What would be the correct way to verify a session without the client accessing the API? I need to use PHP to get the token then verify it through the API instead of the client directly communicating with the API

Hey.

Thank you @rp_st When Im on a subdomain, say site.mydev.com then I send a signin post to auth.mydev.com and in my cors Ive added site.mydev.com and in the Session.init recipe I added .mydev.com, should it be creating a login cookie when I make the post from live?

> creating a login cookie when I make the post from live? What do you mean by from live?

Im not sure if the API will create the cookies for me or if I need logic on the front end to create the cookies? Sorry by live I mean site.mydev.com

it should be. The session tokens will be attached to auth.mydev.com and whenevr you query that from any of your sub domains, it will send those session tokens along with the requests (as lng as you use our frontend sdk on that domain)

I can see in my cookies sFrontToken but no sAccessToken? When I use the login function with the SDK

The sAccessToken is attached to the api domain

Okay I see, Im not sure if Im missing something important then because how would I then verify my login session without the front end directly communicating to the api? Since in this case its a php website and the php needs to verify the jwt

What’s the domain of the php api?

The PHP is what is serving the web page, the domain would be site.mydev.com in the example

Right. So you can share session cookies across sub domains as well: https://supertokens.com/docs/session/common-customizations/sessions/multiple-api-endpoints