# general
b
Hello, I'm trying to play with Ory a little bit. I have a client-side app where I decided to implement a self-service UI for Ory and protected routes. I also have a headless server API which requires user context and must be protected with auth. 1. Is it okay if the client app directly calls the Kratos instance to utilize self-service? 2. Is it okay if, when the client needs some business-specific stuff, it calls the server API, and the server API calls whoami of Kratos before doing any business logic?
r
Hey, welcome :) 1. Yes! You can distinguish between browser flows and server flows using Kratos https://www.ory.sh/kratos/docs/next/self-service/#performing-login-registration-settings--flows 2. That's okay -> the request will include the session cookie from the client, you can use the token as a bearer token in the HTTP Authorization Header to call `whoami`: https://www.ory.sh/kratos/docs/next/guides/login-session#api-client
b
Thank you!