SuperTokens is an open-source authentication and session management platform designed as a self-hosted alternative to Auth0, Firebase Auth, and AWS Cognito. It empowers developers to implement secure login flows—including email/password, passwordless, and social login—without vendor lock-in, while maintaining full ownership of user data. Built for startups and enterprises, it eliminates the complexity of OAuth while providing enterprise-grade features like multi-tenancy, MFA, and user roles.
The platform uses a modular three-layer architecture: Frontend SDKs (for React, Vue, Flutter, etc.) handle UI and token management, Backend SDKs (Node.js, Go, Python) expose secure APIs, and the Java-based SuperTokens Core manages authentication logic and database operations. It supports deployment via Docker or standalone binaries, integrates with PostgreSQL, MySQL, and MongoDB, and offers a user management dashboard for admin control.
What You Get
- Passwordless Login - Enables login via email or SMS links without passwords, reducing friction and phishing risks.
- Social Login - Supports OAuth providers like Google, Facebook, and GitHub with prebuilt UI components and customizable flows.
- Email-Password Login - Secure credential-based authentication with built-in password policy enforcement (capital letters, numbers, special characters).
- Session Management - Automatic token refresh, session expiration, and multi-device session control with logout from other devices.
- Multi-Factor Authentication (MFA) - Adds optional second-factor verification (TOTP or SMS) to enhance security for sensitive accounts.
- Multi-Tenancy / Organization Support - Isolates users per organization (SSO-style), with tenant discovery and role-based access control.
- User Management Dashboard - Web-based UI to view, ban, or delete users, manage sessions, and assign roles without writing code.
- Microservice Authentication - Backend SDKs allow secure token validation across microservices without central auth calls.
- Captcha Protection - Integrates reCAPTCHA v2/v3 and Turnstile to block bots during login and sign-up flows.
- User Banning - Admins can ban/unban users via the dashboard, with backend plugin support to block access immediately.
- Custom UI Support - Fully customizable login UIs using frontend SDKs, or use prebuilt components with minimal configuration.
- Framework Agnostic SDKs - Official SDKs for React, React Native, Angular, Vue, Node.js, Go, Python, Android, iOS, and Flutter.
Common Use Cases
- Running a SaaS product with multi-tenant users - A B2B startup uses SuperTokens to isolate customer organizations with separate user roles and tenant-specific authentication.
- Building a passwordless mobile app - A fintech app uses SuperTokens’ email/SMS passwordless login to reduce friction and improve conversion on iOS and Android.
- Securing microservices without OAuth complexity - A backend team uses SuperTokens’ session validation SDKs to authenticate requests between services without relying on external identity providers.
- Replacing Auth0 to avoid vendor lock-in - An enterprise migrates from Auth0 to self-hosted SuperTokens to retain full control of user data and reduce monthly costs.
Under The Hood
Architecture
- Clear separation of concerns through a plugin-based architecture with well-defined interfaces for storage, user info, and authentication recipes
- Modular design isolates email, SAML, and third-party authentication logic into self-contained packages with their own APIs and configuration
- Dependency injection via ResourceDistributor enables tenant-scoped singleton components, ensuring isolation across multi-tenant contexts
- Layered webserver endpoints extend base classes and depend on abstractions rather than concrete implementations, promoting testability and extensibility
- Configuration-driven extensibility using YAML and JSON manifests dynamically enables or disables features and dependencies at runtime
Tech Stack
- Java-based backend with embedded Tomcat serving as the HTTP server, leveraging annotations for metadata processing
- JSON and YAML configuration parsed using industry-standard libraries to support flexible, runtime-configurable behavior
- SQLite integration provides lightweight, file-based storage without external dependencies, abstracted behind a pluggable storage layer
- Authentication primitives powered by bcrypt for secure password hashing and SLF4J for structured, contextual logging
- Maven-based dependency management with explicit version pinning ensures reproducible builds and environment consistency
Code Quality
- Comprehensive test coverage spanning unit, integration, and end-to-end scenarios with robust HTTP API and state validation
- Strong separation of concerns enforced through interface-based design, type safety, and clear naming conventions
- Custom exception classes and structured logging enable precise error handling and operational visibility
- Test utilities and resource identifiers follow consistent naming patterns, improving maintainability and onboarding
- Automated testing includes flaky test retries, environment-aware execution, and feature-flag-aware test suites
What Makes It Unique
- Dynamic plugin system using Java ServiceLoader allows runtime extension of authentication flows without core modifications
- Centralized multitenancy architecture isolates data contexts per tenant within a single instance, simplifying deployment
- OAuth and third-party workflows are proxied through admin endpoints with automatic token translation, removing client-side complexity
- Built-in bulk user operations enforce transactional safety and usage limits to prevent abuse while ensuring compliance
- Feature flags with external JAR loading enable enterprise features to be activated post-deployment without restarts
- Unified API layer abstracts diverse authentication recipes into consistent, tenant-aware endpoints for seamless client integration