Sharing Token in a suite of apps

Hi, I have a suite of applications and I want to use Okta for the authentication.

My apps are like

  • auth.mydomain.com
  • app1.mydomain.com
  • app2.mydomain.com

When I browse to auth I can log in correctly and I get back an Okta session token in a cookie, auth-session. This holds the domain mydomain.com, so I can reuse it for the rest of the apps.

Now I want to browse to app1 and call its API. Until now my middleware had only JWT validation, but now, as I understand it, I need to call Okta's session API api/v1/sessions/me in order to get validated.

Is this the correct way, or is there a better one?

Use of the /api/v1/sessions/me endpoint is so you can receive information about the user's current Okta session (or a 404 if they do not have a session).

Why are you validating the Okta session? You mention doing JWT validation, which makes sense: each of these (presumably OIDC) applications would be issued its own JWTs, and if they are calling an API, those JWTs should be validated by that API. But why would the applications be concerned about the Okta session itself?

Indeed, I eventually used the normal JWT token, which I managed to verify in all my apps. The session was an extra step that was not needed.
