Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

I am using oathkeeper to protect our web api already. So far clients can only use the browser login flow. I now want to also enable the native flow for native applications.
In the native flow, I get the session token, instead of the cookie session. How am I supposed to use this token (i.e., how to set it on the HTTP request) such that oathkeeper can authenticate and authorize my request.

For the authenticators, I currently have:
```          cookie_session:
            enabled: true
            config:
              check_session_url: "{{ orgman_deploy_kratos_api_addr }}/sessions/whoami"
              preserve_path: true
              extra_from: "@this"
              subject_from: "identity.id"
              only:
                - ory_kratos_session```
Do I simply also configure the `bearer_token` authenticator with:
```          bearer_token:
            enabled: true
            config:
              check_session_url: "{{ orgman_deploy_kratos_api_addr }}/sessions/whoami"
              preserve_path: true
              extra_from: "@this"
              subject_from: "identity.id"
              token_from:
                header: X-Session-Token```
and set the token in the HTTP headers?

That's what we do. Different header though, but whatever you want to call it. :slightly_smiling_face: