ory · unatasha8 · Dec 16, 2025 · Dec 4, 2025 · Dec 4, 2025 · Dec 10, 2025
@@ -27,8 +27,8 @@ Read the changelog for Ory Network at [changelog.ory.com](https://changelog.ory.
 
 ## Roadmap
 
-Ory is actively being developed. If you are interested in a particular project, it's best to check out the
-[open issues & pull requests ](#milestones-issues-pull-requests) for that project.
+Ory is actively being developed. If you are interested in a particular project, it's best to check out the open issues & pull
+requests for that project.
 
 Please note that our roadmap is **subject to change**. This means that development is considering feedback both from the Open
 Source community as well as Ory Network users.

@@ -15,7 +15,7 @@ environment to self-hosted Ory Kratos Identity Server instances.
 This feature is useful for fluently moving your local setup to the cloud, or for working on the configuration and testing
 different settings in the safety of the local development environment.
 
-To work with the Ory Identities, you must have an active project. Use the [CLI](./config-with-cli#create-ory-cloud-project) or the
+To work with the Ory Identities, you must have an active project. Use the [CLI](./10_config-with-cli.mdx) or the
 [Ory Console](https://console.ory.sh/) to create one.
 
 ## Export configuration from Ory Network
@@ -24,8 +24,7 @@ To get your project's Ory Identities configuration, run this command:
 
 :::info
 
-You must be signed in to an Ory Network account to perform this action. Read
-[this document](./cli-basics#use-cli-with-existing-cloud-account) to learn more.
+You must be signed in to an Ory Network account to perform this action. Read [this document](./05_cli-basics.mdx) to learn more.
 
 :::
 

@@ -15,17 +15,16 @@ environment to self-hosted Ory Hydra OAuth2 Server instances.
 This feature is useful for fluently moving your local setup to the cloud, or for working on the configuration and testing
 different settings in the safety of the local development environment.
 
-To work with the Ory OAuth2 and OpenID, you must have an active project. Use the [CLI](./config-with-cli#create-ory-cloud-project)
-or the [Ory Console](https://console.ory.sh/) to create one.
+To work with the Ory OAuth2 and OpenID, you must have an active project. Use the [CLI](10_config-with-cli.mdx) or the
+[Ory Console](https://console.ory.sh/) to create one.
 
 ## Export configuration from Ory Network
 
 To get your project's Ory OAuth2 and OpenID configuration, run this command:
 
 :::info
 
-You must be signed in to an Ory Network account to perform this action. Read
-[this document](./cli-basics#use-cli-with-existing-cloud-account) to learn more.
+You must be signed in to an Ory Network account to perform this action. Read [this document](05_cli-basics.mdx) to learn more.
 
 :::
 

@@ -15,17 +15,16 @@ to self-hosted Ory Keto instances.
 This feature is useful for fluently moving your local setup to Ory Network, or for working on the configuration and testing
 different settings in the safety of the local development environment.
 
-To work with the Ory Permissions, you must have an active project. Use the [CLI](./config-with-cli#create-ory-cloud-project) or
-the [Ory Console](https://console.ory.sh/) to create one.
+To work with the Ory Permissions, you must have an active project. Use the [CLI](10_config-with-cli.mdx) or the
+[Ory Console](https://console.ory.sh/) to create one.
 
 ## Export configuration from Ory Network
 
 To get your project's Ory Permissions configuration, run this command:
 
 :::info
 
-You must be signed in to an Ory Network account to perform this action. Read
-[this document](./cli-basics#use-cli-with-existing-cloud-account) to learn more.
+You must be signed in to an Ory Network account to perform this action. Read [this document](05_cli-basics.mdx) to learn more.
 
 :::
 

@@ -35,7 +35,7 @@ Note that the slug in the above screenshot **is an example**. You will have your
 
 The Cookie Domain is the domain cookies will be scoped to. Ory Network will issue the session cookie to this domain. This means,
 that the cookie is available on this domain and all subdomains. In most cases you want this to be root domain of the CNAME record
-you set up. See the [Cookie configuration document](https://www.ory.com/kratos/docs/guides/configuring-cookies) and
+you set up. See the [Cookie configuration document](./../kratos/guides/configuring-cookies.mdx) and
 [this Stack Overflow answer](https://stackoverflow.com/a/23086139).
 
 :::warning
@@ -287,6 +287,6 @@ configured the custom domain `ory.your-custom-domain.com`, you should also confi
 :::tip
 
 To learn how to set up a custom SMTP server on the Ory Network, read
-[Send emails using your SMTP server](./../kratos/emails-sms/01_sending-emails-smtp.mdx#send-emails-using-your-smtp-server).
+[Send emails using your SMTP server](./../kratos/emails-sms/sending-emails-smtp#your-own-server).
 
 :::
@@ -9,7 +9,7 @@ applications to access user data.
 :::info Good to know
 
 If you are looking for a system that implements registration, login, password reset, social sign in, profile management, 2fa, and
-more, check out [Ory Identities](https://www.ory.com/identity-authentication) first!
+more, check out [Ory Identities](https://www.ory.com/docs/identities) first!
 
 :::
 

@@ -16,8 +16,9 @@ Network.
 Before you start, prepare your environment:
 
 - [Install Ory CLI](../../guides/cli/installation).
-- Create an account and project in the Ory Network. Use [Ory CLI](../../guides/cli/05_cli-basics.mdx#create-ory-cloud-project) or
-  go to the [Ory Console](https://console.ory.sh/).
+- Create an account and project in the Ory Network. Use
+  [Ory CLI](../../guides/cli/05_cli-basics.mdx#create-a-new-workspace-and-project) or go to the
+  [Ory Console](https://console.ory.sh/).
 - [Create an API Key](../../concepts/personal-access-token.mdx) and save it in a safe place for later use.
 
 ## Create OAuth2 client in Ory Network

@@ -204,7 +204,7 @@ import dynamicCreateTs from '!!raw-loader!../../../code-examples/sdk/typescript/
 </TabItem>
 <TabItem value="rest" label="REST API">
 
-See [API documentation](../../reference/api#tag/oAuth2/operation/createOidcDynamicClient).
+See [API documentation](../../reference/api#tag/oidc/operation/createOidcDynamicClient).
 
 </TabItem>
 </Tabs>
@@ -230,7 +230,7 @@ import dynamicGetTs from '!!raw-loader!../../../code-examples/sdk/typescript/src
 </TabItem>
 <TabItem value="rest" label="REST API">
 
-See [API documentation](../../reference/api#tag/oAuth2/operation/getOidcDynamicClient).
+See [API documentation](../../reference/api#tag/oidc/operation/getOidcDynamicClient).
 
 </TabItem>
 </Tabs>
@@ -254,7 +254,7 @@ import dynamicUpdateTs from '!!raw-loader!../../../code-examples/sdk/typescript/
 </TabItem>
 <TabItem value="rest" label="REST API">
 
-See [API documentation](../../reference/api#tag/oAuth2/operation/setOidcDynamicClient).
+See [API documentation](../../reference/api#tag/oidc/operation/setOidcDynamicClient).
 
 </TabItem>
 </Tabs>
@@ -278,7 +278,7 @@ import dynamicDeleteTs from '!!raw-loader!../../../code-examples/sdk/typescript/
 </TabItem>
 <TabItem value="rest" label="REST API">
 
-See` [API documentation](../../reference/api#tag/oAuth2/operation/deleteOidcDynamicClient).
+See` [API documentation](../../reference/api#tag/oidc/operation/deleteOidcDynamicClient).
 
 </TabItem>
 </Tabs>

@@ -123,8 +123,8 @@ Ory will perform a POST request with a JSON payload towards your endpoint.
 ```
 
 `session` represents the OAuth2 session, along with the data that was passed to the
-[Accept Consent Request](../../hydra/reference/api#operation/acceptConsentRequest) in the `id_token` field (only applicable to
-Authorization code flows).
+[Accept Consent Request](../../hydra/reference/api#tag/oAuth2/operation/acceptOAuth2ConsentRequest) in the `id_token` field (only
+applicable to Authorization code flows).
 
 `request` contains information from the OAuth client's request to the token endpoint.
 
@@ -215,7 +215,7 @@ You cannot override the token subject.
 By default, all custom claims are mirrored under the `ext` claim in the token.
 
 To flatten custom claims directly into the top level token instead of nesting them under `ext`, use the following
-[configuration](../../oauth2-oidc/jwt-access-token#adding-custom-claims-to-top-level).
+[configuration](../../oauth2-oidc/jwt-access-token.mdx#add-custom-claims-to-top-level).
 
 ### Refresh token
 

@@ -257,103 +257,3 @@ func main() {
 
 }
 ```
-
-### Fake TLS termination
-
-You can set Ory Hydra to HTTPS mode without actually accepting TLS connections, visit the
-[Preparing for Production](../../hydra/self-hosted/production#tls-termination) document to learn more. The following code example
-shows how to configure Ory Hydra to fake a TLS termination:
-
-```go
-package main
-
-import (
-  "context"
-  "fmt"
-  "net/http"
-
-  client "github.com/ory/hydra-client-go"
-)
-
-func main() {
-
-  tlsTermClient := new(http.Client)
-  rt := WithHeader(tlsTermClient.Transport)
-  rt.Set("X-Forwarded-Proto", "https")
-  tlsTermClient.Transport = rt
-
-  config := client.NewConfiguration()
-  config.Servers = []client.ServerConfiguration{
-    {
-      URL: "https://hydra.localhost:4444", // Public API URL
-    },
-  }
-  config.HTTPClient = tlsTermClient
-  c := client.NewAPIClient(config)
-  fmt.Println(c.PublicApi.RevokeOAuth2Token(context.Background()).Token("some_token").Execute())
-
-  // ...
-}
-
-type withHeader struct {
-  http.Header
-  rt http.RoundTripper
-}
-
-func WithHeader(rt http.RoundTripper) withHeader {
-  if rt == nil {
-    rt = http.DefaultTransport
-  }
-
-  return withHeader{Header: make(http.Header), rt: rt}
-}
-
-func (h withHeader) RoundTrip(req *http.Request) (*http.Response, error) {
-  for k, v := range h.Header {
-    req.Header[k] = v
-  }
-
-  return h.rt.RoundTrip(req)
-}
-
-```
-
-### Skip TLS verification
-
-When using self-signed certificates we need to skip the TLS verification and accept all certificates. In production deployments,
-you would use a certificate signed by a trusted CA. The following code example shows how to configure Ory Hydra to skip the TLS
-verification:
-
-```go
-package main
-
-import (
-  "context"
-  "crypto/tls"
-  "fmt"
-  "net/http"
-
-  client "github.com/ory/hydra-client-go"
-)
-
-func main() {
-  skipTLSClient := &http.Client{
-    Transport: &http.Transport{
-      TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-    },
-    Timeout: 10,
-  }
-  config := client.NewConfiguration()
-  config.Servers = []client.ServerConfiguration{
-    {
-      URL: "https://hydra.localhost:4444", // Public API URL
-    },
-  }
-  config.HTTPClient = skipTLSClient
-  c := client.NewAPIClient(config)
-  fmt.Println(c.PublicApi.RevokeOAuth2Token(context.Background()).Token("some_token").Execute())
-
-  // ...
-}
-
-```
@@ -236,7 +236,7 @@ If the address is malformed, or well-formed but not registered as a recovery add
   probing the system to discover which addresses are registered.
 - If the address is a valid email address but not registered as a recovery address for this user, and the configuration value
   `selfservice.flows.recovery.notify_unknown_recipients` is enabled, an email will be sent to this address with this wording (this
-  can be [customized](../../kratos/emails-sms/sending-emails-smtp#send-emails-using-an-http-server)):
+  can be [customized](../../kratos/emails-sms/05_custom-email-templates.mdx)):
   > Hi,
   >
   > you (or someone else) entered this email address when trying to recover access to an account.

@@ -65,7 +65,7 @@ ory patch identity-config {your-project-id} \
 
 Identity schemas are immutable to prevent inconsistencies in the data. This means, that you cannot update an existing schema.
 However, you can use the existing schema as a template to create a new schema. Simply follow the steps in
-[Creating custom schemas](#creating-custom-schemas) and select the current schema as a template.
+[Create custom schema](#create-custom-schema) and select the current schema as a template.
 
 It's recommended to manage identity schemas in version control. Learn more about
 [managing Ory Network configuration in git](../../guides/gitops).

@@ -67,6 +67,6 @@ tcp/22#access@c5b6454f-f79c-4a6d-9e1b-b44e04b56009
 ```
 
 The application must map every incoming request to a subject string that represents the attributes of the request. Ory Permissions
-replies with a positive [check response](./25_api-overview.mdx#check-relation-tuple) depending on the string equality of the
+replies with a positive [check response](./25_api-overview.mdx#check-relationships) depending on the string equality of the
 requested subject representing the attributes with the known relationships. Ory Permissions doesn't know how to interpret any
 information stored in relationships. The application must pre-process and map the value to the corresponding UUID.
@@ -27,7 +27,7 @@ ec788a82-a12e-45a4-b906-3e69f78c94e4#owner@demeter
 To prepare for an important meeting with the user `athena`, `demeter` wants to share the file with fertile grounds with `athena`
 so that they can both read it. Therefore, he opens the "Olymp Library" and is presented with a list of all files he owns. The
 application will internally request all [objects](../concepts/10_objects.mdx) (file IDs) with the owner `demeter` by using the
-[list-API](../concepts/25_api-overview.mdx#list-relation-tuples). The response will contain the object
+[list-API](../concepts/25_api-overview.mdx#list-relationships). The response will contain the object
 `ec788a82-a12e-45a4-b906-3e69f78c94e4`, which the application maps to the file in question.
 
 The user `demeter` will then ask the application to share the file with `athena`. The application will translate that request into
@@ -57,7 +57,7 @@ which returns the expansion tree
 The "Olymp Library" can then display this information to `demeter`.
 
 When `athena` wants to get the file containing fertile grounds, the application uses the
-[check-API](../concepts/25_api-overview.mdx#check-relation-tuple) to verify that `athena` has access to the file before it returns
+[check-API](../concepts/25_api-overview.mdx#check-relationships) to verify that `athena` has access to the file before it returns
 the file. This will allow `demeter` to revoke `athena`'s access at any point by deleting the corresponding relationship.
 
 This diagram illustrates the relationships in this example:

@@ -91,7 +91,7 @@ keto check "*" view videos /cats/2.mp4
 We already discussed that this request should be denied, but it's always good to see this in action.
 
 Now `cat lady` wants to change some view permissions of `/cats/1.mp4`. For this, the video service application has to show all
-users that are allowed to view the video. It uses Keto's [expand-API](./concepts/25_api-overview.mdx#expand-subject-set) to get
+users that are allowed to view the video. It uses Keto's [expand-API](./concepts/25_api-overview.mdx#expand-subject-sets) to get
 these data:
 
 ```shell

@@ -13,7 +13,7 @@ Configuration URL, go to <ConsoleLink route="project.settings" />, and copy the
 
 :::
 
-By default, self-service flows use [Ory Account Experience](./01_overview.mdx#why-should-i-use-ory-account-experience). In the
+By default, self-service flows use [Ory Account Experience](./01_overview.mdx#when-to-use-the-ory-account-experience). In the
 default setup, the system uses relative paths to point to the appropriate UI for every screen. The relative links that point to
 the Ory Account Experience follow the `/ui/{flow_name}` format.
 

@@ -441,7 +441,7 @@ Bitte geben Sie den folgenden Code ein, um Ihr Konto wiederherzustellen:
 :::tip
 
 You can use Sprig functions in the nested templates. For security reasons, some functions are disabled in the Ory Network.
-[Click here to see the list of disabled functions.](#spring-disabled)
+[See the list of disabled functions here.](#creating-templates)
 
 :::
 

@@ -230,7 +230,7 @@ authenticators:
 
 #### Allowed Authorizer
 
-The [Allowed Authenticator](../../oathkeeper/pipeline/authz#allowed) simply allows all users to access the URL. Since we don't
+The [Allowed Authenticator](../../oathkeeper/pipeline/authz.md#allow) simply allows all users to access the URL. Since we don't
 have Role-based access control (RBAC) or an Access Control list (ACL) in place for this example, this will be enough.
 
 ```yaml title="contrib/quickstart/oathkeeper/oathkeeper.yml"

@@ -1016,7 +1016,7 @@ log in.
 
 The email address however represents a unique identifier and personally identifiable information (PII). An attacker could for
 example check if the email address `john.doe@gmail.com` is registered at for example an adult website and use that information for
-blackmail (see [Account Enumeration Attacks](../concepts/security.mdx#account-enumeration-attacks)).
+blackmail.
 
 The same considerations apply to using a phone number as the primary registration & login identifier.
 

@@ -164,8 +164,8 @@ address the user provides when registering their account. Other fields inside th
 phone number to receive the code via an SMS.
 
 If a user has multiple recovery addresses and the `choose_recovery_address` feature flag is
-[enabled](../../../identities/get-started/account-recovery.mdx#enable-the-feature-flag-choose_recovery_address-unlocks-sending-a-recovery-code-via-sms),
-the process is as follows:
+[enabled](../../../identities/get-started/account-recovery.mdx#enable-users-to-choose-email-or-sms-recovery-method), the process
+is as follows:
 
 1. The user enters any of their registered addresses to begin the recovery flow.
 1. A masked list of their recovery addresses is displayed. Up to 10 addresses are shown.

@@ -443,12 +443,12 @@ import CodeLinkComparison from "./_common/code-link-comparison.mdx"
 ## Showing the verification flow after settings, registration or login
 
 To show the verification flow directly after the user has registered, see the
-[registration documentation](../../../identities/sign-in/actions.mdx#show-verification-after-successful-registration).
+[registration documentation](../../../actions/require-verified-address.mdx#verification-on-sign-up).
 
-For settings, see the [settings documentation](./user-settings.mdx#show-verification-after-updating-a-verifiable-address).
+For settings, see the [settings documentation](user-settings.mdx#show-verification-form-after-updating-a-verifiable-address).
 
 And for login, see the
-[login customization documentation](../../../identities/sign-in/actions.mdx#show-verification-after-login-if-address-is-not-verified-yet).
+[login customization documentation](../../../actions/require-verified-address.mdx#require-verification-on-login).
 
 ## Code examples
-Original file line number
+Diff line change
@@ Expand Up @@
     :::tip
     You can use Sprig functions in the nested templates. For security reasons, some functions are disabled in the Ory Network.
-    [Click here to see the list of disabled functions.](#spring-disabled)
+    [See the list of disabled functions here.](#creating-templates)
     :::
@@ Expand Down @@