To extend a Kratos session when a user's Ory Hydra OAuth2 access token is refreshed, you need to coordinate session management between Ory Kratos (identity/session) and Ory Hydra (OAuth2/token). However, the knowledge sources do not describe a built-in, automatic mechanism that links Hydra's access token refresh directly to a Kratos session extension. Here’s what is supported and recommended based on the documentation: 1. Extending Kratos Sessions (Admin Action): - You can programmatically extend a Kratos session using the [extend session API](https://www.ory.sh/docs/reference/api#tag/identity/operation/extendSession) as an administrator. This requires the session ID, which you can obtain via the

/sessions/whoami

endpoint or the

toSession

SDK method. Example code is provided for both Go and TypeScript SDKs:

go    func RefreshSession(ctx context.Context, sessionId string) (session *client.Session, err error) {          session, _, err = ory.IdentityApi.ExtendSession(ContextWithToken(ctx), sessionId).Execute()          if err != nil {              return nil, err          }          return session, err      }

typescript    export async function refreshSession(sessionId: string) {      return await identity.extendSession({        id: sessionId,      })    }

[Refresh/extend sessions](https://www.ory.sh/docs/kratos/session-management/refresh-extend-sessions) 2. Session Cookie Handling: - Extending the session in the database does not automatically update the session cookie in the user's browser. After extending the session, you must ensure the client receives the updated cookie. One approach is to call the

whoami

(or

toSession

) endpoint after extending the session and replace the old cookie with the new one returned by this endpoint. This ensures the session cookie's expiration matches the extended session in the backend. This workaround is discussed in a [GitHub issue](https://github.com/ory/kratos/issues/4441). 3. No Automatic Link Between Hydra Token Refresh and Kratos Session: - The documentation does not describe a built-in way for Hydra's refresh token flow to automatically trigger a Kratos session extension. You would need to implement this logic in your application: when you detect a Hydra access token refresh (e.g., in your OAuth2 callback or token endpoint logic), you should also call the Kratos session extension API for the corresponding user session. Summary: You must manually extend the Kratos session (using the admin API) when you refresh the user's Hydra access token, and ensure the session cookie is updated on the client. There is no automatic synchronization between Hydra token refresh and Kratos session extension in the current Ory documentation and examples. If you need a seamless experience, you will have to implement this coordination in your application logic, as described above. [Refresh/extend sessions](https://www.ory.sh/docs/kratos/session-management/refresh-extend-sessions) [GitHub issue: Extending a session is not working](https://github.com/ory/kratos/issues/4441)

Based on the available knowledge sources, Ory Kratos sessions are always configured with a finite lifespan, which is set in the configuration using hours, minutes, and seconds (e.g.,

720h

for 30 days). When the session lifespan expires, the user must re-authenticate. There is no documented way to create a session that never expires (i.e., an infinite or "non-expiring" session). The session will always expire after the configured lifespan, and the documentation does not mention support for unlimited or permanent sessions [Session lifespan](https://www.ory.sh/docs/kratos/session-management/session-lifespan). If you require very long sessions, you can set a large lifespan value, but true non-expiring sessions are not supported according to the current documentation.

Passkey (passwordless/WebAuthn) authentication is not currently supported in native apps using the Kratos API endpoint. The knowledge sources explicitly state that WebAuthn is a browser standard and does not work in native mobile apps. The current implementation of passkeys and WebAuthn in Ory Kratos is browser-focused and relies on browser APIs and JavaScript, which are not available in native app environments. This limitation is confirmed in both the documentation and community discussions, and support for native app passkey flows is on the roadmap for the future, but not available at this time [WebAuthn constraints](https://www.ory.sh/docs/kratos/passwordless/passkeys#constraints) [Flutter native app and biometric authentication](https://github.com/ory/network/issues/284).

In Ory Kratos, whether users are prompted for 2FA (two-factor authentication) on API requests in native apps depends on your project's multi-factor authentication (MFA) enforcement settings. By default, Ory Network uses the Strict enforcement model, which means high-risk operations (like updating user settings) require step-up authentication (2FA). However, if your configuration is set to the Lax model, users may only be required to authenticate with the first factor (e.g., password) and not be prompted for 2FA on sign-in or certain API requests. To ensure users are prompted for 2FA in native apps, you must: - Enable and configure MFA methods (such as TOTP, SMS, etc.). - Set the enforcement model to require the highest available authentication assurance level (AAL) for the relevant flows. For example, to enforce 2FA on sign-in and settings flows, your configuration should include:

yaml selfservice:   flows:     settings:       required_aal: highest_available session:   whoami:     required_aal: highest_available

If these are not set, users may not be prompted for 2FA after the initial login, especially in native app API flows [Step-up authentication](https://www.ory.sh/docs/kratos/mfa/step-up-authentication). Summary: If users are not being asked for 2FA on API requests in native apps, it is likely because the MFA enforcement model is set to Lax or the required AAL is not configured for those flows. Adjust your configuration to enforce 2FA as needed.