Check Who the Current HTTP Session Belongs To
GET {{baseUrl}}/sessions/whoami?tokenize_as=<string>
Uses the HTTP headers in the GET request to determine (e.g. by checking the cookies) who is authenticated. Returns a session object in the body, or 401 if the credentials are invalid or no credentials were sent. When the request is successful it adds the user ID to the 'X-Kratos-Authenticated-Identity-Id' header in the response.
If you call this endpoint from a server-side application, you must forward the HTTP Cookie Header to this endpoint:
pseudo-code example
router.get('/protected-endpoint', async function (req, res) {
  // Forward the browser's Cookie header unchanged so Kratos can read the session cookie
  const session = await client.toSession(undefined, req.header('cookie'))
  console.log(session)
})
When calling this endpoint from a non-browser application (e.g. mobile app) you must include the session token:
pseudo-code example
...
const session = await client.toSession("the-session-token")
console.log(session)
When using a token template, the token is included in the tokenized field of the session.
pseudo-code example
...
const session = await client.toSession("the-session-token", { tokenize_as: "example-jwt-template" })
console.log(session.tokenized) // The JWT
Depending on your configuration this endpoint might return a 403 status code if the session has a lower Authenticator Assurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn credentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user to sign in with the second factor or change the configuration.
This endpoint is useful for:
- AJAX calls. Remember to send credentials and set up CORS correctly!
- Reverse proxies and API Gateways
- Server-side calls - use the X-Session-Token header!
This endpoint authenticates users by checking:
- if the Cookie HTTP header was set containing an Ory Kratos Session Cookie;
- if the Authorization: bearer <ory-session-token> HTTP header was set with a valid Ory Kratos Session Token;
- if the X-Session-Token HTTP header was set with a valid Ory Kratos Session Token.
If none of these headers are set or the cookie or token are invalid, the endpoint returns an HTTP 401 status code.
As explained above, this request may fail for several reasons. The error.id can be one of:
- session_inactive: No active session was found in the request (e.g. no Ory Session Cookie / Ory Session Token).
- session_aal2_required: An active session was found but it does not fulfil the Authenticator Assurance Level, implying that the session must (e.g.) authenticate the second factor.
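The server-side forwarding, the three credential carriers and the two error ids above, combined into one small Node helper. This is an added example, not Ory's or this page's own code; the fetch implementation is injectable so the mapping can be exercised against a fake Kratos, and the Kratos base URL is an assumption.

```javascript
// Added example, not Ory's or this page's own code: forward the caller's credential
// carrier to /sessions/whoami and turn the responses described above into an
// access decision. fetchImpl is injectable so the mapping can be exercised against
// a fake Kratos; the base URL is an assumption.
const KRATOS_PUBLIC_URL =
  (typeof process !== 'undefined' && process.env.KRATOS_PUBLIC_URL) || 'http://127.0.0.1:4433';
const AAL_RANK = { aal1: 1, aal2: 2, aal3: 3 };

// Pick exactly one credential carrier from the incoming request (Node lower-cases
// header names). A non-browser client's X-Session-Token wins; otherwise forward the
// browser's Cookie header untouched, as required for server-side calls.
function buildWhoamiHeaders(incomingHeaders) {
  const out = { Accept: 'application/json' };
  if (incomingHeaders['x-session-token']) {
    out['X-Session-Token'] = incomingHeaders['x-session-token'];
  } else if (incomingHeaders.cookie) {
    out.Cookie = incomingHeaders.cookie;
  }
  return out;
}

// Call whoami and normalise the outcome: 200 -> the session plus the identity id
// Kratos echoes in X-Kratos-Authenticated-Identity-Id; 401/403 -> the error.id.
async function resolveSession(incomingHeaders, fetchImpl = fetch, baseUrl = KRATOS_PUBLIC_URL) {
  const res = await fetchImpl(`${baseUrl}/sessions/whoami`, { headers: buildWhoamiHeaders(incomingHeaders) });
  if (res.status === 200) {
    const session = await res.json();
    return { ok: true, session, identityId: res.headers.get('x-kratos-authenticated-identity-id') };
  }
  let errorId = 'unknown';
  try { errorId = (await res.json()).error.id; } catch (_) { /* non-JSON error body */ }
  return { ok: false, status: res.status, errorId };
}

// Map the whoami outcome to what the protected route should do. minAal lets a route
// demand AAL2 even when Kratos is configured to answer 200 for an AAL1 session.
function decide(result, minAal = 'aal1') {
  if (!result.ok) {
    // session_aal2_required: a session exists, so send the user to the second factor
    if (result.errorId === 'session_aal2_required') return { status: 403, action: 'step_up' };
    // session_inactive (or anything unexpected): no usable session, send to login
    return { status: 401, action: 'login' };
  }
  const level = result.session.authenticator_assurance_level;
  if ((AAL_RANK[level] || 0) < (AAL_RANK[minAal] || 0)) return { status: 403, action: 'step_up' };
  return { status: 200, action: 'allow', identityId: result.identityId };
}
```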
Request Params
Key | Datatype | Required | Description
---|---|---|---
tokenize_as | string | | Returns the session additionally as a token (such as a JWT). The value of this parameter has to be a valid, configured Ory Session token template. For more information head over to the documentation.
HEADERS
Key | Datatype | Required | Description
---|---|---|---
X-Session-Token | string | | Set the Session Token when calling from non-browser clients. A session token has a format of MP2YWEMeM8MxjkGKpH4dqOQ4Q4DlSPaj.
Cookie | string | | Set the Cookie Header. This is especially useful when calling this endpoint from a server-side application. In that scenario you must include the HTTP Cookie Header which originally was included in the request to your server. An example of a session in the HTTP Cookie Header is: ory_kratos_session=a19iOVAbdzdgl70Rq1QZmrKmcjDtdsviCTZx7m9a9yHIUS8Wa9T7hvqyGTsLHi6Qifn2WUfpAKx9DWp0SJGleIn9vh2YF4A16id93kXFTgIgmwIOvbVAScyrx7yVl6bPZnCx27ec4WQDtaTewC1CpgudeDV2jQQnSaCP6ny3xa8qLH-QUgYqdQuoA_LF1phxgRCUfIrCLQOkolX5nv3ze_f==. It is ok if more than one cookie is included here, as all other cookies will be ignored.
Accept | string | |
RESPONSES
status: OK
{
  "id": "<uuid>",
  "active": "<boolean>",
  "authenticated_at": "<dateTime>",
  "authentication_methods": [
    { "aal": "aal3", "completed_at": "<dateTime>", "method": "password", "organization": "<string>", "provider": "<string>" },
    { "aal": "aal2", "completed_at": "<dateTime>", "method": "totp", "organization": "<string>", "provider": "<string>" }
  ],
  "authenticator_assurance_level": "aal2",
  "devices": [
    { "id": "<uuid>", "ip_address": "<string>", "location": "<string>", "user_agent": "<string>" },
    { "id": "<uuid>", "ip_address": "<string>", "location": "<string>", "user_agent": "<string>" }
  ],
  "expires_at": "<dateTime>",
  "identity": {
    "id": "<uuid>",
    "schema_id": "<string>",
    "schema_url": "<string>",
    "traits": {
      "description": "Traits represent an identity's traits. The identity is able to create, modify, and delete traits\nin a self-service manner. The input will always be validated against the JSON Schema defined\nin `schema_url`."
    },
    "created_at": "<dateTime>",
    "credentials": {
      "deserunt_303": { "config": {}, "created_at": "<dateTime>", "identifiers": ["<string>", "<string>"], "type": "profile", "updated_at": "<dateTime>", "version": "<long>" },
      "sit_c62": { "config": {}, "created_at": "<dateTime>", "identifiers": ["<string>", "<string>"], "type": "webauthn", "updated_at": "<dateTime>", "version": "<long>" }
    },
    "metadata_admin": {
      "description": "NullJSONRawMessage represents a json.RawMessage that works well with JSON, SQL, and Swagger and is NULLable-",
      "nullable": true
    },
    "metadata_public": {
      "description": "NullJSONRawMessage represents a json.RawMessage that works well with JSON, SQL, and Swagger and is NULLable-",
      "nullable": true
    },
    "organization_id": "<string>",
    "recovery_addresses": [
      { "id": "<uuid>", "value": "<string>", "via": "<string>", "created_at": "<dateTime>", "updated_at": "<dateTime>" },
      { "id": "<uuid>", "value": "<string>", "via": "<string>", "created_at": "<dateTime>", "updated_at": "<dateTime>" }
    ],
    "state": "active",
    "state_changed_at": "<dateTime>",
    "updated_at": "<dateTime>",
    "verifiable_addresses": [
      { "value": "<string>", "verified": "<boolean>", "via": "sms", "status": "<string>", "created_at": "<dateTime>", "id": "<uuid>", "updated_at": "<dateTime>", "verified_at": "<dateTime>" },
      { "value": "<string>", "verified": "<boolean>", "via": "email", "status": "<string>", "created_at": "<dateTime>", "id": "<uuid>", "updated_at": "<dateTime>", "verified_at": "<dateTime>" }
    ]
  },
  "issued_at": "<dateTime>",
  "tokenized": "<string>"
}