Hey everyone. I'm on the paid plan and i'm trying understand how to best integrate "sessions". I've read all the documentation here: https://www.ory.sh/docs/kratos/session-management/overview but it's still a bit unclear what the advice is for getting the 'whoami' info onto the server (in our case we have a HTTP api that uses a cookie to authenticate requests (Using the AWS ALB Authentication feature)). The quickstart guide seems to suggest to create a middleware that retrieves it on every request: https://www.ory.sh/docs/getting-started/integrate-auth/go#create-http-server. But that seems to be too expensive, as even with the edge sessions endpoint it adds 50+ms to every API request. Preferrably i would like to include the session information on every requet to our API, and it should work with a SPA frontend OR a plain browser requesting pages. Anyone has any insights for me?

This is a fundamental tradeoff between session and token-based authentication. See also: https://www.ory.sh/docs/kratos/session-management/overview#json-web-token-jwt-support

thank you for the response. Just to confirm: you're saying that if i don't want to contact the

whoami

on every request because of latency I need to look into session tokens instead?

Sorry no, my message was confusing. Both session tokens and session cookies as issued by Ory Identities must be checked for validity against

/sessions/whoami

, ideally on every request. What I meant was a more fundamental difference. In session-based authn (what Ory Identities/Ory Kratos does), you are normally expected to check for session validity on every request. Upside: revocation and updates to the session are instantaneous. Downside: you need to perform the check every time. If instead Kratos issued a longer-lived token (for example a JWT) which you validate by checking the signature, expiry, etc without contacting Ory Network, that'd be "token-based" authn. Upside: don't have to call /sessions/whoami from your backend in every request. Downside: revocation and updates are not real-time.

Right, thank you for taking the time to explain. I think you're saying that the "Sessions" part of Ory network (as the name suggests), refers inherently to the session-based authn approach so not doing that "correctly" by contacting Ory on every request doesn't really make sense? On the other side, if i'm going to use JWTs for token-based authentication i can use Ory network still but the "sessions" feature doesn't really apply, correct? Is there an EU AWS datacenter i can choose to minimize the latency to the /sessions/whoami? Or is the edge-optimized variant latency the best I can do?

Regarding data center location: eu-central-1 is closest if you’re in EU. For US, us-east-1 or us-west-1.

Right, this gives me a wide array of options to research, thank you!