If I am not using cookies and relying on JWT. The verifySession method on express framework is not good. I googled and got this custom method. https://supertokens.com/docs/thirdparty/common-customizations/sessions/session-verification-in-api/get-session#getsession-vs-verifysession But unfortunately, the session is always empty. I have a proper header with Authorization: Bearer JWT_TOKEN format. Any heads up for what possibly be the case? Oh also since I am usign Hasura, I have enabled custom claims and I have enabled JWT with session.

Hey @hitesh you will need to verify the JWT using any JWT verification lib. Our verifySession function doesn’t work with a JWT, and only works with the supertokens access token.

Any examples you can point me to?

So this requires JWKS_URI Can I use the same method as supertokens that generates the URI? The same server is generating and consuming it, it doesnt make sense to route the consumtion through HTTP

You could hard code the public key in your backend app. There is a section about that too in our docs. The same page as above.

If I hard code it, does it change over time?

It doesn’t.

Do I need to pass the same certificate to supertokens core or the custom supertoken auth server?

no

I wrote this as a verifySession middleware. export function verifySession() { return async (req: Request, res: Response, next: NextFunction) => { if (!req.headers.authorization) { return res.status(401).send("Authorization header is required"); } let jwt = req.headers.authorization.split(" ")[1]; console.log(process.env.JWKS_CERT!); console.log(jwt); JsonWebToken.verify(jwt, certificate, {}, function (err, decoded) { let decodedJWT = decoded; // Use JWT console.log(decodedJWT); console.log(err); }); next(); }; } but it says

JsonWebTokenError: secret or public key must be provided

Any suggestions?

See this section: https://supertokens.com/docs/session/common-customizations/sessions/with-jwt/jwt-verification#method-2-using-public-key-string

export function verifySession() {
  return async (req: Request, res: Response, next: NextFunction) => {
    if (!req.headers.authorization) {
      return res.status(401).send("Authorization header is required");
    }
    let jwt = req.headers.authorization.split(" ")[1];
    console.log(process.env.JWKS_CERT!);
    console.log(jwt);
    JsonWebToken.verify(jwt, certificate, function (err, decoded) {
      let decodedJWT = decoded;
      // Use JWT
      console.log(decodedJWT);
      console.log(err);
    });
    next();
  };
}

Modified as per your function.