Check for sessions

You can check for sessions by calling the /sessions/whoami endpoint and including the issued cookie or token.

Browser cookies

To check if the user is signed in, call the /sessions/whoami endpoint. When the user doesn't have a session, you get a 401 Unauthorized response. If the user has a session, you get a 200 OK response and the session payload.

GET https://{your-project-slug-here}
Cookie: ory_session_...=...
# OR
X-Session-Token: {your-session-token}

Code sample

If you have the session cookie available from another source, you can also use the X-Session-Cookie header:

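const express = require("express")
const cookieParser = require("cookie-parser")
const app = express()
app.use(cookieParser()) // populates req.cookies

app.get("/", function (req, res) {
  // Cookies that haven't been signed
  const cookie = req.cookies["ory_kratos_session"]

  // Make a request to the /sessions/whoami endpoint and include the cookie in X-Session-Cookie
  fetch("", {
    headers: { "X-Session-Cookie": cookie },
  })
    .then((response) => response.json())
    .then((session) => console.log(session))
})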

Session tokens

To check for sessions of API clients, call the /sessions/whoami endpoint and include the Ory Session Token as the Bearer token in the HTTP Authorization header:

# Instead of the Authorization header, you can send:
#   -H "X-Session-Token: $sessionToken"
curl -s -X GET -H "Accept: application/json" \
  -H "Authorization: Bearer $sessionToken" \
  https://{your-project-slug-here} | jq

{
  "id": "8f660ce3-69ec-4aeb-9fda-f9230dc3243f",
  "active": true,
  "expires_at": "2020-08-25T13:42:15.7411522Z",
  "authenticated_at": "2020-08-24T13:42:15.7411522Z",
  "issued_at": "2020-08-24T13:42:15.7412042Z",
  "identity": {
    "id": "bf32596a-f853-47c4-91e6-a3f41cf4949d",
    "schema_id": "default",
    "schema_url": "",
    "traits": {
      "email": "[email protected]",
      "name": {
        "last": "User",
        "first": "API"
      }
    },
    "verifiable_addresses": [
      {
        "id": "f877db6c-7dfb-45e3-bbeb-ac8349348128",
        "value": "[email protected]",
        "verified": false,
        "via": "email",
        "verified_at": null,
        "expires_at": "2020-08-24T14:35:59.125873Z"
      }
    ],
    "recovery_addresses": [
      {
        "id": "065a908c-82be-4110-bf67-9910f36242b7",
        "value": "[email protected]",
        "via": "email"
      }
    ]
  }
}