SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).

SuperTokens.com

In our deployment scenario, we have `auth-api.example.com` which serves as the SuperTokens backend, `gateway-api.example.com`, which is the API backend for our websites, and 2 websites `alpha.example.com` and `beta.example.com`. Each website is logging in users using `auth-api.example.com` as the backend.

I am confused about what the value of `websiteDomain` needs to be for `auth-api.example.com`. Should it be `https://example.com`?

the websiteDomain can just be `https://example.com`. You would need to override the sendEmail function of the recipes (in the emailDelivery config of the recipe) to change the domain on the fly based on the req object's origin header.

Yup. You will have to configure cors to allow both the domains.