# talk-kratos
s
I'm trying to figure out how the `whoami` endpoint works for APIs. In the docs, it mentions various ways to call the endpoint (cookie, authorization header, X-Session-Token, or some combination of these?). I'm very confused on what to use (the Cookie header parameter in the docs has different examples, one saying to use `ory_session`, another one says to use `ory_kratos_session`). I am logging in using Postman, which sets a number of different cookies. Concretely, I suppose, my questions are:
1. Where do I get the `X-Session-Token` from? (As the docs say, it's mandatory when calling `whoami` from any non-browser.)
2. Which of the cookies do I need to set? (The docs mention the `ory_session`, but that does not seem to be working for me. Postman sets a csrf token, an `ory_session_projectname` cookie, and a `_cflb` which I have no idea what it does.)
r
Hey @stale-dog-42973! Thank you for exploring Ory and welcome to the Ory Slack Community. This video might give you some pointers on how to establish a session using Postman.

https://youtu.be/Ac-GTRzBmCo?t=100

s
In Postman I already have the session. I am trying to retrieve the session in my API to be able to retrieve the identity (instead of passing the Kratos id all over the place).
Although, by trial and error, I now have a working request on the API with one cookie, which uses the `ory_session_projectname` and `_cflb` cookies from Postman after logging in. Is it fine to just send these two from frontend to backend?
r
Hey Nils. Yes, on your BE/API you verify the request by resolving the identity with the admin endpoint. Here is an example for an Express BE. You can use the SDK for convenience. If you are using Ory Network you can use the CLI (tunnel) for local development in case you encounter CORS issues.
s
Thank you, I will try this instead.