#general

boundless-action-62507

12/23/2021, 6:53 PM
Hello, I'm trying to play with Ory a little bit. I have a client-side app where I decided to implement a self-service UI for Ory and protected routes. I also have a headless server API which requires user context and must be protected with auth. 1. Is it okay if the client app directly calls the Kratos instance to utilize self-service? 2. Is it okay if, when the client needs some business-specific stuff, it calls the server API, and the server API calls whoami of Kratos before doing any business logic?

rough-sunset-51786

12/24/2021, 9:04 AM
Hey, welcome :) 1. Yes! You can distinguish between browser flows and server flows using Kratos https://www.ory.sh/kratos/docs/next/self-service/#performing-login-registration-settings--flows 2. That's okay -> the request will include the session cookie from the client, you can use the token as a bearer token in the HTTP Authorization Header to call `whoami`: https://www.ory.sh/kratos/docs/next/guides/login-session#api-client
👍 1

boundless-action-62507

12/24/2021, 5:09 PM
Thank you!