Can I share tokens somehow between subdomains? So let's say I have app.todolists.io and admin.todolists.io so I can do some user management or whatever in the adminpanel. Can I share my login between those two apps so I don't have to reauthenticate? (and maybe I would have an account.todolists.io for language and theme preference for example, or to enable 2fa in the future ;-))

Yes!

None yet, still exploring the features. But I think I'd want email/password + passwordless, but there's no recipe for that yet ;-)

Well, you can customise your way through doing that. We have a demo app that does thirdpartyemailpassword + passwordless: https://github.com/supertokens/supertokens-auth-react/tree/master/examples/with-thirdpartyemailpassword-passwordless Now to answer your question, you can change the session config as shown here: https://supertokens.com/docs/passwordless/common-customizations/sessions/share-sessions-across-sub-domains And can share a session across the sub domains. This would work as long as the sub domains all query the same API domain. If you also have different API domains (different sub domains), you can share the session across them too like this: https://supertokens.com/docs/passwordless/common-customizations/sessions/multiple-api-endpoints

I would have one api domain, in this example api.todolists.io so that sounds good!

Then you can ignore the last link I sent