Hey! So for web sockets, what usually happens is that you initiate a web socket via a http call (during which u can use SuperTokens for session authentication), and once a websocket connection is established, then u can freely communicate in that since true websockets isn’t stateless (unlike http) so there isn’t any risk of spoofing user identity in that.