This is a fantastic run down! thank you massively. this point
> The refresh token signing key is not really needed and can be ignored. We intend to remove that signing key as it provides no security benefits.
Surely if an intruder has access to the refresh token, they can spawn more access tokens and use those to get access to your API? So it's better to have a long and secure refresh token key. And also here:
> I get an error in TypeScript: req.session (session doesn't exist on req), and when npm installing @types/express-session I get an error.
If you are using SuperTokens, you do not need to use express-session. Hence you do not need its typing either.
I get the error even without the express-session package. Without the package it says req.session (session does not exist on type Request).

I see you mention that setting CORS options is not needed for mobile apps, but in the future I will move my app onto the web as well. In this case should I just make app.options("*", function...) with all options specified by SuperTokens and add POST, GET, PATCH, PUT, DELETE, i.e. every route will have the same options, and then never think about it again (unless I need to)?

Lastly: I'm using Express. I now see my access and refresh token in headers. This is awesome. If I want to make it easy to test in Insomnia/Postman, I can't work it out; any chance you can elaborate? I've got: SuperTokens middleware, SuperTokens login, SuperTokens refresh. All work well: login returns res with headers, middleware blocks, and refresh makes a new session. I just can't put them all together for testing (without the front end SDK).

Other than this, the software is FANTASTIC!
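The "one CORS handler for every route" idea raised in the thread, as an added example that is not part of the thread and not SuperTokens' own code. It expresses the policy as a pure function so it can be checked without Express, then shows how a single middleware would apply it to all routes. The origin list and the header names ("anti-csrf", "rid", "id-refresh-token") are assumed placeholders; the real names must come from the SDK in use. The defender-relevant details it captures: the origin is echoed from an explicit allow-list (a browser refuses `*` when credentials are sent), `Vary: Origin` is set so caches do not serve one origin's headers to another, and the token-carrying response headers are only readable by a web client if they are listed in `Access-Control-Expose-Headers`.

```javascript
// Added example (not from the thread or the SuperTokens project).
// Uniform CORS policy for every route, kept framework-free for testing.
// Origins and header names below are constructed placeholders.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com", // constructed sample production origin
  "http://localhost:3000",   // local web build
]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"];
const ALLOWED_HEADERS = ["content-type", "anti-csrf", "rid"];  // assumed names
const EXPOSED_HEADERS = ["id-refresh-token", "anti-csrf"];     // assumed names

// Returns the CORS response headers for a request object of the shape
// { method, headers } (header names lowercased, as Node's http module does).
// An empty object means "add nothing": the browser will then block the call.
function corsHeadersFor(req) {
  const origin = req.headers["origin"];
  if (origin === undefined) return {};          // same-origin or non-browser client
  if (!ALLOWED_ORIGINS.has(origin)) return {};  // unknown origin: never echo it

  const headers = {
    "Access-Control-Allow-Origin": origin,      // exact origin, not "*": credentials are used
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",                           // per-origin answer must not be cached globally
  };

  if (req.method === "OPTIONS") {
    // Preflight: only succeed if every header the client wants to send is allowed.
    const requested = (req.headers["access-control-request-headers"] || "")
      .split(",")
      .map((h) => h.trim().toLowerCase())
      .filter(Boolean);
    if (requested.some((h) => !ALLOWED_HEADERS.includes(h))) return {};
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "600";
  } else {
    // Actual request: expose the token-carrying headers so a web client can read them.
    headers["Access-Control-Expose-Headers"] = EXPOSED_HEADERS.join(", ");
  }
  return headers;
}

// Express-style wiring (illustrative): register once with app.use(corsMiddleware)
// instead of repeating app.options("*", ...) per method. Not executed here.
function corsMiddleware(req, res, next) {
  const headers = corsHeadersFor(req);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  if (req.method === "OPTIONS") {
    // Preflight ends here; 403 when the origin or requested headers were rejected.
    return res.status(Object.keys(headers).length > 0 ? 204 : 403).end();
  }
  next();
}
```

Because the policy lives in one function, adding a new web origin or a new SDK header is a single edit, and the rejection branches (unknown origin, unlisted request header) are where a request log or metric would go if you want visibility into blocked cross-origin attempts.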