Surely if an intruder has access to the refresh to...
# general
r
> Surely if an intruder has access to the refresh token, they can spawn more access tokens and use those to get access to your API?

Yes. But when they use that refresh token, they will also be getting a new refresh token - this is known as rotating refresh tokens. This change will allow us to detect theft of the refresh token, since after the new one is issued, the victim will still use the old one at some point - which is a clear anomaly - and this will result in `TOKEN_THEFT_DETECTED_ERROR`.

> I get the error even without the express-session package. Without the package it says req.session (session does not exist on type Request)

Hmm. This means somewhere you are using that in your code - in the supertokens library, there is no such reference to a session object inside the req object.

> Every route will have the same options and then I never think about it again (unless I need to)?

Yes. That can work.

> If I want to make it easy to test in Insomnia/Postman, I can't work it out, any chance you can elaborate?

I could elaborate here, but it would take me lots of time to type it out. Is it possible we can have a call with screen share so I can show it to you?