Hi everyone!
We have set up ORY Oathkeeper with the cookie_session authenticator for our Front End. However, we have been observing some unexpected behavior. When we log into the FE, we send approximately 10-15 requests to the Back End (Oathkeeper decision API).
The issue is that some of these requests receive a 401 response from the check_session_url, while others following that 401 response receive a 200 OK status code. This behavior is puzzling to us as the cookie is the same for those requests and it is not expired, and we are unsure why some requests are unauthorized while others are not.
We are wondering if there might be a limit on the session/whoami API that we are unaware of, or if there might be another explanation for this behavior. Any insights you could provide would be greatly appreciated.