Token theft detection has nothing to do with JWT signing key. Token theft detection is already enabled. > each subsequent request that requires SuperTokens middleware validation, a database call is to be made? No. Token theft detection happens when refreshing a session. Not validating a session.