Logo
Deploy Now

Stars

15174

Forks

703

Watchers

78

Developer links

Supertokens Core

Authentication that lives inside your application rather than behind a redirect to an external identity provider - SuperTokens takes a fundamentally different architecture from Auth0 and AWS Cognito. Three tiers make that work - frontend SDKs (React, Angular, Vue, vanilla JS, React Native) render overridable login UI and manage tokens; backend SDKs (Node.js, Python, Go) expose auth endpoints on your own API domain; and SuperTokens Core, the piece you host here, is the stateless HTTP service handling core auth logic, password hashing, token signing, and database operations against PostgreSQL. The recipe system keeps features decoupled: use email/password, social login, passwordless (magic links, OTP), phone-password, multi-factor authentication (TOTP, WebAuthn), user roles, and microservice auth - individually or combined; you can even use SuperTokens purely for session management alongside another login provider. Sessions are where it shines: rotating refresh tokens with theft detection, automatic access-token refresh, CSRF protection, and secure cookie handling out of the box - the details that become vulnerabilities when hand-rolled. Verification happens locally in your backend via cached JWT signing keys, so the Core stays off the hot path. Self-hosted means no user limits, free forever, with all user data in your database. Apache-licensed.

Supertokens Core

Benefits

  • No Per-User Pricing Cliff
  • Unlimited users forever - the MAU-based bills that make Auth0 painful don't exist.
  • Auth Inside Your App
  • SDK-embedded flows on your own domains replace redirects to an external identity server.
  • Sessions Done Right
  • Rotating refresh tokens with theft detection, CSRF protection, and secure cookies by default.
  • Use Only What You Need
  • Decoupled recipes let you adopt just login, just sessions, or the full stack.

Features

  • Authentication Recipes
  • Email/password, social, passwordless, phone-password, and combinations.
  • Multi-Factor Auth
  • TOTP and WebAuthn as composable second factors.
  • Session Management
  • Automatic token rotation and refresh with local JWT verification off the hot path.
  • User Roles
  • Role and permission management built into the core.
  • SDK Coverage
  • Node.js, Python, and Go backends; React, Angular, Vue, and React Native frontends.
  • Overridable Everything
  • Pre-built UI and API logic that can be customized or replaced per function.