# ory-copilot
@chilly-king-10285 how can I disable cookie-based continuity?
A message from kapa.ai
I'm sorry, but the knowledge sources do not contain explicit information on how to disable cookie-based continuity in Ory Kratos or other Ory products. The available documentation and discussions mention that the continuity mechanism currently relies on cookies (specifically the ory_kratos_continuity cookie) and that there is only a cookie-based continuity manager implementation at this time. There is discussion about the need for alternative mechanisms, especially for API/native flows, but no documented way to disable or switch off cookie-based continuity is provided in the sources [Traits lost with OIDC API flow](https://github.com/ory/network/issues/345). If you have a specific use case or need, you may want to follow or contribute to the ongoing discussions in the Ory community or GitHub issues for updates on this feature.
@chilly-king-10285 In kratos.yml, is there any option called 'use_cookies'?
A message from kapa.ai
Based on the knowledge sources provided, there is no mention of an option called use_cookies in the kratos.yml configuration file. The documentation covers various cookie-related settings such as domain, path, same_site, and name under the session.cookie section, but does not reference a use_cookies option anywhere in the configuration or examples [Cookie settings](https://www.ory.sh/docs/kratos/guides/configuring-cookies). If you are looking to control cookie behavior, you should use the documented session.cookie options instead. If you need to disable cookies entirely, there is no documented configuration option for that in the available sources.
@chilly-king-10285 tell me more about `SessionTokenExchangeCode`
A message from kapa.ai
The `SessionTokenExchangeCode` is a feature in Ory Kratos used primarily in native and API-based authentication flows, such as social sign-in for native and mobile apps. When you initiate a login or registration flow with the parameter `return_session_token_exchange_code=true`, the response will include a `session_token_exchange_code`. This code is a secret that the client can later use to retrieve a session token after the flow has been completed. The process works as follows:

1. Flow Initialization: The client starts a login or registration flow with `return_session_token_exchange_code=true`. The response contains the first part of the exchange code.
2. User Authentication: The user completes authentication (e.g., via a social provider). After successful authentication, the user is redirected back to the app with the second part of the code in the `code` query parameter.
3. Token Exchange: The native application combines both parts of the code and calls the session token exchange endpoint to obtain a session token, which can then be used for authenticated requests.

This mechanism is designed to securely issue session tokens to native applications without relying on cookies, making it suitable for mobile and other non-browser clients. The `SessionTokenExchangeCode` is only set if the client has requested it and if the flow is of type `api`, and only on creating the flow—not on subsequent updates or retrievals of the flow. This is documented in the API responses for login and registration flows [Ory API Reference](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json) and described in the implementation guide for native app authentication flows [Social sign-in for native and mobile apps](https://www.ory.sh/docs/kratos/social-signin/native-apps#implementation).