# ory-network
s
The back-end is served in the same top-level domain as the front-end so that they share the Ory cookie. Getting the current user using the Ory api on every request would be too expensive, so we do it once and store it in a separate back-end specific cookie. If another application triggers a session invalidation query for the user, how could this backend be notified so that it could expire its own related session?
s
that's why you have to validate every time with the ory api
there is no way to do that in the background
do you face specific latency issues? do you have edge caching enabled?
w
How does this edge caching thing work? Is it just a cache that we could implement ourselves when self hosting? Does it do cache invalidation, if so how? Could we achieve the same by using a webhook on the logout flow?
s
sessions can be invalidated by more ways than just logout
that's an ory-network only feature
w
Yeah already expected that, thanks anyways.
Are there any guides / documentation on cache strategies for tosession/whoami lookups (with potentially cache invalidation)?
s
no not really, depends on your requirements and architecture
w
Read docs for gatekeeper which if I recall does some caching but not so eager to introduce another proxy in front of all backends
s
I'm basically just experimenting with Ory at this point, as I'm evaluating some options to deal with SSO. I can't really test the Edge Caching mechanism since it's only available to paid plans, but while testing from Brazil, calling the whoami api takes about 1s every time, which would make the back-end too slow for what we're aiming at. The user experience should be really fast, but it won't be if we have to check against Ory upon every single request. That's why I was curious if there was a way we could use our own gateway session to speed things up and only authenticate the user against Ory once in a while. If I understood correctly from the docs, with Edge caching it would be possible to specify some low expiry time to improve things, but we could probably do that too in our own gateway, which should improve the user experience if we only had to query Ory once per minute, for example, but I'd prefer a better way so that users wouldn't have to wait for at least 1s once a minute. I was thinking about building a gateway that would be responsible for every action related to authentication (logout, session invalidation and so on). As long as the gateway is always used for dealing with authentication related actions, it should be fine. I mean, we would enforce a policy that each application would be forbidden to expose the js-client api to authentication-related actions such as logout or session invalidation. This way we'll always know when a user's session should be invalidated for all backends. Am I missing something?
sorry, I didn't mean to send to #C02MR4DEEGH, I just checked the checkbox by mistake
h
No problem, 1s definitely is way too slow. Do edge sessions not work for you?
s
I think Edge sessions are only available to paid customers, so I can't test it since I'm currently just evaluating Ory, I'm not a paid customer yet.