To pass authentication information from your Next.js application to a gRPC service, you can use Ory's session management capabilities. When a user is authenticated, Ory creates a session and sets a cookie in the user's browser. This cookie can be used to validate the user's session on subsequent requests. In your Next.js application, you can create a special route that connects your app with Ory's APIs and ensures that all cookies and credentials are set up. This is done using the

@ory/integrations

package, which provides a way to create an Ory Network API "bridge". This bridge is used to communicate with Ory's APIs and manage sessions. Here is an example of how you can set up this route in your Next.js application:

javascript import { config, createApiHandler } from "@ory/integrations/next-edge"    // We need to export the config.   export { config }    // And create the Ory Network API "bridge".   export default createApiHandler({     fallbackToPlayground: true,     dontUseTldForCookieDomain: true,   })

This route is only required when developing locally and can be removed when going to production with a custom domain. When a request is made to your Next.js application, you can use the

toSession

method provided by the

@ory/client

package to check if the user has a valid session. This method takes the request's cookies as an argument and returns the user's session if it is valid. Here is an example of how you can use the

toSession

method in your Next.js application:

javascript ory     .toSession()     .then(({ data }) => {       // User has a session!       setSession(data)       // Create a logout url       ory.createBrowserLogoutFlow().then(({ data }) => {         setLogoutUrl(data.logout_url)       })     })     .catch(() => {       // Redirect to login page       return router.push(edgeConfig.basePath + "/ui/login")     })

Once you have the user's session, you can extract the necessary authentication information from it and pass it to your gRPC service. Please note that to manage HTTP cookies, Ory APIs must be exposed on the same domain as your application. If you don't fulfill this requirement, HTTP Cookies are ignored by the browser, which prevents the Ory Identities from functioning properly. For more information, you can refer to the following documentation: - [Integrate authentication into Next.js](https://www.ory.sh/docs/getting-started/integrate-auth/nextjs) - [Access to your domain](https://www.ory.sh/docs/security-model#access-to-your-domain) - [Session Checks](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#session-checks)

To validate the user session in a gRPC API, you can use the Ory Session Token. This token is issued when the user authenticates through a client other than a web browser. You can send a request to the

/sessions/whoami

endpoint to get the session payload. Here is an example of how you can check the current session using the Ory Session Token:

go package frontend      import (    "context"    "fmt"    "os"       "<http://github.com/ory/client-go|github.com/ory/client-go>"   )      type oryMiddleware struct {    ory *ory.APIClient   }      func init() {    cfg := client.NewConfiguration()    cfg.Servers = client.ServerConfigurations{     {URL: fmt.Sprintf("<https://%s.projects.oryapis.com>", os.Getenv("ORY_PROJECT_SLUG"))},    }       ory = client.NewAPIClient(cfg)   }      func CheckSession(ctx context.Context, sessionToken string) (session *client.Session, err error) {    session, _, err = ory.FrontendApi.ToSession(ctx).     XSessionToken(sessionToken).     Execute()    if err != nil {     // error revoking the session, for example due to expired token provided     return nil, err    }       return session, nil   }

In this example, the

CheckSession

function takes a context and a session token as arguments. It uses the

ToSession

method provided by the

ory.FrontendApi

to check if the session is active. If the session is active, it returns the session. If the session is not active, it returns an error. You can use this function in your gRPC API to validate the user session. When a request is made to your gRPC API, you can extract the session token from the request and pass it to the

CheckSession

function. If the function returns a session, the request is authenticated. If the function returns an error, the request is not authenticated. For more information, you can refer to the following documentation: - [Using Ory Session Token](https://www.ory.sh/docs/kratos/session-management/overview#using-ory-session-token) - [Check who the current HTTP session belongs to](https://www.ory.sh/docs/kratos/sdk/go#native---check-who-the-current-http-session-belongs-to)

New message text here