Create Login Flow for Browsers
GET /self-service/login/browser
This endpoint initializes a browser-based user login flow. This endpoint will set the appropriate cookies and anti-CSRF measures required for browser-based flows.
If this endpoint is opened as a link in the browser, it will be redirected to
selfservice.flows.login.ui_url with the flow ID set as the query parameter ?flow=. If a valid user session
exists already, the browser will be redirected to urls.default_redirect_url unless the query parameter
?refresh=true was set.
If this endpoint is called via an AJAX request, the response contains the flow without a redirect. In the
case of an error, the error.id of the JSON response body can be one of:
session_already_available: The user is already signed in.
session_aal1_required: Multi-factor auth (e.g. 2fa) was requested but the user has no session yet.
security_csrf_violation: Unable to fetch the flow because a CSRF violation occurred.
security_identity_mismatch: The requested ?return_to address is not allowed to be used. Adjust this in the configuration!
The optional query parameter login_challenge is set when using Kratos with Hydra in an OAuth2 flow. See the oauth2_provider.url configuration option.
This endpoint is NOT INTENDED for clients that do not have a browser (Chrome, Firefox, ...) as cookies are needed.
More information can be found at Ory Kratos User Login and User Registration Documentation.
Operation ID: createBrowserLoginFlow Tag: frontend
Query parameters
| Name | Type | Required | Description |
|---|---|---|---|
| refresh | boolean | no | Refresh a login session. If set to true, this refreshes an existing login session by asking the user to sign in again. This resets the authenticated_at time of the session. |
| aal | string | no | Request a specific Authenticator Assurance Level (AAL). Use this parameter to upgrade an existing session's AAL, i.e. to ask for multi-factor authentication. When an identity signs in using e.g. username+password, the AAL is 1. To "upgrade" the session's security by asking the user to perform TOTP, WebAuthn, ... set this to "aal2". |
| return_to | string | no | The URL to return the browser to after the flow was completed. |
| login_challenge | string | no | An optional Hydra login challenge. If present, Kratos will cooperate with Ory Hydra to act as an OAuth2 identity provider. The value for this parameter comes from the login_challenge URL query parameter sent to your application (e.g. /login?login_challenge=abcde). |
| organization | string | no | An optional organization ID that should be used for logging this user in. This parameter is only effective in the Ory Network. |
| via | string | no | Via should contain the identity's credential the code should be sent to. Only relevant in aal2 flows. DEPRECATED: This field is deprecated. Please remove it from your requests. The user will now see a choice of MFA credentials to choose from to perform the second factor instead. |
| identity_schema | string | no | An optional identity schema to use for the login flow. |
Header parameters
| Name | Type | Required | Description |
|---|---|---|---|
| Cookie | string | no | HTTP Cookies. When using the SDK in a browser app, on the server side you must include the HTTP Cookie header sent by the client to your server here. This ensures that CSRF and session cookies are respected. |
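The following is an added example (not Ory's SDK or documentation code) covering both the AJAX behaviour described above and the server-side Cookie forwarding requirement. It builds the request URL from the documented query parameters, calls the endpoint with `Accept: application/json` so the response is the flow (or a JSON error) rather than a 303 redirect, and maps the documented `error.id` values to a client action. `KRATOS_PUBLIC_URL`, the action names, and the `fetchImpl` injection point are assumptions made for the example.

```javascript
// Added example, not Ory's code. KRATOS_PUBLIC_URL and the action names below are assumptions.
const KRATOS_PUBLIC_URL = "https://kratos.example.com"; // assumption: Kratos public base URL

// Build GET /self-service/login/browser with the documented query parameters.
function buildLoginFlowUrl(base, { refresh, aal, returnTo, loginChallenge, organization } = {}) {
  const url = new URL("/self-service/login/browser", base);
  if (refresh) url.searchParams.set("refresh", "true");
  if (aal) url.searchParams.set("aal", aal);
  if (returnTo) url.searchParams.set("return_to", returnTo);
  if (loginChallenge) url.searchParams.set("login_challenge", loginChallenge);
  if (organization) url.searchParams.set("organization", organization);
  return url.toString();
}

// Map the error.id values listed in the description to what the client should do next.
function classifyLoginFlowError(body) {
  const id = body && body.error && body.error.id;
  switch (id) {
    case "session_already_available":
      return { id, action: "redirect_to_default_url" }; // user is signed in already
    case "session_aal1_required":
      return { id, action: "start_aal1_login" }; // aal2 requested without any session
    case "security_csrf_violation":
      return { id, action: "reload_and_restart_flow" }; // CSRF cookie missing or stale
    case "security_identity_mismatch":
      return { id, action: "retry_without_return_to" }; // return_to is not allow-listed
    default:
      return { id: id || "unknown", action: "show_generic_error" };
  }
}

// 200 -> the loginFlow object; anything else -> a classified error.
async function interpretLoginFlowResponse(res) {
  const body = await res.json();
  if (res.ok) return { kind: "flow", flow: body };
  return { kind: "error", ...classifyLoginFlowError(body) };
}

// Browser (AJAX) call: Accept: application/json yields the flow instead of a 303,
// credentials: "include" sends and stores the CSRF and session cookies.
async function createBrowserLoginFlow(opts = {}, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(buildLoginFlowUrl(KRATOS_PUBLIC_URL, opts), {
    method: "GET",
    headers: { Accept: "application/json" },
    credentials: "include",
  });
  return interpretLoginFlowResponse(res);
}

// Server-side call on behalf of a browser (e.g. inside an Express handler):
// forward the browser's Cookie header so CSRF/session cookies are respected,
// and collect Kratos' Set-Cookie headers so the handler can relay them back.
async function createBrowserLoginFlowForClient(cookieHeader, opts = {}, fetchImpl = globalThis.fetch) {
  const headers = { Accept: "application/json" };
  if (cookieHeader) headers.Cookie = cookieHeader;
  const res = await fetchImpl(buildLoginFlowUrl(KRATOS_PUBLIC_URL, opts), {
    method: "GET",
    headers,
    redirect: "manual", // never follow a redirect on the user's behalf
  });
  const setCookie =
    res.headers && typeof res.headers.getSetCookie === "function" ? res.headers.getSetCookie() : [];
  const result = await interpretLoginFlowResponse(res);
  return { ...result, setCookie };
}
```

In the server-side variant the caller is responsible for writing each entry of `setCookie` back to the browser's response; dropping them means the CSRF cookie that pairs with the flow's csrf_token never reaches the client and the subsequent submit fails with security_csrf_violation.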
Responses
| Status | Description | Body |
|---|---|---|
| 200 | loginFlow | application/json, object |
| 303 | Redirect sent when the endpoint is opened as a link in the browser rather than via AJAX: to selfservice.flows.login.ui_url with ?flow=<id>, or to urls.default_redirect_url when a valid session already exists and ?refresh=true was not set. No body. | - |
| 400 | errorGeneric | application/json, object |
| default | errorGeneric | application/json, object |
Generated from /tmp/kratos-api.json at build time.