# ory-copilot
m
@chilly-king-10285, what is the recommended way of authenticating between a web server with access to the Ory cookie and an API?
c
A message from kapa.ai
Based on the provided knowledge sources, the recommended way of authenticating between a web server with access to the Ory cookie and an API is by using the `oryAccessToken`. This token is required to perform operations such as getting a JSON Web Key Set, checking permissions, getting a session, expanding permissions, extending a session, and getting an identity.

However, it's important to note that the APIs of Ory open-source servers don't come with integrated access control. This means that all requests sent to their APIs are considered authenticated, authorized, and will be executed. To protect access to their APIs, it's recommended to use Ory Oathkeeper or a comparable API Gateway. Ory Oathkeeper is a firewall-like solution that can be deployed to define access rules for your API endpoints. It can validate various types of tokens and assertions, providing a robust access control mechanism for your services.

For more detailed information, please refer to the [Ory API Reference](https://www.ory.sh/docs/reference/api) and the [Ory Oathkeeper documentation](https://www.ory.sh/docs/ecosystem/projects#ory-oathkeeper). If you need further assistance, you can reach out to the Ory community on [Ory Community Slack](http://slack.ory.sh/).
m
@chilly-king-10285, the API isn't an Ory API, it is our application API
c
A message from kapa.ai
In the case of your application's API, you can still use Ory's tools to manage authentication and authorization. For server-side web applications, it's recommended to use the OAuth2 Authorization Code Flow. This flow is suitable because server-side applications can keep the client secret confidential, which is necessary for using the Authorization Code Flow. It's also recommended to use the Authorization Code Flow with the Proof Key for Code Exchange (PKCE) extension to provide an added layer of security. For mobile applications, the OAuth2 Authorization Code Flow with the PKCE extension is also recommended. In both cases, after successful authentication, your application will receive an access token which can be used to authenticate requests to your API. To protect your API, you can use Ory Oathkeeper, which is an Identity & Access Proxy (IAP) and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP(s) requests. You can define access rules for your API endpoints and put Ory Oathkeeper like a firewall in front of your services. For more detailed information, please refer to the [OAuth2 Authorization Code Flow](https://www.ory.sh/docs/oauth2-oidc/authorization-code-flow) and the [Ory Oathkeeper documentation](https://www.ory.sh/docs/ecosystem/projects#ory-oathkeeper).