# ory-copilot
@chilly-king-10285 I'm facing an issue in Safari when trying to set up Ory on my local device: "Please retry the flow and optionally clear your cookies. The request was rejected to protect you from Cross-Site-Request-Forgery (CSRF) which could cause account takeover, leaking personal information, and other serious security issues." What happened?
A message from kapa.ai
The error message you're seeing is related to Cross-Site Request Forgery (CSRF) protection mechanisms in Ory. CSRF is a type of attack that tricks the victim into submitting a malicious request. Ory uses cookies to manage sessions in browser applications and deploys CSRF cookies to protect against CSRF attacks. When developing locally, your application is often exposed at the `localhost` domain. Ory APIs must be available on the same domain as your application to avoid issues with third-party cookies. The easiest way to expose Ory on your `localhost` domain is to use the Ory CLI Tunnel. You can start the Ory Tunnel using the command `ory tunnel --dev --project $PROJECT_SLUG http://localhost:3000`[^1]. However, there are some limitations when using the Ory Tunnel. For instance, cookies set on `localhost` will not be sent in requests to `127.0.0.1` and vice versa[^4]. Also, it's important to note that iframes can pose a significant security risk for authentication services. Safari has implemented a feature called Intelligent Tracking Prevention that blocks third-party cookies by default in iframe contexts, which breaks authentication, CSRF prevention, and sessions[^5]. To debug issues related to cookies or anti-CSRF defenses, you can use tools like the Chrome DevTools[^2]. If you're using Ory Kratos, it provides CSRF protection for all flows. This means that you must send the CSRF token in the body and the CSRF cookie back when submitting a flow[^3].

[^1]: https://www.ory.sh/docs/getting-started/local-development#local-development
[^2]: https://www.ory.sh/docs/troubleshooting/csrf
[^3]: https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#cross-site-request-forgery-errors
[^4]: https://www.ory.sh/docs/getting-started/local-development#limitations
[^5]: https://www.ory.sh/docs/troubleshooting/iframes
@chilly-king-10285 I am using Ory Kratos
A message from kapa.ai
Ory Kratos is a robust identity management server that allows you to implement user management, login, and registration in a secure and straightforward way[^1]. It provides CSRF protection for all flows, which means you must send the CSRF token in the body and the CSRF cookie back when submitting a flow[^3]. If you're facing issues with CSRF protection, it could be due to the way your application is set up. When developing locally, your application and Ory APIs must be available on the same domain to avoid issues with third-party cookies[^1]. Safari has implemented a feature called Intelligent Tracking Prevention that blocks third-party cookies by default in iframe contexts, which can break authentication, CSRF prevention, and sessions[^5]. To debug issues related to cookies or anti-CSRF defenses, you can use tools like the Chrome DevTools[^2]. If you're still facing issues, you might want to check out the Ory Kratos Quickstart guide[^1] or the Ory Kratos API reference[^6][^7] for more information.

[^1]: https://www.ory.sh/docs/ecosystem/projects#ory-kratos
[^2]: https://www.ory.sh/docs/troubleshooting/csrf
[^3]: https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#cross-site-request-forgery-errors
[^5]: https://www.ory.sh/docs/troubleshooting/iframes
[^6]: https://www.ory.sh/docs/kratos/reference/api
[^7]: https://www.ory.sh/docs/reference/api