So with SuperTokens, we abstract away token and session management for you (using AT and R-RT). We essentially allow you to handle access on a device level (one session per device). So you can do the following in your login API: - For the current user (after successful password check), get all devices they are logged into using

supertokens.getAllSessionsForUser(userId)

(in Node JS). - If the returned array length is >= 1, then don't allow the user to login, else successfully log them in. If you want this to be race condition proof, then in your login API, after you check the user's password, then you should take a distributed lock on the userId, and then do the above check.