React native apps do not work on the web. They are native apps only. If you intend to use the same APIs for a website, then you should add these CORS headers. > Here it says we can revoke session, but this is in catch block so session variable is not defined. How is this done? You can revoke a session using the

sessionHandle

as mentioned in this page: https://supertokens.io/docs/nodejs/usage-with-express/user-logout#call-the-revokesessionusingsessionhandle-function-api-reference-api-reference-revoke-session-using-session-handle > there is no response sent from the /api/session/refresh example except a string saying Check the headers that are sent from this API call. You will see new tokens there. > How do I change the 'Signing Key' for the JWT and Refresh tokens, as these are signed with a specific key. How will I be able to set my signing keys for both? The signing key for access token is managed by our library. You cannot set it to something specific as it is an implementation detail. This key also keeps changing over time as to not bottleneck your entire user security on this part. The refresh token signing key is not really needed and can be ignored. We intent to remove that signing key as it provides no security benefits. > I get an error in typescript req.session (session doesnt exist on req) and when npm installing @types/express-session I get error If you are using SuperTokens, you do not need to use

express-session

. Hence you do not need its typing either. > it makes requests to /categories for example but it fails with "must refresh token" how do I get supertest to work So when you get the refresh token error, you must call the refresh endpoint. This is something that's taken care by the frontend SDK which we are making for react-native. If you are using postman, to test, then you should manually call the refresh API with the cookies set.