
x46jt (x46jt) asked a question.
In the backend I need to validate the session token received from the client.
I read https://support.okta.com/help/s/question/0D50Z00008C3jZ3SAJ/what-is-the-best-practice-to-validate-sessiontoken-without-having-to-recreate-a-new-sessionid-each-time?language=en_US, which recommends that a session ID can be created.
However, on https://developer.okta.com/docs/reference/api/sessions/ it says "Don't use this API unless you need a Session id".
I don't need a session ID, I just want to validate that it is correct. Moreover, a session ID can only be created once from a session token, so the operation is not idempotent. E.g. the user might click the button several times, and each time I want to validate the session token in the backend, but creating a session ID after the first button click will fail unless the session token has changed.
On that sessions page, it says, if a session ID is not needed, to use one of the methods described on https://developer.okta.com/docs/guides/session-cookie/main/#retrieve-a-session-cookie-through-the-openid-connect-authorization-endpoint.
I think I should use "Retrieve a session cookie through the OpenID Connect authorization endpoint", which would lead to an HTTP request like this:
The redirect_uri parameter is weird because I certainly don't want Okta to call back somewhere, I just want to verify the session token. But maybe it will not be used.
So is the /authorize endpoint the way to go?

Hi, @x46jt (x46jt)
Thank you for posting on our Community page!
My advice would be to leverage the Okta Developer forums for this type of question and take advantage of their expertise.
https://devforum.okta.com/
Thank you for reaching out to our Community and have a great day!