explaingit

dromara/sa-token

📈 Trending18,813JavaAudience · developerComplexity · 2/5ActiveLicenseSetup · easy

TLDR

Lightweight Java authentication and access control framework for Spring Boot apps. Handles login, sessions, roles, and permissions with minimal code.

Mindmap

mindmap
  root((sa-token))
    Core Features
      Login & Sessions
      Role-Based Access
      Single Sign-On
      OAuth 2.0
    Integrations
      Redis
      JWT
      API Keys
    Use Cases
      Web Applications
      Microservices
      Multi-App Systems
    Tech Stack
      Java
      Spring Boot
      Redis

Things people build with this

USE CASE 1

Add login and session management to a Spring Boot web app without configuring Spring Security from scratch.

USE CASE 2

Implement role-based access control across a microservice system with a single annotation on endpoints.

USE CASE 3

Set up single sign-on so users log in once and access multiple related web applications automatically.

USE CASE 4

Protect an API with OAuth 2.0 so third-party apps can request access on behalf of users.

Tech stack

JavaSpring BootRedisJWTOAuth 2.0

Getting it running

Difficulty · easy Time to first run · 5min
Use freely for any purpose, including commercial use, as long as you include the Apache 2.0 license notice.

In plain English

Sa-Token is an open source Java security and authentication framework that handles the common "who is this user and what are they allowed to do?" layer in web applications. Building login, session management, role-based access control, and single sign-on from scratch in every project wastes significant time, Sa-Token packages all of that into a lightweight library you drop into any Spring Boot application with a single Maven dependency. Its five core modules cover login authentication (including remember-me and multi-device sessions), permission and role checking, single sign-on (SSO) so one login works across multiple related web apps, OAuth 2.0 so third-party apps can log in with your service, and microservice gateway authorization. Beyond those, it ships plugins for JWT integration, API parameter signing to prevent tampering, API key authorization, and account ban/kick features. Most operations are a single line of Java code, logging a user in is one method call, and protecting an endpoint with a required permission is one annotation. It integrates with Redis so session state survives server restarts and works across distributed deployments. You would use Sa-Token if you are building a Java/Spring Boot web application or microservice system and want to add authentication and access control without wiring together low-level Spring Security or Apache Shiro configurations. It is licensed under Apache 2.0 and is free to use commercially.

Copy-paste prompts

Prompt 1
Show me how to add Sa-Token to a Spring Boot project and protect an endpoint with a required role using just an annotation.
Prompt 2
How do I set up single sign-on with Sa-Token so one login works across three separate Spring Boot web apps?
Prompt 3
Give me a code example of using Sa-Token to log a user in, store their session in Redis, and check their permissions on a request.
Prompt 4
How do I integrate Sa-Token with JWT tokens instead of server-side sessions?
Prompt 5
Show me how to implement OAuth 2.0 login with Sa-Token so external apps can authenticate users through my service.
Open on GitHub → Explain another repo

Generated 2026-05-18 · Model: sonnet-4-6 · Verify against the repo before relying on details.