You're right to be concerned about this warning. Ory strongly advises against using API flows in browser applications due to security risks. Instead, you should use browser flows which have built-in protections. ## Why Browser Flows Instead of API Flows Browser flows in Ory include essential security measures like anti-CSRF cookies and proper session management that API flows don't provide. API flows are designed for native applications (mobile apps, smart TVs, etc.) where these browser-specific attack vectors aren't present. ## How to Properly Implement Browser Flows For browser applications (both server-side and client-side/SPAs), you should: 1. Use the correct endpoints: Use

/self-service/{flow-type}/browser

endpoints instead of the

/self-service/{flow-type}/api

endpoints [Identities: Browser vs. native apps](https://www.ory.sh/docs/identities/native-browser). 2. For Single-Page Apps (SPAs): Set the

Accept: application/json

header in your requests. This tells Ory to respond with JSON instead of redirects while still setting the necessary security cookies [Browser flows for client-side apps](https://www.ory.sh/docs/kratos/self-service#browser-flows-for-client-side-apps-single-page-apps-reactjs-angular-nextjs-). 3. Handle CSRF protection: Ensure you're properly handling the CSRF token in your forms. When mapping UI nodes, include the hidden

csrf_token

field in your form submissions [Integration basics](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#debug). 4. Configure your SDK properly: When using Ory's JavaScript SDK, ensure you set

withCredentials: true

to properly handle cookies:

javascript import { FrontendApi, Configuration } from "@ory/client"  const ory = new FrontendApi(   new Configuration({     basePath,     baseOptions: {       withCredentials: true,     },   }), )

5. Same domain requirement: Ensure Ory and your application are on the same top-level domain. For local development, use [Ory Tunnel](https://www.ory.sh/docs/getting-started/local-development) [Cookie-based security model](https://www.ory.sh/docs/security-model). ## Common Issues to Watch For - CORS errors: These often occur when Ory and your application are on different domains. Use Ory Tunnel for development or add your domain to your Ory Project. - CSRF errors: Make sure you're properly handling the CSRF token in form submissions. - Cookie issues: Ensure cookies are being properly set and sent with requests. By following these guidelines, you can build secure browser applications with Ory while maintaining proper protection against common attack vectors like CSRF.