Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hey :wave: everyone. We’re trying to build an SSO auth system right now and we’re looking at basing it all on Kratos. However, we have a GraphQL/Prisma backend, and we need some way to validate the session token from the API side (at least as I understand it).

Is there any route we can call in the Kratos HTTP API to verify the token passed from the browser? I’m not fully understanding how this part is expected to work <https://www.ory.sh/docs/kratos/reference/api#operation/toSession>. Right now we run everything on JWT authorization tokens that we can verify server-side, so I’m not sure how the communication between our server/API and the Kratos service/API is supposed to happen.

We would appreciate any help we can get!
CC’ing <@U03864DC7N2>

<@U011D3UQKNY> or <@U010F2N7G2X> if there’s any way to pay for consulting on this we’d probably be interested

Hello.

Kratos sets `ory_kratos_cookie` which is `httpOnly` for all browser sessions and you can use `toSession` SDK method to validate session

As another solution you can call `/sessions/whoami` endpoint which is the same.