
This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.

How session interception works

The session recipe is in the supertokens-website repo.

It works on the basis of adding interceptors to fetch and axios instances. In a nutshell, it:

  • Before sending a request: Adds anti-csrf token measures if necessary, plus the st-auth-mode and authorization headers.
  • After the response:
    • If a new session is created, it saves the various tokens in the frontend cookies.
    • If a session is revoked, it removes those tokens from the frontend cookies.
    • If a refresh is required, it calls the refresh API and then retries the original request.

It also provides ways to check if a session exists, get the access token payload on the frontend, and to sign out.
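
The request and response steps listed above, sketched as a simplified fetch wrapper. This is an added example, not code from supertokens-website: `makeSessionFetch`, the `Map` standing in for the frontend cookies, the token header names other than st-auth-mode and authorization, the 401 status and the refresh path are all assumptions made for illustration.

```javascript
// Added illustration, not code from supertokens-website. Assumptions: the
// anti-csrf / st-access-token / st-refresh-token header names, an empty token
// header meaning "revoked", 401 meaning "refresh required", the refresh path,
// and a Map standing in for the frontend cookies.
const REFRESH_PATH = "/auth/session/refresh"; // assumed path
const SESSION_EXPIRED = 401; // assumed status
const TOKEN_HEADERS = [["st-access-token", "accessToken"],
  ["st-refresh-token", "refreshToken"], ["anti-csrf", "antiCsrf"]];

function makeSessionFetch(baseFetch, store) {
  let refreshing = null; // shared promise: parallel 401s trigger one refresh

  // Before sending: st-auth-mode, authorization and the anti-csrf token.
  function outgoingHeaders(extra = {}) {
    const h = { ...extra, "st-auth-mode": "header" };
    if (store.get("accessToken")) h.authorization = `Bearer ${store.get("accessToken")}`;
    if (store.get("antiCsrf")) h["anti-csrf"] = store.get("antiCsrf");
    return h;
  }

  // After the response: save new tokens, remove revoked (empty) ones.
  function absorb(res) {
    for (const [header, key] of TOKEN_HEADERS) {
      const v = res.headers.get(header);
      if (v === null || v === undefined) continue;
      if (v === "") store.delete(key); else store.set(key, v);
    }
    return res;
  }

  async function refresh() {
    const headers = { "st-auth-mode": "header",
      authorization: `Bearer ${store.get("refreshToken")}` };
    const res = absorb(await baseFetch(REFRESH_PATH, { method: "POST", headers }));
    if (res.status !== 200) store.clear(); // failed refresh: drop every token
    return res.status === 200;
  }

  return async function sessionFetch(url, init = {}) {
    const send = async () =>
      absorb(await baseFetch(url, { ...init, headers: outgoingHeaders(init.headers) }));
    let res = await send();
    if (res.status === SESSION_EXPIRED && store.get("refreshToken")) {
      refreshing = refreshing || refresh().finally(() => { refreshing = null; });
      if (await refreshing) res = await send(); // retry the original request once
    }
    return res;
  };
}
```

The shared `refreshing` promise keeps several requests that expire at the same moment from each calling the refresh API, and the original request is retried only once so a rejected session cannot loop.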

