# support-questions-legacy
r
Hello guys! Small question for you: we are using the supertokens-web-js library and I noticed that when we call the `createCode` function it seems to also call `session/refresh`. Do you know why? Many thanks.
r
Hey. Which recipe are you using?
r
passwordless
r
Hmm. That function doesn’t call the refresh api at all
What’s the contents of the cookie store on the frontend?
r
there is no cookie it's on a fresh private session
r
Right. So the refresh is called once per new visitor to check initially if a session exists or not
But after that, it shouldn’t be called again unless the user logs in and their access token has expired
So it’s not really related to createCode function call
r
so why do I see the refresh call every time I start a new session and exactly the moment I call the createCode ?
r
So when the refresh api is called, and it returns a 401, is there anything that’s stored in the cookies?
You should see a cookie with the name `st-last-access-token-update` stored.
r
yes indeed
r
right, and then if you just simply reload the page, do you see a call to the refresh API again?
r
no
But I mean why when I start a new private session I see the call to refresh after the createCode ?
r
yea that's odd. That call should happen whenever you check if a session exists and if it's a new private window
it's not related to createCode really.
but if you are making your own UI, it really also depends on when you call the function.
r
And is there a way to prevent this refresh call if we don't have the st-access-token in the cookie?
r
There is. You can override the refresh function on the frontend. But if you do that, it may mess up our frontend SDK's logic, so be careful.
r
Oh OK, I'm not going to touch it now then, but I would like to prevent these not-needed calls to our API.
r
well, it's there for a reason.
but it should happen just once per private session
r
OK thanks, and for my curiosity, what is the reason to try to refresh the session if the user is not logged in?
r
Because the frontend needs to know if a session exists. Now normally, you could do that by checking if the right cookies exist on the frontend, but in browsers like Safari, those cookies are auto-cleared after 7 days of inactivity, so the only reliable way to know if a session exists is by checking if httpOnly cookies exist, which only the backend can check.
r
Alright
thanks for the explanation