wooden-manchester-52124
03/12/2025, 7:57 PM

brief-egg-61061
03/12/2025, 7:58 PM

The most recommended approach is to use Ory Tunnel with the `--dev` flag, which disables certain security checks to make local development easier:

```
npx @ory/cli tunnel --dev http://localhost:3000
```

This command exposes Ory APIs on `localhost:4000`, allowing your application to interact with Ory APIs on the same domain, which is necessary for cookie-based authentication to work properly. The `--dev` flag specifically relaxes security requirements for development purposes. [Ory Tunnel documentation](https://www.ory.sh/docs/cli/ory-tunnel#ory-tunnel) explains that this setup is required for features such as CORS and cookie support during development.

## Configure your application to use the local tunnel

When developing locally, make sure to point your SDK configuration to the local tunnel instead of the Ory Network URL:

```javascript
import { Configuration, FrontendApi } from "@ory/client"

const frontend = new FrontendApi(
  new Configuration({
    // Replace
    // basePath: "https://$PROJECT_SLUG.projects.oryapis.com",
    // with
    basePath: "http://localhost:4000",
    baseOptions: {
      withCredentials: true,
    },
  }),
)
```
As mentioned in the [local development documentation](https://www.ory.sh/docs/getting-started/local-development#local-development), this ensures your application communicates with the local tunnel.

## Important considerations

1. Use consistent hostnames: When developing locally, use either `localhost` or `127.0.0.1`, but not both interchangeably, as they're treated as different domains for cookies, which can cause authentication issues.
2. Never use Ory Tunnel in production: The [security model documentation](https://www.ory.sh/docs/security-model) explicitly states that "Ory Tunnel should be used for development only. Do not use Ory Tunnel in a production environment!"
3. Domain limitations: Be aware that cookies set on `localhost` won't be sent in requests to `127.0.0.1` and vice versa, so maintain consistency in your development environment.

By following these practices, you can effectively bypass the complexities of session middleware authentication during local development while maintaining a setup that closely resembles your production environment.

wooden-manchester-52124
03/12/2025, 7:59 PM

brief-egg-61061
03/12/2025, 8:00 PM

```go
// Example using Go SDK (ory is a *client.APIClient from github.com/ory/client-go,
// sessionToken is an Ory Session Token obtained from a native login flow)
session, _, err := ory.FrontendApi.ToSession(ctx).
	XSessionToken(sessionToken).
	Execute()
```

As mentioned in the [Ory Session Token documentation](https://www.ory.sh/docs/kratos/session-management/overview#using-ory-session-token), session tokens are specifically designed for "Native applications such as desktop applications, mobile applications, or terminal-based apps that do not run inside a browser."

## Use cURL for Authentication in Scripts

You can use cURL to perform the entire authentication flow in your test scripts:

```
curl 'https://$PROJECT_SLUG.projects.oryapis.com/sessions/whoami' \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer YOUR_SESSION_TOKEN'
```

This approach is confirmed in a [GitHub discussion](https://github.com/ory/hydra/discussions/3741) where an Ory maintainer mentions: "curl can do anything a browser can, in my setup I login to kratos and do the whole consent flow just with curl in a script."

## Convert Sessions to JWTs

For backend testing, you can convert Ory sessions to JWTs:

1. Create a JSON Web Key set
2. Configure a JsonNet template for JWT claims
3. Configure your Ory project's tokenizer templates
4. Use the tokenized JWT in your backend tests

This approach is detailed in the [Convert Ory Sessions to JSON Web Tokens](https://www.ory.sh/docs/identities/session-to-jwt-cors) documentation and is particularly useful when you need to reduce the number of calls to Ory's APIs during testing.

## Important Note on API Authentication

Some Ory API endpoints don't require authentication, while others do. For example:

- The `disableMySession` and `disableMyOtherSessions` endpoints don't require authentication
- The `disableSession` endpoint requires authentication via `oryAccessToken`

This information is available in the [Kratos API Reference](https://www.ory.sh/docs/kratos/reference/api).

By using these approaches, you can effectively bypass session middleware authentication for backend testing without requiring a frontend component. Would you like more specific details about implementing any of these approaches?