<@U04UQ68083H> Is it possible to issue a session t...
# ory-copilot
@chilly-king-10285 Is it possible to issue a session token for a user using an API and not require a password?
A message from kapa.ai
Yes, it is possible to issue a session token for a user using an API without requiring a password in Ory. This can be achieved through passwordless authentication methods, particularly using WebAuthn (Web Authentication). Ory supports passwordless authentication through the WebAuthn API, which allows users to authenticate using hardware keys, biometrics, or passkeys without entering a traditional password. Here's how you can implement this:

1. First, you need to enable passwordless authentication in your Ory configuration. This can be done through the Ory Console UI or using the Ory CLI [as described in the documentation](https://www.ory.sh/docs/kratos/passwordless/passkeys#configuration-2).
2. Once enabled, you can implement the passwordless authentication flow in your application. The process typically involves these steps:
   a. Create a login flow
   b. Render the UI with the `webauthn` group
   c. User enters their identifier (e.g., email or username)
   d. The form is submitted, starting a new flow with the `webauthn` group
   e. Render the new UI prompting the user to use their security key or biometric
   f. User authenticates using their device or external authenticator
3. After successful authentication, Ory will issue a session token without requiring a password.

To integrate this into your application, you'll need to include the Ory WebAuthn JavaScript in your page:

```html
<head>
  <script src="/.well-known/ory/webauthn.js"></script>
</head>
```

[As mentioned in the documentation](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#passwordless-authentication), this script provides the necessary handlers for initiating the passwordless authentication flow. It's worth noting that the specific API endpoints for exchanging session tokens (`exchangeSessionToken` and `toSession`) [do not require authentication themselves](https://www.ory.sh/docs/reference/api), which aligns with the passwordless flow. By implementing this passwordless authentication method, you can issue session tokens for users through an API-based flow without requiring a traditional password.