#general
rp

03/26/2020, 5:29 AM
> if one hits /login endpoint multiple times, it makes multiple sessions in db, is this intended?

Yes. Because this is like the user is logging in via different devices. So each has their own session. If you want the login to not create a session in case one already exists, you can check if a session exists by calling the `getSession` function.

Since yours is a mobile app, `UNAUTHORISED` should send session expired status code (440). In this case, the frontend SDK will throw this status code to your code and then you can take the user back to the login screen. In case of `TRY_REFRESH_TOKEN`, you also need to send 440. The frontend SDK will take care of calling your refresh API and regenerating the session.

If you want to test your middleware via Postman, then you have to first create a session by calling your login API. That will return a few tokens (in headers and cookies). You must then pass those tokens to any of your APIs that use this middleware as cookies and headers. Which token goes where can be seen here: https://supertokens.io/docs/nodejs/usage-without-express/verify-session

You can recreate tables without the need for a new license. However, of course, your data will be lost.

For options API, you can have something like `app.options("*", function...)`. Using `*` should make all OPTION calls go to this API. However, you will have to make `Access-Control-Allow-Methods` `POST`, `GET`, etc... depending on how many types of APIs you have.