After calling the Create Registration Flow for Browsers endpoint (

GET /self-service/registration/browser

), the next API you should call is the Submit Registration Flow endpoint (

POST /self-service/registration

). Here's the typical sequence: 1. Call

/self-service/registration/browser

to initialize the registration flow. This will provide you with a flow ID and the form fields (including CSRF token) required for registration. 2. Submit the registration data by sending a POST request to

/self-service/registration?flow=<flow-id>

, including all required form fields (such as

traits.email

,

password

,

csrf_token

, etc.) in the request body. Make sure to include cookies and the CSRF token as provided in the previous step. Example (cURL):

bash curl -X POST \     -H 'Content-Type: application/json' \     -H 'Accept: application/json' \     -d '{"method":"password","csrf_token":"your-csrf-token","traits.email":"<mailto:email@example.com|email@example.com>","password":"verystrongpassword","traits.tos":"true"}' \     -b cookies.txt \     -c cookies.txt \     "https://$<http://PROJECT_SLUG.projects.oryapis.com/self-service/registration?flow=<your-flow-id|PROJECT_SLUG.projects.oryapis.com/self-service/registration?flow=<your-flow-id>>"

This completes the registration process for browser-based clients [Submit registration flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#submit-registration-flow).

To submit a registration flow using the [github.com/ory/kratos-client-go](http://github.com/ory/kratos-client-go) package, you should call the function:

go FrontendApi.UpdateRegistrationFlow(ctx).Flow(flowId).UpdateRegistrationFlowBody(body).Execute()

Here is a full example from the knowledge sources:

go func SubmitRegistration(ctx context.Context, flowId string, body client.UpdateRegistrationFlowBody) (*client.SuccessfulNativeRegistration, error) {  flow, _, err := ory.FrontendApi.UpdateRegistrationFlow(ctx).Flow(flowId).UpdateRegistrationFlowBody(body).Execute()  if err != nil {   return nil, err  }  return flow, nil }

This function submits the registration data to complete the registration flow in Ory Kratos using the Go SDK [Submit registration flow](https://www.ory.sh/docs/kratos/sdk/go#submit-registration-flow).

The function shown above is for native flows (API clients such as mobile or desktop apps), not browser flows. This is confirmed by the documentation, which provides this function as an example for native registration flow submission using the Go SDK. For browser flows, the process and requirements (such as handling CSRF tokens and cookies) differ and are typically handled in a browser context, not directly via this function in the Go SDK [Submit registration flow](https://www.ory.sh/docs/kratos/sdk/go#submit-registration-flow).

If you want to wrap the browser registration flow with your own API using the Go SDK (`github.com/ory/kratos-client-go`), you should use the following SDK function to submit the registration flow:

go FrontendApi.UpdateRegistrationFlow(ctx).Flow(flowId).UpdateRegistrationFlowBody(body).Execute()

This function is used for both native and browser flows. For browser flows, you must ensure that you handle cookies and CSRF tokens correctly, as required by browser-based flows. The SDK does not differentiate between native and browser flows at the function level; the distinction is in how you initialize and handle the flow (e.g., cookies, CSRF, and redirect handling) [Submit registration flow](https://www.ory.sh/docs/kratos/sdk/go#submit-registration-flow). Summary: - Use

FrontendApi.UpdateRegistrationFlow

to submit the registration flow for both native and browser flows. - For browser flows, make sure to handle cookies and CSRF tokens as required by the Ory Kratos browser flow. If you need to create the browser registration flow, use:

go FrontendApi.CreateBrowserRegistrationFlow(ctx).Execute()

This will initialize the browser registration flow and return the necessary data to proceed [Frontend API](https://www.ory.sh/docs/kratos/sdk/go#frontend-api).

For browser flows, you must handle both cookies and the CSRF token correctly when wrapping the flow with your own API: - CSRF Token: You need to extract the CSRF token from the registration flow response (it is provided as a hidden field in the UI nodes). When your frontend submits the registration data to your API, your API must include this CSRF token in the payload when calling the Ory Kratos SDK function (

UpdateRegistrationFlow

). The CSRF token is required in the request body for browser flows [Submit registration flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#submit-registration-flow). - Cookies: You must forward the cookies (especially the CSRF cookie and any session cookies) from the user's browser to Ory Kratos. This is necessary because Ory uses these cookies to validate the flow and protect against CSRF attacks. If your API acts as a proxy, it should read the cookies from the incoming request and pass them along in the SDK call. Without forwarding the

Cookie

HTTP header, you will encounter security errors [CSRF troubleshooting](https://www.ory.sh/docs/troubleshooting/csrf). In summary: - Your API should receive the CSRF token and cookies from the frontend. - Pass the CSRF token in the request body to the SDK function. - Forward the cookies in the request to Ory Kratos. This ensures the browser flow works securely and as intended.

To forward cookies in the request to Ory Kratos via the Go SDK (`github.com/ory/kratos-client-go`), you need to manually attach the

Cookie

header from the incoming HTTP request (from your frontend/client) to the SDK call. The SDK provides a method to set the cookie header when making API calls. For example, when using the

ToSession

or flow-related methods, you can use the

.Cookie()

method to pass the cookies:

go resp, _, err := apiClient.FrontendApi.     ToSession(context.Background()).     Cookie(request.Header.Get("Cookie")). // Forward the incoming Cookie header     Execute()

Similarly, for registration or login flows, you should forward the

Cookie

header:

go resp, _, err := apiClient.FrontendApi.     GetRegistrationFlow(context.Background()).     Id(flowId).     Cookie(request.Header.Get("Cookie")). // Forward the incoming Cookie header     Execute()

This approach is required because backend calls to Ory’s API won’t automatically include cookies; you must manually attach the relevant cookies to these requests. Without forwarding the

Cookie

HTTP header, you can't fetch or submit flows due to security errors [Migrate to Ory: Integrate backend](https://www.ory.sh/docs/migrate-to-ory#integrate-backend) [CSRF troubleshooting](https://www.ory.sh/docs/troubleshooting/csrf) [API Reference](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json). Summary: - Read the

Cookie

header from the incoming request in your API. - Pass it to the Ory Kratos SDK call using the

.Cookie()

method. This ensures that Ory Kratos receives all necessary cookies (including CSRF and session cookies) for secure flow handling.

After creating the browser login flow using the Kratos SDK's

CreateBrowserLoginFlow

, the next SDK function to invoke for submitting the login flow is:

go FrontendApi.UpdateLoginFlow(ctx).Flow(flowId).UpdateLoginFlowBody(body).Execute()

This function submits the user's login credentials and any required fields (such as the CSRF token) to complete the login process for the browser flow. You must provide the

flowId

from the created login flow and the request body containing the login data [Submit login flow](https://www.ory.sh/docs/kratos/sdk/go#submit-login-flow) [Submit login flow (custom UI)](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#submit-login-flow). Example:

go func SubmitLogin(ctx context.Context, flowId string, body client.UpdateLoginFlowBody) (*client.SuccessfulNativeLogin, error) {  flow, _, err := ory.FrontendApi.UpdateLoginFlow(ctx).Flow(flowId).UpdateLoginFlowBody(body).Execute()  if err != nil {   return nil, err  }  return flow, nil }

Make sure to include all necessary cookies and the CSRF token in your request when handling browser flows.

To expose the Ory Hydra

/oauth2/auth

endpoint via your own Golang service, you essentially need to act as a reverse proxy or gateway between your clients and Hydra. Here’s how you can approach this, based on the official Ory documentation: ### 1. Understand the Endpoint The

/oauth2/auth

endpoint is part of Hydra’s public API and is designed to be exposed to the public internet. It is used to initiate OAuth2 and OpenID Connect authorization flows. Hydra expects this endpoint to be accessible to browsers and clients directly [Exposing administrative and public API endpoints](https://www.ory.sh/docs/hydra/self-hosted/production#exposing-administrative-and-public-api-endpoints). ### 2. Recommended Approach: Reverse Proxy The standard and recommended way to expose this endpoint is to use a reverse proxy (such as Nginx or your own Go service) that forwards requests to Hydra’s public API. This is how the Ory documentation suggests production deployments should be set up [Install and configure Nginx](https://www.ory.sh/docs/hydra/self-hosted/deploy-hydra-example#install-and-configure-nginx). Example Nginx config:

nginx location ~ ^/(.well-known|oauth2/auth|oauth2/token|oauth2/sessions|oauth2/revoke|oauth2/fallbacks/consent|oauth2/fallbacks/error|userinfo)/? {   proxy_pass <http://public_api>;   proxy_redirect    off;   proxy_set_header  Host              $host;   proxy_set_header  X-Real-IP         $remote_addr;   proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;   proxy_set_header  X-Forwarded-Proto $http_x_forwarded_proto; }

You can implement similar logic in Go using the

httputil.ReverseProxy

package. ### 3. Implementing a Reverse Proxy in Go Here’s a basic example of how you might forward

/hydra/oauth2/auth

requests from your Go service to Hydra:

go package main  import (     "net/http"     "net/http/httputil"     "net/url" )  func main() {     target, _ := url.Parse("<http://localhost:4444>") // Hydra public API     proxy := httputil.NewSingleHostReverseProxy(target)      http.HandleFunc("/hydra/oauth2/auth", func(w http.ResponseWriter, r *http.Request) {         // Optionally, you can add custom logic here (logging, auth, etc.)         r.URL.Path = "/oauth2/auth"         proxy.ServeHTTP(w, r)     })      http.ListenAndServe(":8080", nil) }

This will forward requests from

/hydra/oauth2/auth

on your service to

/oauth2/auth

on Hydra. ### 4. Security Considerations - The

/oauth2/auth

endpoint is safe to expose publicly, but do not expose Hydra’s admin API endpoints. - Ensure you forward all necessary headers (especially for authentication and session management). - If you need to add custom logic (e.g., logging, rate limiting), you can do so before proxying the request. ### 5. Do Not Use the SDK for This Endpoint The Ory Hydra Go SDK is not intended for proxying or consuming the

/oauth2/auth

endpoint. It is meant for administrative and management tasks. For OAuth2 flows, use a reverse proxy or the standard [golang.org/x/oauth2](https://godoc.org/golang.org/x/oauth2) package for clients [Ory OAuth2 & OpenID Connect Go SDK](https://www.ory.sh/docs/hydra/sdk/go). --- Summary: - Use a reverse proxy pattern in your Go service to forward

/hydra/oauth2/auth

to Hydra’s public API. - Do not use the SDK for this endpoint. - Follow Ory’s security recommendations and only expose public endpoints [Exposing administrative and public API endpoints](https://www.ory.sh/docs/hydra/self-hosted/production#exposing-administrative-and-public-api-endpoints). If you need more advanced routing or security, refer to the Ory documentation for production deployment best practices.

The recommended Go SDK for interacting with Hydra Admin APIs (such as accepting a login request with

/oauth2/auth/requests/login/accept?login_challenge

) is [`github.com/ory/hydra-client-go`](https://github.com/ory/hydra-client-go). This SDK is specifically generated for Ory Hydra and provides typed methods for all admin endpoints, including login and consent request handling. You should use this SDK instead of making raw HTTP requests for admin operations. For example, to accept a login request, you would use the appropriate method from the SDK rather than manually constructing HTTP requests [Ory Hydra Go SDK](https://www.ory.sh/docs/hydra/self-hosted/go) [Hydra SDK overview](https://www.ory.sh/docs/hydra/sdk/overview). The Ory Network/Cloud SDK (`github.com/ory/client-go`) is not intended for self-hosted Hydra admin APIs. Summary: - Use

<http://github.com/ory/hydra-client-go|github.com/ory/hydra-client-go>

for Hydra Admin API operations such as accepting login requests. - The SDK provides methods for these endpoints, so you do not need to invoke them as raw HTTP requests. If you need a code example for accepting a login request, let me know!

Certainly! Here is a sample Go code snippet that demonstrates how to accept a login challenge using the Ory Hydra Admin Go SDK (`github.com/ory/hydra-client-go`) in a self-hosted environment:

go package main  import (  "context"  "fmt"  client "<http://github.com/ory/hydra-client-go|github.com/ory/hydra-client-go>" )  func main() {  // Configure the Hydra Admin API client  configuration := client.NewConfiguration()  configuration.Servers = []client.ServerConfiguration{   {    URL: "<http://localhost:4445>", // Replace with your Hydra Admin API URL   },  }  apiClient := client.NewAPIClient(configuration)   loginChallenge := "your-login-challenge" // Replace with the actual login challenge   acceptLogin := *client.NewAcceptOAuth2LoginRequest()  acceptLogin.SetSubject("user-id") // Set the authenticated user's ID  acceptLogin.SetRemember(true)  acceptLogin.SetRememberFor(int64(3600)) // Remember for 1 hour   // Call the accept login request endpoint  resp, _, err := apiClient.OAuth2Api.AcceptOAuth2LoginRequest(context.Background()).   LoginChallenge(loginChallenge).   AcceptOAuth2LoginRequest(acceptLogin).   Execute()  if err != nil {   fmt.Printf("Error accepting login request: %v\n", err)   return  }   fmt.Printf("Redirect user to: %s\n", resp.GetRedirectTo()) }

This code configures the SDK, sets up the login acceptance payload, and calls the

AcceptOAuth2LoginRequest

method to accept the login challenge. The response contains the

redirect_to

URL, which you should use to redirect the user's browser [Ory Hydra Go SDK](https://www.ory.sh/docs/hydra/self-hosted/go). > Note: > Replace

"your-login-challenge"

and

"user-id"

with the actual values from your login flow. This approach is the recommended way to interact with Hydra's admin endpoints in a self-hosted environment using Go.

No, you should not use the

hydra-client-go

SDK for the

/oauth2/auth

and

/oauth2/token

APIs. The official Ory documentation explicitly states that you should not consume the

/oauth2/auth

and

/oauth2/token

endpoints using the SDK. Instead, you should use well-established OAuth2 client libraries, such as [golang.org/x/oauth2](https://godoc.org/golang.org/x/oauth2), for handling OAuth2 and OpenID Connect flows in your applications [Ory Hydra Go SDK](https://www.ory.sh/docs/hydra/self-hosted/go) [Ory OAuth2 & OpenID Connect Go SDK](https://www.ory.sh/docs/hydra/sdk/go) [Popular OAuth2 client libraries](https://www.ory.sh/docs/hydra/guides/using-oauth2). The SDK is intended for administrative and management tasks (such as handling login/consent challenges, managing clients, etc.), not for performing OAuth2 authorization or token requests.

New message text here