Access Token Blacklisting

By default, session verification is stateless. This means that SuperTokens does not check that the session actually exists in the database, and only verifies the session by checking its signature. Whilst this makes session verifications fast, it also means that if a session is revoked, the user will still be able to use it until the access token expires.

If you want session verification to fail immediately after a session has been revoked, use this feature. Since it can be enabled on a per-API basis, we recommend using it only for non-GET APIs, since only those change state.

This feature works by passing the checkDatabase option when verifying the session, as shown below.

Caution

For managed service users, please check our rate limit policy before implementing this feature. If you suspect that you will breach the free limit, you can:

  • Email us to increase your rate limit.
  • Use the checkDatabase flag only on certain important APIs. For example, omit it in any GET API, as those are not state changing.
  • Implement your own method for keeping track of revoked access tokens by using a cache like Redis.

Using the verifySession middleware

import express from "express";
import { verifySession } from "supertokens-node/recipe/session/framework/express";
import { SessionRequest } from "supertokens-node/framework/express";

let app = express();

// checkDatabase: true makes verifySession confirm that the session still exists
// in the SuperTokens core, so a revoked session is rejected immediately instead
// of being accepted until its access token expires.
app.post("/like-comment", verifySession({ checkDatabase: true }), (req: SessionRequest, res) => {
    let userId = req.session!.getUserId();
    //....
});

Using getSession

import express from "express";
import Session from "supertokens-node/recipe/session";

let app = express();

app.post("/like-comment", async (req, res, next) => {
    try {
        // checkDatabase: true makes getSession confirm that the session still exists
        // in the SuperTokens core, so a revoked session is rejected immediately.
        let session = await Session.getSession(req, res, { checkDatabase: true });

        if (session !== undefined) {
            let userId = session.getUserId();
        } else {
            // user is not logged in...
        }
        //....
    } catch (err) {
        // pass verification errors to the SuperTokens error handler
        next(err);
    }
});