API Reference ory_client v1.22.40
Modules
API calls for all endpoints tagged APIKeys.
API calls for all endpoints tagged Courier.
API calls for all endpoints tagged Events.
API calls for all endpoints tagged Frontend.
API calls for all endpoints tagged Identity.
API calls for all endpoints tagged Jwk.
API calls for all endpoints tagged Metadata.
API calls for all endpoints tagged OAuth2.
API calls for all endpoints tagged Oidc.
API calls for all endpoints tagged Permission.
API calls for all endpoints tagged Project.
API calls for all endpoints tagged Relationship.
API calls for all endpoints tagged Wellknown.
API calls for all endpoints tagged Workspace.
Handle Tesla connections for Ory.
Helper functions for deserializing responses into models
Contains information on a device verification
Create Identity and Import Lookup Secret Credentials
Create Identity and Import Lookup Secret Credentials Configuration
RotateIssuedAPIKeyRequest is the request for AdminRotateIssuedAPIKey. Rotation is a custom method (AIP-136) that swaps an active key for a new one with a fresh secret and key_id, then revokes the old key. It is not a partial update, so it does not carry an update_mask. Mutable fields use presence-based semantics: an absent field inherits from the old key, while a present field (including an explicitly empty value) overrides.
ImportedAPIKey represents an API key imported from an external system. The raw key is hashed (SHA-512/256) and stored. The original key is never retained.
IssuedAPIKey represents an API key issued (generated) by Talos. Root keys are opaque v1 format tokens stored in the database. Derived tokens (JWT/Macaroon) are created via DeriveToken and are stateless (not stored).
The authenticator assurance level can be one of "aal1", "aal2", or "aal3". A higher number means that it is harder for an attacker to compromise the account. Generally, "aal1" implies that one authentication factor was used while AAL2 implies that two factors (e.g. password + TOTP) have been used. To learn more about these levels please head over to: https://www.ory.com/kratos/docs/concepts/credentials
Batch Check Permission Body
Batch Check Permission Result
BatchImportAPIKeysRequest imports multiple external API keys in one request. The maximum batch size is 1000 keys.
BatchImportAPIKeysResponse returns per-item results and summary counters.
BatchImportErrorCode classifies per-item batch import failures. - BATCH_IMPORT_ERROR_UNSPECIFIED: No error (import succeeded) - BATCH_IMPORT_ERROR_INVALID_ARGUMENT: The key data is malformed or missing required fields - BATCH_IMPORT_ERROR_ALREADY_EXISTS: A key with this identifier already exists - BATCH_IMPORT_ERROR_FAILED_PRECONDITION: State conflict prevents the import - BATCH_IMPORT_ERROR_INTERNAL: Server error during import
BatchImportResult contains the result for one key in a batch import request.
Patch identities response
The content of the allowed field is mirrored in the HTTP status code.
Check Permission Result With Error
Control API consistency guarantees
Indicates that the UI flow could be continued by showing a recovery UI
Indicates that the UI flow could be continued by showing a recovery UI
Indicates that a session was issued, and the application should use this token for authenticated requests
Indicates that the UI flow could be continued by showing a settings UI
Indicates that the UI flow could be continued by showing a verification UI
A Message's Status
It can either be email or phone
Create Custom Hostname Request Body
Create Event Stream Request Body
Contains a list of all available FedCM providers.
Create Identity Body
Create JSON Web Key Set Request Body
Create Project Request Body
Create a Project Branding
Create Project MemberInvite Request Body
Create project (normalized) request payload
Create Recovery Code for Identity Request Body
Create Recovery Link for Identity Request Body
Create Relationship Request Body
Create Workspace Invite Request Body
Includes information about the supported verifiable credentials.
Custom Hostname
CustomerPortalAvailability describes whether the Stripe customer portal is available for the logged-in user (or a workspace they access).
Deleted Session Count
Exactly one of Android / IOS is set, matching the key's DeviceType.
Contains the data of the email template, including the subject and body in HTML and plaintext variants
Is sent when a flow is replaced by a different flow of the same class
The standard Ory JSON API error format.
Error
Event Stream
Error responses are sent when an error (e.g. unauthorized, bad request, ...) occurred.
Error response
Response of the getAttributesCount endpoint
Ory Identity Schema Location
Response of the getIdentityCount endpoint
Response of the getMetricsEventAttributes endpoint
Response of the getMetricsEventTypes endpoint
Response of the getProjectEvents endpoint
Body of the getProjectEvents endpoint
Response of the getMetrics endpoint
Response of the getSessionActivity endpoint
An identity represents a (human) user in Ory.
Credentials represents a specific credential type
CredentialsCode represents a one time login/registration code
Recovery codes can be used once and are invalidated after use.
Payload for patching an identity
Response for a single identity patch
An Identity JSON Schema Container
Create Identity and Import Credentials
Create Identity and Import Social Sign In Credentials
Create Identity and Import Social Sign In Credentials Configuration
Create Identity and Import Passkey Credentials
Create Identity and Import Passkey Credentials Configuration
Create Identity and Import Password Credentials
Create Identity and Import Password Credentials Configuration
Payload to import SAML credentials
Payload of SAML providers
Payload of specific SAML provider
Create Identity and Import TOTP 2FA Credentials
Create Identity and Import TOTP 2FA Credentials Configuration
Create Identity and Import WebAuthn Credentials
Create Identity and Import WebAuthn Credentials Configuration
Example: { "raw_key": "sk_live_abc123xyz789", "name": "Stripe Production Key", "actor_id": "payment-processor", "scopes": ["read", "write"], "ttl": "8760h", // 1 year (also accepts: 31536000s) "metadata": {"source": "stripe", "environment": "production"} }
ImportedAPIKey represents an API key imported from an external system. The raw key is hashed (SHA-512/256) and stored. The original key is never retained.
Get Project Branding Request Body
Is Account Experience Enabled For Project Request Body
Is Owner For Project By Slug Request Body
Introspection contains an access token's session data as specified by IETF RFC 7662
Invite Token Body
IPRestriction defines IP-based access controls for an API key. When allowed_cidrs is non-empty, only requests from IPs matching at least one CIDR range are permitted. Empty allowed_cidrs means no IP restriction (all IPs allowed). IP restrictions apply to root API key and imported key verification only; derived tokens (JWT/macaroon) are stateless and not subject to IP checks.
IssuedAPIKey represents an API key issued (generated) by Talos. Root keys are opaque v1 format tokens stored in the database. Derived tokens (JWT/Macaroon) are created via DeriveToken and are stateless (not stored).
A JSONPatch document as defined by RFC 6902
JSON Web Key Set
KeyStatus represents the lifecycle state of an API key. - KEY_STATUS_UNSPECIFIED: Default zero value. Never returned by the server. Treated as ACTIVE for backward compatibility but should not be relied on. - KEY_STATUS_ACTIVE: The key is valid and can be used to authenticate. - KEY_STATUS_REVOKED: The key was revoked. Verification fails with VERIFICATION_ERROR_REVOKED. See revocation_reason for the cause. - KEY_STATUS_EXPIRED: The key passed its expire_time. Verification fails with VERIFICATION_ERROR_EXPIRED. The transition is computed at read time and not persisted.
KeyVisibility distinguishes public (client-safe) keys from secret (server-only) keys. Public keys use a different configurable prefix for visual distinction. Both types share the same scope/permission system — visibility is about exposure safety. - KEY_VISIBILITY_UNSPECIFIED: Treated as SECRET
For details on pagination please head over to the pagination documentation.
The Link HTTP header contains multiple links (first, next) formatted as: <https://{project-slug}.projects.oryapis.com/admin/sessions?page_size=250&page_token=>; rel="first" For details on pagination please head over to the pagination documentation.
Event Stream List
B2B SSO Organization List
This object represents a login flow. A login flow is initiated at the "Initiate Login API / Browser Flow" endpoint by a client. Once a login flow is completed successfully, a session cookie or session token will be issued.
The experimental state represents the state of a login flow. This field is EXPERIMENTAL and subject to change!
Admin-test extension of a login flow. Populated only for flows created by the admin test endpoint; included in the flow's API response so the admin UI can render the pre-scoped provider and (once captured) the debug round-trip result.
Contains the parsed claims, the Jsonnet mapper input and output, and any schema validation errors. Bearer tokens (id_token, access_token, refresh_token) are intentionally excluded to limit the blast radius of the debug payload leaking through audit logs or admin browsers.
One identity-schema validation failure recorded while evaluating the traits produced by the Jsonnet mapper.
Populated when any step (token exchange, claims decode, Jsonnet evaluation, schema validation) cannot complete.
Logout Flow
Body for the bulk session management endpoint. Exactly one of identities or sessions must be provided. To operate on every session in the network, pass identities: ["*"] — the wildcard must appear alone, never mixed with explicit IDs.
Response body for the bulk session management endpoint. Reports how many rows the call processed and, for the wildcard variant, whether the network still has matching rows left. Explicit-IDs requests always return more: false. Wildcard callers drain the network by re-issuing the same request while more is true.
Together the name and identity uuid are a unique index constraint. This prevents a user from having schemas with the same name. This also allows schemas to have the same name across the system.
Ory Identity Schema Validation Result
MessageDispatch represents an attempt to send a courier message. It contains the status of the attempt (failed or successful) and the error, if any occurred.
Represents a single datapoint/bucket of a time series
SCIMClient represents a SCIM client configuration to be used by an external identity provider.
NullValue is a singleton enumeration to represent the null value for the Value type union. The JSON representation for NullValue is JSON null. - NULL_VALUE: Null value.
OAuth 2.0 Clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.
Lifespans of different token types issued for this OAuth 2.0 Client.
A completed OAuth 2.0 Consent Session.
Contains a redirect URL used to complete a login, consent, or logout request.
OAuth2 Token Exchange Result
Includes links to several endpoints (for example /oauth2/token) and exposes information on supported signature algorithms among others.
OpenID Connect Userinfo
B2B SSO Organization
Create B2B SSO Organization Request Body
Patch Identities Body
Perform Native Logout Request Body
Get Permissions on Project Request Parameters
Check Permission using Post Request Body
Post Check Permission Or Error Body
RateLimitPolicy describes the rate limit policy for an API key. In OSS mode, this policy is informational and meant to be consumed by upstream gateways (Envoy, Cloudflare, etc.) for enforcement. In commercial mode, Talos enforces rate limits using in-memory or Redis backends, both powered by the GCRA (Generic Cell Rate Algorithm). Compliant with draft-ietf-httpapi-ratelimit-headers-10.
Used when an administrator creates a recovery code for an identity.
This request is used when an identity wants to recover their account. We recommend reading the Account Recovery Documentation
The experimental state represents the state of a recovery flow. This field is EXPERIMENTAL and subject to change!
Used when an administrator creates a recovery link for an identity.
The experimental state represents the state of a registration flow. This field is EXPERIMENTAL and subject to change!
Relation Query
Relationship
Relationship Namespace List
Payload for patching a relationship
Paginated Relationship List
RevocationReason provides structured revocation reasons inspired by RFC 5280. Used in both admin and self-revocation flows. - REVOCATION_REASON_UNSPECIFIED: Default zero value. Use a specific reason; UNSPECIFIED is rejected by admin and self-revocation endpoints. - REVOCATION_REASON_KEY_COMPROMISE: The key was leaked or believed to be in the hands of an unauthorized party. - REVOCATION_REASON_AFFILIATION_CHANGED: The owning actor's relationship with the issuer changed (e.g., role change, departure). - REVOCATION_REASON_SUPERSEDED: A new key has replaced this one as part of a rotation. - REVOCATION_REASON_PRIVILEGE_WITHDRAWN: Admin-only. The actor's privilege to use this key was withdrawn by an operator. Self-revocation requests using this reason are rejected with InvalidArgument. Pair with description on RevokeAPIKeyRequest to record the operator-supplied justification.
SelfRevokeAPIKeyRequest allows an API key holder to revoke their own key by providing the full key secret as proof of possession.
Is sent when a flow is expired
A Session
A singular authenticator used during authentication / login.
Device corresponding to a Session
Update Custom Hostname Body
Update Event Stream Body
This flow is used when an identity wants to update settings (e.g. profile data, passwords, ...) in a self-service manner. We recommend reading the User Settings Documentation.
The experimental state represents the state of a settings flow. This field is EXPERIMENTAL and subject to change!
The Response for Registration Flows via API
The Response for Login Flows via API
The Response for Registration Flows via API
The Link HTTP header contains multiple links (first, next, last, previous) formatted as: <https://{project-slug}.projects.oryapis.com/admin/clients?page_size={limit}&page_token={offset}>; rel="{page}" For details on pagination please head over to the pagination documentation.
The Link HTTP header contains multiple links (first, next, last, previous) formatted as: <https://{project-slug}.projects.oryapis.com/admin/clients?page_size={limit}&page_token={offset}>; rel="{page}" For details on pagination please head over to the pagination documentation.
Trust OAuth2 JWT Bearer Grant Type Issuer Request Body
OAuth2 JWT Bearer Grant Type Issuer Trust Relationship
OAuth2 JWT Bearer Grant Type Issuer Trusted JSON Web Key
Container represents an HTML form. The container can work with both HTTP Form and JSON requests.
Nodes are represented as HTML elements or their native UI equivalents. For example, a node can be an <img> tag or an <input> element, but also some plain text.
Division sections are used for interactive widgets that require a hook in the DOM / view.
InputAttributes represents the attributes of an input node
Represents a single selectable value for an input whose JSON schema defined an enum. The value is always a scalar JSON type (string, number, or boolean) serialized verbatim from the schema. When present, clients should render the parent input as a select/dropdown.
This might include a label and other information that can optionally be used to render UIs.
Update Identity Body
Update Login flow using the code method
Update Login Flow with Multi-Step Method
Update Login Flow with Lookup Secret Method
Update Login Flow with OpenID Connect Method
Update Login Flow with Passkey Method
Update Login Flow with Password Method
Update login flow using SAML
Update Login Flow with TOTP Method
Update Login Flow with WebAuthn Method
Update Recovery Flow Request Body
Update Recovery Flow with Code Method
Update Recovery Flow with Link Method
Update Registration Request Body
Update Registration Flow with Code Method
Update Registration Flow with OpenID Connect Method
Update Registration Flow with Passkey Method
Update Registration Flow with Password Method
Update Registration Flow with Profile Method
Update registration flow using SAML
Update Registration Flow with WebAuthn Method
Update Settings Flow Request Body
Update Settings Flow with Lookup Method
Update Settings Flow with OpenID Connect Method
Update Settings Flow with Passkey Method
Update Settings Flow with Password Method
Update Settings Flow with Profile Method
Update settings flow using SAML
Update Settings Flow with TOTP Method
Update Settings Flow with WebAuthn Method
Update Verification Flow Request Body
Update Verification Flow with Link Method
The endpoint is mounted on backoffice's admin listener and is not exposed on the public ingress; the bearer token is the credential. See .claude/docs/plans/courier-rewrite.md for the design.
ValidateBaseURLRewriteResponse is the response shape. The endpoint always returns HTTP 200 with a structured outcome so the client has a single response shape for tracing and so neither side has to special-case 4xx vs. body parsing.
VerifiableAddress is an identity's verifiable address
Used to verify an out-of-band communication channel such as an email address or a phone number. For more information head over to: https://www.ory.com/docs/kratos/self-service/flows/verify-email-account-activation
The experimental state represents the state of a verification flow. This field is EXPERIMENTAL and subject to change!
Helper functions for building Tesla requests