SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).

SuperTokens.com

Hi, I'm facing a problem with the `st-auth-mode` request header.

First, I do a signup request (using the email password recipe) where I set the header `st-auth-mode: cookie`. I then get a response with `Set-Cookie` headers for the access token and refresh token. This is as expected.

Next, I do a signup request where I don't set the  `st-auth-mode` header. I then get a response with both `Set-Cookie` headers *and* `st-access-token` and `st-refresh-token` headers. I do not expect to get the `Set-Cookie` headers.

I do a signup request one more time, again without setting the `st-auth-mode` header. This time only the `st-access-token` and `st-refresh-token` headers are set. This is as expected. All signup requests I do afterwards without the `st-access-token` header give the same proper result.

The second request should not have returned the `Set-Cookie` headers. Is this a known issue or am I doing something wrong?

its expected cause in the second request, the cookies from the first request must be going in the API, so our sdk clears those older cookies. Otherwise, you would still have those sAccessToken cookies from the older session interfering with the new tokens.