microscopic-answer-24504
08/16/2022, 1:29 PM
red-machine-69654
08/16/2022, 4:19 PM
@ory/kratos-client but then implemented a few endpoints with fetch() from a js app. I found it a bit easier after a while. 😄 Axios was too much for me. I am all client-side though, and pointed a custom domain to my ory cloud project. So that makes sharing cookies/session a lot easier.
I use browser-based flows where possible, and include the CSRF token. It seems safer. The example app has node/js code that takes cookies from the client side and passes them along in requests which are done server-side. The only place where I didn't is a cli-app. There I use server-to-server. You just need to adjust the name I think — if you use a cloud project it suffixes (or prefixes) the cookies with your cloud project ID/name.
For the /whoami I am not aware of it needing a CSRF token. But it needs the session (cookie) or a JWT. You generally only need the CSRF token when you submit (browser-based) flows, etc.