# dromara/Sa-Token

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/dromara-sa-token).**

18,626 stars · 2,884 forks · Java · apache-2.0

## Links

- GitHub: https://github.com/dromara/Sa-Token
- Homepage: https://sa-token.cc
- awesome-repositories: https://awesome-repositories.com/repository/dromara-sa-token.md

## Topics

`aouth2` `authorization` `java` `springcloud` `sso` `token`

## Description

Sa-Token is a Java-based authentication and authorization framework designed to manage user sessions, permissions, and identity verification within web applications and microservice architectures. It provides a centralized security layer that enforces access control policies and identity validation across distributed service environments and API gateways.

The framework distinguishes itself through its support for cross-domain single sign-on and its ability to function as an OAuth2 identity provider. It manages user session lifecycles by applying configurable rules for single or multi-login requirements and synchronizes authentication states across multiple servers and independent application instances using external, persistent storage.

Beyond core identity management, the project covers a broad range of security capabilities including role-based access control and interceptor-based enforcement. It integrates with diverse web frameworks through an adapter-based approach, allowing for consistent security enforcement regardless of the underlying application architecture.

## Tags

### Security & Cryptography

- [Authentication and Authorization](https://awesome-repositories.com/f/security-cryptography/authentication-and-authorization.md) — Provides a comprehensive framework for managing user authentication, session lifecycles, and access control permissions in Java applications.
- [Identity Providers](https://awesome-repositories.com/f/security-cryptography/identity-providers.md) — Implements custom identity provider services using standard authorization protocols.
- [OAuth2 Providers](https://awesome-repositories.com/f/security-cryptography/oauth2-providers.md) — Implements standard OAuth2 authorization protocols to secure inter-service communication and manage user access across diverse platforms.
- [Role-Based Access Control](https://awesome-repositories.com/f/security-cryptography/role-based-access-control.md) — Enforces access control by evaluating user permissions against defined roles and security policies.
- [Single Sign-On](https://awesome-repositories.com/f/security-cryptography/single-sign-on.md) — Supports cross-domain single sign-on by sharing authentication tokens through secure centralized storage.
- [Cross-Domain Authentication](https://awesome-repositories.com/f/security-cryptography/cross-domain-authentication.md) — Enables secure authentication across multiple domains by sharing tokens through centralized storage. ([source](https://sa-token.cc))
- [Microservices Security](https://awesome-repositories.com/f/security-cryptography/microservices-security.md) — Enforces centralized identity verification and access control policies across distributed microservice architectures and API gateways.
- [Session Management](https://awesome-repositories.com/f/security-cryptography/session-management.md) — Coordinates user login states and authentication sessions across multiple domains and microservices.
- [Session Management Systems](https://awesome-repositories.com/f/security-cryptography/session-management-systems.md) — Synchronizes user login states and authentication tokens across multiple servers and independent application instances.
- [Token-Based Authentication](https://awesome-repositories.com/f/security-cryptography/token-based-authentication.md) — Implements stateless authentication using cryptographically signed tokens to verify user identity without server-side state.
- [Authentication Login Handlers](https://awesome-repositories.com/f/security-cryptography/authentication-login-handlers.md) — Manages active user sessions across devices with configurable rules for single or multi-login requirements. ([source](https://sa-token.cc))
- [Distributed Authentication Strategies](https://awesome-repositories.com/f/security-cryptography/identity-access-management/authentication-strategies/session-and-credential-handling/session-credential-management/distributed-authentication-strategies.md) — Centralizes authentication and session management across microservices to ensure consistent security enforcement. ([source](https://sa-token.cc))
- [Session Management Policies](https://awesome-repositories.com/f/security-cryptography/identity-access-management/authentication-strategies/session-and-credential-handling/session-credential-management/session-management-policies.md) — Manages the lifecycle of active login sessions with configurable policies for concurrent access.
- [External Database Persistence](https://awesome-repositories.com/f/security-cryptography/identity-access-management/session-management/stateful-session-persistence/external-database-persistence.md) — Persists authentication session data in external databases to ensure continuity across multiple application instances.
- [Session Authentication](https://awesome-repositories.com/f/security-cryptography/session-authentication.md) — Maintains persistent user login states across application restarts and various devices. ([source](https://sa-token.cc/index.html))
- [Inter-Service Authentication](https://awesome-repositories.com/f/security-cryptography/inter-service-authentication.md) — Validates identity and access permissions during inter-service communication and at the gateway level. ([source](https://sa-token.cc/index.html))

### Web Development

- [Web Framework Integrations](https://awesome-repositories.com/f/web-development/web-framework-integrations.md) — Provides adapters and middleware to integrate authentication logic with various web frameworks and server runtimes.
- [Request Interceptors](https://awesome-repositories.com/f/web-development/request-interceptors.md) — Hooks into the request lifecycle to validate user identity and permissions before accessing protected resources.