ORY Kratos allows users to update their own profile information using two principal flows:
- Browser-based (easy): This flow works for all applications running on top of a browser. Websites, single-page apps, Cordova/Ionic, and so on.
- API-based (advanced): This flow works for native applications like iOS (Swift), Android (Java), Microsoft (.NET), React Native, Electron, and others.
This flow does not allow updates of security-sensitive information such as the password, fields associated with login (e.g. email), or fields associated with account recovery (e.g. the recovery email address). These fields must be updated using a separate flow which requires prior security checks.
The updated profile must be valid against the JSON Schema defined for its Identity Traits. If one or more fields do not validate (e.g. "Not an email"), the profile will not be updated.
The only required configuration is setting the Profile UI URL in the ORY Kratos configuration file:
Self-Service User Profile Management for Browser Applications
Server-Side Browser Applications
The Network Flows for Browsers work as follows for Profile Management:
- An initial HTTP Request is made to
- ORY Kratos redirects the browser to the URL set in urls.profile_ui and appends the request URL Query Parameter (e.g.
- The Endpoint at /profile makes a HTTP GET Request to https://ory-kratos-admin.example-org.vpc/self-service/browser/flows/requests/profile?request=abcde and fetches the Profile Management Request JSON Payload that represents the individual fields that can be updated.
- The User updates the profile data and sends a HTTP POST request to
- If the profile data is invalid, all validation errors will be collected and added to the Profile Management JSON Payload. The Browser is redirected to
- If the profile data is valid, the identity's traits are updated and the process is complete.
Assuming the Identity's Traits JSON Schema is defined as
the resulting JSON Payload coming from
would look something along the lines of:
If the user tries to save profile data that does not validate against the provided JSON Schema, error payloads will be added to the fields affected:
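The validation step described above, as an added example that is not ORY Kratos' own code and is not taken from this page: a minimal JSON Schema check over identity traits that reports each error against the dotted field name the page uses (e.g. traits.email) and then attaches those errors to the affected form fields. The schema, the field list and the field shape (`{ name, type, required, value, errors: [{ message }] }`) are constructed assumptions; only the schema keywords the constructed schema uses are supported, whereas Kratos itself applies full JSON Schema validation.

```javascript
// Added example, not ORY Kratos' own code: a minimal JSON Schema check over identity
// traits that reports errors per dotted field name ("traits.email") and attaches them
// to the affected form fields. Supported keywords: type, required, properties,
// minLength, format: email (an assumption; Kratos validates the full schema).

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; // deliberately simple, for illustration

// Walks `schema` against `value`, collecting { path, message } entries.
function validateTraits(schema, value, path = "traits", errors = []) {
  if (schema.type === "object") {
    if (typeof value !== "object" || value === null || Array.isArray(value)) {
      errors.push({ path, message: "Expected an object" });
      return errors;
    }
    for (const key of schema.required || []) {
      if (!(key in value)) errors.push({ path: `${path}.${key}`, message: "Field is required" });
    }
    for (const [key, sub] of Object.entries(schema.properties || {})) {
      if (key in value) validateTraits(sub, value[key], `${path}.${key}`, errors);
    }
  } else if (schema.type === "string") {
    if (typeof value !== "string") {
      errors.push({ path, message: "Expected a string" });
    } else {
      if (schema.minLength !== undefined && value.length < schema.minLength) {
        errors.push({ path, message: `Too short (min ${schema.minLength})` });
      }
      if (schema.format === "email" && !EMAIL_RE.test(value)) {
        errors.push({ path, message: "Not an email" });
      }
    }
  }
  return errors;
}

// Reads the submitted value behind a dotted field name such as "traits.name.first".
function lookup(traits, name) {
  return name.split(".").slice(1).reduce((v, key) => (v == null ? undefined : v[key]), traits);
}

// Rebuilds the field list with the submitted values and the errors for each field
// (constructed field shape: { name, type, required, value, errors: [{ message }] }).
function attachErrors(fields, traits, errors) {
  return fields.map((f) => ({
    ...f,
    value: lookup(traits, f.name) ?? "",
    errors: errors.filter((e) => e.path === f.name).map((e) => ({ message: e.message })),
  }));
}

// Constructed traits schema and the matching form fields.
const SAMPLE_SCHEMA = {
  type: "object",
  required: ["email"],
  properties: {
    email: { type: "string", format: "email" },
    name: {
      type: "object",
      properties: { first: { type: "string", minLength: 1 }, last: { type: "string" } },
    },
  },
};
const SAMPLE_FIELDS = [
  { name: "traits.email", type: "email", required: true, value: "", errors: [] },
  { name: "traits.name.first", type: "text", required: false, value: "", errors: [] },
  { name: "traits.name.last", type: "text", required: false, value: "", errors: [] },
];

// Outcome of a submitted update: valid, or the fields with error payloads attached.
function checkSubmission(traits, schema = SAMPLE_SCHEMA, fields = SAMPLE_FIELDS) {
  const errors = validateTraits(schema, traits);
  return { valid: errors.length === 0, fields: attachErrors(fields, traits, errors) };
}

console.log(JSON.stringify(checkSubmission({ email: "not an email", name: { first: "" } }), null, 2));
```

Errors are keyed by the same dotted path the form fields carry, so a template can render each message next to the input it belongs to instead of in one undifferentiated list.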
Keep in mind that it is not possible to update the traits.email field, as updating that field requires prior authentication.
Updating these "protected" fields will be implemented in a future release of ORY Kratos.
Client-Side Browser Applications
Because Client-Side Browser Applications do not have access to ORY Kratos' Admin API, they must use the ORY Kratos Public API instead. The flow for a Client-Side Browser Application is almost exactly the same as the one for Server-Side Applications, with the small difference that
would be called via AJAX instead of making a request to
To prevent brute force, guessing, session injection, and other attacks, it is required that cookies are working for this endpoint. The cookie set in the initial HTTP request made to https://example.org/.ory/kratos/public/profiles MUST be set and available when calling this endpoint!
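The Profile UI endpoint from the server-side flow above and its client-side variant, as an added example that is neither ORY Kratos' own code nor code from this page: the part of a /profile handler that builds the request lookup URL, fetches the Profile Management Request payload (from the Admin API server-side, or from the Public API via AJAX with cookies client-side) and turns it into a form model, including the errors Kratos attached to individual fields. The payload shape (`{ form: { action, method, fields: [...] } }`), the hosts, the injected `fetchImpl` and the decision to render traits.email read-only are assumptions.

```javascript
// Added example, not ORY Kratos' own code: the core of a /profile endpoint that loads
// the Profile Management Request payload and prepares it for rendering. Assumed payload
// shape: { form: { action, method, fields: [{ name, type, required, value, errors: [{ message }] }] } }

// URL the app fetches the request payload from. `base` is the Admin API host for
// server-side apps or the Public API base for client-side apps (constructed hosts).
function profileRequestUrl(base, requestId) {
  // A trailing slash keeps a path prefix such as /.ory/kratos/public/ when resolving.
  const root = base.endsWith("/") ? base : `${base}/`;
  const url = new URL("self-service/browser/flows/requests/profile", root);
  // `request` comes from the browser's query string, so let URLSearchParams encode it.
  url.searchParams.set("request", requestId);
  return url.toString();
}

// Fetch options. Calls to the Public API must carry the cookie set by the initial
// request to the profile flow, so a browser AJAX call sends credentials explicitly.
function fetchInit(viaPublicApi) {
  const init = { headers: { Accept: "application/json" } };
  if (viaPublicApi) init.credentials = "include";
  return init;
}

// Fields this flow cannot update (the page names traits.email). Assumption: the UI
// renders them read-only instead of letting the user edit a value Kratos would reject.
const PROTECTED_FIELDS = new Set(["traits.email"]);

// Maps the payload's form description to what a template needs, including any
// validation errors Kratos attached to individual fields after a rejected update.
function toFormModel(payload) {
  const { action, method, fields } = payload.form;
  const model = fields.map((f) => ({
    name: f.name,
    type: f.type,
    required: Boolean(f.required),
    value: f.value ?? "",
    readOnly: PROTECTED_FIELDS.has(f.name),
    errors: (f.errors || []).map((e) => e.message),
  }));
  return { action, method, fields: model, hasErrors: model.some((f) => f.errors.length > 0) };
}

// Handler core. `fetchImpl` is injected so the same function runs server-side
// (global fetch or a fetch polyfill), in the browser, or against a fake in tests.
async function loadProfileForm(fetchImpl, base, requestId, viaPublicApi) {
  const res = await fetchImpl(profileRequestUrl(base, requestId), fetchInit(viaPublicApi));
  if (!res.ok) throw new Error(`profile request could not be loaded: HTTP ${res.status}`);
  return toFormModel(await res.json());
}

// Constructed payload, as an app might receive it after a rejected update.
const SAMPLE_PAYLOAD = {
  form: {
    action: "https://example.org/.ory/kratos/public/profiles?request=abcde",
    method: "POST",
    fields: [
      { name: "traits.email", type: "email", required: true, value: "alice@example.org", errors: [] },
      { name: "traits.name.first", type: "text", value: "", errors: [{ message: "Field is required" }] },
    ],
  },
};

// Fake fetch returning the constructed payload so the example runs offline.
function fakeFetch() {
  return Promise.resolve({ ok: true, status: 200, json: async () => SAMPLE_PAYLOAD });
}

loadProfileForm(fakeFetch, "https://ory-kratos-admin.example-org.vpc", "abcde", false)
  .then((form) => console.log(JSON.stringify(form, null, 2)));
```

For the client-side variant the same call is made with the Public API base and `viaPublicApi` set to true, so the browser sends the cookie from the initial request along with the AJAX call.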
Self-Service User Profile Management for API Clients
Will be addressed in a future release.