Based on the knowledge sources, there are some limitations regarding passkey support for native apps in self-hosted Ory. Currently, Ory's WebAuthn/passkey implementation is primarily browser-focused and requires JavaScript and browser APIs. This creates challenges for native mobile applications. According to an Ory team member's comment on a GitHub issue: > "As for the Ory Network - I believe that we do not support WebAuthN on native devices for now. The current implementation of it is pretty browser focused and requires JS and browser APIs (as you mentioned)." [GitHub Issue #284](https://github.com/ory/network/issues/284) For native apps, the typical approach would be to open a browser window (using ASWebAuthenticationSession on iOS or Custom Tabs on Android) to handle the authentication flow, as mentioned in the documentation for social sign-in: > "The user clicks the social sign-in button. A browser window opens (using ASWebAuthenticationSession on iOS or Custom Tabs on Android)." [Social sign-in for native apps](https://www.ory.sh/docs/kratos/social-signin/native-apps) There's also an open issue regarding the use of YubiKeys with the passkey strategy, which indicates some limitations in the current implementation for external authentication devices in self-hosted environments. It appears that full WebAuthn/passkey support for native applications is on Ory's roadmap, but not fully implemented yet: > "We do however have it on the roadmap and would love to support WebAuthN in its full capacity on all supported devices in the (near) future." [GitHub Issue #284](https://github.com/ory/network/issues/284) If you're looking to implement biometric authentication in a native app with self-hosted Ory, you might need to consider alternative approaches or wait for full native support to be implemented.

Based on the knowledge sources, there are still limitations when it comes to using external passkeys with native apps in a self-hosted Ory environment. The documentation explicitly states that WebAuthn (which includes passkey functionality) has specific constraints: > "WebAuthn is a browser standard. It does not work in native mobile apps." [Passkeys & WebAuthN > Constraints](https://www.ory.sh/docs/kratos/passwordless/passkeys#constraints) This limitation is also confirmed in another document: > "WebAuthn is a browser-only standard. It doesn't work with native mobile apps." [WebAuthn and FIDO2 (YubiKey)](https://www.ory.sh/docs/kratos/mfa/webauthn-fido-yubikey) For native apps, the current approach involves opening a browser window to handle authentication flows, similar to how social sign-in works: > "The user clicks the social sign-in button. A browser window opens (using ASWebAuthenticationSession on iOS or Custom Tabs on Android)." [Social sign-in for native apps](https://www.ory.sh/docs/kratos/social-signin/native-apps) There is a GitHub discussion that specifically addresses NFC authentication, which mentions that: > "Sign up via NFC works on mobile and log in works afterwards from desktop -> mobile. For a desktop -> mobile direct path one needs to implement a FIDO2/WebAuthn proxy under a Credential Manager provider Android app." [GitHub Discussion #4046](https://github.com/ory/kratos/discussions/4046) However, this appears to be a workaround rather than a fully supported feature, and it may require significant custom development. In summary, while there might be some workarounds possible, the official documentation indicates that external passkeys (including hardware tokens like YubiKeys) are not natively supported for direct integration with native apps in self-hosted Ory. The recommended approach would still involve using browser-based authentication flows through ASWebAuthenticationSession (iOS) or Custom Tabs (Android).

For mobile (native) apps, the login API endpoint in self-hosted Ory is:

GET /self-service/login/api

This endpoint is specifically designed for native apps (such as mobile devices, smart TVs, etc.) and should not be used in browser-based applications. It initializes a login flow and returns all the necessary data for rendering the login UI in your native app. On successful login, Ory issues a session token that can be used to authenticate subsequent requests from the app. Example cURL request:

bash curl -X GET \   -H "Accept: application/json" \   https://$<http://PROJECT_SLUG.projects.oryapis.com/self-service/login/api|PROJECT_SLUG.projects.oryapis.com/self-service/login/api>

Replace

$PROJECT_SLUG

with your actual Ory project slug or domain. Important notes: - Do not use this endpoint in browser or SPA applications, as it does not provide CSRF protection and is intended only for native environments. - On successful login, you will receive a session token (not a cookie) to use for authenticating further API requests from your app. For more details, see the official documentation: [Create Login Flow for Native Apps](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#create-login-flow) and [API Reference](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json).

@chilly-king-10285 for self-service not ory console

For self-service login in a native (mobile) app using self-hosted Ory, you should use the following API endpoint:

GET /self-service/login/api

This endpoint initializes a login flow for API clients such as mobile devices. After initializing the flow, you will receive a JSON response containing the flow ID and UI nodes, which you use to render the login form in your app. To submit the login credentials, you send a POST request to the action URL provided in the flow response. Example flow: 1. Initialize the login flow:

bash    curl -X GET \      -H "Accept: application/json" \      https://<your-ory-domain>/self-service/login/api

This returns a JSON object with the flow details, including the

ui.action

URL and form fields to render. 2. Submit the login form:

bash    curl -X POST \      -H "Content-Type: application/json" \      -d '{"method":"password","identifier":"<mailto:email@example.com|email@example.com>","password":"yourpassword"}' \      "https://<your-ory-domain>/self-service/login?flow=<flow-id>"

Replace

<your-ory-domain>

and

<flow-id>

with your actual values. Note: - This is for self-service flows, not the Ory Console. - Do not use this endpoint in browser-based apps; it is intended for native/mobile clients only. For more details, see the official documentation on [API flows for native apps](https://www.ory.sh/docs/kratos/self-service#api-flows-native-mobile--desktop-apps-command-line-interfaces-smart-tvs-and-more) and [custom UI integration](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#create-login-flow).

To increase the session token lifespan for native apps in self-hosted Ory, you need to adjust the session lifespan setting in your Ory Identities (Kratos) configuration. The session lifespan applies to both browser-based sessions (cookies) and native app sessions (tokens). You can set the session lifespan using the Ory Console or by editing your configuration file: Example configuration (YAML):

yaml session:   cookie:     domain: $<http://PROJECT_SLUG.projects.oryapis.com|PROJECT_SLUG.projects.oryapis.com>     name: ory_session_{name}     path: /     persistent: false     same_site: Lax   lifespan: 720h  # Set to 30 days, for example

After updating the configuration, apply it to your project using the Ory CLI:

bash ory update identity-config --project <project-id> --workspace <workspace-id> --file identity-config.yaml

The

lifespan

value determines how long the session token (for native apps) or session cookie (for browsers) remains valid before the user must re-authenticate. You can use hours (

h

), minutes (

m

), and seconds (

s

) to define the interval (e.g.,

72h

,

10m

,

1h13m3s

). Note: This setting affects all sessions, including those for native apps. There is no separate session lifespan setting specifically for native app tokens; the same configuration applies to both session types[Session lifespan](https://www.ory.sh/docs/kratos/session-management/session-lifespan). If you want to allow sessions to be refreshed (extended) before they expire, you can also adjust the

earliest_possible_extend

setting in your configuration[Refresh threshold](https://www.ory.sh/docs/kratos/session-management/refresh-extend-sessions#refresh-threshold). If you need more granular control (such as privileged session duration), see the [privileged sessions documentation](https://www.ory.sh/docs/kratos/session-management/session-lifespan#privileged-sessions).

@chilly-king-10285 How to refresh token

To refresh a session token (i.e., extend the session) for native apps in self-hosted Ory, you have two main approaches: --- ### 1. User-Initiated Session Refresh (Re-authentication) For native apps, you can trigger a session refresh by starting a new login flow with the

refresh=true

query parameter. This will prompt the user to re-authenticate, and upon successful login, the session's

authenticated_at

and

expires_at

will be updated. Endpoint:

GET /self-service/login/api?refresh=true

This is the recommended way for native/mobile apps to refresh a session, as it ensures the user is still present and authorized. [See: Refreshing a session](https://www.ory.sh/docs/kratos/self-service/flows/user-login#refreshing-a-session) --- ### 2. Administrator-Initiated Session Extension If you have administrative privileges, you can programmatically extend a user's session using the [Extend Session API](https://www.ory.sh/docs/reference/api#tag/identity/operation/extendSession). Go SDK Example:

go session, _, err = ory.IdentityApi.ExtendSession(ContextWithToken(ctx), sessionId).     Execute()

You need the session ID, which you can obtain by calling the

/sessions/whoami

endpoint or using the

toSession

SDK method. [See: Refreshing sessions as administrator](https://www.ory.sh/docs/kratos/session-management/refresh-extend-sessions) --- Note: - Ory does not use "refresh tokens" in the OAuth2 sense for session tokens. Instead, session refresh is handled by re-authentication or admin extension. - For OAuth2 access/refresh tokens, see the [OAuth2 refresh token grant documentation](https://www.ory.sh/docs/oauth2-oidc/refresh-token-grant). If you need to allow users to refresh their session before it expires, ensure your configuration allows it by setting the

earliest_possible_extend

property appropriately[Refresh threshold](https://www.ory.sh/docs/kratos/session-management/refresh-extend-sessions#refresh-threshold).