Supertokens doesn't appear to be validating my CSR...
# support-questions-legacy
v
Supertokens doesn't appear to be validating my CSRF header, and I don't think I've turned off CSRF protection anywhere
r
hey @vivalapanda by default, we do CSRF checks on non GET APIs. We do this by checking if there is a header present in the request (`rid` header), which is auto added to the request header by our interceptor on the frontend. This is one way to do CSRF checks: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#use-of-custom-request-headers

The other way is an anti-csrf token, which is something you need to enable on the backend (see http://localhost:3000/docs/session/common-customizations/sessions/anti-csrf#manually-enable-anti-csrf). You will have to set the value of `antiCsrf` to `VIA_TOKEN`. However, this is not really needed usually since the custom header method should be good enough. Is there something else you were looking for?
v
I removed the custom header from a request in curl and the request still succeeded (tried this because a pentester indicated our anti csrf wasn't fully working)
r
is that a GET request?
Cause in GET API calls, there is no csrf check that's needed.
Also, which version of the backend sdk are you using?