createBrowserSettingsFlow method

Create Settings Flow for Browsers This endpoint initializes a browser-based user settings flow. Once initialized, the browser will be redirected to `selfservice.flows.settings.ui_url` with the flow ID set as the query parameter `?flow=`. If no valid Ory Kratos Session Cookie is included in the request, a login flow will be initialized. If this endpoint is opened as a link in the browser, it will be redirected to `selfservice.flows.settings.ui_url` with the flow ID set as the query parameter `?flow=`. If no valid user session was set, the browser will be redirected to the login endpoint. If this endpoint is called via an AJAX request, the response contains the settings flow without any redirects or a 401 forbidden error if no valid session was set. Depending on your configuration this endpoint might return a 403 error if the session has a lower Authenticator Assurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn credentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user to sign in with the second factor (happens automatically for server-side browser flows) or change the configuration. If this endpoint is called via an AJAX request, the response contains the flow without a redirect. In the case of an error, the `` of the JSON response body can be one of: `security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred. `session_inactive`: No Ory Session was found - sign in a user first. `security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. Adjust this in the configuration! This endpoint is NOT INTENDED for clients that do not have a browser (Chrome, Firefox, ...) as cookies are needed. More information can be found at Ory Kratos User Settings & Profile Management Documentation.


  • returnTo - The URL to return the browser to after the flow was completed.
  • cookie - HTTP Cookies When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header sent by the client to your server here. This ensures that CSRF and session cookies are respected.
  • cancelToken - A CancelToken that can be used to cancel the operation
  • headers - Can be used to add additional headers to the request
  • extras - Can be used to add flags to the request
  • validateStatus - A ValidateStatus callback that can be used to determine request success based on the HTTP status of the response
  • onSendProgress - A ProgressCallback that can be used to get the send progress
  • onReceiveProgress - A ProgressCallback that can be used to get the receive progress

Returns a Future containing a Response with a SettingsFlow as data Throws DioError if API call or serialization fails


}) async {
  final _path = r'/self-service/settings/browser';
  final _options = Options(
    method: r'GET',
    headers: <String, dynamic>{
      if (cookie != null) r'Cookie': cookie,
    extra: <String, dynamic>{
      'secure': <Map<String, String>>[],
    validateStatus: validateStatus,

  final _queryParameters = <String, dynamic>{
    if (returnTo != null) r'return_to': encodeQueryParameter(_serializers, returnTo, const FullType(String)),

  final _response = await _dio.request<Object>(
    options: _options,
    queryParameters: _queryParameters,
    cancelToken: cancelToken,
    onSendProgress: onSendProgress,
    onReceiveProgress: onReceiveProgress,

  SettingsFlow? _responseData;

  try {
    final rawResponse =;
    _responseData = rawResponse == null ? null : _serializers.deserialize(
      specifiedType: const FullType(SettingsFlow),
    ) as SettingsFlow;

  } catch (error, stackTrace) {
    throw DioError(
      requestOptions: _response.requestOptions,
      response: _response,
      type: DioErrorType.unknown,
      error: error,
      stackTrace: stackTrace,

  return Response<SettingsFlow>(
    data: _responseData,
    headers: _response.headers,
    isRedirect: _response.isRedirect,
    requestOptions: _response.requestOptions,
    redirects: _response.redirects,
    statusCode: _response.statusCode,
    statusMessage: _response.statusMessage,
    extra: _response.extra,