
Magic links use old custom domain name

After updating their custom domain, some users reported that verification emails still contained magic links generated for the old domain.

This means that after changing the custom domain from old.production.com to new-domain.production.com, some verification emails still use old.production.com to generate magic links for the verification flow.

This results in emails that contain https://old.production.com/self-service/verification?code={...} instead of https://new-domain.production.com/self-service/verification?code={...}.

To fix this error, run this Ory CLI command to force Ory Network to update the /selfservice/methods/link/config/base_url configuration key:

ory patch identity-config {your-project-id} \
--remove '/selfservice/methods/link/config/base_url'

When you run this command, the /selfservice/methods/link/config/base_url updates automatically to use your current custom domain.

Tip: Ory recommends using the "one-time code" verification method. Read this document to learn more.

The selfservice.methods.link.config.base_url option previously overrode the base URL for recovery and verification links. It now has no effect: the base URL for generated links is derived from the incoming request URL instead.

Am I affected?

You are affected if:

  • Your selfservice.methods.link.config sets base_url.

Why was this change made?

Deriving the base URL from the request makes recovery and verification links correct across multiple domains and behind reverse proxies without a static override, so the per-strategy base_url became redundant and was removed.

How to adapt to this change?

Remove base_url from your link strategy configuration. It is ignored, so removing it does not change behavior. If you need to control the public base URL globally, set serve.public.base_url (self-hosted) and make sure any reverse proxy forwards the correct Host header to Kratos.

# Before
selfservice:
  methods:
    link:
      config:
        base_url: https://my-app.com
        lifespan: 1h

# After
selfservice:
  methods:
    link:
      config:
        lifespan: 1h

Remove base_url from the link method configuration. Recovery and verification links already use the request URL on Ory Network, so no further action is required.
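
A post-change check for the two situations described above (stale links after a domain change, and links now derived from the request URL): this Python sketch scans rendered email bodies for verification and recovery links and reports any whose scheme or host is not one you expect. It is an added example, not Ory's code; the function name, the sample emails and the /self-service/recovery path are assumptions.

```python
import re
from urllib.parse import urlsplit

# Paths that carry a magic-link code. The verification path is taken from the
# URLs on this page; the recovery path is an assumption.
LINK_PATHS = ("/self-service/verification", "/self-service/recovery")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def audit_links(email_body, allowed_hosts):
    """Return (redacted_url, reason) for each magic link with an unexpected origin."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for raw in URL_RE.findall(email_body):
        try:
            parts = urlsplit(raw.rstrip(".,)"))
            host = (parts.hostname or "").lower()
        except ValueError:  # malformed authority, e.g. broken IPv6 brackets
            continue
        if not parts.path.startswith(LINK_PATHS):
            continue
        # Report scheme, host and path only, so the one-time code never reaches logs.
        redacted = f"{parts.scheme}://{host}{parts.path}"
        if parts.scheme != "https":
            findings.append((redacted, "not https"))
        elif host not in allowed:
            findings.append((redacted, "unexpected host"))
    return findings


# Constructed sample emails (codes are placeholders).
STALE = ("Please verify your address:\n"
         "https://old.production.com/self-service/verification?code=CONSTRUCTED-1\n")
CURRENT = ("Please verify your address: "
           "https://new-domain.production.com/self-service/verification?code=CONSTRUCTED-2.")

if __name__ == "__main__":
    for name, body in (("stale", STALE), ("current", CURRENT)):
        print(name, audit_links(body, {"new-domain.production.com"}))
```

Run it against a test verification email after removing base_url; an "unexpected host" finding means the link was built for a domain other than the ones you passed in.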