Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

I have not yet tested this myself but you should be able to pass the cookies in API endpoint call (`credentials: ’include’`), and verify the session in backend by passing the cookies as a parameter for `toSession()` call. As far as I have understood your frontend and backend has to be under same top-level domain (defined for cookie). <https://www.ory.sh/docs/identities/sign-in/check-session-token-cookie-api|https://www.ory.sh/docs/identities/sign-in/check-session-token-cookie-api>

So our internal API works as a backend for our web app and a front end for ORY?

If that's so then I can remove the authentication from the web app and do the process on the server

AFAIK, you will check session from Ory in both UI and API. You will authenticate in UI and get the cookie from Ory. When you make an internal API call you will pass this cookie to your backend that verifies the session (using this cookie) from Ory.

<@U04R980AQ1Y> If you reach enough concurrent requests, you'll check session too many times and Ory will return error 429.