This SDK documentation is outdated. Please do not refer to it, and instead visit the User Guides section.

Version: 6.1.X


```ts
  cookieSecure?: boolean,
  cookieSameSite?: "strict" | "lax" | "none",
  sessionExpiredStatusCode?: number,
  cookieDomain?: string,
  errorHandlers?: ErrorHandlers,
  override?: {
    functions?: function,
    apis?: function
  }
```


cookieSecure (Optional)

  • Sets whether the cookies issued by SuperTokens carry the Secure attribute (sent only over HTTPS).
  • Default: If the apiDomain uses https, this is true.

cookieSameSite (Optional)

  • Sets the SameSite attribute for cookies issued by SuperTokens.
  • Default: If the apiDomain and the websiteDomain share the same top level domain, this is lax; otherwise it is none.

sessionExpiredStatusCode (Optional)

  • The HTTP status code your backend APIs send when a session has expired.
  • Default: 401

cookieDomain (Optional)

  • The Domain attribute set on the cookies issued by SuperTokens.
  • Default: The value of apiDomain

errorHandlers (Optional)

  • You can override the default SuperTokens error handler and define your own custom handlers for the unauthorised and token-theft-detected cases.
  • Default:
    • On unauthorised: Clear the cookies and send a 401 status code to the frontend.
    • On token theft detection: Revoke the session, clear the cookies and send a 401 to the frontend.

antiCsrf (Optional)

  • See this page
  • Default: If cookieSameSite is none, this is VIA_TOKEN; otherwise it is VIA_CUSTOM_HEADER.
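
The defaults above depend on each other: cookieSecure follows the apiDomain scheme, cookieSameSite follows whether apiDomain and websiteDomain share a top level domain, and antiCsrf follows cookieSameSite. The following is an added example (not SuperTokens SDK code) that resolves a user-supplied config the way the bullets describe and rejects the one combination browsers will not accept, SameSite=None without Secure. The function name resolveSessionConfig and the helper registrableDomain are assumptions; the helper's "last two labels" rule is a simplification of "same top level domain" (a production check should consult a public suffix list), and cookieDomain is taken as the hostname part of apiDomain.

```javascript
// Added example, not part of the SuperTokens SDK. Resolves the documented
// defaults for the session config fields on this page.

// Simplified "top level domain" check: keep the last two DNS labels.
// Assumption: a real implementation should use a public suffix list.
function registrableDomain(hostname) {
  const labels = hostname.split(".").filter(Boolean);
  return labels.length <= 2 ? labels.join(".") : labels.slice(-2).join(".");
}

// Takes the user's config (apiDomain and websiteDomain required, the
// optional fields from this page allowed) and returns the resolved values.
function resolveSessionConfig(input) {
  const api = new URL(input.apiDomain);
  const site = new URL(input.websiteDomain);

  // cookieSecure: default true when apiDomain is https.
  const cookieSecure = input.cookieSecure ?? api.protocol === "https:";

  // cookieSameSite: lax when both domains share a top level domain, else none.
  const sameTld =
    registrableDomain(api.hostname) === registrableDomain(site.hostname);
  const cookieSameSite = input.cookieSameSite ?? (sameTld ? "lax" : "none");

  // Browsers drop SameSite=None cookies that are not also Secure, so this
  // combination would silently break sessions rather than just weaken them.
  if (cookieSameSite === "none" && !cookieSecure) {
    throw new Error(
      "cookieSameSite 'none' requires cookieSecure true (apiDomain must be https)"
    );
  }

  // antiCsrf: VIA_TOKEN when cookies are cross-site, else VIA_CUSTOM_HEADER.
  const antiCsrf =
    input.antiCsrf ?? (cookieSameSite === "none" ? "VIA_TOKEN" : "VIA_CUSTOM_HEADER");

  return {
    cookieSecure,
    cookieSameSite,
    // Assumption: the hostname of apiDomain stands in for "the value of apiDomain".
    cookieDomain: input.cookieDomain ?? api.hostname,
    sessionExpiredStatusCode: input.sessionExpiredStatusCode ?? 401,
    antiCsrf,
  };
}

// Constructed sample inputs: same-site production, cross-site production,
// and a local development setup on plain http.
const sameSite = resolveSessionConfig({
  apiDomain: "https://api.example.com",
  websiteDomain: "https://app.example.com",
});
const crossSite = resolveSessionConfig({
  apiDomain: "https://api.example.com",
  websiteDomain: "https://shop.example.org",
});
const localDev = resolveSessionConfig({
  apiDomain: "http://localhost:3000",
  websiteDomain: "http://localhost:3001",
});

module.exports = { registrableDomain, resolveSessionConfig, sameSite, crossSite, localDev };
```

The useful check is the thrown error: a cross-site deployment on plain http resolves to SameSite=None without Secure, which browsers reject, so the failure surfaces at startup instead of as unexplained 401s from sessionExpiredStatusCode.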

override (Optional)

  • Use this to override how the functions and APIs of this recipe behave.
  • Default: undefined