You can use that along with our verifySession middleware by passing sessionRequired: false in the verifySession function. So in case a supertokens session exists, you use that, otherwise you try and verify the JWT header.