This will be thrown if JWT verification fails. This happens, for example, if the token has expired or the JWT signing key has changed.
This will be thrown if CSRF protection is on and anti-csrf token is missing or invalid.
When this is thrown, none of the auth cookies are removed - you should return a session expired status code which will instruct your frontend to call the refresh token API endpoint.
This function will mostly never require an I/O operation since we are using JWT access tokens (assuming that blacklisting is disabled).
If doAntiCsrfCheck is true and enable_anti_csrf (in the SuperTokens config.yaml) is set to true, this function also provides CSRF protection. We strongly recommend that you set it to true for any non-GET API that requires user auth (except for the refresh session API).
May change the access token - but this is taken care of by this function and our frontend SDKs. You do need to worry about handling this.