# talk-kratos
b
This is most likely some basic thing, but I am trying to follow the quickstart guide and implement my own UI for the login/stuff... Following this: https://www.ory.sh/docs/kratos/quickstart#perform-registration-login-and-logout

Here's a play-by-play of what happened, in steps 1, 2, 3, 4:
Step 1: DONE and works
Step 2: DONE and works
Step 3: not working. When my server does the request, it receives the following error:

{"error":{"id":"security_csrf_violation","code":403,"status":"Forbidden","reason":"Please retry the flow and optionally clear your cookies. The request was rejected to protect you from Cross-Site-Request-Forgery (CSRF) which could cause account takeover, leaking personal information, and other serious security issues.","details":{"docs":"https://www.ory.sh/kratos/docs/debug/csrf","hint":"The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token).","reject_reason":"The HTTP Cookie Header was set and a CSRF token was sent but they do not match. We recommend deleting all cookies for this domain and retrying the flow."},"message":"the request was rejected to protect you from Cross-Site-Request-Forgery"}}

So my guess would be that I have to copy the cookie information from the HTTP request to the server-side HTTP request?
m
Link to the docs in the error might answer your question: https://www.ory.sh/docs/kratos/debug/csrf
b
Nope.. That is not really the case here. The request that the server does is basically just:

curl -s -X GET \
  -H "Accept: application/json" \
  "http://127.0.0.1:4433/self-service/login/flows?id=$flowId"

And it does work if instead of /login/browser I use /login/api and fetch the flow id from the JSON message. But that would also mean that I am not utilizing the cookie information that kratos is using.
So I guess I just have to "pass through" the cookie information.
Yep, if I add the cookie to the curl request from the command line, then this will work as expected. Maybe that information should be added to the guide?
so this solves my problem 🙂