There are three methods of session verification that you can use with SuperTokens:
- Use the
- Use the
- Manually verify the JWT using a JWT verification lib.
The method you pick depends on your code structur and your preference:
verifySession function is a middleware, and it's the easiest to use, but it requires that your backend framework supports the concept of a middlewares. This function also writes responses to the client on its own based on the session's validity and the config you provide it.
getSession function does the same thing as the
verifySession middleware, but it won't write to the client on its own, and instead will throw errors that you can catch and handle. If these errors are left unhandled, the SuperTokens error handler will catch these errors and write to the client (just like the
verifySession middleware). You should use this function if:
- Your framework doesn't support middlewares.
- You want to do custom error handling for unauthorised, session refreshing or invalid claim errors.
- You want to build your own custom middleware that does extra checks on top of the result of
#Manual JWT verification
The JWT verification method is most suitable if:
- Your APIs are on a backend for which SuperTokens doesn't have SDKs.
- You are using a non http protocol (like websockets) and passing in the access token.
- You are using an API gateway which does JWT verification based on the JWKs endpoint.
The downside to using JWT verification manually is that:
- You will have to pick and configure a JWT verification library for your framework. There will be several online guides on how to do this though.
- You will have to manually verify some of the custom claims in the JWT (like the user's role is
admin, or that the user's email is verified) based on your authorization rules.
- You don't have access to the
sessionobject using which you can modify the session's access token payload, or revoke the session easily. These operations can of course be done in an offline manner, but they will get reflected in the user's session only after a session refresh.