Open-source authentication solution offering flexible, self-hosted user management with advanced features and easy integration.

Overview:

SuperTokens is an open-core authentication provider that adds secure login and session management to applications. It is designed as an alternative to proprietary services like Auth0 or AWS Cognito, offering on-premises deployment that gives organizations full control over user data in their own database. The project provides a three-tier architecture consisting of frontend SDKs for session token management and login UI, backend SDKs for sign-up/sign-in/sign-out APIs, and a core HTTP service for authentication logic and database operations. SDKs are available for popular languages and frameworks including Node.js, Go, Python, React.js, and React Native.

Core Features:

  • Passwordless Login: Authentication without requiring a password.

  • Email Password Login: Traditional email-based credential authentication.

  • Phone Password Login: Phone number-based credential authentication.

  • Social Login: Authentication through third-party social providers.

  • Session Management: Secure session creation, refreshing, and revocation.

  • Multi-Factor Authentication: Additional authentication layers beyond primary login.

  • Multi Tenancy / Organization Support: Enterprise SSO capabilities for multiple organizations.

  • User Roles: Role-based access management for application users.

  • Microservice Authentication: Auth support for microservices architectures.

Use Cases:

  • Application developers needing to add login, sign-up, and session management without constructing OAuth protocols from scratch.

  • Self-hosters who require on-premises authentication with full control over user data stored in their own database.

  • Teams operating microservice architectures that need authentication spanning multiple services.

  • Organizations needing multi-tenant authentication with enterprise SSO support for separate organizations or tenants.

Why It Matters:

SuperTokens provides an open-core model where the authentication system can be self-hosted, giving developers complete data control and reducing reliance on proprietary auth providers. Its decoupled architecture allows using just login, just session management, or both, and session management can integrate with other login providers. The backend SDK handles frequent session verification without contacting the Java core, enabling a single core instance to support tens of thousands of users. The project emphasizes minimal vendor lock-in: user data remains in your database, allowing future migration without forcing existing users to log out or reset passwords.

Project Statistics:

  • Stars: 15,028

  • Forks: 659

  • License: Unknown

Metadata:

  • Alternative to: Clerk