December 14, 2020

920 words 5 mins read



Open source alternative to Auth0 / Firebase Auth / AWS Cognito

repo name supertokens/supertokens-core
repo link
language Java
size (curr.) 6794 kB
stars (curr.) 1611
created 2020-01-05
license Apache License 2.0

SuperTokens banner


Table of Contents

If you like our project, please :star2: this repository! For feedback, feel free to join our Discord, or create an issue on this repo

πŸš€ What is SuperTokens?

SuperTokens is an open core alternative to proprietary login providers like Auth0 or AWS Cognito. We are different because we offer:

  • Open source: SuperTokens can be used for free, forever, with no limits on the number of users.
  • An on-premises deployment so that you control 100% of your user data, using your own database.
  • An end to end solution with login, sign ups, user and session management, without all the complexities of OAuth protocols.
  • Ease of implementation and higher security.
  • Extensibility: Anyone can contribute and make SuperTokens better!


Authentication directly affects UX, dev experience and security of any app. We believe that current solutions are unable to optimise for all three “pillars”, leading to a large number of applications hand rolling their own auth. This not only leads to security issues, but is also a massive time drain.

We want to change that - we believe the only way is to provide a solution that has the right level of abstraction, gives you maximum control, is secure, and is simple to use - just like if you build it yourself, from scratch (minus the time to learn, build and maintain).

We also believe in the principle of least vendor lockin. Your having full control of your user’s data means that you can switch away from SuperTokens without forcing your existing users to logout, reset their passwords or in the worst case, sign up again.

Features - Click here to see the demo app.

  • Please visit our website to see the list of features.
  • We want to make features as decoupled as possible. This means, you can use SuperTokens for just login, or just session management, or both. In fact, we also offer session management integrations with other login providers like Auth0.


The docs can be seen on our website.

There is more information about SuperTokens on the GitHub wiki section.

πŸ—οΈ Architecture

  • Frontend SDK: Responsible for rendering the login UI widgets and managing session tokens automatically.
  • Backend SDK: Provides APIs for sign-up, sign-in, signout, session refreshing etc… You can also disable these default APIs and build your own using the provided functions from this SDK.
  • SuperTokens Core: This is an HTTP service that contains the core logic for auth and sessions. It’s also responsible for interfacing with the database.

For more information, please visit our GitHub wiki section.

β˜• Why Java?

  • βœ… Whilst running Java can seem difficult, we provide the JDK along with the binary / docker image when distributing it. This makes running SuperTokens just like running any other http microservice.
  • βœ… Java has a very mature ecosystem. This implies that third party libraries have been battled tested.
  • βœ… Java’s strong type system ensures fewer bugs and easier maintainability. This is especially important when many people are expected to work on the same project.
  • βœ… Our team is most comfortable with Java and hiring for great Java developers is relatively easy as well.

πŸ”₯ SuperTokens vs others

Please find a detailed comparison chart on our website

πŸ› οΈ Building from source

Please see our wiki for instructions.

πŸ‘₯ Community

If you think this is a project you could use in the future, please :star2: this repository!

Contributors (across all SuperTokens repositories)

πŸ‘©β€πŸ’» Contributing

Please see the file for instructions.

πŸ“œ Development history

Over the last few months, we have built out session management for SuperTokens. During this period, we have made our fair share of mistakes:

  • Our first version was architected such that it tightly coupled the backend and database layer. So we had one npm library for NodeJS with MySQL, and another one for NodeJS with MongoDB etc. When adding support for a new backend framework, majority of the logic and tests needed to be rewritten. It became clear that we needed to add a service in the middle. We do realise that adding this service means it’s harder to get started and that there is an extra point of failure, however from the perspective of supporting each tech stack, this decision makes sense, since the failure problem can be addressed through easy to implement technical means.

  • Until August, 2020, our license was not truly open source. This was done as an experiment to get feedback on the importance of software license for the startup community. Since then, it’s become very clear that we must use a standard open source license, so we chose Apache 2.0

  • We used to have a notion of a license key that was required to use the community version. This license key was issued by us, and would never expire. Some parts of the code still refer to that, however, it’s only for backwards compatibility. For all intents and purposes, a license key doesn’t exist for this version, which means anyone can build from source, and use SuperTokens for free, forever.

πŸ“ License

Β© 2020 SuperTokens Inc and its contributors. All rights reserved.

Licensed under the Apache 2.0 license.

comments powered by Disqus