Skip to main content

Access Token Blacklisting

By default, session verification is stateless. This means that SuperTokens does not check that the session actually exists in the database, and only verifies the session by checking it's signature. Whilst this makes session verifications fast, it also means that if a session is revoked, the user will still be able to use it until the access token expires.

If you want session verifications to fail immediately after the session has revoked, you should use this feature. Since you can use this feature on a per API basis, we recommend that you only use it for non GET APIs since only those are state changing.

This feature works by passing the checkDatabase option when verifying the session as shown below.

Using the verifySession middleware#

import express from "express";
import { verifySession } from "supertokens-node/recipe/session/framework/express";
import { SessionRequest } from "supertokens-node/framework/express";

let app = express();

app.post("/like-comment", verifySession({ checkDatabase: true }), (req: SessionRequest, res) => {
let userId = req.session!.getUserId();
//....
});

Using getSession#

import express from "express";
import Session from "supertokens-node/recipe/session";

let app = express();

app.post("/like-comment", async (req, res, next) => {
try {
let session = await Session.getSession(req, res, { checkDatabase: true })

if (session !== undefined) {
let userId = session.getUserId();
} else {
// user is not logged in...
}
//....
} catch (err) {
next(err);
}
});
Looking for older versions of the documentation?
Which UI do you use?
Custom UI
Pre built UI