# ory-selfhosting
c
Good to see the flow, but that uses session tokens and I want to use JWT instead as the API and other elements of the platform are built around that (they get the JWT from the authorisation header, decode and validate it and then grab some of the properties out of it like the user's email).
m
You can use session tokens for the mobile app and JWT for the API - what is the problem with that approach?
c
How would I get the JWT for the mobile app to include in the API calls to our backend?
m
Maybe I am missing something but can you include the JWT in the Authorization header of your API requests to your backend?
c
Yup. My question is how do I get the JWT in the first place?
e.g. with Keycloak I can post the user name and password to `https://mydockerserver/realms/myrealm/protocol/openid-connect/token` and it will respond with HTTP 200 and the access token and refresh token, amongst other things
m
I guess it depends if you want to use OAuth2 or not. I would generally not recommend using OAuth2 for first-party user authN - especially with mobile bc then you always have some kind of browser involved. If you use Ory Kratos only without OAuth2 you should be able to use this feature: https://www.ory.sh/docs/identities/session-to-jwt-cors
An alternative would be to use something like Oathkeeper so you don't need to implement this JWT creation in your app, but Oathkeeper handles it: https://www.ory.sh/docs/oathkeeper/pipeline/mutator#id_token
c
That acts as a proxy and when requests pass through it, it gets the session from the cookie, looks it up and inserts a JWT into the request before forwarding it on?
m
yes 👍
it basically transforms the authentication information into a JWT / OIDC token
c
the former thing, requesting a token from the server, would be easier for development. if I'm running a local copy of the API server then I couldn't run oathkeeper
thanks for the help
m
sure, feel free to let me know how it goes.