Overview
There are three methods of session verification that you can use with SuperTokens:
- Use the
verifySession
middleware - Use the
getSession
function - Manually verify the JWT using a JWT verification lib.
The method you pick depends on your code structur and your preference:
verifySession
middleware#
The verifySession
function is a middleware, and it's the easiest to use, but it requires that your backend framework supports the concept of a middlewares. This function also writes responses to the client on its own based on the session's validity and the config you provide it.
getSession
function#
The getSession
function does the same thing as the verifySession
middleware, but it won't write to the client on its own, and instead will throw errors that you can catch and handle. If these errors are left unhandled, the SuperTokens error handler will catch these errors and write to the client (just like the verifySession
middleware). You should use this function if:
- Your framework doesn't support middlewares.
- You want to do custom error handling for unauthorised, session refreshing or invalid claim errors.
- You want to build your own custom middleware that does extra checks on top of the result of
getSession
.
#
Manual JWT verificationThe JWT verification method is most suitable if:
- Your APIs are on a backend for which SuperTokens doesn't have SDKs.
- You are using a non http protocol (like websockets) and passing in the access token.
- You are using an API gateway which does JWT verification based on the JWKs endpoint.
The downside to using JWT verification manually is that:
- You will have to pick and configure a JWT verification library for your framework. There will be several online guides on how to do this though.
- You will have to manually verify some of the custom claims in the JWT (like the user's role is
admin
, or that the user's email is verified) based on your authorization rules. - You don't have access to the
session
object using which you can modify the session's access token payload, or revoke the session easily. These operations can of course be done in an offline manner, but they will get reflected in the user's session only after a session refresh.