The error message you're seeing is related to the Authenticator Assurance Level (AAL) of the session. AAL is a measure of the trustworthiness of the authentication process. It can be one of "aal1", "aal2", or "aal3". A higher number means that it is harder for an attacker to compromise the account. Generally, "aal1" implies that one authentication factor was used while AAL2 implies that two factors (e.g. password + TOTP) have been used.

The error "An active session was found but it does not fulfill the requested Authenticator Assurance Level. Please verify yourself with a second factor to resolve this issue." indicates that the session has a lower AAL than is possible for the identity. This can happen if the identity has password + webauthn credentials (which would result in AAL2) but the session has only AAL1.

To resolve this issue, you need to sign in with the second factor or change the configuration to lower the required AAL.

Here is the relevant extract from the documentation:

> Depending on your configuration this endpoint might return a 403 status code if the session has a lower Authenticator Assurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn credentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user to sign in with the second factor or change the configuration.

Source: [Ory API Reference](https://www.ory.sh/docs/reference/api)
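
One way a client can react to this 403 from the session check, as an added example that is not part of the answer above or of Ory's own code: it maps the response to "proceed", "login" or "step up to the second factor", and only follows the server-suggested redirect when it stays on the identity server's origin. The base URL, function names and sample bodies are assumptions constructed for illustration; `session_aal2_required` and `redirect_browser_to` are the error id and redirect field Ory Kratos uses for this error.

```javascript
// Added example; KRATOS_PUBLIC and the function names are assumptions.
const KRATOS_PUBLIC = "https://auth.example.com";

// Constructed sample of the 403 body that carries the error quoted above.
const SAMPLE_403 = {
  redirect_browser_to:
    `${KRATOS_PUBLIC}/self-service/login/browser?aal=aal2` +
    "&return_to=https%3A%2F%2Fapp.example.com%2F",
  error: { id: "session_aal2_required", code: 403, status: "Forbidden" },
};

// Follow the suggested redirect only if it points at the Kratos origin;
// otherwise start an aal2 login flow ourselves.
function stepUpUrl(body, base) {
  const fallback = `${base}/self-service/login/browser?aal=aal2`;
  const suggested = body.redirect_browser_to;
  if (typeof suggested !== "string") return fallback;
  try {
    const sameOrigin = new URL(suggested).origin === new URL(base).origin;
    return sameOrigin ? suggested : fallback;
  } catch {
    return fallback; // relative or malformed URL
  }
}

// Decide what the app should do with a /sessions/whoami response.
// status: HTTP status code; body: parsed JSON body, or null.
function classifyWhoami(status, body, base = KRATOS_PUBLIC) {
  if (status === 200 && body && body.active) {
    // Session is valid at the AAL the configuration requires.
    return { action: "proceed", aal: body.authenticator_assurance_level };
  }
  if (status === 401) {
    // No session at all: first-factor login.
    return { action: "login", url: `${base}/self-service/login/browser` };
  }
  if (status === 403 && body?.error?.id === "session_aal2_required") {
    // Session exists but only at aal1 while the identity can reach aal2.
    return { action: "step_up", url: stepUpUrl(body, base) };
  }
  return { action: "error", status };
}
```
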