# talk-kratos
w
Hi guys. I’m trying to understand the backend flows for verifying an Ory Kratos session token that is coming from a mobile app. What Ory API endpoint(s) would I use to validate that the session token is valid, and to get the details of the user/identity that is associated with that session token (e.g. their name and email address)? This is for the purpose of having a REST API endpoint in my own backend which should only be accessible to authenticated users. From reading the docs, this seems like something that would be done using one of the Admin APIs and the request would be authenticated using an Ory Personal Access Token? Although I haven’t been able to identify the specific endpoint(s) that I would use for this task. Note that we’re using Ory Cloud for this project.
b
nah, there is a `/whoami` endpoint: `/sessions/whoami`. Hit it while the session cookie is set and you will get the entity in return.
w
@brainy-plumber-70688 thanks for the response. Can that flow be used in a context where cookies are not involved? The frontend will be a mobile app that talks to the Ory APIs, so it will not be dealing with cookies. The frontend will get an Ory session token and send that in a header for requests it makes to our own backend. Then our backend needs to be able to grab that session token and somehow validate it with Ory and get the details of the user. What I was hoping/expecting is there’s some Ory endpoint that lets me pass the session token as a parameter and get back the relevant information from Ory. Side note in case it’s relevant - this is a project where we’re using Ory Cloud.
s
Yes, the docs specific to Cloud are not really there yet, but the API is the same as the open source Kratos, so have a look there: https://www.ory.sh/kratos/docs/reference/api#operation/toSession
w
Thanks @steep-lamp-91158, that looks like what I need, I’ll give that a try 🙂
b
@steep-lamp-91158 docs seem to be wrong: validation only happens on cookie.
Just tried on latest 0.8 docker image.
s
Please open an issue then with a detailed bug report
w
@brainy-plumber-70688 I was testing with the Ory playground API and I did find that I could check/validate a session token by passing it in the `X-Session-Token` header to a request to https://playground.projects.oryapis.com/api/kratos/public/sessions/whoami. Are you saying that you had a different result?
b
@worried-photographer-43513 correct. I need to do some more investigation later, because it is possible that Rust's client is wrong (it goes directly to Kratos) and my proxy is messing with headers (that's what I use for curl).
👍 1