SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).

SuperTokens.com

Alright. So you would need to do the following:
- On the frontend, you would have to set the `websiteDomain` to whatever the current sub domain is. This would restrict the session to work only within that sub domain.
- On the backend, you can set the `websiteDomain` value to your top level domain, but you would have to define the `GetResetPasswordURL` (https://pkg.go.dev/github.com/supertokens/supertokens-golang@v0.3.0/recipe/emailpassword/epmodels#TypeInputResetPasswordUsingTokenFeature) and `GetEmailVerificationURL` (https://pkg.go.dev/github.com/supertokens/supertokens-golang@v0.3.0/recipe/emailpassword/epmodels#TypeInputEmailVerificationFeature) functions to return the right sub domain URL depending on who is trying to reset their password or verify their email (a regular user or a brand)