ory · MikeSagnelli · Apr 3, 2026 · Apr 7, 2026 · Apr 8, 2026 · Apr 9, 2026
@@ -7,6 +7,12 @@ toc_max_heading_level: 3
 
 # Import identities
 
+```mdx-code-block
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+import BrowserWindow from "@site/src/theme/BrowserWindow"
+```
+
 Ory allows you to import identities from any other system. To import identities, you use the same endpoint as for
 [creating identities](./20_create-users-identities.mdx). The main difference between creating and importing identities is that
 when you import identities, you must provide the `credentials` field.
@@ -45,9 +51,6 @@ This is a sample payload for importing an identity with a verified address:
 Test the above example with a cURL command:
 
 ````mdx-code-block
-import Tabs from '@theme/Tabs'
-import TabItem from '@theme/TabItem'
-
 <Tabs
   defaultValue="cloud"
   values={[
@@ -553,6 +556,75 @@ The following steps are necessary to set up password migration using a web hook:
 
 2.  Configure a password migration web hook
 
+    ```mdx-code-block
+    <Tabs
+      defaultValue="console"
+      values={[
+        {label: 'Ory Console', value: 'console'},
+        {label: 'Ory CLI', value: 'cli'},
+      ]}>
+    <TabItem value="console">
+    ```
+
+    a. Go to your project in the [Ory Console](https://console.ory.sh).
+
+    b. Click **Authentication** in the top navigation bar.
+
+    c. Click **Actions & Webhooks** in the left sidebar.
+
+    d. Click **Create new Action**.
+
+    e. In the **Action Base Details** dialog, fill in the following fields:
+
+    - **Flow** — Select **Password Migration**. The execution phase and method fields are hidden because the migration hook runs
+      at login time automatically, outside of the standard flow lifecycle.
+
+    - **URL** — Enter the URL of your password migration webhook endpoint, for example `https://example.org/migrate-password`.
+
+    - **Method** — Select the HTTP method your endpoint expects, for example **POST**.
+
+    - **Action HTTP body** — The body is pre-filled with a Jsonnet template that maps `ctx.identifier` and `ctx.password` to the
+      request payload. You can customize it. See the
+      [webhook documentation](../../guides/integrate-with-ory-cloud-through-webhooks.mdx#customizing-request-body-with-jsonnet)
+      for all available context fields.
+
+    ```mdx-code-block
+    <BrowserWindow url="https://console.ory.sh/projects/b3b748e5-7ddc-4860-a672-2436a877dc93/developers/actions">
+      ![Action Base Details dialog with Password Migration flow selected](../_static/manage-identities/import-user-accounts-identities/pw-migration-webhook-step-1.png)
+    </BrowserWindow>
+    ```
+
+    f. Click **Next** to proceed to the **Action authentication** step. Select the authentication type for your webhook endpoint.
+    Ory supports **None**, **Basic** (username and password), and **Key** (API key in a header or cookie). See the
+    [webhook authentication documentation](../../guides/integrate-with-ory-cloud-through-webhooks.mdx#request-authentication) for
+    details on each option.
+
+    :::warning
+
+    Leaving your webhook endpoint unauthenticated exposes it to unauthorized access. Secure your endpoint with strong
+    authentication to protect sensitive credentials passed during migration.
+
+    :::
+
+    ```mdx-code-block
+    <BrowserWindow url="https://console.ory.sh/projects/b3b748e5-7ddc-4860-a672-2436a877dc93/developers/actions">
+      ![Action authentication dialog](../_static/manage-identities/import-user-accounts-identities/pw-migration-webhook-step-2.png)
+    </BrowserWindow>
+    ```
+
+    g. Click **Save action**. The new **Password Migration** action appears in the actions table.
+
+    ```mdx-code-block
+    <BrowserWindow url="https://console.ory.sh/projects/b3b748e5-7ddc-4860-a672-2436a877dc93/developers/actions">
+      ![Actions & Webhooks page showing the Password Migration action](../_static/manage-identities/import-user-accounts-identities/pw-migration-webhook-table.png)
+    </BrowserWindow>
+    ```
+
+    ```mdx-code-block
+    </TabItem>
+    <TabItem value="cli">
+    ```
+
     Add the web hook URL to the configuration. See the
     [web hook configuration](../../guides/integrate-with-ory-cloud-through-webhooks.mdx#request-authentication) for authentication
     options. If you use Ory Network, update this configuration directly using the
@@ -589,6 +661,11 @@ The following steps are necessary to set up password migration using a web hook:
     }
     ```
 
+    ```mdx-code-block
+    </TabItem>
+    </Tabs>
+    ```
+
 3.  Implement the password migration web hook
 
     If a user logs in and the identifier points to an identity that has `use_password_migration_hook` set to `true`, Ory
@@ -602,6 +679,27 @@ The following steps are necessary to set up password migration using a web hook:
     }
     ```
 
+    To verify that an identity is pending migration in the Ory Console:
+
+    a. Go to your project in the [Ory Console](https://console.ory.sh).
+
+    b. Click **User management** in the top navigation bar.
+
+    c. Click **Users & identities** in the left sidebar.
+
+    d. Find the identity you want to review and click the three-dot menu (**⋮**) on its row.
+
+    e. Click **View identity** to open its details.
+
+    f. In the **Basic Information** section, under **Credential Identifiers**, the identity shows a **Migration pending** badge if
+    the user hasn't logged in and completed the password migration yet.
+
+    ```mdx-code-block
+    <BrowserWindow url="https://console.ory.sh/projects/b3b748e5-7ddc-4860-a672-2436a877dc93/identities/2db9fa1c-95fd-4112-bdbc-a4bd857d7426">
+      ![Identity detail page showing the Migration pending badge](../_static/manage-identities/import-user-accounts-identities/pw-migration-pending-badge.png)
+    </BrowserWindow>
+    ```
+
     The web hook can then check the identifier and password against the legacy system. If the password matches, the web hook must
     respond with a `200 OK` status code and the following payload: