Skip to main content

Browser vs. native apps

Ory Identities supports both mobile (native) and browser applications. Because of the broad capabilities browsers offer, they pose a higher security risk than native applications. To shield your users from those risks, Ory Identities implements special browser APIs which use additional security measures such as anti-CSRF cookies.

Native apps

Native apps use the https://{project.slug}.projects.oryapis.com/self-service/{flow-type}/api endpoint to initialize flows such as sign in, registration, profile changes, and so on. When using this endpoint, no CSRF cookies will be issued by Ory.

Additionally, Ory issues an Ory Session Token instead of an Ory Session Cookie. This token is equivalent to the session cookie and returns the same session response when calling ory.toSession({ xSessionToken: "{session-token}" }).

Because it is very dangerous to use native app endpoints in a browser context, Ory prevents you from using these APIs in the browser.

Browser apps

Browser apps use the https://{project.slug}.projects.oryapis.com/self-service/{flow-type}/browser endpoint to initialize flows such as sign in, registration, profile changes, and so on. When using this endpoint, Ory will set anti CSRF cookies.

When a user signs in successfully, Ory will issue an Ory Session Cookie. Calling ory.toSession() will return the same session but does not require any additional calls when used in client-side browser apps (for example React, Vue, Angular).