---
# Ory Kratos configuration — identity store plus self-service authentication.
#
# Wired up here:
#   * identity schema (email, name) and password login
#   * account recovery and e-mail verification, both driven by one-time codes
#     sent through the courier
#   * every self-service flow hands the browser back to our own themed routes
#     (the §4 UI renders the form fields Kratos returns)
#
# Deliberately NOT here: the DSN, the production courier settings and the real
# secrets all arrive through the environment. SSO, session tuning and the JWT
# tokenizer are scheduled for later §3/§4 items.
serve:
  public:
    # Browser-facing API used by the self-service flows.
    base_url: "http://127.0.0.1:4433/"
    cors:
      enabled: false
  admin:
    # Privileged API. NOTE(review): the `kratos` hostname looks like a
    # compose-internal address — keep this port off the public edge.
    base_url: "http://kratos:4434/"

identity:
  default_schema_id: "default"
  schemas:
    - id: "default"
      url: "file:///etc/config/kratos/identity.schema.json"

selfservice:
  # Landing page when a flow completes without an explicit return target.
  default_browser_return_url: "http://127.0.0.1:3000/"
  # NOTE(review): Kratos only honours `return_to` targets under these entries;
  # keeping the list to our own origin stops the flows acting as an open
  # redirect. Do not widen it without a reason.
  allowed_return_urls:
    - "http://127.0.0.1:3000"

  methods:
    password:
      enabled: true
    code:
      # E-mail one-time code. Backs the recovery and verification flows below;
      # it is not a login method in this configuration.
      enabled: true

  flows:
    error:
      ui_url: "http://127.0.0.1:3000/error"

    login:
      ui_url: "http://127.0.0.1:3000/login"

    registration:
      ui_url: "http://127.0.0.1:3000/registration"
      after:
        password:
          hooks:
            # Sign the new identity in straight away, then show verification.
            # NOTE(review): this means an unverified identity holds a session;
            # if verification must gate access, drop the `session` hook here.
            - hook: "session"
            - hook: "show_verification_ui"

    settings:
      ui_url: "http://127.0.0.1:3000/settings"
      # Re-authentication window for sensitive settings changes.
      privileged_session_max_age: "15m"
      required_aal: "highest_available"

    recovery:
      enabled: true
      use: "code"
      ui_url: "http://127.0.0.1:3000/recovery"

    verification:
      enabled: true
      use: "code"
      ui_url: "http://127.0.0.1:3000/verification"
      after:
        default_browser_return_url: "http://127.0.0.1:3000/"

    logout:
      after:
        default_browser_return_url: "http://127.0.0.1:3000/login"

# Development mail catcher (see compose.override.yml). STARTTLS is disabled,
# which is acceptable only for the local catcher; production replaces the whole
# URI via COURIER_SMTP_CONNECTION_URI.
courier:
  smtp:
    connection_uri: "smtp://mailpit:1025/?disable_starttls=true"
    from_address: "no-reply@plainpages.local"
    from_name: "Plainpages"

# Development placeholders only — production injects real values from the
# environment (§3). The cipher secret must be exactly 32 characters.
# NOTE(review): keep these quoted so tooling never re-types them, and never
# let the placeholder values reach a non-local deployment.
secrets:
  cookie:
    - "PLEASE-CHANGE-ME-dev-kratos-cookie-secret"
  cipher:
    - "0123456789abcdef0123456789abcdef"

log:
  level: "info"
  format: "text"