how did we get to a state where our logout request...
# support-questions-legacy
r
> how did we get to a state where our logout requests would get a 440 (token expired response) even though we logged in only seconds earlier

The most common reason for this is some misconfiguration or some cookies that were left from before after which there was a config change.

> Why is there a difference in the cookies I'm seeing when I point our web app to our dev environment vs. pointing it to our local environment

In local env, the API domain is also localhost. This means the access, refresh tokens will be visible. In your dev env, the API is something else and the access and refresh token will be attached to that domain (and not localhost). So if you navigate to your API domain on the browser, you will see the access token.

> What happens if the websiteDomain does not match the origin of the request?

Can you give me specific values for what you have so I can answer? Otherwise there are too many possibilities.

> how does the ST lib use the apiDomain and the websiteDomain?

For sessions, the websiteDomain is used for sFrontToken, sAntiCsrf and sIRTFrontend tokens. This is so that the JS running on your website can read these values. The apiDomain is used to attach httpOnly access and refresh tokens.

-----------------

- You can remove `disableDefaultImplementation: false` as that is the default anyway.
- I suggest upgrading to supertokens-node `3.4.2` and the latest version of supertokens-core since those handle a lot of session related configs automatically. (Though if you are not facing any issues, you don't need to)