waiting-for-dev / devise-jwt

JWT token authentication with devise and rails


Session Store Caveat Solution?

glundgrenm opened this issue · comments

Hello, I am on Rails 6.1.4, ruby 2.7.4, devise 4.8.1, devise-jwt 0.9.0

Regarding the Session Store Caveat, the docs' recommendations are not working at all. The only way I managed to disable the cookie being set with the user session (both on sign_in and sign_up) was:

  1. Adding protect_from_forgery with: :null_session to application_controller.rb
  2. Making sure that sessions_controllers.rb and registrations_controllers.rb don't have this: skip_before_action :verify_authenticity_token (it actually only worked after I removed these)
  3. Removing/commenting out all the skip_session_storage

Doing this, it stopped sending the Set-Cookie header only for the Devise API requests, but the ActiveAdmin and the rest of the API controllers' sessions kept working.

Actually, I don't have a clue why it happened; any help clarifying?

Not sure. However, if you don't need cookies you can disable session storage altogether.

I'm experiencing the same issue.

Rails 6.1.6.1, ruby 2.7.5, devise 4.8.1, devise-jwt 0.9.0

As I can't disable cookies entirely, for the sessions controller my solution was to disable session through warden store option:

# controllers/custom_sessions_controller.rb
class CustomSessionsController < Devise::SessionsController
  def create
    # Only store the authenticated user in the session for non-JSON requests,
    # so JWT (JSON) sign-ins do not emit a Set-Cookie header
    self.resource = warden.authenticate!(auth_options.merge(store: !request.format.json?))
    # ...
  end
end

And as for the create action (which is called when signing up), I had to override the sign_up method:

# controllers/custom_registrations_controller.rb
class CustomRegistrationsController < Devise::RegistrationsController
  protected

  # Devise's default sign_up calls sign_in, which pushes the new user into
  # the session; a no-op override keeps JSON sign-ups from setting a cookie
  def sign_up(resource_name, resource)
    # Do nothing. Originally, this method calls:
    #   sign_in(resource_name, resource)
  end
end

But I'm not sure if this is the best approach.

To make this work gracefully, you need to overload sign_up to deal with the user being pushed to the session on create, as @democlitos mentioned, and use the store: false option

see #235 (comment)
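The following is an added example, not code from the devise-jwt project or from anyone in this thread. It models why both overrides above (store: false in the sessions controller and a no-op sign_up in the registrations controller) are needed: constructed stand-ins for Warden's store: contract and for the Rails cookie store's rule that Set-Cookie is only emitted when the session hash changed, with a constructed user id of 42.

```ruby
# Constructed stand-ins for the Warden / Devise / cookie-store pieces involved
# in the Set-Cookie leak. This is a model of the mechanism, not the gems' code.
USER_ID = 42 # constructed sample user

class FakeWarden
  def initialize(session)
    @session = session
  end

  # Warden writes the user into the session unless store: false is passed.
  def set_user(user_id, store: true)
    @session['warden.user.user.key'] = [[user_id]] if store
    user_id
  end

  def authenticate!(store: true)
    set_user(USER_ID, store: store) # pretend the credentials were valid
  end
end

# SessionsController#create as patched in the thread: store only for non-JSON.
def sessions_create(warden, json_request)
  warden.authenticate!(store: !json_request)
end

# RegistrationsController#create calls sign_up, which by default calls
# sign_in, i.e. warden.set_user with the default store: true. Overriding
# sign_up with a no-op skips that write entirely.
def registrations_create(warden, override_sign_up)
  warden.set_user(USER_ID) unless override_sign_up
end

# The Rails cookie store only adds Set-Cookie when the session changed.
def response_headers(session)
  headers = { 'Content-Type' => 'application/json' }
  headers['Set-Cookie'] = '_app_session=<encrypted>; HttpOnly' unless session.empty?
  headers
end

# Returns true if the given Devise action would leak a session cookie.
def sets_session_cookie?(action, json: true, override_sign_up: false)
  session = {}
  warden = FakeWarden.new(session)
  case action
  when :sign_in then sessions_create(warden, json)
  when :sign_up then registrations_create(warden, override_sign_up)
  else raise ArgumentError, "unknown action #{action}"
  end
  response_headers(session).key?('Set-Cookie')
end
```

A JSON sign-in with store: false and a JSON sign-up with the no-op sign_up both produce no Set-Cookie, while an HTML sign-in (ActiveAdmin's case) still gets its session cookie.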

Closing it, as that's something already documented in the Readme. If you come up with a better solution, please, feel free to submit a PR updating the README. Thanks all for your collaboration 🙏