SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).

SuperTokens.com

Thanks for your answer, our API will actually be on a domain of it's own let's say api.xxx.io
But we have two different domains for our client websites, xxx.eu and xxx.com, and when initializing Supertokens on the backend we can only define one website domain

the websiteDomain on the backend is used for generating reset password or email verification links and setting cookie attributes.

You can set the websiteDomain to any one of those domains, and then:
- override the sendEmail function for email verification / reset password (if applicable) to change the link's domain based on the request's origin.
- set cookieSameSite property in session.init on the backend to "none"

Oh that's good news! Thanks for the info, will try it that way. We thought we would have issues when trying to initialize sessions from a different origin than the websiteDomain, but now it's more clear.