Sharing Token in a suite of apps

yiannis · May 23, 2025, 12:05pm

Hi, I have a suite of applications and I want to use Okta for the authentication.

My apps are like

auth.mydomain.com
app1.mydomain.com
app2.mydomain.com

When I browse to auth I can login correctly and I get back with Okta session token in a cookie auth-session. This holds the domain of mydomain.com so I can reuse it to the rest of the apps.

Now I want to browse to app1 and call its API. In my middleware till now I had only JWT validations but now as I understand I need to call Okta’s session api api/v1/sessions/me in order to get validated.

Is this the correct way or there is a better one?

andrea · May 27, 2025, 5:25pm

Use of the /api/v1/sessions/me endpoint is so you can receive information about the users current Okta session (or a 404 if they do not have a session).

Why are you validating the Okta session? You mention doing JWT validation, which makes sense as each of these (presumably OIDC) applications would be issued their own JWTs and if they are calling an API should be validated by that API. But why would the applications be concerned about the Okta session itself?

yiannis · May 28, 2025, 2:45pm

Indeed I eventually used the normal JWT token which I managed to verify in all my apps. The session was an extra step that was not needed.

Post		Replies	Views
Session management for OIDC apps with Okta Questions	3	4730	September 21, 2020
Alterative to "sessions/me" API API	1	2740	June 10, 2022
Validate session token Questions	3	2983	October 13, 2023
How to share authenticated state across subdomains? OAuth/OIDC	3	6101	December 20, 2022
Need to get session token from okta widget Questions	1	1350	December 22, 2023

Sharing Token in a suite of apps

Related topics