Part of the beauty I find in the APIstar codebase is the use of all the right tools. So first I looked in apistar/interfaces.py to see what a HTTPSession must provide:
def new(self) -> http.Session:
def load(self, session_id: str) -> http.Session:
def save(self, session: http.Session) -> typing.Dict[str, str]:
That makes it quite clear what your obligations are.
Next I looked at apistar/components/sessions.py to see how an example implementation worked.
Interesting to note the context managed used for get_session, which shows the exact sequence your SessionStore will be invoked in:
If there is a session_id cookie, then SessionStore.load(session_id) is called, otherwise SessionStore.new(), both of which should yield a dict-like session container.
After the request, SessionStore.save(session) will be called, and is expected to yield headers to update the response, if needed.
Does this help answer your question?