Description
SuperTokens is the most secure solution for user session management - enabling robust prevention and detection of attacks. We mitigate against all types of attacks (XSS, MITM, session fixation, CSRF etc) and are the only ones that we know of to scalably implement detection of auth token theft (as per the official OAuth 2.0 specifications in RFC 6819). We have solved the scalability, race conditions and failure issues usually associated with this. Fitbit tried to implement theft detection in 2016 but was unable to do so. Many companies build their own session management solution - which can take weeks to months (depending on developer experience and robustness of their solution). Ours can be rapidly integrated with in a few days.
SuperTokens Community alternatives and similar libraries
Based on the "Security" category.
Alternatively, view SuperTokens Community alternatives based on common mentions on social networks and blogs.
-
DOMPurify
DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo: -
Retire.js
scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds. -
sanitize-html
Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis. Built on htmlparser2 for speed and tolerance -
Themis by Cossack Labs
Easy to use cryptographic framework for data protection: secure messaging with forward secrecy and secure data storage. Has unified APIs across 14 platforms. -
cidaas SDK for JS
With this SDK, you can integrate cidaas smoothly and with minimal effort into your javascript application. It enables you to map the most important user flows for OAuth2 and OIDC compliant authentication. Secure β Fast β And unrivaled Swabian. -
data-guardian π
Tiny, zero-dependencies, package which tries to mask sensitive data in arbitrary collections (map, set), errors, objects and strings.
Civic Auth - Auth in Less Than 5 Minutes

* Code Quality Rankings and insights are calculated and provided by Lumnify.
They vary from L1 to L5 with "L5" being the highest.
Do you think we are missing an alternative of SuperTokens Community or a related project?
README
Open-Source auth provider
Add secure login and session management to your apps. SDKs available for popular languages and front-end frameworks e.g. Node.js, Go, Python, React.js, React Native, Vanilla JS, etc.
Supertokens architecture is optimized to add secure authentication for your users without compromising on user and developer experience
Three building blocks of SuperTokens architecture
- Frontend SDK: Manages session tokens and renders login UI widgets
- Backend SDK: Provides APIs for sign-up, sign-in, signout, session refreshing etc. Your Frontend will talk to these APIs
- SuperTokens Core: The HTTP service for the core auth logic and database operations. This service is used by the Backend SDK
Supports multiple auth strategies
[auth recipes](.github/auth_strategies.png)
Guides to setup different recipes
- Passwordless
- Social Login
- Email Password Login
- Phone Password Login
- Passwordless + Social Login
- Email Password + Social Login
- Session Management
Learn more
- π What is SuperTokens?
- ποΈ Architecture
- β Why Java?
- π₯ SuperTokens vs Others
- π οΈ Building from source
- π₯ Community
- π©βπ» Contributing
- π License
If you like our project, please :star2: this repository! For feedback, feel free to join our Discord, or create an issue on this repo
π What is SuperTokens?
SuperTokens is an open core alternative to proprietary login providers like Auth0 or AWS Cognito. We are different because we offer:
- Open source: SuperTokens can be used for free, forever, with no limits on the number of users.
- An on-premises deployment so that you control 100% of your user data, using your own database.
- An end to end solution with login, sign ups, user and session management, without all the complexities of OAuth protocols.
- Ease of implementation and higher security.
- Extensibility: Anyone can contribute and make SuperTokens better!
Philosophy
Authentication directly affects UX, dev experience and security of any app. We believe that current solutions are unable to optimise for all three "pillars", leading to a large number of applications hand rolling their own auth. This not only leads to security issues, but is also a massive time drain.
We want to change that - we believe the only way is to provide a solution that has the right level of abstraction, gives you maximum control, is secure, and is simple to use - just like if you build it yourself, from scratch (minus the time to learn, build and maintain).
We also believe in the principle of least vendor lockin. Your having full control of your user's data means that you can switch away from SuperTokens without forcing your existing users to logout, reset their passwords or in the worst case, sign up again.
Features - Click here to see the demo app.
- Please visit our website to see the list of features.
- We want to make features as decoupled as possible. This means, you can use SuperTokens for just login, or just session management, or both. In fact, we also offer session management integrations with other login providers like Auth0.
Documentation
The docs can be seen on our website.
There is more information about SuperTokens on the GitHub wiki section.
ποΈ Architecture
Please find an architecture diagram here
For more information, please visit our GitHub wiki section.
β Why Java?
- β Whilst running Java can seem difficult, we provide the JDK along with the binary / docker image when distributing it. This makes running SuperTokens just like running any other http microservice.
- β Java has a very mature ecosystem. This implies that third party libraries have been battle tested.
- β Java's strong type system ensures fewer bugs and easier maintainability. This is especially important when many people are expected to work on the same project.
- β Our team is most comfortable with Java and hiring for great Java developers is relatively easy as well.
- β
One of the biggest criticisms of Java is memory usage. We have three solutions to this:
- The most frequent auth related operation is session verification - this happens within the backend SDK (node, python, Go) without contacting the Java core. Therefore, a single instance of the core can handle several 10s of thousands of users fairly easily.
- We have carefully chosen our dependencies. For eg: we use an embedded tomcat server instead of a higher level web framework.
- We also plan on using GraalVM in the future and this can reduce memory usage down by 95%!
- β If you require any modifications to the auth APIs, those would need to be done on the backend SDK level (for example Node, Golang, Python..). So youβd rarely need to directly modify / work with the Java code in this repo.
π₯ SuperTokens vs others
Please find a detailed comparison chart on our website
π οΈ Building from source
Please see our wiki for instructions.
π₯ Community
If you think this is a project you could use in the future, please :star2: this repository!
Contributors (across all SuperTokens repositories)
Rishabh Poddar Advait Ruia Bhumil Sarvaiya Joel Coutinho Rakesh UP Mufassir Kazi Nemi Shah Rohit Bhatia Madhu Mahadevan Aidar Nugmanoff Arnav Dewan NkxxkN LordChadiwala Luiz Soares Sudipto Ghosh Fabricio20 metallicmonkey Vidhyanshu Jain Domenico Luciani Enzo Batrov EloΓ―se Isautier Γkos Resch Chotu Chaudhary TomΓ‘Ε‘ HorΓ‘Δek Sam Bauch Alexey Tylindus Gus Fune chenkaiC4 Marek Dulowski Piyushh Bhutoria Eric Dobbertin Kyle Dodson Ralph Lawrence Christopher Kapic Hanzyusuf MihΓ‘ly Lengyel Cerino O. Ligutom III nadilas Vasile Catana Jay Mistry Jacob Marshall miketromba Oleg Vdovenko Siddharth xuatz Yoway Buorn Ronit Panda Anugrah Singhal Jeremy Eastham Assaf Yacobi Sattvik Chakravarthy Olivier Pichon Siddhant Varma renyijiu Isaiah Thomason Utsav Barnwal
π©βπ» Contributing
Please see the CONTRIBUTING.md file for instructions.
π License
© 2020 SuperTokens Inc and its contributors. All rights reserved.
Licensed under the Apache 2.0 license.
*Note that all licence references and agreements mentioned in the SuperTokens Community README section above
are relevant to that project's source code only.