SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).

SuperTokens.com

[Paswordless, plain JS, own UI] When checking if the session exists with doesSessionExist, a call is made to <WEB_DOMAIN>/auth/session/refresh. There's no further detail in the documentation about how to implement this. Seeing your FDI OpenAPI spec, there's a <API_DOMAIN>/auth/session/refresh. Should the first forward the request to the latter? :/

It should be calling the API_DOMAIN, are other calls working?

what would be the other? The 5 endpoints exposed by the backend SDK seem to be working fine