I'm building API that will be consumed by both web...
# general
I'm building an API that will be consumed by both web and mobile clients. I've already implemented CSRF protection for the entire API. My API will be a middleman between the client and Kratos (Kratos will never be exposed to the public). Seeing as my API already has CSRF protection, doesn't this mean it's irrelevant whether my web client calls my Go API, which then calls methods such as `cli.FrontendAPI.CreateNativeRegistrationFlow` (which it said is not secure to use for web clients)? It doesn't make sense to me to manage two CSRF tokens (both my API's and Kratos's). So instead, I'm thinking the best practice here is to just use `CreateNativeRegistrationFlow` for both web and mobile clients. Can someone please confirm whether this is definitely secure?
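Added example (not code from the post, and not Ory's code) of the topology the question describes: a Go API that checks its own CSRF token on a browser request and only then talks to Kratos server-to-server. Everything here is an assumption for illustration: the session cookie name `session`, the `X-CSRF-Token` header, a token scheme of HMAC-SHA256 over the session ID, and an `httptest` stub standing in for the internal Kratos instance's `/self-service/registration/api` endpoint. The real SDK call (`cli.FrontendAPI.CreateNativeRegistrationFlow(ctx).Execute()`) is replaced by a plain HTTP request so the example runs offline.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// csrfKey is a constructed secret for this example only; load it from config in practice.
var csrfKey = []byte("example-only-32-byte-secret-key!")

// tokenFor derives a CSRF token bound to a session ID (hypothetical scheme: HMAC-SHA256).
func tokenFor(sessionID string) string {
	m := hmac.New(sha256.New, csrfKey)
	m.Write([]byte(sessionID))
	return hex.EncodeToString(m.Sum(nil))
}

// validCSRF reports whether token belongs to sessionID, compared in constant time.
func validCSRF(sessionID, token string) bool {
	if sessionID == "" || token == "" {
		return false
	}
	return hmac.Equal([]byte(tokenFor(sessionID)), []byte(token))
}

// withCSRF guards state-changing requests: the browser must present the session cookie
// and a matching X-CSRF-Token header before the request reaches the Kratos-facing handler.
func withCSRF(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions {
			next.ServeHTTP(w, r)
			return
		}
		c, err := r.Cookie("session")
		if err != nil || !validCSRF(c.Value, r.Header.Get("X-CSRF-Token")) {
			http.Error(w, "invalid CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newMiddleman builds the public Go API. Kratos is reached only via kratosURL on the
// internal network; the client never talks to it directly.
func newMiddleman(kratosURL string) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/registration", withCSRF(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Server-to-server call creating a native (API) registration flow. With the Ory Go SDK
		// this is where cli.FrontendAPI.CreateNativeRegistrationFlow(ctx).Execute() would go.
		resp, err := http.Get(kratosURL + "/self-service/registration/api")
		if err != nil {
			http.Error(w, "upstream error", http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		body, _ := io.ReadAll(resp.Body)
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(resp.StatusCode)
		w.Write(body)
	})))
	return mux
}

// fakeKratos is a constructed stand-in for the internal Kratos instance.
func fakeKratos() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/self-service/registration/api" {
			w.Header().Set("Content-Type", "application/json")
			w.Write([]byte(`{"id":"flow-1","type":"api"}`))
			return
		}
		http.NotFound(w, r)
	}))
}

// callMiddleman sends a POST through the Go API with the given session cookie and CSRF
// token and returns the status the browser would see.
func callMiddleman(sessionID, token string) int {
	kratos := fakeKratos()
	defer kratos.Close()
	req := httptest.NewRequest(http.MethodPost, "/registration", nil)
	if sessionID != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: sessionID})
	}
	if token != "" {
		req.Header.Set("X-CSRF-Token", token)
	}
	rec := httptest.NewRecorder()
	newMiddleman(kratos.URL).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	sid := "sess-123" // constructed session ID
	fmt.Println(callMiddleman(sid, tokenFor(sid)))      // 200: token matches session
	fmt.Println(callMiddleman(sid, ""))                 // 403: no token
	fmt.Println(callMiddleman(sid, tokenFor("sess-999"))) // 403: token for a different session
}
```

The check that matters sits entirely in `withCSRF`, in front of the Kratos call: a cross-site form post from the browser carries the `session` cookie automatically but cannot supply the `X-CSRF-Token` header, so it is rejected before the Go API ever contacts Kratos. Binding the token to the session ID is what keeps a token captured for one session from being replayed against another.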