SuperTokens
Open-source authentication with session management, social login, and passwordless — self-host or managed.
Last commit 2026-06-01
SuperTokens approaches authentication from the application developer's perspective rather than the infrastructure administrator's. Instead of a standalone identity server you configure through an admin UI, it is a modular library that plugs into your existing backend. You pick the recipes you need — email/password, social OAuth, magic links, OTP, multi-tenancy — and each one ships with both a headless API and optional pre-built React UI components that you can drop in or replace entirely.
The session management implementation is a particular strength. SuperTokens uses rotating refresh tokens with automatic token theft detection, storing session state in a separate service (the core) rather than in JWTs alone. That design avoids a common vulnerability in stateless JWT authentication — the inability to revoke sessions instantly — while keeping the verification path fast by caching session validation locally in the backend SDK.
Self-hosting runs the open-source core (Apache-2.0) alongside your application, typically as a small Docker container backed by PostgreSQL or MySQL. The managed cloud option handles the core for you and includes a free tier up to 5,000 MAUs, making it a credible no-ops starting point for early-stage products. SAML SSO for enterprise customers and advanced MFA options require the paid plan. The trade-off versus alternatives like Keycloak or authentik is scope: SuperTokens is narrower, covering application-level auth well but not enterprise federation protocols like LDAP or RADIUS. For developer-led teams building SaaS products, that narrower focus is usually a feature rather than a limitation.
Key features of SuperTokens
- Session management with rotating refresh tokens and built-in token theft detection
- Email/password, social OAuth, and passwordless (magic link + OTP) recipe system
- Pre-built UI components or headless APIs for fully custom login screens
- Multi-tenancy support for SaaS applications with per-tenant configuration
- SDKs for Node.js, Python, Go, and PHP backends plus React, Next.js, and mobile frontends
- Managed cloud option with a generous free tier by MAU
Pros
- Apache-2.0 licensed core is free to self-host with no MAU or seat limits
- Recipe-based architecture lets you mix and match auth methods modularly
- Managed cloud free tier covers up to 5,000 MAU — useful for startups
Cons
- Enterprise features like SAML SSO and SCIM provisioning require the paid managed plan
- Smaller community than Auth0 or Keycloak, so fewer third-party guides
- The core is Java, which adds operational overhead if your stack is otherwise Node/Go
SuperTokens pricing
Free / self-host · open-core · Apache-2.0
Developer-led startups that want self-hosted auth with a clean SDK abstraction and a path to managed hosting as they scale.
Frequently asked questions
Is SuperTokens open source?
Yes. SuperTokens is open source (Apache-2.0), so you can read the code, self-host it, and avoid vendor lock-in.
How much does SuperTokens cost?
SuperTokens starts at Free (self-host) on an open-core model. Self-hosting reduces the cost to infrastructure only.
Can I self-host SuperTokens?
Yes — SuperTokens supports self-hosting, giving you full data ownership.