<@U04UQ68083H> Do i can enrich claim to the JWT ac...
# ory-copilot
@chilly-king-10285 Can I enrich claims in the JWT access token in Kratos?
A message from kapa.ai
Based on the knowledge sources, there are a few ways to enrich claims in JWT access tokens when working with Ory Kratos, particularly when integrating with other Ory components.

When using Kratos with Hydra (Ory's OAuth2 server), you can enrich claims in JWT tokens. However, there seems to be a limitation where claim information is not automatically available in webhooks. As mentioned in a GitHub issue:

> "It is currently not possible to access any of this info since claim info is not available in the webhooks (or jsonnet data is not merged in some fashion automatically, 'fill the blanks'). The easiest way to fix this without a lot of changes required from Kratos is to simply include the claims info in the webhooks."

[Github Issue #3816](https://github.com/ory/kratos/issues/3816)

For JWT support with Kratos sessions, there are several approaches:

1. Session to JWT conversion: Kratos sessions are not issued as JWTs by default, but you can convert them using the recommended "Session to JWT" approach. This allows you to include additional claims in the resulting JWT.

2. Using Ory Oathkeeper: You can use Ory Oathkeeper as an API Gateway to convert Kratos sessions to JWTs with enriched claims. The ID Token Mutator in Oathkeeper can take session information and put it into a JWT:

```yaml
mutators:
  id_token:
    enabled: true
    config:
      issuer_url: http://127.0.0.1:4455/
      jwks_url: file:///etc/config/oathkeeper/id_token.jwks.json
      # .Extra holds the upstream session object; it is serialized as the "session" claim
      claims: |
        {
          "session": {{ .Extra | toJson }}
        }
```

This configuration allows you to include the entire session data as a claim in the JWT [Zero Trust with Access Proxy guide](https://www.ory.sh/docs/kratos/guides/zero-trust-iap-proxy-identity-access-proxy#configuration).

3. Using Ory Proxy: When using Ory Proxy, it can automatically generate JWTs containing the full Ory Session in the `session` field, along with the `sub` field set to the Ory Identity ID [ory proxy](https://www.ory.sh/docs/cli/ory-proxy#json-web-token).

For more specific claim enrichment with OAuth2/OIDC flows, you might need to look into Hydra's JWT assertion validation and token issuance capabilities, which allow for more control over the claims in the resulting tokens.
Can I refresh the token by hitting the whoami API? @chilly-king-10285
A message from kapa.ai
Based on the knowledge sources, the `/sessions/whoami` endpoint (also called `toSession` in the SDK) is used to check the current session status, but it doesn't refresh the session token by itself. The `/sessions/whoami` endpoint is primarily used to:

- Check who the current HTTP session belongs to
- Determine if a user is authenticated
- Retrieve session information

To refresh a session in Ory Kratos, you have several options:

1. Force session refresh through re-authentication: You can force users to refresh their session by prompting them to re-authenticate using:

```
https://$PROJECT_SLUG.projects.oryapis.com/self-service/login/browser?refresh=true
```

[Session Management - Refresh Sessions](https://www.ory.sh/docs/kratos/session-management/refresh-extend-sessions)

2. Administrative refresh: Administrators can refresh a specific user's session using the extend session API:

```typescript
import { Configuration, IdentityApi } from "@ory/client"

// Admin client: ORY_ACCESS_TOKEN is a project API key, never a user's session token
const identity = new IdentityApi(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
    accessToken: `${process.env.ORY_ACCESS_TOKEN}`,
  }),
)

export async function refreshSession(sessionId: string) {
  return await identity.extendSession({
    id: sessionId,
  })
}
```

[Session Management - Refresh Sessions](https://www.ory.sh/docs/kratos/session-management/refresh-extend-sessions)

3. For OAuth2/OIDC tokens: If you're using OAuth2/OIDC tokens (which are different from Kratos sessions), you would use the refresh token grant to refresh access tokens:

```javascript
// refreshToken, clientId and clientSecret are the values you stored when the
// tokens were first issued; this form body is POSTed to the OAuth2 token endpoint
const params = new URLSearchParams({
  grant_type: "refresh_token",
  refresh_token: refreshToken,
  scope: "scope1 scope2",
  client_id: clientId,
  client_secret: clientSecret,
})
```

[OAuth2 Refresh Token Grant](https://www.ory.sh/docs/oauth2-oidc/refresh-token-grant)

It's important to note that Ory Kratos sessions and OAuth2/OIDC tokens are different mechanisms. The `/sessions/whoami` endpoint is for Kratos sessions, while OAuth2/OIDC tokens would be refreshed through the OAuth2 token endpoint.
If I use the admin API to extend a token @chilly-king-10285, can I only extend once for the same session ID?
A message from kapa.ai
Based on the knowledge sources, when using the admin API to extend a session, there are limitations on how frequently you can extend the same session ID. According to the API documentation for the `extendSession` endpoint:

> This endpoint ignores consecutive requests to extend the same session and returns a 404 error in those scenarios. This endpoint also returns 404 errors if the session does not exist.

[Kratos API Reference](https://www.ory.sh/docs/kratos/reference/api)

This means that if you try to extend the same session ID multiple times in succession, only the first request will succeed, and subsequent requests will result in a 404 error until certain conditions are met.

The ability to extend a session is also governed by the `earliest_possible_extend` configuration setting. As explained in the documentation:

> You can limit the time in which the session can be refreshed by adjusting the `earliest_possible_extend` configuration.
>
> For example, if you set `earliest_possible_extend` to `24h`, sessions can't be refreshed sooner than 24 hours before they expire.

[Refresh Threshold Documentation](https://www.ory.sh/docs/kratos/session-management/refresh-extend-sessions#refresh-threshold)

If you need more flexibility, you can set `earliest_possible_extend` to `lifespan`, which allows sessions to be refreshed during their entire lifespan, even right after they are created. However, the documentation warns that with this setting, "all sessions will constantly be refreshed!"

So to directly answer your question: Yes, you can only successfully extend a session once for the same session ID until the time specified by `earliest_possible_extend` has passed.
If I extend a session, will it generate a new session ID? @chilly-king-10285
A message from kapa.ai
Based on the knowledge sources, when you extend a session using the admin API's `extendSession` endpoint, it does not generate a new session ID. The extension simply updates the existing session's expiration time. According to the API documentation:

> Calling this endpoint extends the given session ID. If `session.earliest_possible_extend` is set it will only extend the session after the specified time has passed.

[Kratos API Reference](https://www.ory.sh/docs/kratos/reference/api)

When you extend a session, what happens is:

- The session's `expires_at` property is updated to a new value
- This new value is calculated as the current time plus the amount of time defined by the value of `/session/lifespan`
- The original session ID remains the same

It's worth noting that in newer Ory Network projects, the extend session endpoint returns a 204 No Content response on success, while older projects may return a 200 OK response with the session in the body. As mentioned in the documentation:

> This endpoint returns per default a 204 No Content response on success. Older Ory Network projects may return a 200 OK response with the session in the body. Returning the session as part of the response will be deprecated in the future and should not be relied upon.

[Kratos API Reference](https://www.ory.sh/docs/kratos/reference/api)

If you need to get the updated session details after extension, you would need to fetch the session separately using the `/sessions/whoami` endpoint or the `toSession` SDK method.