Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

~I'm using Svelte to make a SPA side... using `frontend.createBrowserRegistrationFlow()` works fine, it redirects the client and grabs the flow.... but when using `getRegistrationFlow()` there is no way to pass the cookie into the body or header due to the cookie being HTTP Only. I've set the frontend config to include credentials, confirmed it is sending the cookie but it seems Kratos is requiring the cookie to also be added to the body and/or another header, both of which I can't figure out how to do / don't think it is possible as it's returning CSRF violation each time.~
~Reference error: `The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token)`~

~Should I just be implementing the `createNativeRegistrationFlow()` / API route instead even though it's advised against in SPA type apps &amp; browser routes should really work/be fine besides this one issue?~

~I'd really appreciate any suggestions &amp; ideas to try.~

Figured it out, just had to make sure / force fetch to run on the browser side and not server.