CSRF Protection for both NextJS and external API.
# support-questions-legacy
a
Just wanted to confirm something. I see supertokens has CSRF built in by default. I personally use this with my Next.JS (app dir) application and external Express.JS API. Both share the same connection uri. I am essentially then allowing users to configure stuff on a dashboard (via the Next.JS application), which typically calls the built in Next.JS API, which then may call my external API. Basically, I am wondering if my external Express.JS API would also be protected from CSRF attacks by default, assuming configs are correct.
r
Are you using our session verification function like verifySession or getSession in your express api? If so, then yes, it will be protected too.
a
Alright, thanks.