# talk-kratos
m
I’m trying to understand what the recommended way to work with backend APIs is. Say that I’ve logged into my app (mobile or web) and I have a session token or cookie.
1. How is the backend supposed to trust the call based on the session token?
2. Are you supposed to call the get-session endpoint from the backend API (server-to-server) on every request?
r
Yes, exactly.
```javascript
// Inside an Express handler: forward the caller's cookie / session-token
// headers to the Kratos public whoami endpoint so Kratos validates the session.
return await axios
      .get(config.default.kratos.public + '/sessions/whoami', {
        headers: { ...headers }
      })...
```
Or better, use the SDK
```javascript
// Same check via the Ory SDK: pass the incoming request's cookie header
// (or a session token for native clients) and get the session back.
const session = await ory.toSession(undefined, req.header('cookie'));
```
m
The code that you show, is that running in the client or in some backend API? Does the spread of headers mean taking all the headers from the client and passing them on to the Kratos public endpoint for whoami?
r
It’s an example of an Express.js API (backend). You can use either a cookie or a session token, in the case of native clients.
m
Thanks for the links. On the notion of calling whoami on every request. For self-hosting do you recommend putting kratos on the same network close to your backend? I know of oathkeeper and hydra as ways of getting a jwt which would prevent having to call kratos all the time, but I’d prefer to only manage kratos. If the service is on the same network I’m guessing the latency can be really low.
r
Ory Network provides Edge Sessions, which is designed to enable global, low-latency (typically <50ms) session validation. This allows you to implement the described zero-trust model. We can’t really consult on self-hosted scenarios without more context. Typically you will validate sessions both on the client side and the server side. So, perhaps it might be better to deploy close to where your user base is? We do have architecture workshops available to guide teams that are designing security infrastructure using Ory. Would this be helpful?
m
Thanks, @rich-thailand-93889 that answers my question