# ory-copilot
@chilly-king-10285 Can we expose the browser registration API via our own API by internally invoking the Ory SDK's browser registration function?
A message from kapa.ai
Yes, you can expose your own API endpoint that internally invokes Ory SDK's browser registration function, but there are important considerations and requirements:

- CSRF and Cookie Handling: The Ory browser registration flow (`/self-service/registration/browser`) is designed to work with browser clients and relies on setting and reading cookies, including anti-CSRF tokens. If you proxy this endpoint through your own API, you must ensure that all cookies (especially CSRF tokens) are correctly forwarded between the client and Ory. This includes handling `Set-Cookie` and `Cookie` headers transparently between the browser and Ory, which can be complex and error-prone if not done carefully.
- Same Domain Requirement: Ory documentation states that Ory and your UI must be hosted on the same top-level domain for browser flows to work correctly. If your API is on a different domain or subdomain, you may run into issues with cookies and CSRF protection, as browsers restrict cookie sharing across domains for security reasons [Initialize registration flow](https://www.ory.sh/docs/kratos/self-service/flows/user-registration#initialize-registration-flow).
- Recommended Integration: The recommended approach is to have your frontend (browser) application communicate directly with the Ory browser endpoints, not through a backend proxy, to avoid these issues. If you must proxy, you need to implement full cookie and CSRF token passthrough, which is non-trivial [Bring-your-own-ui integration basics](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration).
- SDK Usage Example: The Ory SDK can be used in your backend to call the browser registration flow, but again, you must ensure that all headers and cookies are handled correctly. For example, in Express.js, the SDK is used to fetch the registration flow and render it, but the browser still interacts directly with Ory for form submissions and receives cookies from Ory [Express.js example](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#create-registration-flow).

Summary: While technically possible, exposing the Ory browser registration API via your own API is not recommended unless you fully understand and correctly implement cookie and CSRF token handling. The preferred and secure method is to let the browser interact directly with Ory's browser endpoints. If you need to support native or API clients, use the `/self-service/registration/api` endpoint, which does not require CSRF or cookie handling [Browser vs. native apps](https://www.ory.sh/docs/identities/native-browser).