SuperTokens is an open source login system. Almost every web or mobile app needs a way for users to sign up, sign in, stay signed in across page loads, and sign out. Companies usually either pay a service like Auth0, Firebase Auth, or AWS Cognito to handle that, or they build it themselves and risk security mistakes. SuperTokens offers a third path: a self-hosted login backend that the team and community maintain in the open, with no per-user fee.

This particular repository, supertokens-core, is one of three pieces. The README explains the layout. A Frontend SDK runs in the user's browser or mobile app and manages session tokens and login UI widgets. A Backend SDK runs in the app's own server and provides routes for sign-up, sign-in, sign-out, and session refresh. The core, which is the code in this repo, is an HTTP service written in Java that holds the authentication logic and talks to a database. The Backend SDK calls into the core. Frontend SDKs are available for languages and frameworks such as Node.js, Go, Python, React, React Native, and plain JavaScript.

The feature list covers most of what mainstream login providers offer: passwordless login, social login through providers like Google or GitHub, email and password login, phone and password login, session management, multi-factor authentication, multi-tenancy and enterprise single sign-on, user roles, and authentication for service-to-service calls between microservices. There is also a separate user management dashboard for listing users and editing their sessions, metadata, roles, and account info.

The README spends a section explaining why the core is written in Java. The team is comfortable with it, the ecosystem is mature, the type system reduces bugs, and binaries ship with the JDK bundled so running SuperTokens feels like running any other service. On memory use, the README points out that session verification, the most frequent operation, happens in the Backend SDK without contacting the core, so one core instance can handle tens of thousands of users. The team also mentions plans to move to GraalVM later.

The pitch against paid competitors centres on data ownership. Because SuperTokens runs on the developer's own servers and database, the developer keeps full control of user records and can move away later without forcing users to reset passwords.

Documentation, architecture notes, and build instructions live on the project website and wiki. Community channels are a Discord server and a team email.

Generated 2026-05-21 · Model: sonnet-4-6 · Verify against the repo before relying on details.