> why is then the session verification part of the example?
Just to show how one could do session verification in a lambda function.
> but does every regular function also has to be wrapped in Express? and have the CORS part?
If you are using supertokens in that function, then yes.