API Flow with Dedicated API Endpoints for Embeddable SPAs? #4451
maxtotheguenther asked this question in Q&A (unanswered, 0 replies)
Hey there 👋,
I'm currently evaluating Kratos for a project and I'm quite impressed with it so far!
My goal is to embed Solid.js-based web components (which require authentication) across various domains. Given that most modern browsers block third-party cookies, I intend to use bearer tokens for authentication. I've found the relevant documentation on how to convert a session into a bearer token.
While most flows in Kratos are client-triggered and automatically set cookies, I'm particularly interested in the API Flows.
Now, for the main question:
Is it advisable to create dedicated API endpoints that utilize Kratos's API flows? In this setup, I would simply return the final JWT to the browser. Are there any caveats (e.g., regarding CSRF or XSS) that I might be overlooking with this approach?
Thanks for your help ❤️!