Hi. What is the expected process for an API to aut...
# general
m
Hi. What is the expected process for an API to authenticate an incoming request from another web app that the user has signed into (the request will come from server side)? The user logging into the Web app isn't a problem, the question is around what is passed with the request to the API to allow authentication there?
Am I correct in thinking the expectation is that the cookie will be sent with each request?
b
Yes, you can just send along the session cookie and call the `toSession` api each time you need to verify that the user is actually logged in and the session is still valid. However, depending on the number of downstream services this could get slow (since it is an external http call each time). You can also convert the session cookie to a JWT when the request reaches your Web App Server and pass that around inside your services: https://www.ory.sh/docs/identities/session-to-jwt-cors