Jun 18, 2019
You can forget about the ID token on the server side, but the assumption is that there’s also a Firebase client somewhere in the picture which is signed into Firebase Auth and initiating these createSessionCookie() API calls remotely. Firebase Auth SDK keeps the ID token refreshed in the client, and when the server-side session expires, the client can send the latest ID token back to the server and obtain a new session cookie.
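
The server side of the renewal flow described above, as an added example that is not part of the original post. It assumes `auth` is a firebase-admin Auth instance (`admin.auth()`) whose `createSessionCookie()` and `verifySessionCookie()` methods are called as documented; the handler names, return shapes, cookie name and the `fakeAuth` stand-in are hypothetical.

```javascript
// Added example. `auth` is assumed to be a firebase-admin Auth instance
// (admin.auth()); return shapes and the cookie name are hypothetical.
const SESSION_MS = 5 * 24 * 60 * 60 * 1000; // expiresIn is in ms (5 min to 2 weeks)

function makeSessionHandlers(auth) {
  // Login endpoint: the client posts its current ID token, the server mints a cookie.
  async function sessionLogin(idToken) {
    if (typeof idToken !== 'string' || idToken.length === 0) return { status: 400 };
    try {
      const value = await auth.createSessionCookie(idToken, { expiresIn: SESSION_MS });
      return {
        status: 200,
        setCookie: { name: 'session', value, maxAge: SESSION_MS,
                     httpOnly: true, secure: true, sameSite: 'strict' },
      };
    } catch (err) {
      return { status: 401 }; // ID token rejected
    }
  }

  // Protected routes: verify the cookie (second argument also checks revocation).
  // A 401 with reauth tells the client to post its latest ID token to login again.
  async function requireSession(cookieValue) {
    try {
      const claims = await auth.verifySessionCookie(cookieValue || '', true);
      return { status: 200, uid: claims.uid };
    } catch (err) {
      return { status: 401, reauth: true };
    }
  }
  return { sessionLogin, requireSession };
}

// Constructed stand-in for admin.auth() so the flow can be exercised offline.
function fakeAuth(now) {
  return {
    async createSessionCookie(idToken, { expiresIn }) {
      if (!idToken.startsWith('valid-id-token:')) throw new Error('bad ID token');
      return JSON.stringify({ uid: idToken.split(':')[1], exp: now() + expiresIn });
    },
    async verifySessionCookie(cookie) {
      const c = JSON.parse(cookie); // throws on an empty or malformed cookie
      if (c.exp <= now()) throw new Error('session expired');
      return { uid: c.uid };
    },
  };
}
```

The server keeps no ID token between requests; an expired or missing cookie only produces a 401, and the client's refreshed ID token is what mints the next cookie.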