careful-honey-27437
05/01/2025, 7:03 PM
brief-egg-61061
05/01/2025, 7:03 PM
brief-egg-61061
05/01/2025, 7:04 PM

ory_apikey_ or ory_pat_) in the Authorization header. This is required for privileged operations that access Admin APIs.

`Authorization: Bearer ory_apikey_your_api_key`

2. For user session validation: You need to forward the user's session information, which can be either:
- Ory Session Cookie (ory_session_...)
- Ory Session Token (prefixed with ory_st_) in the Authorization header

Here's how this typically works in an Express.js backend:

```javascript
const express = require("express")
const { FrontendApi, Configuration } = require("@ory/client")

const app = express()

// Frontend API client pointed at your Ory Network project
const ory = new FrontendApi(
  new Configuration({
    basePath: `https://${process.env.PROJECT_SLUG}.projects.oryapis.com`,
  }),
)

app.get("/api/resource", async function (req, res) {
  // Accept an Ory Session Token (ory_st_...) sent as a Bearer token
  const authHeader = req.headers.authorization
  const hasAuthHeader = authHeader && authHeader.startsWith("Bearer ")
  const sessionToken = hasAuthHeader ? authHeader.slice(7) : undefined

  let session
  try {
    // toSession() forwards the session cookie and/or token to Ory and
    // resolves only if Ory confirms an active session
    const { data } = await ory.toSession({
      cookie: req.headers.cookie,
      xSessionToken: sessionToken,
    })
    session = data
  } catch (err) {
    // Reject and return here so the privileged code path below is never
    // reached for an unauthenticated request
    return res.status(401).json({ error: "Unauthorized" })
  }

  // If we get here, the user is authenticated (session.identity is available)
  // Now you can make Admin API calls using your API key
  // ...
})
```

This approach allows you to:
1. Validate the user's session first using their session cookie or token
2. Then make privileged Admin API calls using your API key if needed

[Ory Network API Keys](https://www.ory.sh/docs/concepts/personal-access-token) documentation explains that Admin APIs require API keys for authorization, while the [Check session status](https://www.ory.sh/docs/identities/sign-in/check-session-token-cookie-api) guide shows how to validate user sessions.

Remember that your API must handle both Ory Session Cookies and Ory Session Tokens when checking if a user is authenticated, as shown in the example above.