SuperTokens is an open-source authentication solution designed as a drop-in replacement for proprietary services like Auth0, Firebase Auth, and AWS Cognito. With nearly 15,000 GitHub stars, it provides a complete authentication stack that can be self-hosted with full data ownership, or used via the managed cloud service.

Architecture

SuperTokens uses a three-tier architecture: a Frontend SDK that manages session tokens and renders login UI widgets, a Backend SDK that provides sign-up/sign-in/session APIs, and the SuperTokens Core service (written in Java) that handles auth logic and database operations. This separation allows the auth logic to run independently while integrating tightly with your application stack.

Authentication Methods

The platform supports multiple authentication strategies out of the box: email/password login, passwordless authentication (magic links and OTP via email or SMS), social login (Google, Apple, Facebook, GitHub, and more via custom providers), and phone/password login. Multi-factor authentication adds TOTP-based second factors for enhanced security.

Enterprise Features

SuperTokens includes multi-tenancy and organization support for B2B SaaS applications, enterprise SSO via SAML and OIDC, user roles and permissions for fine-grained access control, and a user management dashboard for administrative operations. These features make it suitable for applications ranging from single-product startups to complex multi-tenant platforms.

Session Management

The session layer implements rotating refresh tokens with automatic token theft detection. Sessions support custom claims, role-based access, and are designed to be secure against CSRF and XSS attacks by default. The architecture supports both cookie-based and header-based token delivery.

SDK Ecosystem

Backend SDKs are available for Node.js, Python (Flask, Django, FastAPI), and Go (net/http, Gin, Chi). Frontend SDKs cover React, React Native, Angular, Vue, vanilla JavaScript, iOS, Android, and Flutter. Each SDK provides pre-built UI components for login flows that can be customized or replaced entirely with custom implementations.

Deployment

Self-hosted deployment runs the SuperTokens Core as a Docker container alongside PostgreSQL or MySQL. The entire stack can run via Docker Compose with a single command. There are no user count limits on the open-source edition, and all core auth features are available for free.