Can I use API-only flows in browser

Hi there.

Thanks for the amazing work on the ORY stack which I find very coherent compared to other solutions. Especially the “pick what you need, we build small, lightweight and open-source blocks” aspect is very appealing to me and I am very grateful for this contribution to the OSS community :+1:.

I’m starting a new project that will probably use Kratos as primary identity provider. In order to save some development efforts at the beginning, I’ll probably use some native development framework for both web and native (mobile) apps. Therefore, I’d prefer to only rely on the upcoming API flows rather than the browser flows (as I’ll have to use the API flows for native apps anyways). Also, I prefer API-only flows in general because I find them easier to understand in the context of a single-page app, and they avoid some HTTP requests and redirections that happen in traditional back-end applications.

My first question: Is it fine to do so? Is there any security implication that I should be aware of?

My second question: I’ve tried to do so, but wasn’t able to. I can perform the initiation request to the /self-service/login/api endpoint, but then Kratos rejects the POST request to /self-service/login/methods/password complaining about a missing or invalid CSRF. It works fine with bare curl so I assume Kratos gets confused with the CSRF cookie sent by the browser. Is this a bug of the current version on master or is it the actual intended behavior?


Don’t do this, you should use each endpoint for the right cause – if your client is a user agent you should use the browser flow as it protects you from CSRF attacks.

CSRF is preserved through cookie so make sure Kratos and your app are on the same domain (or proxy to Kratos via your app using some kind of a proxy)

1 Like

Makes sense. Thank you.