Unauthorized whoami react self service ui

Hey Guys,

i’m new in the ory community and im trying to implement a react self service ui in react.
The login and registration flows are working but now when i try to call the /sessions/whoami endpoint i get a 401 response.
The Kratos log says:
level=error msg=An error occurred while handling a request func=github.com/ory/herodot.DefaultErrorReporter.func1 file=/go/pkg/mod/github.com/ory/[email protected]/error_reporter.go:24 audience=application error=map[debug: message:The request could not be authorized reason:No valid session cookie found. status:Unauthorized status_code:401 trace:
But when i look in chome dev tools store there is an ory_kratos_session cookie

I am using the @oryd/kratos npm package in version 0.5.3-alpha.1. and Kratos in verion v0.5.3-alpha.1 in docker on my local machine
Did i missed something?

Looks like the session cookie is not properly sent to the endpoint. Are you using CORS or something similar?

Yes i’m using cors in the kratos config with the following configuration.

      enabled: true
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
        - Authorization
        - Cookie
        - Content-Type
        - Set-Cookie

When i disable cors i get the following error on every request.

Access to XMLHttpRequest at '' from origin '' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Can you confirm that the cookie is actually send to the whoami endpoint? You can see all the cookies send in the network tab in the dev tools when you select the request.

Unfortunately it seems like the cookies aren’t set in the reqest headers.
Im using the PublicApi from @oryd/kratos-client:v0.5.3-alpha.1.

      .then((res) => console.log("RESULT", res))
      .catch((err) => console.error("ERROR", err));

Am i missing something? Or do i need to specify the cookies myself?

My headers:


GET /sessions/whoami HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive


HTTP/1.1 401 Unauthorized
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Content-Type, Set-Cookie
Content-Type: application/json
Set-Cookie: csrf_token=J3LVWTuAimboXTjWPQ1GoTEV3PzuDuX/EXL4GTmBJnk=; Path=/; Domain=; Max-Age=31536000; HttpOnly
Vary: Origin
Vary: Cookie
Date: Thu, 12 Nov 2020 11:07:53 GMT
Content-Length: 137

I have crated a small demo repository to demonstrate this behaviour.

You could try:

const kratos = new PublicApi(
    new Configuration({
      basePath: kratosUrl,
      baseOptions: {
        withCredentials: true
1 Like

Alternatively kratos.whoami() accepts a cookie as the first argument, but the cookie is not available in the JS context. I think the problem is that the SDK isn’t instructed to include credentials. The SDK uses https://github.com/axios/axios under the hood so you might have some luck looking through their documentation!

Thank you a lot @hackerman, the withCredential was the missing point.

baseOptions: {
    withCredentials: true

I have seen the credentials options on some fetch request in your slack channel but didnt know that i’m able the set this option in the PublicApi Configuration.

I thought the sdk set this option by default.

1 Like