general
  • u

    user

    05/02/2020, 4:14 PM
    why did u join?
  • r

    rp

    05/02/2020, 4:14 PM
    I made this server.
  • u

    user

    05/02/2020, 4:15 PM
    oh haha sorry didn't know
  • r

    rp

    05/02/2020, 4:15 PM
    no worries. It's a server meant for answering questions about our product - supertokens.io
  • u

    user

    05/02/2020, 4:16 PM
    oh well i guess i am at wrong server then
  • r

    rp

    05/07/2020, 7:44 AM
    hi @User !
  • r

    rp

    05/08/2020, 9:25 AM
    hey @User !
  • u

    user

    05/08/2020, 9:45 AM
    Hi everyone. I have followed the whole setup docs and launched the SuperTokens server. But my Node Js backend does not seem to get any response while creating the session token.
  • r

    rp

    05/08/2020, 9:46 AM
    hey! thanks for trying it out. What is the error being thrown by the createNewSession function?
  • u

    user

    05/08/2020, 9:56 AM
    seems like the UserId can only be a string. I was using an integer
  • r

    rp

    05/08/2020, 9:56 AM
    yea. it must be a string
  • u

    user

    05/08/2020, 10:24 AM
    I have a question (a critique one I guess). "JWT sign-in Key Rotations" is supposed to be done in the middleware auth validation right? (I am currently using Node Js lib)
  • r

    rp

    05/08/2020, 10:32 AM
    the key is stored in the database. We use RSA keys for JWT, which means, a private key is used to sign and create JWT, and a public key is used to verify it. The nodeJS SDK gets only the public key from the service for purpose of verification. Creating a new token, or changing the signing keys happens in the service side. So if the signing key is changed, the NodeJS sdk will still have the older public key. Any new access token that comes in will fail invalidation. The SDK will then pass on the access token to the service to verify (which will succeed cause it has the latest JWT key), and in response, the NodeJS sdk will get the new public key. Also, JWT signing Key Rotations is a pro feature only.
  • r

    rp

    05/08/2020, 10:33 AM
    I'm not entirely sure I answered your question.. If not, please feel free to clarify
  • u

    user

    05/08/2020, 10:39 AM
    Thanks. The answer is very clear. It means if I had to enable Token theft detection feature, each subsequent request that requires SuperTokens middleware validation, a database call is to be made? Am I correct?
  • r

    rp

    05/08/2020, 10:42 AM
    Token theft detection has nothing to do with JWT signing key. Token theft detection is already enabled.
    > each subsequent request that requires SuperTokens middleware validation, a database call is to be made?
    No. Token theft detection happens when refreshing a session. Not validating a session.
  • r

    rp

    05/08/2020, 10:42 AM
    I'd recommend you see this: https://supertokens.io/blog/the-best-way-to-securely-manage-user-sessions
  • u

    user

    05/08/2020, 10:49 AM
    Yes I understand that. I tied your answer with subsequent questions 🤦‍♂️. I am just trying to evaluate why I would use SuperTokens while developing Laravel apps. Your solution is great as it separates the session management from the other app logic. My main concern is why the solution relies on JWT.
  • r

    rp

    05/08/2020, 10:50 AM
    Thank you! We rely on JWTs cause that way, for most API calls, your session verification can happen in < 1 MS as opposed to 50 MS.
  • r

    rp

    05/08/2020, 10:50 AM
    thereby making your APIs faster!
  • u

    user

    05/08/2020, 10:51 AM
    Once I add the blacklisting feature, will that just transform the solution from stateless to stateful authentication because of database calls? (correct me if I am wrong, I am still going through the codebase)
  • r

    rp

    05/08/2020, 10:55 AM
    Yup. That is correct. However, what we also plan on doing is that you can add blacklisting for certain APIs. Like all POST APIs can check the blacklist, whilst all GET APIs need not do that. This means that your GET APIs (which are most frequently called) will be super fast, whilst your POST APIs will get the benefit of immediate revocation. As a note, we also plan on supporting opaque access tokens. We just started off with JWTs since that's what the majority of the people we had spoken to wanted.
  • u

    user

    05/08/2020, 11:00 AM
    Alright. Thank you for your time & reply to my queries @User .
  • r

    rp

    05/08/2020, 11:01 AM
    Cheers! If you have any more questions, please feel free to ping me here.
  • r

    rp

    05/16/2020, 7:17 PM
    hey @User
  • r

    rp

    05/30/2020, 1:58 PM
    Hey @User !
  • r

    rp

    06/07/2020, 10:35 AM
    hey @User
  • u

    user

    06/07/2020, 10:36 AM
    hi
  • r

    rp

    06/07/2020, 10:36 AM
    what brings you to our server?
  • u

    user

    06/07/2020, 10:37 AM
    Haha from this article "All you need to know about user session security" Thanks a lot!