As long as you exchange the sessionToken for a session cookie, you just need to ensure that cookies are sent in your request to the /api/v1/users/me endpoint. That endpoint will return information about the authenticated user as long as you’re able to access the Okta session cookie (YMMV if your browser blocks third-party cookies; see this FAQ for more info on that).
Here’s an example fetch request that you can call from a domain added to Trusted Origins for CORS requests and on a browser that doesn’t block 3rd party cookies OR from a domain that is TLD+1 from your Okta domain (see the FAQ above for examples):
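```javascript
// Replace oktaDomain with your Okta org domain.
// credentials: "include" sends the Okta session cookie with the cross-origin request.
fetch('https://oktaDomain/api/v1/users/me', {credentials: "include"})
  .then((response) => {
    return response.json();
  })
  .then((data) => {
    console.log(data);
    alert(JSON.stringify(data));
  });
```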
List Groups has different requirements and can only be accessed with Admin permissions, aka, you'll need an [SSWS](https://developer.okta.com/docs/guides/create-an-api-token/) (don't use one on the front end!) or an Access Token granted to an [admin](https://developer.okta.com/docs/guides/implement-oauth-for-okta/main/) or a [service app](https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/) to access this endpoint.
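
The server-side pattern the last paragraph points to, as an added example that is not part of the original post: a Node 18+ helper that calls List Groups with an SSWS token held only on the server and hands the browser a trimmed result. The environment variable names `OKTA_DOMAIN` and `OKTA_API_TOKEN` and all function names are assumptions.

```javascript
// Added example (not from the original post). Runs on the server only.
// OKTA_DOMAIN and OKTA_API_TOKEN are assumed environment variable names.

function buildListGroupsRequest(env) {
  const domain = env.OKTA_DOMAIN;
  const token = env.OKTA_API_TOKEN;
  if (!domain || !token) {
    throw new Error('OKTA_DOMAIN and OKTA_API_TOKEN must be set on the server');
  }
  // Accept a bare host name only, so a misconfigured value with a path,
  // scheme or query cannot redirect the token to an unintended URL.
  if (!/^[a-z0-9.-]+$/i.test(domain)) {
    throw new Error('OKTA_DOMAIN must be a host name such as example.okta.com');
  }
  return {
    url: `https://${domain}/api/v1/groups`,
    options: {
      method: 'GET',
      headers: { Accept: 'application/json', Authorization: `SSWS ${token}` },
    },
  };
}

// Return only the fields the front end needs; drop links and metadata.
function toPublicGroups(groups) {
  return groups.map((g) => ({ id: g.id, name: g.profile && g.profile.name }));
}

// fetchImpl is injectable so the function can be exercised without network access.
async function listGroups(env, fetchImpl = globalThis.fetch) {
  const { url, options } = buildListGroupsRequest(env);
  const response = await fetchImpl(url, options);
  if (!response.ok) {
    // Report the status only; never echo request headers, which hold the token.
    throw new Error(`Okta List Groups failed with HTTP ${response.status}`);
  }
  return toPublicGroups(await response.json());
}
```

Call `listGroups(process.env)` from a route on your own backend after that route has authenticated the caller; the browser talks to that route, never to Okta with the token.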