Address verification
Address verification ensures that a user’s email or phone number is valid and belongs to them. It helps prevent spam, ensures delivery of important notifications, and maintains system integrity.
Ory supports these verification policies:
- Require verified addresses during sign up and/or login.
- Allow optional verification. Users can choose to verify their email or phone number, but it’s not required or enforced by the UI.
Require verification on login
To require address verification at login, use the require_verified_address action. It requires at least one verified address for
the identity. You can enable it using either the Ory Console or CLI.
- Ory Console
- Ory CLI
- Go to Authentication → Account verification in the Ory Console.
- Enable Require Verified Address for Login.
- Click Save.
Run:
ory patch identity-config --project <project-id> --workspace <workspace-id> \
--add '/selfservice/flows/login/after/password/hooks/0/hook="require_verified_address"'
If the identity schema defines multiple verifiable addresses, Ory sends a verification code to the first one and redirects the user to the verification flow.
If none of the identity's verifiable addresses are verified, a code will be sent to the first email or phone number in the list. If at least one address is verified, Ory will not ask for verification.
- Server rendered browser client
- SPA & Native clients
For HTML form submissions, the POST /self-service/login endpoint responds with an HTTP 302 redirect to the verification flow.
For AJAX (Accept: application/json) or native clients using /self-service/login/api, the endpoint responds with a 400 error:
{
"id": "session_verified_address_required",
"code": 400,
"status": "Bad Request",
"reason": "Your account's email or phone address are not verified yet. Please check your email or phone inbox or re-request verification.",
"details": {
"continue_with": [
{
"action": "show_verification_ui",
"flow": {
"id": "7f4dfb3b-c3cc-4e35-9f09-286b09e77beb",
"verifiable_address": "user@example.com",
"url": "https://<your-slug>.projects.oryapis.com/verification?flow=7f4dfb3b-c3cc-4e35-9f09-286b09e77beb"
}
}
]
},
"message": "your email or phone address is not yet verified"
}
Legacy compatibility
Before May 2025, require_verified_address returned a 400 error without sending a verification code. This behavior is deprecated.
To re-enable it:
ory patch identity-config --project <project-id> --workspace <workspace-id> \
--add '/feature_flags/legacy_require_verified_login_error=true'
The verification and show_verification_ui actions in login flows (but not sign up!) are also deprecated. Use
require_verified_address instead.
Verification on sign up
Ory supports two options after sign up:
Optional verification
Users sign up without address verification, but a code is sent. They can verify later. By default, Ory follows this behavior.
Required verification
Users must verify their address before getting a session. After registration, they’re redirected to the verification flow.
If the identity schema includes multiple verifiable addresses, the code is sent to the first one.
To enable this:
- Go to Authentication → Account verification in the Ory Console.
- Enable Show verification screen after password registration.
Or with the CLI:
ory patch identity-config "$PROJECT_ID" \
--add '/selfservice/flows/registration/after/password/hooks/0/hook="show_verification_ui"' \
--add '/selfservice/flows/registration/after/oidc/hooks/0/hook="show_verification_ui"' \
--add '/selfservice/flows/registration/after/webauthn/hooks/0/hook="show_verification_ui"'
- Server rendered browser client
- SPA & Native clients
For browser clients using native forms, Ory redirects to the verification flow with HTTP 302.
The registration endpoint returns a 400 error with a continue_with field that contains the verification flow:
{
"id": "...",
"ui": {
"action": "...",
"method": "...",
"nodes": [
/* ... */
]
},
"continue_with": [
{
"action": "show_verification_ui",
"flow": {
"id": "d859f6af-1dfe-453e-9320-d572e10edeea",
"verifiable_address": "example@ory.sh",
"url": "https://ory.example.org/verification?flow=d859f6af-1dfe-453e-9320-d572e10edeea"
}
}
]
}
Legacy compatibility
In projects created before May 2025, the registration response includes continue_with even if Show verification screen after
password registration is off.
To re-enable this legacy behavior:
ory patch identity-config --project <project-id> --workspace <workspace-id> \
--add '/feature_flags/legacy_continue_with_verification_ui=true'
Verification on address change
When a user updates their email address or phone number in the settings flow, Ory sends a verification code to the new address. By default, the settings flow will display a success message when the profile is updated, but the address remains unverified until the user completes the verification process.
Show verification screen after address change
If you want users to be immediately redirected to verify their new address after changing it, you can configure the
show_verification_ui hook for the settings flow. This will redirect the user to the verification screen instead of showing a
success message.
To enable this behavior, use the Ory CLI:
ory patch identity-config {project_id} \
--add '/selfservice/flows/settings/after/profile/hooks/0/hook="show_verification_ui"'
- Server rendered browser client
- SPA & Native clients
For browser clients using native forms, Ory redirects to the verification flow with HTTP 302.
The settings endpoint returns a 400 error with a continue_with field that contains the verification flow:
{
"id": "...",
"ui": {
"action": "...",
"method": "...",
"nodes": [
/* ... */
]
},
"continue_with": [
{
"action": "show_verification_ui",
"flow": {
"id": "d859f6af-1dfe-453e-9320-d572e10edeea",
"verifiable_address": "example@ory.sh",
"url": "https://ory.example.org/verification?flow=d859f6af-1dfe-453e-9320-d572e10edeea"
}
}
]
}