c
I also had a doubt regarding removing a user session. If I use the remove session endpoint (`/recipe/session/remove`) and get a 200 response code, the session is removed from the DB (I cannot see it in the all user sessions endpoint (`/recipe/session/user`); I did this just to confirm that the session is removed). But if I pass the access token to the session verify endpoint (`/recipe/session/verify`), why does it still return status code 200 when I have removed the session from the db?
r
Hey!
That’s cause the access token is verified in a stateless way, without querying the db
So when it expires, it will fail verification. Or when you use the refresh token, that will fail verification as well
If you want it to always check the db, then you can switch on access token blacklisting config in the core
c
Okay, got it. But if I still want to use the stateless way and horizontally scale the SuperTokens Auth Core, will this behaviour still be consistent? If possible, can you tell me in brief what is happening behind the scenes when I hit the session verify endpoint (`/recipe/session/verify`)? It will clear up a lot of things for me. Thanks
r
> But if I still want to use the stateless way and horizontally scale the SuperTokens Auth Core, will this behaviour still be consistent

Yes.

> If possible can you tell me in brief what is happening behind the scenes when I hit the session verify (/recipe/session/verify)?

It essentially verifies the access token with the public key that it has in memory. If the public key fails to verify, it tries to find the latest public key from the db and verifies with that (which is a rare event). If verification is successful, it returns 200 success. If you have switched on access token blacklisting, it does the same verification, but then after that, it checks if the session handle in the access token is actually present in the db or not. If it's not, it returns a failure case.
c
Okay, got it. Thanks for all the help and quick replies, I really appreciate it.