# general
t
And the question about reliability of communication between our stack and Ory Cloud is not hypothetical… https://ory-community.slack.com/archives/C02MR4DEEGH/p1668625795570089 (Well, in this case we’re technically talking about apparently taking ~130ms to validate a session token inside the Ory Network – I think validating a JWT signature would surely be faster and more reliable than this.)
l
if you use oathkeeper, you can convert an ory session to a JWT token
and use this JWT token inside your infrastructure instead of relying on sessions, and you leave the burden of validating the session through a whoami call to oathkeeper
a
Self-hosting Ory Kratos (and the rest of the stack) in your own infrastructure is also possible and allows for extremely low latency, provided you aren't dependent on any of the features offered exclusively by Ory Network
s
We are currently working hard to run Ory Network on multiple regions and clouds btw. Also, we have developed edge caching as an opt-in (currently only for the Ory project, soon you can enable that).
t
@loud-spoon-23770 – yeah, aware of this, but thanks! I am talking about the “our infra” <> “Ory Network infra” connection
@aloof-oxygen-62624 – yup, aware of this as well – but not something we want to do now
@steep-lamp-91158 – thanks, this is good to know! As someone new to authn/authz, any comments on potentially using JWTs instead of requiring Oathkeeper to constantly talk to Kratos? I appreciate that a lot can be done to increase resilience and lower the latency, but if some potential customers (like us…) are fine with the say ~900s TTL of JWT auth tokens, could this be offered as an alternative to session tokens? If the answer is that session tokens are just too deeply rooted in the architectural assumptions of the system that’s fine – I just wanted to know where we stand!
Thanks for the quick responses everyone, really helpful!
s
We don't think that JWTs are a good idea for session identifiers, but we are considering a hybrid approach with the opaque session cookie/token + short-lived (few seconds) JWTs so that you can reduce the number of calls/do async background calls instead of sync validation. That hybrid approach is not a priority rn, but we could talk about what is needed to get that if it is a hard requirement for you. Our cache strategy is using a "stale while revalidate" approach to deliver max one invalid response. But for all the technical details and future plans, I'd recommend scheduling a call.
t
Thanks Patrick! Yes, a call would be fantastic. I can ping a calendly link over to you in a DM? Thanks!
m
If I can do a little solutionising for Ory: it would be interesting to see if the ory session logic could fit into some edge tech such as Cloudflare’s worker/kv store model. Then you could have session validation close to the user.
s
Yes that's exactly what we do, have a look at https://youtu.be/26dC2nvK978?t=164

m
Oh! Hah.
Thanks - I’ll take a look later.