12/23/2021, 6:53 PM
Hello, I'm trying to play with Ory a little bit. I have a client-side app where I decided to implement a self-service UI for Ory and protected routes. I also have a headless server API which requires user context and must be protected with auth.
1. Is it okay if the client app directly calls the Kratos instance to utilize self-service?
2. Is it okay if, when the client needs some business-specific stuff, it calls the server API, and the server API calls whoami of Kratos before doing any business logic?


12/24/2021, 9:04 AM
Hey, welcome :)
1. Yes! You can distinguish between browser flows and server flows using Kratos.
2. That's okay -> the request will include the session cookie from the client, you can use the token as a bearer token in the HTTP Authorization Header to call `whoami`:


12/24/2021, 5:09 PM
Thank you!