Skip to main content

Overview

There are three methods of session verification that you can use with SuperTokens:

The method you pick depends on your code structure and your preference:

verifySession middleware

The verifySession function is a middleware, and it's the easiest to use, but it requires that your backend framework supports the concept of a middlewares. This function also writes responses to the client on its own based on the session's validity and the config you provide it.

getSession function

The getSession function does the same thing as the verifySession middleware, but it won't write to the client on its own, and instead will throw errors that you can catch and handle. If these errors are left unhandled, the SuperTokens error handler will catch these errors and write to the client (just like the verifySession middleware). You should use this function if:

  • Your framework doesn't support middlewares.
  • You want to do custom error handling for unauthorised, session refreshing or invalid claim errors.
  • You want to build your own custom middleware that does extra checks on top of the result of getSession.

Manual JWT verification

The JWT verification method is most suitable if:

  • Your APIs are on a backend for which SuperTokens doesn't have SDKs.
  • You are using a non http protocol (like websockets) and passing in the access token.
  • You are using an API gateway which does JWT verification based on the JWKs endpoint.

The downside to using JWT verification manually is that:

  • You will have to pick and configure a JWT verification library for your framework. There will be several online guides on how to do this though.
  • You will have to manually verify some of the custom claims in the JWT (like the user's role is admin, or that the user's email is verified) based on your authorization rules.
  • You don't have access to the session object using which you can modify the session's access token payload, or revoke the session easily. These operations can of course be done in an offline manner, but they will get reflected in the user's session only after a session refresh.