Wikia · abador · Jan 15, 2026 · Jan 15, 2026 · Jan 15, 2026 · Jan 15, 2026
diff --git a/driver/config/stub/.kratos.courier.channels.yaml b/driver/config/stub/.kratos.courier.channels.yaml
@@ -4,7 +4,7 @@ courier:
   channels:
     - id: phone
       request_config:
-        url: https://ory.sh
+        url: https://ory.com
         method: GET
         body: base64://ZnVuY3Rpb24oY3R4KSB7CkJvZHk6IGN0eC5ib2R5LApUbzogY3R4LnRvLEZyb206IGN0eC5mcm9tCn0=
         headers:

diff --git a/selfservice/flow/login/flow_test.go b/selfservice/flow/login/flow_test.go
@@ -101,16 +101,16 @@ func TestNewFlow(t *testing.T) {
 			assert.EqualValues(t, r.IssuedAt, r.ExpiresAt)
 			assert.Equal(t, flow.TypeBrowser, r.Type)
 			assert.False(t, r.Refresh)
-			assert.Equal(t, "https://ory.sh/", r.RequestURL)
+			assert.Equal(t, "https://ory.com/", r.RequestURL)
 		})
 
 		t.Run("case=regular flow creation", func(t *testing.T) {
 			r, err := login.NewFlow(conf, 0, "csrf", &http.Request{
-				URL:  urlx.ParseOrPanic("https://ory.sh/"),
+				URL:  urlx.ParseOrPanic("https://ory.com/"),
 				Host: "ory.sh",
 			}, flow.TypeBrowser)
 			require.NoError(t, err)
-			assert.Equal(t, "https://ory.sh/", r.RequestURL)
+			assert.Equal(t, "https://ory.com/", r.RequestURL)
 		})
 	})
 
@@ -141,12 +141,12 @@ func TestNewFlow(t *testing.T) {
 	})
 
 	t.Run("should parse login_challenge when Hydra is configured", func(t *testing.T) {
-		_, err := login.NewFlow(conf, 0, "csrf", &http.Request{URL: urlx.ParseOrPanic("https://ory.sh/?login_challenge=badee1"), Host: "ory.sh"}, flow.TypeBrowser)
+		_, err := login.NewFlow(conf, 0, "csrf", &http.Request{URL: urlx.ParseOrPanic("https://ory.com/?login_challenge=badee1"), Host: "ory.sh"}, flow.TypeBrowser)
 		require.Error(t, err)
 
 		conf.MustSet(ctx, config.ViperKeyOAuth2ProviderURL, "https://hydra")
 
-		r, err := login.NewFlow(conf, 0, "csrf", &http.Request{URL: urlx.ParseOrPanic("https://ory.sh/?login_challenge=8aadcb8fc1334186a84c4da9813356d9"), Host: "ory.sh"}, flow.TypeBrowser)
+		r, err := login.NewFlow(conf, 0, "csrf", &http.Request{URL: urlx.ParseOrPanic("https://ory.com/?login_challenge=8aadcb8fc1334186a84c4da9813356d9"), Host: "ory.sh"}, flow.TypeBrowser)
 		require.NoError(t, err)
 		assert.Equal(t, "8aadcb8fc1334186a84c4da9813356d9", string(r.OAuth2LoginChallenge))
 	})

diff --git a/selfservice/flow/login/handler_test.go b/selfservice/flow/login/handler_test.go
@@ -372,7 +372,7 @@ func TestFlowLifecycle(t *testing.T) {
 
 			t.Run("type=browser", func(t *testing.T) {
 				_, res := run(t, flow.TypeBrowser, url.Values{"method": {"password"}})
-				assert.Contains(t, res.Request.URL.String(), "https://www.ory.sh")
+				assert.Contains(t, res.Request.URL.String(), "https://www.ory.com")
 			})
 		})
 
@@ -667,7 +667,7 @@ func TestFlowLifecycle(t *testing.T) {
 
 			t.Run("case=redirects if aal2 is requested and set up already without refresh", func(t *testing.T) {
 				res, _ := initAuthenticatedFlow(t, url.Values{"aal": {"aal2"}, "set_aal": {"aal2"}}, false)
-				assert.Contains(t, res.Request.URL.String(), "https://www.ory.sh")
+				assert.Contains(t, res.Request.URL.String(), "https://www.ory.com")
 			})
 
 			t.Run("case=can not request aal2 on unauthenticated request", func(t *testing.T) {
@@ -678,7 +678,7 @@ func TestFlowLifecycle(t *testing.T) {
 
 			t.Run("case=ignores aal1 if session has aal1 already", func(t *testing.T) {
 				res, _ := initAuthenticatedFlow(t, url.Values{"aal": {"aal1"}}, false)
-				assert.Contains(t, res.Request.URL.String(), "https://www.ory.sh")
+				assert.Contains(t, res.Request.URL.String(), "https://www.ory.com")
 			})
 
 			t.Run("case=aal0 is not a valid value", func(t *testing.T) {
@@ -707,12 +707,12 @@ func TestFlowLifecycle(t *testing.T) {
 
 			t.Run("case=does not set forced flag on authenticated request without refresh=true", func(t *testing.T) {
 				res, _ := initAuthenticatedFlow(t, url.Values{}, false)
-				assert.Contains(t, res.Request.URL.String(), "https://www.ory.sh")
+				assert.Contains(t, res.Request.URL.String(), "https://www.ory.com")
 			})
 
 			t.Run("case=does not set forced flag on authenticated request with refresh=false", func(t *testing.T) {
 				res, _ := initAuthenticatedFlow(t, url.Values{"refresh": {"false"}}, false)
-				assert.Contains(t, res.Request.URL.String(), "https://www.ory.sh")
+				assert.Contains(t, res.Request.URL.String(), "https://www.ory.com")
 			})
 
 			t.Run("case=does set forced flag on authenticated request with refresh=true", func(t *testing.T) {
@@ -748,7 +748,7 @@ func TestFlowLifecycle(t *testing.T) {
 			conf.MustSet(ctx, config.ViperKeyOAuth2ProviderURL, "https://fake-hydra")
 
 			t.Run("case=oauth2 flow init should override return_to to the oauth2 request_url", func(t *testing.T) {
-				conf.MustSet(ctx, config.ViperKeyURLsAllowedReturnToDomains, []string{"https://www.ory.sh", "https://example.com"})
+				conf.MustSet(ctx, config.ViperKeyURLsAllowedReturnToDomains, []string{"https://www.ory.com", "https://example.com"})
 				conf.MustSet(ctx, config.ViperKeyOAuth2ProviderOverrideReturnTo, true)
 
 				t.Cleanup(func() {
@@ -774,7 +774,7 @@ func TestFlowLifecycle(t *testing.T) {
 
 				require.NoError(t, res.Body.Close())
 
-				assert.Equal(t, "https://www.ory.sh", gjson.GetBytes(body, "return_to").Value())
+				assert.Equal(t, "https://www.ory.com", gjson.GetBytes(body, "return_to").Value())
 			})
 
 			t.Run("case=invalid oauth2 login challenge returns 400 Bad Request", func(t *testing.T) {
@@ -824,7 +824,7 @@ func TestGetFlow(t *testing.T) {
 			require.NoError(t, err)
 		}))
 		conf.MustSet(ctx, config.ViperKeySelfServiceLoginUI, ts.URL)
-		conf.MustSet(ctx, config.ViperKeySelfServiceBrowserDefaultReturnTo, "https://www.ory.sh")
+		conf.MustSet(ctx, config.ViperKeySelfServiceBrowserDefaultReturnTo, "https://www.ory.com")
 		t.Cleanup(ts.Close)
 		return ts
 	}
@@ -872,7 +872,7 @@ func TestGetFlow(t *testing.T) {
 	})
 
 	t.Run("case=expired with return_to", func(t *testing.T) {
-		returnTo := "https://www.ory.sh"
+		returnTo := "https://www.ory.com"
 		conf.MustSet(ctx, config.ViperKeyURLsAllowedReturnToDomains, []string{returnTo})
 
 		client := testhelpers.NewClientWithCookies(t)

diff --git a/selfservice/flow/registration/flow_test.go b/selfservice/flow/registration/flow_test.go
@@ -54,7 +54,7 @@ func TestNewFlow(t *testing.T) {
 		require.NoError(t, err)
 		assert.EqualValues(t, r.IssuedAt, r.ExpiresAt)
 		assert.Equal(t, flow.TypeBrowser, r.Type)
-		assert.Equal(t, "https://ory.sh/", r.RequestURL)
+		assert.Equal(t, "https://ory.com/", r.RequestURL)
 	})
 
 	t.Run("type=return_to", func(t *testing.T) {
@@ -78,20 +78,20 @@ func TestNewFlow(t *testing.T) {
 
 	t.Run("case=2", func(t *testing.T) {
 		r, err := registration.NewFlow(conf, 0, "csrf", &http.Request{
-			URL:  urlx.ParseOrPanic("https://ory.sh/"),
+			URL:  urlx.ParseOrPanic("https://ory.com/"),
 			Host: "ory.sh",
 		}, flow.TypeBrowser)
 		require.NoError(t, err)
-		assert.Equal(t, "https://ory.sh/", r.RequestURL)
+		assert.Equal(t, "https://ory.com/", r.RequestURL)
 	})
 
 	t.Run("should parse login_challenge when Hydra is configured", func(t *testing.T) {
-		_, err := registration.NewFlow(conf, 0, "csrf", &http.Request{URL: urlx.ParseOrPanic("https://ory.sh/?login_challenge=badee1"), Host: "ory.sh"}, flow.TypeBrowser)
+		_, err := registration.NewFlow(conf, 0, "csrf", &http.Request{URL: urlx.ParseOrPanic("https://ory.com/?login_challenge=badee1"), Host: "ory.sh"}, flow.TypeBrowser)
 		require.Error(t, err)
 
 		conf.MustSet(ctx, config.ViperKeyOAuth2ProviderURL, "https://hydra")
 
-		r, err := registration.NewFlow(conf, 0, "csrf", &http.Request{URL: urlx.ParseOrPanic("https://ory.sh/?login_challenge=8aadcb8fc1334186a84c4da9813356d9"), Host: "ory.sh"}, flow.TypeBrowser)
+		r, err := registration.NewFlow(conf, 0, "csrf", &http.Request{URL: urlx.ParseOrPanic("https://ory.com/?login_challenge=8aadcb8fc1334186a84c4da9813356d9"), Host: "ory.sh"}, flow.TypeBrowser)
 		require.NoError(t, err)
 		assert.Equal(t, "8aadcb8fc1334186a84c4da9813356d9", string(r.OAuth2LoginChallenge))
 	})

diff --git a/selfservice/flow/settings/flow_test.go b/selfservice/flow/settings/flow_test.go
@@ -57,7 +57,7 @@ func TestNewFlow(t *testing.T) {
 		require.NoError(t, err)
 		assert.Equal(t, r.IssuedAt, r.ExpiresAt)
 		assert.Equal(t, flow.TypeBrowser, r.Type)
-		assert.Equal(t, "https://ory.sh/", r.RequestURL)
+		assert.Equal(t, "https://ory.com/", r.RequestURL)
 	})
 
 	t.Run("type=return_to", func(t *testing.T) {
@@ -80,10 +80,10 @@ func TestNewFlow(t *testing.T) {
 
 	t.Run("case=2", func(t *testing.T) {
 		r, err := settings.NewFlow(conf, 0, &http.Request{
-			URL:  urlx.ParseOrPanic("https://ory.sh/"),
+			URL:  urlx.ParseOrPanic("https://ory.com/"),
 			Host: "ory.sh"}, id, flow.TypeBrowser)
 		require.NoError(t, err)
-		assert.Equal(t, "https://ory.sh/", r.RequestURL)
+		assert.Equal(t, "https://ory.com/", r.RequestURL)
 	})
 }
 

diff --git a/selfservice/flow/verification/flow_test.go b/selfservice/flow/verification/flow_test.go
@@ -145,9 +145,9 @@ func TestFromOldFlow(t *testing.T) {
 }
 
 func TestContinueURL(t *testing.T) {
-	const globalReturnTo = "https://ory.sh/global-return-to"
-	const localReturnTo = "https://ory.sh/local-return-to"
-	const flowReturnTo = "https://ory.sh/flow-return-to"
+	const globalReturnTo = "https://ory.com/global-return-to"
+	const localReturnTo = "https://ory.com/local-return-to"
+	const flowReturnTo = "https://ory.com/flow-return-to"
 
 	for _, tc := range []struct {
 		desc       string

diff --git a/selfservice/hook/web_hook_integration_test.go b/selfservice/hook/web_hook_integration_test.go
@@ -155,7 +155,7 @@ func TestWebHooks(t *testing.T) {
 						"Some-Cookie-2": "Some-other-Cookie-Value",
 						"Some-Cookie-3": "Third-Cookie-Value"
 					}
-				}`, f.GetID(), req.Method, "http://www.ory.sh/some_end_point")
+				}`, f.GetID(), req.Method, "http://www.ory.com/some_end_point")
 		if len(req.Header) != 0 {
 			if ua := req.Header.Get("User-Agent"); ua != "" {
 				body, _ = sjson.Set(body, "headers.User-Agent", []string{ua})
@@ -177,7 +177,7 @@ func TestWebHooks(t *testing.T) {
 						"Some-Cookie-3": "Third-Cookie-Value"
 					},
 					"transient_payload": %s
-				}`, f.GetID(), s.Identity.ID, req.Method, "http://www.ory.sh/some_end_point", string(tp))
+				}`, f.GetID(), s.Identity.ID, req.Method, "http://www.ory.com/some_end_point", string(tp))
 		if len(req.Header) != 0 {
 			if ua := req.Header.Get("User-Agent"); ua != "" {
 				body, _ = sjson.Set(body, "headers.User-Agent", []string{ua})
@@ -200,7 +200,7 @@ func TestWebHooks(t *testing.T) {
 						"Some-Cookie-3": "Third-Cookie-Value"
 					},
 					"transient_payload": %s
-				}`, f.GetID(), s.Identity.ID, s.ID, req.Method, "http://www.ory.sh/some_end_point", string(tp))
+				}`, f.GetID(), s.Identity.ID, s.ID, req.Method, "http://www.ory.com/some_end_point", string(tp))
 		if len(req.Header) != 0 {
 			if ua := req.Header.Get("User-Agent"); ua != "" {
 				body, _ = sjson.Set(body, "headers.User-Agent", []string{ua})

diff --git a/selfservice/strategy/oidc/provider_generic_test.go b/selfservice/strategy/oidc/provider_generic_test.go
@@ -53,12 +53,12 @@ func makeAuthCodeURL(t *testing.T, r *login.Flow, reg *driver.RegistryDefault) s
 func TestProviderGenericOIDC_AddAuthCodeURLOptions(t *testing.T) {
 	ctx := context.Background()
 	conf, reg := internal.NewFastRegistryWithMocks(t)
-	conf.MustSet(ctx, config.ViperKeyPublicBaseURL, "https://ory.sh")
+	conf.MustSet(ctx, config.ViperKeyPublicBaseURL, "https://ory.com")
 	t.Run("case=redirectURI is public base url", func(t *testing.T) {
 		r := &login.Flow{ID: x.NewUUID(), Refresh: true}
 		actual, err := url.ParseRequestURI(makeAuthCodeURL(t, r, reg))
 		require.NoError(t, err)
-		assert.Contains(t, actual.Query().Get("redirect_uri"), "https://ory.sh")
+		assert.Contains(t, actual.Query().Get("redirect_uri"), "https://ory.com")
 	})
 
 	t.Run("case=redirectURI is public base url", func(t *testing.T) {

diff --git a/selfservice/strategy/oidc/strategy_login.go b/selfservice/strategy/oidc/strategy_login.go
@@ -145,13 +145,19 @@ func (s *Strategy) processLogin(ctx context.Context, w http.ResponseWriter, r *h
 			registrationFlow.IDToken = loginFlow.IDToken
 			registrationFlow.RawIDTokenNonce = loginFlow.RawIDTokenNonce
 			registrationFlow.RequestURL, err = x.TakeOverReturnToParameter(loginFlow.RequestURL, registrationFlow.RequestURL)
-			registrationFlow.TransientPayload = loginFlow.TransientPayload
-			registrationFlow.Active = s.ID()
+			if err != nil {
+				return nil, s.handleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err)
+			}
 
+			// Add copied_from parameter to track flow conversion
+			registrationFlow.RequestURL, err = x.AddURLParameter(registrationFlow.RequestURL, "copied_from", "login")
 			if err != nil {
 				return nil, s.handleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err)
 			}
 
+			registrationFlow.TransientPayload = loginFlow.TransientPayload
+			registrationFlow.Active = s.ID()
+
 			if _, err := s.processRegistration(ctx, w, r, registrationFlow, token, claims, provider, container); err != nil {
 				return registrationFlow, err
 			}

diff --git a/selfservice/strategy/oidc/strategy_registration.go b/selfservice/strategy/oidc/strategy_registration.go
@@ -290,6 +290,13 @@ func (s *Strategy) registrationToLogin(ctx context.Context, w http.ResponseWrite
 	if err != nil {
 		return nil, err
 	}
+
+	// Add copied_from parameter to track flow conversion
+	lf.RequestURL, err = x.AddURLParameter(lf.RequestURL, "copied_from", "registration")
+	if err != nil {
+		return nil, err
+	}
+
 	lf.TransientPayload = rf.TransientPayload
 	lf.Active = s.ID()
 

diff --git a/test/e2e/cypress/integration/profiles/email/registration/errors.spec.ts b/test/e2e/cypress/integration/profiles/email/registration/errors.spec.ts
@@ -37,7 +37,7 @@ describe("Registration failures with email profile", () => {
 
       it("fails when CSRF cookies are missing", () => {
         cy.get(`${appPrefix(app)} input[name="traits.website"]`).type(
-          "https://www.ory.sh",
+          "http://www.ory.com",
         )
         cy.get('input[name="traits.email"]')
           .type(identity)
@@ -58,7 +58,7 @@ describe("Registration failures with email profile", () => {
 
       describe("show errors when invalid signup data is used", () => {
         it("should show an error when the password has leaked before", () => {
-          cy.get('input[name="traits.website"]').type("https://www.ory.sh")
+          cy.get('input[name="traits.website"]').type("http://www.ory.com")
           cy.get('input[name="traits.email"]')
             .type(identity)
             .should("have.value", identity)
@@ -74,7 +74,7 @@ describe("Registration failures with email profile", () => {
         })
 
         it("should show an error when the password is too similar", () => {
-          cy.get('input[name="traits.website"]').type("https://www.ory.sh")
+          cy.get('input[name="traits.website"]').type("http://www.ory.com")
           cy.get('input[name="traits.email"]').type(identity)
           cy.get('input[name="password"]').type(identity)
 
@@ -86,7 +86,7 @@ describe("Registration failures with email profile", () => {
         })
 
         it("should show an error when the password is empty", () => {
-          cy.get('input[name="traits.website"]').type("https://www.ory.sh")
+          cy.get('input[name="traits.website"]').type("http://www.ory.com")
           cy.get('input[name="traits.email"]').type(identity)
 
           // the browser will prevent the form from being submitted if the input field is required
@@ -105,7 +105,7 @@ describe("Registration failures with email profile", () => {
         })
 
         it("should show an error when the email is empty", () => {
-          cy.get('input[name="traits.website"]').type("https://www.ory.sh")
+          cy.get('input[name="traits.website"]').type("http://www.ory.com")
           cy.get('input[name="password"]').type(password)
 
           // the browser will prevent the form from being submitted if the input field is required
@@ -125,7 +125,7 @@ describe("Registration failures with email profile", () => {
         })
 
         it("should show an error when the email is not an email", () => {
-          cy.get('input[name="traits.website"]').type("https://www.ory.sh")
+          cy.get('input[name="traits.website"]').type("http://www.ory.com")
           cy.get('input[name="password"]').type(password)
 
           // the browser will prevent the form from being submitted if the input data doesn't conform to the input field type

diff --git a/test/e2e/cypress/integration/profiles/email/settings/ui.spec.ts b/test/e2e/cypress/integration/profiles/email/settings/ui.spec.ts
@@ -25,7 +25,7 @@ context("Settings errors with email profile", () => {
         cy.useConfigProfile(profile)
         cy.registerApi({
           ...identity,
-          fields: { "traits.website": "https://www.ory.sh/" },
+          fields: { "traits.website": "http://www.ory.com/" },
         })
         cy.proxy(app)
       })

diff --git a/test/e2e/cypress/integration/profiles/mobile/registration/errors.spec.ts b/test/e2e/cypress/integration/profiles/mobile/registration/errors.spec.ts
@@ -53,7 +53,7 @@ context("Mobile Profile", () => {
       })
 
       it("should show an error when the email is empty", () => {
-        cy.get('input[data-testid="traits.website"]').type("https://www.ory.sh")
+        cy.get('input[data-testid="traits.website"]').type("http://www.ory.com")
         cy.get('input[data-testid="password"]').type(password)
 
         cy.get('div[data-testid="submit-form"]').click()
@@ -64,7 +64,7 @@ context("Mobile Profile", () => {
       })
 
       it("should show an error when the email is not an email", () => {
-        cy.get('input[data-testid="traits.website"]').type("https://www.ory.sh")
+        cy.get('input[data-testid="traits.website"]').type("http://www.ory.com")
         cy.get('input[data-testid="traits.email"]').type("not-an-email")
         cy.get('input[data-testid="password"]').type(password)
 

diff --git a/test/e2e/cypress/integration/profiles/oidc-provider/registration.spec.ts b/test/e2e/cypress/integration/profiles/oidc-provider/registration.spec.ts
@@ -74,7 +74,7 @@ context("OpenID Provider", () => {
       email,
       password,
       fields: {
-        "traits.website": "https://www.ory.sh",
+        "traits.website": "http://www.ory.com",
         "traits.tos": "1",
         "traits.age": 22,
       },

diff --git a/test/e2e/cypress/integration/profiles/passwordless/flows.spec.ts b/test/e2e/cypress/integration/profiles/passwordless/flows.spec.ts
@@ -18,14 +18,14 @@ const signup = (registration: string, app: string, email = gen.email()) => {
 
   cy.get('[name="webauthn_register_displayname"]').type("key1")
   cy.get(emailTrait).type(email)
-  cy.get(websiteTrait).type("https://www.ory.sh")
+  cy.get(websiteTrait).type("http://www.ory.com")
   cy.clickWebAuthButton("register")
   cy.getSession({
     expectAal: "aal1",
     expectMethods: ["webauthn"],
   }).then((session) => {
     expect(session.identity.traits.email).to.equal(email)
-    expect(session.identity.traits.website).to.equal("https://www.ory.sh")
+    expect(session.identity.traits.website).to.equal("http://www.ory.com")
   })
 }
 
@@ -116,14 +116,14 @@ context("Passwordless registration", () => {
         cy.get(websiteTrait).should("have.value", "b")
         cy.get(emailTrait).should("have.value", email)
         cy.get(websiteTrait).clear()
-        cy.get(websiteTrait).type("https://www.ory.sh")
+        cy.get(websiteTrait).type("http://www.ory.com")
         cy.clickWebAuthButton("register")
         cy.getSession({
           expectAal: "aal1",
           expectMethods: ["webauthn"],
         }).then((session) => {
           expect(session.identity.traits.email).to.equal(email)
-          expect(session.identity.traits.website).to.equal("https://www.ory.sh")
+          expect(session.identity.traits.website).to.equal("http://www.ory.com")
         })
       })