How can I authenticate frontend requests to a custom API gateway using Appwrite sessions instead of JWTs?

How can I authenticate frontend requests to a custom API gateway using Appwrite sessions instead of JWTs?

I'm building a full-stack mobile application using Appwrite for authentication and backend services. The frontend communicates with a custom API gateway that proxies requests to various microservices.

Currently, I'm using Appwrite's account.createJWT() to authenticate users, but the JWT tokens expire every 15 minutes. Refreshing tokens that frequently isn't scalable for my application, especially as the user base grows. Because of that, I'm trying to shift to using session validation instead of JWTs.

The problem I'm facing is: how do I properly authenticate frontend requests to my API gateway using Appwrite sessions?

Environment Details:

Backend API gateway is built with FastAPI

Appwrite version: cloud

Frontend framework: React Native

My questions are:

What is the correct way to validate Appwrite user sessions from a backend service (API gateway) without using the frontend SDKs?

Is it possible to securely authenticate frontend requests to a custom backend using only Appwrite sessions (without using short-lived JWTs)?

If not, what would be the best scalable approach for authenticating requests in this setup?

Any advice, recommended flow, or examples would be greatly appreciated!

Here's what I've tried:

I retrieve the user session on the frontend (account.get() gives me session info).

I send the session ID (or the Appwrite cookie) along with API requests to my gateway.

On the backend (in the API gateway), I try to validate the session by using the Appwrite Server SDK (account.getSession(sessionId)).

However, sometimes I get errors like:
Unauthorized: User is missing "account" scope.

Answer

how to validate appwrite user sessions from backend without using frontend sdks?

you’re almost there. using the server sdk and calling account.getSession(sessionId) is technically correct, but appwrite expects that the session ID is tied to a real cookie in the request (the session cookie like a_session_<projectid>).
just calling getSession(sessionId) server-side without that cookie doesn’t feel "natural" to appwrite sometimes, and then it cries "unauthorized"

the super clean way would be:

  • from your frontend, send the session cookie along with your API requests (just like browser behavior)

  • in your fastapi gateway, you pick that cookie out from the request

  • then, instead of doing getSession(sessionId), you do account.get() while sending the cookie in the request headers (meaning you gotta simulate a real user request)

problem is — appwrite server sdk doesn’t easily allow sending raw cookies manually because it's made for "server-side trusted" calls
so the workaround is:

  • make direct REST calls to appwrite’s HTTP api inside your gateway instead of using the sdk

  • send the session cookie along with the request headers manually

  • example: call GET https://[appwrite-endpoint]/v1/account with the X-Fallback-Cookies header or just forward the cookie properly

is it possible to securely auth frontend -> custom backend -> appwrite using only sessions?

yeah it's possible. it's actually the ideal old-school "session based auth" way.

flow would be:

  1. frontend logs in normally using appwrite sdk → gets session

  2. frontend stores the session cookie (automatic if you’re using browser / for react native you gotta manually do it)

  3. frontend sends requests to your api gateway, carrying the session cookie

  4. your gateway extracts the session cookie, validates the session (like i said above, direct rest call to appwrite’s /account endpoint)

  5. if appwrite says user is good, allow request to microservices

you never need jwt this way unless you want scalability across multi-clusters or mobile + web SSO type stuff later

best scalable approach if session is messy?

if one day this session way feels annoying (like cookie management in mobile gets painful)
then you gotta move to a hybrid model:

  • short-lived access tokens (like 15 mins)

  • refresh tokens (long lived, like 1 month)

  • backend issues both

  • frontend auto-refreshes access token without user even knowing

but bro seriously unless you’re scaling like crazy (like millions of concurrent users)
session auth is clean, simpler, and you can scale it horizontally by using sticky sessions or redis session storage if needed.

quick quick version of the right flow you can try right now

  1. frontend saves and sends session cookie manually

  2. fastapi gets cookie, calls https://cloud.appwrite.io/v1/account (with cookie header) inside a simple requests.get() (python’s requests lib)

  3. if 200 ok → user is valid

  4. attach user info to request context and forward it to microservices

no need jwt, no need to refresh session, no drama

Enjoyed this article?

Check out more content on our blog or follow us on social media.

Browse more articles