# general
a
Hi, we're looking to migrate from Auth0 but have run into an issue with how to verify the identity of users on our APIs. We currently use expressjwt and, while that works if the user has logged in via OIDC, it doesn't work with the 'Sign in after Registration' flow. I can see a cookie being set ("ory_session_[slug]") that I can use for "/sessions/whoami", but I'm struggling to find any information on how one can check/verify it on the API side. Any help on best practices for protecting APIs with Ory would be much appreciated.
s
In general you want to make sure that the cookie is sent to the backend (cookie domain etc.), and then you can do the whoami verification there. For more advanced cases there is the JWT conversion: https://www.ory.sh/docs/identities/session-to-jwt-cors However, we recommend always doing the session check over whoami if there is no blocker there. The API is highly optimized for latency on our side, including edge caching if enabled.