Olympus Docs

Submit a Login Flow

POST /self-service/login

Use this endpoint to complete a login flow. This endpoint behaves differently for API and browser flows.

API flows expect application/json to be sent in the body and respond with HTTP 200 and an application/json body with the session token on success; HTTP 410 if the original flow expired, with the appropriate error messages set and optionally a use_flow_id parameter in the body; HTTP 400 on form validation errors.

Browser flows expect a Content-Type of application/x-www-form-urlencoded or application/json to be sent in the body and respond with an HTTP 303 redirect to the post/after login URL, or to the return_to value if it was set, when the login succeeded; otherwise with an HTTP 303 redirect to the login UI URL with the flow ID containing the validation errors.

Browser flows with an Accept header of application/json will not redirect but instead respond with HTTP 200 and an application/json body with the signed-in identity and a Set-Cookie header on success; an HTTP 303 redirect to a fresh login flow if the original flow expired, with the appropriate error messages set; HTTP 400 on form validation errors.

If this endpoint is called with Accept: application/json in the header, the response contains the flow without a redirect. In the case of an error, the error.id of the JSON response body can be one of:

session_already_available: The user is already signed in.
security_csrf_violation: Unable to fetch the flow because a CSRF violation occurred.
security_identity_mismatch: The requested ?return_to address is not allowed to be used. Adjust this in the configuration!
browser_location_change_required: Usually sent when an AJAX request indicates that the browser needs to open a specific URL. Most likely used in Social Sign In flows.

More information can be found at Ory Kratos User Login and User Registration Documentation.

Operation ID: updateLoginFlow    Tag: frontend

Query parameters

| Name | Type | Required | Description |
|------|------|----------|-------------|
| flow | string | yes | The Login Flow ID. The value for this parameter comes from flow URL Query parameter sent to your application (e.g. /login?flow=abcde). |

Header parameters

| Name | Type | Required | Description |
|------|------|----------|-------------|
| X-Session-Token | string | no | The Session Token of the Identity performing the settings flow. |
| Cookie | string | no | HTTP Cookies. When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header sent by the client to your server here. This ensures that CSRF and session cookies are respected. |

Request body

Content-Type: application/json

Type:

Schema: updateLoginFlowBody, see the Ory Identities API schemas reference for the full type.

Content-Type: application/x-www-form-urlencoded

Type:

Schema: updateLoginFlowBody, see the Ory Identities API schemas reference for the full type.

Responses

| Status | Description | Body |
|--------|-------------|------|
| 200 | successfulNativeLogin | application/json, object |
| 303 | Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is typically 204. | - |
| 400 | loginFlow | application/json, object |
| 410 | errorGeneric | application/json, object |
| 422 | errorBrowserLocationChangeRequired | application/json, object |
| default | errorGeneric | application/json, object |
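
The status handling described on this page, as an added example (not code from Ory or from this documentation site): a client-side dispatcher run against constructed response bodies. The field names session_token and redirect_browser_to and the ui.messages / ui.nodes layout are assumptions that this page does not state.

```python
import json

# error.id values this page lists for Accept: application/json callers.
KNOWN_ERROR_IDS = {"session_already_available", "security_csrf_violation",
                   "security_identity_mismatch", "browser_location_change_required"}

def validation_messages(flow):
    """Collect message texts from a loginFlow body (ui.* layout is assumed)."""
    ui = flow.get("ui", {})
    texts = [m.get("text") for m in ui.get("messages", [])]
    for node in ui.get("nodes", []):
        texts += [m.get("text") for m in node.get("messages", [])]
    return texts

def interpret_login_response(status, body_text="", location=None):
    """Map a POST /self-service/login response to an (outcome, detail) pair."""
    body = json.loads(body_text) if body_text else {}
    error = body.get("error")
    error_id = error.get("id") if isinstance(error, dict) else None
    if status == 200:
        # API flow: token in the body (field name assumed). Browser flow with
        # Accept: application/json: identity in the body, session in Set-Cookie.
        token = body.get("session_token")
        return ("logged_in_api", token) if token else ("logged_in_browser", None)
    if status == 303:
        return ("follow_redirect", location)
    if status == 410:
        # Expired flow: restart with the replacement flow ID when one is given.
        return ("flow_expired", body.get("use_flow_id"))
    if status == 422:
        # Target URL field name is assumed, not taken from this page.
        return ("browser_location_change", body.get("redirect_browser_to"))
    if error_id in KNOWN_ERROR_IDS:
        return ("error", error_id)
    if status == 400:
        return ("validation_error", validation_messages(body))
    return ("unexpected", status)

# Constructed sample bodies, not captured from a real deployment.
EXPIRED = '{"error": {"id": "constructed_expired"}, "use_flow_id": "flow-2"}'
INVALID = '{"id": "flow-1", "ui": {"messages": [{"text": "bad credentials"}], "nodes": []}}'

if __name__ == "__main__":
    print(interpret_login_response(410, EXPIRED))
    print(interpret_login_response(400, INVALID))
```

Treat the value returned for logged_in_api as a credential: keep it out of logs and error reports.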

Generated from /tmp/kratos-api.json at build time.