Email templates
Ory Identities comes with built-in templates for all messages sent by the system. You can replace the default templates with custom ones that can carry your own branding, visual elements, and communication tone.
Built-in templates
- Account recovery
- Address verification
- Login code
- Registration code
When you set the account verification method to code
, the system uses the recovery_code.valid
template to send the recovery
code to the user.
If you enabled sending attempted recovery notifications to unregistered addresses, the system uses the recovery_code.invalid
template.
If you set the account recovery method to link
, the system uses these templates instead:
recovery.valid
recovery.invalid
To read more about the recovery flow, read Account recovery and password reset.
When you set the account verification method to code
, the system uses the verification_code.valid
template to send the
verification code and a URL to the user.
If you enabled notifications to unknown recipients, the verification_code.invalid
template is used.
If you set the account verification method to link
, the system uses these templates instead:
verification.valid
verification.invalid
To read more about the verification flow, read Email and phone verification.
When you enable the one-time code method the login flow will need to send out an email to users signing in through the one-time
code method. The system will then use the login_code.valid
template to send the login code to the user.
To read more about login via a one-time code, read the one-time code documentation.
When you enable the one-time code method the registration flow will need to send out an email to users signing up using the
one-time code method. The system will then use the registration_code.valid
template to send the registration code to the user.
To read more about registration via a one-time code, read the one-time code documentation.
Using custom message templates
Templates can be customized to fit your own branding and requirements. If you don't customize a specific template, the system automatically uses the built-in template.
- Ory Console
- Ory CLI
- Go to Authentication → Email templates in the Ory Console
- Select the email template you want to customize.
The recovery & verification templates only show the versions for the method (One time code or link) you have selected in the flow configuration.
- Authentication → Account recovery in the Ory Console
- Authentication → Email verification in the Ory Console
-
List all your projects and get the Ory Identities config file:
## List all available workspaces
ory list workspaces
## List all available projects
ory list projects --workspace <workspace-id>
## Get config
ory get identity-config --project <project-id> --workspace <workspace-id> --format yaml > identity-config.yaml -
Encode your custom template to base64 using the following command:
echo "Your custom template" | base64
-
Add your Base64-encoded custom message templates to the config (don't forget to add base64:// before the encoded template):
identity-config.yamlcourier:
smtp:
from_name: MyProject via Ory
templates:
recovery:
invalid:
email:
body:
html: "base64://ENCODED_HTML_TEMPLATE"
plaintext: "base64://ENCODED_PLAINTEXT_TEMPLATE"
valid:
email:
body: {}
verification:
invalid:
email:
body: {}
valid:
email:
body: {}
login:
valid:
email:
body: {}
registration:
valid:
email:
body: {} -
Upload the edited config:
ory update identity-config --project <project-id> --workspace <workspace-id> --file updated_config.yaml
In the Ory Network, you can use only Base64-encoded templates. http://
or file://
URIs are not supported. If you provide
custom templates using unsupported methods, the system uses the default templates.
Creating templates
Templates use the Go template engine in the text/template
package for rendering the email.subject.gotmpl
and
email.body.plaintext.gotmpl
templates, and the html/template
package for rendering the email.body.gotmpl
template.
Learn more:
Templates can use the Sprig library, which provides more than 100 commonly used template functions
For security reasons, these Sprig functions are disabled in the Ory Network:
- Date functions:
date
,date_in_zone
,date_modify
,now
,htmlDate
,htmlDateInZone
,dateInZone
,dateModify
- Strings:
randAlphaNum
,randAlpha
,randAscii
,randNumeric
,uuidv4
- OS:
env
,expandenv
- Network:
getHostByName
Available variables
The variables available for use in email templates change depending on the flow and the selected method:
- Recovery (via code)
- Verification (via code)
- Recovery (via magic link)
- Verification (via magic link)
- Login (via code)
- Registration (via code)
For the recovery_code.valid
template, the following variables are available:
Variable | Description |
---|---|
To | The email address the email will be sent to |
RecoveryCode | The recovery code |
Identity | The identity to be recovered |
The recovery_code.invalid
template does not allow to send a direct link to the user, as the recovery flow enforces anti-CSRF measures, which would lead to the flow failing, in case the user opens the link in a different browser.
For the recovery_code.invalid
template, the following variables are available:
Variable | Description |
---|---|
To | the email address the email will be sent to |
For the verification_code.valid
template, the following variables are available:
Variable | Description |
---|---|
To | the email address the email will be sent to |
VerificationCode | the verification code |
VerificationURL | the verification link |
Identity | the identity of the email address |
For the verification_code.invalid
template, the following variables are available:
Variable | Description |
---|---|
To | the email address the email will be sent to |
For the recovery.valid
template, the following variables are available:
Variable | Description |
---|---|
To | The email address the email will be sent to |
RecoveryURL | The recovery link |
Identity | The identity to be recovered |
For the recovery.invalid
template, the following variables are available:
Variable | Description |
---|---|
To | the email address the email will be sent to |
For the verification.valid
template, the following variables are available:
Variable | Description |
---|---|
To | the email address the email will be sent to |
VerificationURL | the verification link |
Identity | the identity of the email address |
For the verification.invalid
template, the following variables are available:
Variable | Description |
---|---|
To | the email address the email will be sent to |
For the login_code.valid
template, the following variables are available:
Variable | Description |
---|---|
To | the email address to whom the email is sent |
LoginCode | the login code |
Identity | the identity of the email address |
For the registration_code.valid
template, the following variables are available:
Variable | Description |
---|---|
To | the email address to whom the email is sent |
RegistrationCode | the registration code |
Traits | the provided traits as specified by the Identity Schema |
Mandatory template formats
Each template must have two versions: html
and plaintext
.
html
version uses the HTML syntax to achieve the desired look and functionality (such as clickable buttons) of the email message.plaintext
version can't contain any HTML. Must contain only plain text content and any necessarygotmpl
logic. This version is used as a fallback when thehtml
version cannot be delivered, for example when the user's mail server blocks HTML in all incoming messages.
- HTML
- Plain text
Hi, please verify your account by clicking the following link:
<a href="{{ .VerificationURL }}">{{ .VerificationURL }}</a>
The plaintext
version doesn't contain any HTML and keeps only the gotmpl logic ({{ .VerificationURL }}
) and plain text.
Hi, please verify your account by clicking the following link: {{ .VerificationURL }}
Customizing template content for specific users
To enable customizing the content of templates based on the identity of the recipient of the email, the Identity
object is
available inside the templates. This object is a map containing all the attributes of an identity defined in the identity schema,
such as id
, state
, recovery_addresses
, verifiable_addresses
and traits
.
Read this document to learn more about the Ory Identity and the identity schema.
Translated templates (i18n)
You can use nested templates to render email.subject.gotmpl
, email.body.gotmpl
and email.body.plaintext.gotmpl
templates
based on user settings, for example based on their chosen language.
To enable i18n customization of templates, customize the identity schema to include the user's preferred communication language. For example:
{
// ...
"properties": {
"traits": {
"type": "object",
"properties": {
// ...
"lang": {
"type": "string",
"title": "Your preferred language"
},
"required": [
"email"
],
"additionalProperties": false,
}
}
}
This identity trait can then be used inside the template to render a section conditionally.
The following example defines various templates for the recovery_code.valid
template and renders the respective template
depending on the language set in the lang
identity traits, that was defined above:
{{define "en"}}
Hi,
Please enter the following code to recover your account:
{{ .RecoveryCode }}
{{end}}
{{define "fr"}}
Bonjour,
Veuillez entrer le code suivant pour récupérer votre compte:
{{ .RecoveryCode }}
{{end}}
{{define "de"}}
Hallo,
Bitte geben Sie den folgenden Code ein, um Ihr Konto wiederherzustellen:
{{ .RecoveryURL }}
{{end}}
{{- else if eq .Identity.traits.lang "fr" -}}
{{ template "fr" . }}
{{- else if eq .Identity.traits.lang "de" -}}
{{ template "de" . }}
{{- else -}}
{{ template "en" . }}
{{- end -}}
You can use Sprig functions in the nested templates. For security reasons, some functions are disabled in the Ory Network. Click here to see the list of disabled functions.
Metadata in templates
As an administrator, you can set identity metadata, such as the user's language, in your application code using Identity metadata property. Read this document to learn more.
You can access metadata_public
through .Identity.metadata_public
in email templates.
The following example requires that the field lang
is set in the public metadata. Your application could set this value after
user completes registration.
{{define "en"}}
Hi,
Please enter the following code to recover your account:
{{ .RecoveryCode }}
{{end}}
{{define "fr"}}
Bonjour,
Veuillez entrer le code suivant pour récupérer votre compte:
{{ .RecoveryCode }}
{{end}}
{{define "de"}}
Hallo,
Bitte geben Sie den folgenden Code ein, um Ihr Konto wiederherzustellen:
{{ .RecoveryURL }}
{{end}}
{{- if eq .Identity.metadata_public.lang "fr" -}}
{{ template "fr" . }}
{{- else if eq .Identity.metadata_public.lang "de" -}}
{{ template "de" . }}
{{- else -}}
{{ template "en" . }}
{{- end -}}
Since metadata is not validated by Ory Identities, missing entries or unexpected values can cause errors in the template rendering process. If the system encounters errors in the rendering process, Ory Identities uses the default templates.
Transient payload in templates
The transient payload allows you to pass additional data along with certain self-service flows. Transient payloads can be used for passing temporary information to your email template without storing it permanently.
The following example_key
transient payload
...
traits: {
email: "user@example.com",
},
transient_payload: {
example_key: "This is an example value"
},
...
can be accessed in the email template using {{index .TransientPayload "example_key"}}
<h1>Recovery Details</h1>
<p>To: {{.To}}</p>
<p>Recovery URL: {{.RecoveryURL}}</p>
<p>Transient Payload: {{index .TransientPayload "example_key"}}</p>
<p>
{{- if eq (index .TransientPayload "lang") "foo" -}}
FOO
{{- else -}}
BAR
{{- end -}}
</p>
This results into the following email to be sent to the user.
<h1>Recovery Details</h1>
<p>To: user@example.com</p>
<p>Recovery URL: https://example.com/recover</p>
<p>Transient Payload: This is an example value</p>
<p>
BAR
</p>