<@U04UQ68083H> how can we verify Ory httpOnly Sess...
# ory-copilot
w
@chilly-king-10285 how can we verify Ory httpOnly Session cookie on the backend
c
A message from kapa.ai
To verify an Ory Session Cookie on the backend, you can use the `/sessions/whoami` endpoint. This endpoint allows you to check if a user is signed in and has an active session. If the user doesn't have an active session, the system returns a `401 Unauthorized` response. If the user has an active session, you get a `200 OK` response and the session payload. Here is an example of how to use this endpoint with cURL:
```bash
curl -H "Cookie: ory_session_...=..." \
  "https://$PROJECT_SLUG.projects.oryapis.com/sessions/whoami"
```
In this command, replace `ory_session_...=...` with the actual session cookie and `$PROJECT_SLUG` with your project slug. If you are using the Ory SDK, you can use the `frontend.toSession()` method to check the session. Here is an example in JavaScript:
```javascript
const { FrontendApi, Configuration } = require("@ory/client")

const ory = new FrontendApi(
  new Configuration({
    basePath: `{YOUR-CUSTOM-DOMAIN-OR-ORY-TUNNEL}`,
    baseOptions: {
      // Send cookies (including the Ory session cookie) with the request
      withCredentials: true,
    },
  }),
)

// `await` needs an async context in a CommonJS module
async function checkSession() {
  const session = await ory.toSession().catch((err) => {
    // Check the error to see if it's a 401 / 403 -> not logged in
  })
  return session
}
```
In this code, replace `{YOUR-CUSTOM-DOMAIN-OR-ORY-TUNNEL}` with your custom domain or Ory tunnel. For more information, refer to the following documentation:
- [Check session status](https://www.ory.sh/docs/identities/sign-in/check-session-token-cookie-api)
- [Using Ory Session Cookie](https://www.ory.sh/docs/kratos/session-management/overview#using-ory-session-cookie)
- [Session Checks](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#session-checks)