<@U04UQ68083H> create native login flow returning ...
# ory-copilot
@chilly-king-10285 create native login flow returning csrf_token empty ory kratos
A message from kapa.ai
I notice you're asking about the empty CSRF token in native login flows with Ory Kratos. This is actually expected behavior. When you create a native login flow using the `/self-service/login/api` endpoint, the CSRF token in the response will be empty by design. This is because native applications (like mobile apps, desktop apps, etc.) don't need CSRF protection in the same way browser applications do. From the knowledge sources, we can see this in the example response from creating a native login flow:

```json
{
  "id": "db748b69-a059-464f-870c-2d4f4a3a2f26",
  "type": "api",
  "ui": {
    "nodes": [
      {
        "type": "input",
        "group": "default",
        "attributes": {
          "name": "csrf_token",
          "type": "hidden",
          "value": "",  // Note the empty value
          "required": true,
          "disabled": false,
          "node_type": "input"
        },
        "messages": [],
        "meta": {}
      },
      // other nodes...
    ]
  }
}
```

This is different from browser flows, where the CSRF token is populated with a value to protect against cross-site request forgery attacks. As explained in the documentation:

> Native applications must use the API flows which don't set any cookies. The response contains all data required to render the UI. On successful login, Ory issues a session token that can be used to authenticate following requests to Ory.

The [Integration basics](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration) documentation clarifies that browser applications need CSRF protection, but native applications don't:

> Browser applications are apps with which users interact through their web browsers... the communication between the user that interacts with the app and Ory must be secured. This is achieved by setting a CSRF cookie and token.

> Native applications, such as Android mobile apps or desktop applications, aren't rendered in the browser. Since the application isn't rendered in the browser, the CSRF cookie and token aren't necessary.

So if you're implementing a native application flow, you don't need to worry about the empty CSRF token - it's by design.
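A Python helper, added here as an example and not code from the thread or from Ory's SDK, that builds the login submission from a flow's `ui.nodes` and applies the csrf_token rule above: dropped for `api` (native) flows, required non-empty for `browser` flows. The flow JSON is constructed to mirror the answer's response shape plus the password-method nodes Kratos adds, and the action URL is a placeholder.

```python
import json

# Constructed sample of a native flow as returned by /self-service/login/api.
# Mirrors the shape shown in the answer (csrf_token empty); the action URL is a placeholder.
NATIVE_LOGIN_FLOW = json.loads("""
{
  "id": "db748b69-a059-464f-870c-2d4f4a3a2f26",
  "type": "api",
  "ui": {
    "action": "https://kratos.example/self-service/login?flow=db748b69-a059-464f-870c-2d4f4a3a2f26",
    "method": "POST",
    "nodes": [
      {"type": "input", "group": "default",
       "attributes": {"name": "csrf_token", "type": "hidden", "value": "", "required": true, "disabled": false, "node_type": "input"}},
      {"type": "input", "group": "password",
       "attributes": {"name": "identifier", "type": "text", "required": true, "disabled": false, "node_type": "input"}},
      {"type": "input", "group": "password",
       "attributes": {"name": "password", "type": "password", "required": true, "disabled": false, "node_type": "input"}},
      {"type": "input", "group": "password",
       "attributes": {"name": "method", "type": "submit", "value": "password", "disabled": false, "node_type": "input"}}
    ]
  }
}
""")


def build_login_submission(flow: dict, identifier: str, password: str) -> tuple[str, dict]:
    """Return (action_url, body) for submitting the password method to this flow.

    Hidden and submit inputs are echoed with the values Kratos rendered; the caller's
    credentials fill identifier/password. The csrf_token handling follows the answer:
    an api (native) flow ships it empty and it is dropped, while a browser flow must
    echo a non-empty token, so an empty one is treated as an error before any request.
    """
    body = {}
    for node in flow["ui"]["nodes"]:
        attrs = node["attributes"]
        if node["type"] != "input" or attrs.get("disabled"):
            continue
        if attrs["type"] in ("hidden", "submit") and attrs.get("value") is not None:
            body[attrs["name"]] = attrs["value"]
    if flow["type"] == "browser" and not body.get("csrf_token"):
        raise ValueError("browser flow without a csrf_token: refusing to submit")
    if flow["type"] == "api":
        body.pop("csrf_token", None)  # empty by design for native flows, nothing to send
    body["identifier"] = identifier
    body["password"] = password
    return flow["ui"]["action"], body
```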