explaingit

dromara/sa-token

18,802 | Java | Audience · developer | Complexity · 2/5 | License | Setup · easy

TLDR

Sa-Token is a Java library that adds login, session management, roles, permissions, single sign-on, and OAuth 2.0 to Spring Boot apps with just a few lines of code, no complex security configuration needed.

Mindmap

mindmap
  root((sa-token))
    Core Features
      Login auth
      Role permissions
      SSO support
      OAuth 2.0
    Tech Stack
      Java
      Spring Boot
      Redis
      JWT
    Use Cases
      Web app auth
      Microservice auth
      API security
    Audience
      Java developers
      Spring Boot teams

Things people build with this

USE CASE 1

Add user login, logout, and remember-me sessions to a Spring Boot web app with a single method call.

USE CASE 2

Protect API endpoints so only users with specific roles or permissions can access them, using one annotation.

USE CASE 3

Set up single sign-on so users log in once and stay authenticated across multiple related web apps.

USE CASE 4

Issue and verify OAuth 2.0 tokens so third-party apps can authenticate against your service.

Tech stack

Java, Spring Boot, Redis, JWT, Maven, OAuth 2.0

Getting it running

Difficulty · easy | Time to first run · 30min

Requires an existing Spring Boot project. Redis is optional, but it is needed for distributed session storage across multiple servers.

Use freely for any purpose, including commercial, as long as you keep the license notice. Apache 2.0.

In plain English

Sa-Token is an open source Java security and authentication framework that handles the common "who is this user and what are they allowed to do?" layer in web applications. Building login, session management, role-based access control, and single sign-on from scratch in every project wastes significant time. Sa-Token packages all of that into a lightweight library you drop into any Spring Boot application with a single Maven dependency.

Its five core modules cover login authentication (including remember-me and multi-device sessions), permission and role checking, single sign-on (SSO) so one login works across multiple related web apps, OAuth 2.0 so third-party apps can log in with your service, and microservice gateway authorization. Beyond those, it ships plugins for JWT integration, API parameter signing to prevent tampering, API key authorization, and account ban/kick features.

Most operations are a single line of Java code: logging a user in is one method call, and protecting an endpoint with a required permission is one annotation. It integrates with Redis so session state survives server restarts and works across distributed deployments. You would use Sa-Token if you are building a Java/Spring Boot web application or microservice system and want to add authentication and access control without wiring together low-level Spring Security or Apache Shiro configurations. It is licensed under Apache 2.0 and is free to use commercially.

Copy-paste prompts

Prompt 1
I have a Spring Boot app and want to add user login and role-based access control using Sa-Token. Show me the Maven dependency and the minimum setup code.
Prompt 2
Using Sa-Token, how do I protect a REST endpoint so only users with the role admin can call it? Show me the annotation and the configuration.
Prompt 3
Help me configure Sa-Token with Redis so sessions survive a server restart and work across multiple service instances.
Prompt 4
How do I set up Sa-Token's SSO module so users can log in once and access three different Spring Boot services without logging in again?
Prompt 5
I need to add OAuth 2.0 authorization to my Sa-Token app. Show me a minimal working example with token issuance and verification.

Verify against the repo before relying on details.