SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).

SuperTokens.com

Supertokens is setting the access token cookie like so: 
is this normal? what is the % doing in the base64 string?

yes it is normal. i checked it against mine and that is what I get too.

rp is probably going to say *can i see the request headers of the API call which throws that error?*

I found the issue. Supertokens is checking `request.cookie` and if defined, it just gets the cookie from there, assuming that the cookie header was correctly parsed already.
I had this code in my express app:
```
    req.cookies = req.cookies || {};
    req.headers.cookie?.split(";").forEach((cookie) => {
      const [key, value] = cookie.split("=");
      req.cookies[key.trim()] = value;
    });
```
This code doesn't url-decode the strings, so that was the issue. After removing this code, Supertokens looks at the request.headers and parses the cookie correctly itself.