<@U04UQ68083H> Is it correct to use same ToSession...
# ory-copilot
@chilly-king-10285 Is it correct to use the same ToSession method on the SPA and backend API sides for user authentication?
A message from kapa.ai
Short answer: yes—both your SPA and your backend should use the same toSession endpoint to verify the current user session, but the way you call it differs slightly.

- In a browser-based SPA, call `frontend.toSession()` without manually passing cookies. Configure the SDK to include credentials so the browser sends the session cookie automatically. This checks whether the user is logged in and returns the session. [[Session cookie](https://www.ory.sh/docs/kratos/session-management/overview#using-ory-session-cookie); [Check session status](https://www.ory.sh/docs/identities/sign-in/check-session-token-cookie-api); [BYO UI session checks](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#session-checks)]
- On your backend API, also call `frontend.toSession()`, but you must forward the client's auth to Ory explicitly:
  - For browser sessions, forward the Cookie header via `toSession({ cookie: req.headers.cookie })`.
  - If you also support native/mobile clients, forward the `Authorization: Bearer <session-token>` header via `toSession({ xSessionToken: token })`. Your API should handle both.
  [[Vue + API example](https://www.ory.sh/docs/getting-started/integrate-auth/vue#make-authenticated-calls-to-your-api); [Check session status](https://www.ory.sh/docs/identities/sign-in/check-session-token-cookie-api); [Migrate: integrate backend](https://www.ory.sh/docs/migrate-to-ory#integrate-backend)]

Important nuances:

- Use browser flows and cookies for SPAs; do not use native/API flows in the browser due to security risks. [[Self-service flows warning](https://www.ory.sh/docs/kratos/self-service#performing-login-registration-settings--flows); [Browser vs native](https://www.ory.sh/docs/identities/native-browser)]
- In SPAs, ensure CORS and credentials are configured so cookies are sent. [[React guide](https://www.ory.sh/docs/getting-started/integrate-auth/react#make-authenticated-calls-to-your-api); [Vue guide](https://www.ory.sh/docs/getting-started/integrate-auth/vue#make-authenticated-calls-to-your-api)]
- In server-side apps (Express, Next.js, Go), extract and forward cookies when calling toSession. [[Session get-started](https://www.ory.sh/docs/identities/get-started/session-management); [Sign in examples](https://www.ory.sh/docs/identities/get-started/sign-in)]

So, it's correct to use the same toSession method on both sides; just pass auth differently (implicit cookies in the SPA, forwarded cookies and/or session token on the backend). [[Check session status](https://www.ory.sh/docs/identities/sign-in/check-session-token-cookie-api); [BYO UI session checks](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#session-checks)]
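A worked example of both sides of the answer above, added here and not taken from the thread or from Ory's own code: the SPA call with no manual cookie handling, and an Express-style backend middleware that forwards either the browser's `Cookie` header or a native client's `Bearer` session token to `frontend.toSession()`. The `@ory/client` package and its `FrontendApi.toSession({ cookie, xSessionToken })` signature are real; the function names (`createOryFrontend`, `checkSessionInBrowser`, `extractCredentials`, `requireSession`), the Express-shaped `req`/`res` objects and the sample credential values are this example's own assumptions. The middleware takes the Ory client as a parameter so it can be exercised offline with a fake.

```javascript
// Added example (not from the thread or the Ory docs). Function names and
// the Express-shaped req/res are assumptions of this example.

// Build the real Ory SDK client. @ory/client is required lazily so the rest
// of this file runs (and can be tested) without the package installed.
function createOryFrontend(basePath) {
  const { Configuration, FrontendApi } = require("@ory/client");
  // baseOptions goes to axios; withCredentials is what a browser SPA needs so
  // the session cookie travels with the request. It is harmless server-side.
  return new FrontendApi(
    new Configuration({ basePath, baseOptions: { withCredentials: true } })
  );
}

// SPA side: no cookie is passed by hand; the browser attaches it because the
// client was built with withCredentials. Resolves to the session or null.
async function checkSessionInBrowser(frontend) {
  try {
    const { data: session } = await frontend.toSession();
    return session && session.active !== false ? session : null;
  } catch (err) {
    return null; // 401 from Ory: not logged in
  }
}

// Backend side: decide how to forward the caller's credentials to Ory.
// Returns { xSessionToken } for native clients (Authorization: Bearer ...),
// { cookie } for browser sessions, or null when the request carries neither.
function extractCredentials(headers) {
  const auth = (headers.authorization || "").trim();
  const match = /^Bearer\s+(\S+)$/i.exec(auth);
  if (match) return { xSessionToken: match[1] };
  if (headers.cookie && headers.cookie.trim() !== "") {
    return { cookie: headers.cookie };
  }
  return null;
}

// Express-style middleware: verify the session with Ory and attach it to
// req.session, or answer 401. `frontend` is anything exposing
// toSession(params) -> Promise<{ data: Session }>, i.e. an @ory/client
// FrontendApi, so a fake can stand in during tests.
function requireSession(frontend) {
  return async function (req, res, next) {
    const creds = extractCredentials(req.headers || {});
    if (!creds) {
      res.status(401).json({ error: "no session credentials" });
      return;
    }
    try {
      const { data: session } = await frontend.toSession(creds);
      // Ory itself answers 401 for inactive sessions; the explicit check
      // guards against a client that returns the object regardless.
      if (!session || session.active === false) {
        res.status(401).json({ error: "session not active" });
        return;
      }
      req.session = session;
      next();
    } catch (err) {
      // Do not echo Ory's error body to the caller; a bare 401 is enough.
      res.status(401).json({ error: "session invalid or expired" });
    }
  };
}

// Wiring in a real app (assumed env var name):
//   app.use("/api", requireSession(createOryFrontend(process.env.ORY_SDK_URL)));
```

Note that the browser only attaches the session cookie when the API is served on a domain the cookie is scoped to and the SPA sends the request with credentials enabled; otherwise `extractCredentials` sees no `Cookie` header and the middleware correctly returns 401.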