Hi, We are getting this error when signing in usin...
# ory-network
n
Hi, we are getting this error when signing in using the Ory flow from our React Native mobile app:
The HTTP Request Header included the "Cookie" key, indicating that this request was made by a Browser. The flow however was initiated as an API request. To prevent potential misuse and mitigate several attack vectors including CSRF, the request has been blocked. Please consult the documentation.
This issue does not happen when using our dev Ory project and calling the <http://locahost:4000> tunnel, but happens only when using our production project. We do not send any cookies and the withCredentials param is set to false in the config. Did anyone encounter a similar issue?
p
Hi @narrow-battery-46074 Are you deploying the react native application as a web app? The Ory APIs have a distinction between applications that require a browser and those that don't. In React Native applications these lines are somewhat blurred, since it can be deployed as a web application and native application from the same codebase. In the case of running the application in a browser, you would need to switch to using cookies and the browser APIs. https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#browser-vs-native-apps
n
Hi, we are not deploying the app as a web app but as a mobile app. We worked around the issue by forcing the request.headers["Cookie"] to an empty string; we couldn't figure out how Cookies would be set on our RN app.