and instead the base URL is computed:

<config.protocol>://< + request.port><config.base_path>

Values <>, <request.port> are set by the incoming HTTP request and <config.base_path>, <config.protocol>, by the config:

  • Incoming request is to so the result is
  • Incoming request is to so the result is
  • Incoming request is to so the result is


Ory Kratos' browser features rely heavily on HTTP Cookies to mitigate common attack vectors and make the integration as easy as possible to use. Therefore it is important to know that

  1. HTTP Cookies ignore ports, meaning the browser will send a cookie it received for to as well.
  2. Subdomains can set HTTP Cookies for parent domains, meaning a HTTP Cookie specifying will be allowed to set even if the URL is or

You can adjust the session cookie's domain using:

path: /

Do not set the cookie domain when using multiple domain aliases as it enforces the domain - breaking sessions on your alias domains.

What is not currently possible is to set up Ory Kratos in a way where you get session cookies running on two separate top level domains (e.g. and This is tracked as kratos#662.

Last updated on by aeneasr