Supertokens is setting the access token cookie like so: is this normal? what is the % doing in the base64 string?

yes it is normal. i checked it against mine and that is what I get too.

I found the issue. Supertokens is checking

request.cookie

and if defined, it just gets the cookie from there, assuming that the cookie header was correctly parsed already. I had this code in my express app:

req.cookies = req.cookies || {};
    req.headers.cookie?.split(";").forEach((cookie) => {
      const [key, value] = cookie.split("=");
      req.cookies[key.trim()] = value;
    });

This code doesn't url-decode the strings, so that was the issue. After removing this code, Supertokens looks at the request.headers and parses the cookie correctly itself.