> To check if a user is authenticated in Server Side Rendering, we use the function: getSession(). Does this function execute an internal API CALL or does it call a module function without HTTP request?
It does stateless verification of the session. Sometimes, it has to talk to the SuperTokens core, so it contacts it via HTTP.
> Are the user sessions stored in the database? Or does supertokens use JWT tokens?
The access token is a signed cookie, so it's not stored in the db. But the refresh token's hash is stored in the DB.
> Compared to NEXT AUTH, is supertokens more efficient?
On the backend, SuperTokens does session verification in a stateless way, so no IO calls and hence it's very efficient and quick.
On the frontend, SuperTokens stores "proxy tokens" (non-sensitive tokens) in frontend-set cookies, which tell the frontend if a session exists or not. So even for protected routes on the frontend, it doesn't need to do any API call.
I believe that with NextAuth, it requires an API call on the frontend each time a protected route is loaded (to check if a session exists). Therefore, I would say that SuperTokens is more efficient (but please do correct me if I am wrong here about NextAuth).
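
Added example, not part of the original reply and not SuperTokens' own code: a generic Node.js sketch of the pattern described above, where a signed access token is verified with no storage lookup and only the hash of the refresh token is kept server-side. The token layout, HMAC-SHA256 signing, single-use refresh and all names (`issueSession`, `verifyAccessToken`, `refresh`, `refreshStore`) are assumptions made for illustration.

```javascript
// Illustrative only: token format and function names are hypothetical, not SuperTokens' API.
const crypto = require("node:crypto");

const SIGNING_KEY = crypto.randomBytes(32); // constructed server-side signing key
const refreshStore = new Map();             // stands in for the DB: sha256(refresh token) -> session

const b64 = (data) => Buffer.from(data).toString("base64url");
const sign = (body) => crypto.createHmac("sha256", SIGNING_KEY).update(body).digest();
const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");

function issueSession(userId, now = Date.now(), ttlMs = 60000) {
  const body = b64(JSON.stringify({ sub: userId, exp: now + ttlMs }));
  const accessToken = `${body}.${b64(sign(body))}`;
  const refreshToken = b64(crypto.randomBytes(32));
  // Only the hash is persisted, so a leaked store does not yield usable refresh tokens.
  refreshStore.set(sha256(refreshToken), { userId });
  return { accessToken, refreshToken };
}

// Stateless check: signature and expiry only, no store lookup and no network call.
function verifyAccessToken(token, now = Date.now()) {
  const [body, sig] = String(token).split(".");
  if (!body || !sig) return null;
  const expected = sign(body);
  const given = Buffer.from(sig, "base64url");
  // Compare in constant time; parse the claims only after the signature checks out.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  return claims.exp > now ? claims : null;
}

// Stateful path: the presented refresh token is hashed and looked up in the store.
function refresh(refreshToken, now = Date.now()) {
  const key = sha256(String(refreshToken));
  const session = refreshStore.get(key);
  if (!session) return null;
  refreshStore.delete(key); // assumption of this sketch: refresh tokens are single-use
  return issueSession(session.userId, now);
}
```

The trade-off this makes visible: an access token stays valid until its `exp` even if the stored session is deleted, which is why such tokens are kept short-lived.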