<@U04UQ68083H> if I use OIDC PKCE flow to login us...
# ory-copilot
c
@chilly-king-10285 If I use the OIDC PKCE flow to log in using Ory Network for a mobile app, do we get a session token / cookie in addition to the ID / access and refresh token?
b
A message from kapa.ai
Yes, when you use the OIDC PKCE flow to log in with Ory Network for a mobile app, you will receive an Ory Session Token in addition to the standard OIDC tokens (ID token, access token, and refresh token).

For native (mobile) applications, Ory issues an Ory Session Token (not a session cookie). This token is equivalent to the session cookie used in browser apps and can be used to authenticate API requests and check session status via the `/sessions/whoami` endpoint. The session token is separate from the OIDC tokens and is specifically used for Ory session management, not for OAuth2 resource access. You do not receive a session cookie in native/mobile contexts—only the session token is provided for these apps [Browser vs. native apps](https://www.ory.sh/docs/identities/native-browser) [Check session status](https://www.ory.sh/docs/identities/sign-in/check-session-token-cookie-api).

To summarize:
- OIDC tokens (ID, access, refresh): Issued by the OIDC provider (Ory Hydra or another).
- Ory Session Token: Issued by Ory Network for native/mobile apps, used for session management.
- Ory Session Cookie: Only issued for browser-based apps, not for native/mobile apps.

So, after a successful OIDC PKCE login in a mobile app, you will have both the OIDC tokens and an Ory Session Token, but not a session cookie.

For more details, see:
- [Browser vs. native apps](https://www.ory.sh/docs/identities/native-browser)
- [Check session status](https://www.ory.sh/docs/identities/sign-in/check-session-token-cookie-api)
c
@chilly-king-10285 The difference between web app and mobile is just that instead of an Ory session cookie we get an Ory session token? Can we use the Ory session token for privileged session actions?
b
A message from kapa.ai
The main difference between web (browser) apps and mobile (native) apps in Ory is indeed how the session is managed:
- Web apps receive an Ory Session Cookie after authentication.
- Mobile/native apps receive an Ory Session Token instead of a cookie [Browser vs. native apps](https://www.ory.sh/docs/identities/native-browser).

Both the session cookie and the session token represent the authenticated session and can be used to check session status or perform authenticated actions by calling the `/sessions/whoami` endpoint. The session token is functionally equivalent to the session cookie, but is designed for use in environments where cookies are not practical (like mobile apps) [Check session status](https://www.ory.sh/docs/identities/sign-in/check-session-token-cookie-api).

Regarding privileged session actions: The knowledge sources do not explicitly mention any restrictions on using the Ory Session Token for privileged session actions compared to the session cookie. Both are described as equivalent for session management and authentication purposes. However, if an action requires a certain Authenticator Assurance Level (AAL), the session (regardless of whether it's cookie or token-based) must meet that requirement [Kratos API Reference](https://www.ory.sh/docs/kratos/reference/api).

Summary:
- The difference is the use of a session cookie (web) vs. a session token (mobile).
- The session token can be used for authenticated and privileged session actions, as long as the session meets the required assurance level.

If you have a specific privileged action in mind, please specify, and I can check for more detailed requirements.