# ory-copilot
@chilly-king-10285 After creating Login Flow, Get login flow curl command is failing. cookies.txt were created from my project page on browser. curl command:
```bash
curl -X GET \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -H "X-CSRF-Token: {Token-Value}" \
    -c cookies.txt \
    "https://strange-khorana-ejixunujvz.projects.oryapis.com/self-service/login/flows?id=7fc65c63-7ffa-494f-9561-3e3409e5340e"
```
Error:
```json
{
  "error": {
    "id": "security_csrf_violation",
    "code": 403,
    "status": "Forbidden",
    "request": "ac1a91cc-b151-9f0c-ace6-ba19030d617c",
    "reason": "Please retry the flow and optionally clear your cookies. The request was rejected to protect you from Cross-Site-Request-Forgery (CSRF) which could cause account takeover, leaking personal information, and other serious security issues.",
    "details": {
      "docs": "https://www.ory.sh/kratos/docs/debug/csrf",
      "hint": "The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token).",
      "reject_reason": "The HTTP Cookie Header was set and a CSRF token was sent but they do not match. We recommend deleting all cookies for this domain and retrying the flow."
    },
    "message": "the request was rejected to protect you from Cross-Site-Request-Forgery"
  }
}
```
A message from kapa.ai
The error message you're seeing is related to Cross-Site-Request-Forgery (CSRF) protection. It seems like the CSRF token sent in the HTTP request does not match the anti-CSRF cookie found. This mismatch is causing the request to be rejected. Here are a few steps you can take to resolve this issue:

1. Ensure that you're sending the correct CSRF token in your request. The CSRF token value is a hidden input field called `csrf_token`. You can find this in the login flow response.
2. Make sure you're using the `-c` flag to store the cookies in a file and the `-b` flag to read the cookies from the file in your cURL command. This is necessary to ensure that requests work correctly for the browser flow.
3. If the issue persists, try deleting all cookies for this domain and retrying the flow as suggested in the error message.

For more information on CSRF troubleshooting, you can refer to [this document](https://www.ory.sh/docs/kratos/debug/csrf) as suggested in the error details. Here is an example of how your cURL command should look:

```bash
curl -X GET \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -c cookies.txt \
    -b cookies.txt \
    "https://strange-khorana-ejixunujvz.projects.oryapis.com/self-service/login/flows?id=7fc65c63-7ffa-494f-9561-3e3409e5340e"
```

Please note that this command does not include the `X-CSRF-Token` header. The CSRF token should be included in the body of a POST request when you're submitting the login flow, not in the GET request to retrieve the login flow.
@chilly-king-10285 Where and how to use the anti-CSRF cookie?
Sorry @polite-nest-24806, I'm not sure what you mean. Please try again. 👋
A message from kapa.ai
The anti-CSRF cookie is used as a security measure to protect against Cross-Site Request Forgery (CSRF) attacks. In the context of Ory, it is used in conjunction with CSRF tokens to ensure that requests made to the server are legitimate and originated from the client. Here's how it works:

1. When a client initiates a flow (like a login or registration flow), Ory sets an anti-CSRF cookie in the client's browser. This cookie is automatically sent with every subsequent request to the server.
2. Along with the anti-CSRF cookie, Ory also includes a CSRF token in the body of the response. This token is a hidden input field in the form that the client needs to submit.
3. When the client submits the form, it must include the CSRF token in the request. This can be done by including the token in the body of the request or in the `X-CSRF-Token` header.
4. Ory compares the CSRF token in the request with the value of the anti-CSRF cookie. If the values match, the request is allowed. If they don't match, the request is rejected.

Here's an example of how you might include the CSRF token in a form submission using JavaScript:

```javascript
fetch('https://your-ory-instance.com/self-service/login/flows', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    // other form data...
    'csrf_token': csrfToken // replace csrfToken with the actual CSRF token
  })
})
```

In this example, `csrfToken` should be the CSRF token you received from Ory in the login flow response. You can find this token in the `ui.nodes` array of the response, where the `name` of the node is `csrf_token` ([source](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#cross-site-request-forgery-errors)). Remember, the anti-CSRF cookie is automatically sent with every request because it's stored in the client's browser. You don't need to manually include it in your requests. For more information on how Ory uses anti-CSRF cookies and CSRF tokens to protect against CSRF attacks, you can refer to [this document](https://www.ory.sh/docs/kratos/concepts/security#defenses-against-cross-site-request-forgery).
@chilly-king-10285 follow-ups
Sorry @polite-nest-24806, I'm not sure what you mean. Please try again. 👋
A message from kapa.ai
I'm glad you found the information helpful! If you have any more questions or need further clarification on anything, feel free to ask. I'm here to help!