---
id: credentials
title: Credentials
---

Each identity has one or more credentials associated with it:

```yaml
credentials:
  password:
    id: password
    identifiers:
      - john.doe@acme.com
      - johnd@ory.com
    config:
      hashed_password: ...
  oidc:
    id: oidc
    identifiers:
      - google:j8kf7a3...
      - facebook:83475891...
    config:
      - provider: google
        identifier: j8kf7a3
      - provider: facebook
        identifier: 83475891
```

Ory Kratos supports several credential types:

- `password`: The most common credential type, combining an identifier (username, email, ...) with a password.
- `passkey`: Passkeys use WebAuthn standards for secure, user-friendly, and cryptographic passwordless authentication.
- `code`: The "Log in via email or SMS" credential using a one-time code.
- `oidc`: The "Log in with Google/Facebook/GitHub/..." credential using OpenID Connect.
- `saml`: A standard for exchanging auth data between parties, often used for B2B SSO.
- `webauthn`: The same technology as Passkeys used as a second factor.
- `totp`: Time-based one-time passwords generated by authenticator apps, used as a second factor.
- `lookup_secret`: One-time codes used as a recovery mechanism for 2FA when the primary second factor is unavailable.

Each credential - regardless of its type - has one or more identifiers attached to it. Each identifier is universally unique.
Assuming we had one identity with credentials

```yaml
credentials:
  password:
    id: password
    identifiers:
      - john.doe@acme.com
```

and tried to create (or update) another identity with the same identifier (`john.doe@acme.com`), the system would reject the
request with a 409 Conflict status.

While identifiers must be unique per credential type, the same identifier can appear under multiple types:

```yaml
# This is ok:
credentials:
  password:
    id: password
    identifiers:
      - john.doe@acme.com
  oidc:
    id: oidc
    identifiers:
      - john.doe@acme.com
```

The same would apply if those were two separate identities:

```yaml
# Identity 1
credentials:
  password:
    id: password
    identifiers:
      - john.doe@acme.com
---
# Identity 2
credentials:
  oidc:
    id: oidc
    identifiers:
      - john.doe@acme.com
```
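
The uniqueness rule above can be modelled as an index keyed by credential type and identifier. The following is an added example, not Ory Kratos code: `IdentityStore`, `upsert`, and the identity IDs are hypothetical names, identifiers are compared as exact strings, and an update is assumed to replace the identity's previous identifiers.

```python
HTTP_CONFLICT = 409  # status the page says a duplicate identifier produces


class IdentityStore:
    """Toy in-memory model of the uniqueness rule; not Ory Kratos code."""

    def __init__(self):
        self._owner = {}  # (credential type, identifier) -> identity id

    def upsert(self, identity_id, credentials):
        """Create or update an identity. Returns the colliding
        (type, identifier) pairs; an empty list means the write was accepted."""
        claims = {
            (ctype, identifier)
            for ctype, cred in credentials.items()
            for identifier in cred.get("identifiers", [])
        }
        collisions = sorted(
            c for c in claims if self._owner.get(c, identity_id) != identity_id
        )
        if collisions:
            return collisions  # rejected: nothing is written
        # Assumption: an update replaces the identity's previous identifiers.
        self._owner = {c: o for c, o in self._owner.items() if o != identity_id}
        self._owner.update({c: identity_id for c in claims})
        return []


def status(collisions):
    """Map a result from upsert() to "ok" or the 409 rejection."""
    return HTTP_CONFLICT if collisions else "ok"


# Constructed sample data mirroring the YAML examples above.
PASSWORD_JOHN = {"password": {"id": "password", "identifiers": ["john.doe@acme.com"]}}
OIDC_JOHN = {"oidc": {"id": "oidc", "identifiers": ["john.doe@acme.com"]}}


def demo():
    store = IdentityStore()
    return [
        status(store.upsert("identity-1", PASSWORD_JOHN)),  # first claim
        status(store.upsert("identity-2", PASSWORD_JOHN)),  # same type: rejected
        status(store.upsert("identity-2", OIDC_JOHN)),      # other type: accepted
        status(store.upsert("identity-1", PASSWORD_JOHN)),  # owner updates itself
    ]
```

Because the key includes the credential type, the same email can end up on two separate identities, one through `password` and one through `oidc`, exactly as in the last YAML example.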
