Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hello,
I noticed that when we make a GET request to `/self-service/login/browser` we get `csrf_token` (lets call it as csrf 1) in the response body which we need to send back.
We resend this `csrf_token` back in POST request to `/self-service/login?flow=xxxxx` .
But when there is some error in the POST request (e.g: invalid password) then we get another `csrf_token` (csrf 2) in the response body. After then when we make a POST request with same flow id and with old `csrf_token`  (csrf 1) and valid credentials then request will be success. So my question is what is the use of (csrf 2)