Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi, I'm looking to clarify whether my usescase is suited to the native API flows. I am new to front end and apologize for my ignorance.

I have a flutter SPA and a rust/grpc backend.  I need all the user authentication to be done over my own endpoints, whereupon the backend will call into the Ory network to do all the relevant work. I am not, for example, using the hosted UI.
I see a lot of warnings spread throughout the docs against using the native APIs for "server-side" clients for CSRF vulnerabilities.
I want to ensure that "server-side" in this context means things like ruby on rails or htmx  and not for API endpoints that are called by a client application.