explaingit

supertokens/supertokens-core

Analysis updated 2026-06-24

Stars · 15,037 | Language · Java | Audience · developer | Complexity · 4/5 | Setup · moderate

TLDR

SuperTokens core is a self-hosted Java auth backend for login, sessions, social and passwordless flows, MFA, and multi-tenancy, used via frontend and backend SDKs.

Mindmap

mindmap
  root((supertokens-core))
    Inputs
      Sign in requests
      Backend SDK calls
    Outputs
      Session tokens
      User records
    Use Cases
      Self host login
      Replace Auth0
      Add social and MFA
    Tech Stack
      Java
      JDBC
      MySQL
      PostgreSQL

What do people build with it?

USE CASE 1

Self-host a login service to avoid per-user fees from Auth0 or Cognito

USE CASE 2

Add passwordless, social, and email password sign in to a web app via the backend SDK

USE CASE 3

Run multi-tenant or enterprise SSO with the user management dashboard

USE CASE 4

Keep user records inside your own database for portability and data ownership

What is it built with?

Java, MySQL, PostgreSQL, JDBC

How does it compare?

| | supertokens/supertokens-core | zhisheng17/flink-learning | java-decompiler/jd-gui |
|---|---|---|---|
| Stars | 15,037 | 15,053 | 15,084 |
| Language | Java | Java | Java |
| Last pushed | 2026-05-06 | | |
| Maintenance | Maintained | | |
| Setup difficulty | moderate | hard | easy |
| Complexity | 4/5 | 4/5 | 2/5 |
| Audience | developer | data | developer |

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 1h+

Run the Java core service against MySQL or PostgreSQL, then add the backend and frontend SDKs to the app code. Session verification stays in the backend SDK to keep the core lean.

In plain English

SuperTokens is an open source login system. Almost every web or mobile app needs a way for users to sign up, sign in, stay signed in across page loads, and sign out. Companies usually either pay a service like Auth0, Firebase Auth, or AWS Cognito to handle that, or they build it themselves and risk security mistakes. SuperTokens offers a third path: a self-hosted login backend that the team and community maintain in the open, with no per-user fee.

This particular repository, supertokens-core, is one of three pieces. The README explains the layout. A Frontend SDK runs in the user's browser or mobile app and manages session tokens and login UI widgets. A Backend SDK runs in the app's own server and provides routes for sign-up, sign-in, sign-out, and session refresh. The core, which is the code in this repo, is an HTTP service written in Java that holds the authentication logic and talks to a database. The Backend SDK calls into the core. SDKs are available for languages and frameworks such as Node.js, Go, Python, React, React Native, and plain JavaScript.

The feature list covers most of what mainstream login providers offer: passwordless login, social login through providers like Google or GitHub, email and password login, phone and password login, session management, multi-factor authentication, multi-tenancy and enterprise single sign-on, user roles, and authentication for service-to-service calls between microservices. There is also a separate user management dashboard for listing users and editing their sessions, metadata, roles, and account info.

The README spends a section explaining why the core is written in Java. The team is comfortable with it, the ecosystem is mature, the type system reduces bugs, and binaries ship with the JDK bundled so running SuperTokens feels like running any other service. On memory use, session verification, the most frequent operation, happens in the Backend SDK without contacting the core, so one core instance can handle tens of thousands of users. The team also mentions plans to move to GraalVM later.

The pitch against paid competitors centres on data ownership. Because SuperTokens runs on the developer's own servers and database, the developer keeps full control of user records and can move away later without forcing users to reset passwords.

Documentation, architecture notes, and build instructions live on the project website and wiki. Community channels are a Discord server and a team email.

Copy-paste prompts

Prompt 1
Run supertokens-core locally with the bundled JDK and point it at a Postgres database
Prompt 2
Wire the Node.js backend SDK to a local SuperTokens core and add email/password sign up
Prompt 3
Configure SuperTokens to support Google social login and verify the redirect flow
Prompt 4
Enable multi-tenancy in supertokens-core and create two tenants with different login methods

Frequently asked questions

What is supertokens-core?

SuperTokens core is a self-hosted Java auth backend for login, sessions, social and passwordless flows, MFA, and multi-tenancy, used via frontend and backend SDKs.

What language is supertokens-core written in?

Mainly Java. The stack also includes MySQL and PostgreSQL.

How hard is supertokens-core to set up?

Setup difficulty is rated moderate, with roughly 1h+ to a first successful run.

Who is supertokens-core for?

Mainly developers.

Verify against the repo before relying on details.