@User , i may have misinterpreted your question. Did you mean to ask if the session is stored & verified via the database (As opposed to what happens with JWT)? If yes, then we use a combination of JWT (access token) and opaque token (refresh tokens). This ensures that most session verifications calls are very efficient, but you also get the ability to revoke session fairly quickly.