tom-glyphic

03/02/2023, 3:35 PM
Hi, I'm using the EmailPassword Recipe with hosted Supertokens, but on user sign in I'm getting 401 errors from <my_domain>/auth/session/refresh. Is this endpoint used for the EmailPassword recipe, and why would it be returning 401? From the docs it seems to only be within the Session Recipe (https://app.swaggerhub.com/apis/supertokens/FDI/1.16.0#/Session%20Recipe/refresh)

rp

03/02/2023, 3:37 PM
hey @tom-glyphic can you enable backend debug logs and show me the output?
tom-glyphic

03/02/2023, 3:57 PM
Here are the logs, which show a successful POST /auth/signin request; it then tries to make GET requests to our own /auth/organization/ and /auth/user/ and the POST /auth/session/refresh, which all fail with 401.
This is when attempting to log in with an existing user, in incognito mode so there is no cookie.

rp

03/02/2023, 4:05 PM
So when you first visit the site, a 401 is expected from this API. But after you sign in, then it should all just work.
The reason this API is called first is because the frontend SDK doesn't yet know if a session exists or not.
So calling this API tells the frontend SDK if a session exists and, according to that, it can show the relevant UI etc.

tom-glyphic

03/02/2023, 4:11 PM
The effect is that the UI is being redirected back to the sign in page, even after the auth/signin returned 200 (the sub pages are wrapped in <SessionAuth /> from supertokens-auth-react/recipe/session).
But this only happens when running in incognito.

rp

03/02/2023, 4:12 PM
Hmm. That’s odd. If the signin api is succeeding, then it should not cause a refresh failure.
Are you using header based or cookie based auth?
tom-glyphic

03/02/2023, 4:15 PM
We don't set tokenTransferMethod explicitly, but from the request headers it looks like it's defaulting to st-auth-mode: cookie.

rp

03/02/2023, 4:24 PM
Hmm. Right. Can I see the sign in response headers? And also the cookie store after the api is called.
Screenshots will do
What does it say on the orange triangle when you hover on it?
Right. So I think in Chrome incognito, it doesn't allow cross-site cookies.
So you may want to switch to using header-based auth. Search for "token transfer method" in our docs.