Also, which SuperTokens recipes are you using?

or does each of the frontend domain query the api via some reverse proxy domain that is specific to that frontend?

So what you want to do is: 1) set the websiteDomain value to be

domain1.com

(doesn't really matter though) 2) set the

cookieSameSite

config in the

Session.init()

to be

"none"

- this will allow sharing of cookies cross domain. 3) override the

emailDelivery

config in ThirdPartyEmailPassword to change the password reset's and email verification's link's URL to point to the right domain based on the origin of the request. You can get the origin of the request from the

userContext

input variable in the function. See this: https://supertokens.com/docs/thirdpartyemailpassword/email-delivery/custom-method Finally, setting sameSite for cookie to

none

will have the issue that it won't work on safari when domain2.com queries api.domain1.com. The best way to solve this is to setup a reverse proxy for each of the frontends so that the base domain they query is the same. For example, domain2.com should query api.domain2.com as well (api.domain2.com may point to the same IP address as api.domain1.com). For mobile apps, if you want to enable deep linking, then when you override the emailDelivery config, then you can change the domain in the URL to be the deep link for your mobile app.

You can also change SuperTokens to use localstorage and headers instead of using cookies.. and this way there will be no issue with safari either. However, using localstorage has security issues (token theft via XSS is possible). But you can do it.. here is a demo app doing the same: https://github.com/supertokens/supertokens-auth-react/tree/master/examples/with-localstorage

Else go with the localstorage route. It’s not too bad cause we use rotating refresh tokens which limits the risks of token theft anyway.

Thanks for your help