# ory-copilot
@chilly-king-10285 is it possible to identify if a registration event comes from a web user or a mobile user?
A message from kapa.ai
Yes, it is possible to identify if a registration event comes from a web user or a mobile user in Ory by looking at the flow type that was used to initiate the registration. Ory Identities supports two distinct flow types:

1. Browser flows - Used by web applications (server-side or client-side)
2. API/Native flows - Used by mobile apps, Smart TVs, and other API clients

These flow types use different endpoints:

- Browser apps use: `https://$PROJECT_SLUG.projects.oryapis.com/self-service/{flow-type}/browser`
- Native apps use: `https://$PROJECT_SLUG.projects.oryapis.com/self-service/{flow-type}/api`

The [Browser vs. native apps](https://www.ory.sh/docs/identities/native-browser) documentation explains that these different endpoints implement different security measures. Browser flows use anti-CSRF cookies and issue session cookies, while native flows don't use CSRF protection and issue session tokens instead.

In your server logs or when implementing webhooks, you can identify the flow type by checking:

1. The endpoint that was used to initiate the flow
2. The `type` field in the flow data, which will be either `browser` or `api`

For example, in the GitHub issue logs, you can see the flow type specified:

```json
"type": "browser"
```

This distinction is important because Ory recommends never using API flows to implement browser applications due to security concerns, as mentioned in the [Self-service flows](https://www.ory.sh/docs/kratos/self-service#performing-login-registration-settings--flows) documentation. When implementing webhooks or actions that respond to registration events, you can use this information to customize your logic based on whether the user is registering from a web browser or a mobile application.
@chilly-king-10285 I use webview and browser flow for mobile registration
A message from kapa.ai
Using a WebView with browser flows for mobile registration is possible, but there are important security considerations to be aware of. When using WebViews in mobile apps with Ory's browser flows, you're essentially embedding a browser within your native application. This approach has some implications:

## Security Considerations

Ory discourages the use of iframes (which are similar to WebViews in some ways) due to security risks:

> Iframes can pose a significant security risk for authentication services due to many attack vectors such as clickjacking, iframe injection, iframe phishing, and many others.
>
> Safari has additionally implemented a feature called Intelligent Tracking Prevention that blocks third-party cookies by default in iframe contexts, which breaks authentication, CSRF-prevention, and sessions. Chrome is planning on rolling out the same changes in 2024.

[Troubleshoot iframe related issues](https://www.ory.sh/docs/troubleshooting/iframes)

## Cookie Handling

When using browser flows in a WebView, you need to ensure that:

1. The WebView properly handles cookies, as browser flows rely on HTTP cookies for CSRF protection and session management
2. Your WebView is configured to support the same cookie policies as regular browsers

## Domain Requirements

Remember that Ory and your UI must be hosted on the same top-level domain:

> - `ory.bar.com` and `app.bar.com` will work;
> - `ory.bar.com` and `bar.com` will work;
> - `ory.bar.com` and `not-bar.com` will not work.

[Self-service flows](https://www.ory.sh/docs/kratos/self-service#browser-flows-for-server-side-apps-nodejs-php-java-)

## Alternative Approach

For mobile applications, Ory recommends using the native API flows instead of browser flows in WebViews:

> Native apps use the `https://$PROJECT_SLUG.projects.oryapis.com/self-service/{flow-type}/api` endpoint to initialize flows such as sign in, registration, profile changes, and so on. When using this endpoint, no CSRF cookies will be issued by Ory.

[Browser vs. native apps](https://www.ory.sh/docs/identities/native-browser)

The native API approach is specifically designed for mobile applications and avoids many of the security concerns associated with WebViews and browser flows.