> why is then the session verification part of the example? Just to show how one could do session verification in a lambda function. > but does every regular function also has to be wrapped in Express? and have the CORS part? If you are using supertokens in that function, then yes.