ory · aeneasr · Feb 16, 2022 · Feb 11, 2022 · Feb 11, 2022 · Feb 14, 2022
diff --git a/docs/docs/self-service.mdx b/docs/docs/self-service.mdx
@@ -151,7 +151,7 @@ import DomainWarning from '@theme/DomainWarning'
 
 <DomainWarning />
 
-Once stored, the Browser is HTTP 302 redirected to the flow's configured UI URL
+Once stored, the Browser is HTTP 303 redirected to the flow's configured UI URL
 (e.g. `selfservice.flows.login.ui_url`), appending the flow ID as the `flow` URL
 Query Parameter. Also included are HTTP cookies such as Anti-CSRF cookies.
 
@@ -429,8 +429,8 @@ requests.
 
 :::info
 
-Ory Kratos and your UI must be on the hosted on same top level domain! You can
-not host Ory Kratos and your UI on separate top level domains:
+Ory Kratos and your UI must be hosted on the same top level domain! You can not
+host Ory Kratos and your UI on separate top level domains:
 
 - `kratos.bar.com` and `ui.bar.com` will work;
 - `kratos.bar.com` and `bar.com` will work;

diff --git a/docs/docs/self-service/flows/account-recovery.mdx b/docs/docs/self-service/flows/account-recovery.mdx
@@ -277,7 +277,7 @@ $ curl -s -i -X GET \
     -H "Accept: text/html" \
     https://playground.projects.oryapis.com/api/kratos/public/self-service/recovery/browser
 
-HTTP/2 302
+HTTP/2 303
 date: Fri, 09 Jul 2021 12:50:38 GMT
 content-type: text/html; charset=utf-8
 content-length: 120
@@ -291,7 +291,7 @@ strict-transport-security: max-age=15724800; includeSubDomains
 <a href="https://playground.projects.oryapis.com/hosted/recovery?flow=33964b22-c364-4217-b6fc-5f381d142d65">Found</a>.
 ```
 
-The server responds with a HTTP 302 redirect to the Recovery UI, appending the
+The server responds with a HTTP 303 redirect to the Recovery UI, appending the
 `?flow=<flow-id>` query parameter (see the curl example) to the URL configured
 here:
 
@@ -540,7 +540,7 @@ $ curl -H "Accept: application/json" -s \
 
 The form payloads are then submitted to Ory Kratos which follows up with:
 
-- An HTTP 302 Found redirect pointing to the Registration UI for Browser
+- An HTTP 303 See Other redirect pointing to the Registration UI for Browser
   Clients;
 - An `application/json` response for API Clients and Client-Side Browser
   applications (e.g. Single Page Apps).
@@ -552,9 +552,9 @@ validation errors such as a malformed email:
 
 <CodeTabs items={getFlowMethodLinkWithErrors} />
 
-When validation errors happen, browser clients receive a HTTP 302 Found redirect
-to the Recovery Flow UI, containing the Recovery Flow ID which includes the
-error payloads.
+When validation errors happen, browser clients receive a HTTP 303 See Other
+redirect to the Recovery Flow UI, containing the Recovery Flow ID which includes
+the error payloads.
 
 For API Clients, the server typically responds with HTTP 400 Bad Request and the
 Recovery Flow in the response payload as JSON.
@@ -568,7 +568,7 @@ On successful submission, an email will be sent to the provided address:
 ## Unsuccessful Recovery
 
 If the recovery challenge (e.g. the link in the recovery email) is invalid or
-expired, the user will be HTTP 302 redirected to the Recovery UI.
+expired, the user will be HTTP 303 redirected to the Recovery UI.
 
 :::note
 
@@ -586,7 +586,7 @@ Please keep in mind that this part of the flow always involves a Browser!
 
 ## Successful Recovery
 
-Completing account recovery always results in a HTTP 302 redirect with a Ory
+Completing account recovery always results in a HTTP 303 redirect with a Ory
 Kratos Login Session Cookie to the Settings UI with a Settings Flow prompting
 the user to update their password or credentials:
 

diff --git a/docs/docs/self-service/flows/user-login.mdx b/docs/docs/self-service/flows/user-login.mdx
@@ -131,7 +131,7 @@ strict-transport-security: max-age=15724800; includeSubDomains
 <a href="https://playground.projects.oryapis.com/hosted/login?flow=3fc63726-8461-43f4-974a-5579ff4174f1">See Other</a>.
 ```
 
-The server responds with a HTTP 302 redirect to the Login UI, appending the
+The server responds with a HTTP 303 redirect to the Login UI, appending the
 `?flow=<flow-id>` query parameter (see the curl example) to the URL configured
 here:
 
@@ -476,7 +476,7 @@ $ curl -H "Accept: application/json" -s \
 
 The form payloads are then submitted to Ory Kratos which follows up with:
 
-- An HTTP 302 Found redirect pointing to the Login UI for Browser Clients;
+- An HTTP 303 See Other redirect pointing to the Login UI for Browser Clients;
 - An `application/json` response for API Clients and Client-Side Browser
   applications (e.g. Single Page Apps).
 
@@ -488,9 +488,9 @@ missing identifier or password, or invalid credentials:
 
 <CodeTabs items={getFlowMethodPasswordWithErrors} />
 
-When validation errors happen, browser clients receive a HTTP 302 Found redirect
-to the Login Flow UI, containing the Login Flow ID which includes the error
-payloads.
+When validation errors happen, browser clients receive a HTTP 303 See Other
+redirect to the Login Flow UI, containing the Login Flow ID which includes the
+error payloads.
 
 For API Clients, the server typically responds with HTTP 400 Bad Request and the
 Login Flow in the response payload as JSON.
@@ -519,14 +519,14 @@ Completing the login behaves differently for Browser and API Clients.
 
 ### Server-Side Browser Clients
 
-When the login is completed successfully, Ory Kratos responds with a HTTP 302
+When the login is completed successfully, Ory Kratos responds with a HTTP 303
 Redirect to the
 [configured redirect URL](../../concepts/browser-redirect-flow-completion).
-Alongside the HTTP 302 Redirect is a `Set-Cookie` header which contains the Ory
+Alongside the HTTP 303 Redirect is a `Set-Cookie` header which contains the Ory
 Kratos Login Session Cookie:
 
 ```
-HTTP/1.1 302 Found
+HTTP/1.1 303 See Other
 Cache-Control: 0
 Location: http://127.0.0.1:4455/
 Set-Cookie: csrf_token=b8OebRPTPr5ow23mA5gIZmFNLeuMbv8pZz1jT1Ex7ys=; Path=/; Domain=127.0.0.1; Max-Age=31536000; HttpOnly

diff --git a/docs/docs/self-service/flows/user-registration.mdx b/docs/docs/self-service/flows/user-registration.mdx
@@ -110,7 +110,7 @@ Kratos, your Registration UI, and the end-user's browser:
 
 <SelfServiceBrowserFlow
   flows={['registration']}
-  success="User created and successful HTTP 302 redirect"
+  success="User created and successful HTTP 303 redirect"
   interactions={['"Sign up"']}
 />
 
@@ -136,7 +136,7 @@ strict-transport-security: max-age=15724800; includeSubDomains
 <a href="https://playground.projects.oryapis.com/hosted/registration?flow=6c2ae96c-8486-42f0-91f9-f654eccd09fb">See Other</a>.
 ```
 
-The server responds with a HTTP 302 redirect to the Registration UI, appending
+The server responds with a HTTP 303 redirect to the Registration UI, appending
 the `?flow=<flow-id>` query parameter (see the curl example) to the configured
 registration URL.
 
@@ -541,7 +541,7 @@ $ curl -H "Accept: application/json" -s \
 
 The form payloads are then submitted to Ory Kratos which follows up with:
 
-- An HTTP 302 Found redirect pointing to the Registration UI for Browser
+- An HTTP 303 Found redirect pointing to the Registration UI for Browser
   Clients;
 - An `application/json` response for API Clients and Client-Side Browser
   applications (e.g. Single Page Apps).
@@ -590,9 +590,9 @@ validation errors:
 
 <CodeTabs items={getFlowMethodPasswordWithErrors} />
 
-When validation errors happen, browser clients receive a HTTP 302 Found redirect
-to the Registration Flow UI, containing the Registration Flow ID which includes
-the error payloads.
+When validation errors happen, browser clients receive a HTTP 303 See Other
+redirect to the Registration Flow UI, containing the Registration Flow ID which
+includes the error payloads.
 
 For API Clients, the server typically responds with HTTP 400 Bad Request and the
 Registration Flow in the response payload as JSON.
@@ -701,17 +701,17 @@ typically not an issue if you follow the guidelines in the
 ### Server-Side Browser Clients
 
 When the registration is completed successfully, Ory Kratos responds with a HTTP
-302 Redirect to the
+303 Redirect to the
 [configured redirect URL](../../concepts/browser-redirect-flow-completion.mdx).
 
 #### With Auto-Login on Registration
 
 If the `session` after hook is enabled, a `Set-Cookie` HTTP Header is set
-alongside the HTTP 302 redirect which contains the Ory Kratos Login Session
+alongside the HTTP 303 redirect which contains the Ory Kratos Login Session
 Cookie:
 
 ```
-HTTP/1.1 302 Found
+HTTP/1.1 303 SeeOther
 Cache-Control: 0
 Location: http://127.0.0.1:4455/
 Set-Cookie: csrf_token=b8OebRPTPr5ow23mA5gIZmFNLeuMbv8pZz1jT1Ex7ys=; Path=/; Domain=127.0.0.1; Max-Age=31536000; HttpOnly
@@ -804,11 +804,11 @@ When the registration is completed successfully, Ory Kratos responds with a HTTP
 #### With Auto-Login on Registration
 
 If the `session` after hook is enabled, a `Set-Cookie` HTTP Header is set
-alongside the HTTP 302 redirect which contains the Ory Kratos Login Session
+alongside the HTTP 303 redirect which contains the Ory Kratos Login Session
 Cookie:
 
 ```
-HTTP/1.1 302 Found
+HTTP/1.1 303 Found
 Cache-Control: 0
 Location: http://127.0.0.1:4455/
 Set-Cookie: csrf_token=b8OebRPTPr5ow23mA5gIZmFNLeuMbv8pZz1jT1Ex7ys=; Path=/; Domain=127.0.0.1; Max-Age=31536000; HttpOnly

diff --git a/docs/docs/self-service/flows/user-settings.mdx b/docs/docs/self-service/flows/user-settings.mdx
@@ -220,7 +220,7 @@ Kratos, your Settings UI, and the end-user's browser:
 
 <SelfServiceBrowserFlow
   flows={['settings']}
-  success="Identity Updated and HTTP 302 redirect to Success Flow"
+  success="Identity Updated and HTTP 303 redirect to Success Flow"
   interactions={['"Save Profile Changes"']}
 />
 
@@ -262,7 +262,7 @@ $ curl -s -i -X GET \
     -H "Accept: text/html" \
     https://playground.projects.oryapis.com/api/kratos/public/self-service/settings/browser
 
-HTTP/2 302
+HTTP/2 303
 date: Fri, 09 Jul 2021 11:07:48 GMT
 content-type: text/html; charset=utf-8
 content-length: 120
@@ -275,7 +275,7 @@ strict-transport-security: max-age=15724800; includeSubDomains
 <a href="https://playground.projects.oryapis.com/hosted/settings?flow=95efce11-0bd2-4f55-abce-180ced8b69d7">Found</a>.
 ```
 
-The server responds with a HTTP 302 redirect to the Settings UI, appending the
+The server responds with a HTTP 303 redirect to the Settings UI, appending the
 `?flow=<flow-id>` query parameter (see the curl example) to the configured
 settings URL.
 
@@ -647,15 +647,15 @@ a future version, which is partially tracked as
 
 The form payloads are then submitted to Ory Kratos which follows up with:
 
-- An HTTP 302 Found redirect pointing to the Registration UI for Browser
+- An HTTP 303 See Other redirect pointing to the Registration UI for Browser
   Clients;
 - An `application/json` response for API Clients and Client-Side Browser
   applications (e.g. Single Page Apps).
 
-When validation errors happen, browser clients receive a HTTP 302 Found redirect
-to the Settings Flow UI, containing the Settings Flow ID which includes the
-error payloads. For API Clients, the server typically responds with HTTP 400 Bad
-Request `application/json` and the Settings Flow in the response payload as
+When validation errors happen, browser clients receive a HTTP 303 See Other
+redirect to the Settings Flow UI, containing the Settings Flow ID which includes
+the error payloads. For API Clients, the server typically responds with HTTP 400
+Bad Request `application/json` and the Settings Flow in the response payload as
 JSON.
 
 ### Update Profile
@@ -692,7 +692,7 @@ Completing the settings update behaves differently for Browser and API Clients.
 ### Server-Side Browser Clients
 
 When the profile update is completed successfully, Ory Kratos responds with a
-HTTP 302 Redirect to the Settings UI which now contains the success state
+HTTP 303 Redirect to the Settings UI which now contains the success state
 (`state: success`) as well as the updated identity:
 
 ```shell-session

diff --git a/docs/docs/self-service/flows/verify-email-account-activation.mdx b/docs/docs/self-service/flows/verify-email-account-activation.mdx
@@ -254,7 +254,7 @@ $ curl -s -i -X GET \
     -H "Accept: text/html" \
     https://playground.projects.oryapis.com/api/kratos/public/self-service/verification/browser
 
-HTTP/2 302
+HTTP/2 303
 date: Fri, 09 Jul 2021 13:08:00 GMT
 content-type: text/html; charset=utf-8
 content-length: 124
@@ -268,7 +268,7 @@ strict-transport-security: max-age=15724800; includeSubDomains
 <a href="https://playground.projects.oryapis.com/hosted/verification?flow=ba66958a-5f15-4b8f-88f9-52b35020db5c">Found</a>.
 ```
 
-The server responds with a HTTP 302 redirect to the Verification UI, appending
+The server responds with a HTTP 303 redirect to the Verification UI, appending
 the `?flow=<flow-id>` query parameter (see the curl example) to the URL
 configured here:
 
@@ -562,7 +562,7 @@ $ curl -H "Accept: application/json" -s \
 
 The form payloads are then submitted to Ory Kratos which follows up with:
 
-- An HTTP 302 Found redirect pointing to the Registration UI for Browser
+- An HTTP 303 See Other redirect pointing to the Registration UI for Browser
   Clients;
 - An `application/json` response for API Clients and Client-Side Browser
   applications (e.g. Single Page Apps).
@@ -574,9 +574,9 @@ validation errors such as a malformed email:
 
 <CodeTabs items={getFlowMethodLinkWithErrors} />
 
-When validation errors happen, browser clients receive a HTTP 302 Found redirect
-to the Verification Flow UI, containing the Verification Flow ID which includes
-the error payloads.
+When validation errors happen, browser clients receive a HTTP 303 See Other
+redirect to the Verification Flow UI, containing the Verification Flow ID which
+includes the error payloads.
 
 For API Clients, the server typically responds with HTTP 400 Bad Request and the
 Verification Flow in the response payload as JSON.
@@ -590,7 +590,7 @@ On successful submission, an email will be sent to the provided address:
 ## Unsuccessful Verification
 
 If the verification challenge (e.g. the link in the verification email) is
-invalid or expired, the user will be HTTP 302 redirected to the Verification UI.
+invalid or expired, the user will be HTTP 303 redirected to the Verification UI.
 
 :::note
 

diff --git a/docs/src/theme/SelfServiceBrowserFlow.js b/docs/src/theme/SelfServiceBrowserFlow.js
@@ -17,7 +17,7 @@ sequenceDiagram
 
   B->>K: Follow link to /self-service/${components}/browser
   K-->>K: Create and store new ${flows.join(', ')} flow
-  K->>B: HTTP 302 Found <selfservice.flows.${components}.ui_url>?flow=<flow-id>
+  K->>B: HTTP 303 See Other <selfservice.flows.${components}.ui_url>?flow=<flow-id>
 
   B->>A: Opens <selfservice.flows.<${flows.join('|')}>.ui_url>?flow=<flow-id>
   A-->>K: Fetches data to render forms using /selfservice/${components}/flows?id=<flow-id>
@@ -29,7 +29,7 @@ sequenceDiagram
     K->>B: ${success}
   else Form payload invalid
     K-->>K: Update and store flow (e.g. add form validation errors)
-    K-->>B: HTTP 302 Found <selfservice.flows.${components}.ui_url>?flow=<flow-id>
+    K-->>B: HTTP 303 See Other <selfservice.flows.${components}.ui_url>?flow=<flow-id>
     B->>A: Opens <selfservice.flows.${components}?flow=<flow-id>
     A-->>K: Fetches data to render form fields and errors
     B->>K: Repeat flow with input data, submit, validate, ...