<@U04UQ68083H> Please explain how I can get my ory...
# ory-copilot
m
@chilly-king-10285 Please explain how I can get my ory session tokens to work over https on localhost while developing locally
c
A message from kapa.ai
To get your Ory session tokens to work over HTTPS on localhost while developing locally, you need to ensure that Ory APIs are exposed on the same domain as your application. This is because Ory uses HTTP cookies to manage sessions, tokens, and cookies. Here are the steps you need to follow:

1. When developing locally, use either `localhost` or `127.0.0.1`, but not both. Although technically these mean the same thing, they're different hostnames. Using both interchangeably in your code can cause problems with the origin of HTTP cookies sent by the application. When that happens Ory APIs might not be able to read the cookies sent by your app.

2. To get your application that runs locally and Ory APIs on the same domain, use Ory Tunnel - a development tool bundled with Ory CLI. It's like a microservice - an authentication API server on your domain! Here is an example of how to start the Ory Tunnel:

```bash
# Start the Ory Tunnel for the app running on localhost:3000
npx @ory/cli tunnel --dev http://localhost:3000
```

3. Ory APIs are now mirrored on `http://localhost:4000`. Use that URL as the `baseUrl` for the `@ory/client` SDK.

Please note that the `--dev` flag disables security checks for easier integration and should not be used when deploying the Tunnel to a staging environment.

For more information, you can refer to the following documentation:

- [Develop applications on your local machine](https://www.ory.sh/docs/getting-started/local-development)
- [Integrate authentication into React](https://www.ory.sh/docs/getting-started/integrate-auth/react)
- [Ory Proxy and Ory Tunnel](https://www.ory.sh/docs/guides/cli/proxy-and-tunnel)
m
@chilly-king-10285 This will only work on `http` but I need `https`. Is there a way to run the tunnel securely?
c
A message from kapa.ai
To run Ory Kratos securely over HTTPS, even on localhost, you can use self-signed TLS certificates. Here are the steps to generate and use these certificates:

1. Generate the self-signed certificates:

```bash
# Generate a 4096-bit RSA private key
openssl genrsa -out key.pem 4096
# Create a self-signed X.509 certificate valid for 365 days
openssl req -new -x509 -sha256 -key key.pem -out cert.crt -days 365
```

2. Set the environment variables for the certificates:

```bash
SERVE_PUBLIC_TLS_CERT_BASE64=$(base64 -i cert.crt)
SERVE_PUBLIC_TLS_KEY_BASE64=$(base64 -i key.pem)
SERVE_ADMIN_TLS_CERT_BASE64=$(base64 -i cert.crt)
SERVE_ADMIN_TLS_KEY_BASE64=$(base64 -i key.pem)
```

Or you can specify the path to the certificates:

```bash
SERVE_PUBLIC_TLS_KEY_PATH=/path/to/key.pem
SERVE_PUBLIC_TLS_CERT_PATH=/path/to/cert.crt
SERVE_ADMIN_TLS_KEY_PATH=/path/to/key.pem
SERVE_ADMIN_TLS_CERT_PATH=/path/to/cert.crt
```

3. If you run Docker locally, you can then use the environment variables:

```bash
docker run ... \
    -e SERVE_PUBLIC_TLS_CERT_BASE64="$SERVE_PUBLIC_TLS_CERT_BASE64" \
    -e SERVE_PUBLIC_TLS_KEY_BASE64="$SERVE_PUBLIC_TLS_KEY_BASE64" \
    -e SERVE_ADMIN_TLS_CERT_BASE64="$SERVE_ADMIN_TLS_CERT_BASE64" \
    -e SERVE_ADMIN_TLS_KEY_BASE64="$SERVE_ADMIN_TLS_KEY_BASE64" \
    ...
```

Or mount the files using `--mount` and linking to the files.

For more information, you can refer to the [Set up HTTPS (TLS)](https://www.ory.sh/docs/kratos/guides/https-tls) guide in the Ory documentation.