Skip to content
OAOpenAppPhysical Security as a Service
Login

Auth (browser session)

The Auth OpenAPI tag covers browser-oriented identity: reading the current Kratos session (or null), checking lightweight provisioning state, and clearing session cookies. These routes are not the same as Authentication (API keys and Authorization: Bearer …).

Callers using only an API key may still invoke GET helpers where the server allows anonymous access; POST /auth/logout and POST /auth/sign-out are meaningful when the HTTP client retains session cookies from a dashboard or hosted login flow.

Operations vs wire routes

Section titled “Operations vs wire routes”
ConcernHTTPoperationIdNotes
Session / identityGET /auth/whoamiget_auth_whoamiSession JSON or null (200).
Session (alias path)GET /auth/sessionget_auth_sessionSame payload; public (anonymous allowed).
WAF-safe session pathGET /auth/kratos-identityget_auth_kratos_identitySame as get_auth_session; avoids some proxies that block session / whoami segments.
Provisioning probeGET /auth/provisionedget_auth_provisioned204 if provisioned, 401 if not (no DB; relies on gateway X-User when provisioned).
Clear session cookiePOST /auth/logoutpost_auth_logout204 — browser logout.
Sign out (alternate)POST /auth/sign-outpost_auth_sign_out204.

Response shapes for the GET introspection endpoints follow the session schema in the API reference (see Auth tag operations).

SDK coverage

Section titled “SDK coverage”
CapabilityPythonRust (openapp_sdk)GoTypeScript (AsyncClient)
whoami / session / kratos_identityclient.auth.whoami() · session() · kratos_identity()client.auth().whoami() · session() · kratos_identity()AuthAPI.GetAuthWhoami · GetAuthSession · GetAuthKratosIdentityNot on façade yet
Provisioning probeclient.auth.provisioned()client.auth().provisioned()AuthAPI.GetAuthProvisionedNot on façade yet
Logout / sign-outclient.auth.logout() · sign_out()client.auth().logout() · sign_out()AuthAPI.PostAuthLogout · PostAuthSignOutNot on façade yet

Typical errors

Section titled “Typical errors”

401 on get_auth_provisioned when the principal is not provisioned (expected for that probe). Introspection **GET**s return 200 with a JSON null body when there is no session — not an HTTP error. 401 may still appear when using an invalid or revoked API key on clients that attach bearer credentials by default. See Errors & retries.

Examples

Section titled “Examples”

Read current session (whoami)

Section titled “Read current session (whoami)”
session = await client.auth.whoami()

Session alias paths (GET /auth/session, GET /auth/kratos-identity)

Section titled “Session alias paths (GET /auth/session, GET /auth/kratos-identity)”

Same session payload as get_auth_whoami — use /auth/session for a path some CDNs cache as public, or /auth/kratos-identity when a WAF blocks whoami / session segments.

via_session = await client.auth.session()
via_kratos = await client.auth.kratos_identity()

Provisioning probe

Section titled “Provisioning probe”
from openapp_sdk.errors import ApiError


try:
    await client.auth.provisioned()
except ApiError as err:
    if err.status == 401:
        ...
Section titled “Cookie logout”
await client.auth.logout()

Alternate sign-out (POST /auth/sign-out)

Section titled “Alternate sign-out (POST /auth/sign-out)”

Same 204 empty-body semantics as post_auth_logout — some gateways or frontends wire this path instead of /auth/logout.

await client.auth.sign_out()

Cookie-aware HTTP clients (ory_kratos_session, csrf_token_*)

Section titled “Cookie-aware HTTP clients (ory_kratos_session, csrf_token_*)”

These routes resolve identity from the ory_kratos_session browser cookie that Oathkeeper / Kratos issues at the end of a login flow. The default SDK transports are tuned for API key (bearer) workflows and do not persist a per-call cookie jar across requests, so you have a few options when calling /auth/* from server-side code:

  • Run a real browser flow once (or proxy the user’s browser) and forward the Cookie: header verbatim into a one-shot SDK call.
  • Build a cookie-aware HTTP client (Python httpx.AsyncClient(cookies=jar), Rust reqwest::Client::builder().cookie_store(true), Go http.Client{Jar: jar}, TS fetch(..., { credentials: "include" }) in the browser) and drive Kratos directly, then use the resulting cookie for /auth/whoami, /auth/logout, etc.
  • Skip the browser session entirely and use API keys (Authentication) for non-interactive workflows — that is what most SDK callers should be doing.

Kratos issues a fresh csrf_token_<hex> cookie per flow (login, recovery, verification, settings). When you POST a flow back to Kratos you must echo the flow’s JSON csrf_token and keep its matching cookie in the same jar — otherwise Kratos returns security_csrf_violation. POST /auth/logout here clears the active ory_kratos_session cookie and any stale csrf_token_* cookies it sees in the request (host-only and Domain= variants), so a successful logout response always carries multiple Set-Cookie lines you should let your jar absorb.

import httpx


cookies = httpx.Cookies()
async with httpx.AsyncClient(
    base_url="https://app.openapp.house",
    cookies=cookies,
    follow_redirects=False,
) as http:
    pass


session = await client.auth.whoami()

The internal httpx.AsyncClient already carries cookies across calls; reuse the same client for the Kratos self-service flow + /auth/whoami so that the ory_kratos_session cookie set by Kratos is presented automatically.

Login itself: continue_with and where these endpoints stop

Section titled “Login itself: continue_with and where these endpoints stop”

The Auth tag is introspection-only. Actually obtaining an ory_kratos_session cookie requires driving Kratos’s self-service public API (e.g. POST /self-service/login) — that is not part of OpenApp’s OpenAPI surface, so you call Kratos directly. A typical sequence:

  1. GET /self-service/login/browser (or /api) on the Kratos public URL → response carries a flow id, the JSON csrf_token, and one Set-Cookie: csrf_token_<hex>=….
  2. POST /self-service/login?flow=<id> with the user identifier + password and the csrf_token in the JSON body, sending the csrf_token_<hex> cookie back.
  3. Successful flows return either session + session_token directly (/api flow) or a continue_with array — entries like continue_with[].action == "set_ory_session_token" or "show_verification_ui" tell the client what to do next (set the cookie, push to verification, etc.). Browser flows mostly redirect; API flows expect the caller to interpret continue_with themselves.
  4. Once the cookie jar holds ory_kratos_session, GET /auth/whoami (or /auth/session / /auth/kratos-identity) returns the resolved session JSON; GET /auth/provisioned returns 204 if the gateway has provisioned an OpenApp user for the Kratos identity.

For non-interactive backends, prefer API keys (Authentication). Reach for the cookie-and-Kratos path only when you genuinely need to act as a specific human user (impersonation, support tooling, headless dashboard tests) — and even then, mint a short-lived API key on behalf of that user when you can.