diff --git a/docs/kratos/manage-identities/15_customize-identity-schema.mdx b/docs/kratos/manage-identities/15_customize-identity-schema.mdx
index 40c581212..ef6cd5017 100644
--- a/docs/kratos/manage-identities/15_customize-identity-schema.mdx
+++ b/docs/kratos/manage-identities/15_customize-identity-schema.mdx
@@ -220,7 +220,7 @@ Because the system doesn't know which fields have system-relevant meaning, you h
The vocabulary extension can be used within a property. Let's take a look at the email identity schema preset. It uses all
available identity schema extensions:
-```json {8-34}
+```json
{
"$id": "https://schemas.ory.sh/presets/kratos/identity.email.schema.json",
"title": "Person",
@@ -233,6 +233,7 @@ available identity schema extensions:
"type": "string",
"format": "email",
"title": "E-Mail",
+# highlight-start
"ory.sh/kratos": {
"credentials": {
"password": {
@@ -247,6 +248,9 @@ available identity schema extensions:
"code": {
"identifier": true,
"via": "email"
+ },
+ "passkey": {
+ "display_name": true
}
},
"recovery": {
@@ -256,6 +260,30 @@ available identity schema extensions:
"via": "email"
}
},
+# highlight-end
+ "maxLength": 320
+ },
+ "phone": {
+ "type": "string",
+ "format": "tel",
+ "title": "Phone number",
+ "ory.sh/kratos": {
+ "credentials": {
+ "password": {
+ "identifier": true
+ },
+ "code": {
+ "identifier": true,
+ "via": "sms"
+ }
+ },
+ "recovery": {
+ "via": "sms"
+ },
+ "verification": {
+ "via": "sms"
+ }
+ },
"maxLength": 320
}
},
@@ -310,6 +338,9 @@ sign in:
"code": {
"identifier": true,
"via": "email"
+ },
+ "passkey": {
+ "display_name": true
}
},
"recovery": {
@@ -357,6 +388,13 @@ You can also specify an array of elements:
},
"totp": {
"account_name": true
+ },
+ "passkey": {
+ "display_name": true
+ },
+ "code": {
+ "identifier": true,
+ "via": "email"
}
},
"recovery": {
@@ -555,17 +593,16 @@ Using the following identity schema extension we specify that the field is used
}
```
-### Passwordless WebAuthn login identifier
+### Passkey display name
-Using the following identity schema extension we specify that the field is used as the "ID" when using passwordless WebAuthn
-login:
+Using the following identity schema extension we specify that the field is used as the display name for PassKeys:
```json
{
"ory.sh/kratos": {
"credentials": {
- "webauthn": {
- "identifier": true
+ "passkey": {
+ "display_name": true
}
}
}
@@ -577,23 +614,47 @@ login:
Using the following identity schema extension we specify that the field is used as the "ID" when using passwordless one-time code
login:
-```json5
+````mdx-code-block
+
+
+
+```json
{
"ory.sh/kratos": {
- credentials: {
- code: {
- identifier: true,
- via: "email",
- },
- },
- },
+ "credentials": {
+ "code": {
+ "identifier": true,
+ "via": "email",
+ }
+ }
+ }
+}
+```
+
+
+
+
+```json
+{
+ "ory.sh/kratos": {
+ "credentials": {
+ "code": {
+ "identifier": true,
+ "via": "sms",
+ }
+ }
+ }
}
```
-### TOTP display username
+
+
+````
+
+### Google Authenticator (TOTP) display name
The following identity schema extension specifies that this field should be displayed in the Authenticator App as the account
-name.
+name:
```json
{
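Review bot: The two code blocks in this hunk are relabelled from `json5` to ```json but keep a trailing comma after `"via": "email",` and `"via": "sms",`, which a strict JSON parser rejects, so a reader who pastes either block into an identity schema gets a parse error. The old json5 fence tolerated the comma; the new fence does not. Drop the comma in both blocks so the lines read `"via": "email"` and `"via": "sms"`. The blank lines inside the ````mdx-code-block wrapper look like stripped tab markup rather than content, so I have not raised them.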
@@ -607,24 +668,72 @@ name.
}
```
+### Passwordless WebAuthn login identifier
+
+:::note
+
+Please use the PassKey method instead. This is documented for legacy reasons.
+
+:::
+
+Using the following identity schema extension we specify that the field is used as the "ID" when using passwordless WebAuthn
+login:
+
+```json
+{
+ "ory.sh/kratos": {
+ "credentials": {
+ "webauthn": {
+ "identifier": true
+ }
+ }
+ }
+}
+```
+
### Verification address
Specifies that the field is verifiable by sending an email with a verification code or link.
+````mdx-code-block
+
+
+
```json
{
"ory.sh/kratos": {
- "verification": {
+ "recovery": {
"via": "email"
}
}
}
```
+
+
+
+```json
+{
+ "ory.sh/kratos": {
+ "recovery": {
+ "via": "sms"
+ }
+ }
+}
+```
+
+
+
+````
+
### Recovery address
Specifies that the field can be used to send an account recovery code or link.
+````mdx-code-block
+
+
+
```json
{
"ory.sh/kratos": {
@@ -635,6 +744,23 @@ Specifies that the field can be used to send an account recovery code or link.
}
```
+
+
+
+```json
+{
+ "ory.sh/kratos": {
+ "recovery": {
+ "via": "sms"
+ }
+ }
+}
+```
+
+
+
+````
+
## Mandatory fields for registration
Use `required` to define which identity schema fields users must fill in during registration. When users try to register without
@@ -676,6 +802,13 @@ For nested objects such as `name`, add the `required` property inside of the obj
},
"totp": {
"account_name": true
+ },
+ "code": {
+ "identifier": true,
+ "via": "email"
+ },
+ "passkey": {
+ "display_name": true
}
},
"recovery": {
@@ -778,6 +911,9 @@ Below is an example of how to do this:
"totp": {
"account_name": true
},
+ "passkey": {
+ "display_name": true
+ }
}
}
},
@@ -799,6 +935,9 @@ Below is an example of how to do this:
"code": {
"identifier": true,
"via": "email"
+ },
+ "passkey": {
+ "display_name": true
}
},
"recovery": {
@@ -900,7 +1039,7 @@ You need to decide which route you want to take.
Let's take a look at some examples!
-### Email and password
+### Email as the primary identifier
To use the email address as the login identifier, define the following identity schema:
@@ -917,13 +1056,34 @@ To use the email address as the login identifier, define the following identity
"email": {
"type": "string",
"format": "email",
+ "title": "E-Mail",
"ory.sh/kratos": {
"credentials": {
"password": {
"identifier": true
+ },
+ "webauthn": {
+ "identifier": true
+ },
+ "totp": {
+ "account_name": true
+ },
+ "code": {
+ "identifier": true,
+ "via": "email"
+ },
+ "passkey": {
+ "display_name": true
}
+ },
+ "recovery": {
+ "via": "email"
+ },
+ "verification": {
+ "via": "email"
}
- }
+ },
+ "maxLength": 320
}
}
}
@@ -954,7 +1114,26 @@ You can allow users to sign up with multiple email addresses and use any of them
"credentials": {
"password": {
"identifier": true
+ },
+ "webauthn": {
+ "identifier": true
+ },
+ "totp": {
+ "account_name": true
+ },
+ "code": {
+ "identifier": true,
+ "via": "email"
+ },
+ "passkey": {
+ "display_name": true
}
+ },
+ "recovery": {
+ "via": "email"
+ },
+ "verification": {
+ "via": "email"
}
}
}
@@ -982,9 +1161,19 @@ To use a username as the login identifier, define the following identity schema:
"username": {
"type": "string",
"ory.sh/kratos": {
- "credentials": {
- "password": {
- "identifier": true
+ "credentials": {
+ "password": {
+ "identifier": true
+ },
+ "webauthn": {
+ "identifier": true
+ },
+ "totp": {
+ "account_name": true
+ },
+ "passkey": {
+ "display_name": true
+ }
}
}
}
@@ -1016,7 +1205,26 @@ You may also mix usernames and passwords:
"credentials": {
"password": {
"identifier": true
+ },
+ "webauthn": {
+ "identifier": true
+ },
+ "totp": {
+ "account_name": true
+ },
+ "code": {
+ "identifier": true,
+ "via": "email"
+ },
+ "passkey": {
+ "display_name": true
}
+ },
+ "recovery": {
+ "via": "email"
+ },
+ "verification": {
+ "via": "email"
}
}
},
@@ -1026,6 +1234,19 @@ You may also mix usernames and passwords:
"credentials": {
"password": {
"identifier": true
+ },
+ "webauthn": {
+ "identifier": true
+ },
+ "totp": {
+ "account_name": true
+ },
+ "code": {
+ "identifier": true,
+ "via": "email"
+ },
+ "passkey": {
+ "display_name": true
}
}
}
@@ -1055,7 +1276,27 @@ You may also mix usernames and passwords:
"credentials": {
"password": {
"identifier": true
- }
+ },
+ "webauthn": {
+ "identifier": true
+ },
+ "totp": {
+ "account_name": true
+ },
+ "code": {
+ "identifier": true,
+ "via": "sms"
+ },
+ "passkey": {
+ "display_name": true
+ }
+ },
+ "recovery": {
+ "via": "sms"
+ },
+ "verification": {
+ "via": "sms"
+ }
}
}
}
@@ -1097,6 +1338,19 @@ This identity schema is just an example. It contains too many fields to be used
"credentials": {
"password": {
"identifier": true
+ },
+ "webauthn": {
+ "identifier": true
+ },
+ "totp": {
+ "account_name": true
+ },
+ "code": {
+ "identifier": true,
+ "via": "email"
+ },
+ "passkey": {
+ "display_name": true
}
},
"recovery": {
diff --git a/docs/kratos/self-service/flows/account-recovery-password-reset.mdx b/docs/kratos/self-service/flows/account-recovery-password-reset.mdx
index d448c9898..4e41743c1 100644
--- a/docs/kratos/self-service/flows/account-recovery-password-reset.mdx
+++ b/docs/kratos/self-service/flows/account-recovery-password-reset.mdx
@@ -358,6 +358,13 @@ This is an example of an identity schema with a secondary email address:
},
"totp": {
"account_name": true
+ },
+ "passkey": {
+ "display_name": true
+ },
+ "code": {
+ "identifier": true,
+ "via": "email"
}
},
"recovery": {