At a Glance:
SuperTokens is an open-core authentication provider offering on-premises deployment, passwordless and social login, session management, multi-factor authentication, and multi-tenancy, serving as an alternative to proprietary services like Auth0 or AWS Cognito.
Overview:
SuperTokens is an open-core authentication provider that adds secure login and session management to applications. It provides SDKs for languages and frameworks such as Node.js, Go, Python, React, and React Native. The architecture consists of a frontend SDK for UI and session tokens, a backend SDK for auth APIs, and a core HTTP service handling logic and database operations. SuperTokens can be deployed on-premises, allowing users to retain full control of their data using their own database. It supports features like passwordless, social, and email/password login, session management, multi-factor authentication, and multi-tenancy with organization support. The project is designed for developers who need a customizable, end-to-end auth solution without relying on proprietary cloud providers.
Key Decision Points:
On-premises deployment: SuperTokens Core can be self-hosted, letting you manage auth data in your own database rather than a third-party service.
SDK-based architecture: Provides separate frontend and backend SDKs, with session verification happening within the backend SDK without always contacting the core service.
Open-core licensing: The core is open source under Apache 2.0, while certain features reside under an "ee/" directory with a separate license.
Component decoupling: You can adopt SuperTokens solely for login, solely for session management, or both; session management integrations with other providers like Auth0 are also supported.
Multi-tenancy and roles: Includes support for organization-level SSO and user roles, relevant for apps serving multiple customer organizations.
Core Features:
Passwordless login: Allows users to authenticate without passwords.
Social login: Integration with social identity providers for sign-in.
Email and phone password login: Standard authentication using email/password or phone/password combinations.
Session management: Token-based session handling with refresh and verification, partially offloaded to backend SDKs.
Multi-factor authentication (MFA): Adds an extra verification step during login.
User management dashboard: A UI to list users, manage sessions, metadata, roles, and account information.
Use Cases:
Developers building applications that need an on-premises, self-hosted authentication system to retain data control.
Teams looking to add passwordless, social, or multi-factor login to Node.js, Go, Python, or React-based apps.
Applications serving multiple organizations that require built-in multi-tenancy and role-based user management.
Open-Source Alternative Value:
SuperTokens is positioned as an open-core alternative to proprietary auth providers like Auth0 or AWS Cognito. Its open-source nature allows free usage without user limits, and the on-premises deployment model means user data remains in your own database. The decoupled architecture offers flexibility to use only the parts you need, such as login or session management, and even supports integrating session management with other providers. Backend SDKs handle frequent operations like session verification without core service calls, reducing dependency on the central Java-based service and allowing customization at the SDK level.
