Hello. Following the tutorial on the Ktor website, I have implemented the session auth and the JWT auth separately.
Now I want to have my client send a request with my JWT in a cookie and decode it. Here is the UserSession I created. It holds a JWT token.
```kotlin
data class UserSession(val jwt: String): Principal
```
Now, I am thinking of extracting this JWT from the cookie, hopefully at (A) below, and then validating it.
Is there a standard or recommended way to do so?
```kotlin
install(Authentication) {
    session<UserSession>("auth-session") {
        validate { session ->
            // (A) I want to validate my JWT (session.jwt here)
        }
        challenge {…}
    }
    jwt("access") {
        realm = myRealm
        verifier(
            JWT
                .require(Algorithm.HMAC256(accessTokenConfig.secret))
                .withAudience(accessTokenConfig.audience)
                .withIssuer(accessTokenConfig.issuer)
                .build()
        )
        validate { credential ->
            if (credential.payload.expiresAt.time > System.currentTimeMillis() &&
                credential.payload.audience.contains(accessTokenConfig.audience) &&
                credential.payload.issuer == accessTokenConfig.issuer &&
                userDataSource.getUserByUserId(credential.payload.getClaim("userId").asString()) != null
            ) {
                JWTPrincipal(credential.payload)
            } else {
                null
            }
        }
    }
}
```
Thanks in advance.
Aleksei Tirman [JB]
02/21/2023, 7:36 AM
What kind of validation do you need to do in the session authentication provider?
a8tb1117
02/24/2023, 7:19 AM
Not necessarily ‘in’ the authentication provider.
I just want to relay the contents of a session (session.jwt in the above code) to the JWT validation clause. Thanks @Aleksei Tirman [JB].
Aleksei Tirman [JB]
02/24/2023, 8:54 AM
The standard way is to validate a JWT token in the JWT Authentication and save it into a session in a route’s handler. In the Session authentication provider you should check the validity of a session. You can find an example in the documentation.