# stack-auth/stack-auth

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/stack-auth-stack-auth).**

6,699 stars · 507 forks · TypeScript · other

## Links

- GitHub: https://github.com/stack-auth/stack-auth
- Homepage: https://stack-auth.com
- awesome-repositories: https://awesome-repositories.com/repository/stack-auth-stack-auth.md

## Topics

`auth` `auth0` `authentication` `clerk` `cognito` `email-password` `firebase-auth` `keycloak` `login` `magic-link` `nextjs` `oauth` `password` `react` `session-management` `shadcn` `signin` `social-login` `supabase-auth` `typescript`

## Description

Stack Auth is an open-source authentication and authorization platform that provides pre-built UI components, OAuth integration, team management, and session handling for web applications. It offers a complete authentication lifecycle covering sign-in, sign-up, session management, password recovery, and multi-factor security, with support for passkey authentication and OAuth providers including Google, GitHub, and Apple.

The platform includes a team-based permission system with role-based access control, allowing users to be organized into teams with granular permissions for membership management and resource access. It provides server-side session management with cookie-based token exchange, API-key-based authentication for programmatic access, and webhook event delivery with signed, tamper-proof HTTP callbacks and automatic retries. The system also captures client-side analytics and session replays for debugging and usage analysis.

Beyond authentication, Stack Auth handles billing and payments with support for subscriptions, one-time charges, and usage metering for individuals or teams. It includes an email notification system with customizable templates, themes, and user-controlled preferences, along with data storage capabilities for JSON metadata and encrypted secrets on user and team records. The platform offers a production mode with a pre-launch checklist for domain setup, callback locking, and secret rotation.

## Tags

### DevOps & Infrastructure

- [Authentication-as-a-Service](https://awesome-repositories.com/f/devops-infrastructure/cloud-infrastructure/cloud-computing-serverless/backend-as-a-service/authentication-as-a-service.md) — Provides pre-built authentication flows with OAuth, passkeys, and session management for web apps.

### Business & Productivity Software

- [Team Member Management](https://awesome-repositories.com/f/business-productivity-software/team-member-management.md) — Organizes users into teams with role-based access control, invitations, and member management.
- [Team Member Invitations](https://awesome-repositories.com/f/business-productivity-software/team-member-management/team-member-invitations.md) — Sends email invitations to join teams with role-based access control and a team switcher. ([source](https://cdn.jsdelivr.net/gh/stack-auth/stack-auth@dev/README.md))
- [Billing and Usage](https://awesome-repositories.com/f/business-productivity-software/financial-operational-management/billing-financial-systems/billing-and-usage.md) — Handles subscriptions, one-time charges, and usage metering with credits for users or teams. ([source](https://cdn.jsdelivr.net/gh/stack-auth/stack-auth@dev/README.md))
- [Usage Metering & Billing](https://awesome-repositories.com/f/business-productivity-software/usage-metering-billing.md) — Handles subscriptions, one-time charges, and usage-based billing for individuals or teams. ([source](https://cdn.jsdelivr.net/gh/stack-auth/stack-auth@dev/README.md))

### Data & Databases

- [Webhook Delivery](https://awesome-repositories.com/f/data-databases/data-export/webhook-delivery.md) — Sends real-time backend notifications via POST requests with signed JSON payloads to configurable endpoints.

### Development Tools & Productivity

- [Webhook Event Receivers](https://awesome-repositories.com/f/development-tools-productivity/event-triggers/github-event-integrations/webhook-event-receivers.md) — Receives POST requests with JSON payloads at configured server URLs for user and team events. ([source](https://docs.stack-auth.com/docs/apps/webhooks))
- [Team Management](https://awesome-repositories.com/f/development-tools-productivity/team-management.md) — Creates teams, manages members, assigns role-based permissions, and stores team-specific profiles.
- [Team Creators](https://awesome-repositories.com/f/development-tools-productivity/team-management/team-creators.md) — Creates new teams and optionally adds the creator with default permissions from the dashboard. ([source](https://docs.stack-auth.com/docs/apps/orgs-and-teams))
- [Team Deleters](https://awesome-repositories.com/f/development-tools-productivity/team-management/team-deleters.md) — Deletes teams, requiring the delete team permission on the client side. ([source](https://docs.stack-auth.com/docs/apps/orgs-and-teams))
- [Team-Scoped Access Control](https://awesome-repositories.com/f/development-tools-productivity/team-management/team-scoped-access-control.md) — Groups users into teams with granular permissions for membership management and resource access control.
- [Webhook Configuration](https://awesome-repositories.com/f/development-tools-productivity/webhook-configuration.md) — Ships interfaces for defining and managing webhook endpoints and routing parameters. ([source](https://docs.stack-auth.com))
- [Transactional Emailing](https://awesome-repositories.com/f/development-tools-productivity/transactional-emailing.md) — Sends automated emails for user verification, password resets, and other account-related events. ([source](https://docs.stack-auth.com))
- [Unified Email Dispatch Services](https://awesome-repositories.com/f/development-tools-productivity/transactional-emailing/unified-email-dispatch-services.md) — Delivers both transactional and marketing emails from one API with AI template editing and tracking. ([source](https://cdn.jsdelivr.net/gh/stack-auth/stack-auth@dev/README.md))

### Networking & Communication

- [Signed Webhook Deliveries](https://awesome-repositories.com/f/networking-communication/webhook-delivery-systems/signed-webhook-deliveries.md) — Sends signed, tamper-proof webhooks with automatic retries and dashboard-based endpoint management. ([source](https://cdn.jsdelivr.net/gh/stack-auth/stack-auth@dev/README.md))
- [Webhook Event Consumers](https://awesome-repositories.com/f/networking-communication/webhook-event-consumers.md) — Processes incoming webhook payloads to drive system integrations. ([source](https://docs.stack-auth.com))

### Security & Cryptography

- [API Key Authentication](https://awesome-repositories.com/f/security-cryptography/api-key-authentication.md) — Validates incoming API calls by checking the provided API key against stored user or team credentials. ([source](https://docs.stack-auth.com/docs/apps/api-keys))
- [API Key Management](https://awesome-repositories.com/f/security-cryptography/api-key-management.md) — Generates and manages scoped API keys for programmatic access to user and team resources.
- [Key Lifecycle Dashboards](https://awesome-repositories.com/f/security-cryptography/api-key-management/key-lifecycle-dashboards.md) — Ships a dashboard for generating and rotating scoped API keys programmatically. ([source](https://docs.stack-auth.com))
- [Pre-built Authentication Components](https://awesome-repositories.com/f/security-cryptography/identity-access-management/authentication-strategies/user-facing-login-methods/multi-factor-authentication/pre-built-authentication-components.md) — Ships ready-made sign-in, sign-up, and user management components that drop into any page. ([source](https://docs.stack-auth.com))
- [Server-Side Session Stores](https://awesome-repositories.com/f/security-cryptography/identity-access-management/session-management/server-side-session-stores.md) — Creates and maintains authenticated sessions using server-side storage and cookie-based token exchange.
- [Open-Source Authentication Platforms](https://awesome-repositories.com/f/security-cryptography/identity-authentication/open-source-authentication-platforms.md) — An open-source authentication and authorization platform with pre-built UI components and team management.
- [OAuth Token Exchanges](https://awesome-repositories.com/f/security-cryptography/jwt-generation/oauth-token-exchanges.md) — Provides an API to retrieve current OAuth access tokens for authorized external API calls. ([source](https://docs.stack-auth.com/docs/apps/oauth))
- [OAuth Provider Integrations](https://awesome-repositories.com/f/security-cryptography/oauth-authentication/oauth-provider-integrations.md) — Integrates with Google, GitHub, and Apple so users can sign in with existing accounts. ([source](https://docs.stack-auth.com/docs/concepts/auth-providers))
- [Passkey Authentication](https://awesome-repositories.com/f/security-cryptography/passkey-authentication.md) — Lets users sign in using device-based biometric or PIN authentication without a password. ([source](https://docs.stack-auth.com/docs/concepts/auth-providers))
- [Unified Passkey and OAuth Sign-in Flows](https://awesome-repositories.com/f/security-cryptography/passkey-authentication/unified-passkey-and-oauth-sign-in-flows.md) — Handles sign-in flows including passkeys, OAuth providers, and CLI authentication with a single drop-in component. ([source](https://cdn.jsdelivr.net/gh/stack-auth/stack-auth@dev/README.md))
- [Embedded Authentication Forms](https://awesome-repositories.com/f/security-cryptography/passkey-authentication/unified-passkey-and-oauth-sign-in-flows/embedded-authentication-forms.md) — Renders pre-built forms for user authentication, including credential and magic link sign-in options. ([source](https://docs.stack-auth.com/docs/getting-started/components))
- [Team Action Permission Checks](https://awesome-repositories.com/f/security-cryptography/permission-based-access-control/team-action-permission-checks.md) — Verifies a user has the required permission before performing an action on a team. ([source](https://docs.stack-auth.com/docs/apps/orgs-and-teams))
- [Role-Based Access Control](https://awesome-repositories.com/f/security-cryptography/role-based-access-control.md) — Defines and enforces granular access permissions for users and teams based on assigned roles. ([source](https://docs.stack-auth.com))
- [Route Protection](https://awesome-repositories.com/f/security-cryptography/route-protection.md) — Redirects unauthenticated visitors to the sign-in page using client hooks, server calls, or middleware. ([source](https://docs.stack-auth.com/docs/getting-started/users))
- [Session Authentication](https://awesome-repositories.com/f/security-cryptography/session-authentication.md) — Creates, maintains, and terminates authenticated sessions across client and server components.
- [Full Lifecycle Managers](https://awesome-repositories.com/f/security-cryptography/session-authentication/full-lifecycle-managers.md) — Creates, maintains, and terminates authenticated sessions across the application for each user. ([source](https://docs.stack-auth.com/docs/components))
- [Sign-Up Form Customizations](https://awesome-repositories.com/f/security-cryptography/user-sign-up-flows/sign-up-form-customizations.md) — Builds a custom sign-up form by replacing the default component with a tailored implementation. ([source](https://docs.stack-auth.com/docs/customization/page-examples))
- [Prebuilt Management Interfaces](https://awesome-repositories.com/f/security-cryptography/api-key-management/prebuilt-management-interfaces.md) — Provides ready-made UI components for users and teams to manage their own API keys. ([source](https://docs.stack-auth.com/docs/apps/api-keys))
- [CLI-Based Authentication](https://awesome-repositories.com/f/security-cryptography/cli-based-authentication.md) — Opens a browser-based login flow from a terminal so users can authenticate with their existing accounts. ([source](https://docs.stack-auth.com/docs/others/cli-authentication))
- [Callback Domain Validators](https://awesome-repositories.com/f/security-cryptography/domain-access-restrictions/callback-domain-validators.md) — Restricts authentication callbacks to the project's registered domain to block token interception. ([source](https://docs.stack-auth.com/docs/getting-started/production))
- [API Key Authentication](https://awesome-repositories.com/f/security-cryptography/identity-access-management/authentication-strategies/machine-and-protocol-identity/api-machine-authentication/api-key-authentication.md) — Generates and manages scoped API keys that authenticate programmatic access to user and team resources.
- [User Profile Management](https://awesome-repositories.com/f/security-cryptography/identity-access-management/identity-management/user-management/user-profile-management.md) — Modifies a user's display name, email, or other profile fields through a direct update call. ([source](https://docs.stack-auth.com/docs/getting-started/users))
- [Account Merging](https://awesome-repositories.com/f/security-cryptography/oauth-authentication/oauth-provider-integrations/account-merging.md) — Links a new OAuth sign-in to an existing account when the provider identity matches. ([source](https://docs.stack-auth.com/docs/apps/oauth))
- [Custom Provider Configurations](https://awesome-repositories.com/f/security-cryptography/oauth-authentication/oauth-provider-integrations/custom-provider-configurations.md) — Lets projects use their own OAuth app credentials so the consent screen shows their brand. ([source](https://docs.stack-auth.com/docs/getting-started/production))
- [Scope Requests](https://awesome-repositories.com/f/security-cryptography/oauth-authentication/oauth-provider-integrations/scope-requests.md) — Specifies the permissions an application needs from an external provider during sign-in. ([source](https://docs.stack-auth.com/docs/apps/oauth))
- [Forgot Password Flows](https://awesome-repositories.com/f/security-cryptography/password-management/forgot-password-flows.md) — Provides a customizable forgot password page with a tailored implementation. ([source](https://docs.stack-auth.com/docs/customization/page-examples))
- [User Session Termination](https://awesome-repositories.com/f/security-cryptography/session-management/user-session-termination.md) — Ends the user's session and redirects them to a configured post-logout page. ([source](https://docs.stack-auth.com/docs/getting-started/users))
- [Two-Factor Authentication](https://awesome-repositories.com/f/security-cryptography/two-factor-authentication.md) — Requires users to provide a second verification factor during sign-in to strengthen account security. ([source](https://docs.stack-auth.com/docs/concepts/auth-providers))
- [Account Approval Workflows](https://awesome-repositories.com/f/security-cryptography/user-access-management/user-based-access-restrictions/account-approval-workflows.md) — Marks new accounts as restricted until an administrator reviews and approves them. ([source](https://docs.stack-auth.com/docs/concepts/sign-up-rules))
- [Password Resets](https://awesome-repositories.com/f/security-cryptography/user-account-management/password-resets.md) — Provides a customizable password reset flow with a tailored implementation. ([source](https://docs.stack-auth.com/docs/customization/page-examples))
- [User Profile Retrieval](https://awesome-repositories.com/f/security-cryptography/user-profile-retrieval.md) — Returns the signed-in user's data in a client component, or null when no user is authenticated. ([source](https://docs.stack-auth.com/docs/getting-started/users))
- [Server-Side Retrievals](https://awesome-repositories.com/f/security-cryptography/user-profile-retrieval/server-side-retrievals.md) — Fetches the signed-in user's data once during server-side rendering, without reactive updates. ([source](https://docs.stack-auth.com/docs/getting-started/users))
- [Sign-up Rule Evaluators](https://awesome-repositories.com/f/security-cryptography/user-sign-up-flows/sign-up-rule-evaluators.md) — Evaluates sign-up attempts against customizable rules based on email domain or auth method. ([source](https://docs.stack-auth.com/docs/concepts/sign-up-rules))
- [Webhook Security](https://awesome-repositories.com/f/security-cryptography/webhook-security.md) — Validates cryptographic signatures on incoming webhook payloads to confirm origin and prevent replay attacks. ([source](https://docs.stack-auth.com/docs/apps/webhooks))

### Software Engineering & Architecture

- [Webhook Integrations](https://awesome-repositories.com/f/software-engineering-architecture/integration-extensibility/programmatic-interfaces/webhook-event-notifications/webhook-integrations.md) — Fires HTTP callbacks on user events so external systems react to sign-ups, logins, and other actions. ([source](https://docs.stack-auth.com))

### User Interface & Experience

- [Authentication UI Components](https://awesome-repositories.com/f/user-interface-experience/authentication-ui-components.md) — Renders pre-built authentication forms and management interfaces as replaceable React components with customizable styling.
- [User Avatar Dropdowns](https://awesome-repositories.com/f/user-interface-experience/avatar-components/user-avatar-dropdowns.md) — Displays the user's avatar and opens a dropdown menu for accessing account settings and preferences. ([source](https://docs.stack-auth.com/docs/getting-started/components))

### Web Development

- [Sign-In Page Customizations](https://awesome-repositories.com/f/web-development/custom-page-frameworks/sign-in-page-customizations.md) — Builds a custom sign-in page by replacing the default component with a tailored implementation. ([source](https://docs.stack-auth.com/docs/customization/page-examples))
- [User Profiles](https://awesome-repositories.com/f/web-development/user-profiles.md) — Shows the currently authenticated user's account information and settings within the application UI. ([source](https://docs.stack-auth.com/docs/components))

### Part of an Awesome List

- [Email and Notifications](https://awesome-repositories.com/f/awesome-lists/media/email-and-notifications.md) — Sends transactional and marketing emails with customizable themes, templates, and user preference management.
- [Customizable Email Notification Platforms](https://awesome-repositories.com/f/awesome-lists/media/email-and-notifications/customizable-email-notification-platforms.md) — Provides an email system with customizable templates, SMTP integration, and user-controlled preferences.
- [User Activity Dashboards with Session Replays](https://awesome-repositories.com/f/awesome-lists/media/session-replay/user-activity-dashboards-with-session-replays.md) — Provides live active-user counts, session replays, and dashboard building with plain-English or SQL queries. ([source](https://cdn.jsdelivr.net/gh/stack-auth/stack-auth@dev/README.md))

### System Administration & Monitoring

- [Dashboard Builders](https://awesome-repositories.com/f/system-administration-monitoring/activity-monitors/automated-activity-loggers/user-activity-monitoring/dashboard-builders.md) — Provides live active user counts, session replays, and natural-language querying for building dashboards. ([source](https://cdn.jsdelivr.net/gh/stack-auth/stack-auth@dev/README.md))
- [Session Replays](https://awesome-repositories.com/f/system-administration-monitoring/ai-session-monitoring/session-replays.md) — Plays back recorded user sessions with filtering by user, team, duration, and click count. ([source](https://docs.stack-auth.com/docs/apps/analytics))
- [Analytics](https://awesome-repositories.com/f/system-administration-monitoring/ai-session-monitoring/session-replays/analytics.md) — Provides live active-user counts, session replays, and natural-language querying for building dashboards. ([source](https://cdn.jsdelivr.net/gh/stack-auth/stack-auth@dev/README.md))
- [Client-Side](https://awesome-repositories.com/f/system-administration-monitoring/ai-session-monitoring/session-replays/client-side.md) — Captures client-side events and records user sessions for debugging and usage analysis.
- [Analytics Tracking](https://awesome-repositories.com/f/system-administration-monitoring/analytics-tracking.md) — Ships a built-in analytics dashboard that collects and displays usage metrics and user activity data. ([source](https://docs.stack-auth.com))
- [Client-Side Analytics Instrumentation](https://awesome-repositories.com/f/system-administration-monitoring/client-side-analytics-instrumentation.md) — Automatically records browser interactions and session data through an initialized SDK for later query and replay.
- [Usage Analytics](https://awesome-repositories.com/f/system-administration-monitoring/usage-analytics.md) — Collects and displays metrics on user activity, sign-ups, and feature adoption through a dashboard. ([source](https://docs.stack-auth.com))