# ory-copilot
@chilly-king-10285 What's the difference between Kratos browser and API flows?
A message from kapa.ai
The main difference between Kratos browser and API flows lies in their intended application type, security measures, and how sessions and CSRF protection are handled:

Browser Flows:
- Designed for applications running in a web browser, including server-side rendered apps and single-page applications (SPAs).
- Use endpoints like `/self-service/{flow_type}/browser`.
- Ory sets anti-CSRF cookies and session cookies to protect against CSRF and session hijacking.
- On successful login, a session cookie is issued and used for subsequent authentication.
- Browser flows may use HTTP redirects for flow completion, but if the `Accept` header is set to `application/json` (as in SPAs), responses are in JSON while still setting cookies.
- Must not be used in native or API-only contexts, as they rely on browser-specific security features like cookies and CSRF tokens [Browser vs. native apps](https://www.ory.sh/docs/identities/native-browser) [Browser flows for client-side apps](https://www.ory.sh/docs/kratos/self-service#browser-flows-for-client-side-apps-single-page-apps-reactjs-angular-nextjs-) [Integration basics](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration).

API Flows:
- Intended for native applications (mobile, desktop), command-line interfaces, smart TVs, and other non-browser clients.
- Use endpoints like `/self-service/{flow_type}/api`.
- Do not set or require CSRF cookies, as these environments are not vulnerable to browser-based CSRF attacks.
- On successful login, a session token is issued instead of a session cookie. This token is used for authenticating subsequent requests.
- All communication is in JSON, and there are no HTTP redirects.
- Must not be used in browser applications, as this opens up security vulnerabilities (e.g., CSRF attacks) [Browser vs. native apps](https://www.ory.sh/docs/identities/native-browser) [API flows: Native Mobile & Desktop Apps](https://www.ory.sh/docs/kratos/self-service#api-flows-native-mobile--desktop-apps-command-line-interfaces-smart-tvs-and-more).

Key Security Note: Never use API flows in browser applications (including SPAs), as this bypasses critical security protections and exposes your app to attacks [Performing login, registration, settings, ... flows](https://www.ory.sh/docs/kratos/self-service#performing-login-registration-settings--flows).

In summary:
- Browser flows = for web apps, use cookies and CSRF protection.
- API flows = for native/mobile/CLI apps, use tokens, no cookies or CSRF.

Always use the correct flow for your application type to ensure security and proper functionality.