<@U04UQ68083H> How does Kratos validate the token ...
# ory-copilot
f
@chilly-king-10285 How does Kratos validate the token sent when calling the route `/sessions/whoami`?
c
A message from kapa.ai
Kratos validates the token sent when calling the `/sessions/whoami` route by using the HTTP Headers in the GET request to determine who is authenticated. If the endpoint is called from a server-side application, the HTTP Cookie Header must be forwarded to this endpoint. If the endpoint is called from a non-browser application (e.g. mobile app), the session token must be included. The endpoint returns a session object in the body or 401 if the credentials are invalid or no credentials were sent. When the request is successful, it adds the user ID to the 'X-Kratos-Authenticated-Identity-Id' header in the response. Here is an example of how to use the SDK to call the `/sessions/whoami` endpoint:
```ts
import { Configuration, FrontendApi } from "@ory/client"

// Frontend API client pointed at the Ory Network project URL.
const frontend = new FrontendApi(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
  }),
)

// Resolves the session for the given session token.
// Note: sessionId is accepted but not used by this call.
export async function checkSession(sessionId: string, token: string) {
  return await frontend.toSession({
    xSessionToken: token,
  })
}
```
And here is an example of how to call this endpoint from a non-browser application:
```js
// pseudo-code example
// ...
const session = await client.toSession("the-session-token")
console.log(session)
```
When using a token template, the token is included in the `tokenized` field of the session.
```js
// pseudo-code example
// ...
const session = await client.toSession("the-session-token", { tokenize_as: "example-jwt-template" })
```
Sources:
- [Kratos API Reference](https://www.ory.sh/docs/kratos/reference/api)
- [Bring-your-own-ui](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration)
f
@chilly-king-10285 and how does it validate the token? Just checking in database?
c
A message from kapa.ai
New message text here