Authorizer
Your users belong in your own database - Authorizer, an open-source authentication and authorization server shipping as a single Go binary, keeps them there. It connects to 13+ backends - PostgreSQL, MySQL, SQLite, SQL Server, MariaDB, MongoDB, Cassandra, ScyllaDB, ArangoDB, DynamoDB, Couchbase, YugabyteDB, PlanetScale, and CockroachDB - so identity data lives beside the application it protects instead of in an auth vendor's cloud. The server is fully OAuth 2.0 and OpenID Connect compliant, including authorization code flow with PKCE, a JWKS endpoint, token revocation, and nine JWT signing algorithms. Login options cover email/password, magic links, TOTP multi-factor, SMS OTP via Twilio, and social providers including Google, GitHub, Apple, Microsoft, and Discord. Authorization goes beyond roles: an embedded OpenFGA engine provides Zanzibar-style relationship-based permission checks in process. APIs are exposed over GraphQL, REST, and gRPC, with SDKs for JavaScript, React, Go, and Python, plus themeable built-in login pages and an admin dashboard. Apache 2.0 licensed.
Supertokens Core
Authentication that lives inside your application rather than behind a redirect to an external identity provider - SuperTokens takes a fundamentally different architecture from Auth0 and AWS Cognito. Three tiers make that work - frontend SDKs (React, Angular, Vue, vanilla JS, React Native) render overridable login UI and manage tokens; backend SDKs (Node.js, Python, Go) expose auth endpoints on your own API domain; and SuperTokens Core, the piece you host here, is the stateless HTTP service handling core auth logic, password hashing, token signing, and database operations against PostgreSQL. The recipe system keeps features decoupled: use email/password, social login, passwordless (magic links, OTP), phone-password, multi-factor authentication (TOTP, WebAuthn), user roles, and microservice auth - individually or combined; you can even use SuperTokens purely for session management alongside another login provider. Sessions are where it shines: rotating refresh tokens with theft detection, automatic access-token refresh, CSRF protection, and secure cookie handling out of the box - the details that become vulnerabilities when hand-rolled. Verification happens locally in your backend via cached JWT signing keys, so the Core stays off the hot path. Self-hosted means no user limits, free forever, with all user data in your database. Apache-licensed.