# ory-copilot
@chilly-king-10285 Hi, is it a valid approach to exchange the cookie with a JWT regularly in a SPA to use the JWT for authentication in a stateless REST API?
A message from kapa.ai
Yes, it is a valid approach to exchange a cookie with a JWT (JSON Web Token) regularly in a Single Page Application (SPA) for authentication in a stateless REST API. This is a common practice in OAuth 2.0 and OpenID Connect protocols, which are widely used for authentication and authorization in web applications. In Ory, you can use JWTs as authorization grants. This allows you to exchange a JWT for an access token at the OAuth2 token endpoint by sending a POST request with specific parameters. The `grant_type` should be set to `urn:ietf:params:oauth:grant-type:jwt-bearer` and the `assertion` should be the JWT. The `scope` parameter is optional. Here is a sample request:
```http
POST /oauth2/token HTTP/1.1
Host: {project.slug}.projects.oryapis.com
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
&scope=read
&assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL215LWlzc3Vlci5jb20iLCJzdWIiOiJhbGljZUBleGFtcGxlLm9yZyIsImF1ZCI6IjcxNDZkZDBiLWYyNDMtNDNiYS04MTVjLTdhMDAyMTZiNDgyMyIsIm5iZiI6MTMwMDgxNTc4MCwiZXhwIjoxMzAwODE5MzgwfQ.Dpn7zYEhaWxi7CLxr1c8Db2zxOJDzpu5QTZgeM6me68aGt7jgpKujunfx2FBhhuKY2oJmIAhXJWXplGH2NnbCGxNzx17Y4CPGJE9jLC2ZxprvV_5Cdmx5GkGcFjpOXsgBSonhmsyKkxYhS3C-mq4u2Tx9Zi494G2EbDH0L2BSuWYi411qm4LrIHQRdiFP9v34VH-5hU005bvrlGJBA9W-Eom4krFYtC4_Zgc7XY2mcChBw0AYz3A1B0_7ui95iDR-33D5tBAGRn6iGgnVBeR1GmZX5y4jz7Nht2lbPQkrCyLsoPxn2ZQPqvbOUKxdgsrhkcs0UGND8GsDwDzISuuAw
```
You can find more details about this in the [Ory documentation](https://www.ory.sh/docs/hydra/guides/jwt#exchanging-jwt-assertion-for-access-token). However, it's important to note that while this approach can be used for authentication, it does not manage sessions. If you want to learn how Ory supports JWTs to manage sessions, you can read the [Session management documentation](https://www.ory.sh/docs/kratos/session-management/overview) and the [Session to JWT documentation](https://www.ory.sh/docs/identities/session-to-jwt-cors).
@chilly-king-10285 I don't use oauth. I just use the cookie based approach.
A message from kapa.ai
In a cookie-based approach, the server sets a cookie after the user logs in, and the client sends this cookie in subsequent requests for authentication. Ory supports this approach and implements special browser APIs which use additional security measures such as anti-CSRF cookies. This approach is designed to shield your users from security risks posed by browsers, which have broader capabilities than native applications. However, Ory does not recommend using this approach for managing sessions in a stateless REST API. Instead, it recommends using OAuth 2.0 / OpenID Connect for advanced use cases, such as providing third-party integration with your application. If you're interested in using JWTs for session management in a stateless REST API, Ory provides support for this as well. You can learn more about this in the [Session management documentation](https://www.ory.sh/docs/kratos/session-management/overview) and the [Session to JWT documentation](https://www.ory.sh/docs/identities/session-to-jwt-cors). Remember, it's important to choose the right approach based on your specific use case and requirements. If you're unsure, the [Ory documentation](https://www.ory.sh/docs/) provides a wealth of information to help you make an informed decision.