# supertokens/supertokens-core

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/supertokens-supertokens-core).**

14,922 stars · 639 forks · Java · other

## Links

- GitHub: https://github.com/supertokens/supertokens-core
- Homepage: https://supertokens.com
- awesome-repositories: https://awesome-repositories.com/repository/supertokens-supertokens-core.md

## Topics

`auth0` `authentication` `aws-cognito` `email-password` `email-password-login` `firebase-auth` `hacktoberfest` `java` `keycloak` `login` `oauth` `password` `passwordless` `passwordless-authentication` `passwordless-login` `session-management` `signin` `social-login` `supertokens`

## Description

SuperTokens Core is an open-source, self-hosted authentication and identity management platform designed for deployment within private infrastructure. It provides a comprehensive suite for managing user accounts, roles, and secure authentication flows, utilizing a modular, recipe-based architecture that allows developers to enable specific security features without modifying the core codebase.

The platform distinguishes itself through its robust multi-tenancy capabilities, which allow for the logical or physical isolation of user records and configuration settings across different organizational environments. It employs a claims-based session management model that uses cryptographically signed tokens to enable stateless authorization, alongside an event-driven hook system that triggers custom business logic during authentication lifecycle events.

The system covers a broad capability surface, including diverse authentication methods such as passwordless flows, social and enterprise single sign-on, and hardware-backed passkey support. It also integrates advanced security features like threat detection, multi-factor authentication enforcement, and granular role-based access control, while providing tools for session monitoring, request tracing, and user data migration from legacy systems.

The project is designed to be run as a containerized service, offering horizontal scalability to handle varying traffic loads. Detailed documentation and administrative interfaces are available to assist with environment configuration, UI theming, and the integration of custom authentication logic.

## Tags

### Artificial Intelligence & ML

- [Stateless Session Authentication](https://awesome-repositories.com/f/artificial-intelligence-ml/agentic-systems-frameworks/agent-orchestration-multi-agent/security-and-auth/authentication-strategies/session-state/stateless-session-authentication.md) — The authentication service validates access tokens using cryptographic signatures without network round-trips to ensure low-latency authentication checks for every request. ([source](https://supertokens.com/docs/deployment/scalability.md))

### Data & Databases

- [Multi-Tenant Data Management](https://awesome-repositories.com/f/data-databases/multi-tenant-data-management.md) — Enables robust multi-tenant data isolation through logical or physical partitioning of user records and configuration.
- [Multi-Tenant Authentication Configurations](https://awesome-repositories.com/f/data-databases/multi-tenant-data-management/multi-tenant-authentication-configurations.md) — The authentication service sets specific first and second factor requirements for individual tenants to allow customized login flows within a multi-tenant environment. ([source](https://supertokens.com/docs/additional-verification/mfa/initial-setup.md))

### DevOps & Infrastructure

- [Self-Hosted Infrastructure](https://awesome-repositories.com/f/devops-infrastructure/self-hosted-infrastructure.md) — Enables self-hosted deployment of centralized authentication infrastructure to maintain full control over user data.
- [API Throttling](https://awesome-repositories.com/f/devops-infrastructure/api-throttling.md) — Limits incoming API requests per application and IP address to prevent service abuse and ensure stability. ([source](https://supertokens.com/docs/deployment/rate-limits.md))

### Security & Cryptography

- [Multi-Tenant Identity Management](https://awesome-repositories.com/f/security-cryptography/identity-access-management/access-control/identity-role-management/multi-tenant-identity-management.md) — Enables isolated authentication environments with unique login methods, user pools, and security policies per tenant.
- [Passwordless Authentication](https://awesome-repositories.com/f/security-cryptography/identity-access-management/authentication-strategies/user-facing-login-methods/standard-web-authentication-schemes/passwordless-authentication.md) — Provides secure passwordless authentication flows using email or phone number verification codes. ([source](https://supertokens.com/docs/references/frontend-sdks/supertokens-auth-react/recipe-passwordless.md))
- [Identity and Access Management](https://awesome-repositories.com/f/security-cryptography/identity-and-access-management.md) — Provides a comprehensive suite for managing user accounts, roles, and secure authentication flows.
- [Open-Source Authentication Platforms](https://awesome-repositories.com/f/security-cryptography/identity-authentication/open-source-authentication-platforms.md) — Provides a self-hosted, open-source authentication service with session management and multi-factor authentication.
- [Stateless Session Management](https://awesome-repositories.com/f/security-cryptography/stateless-session-management.md) — Implements stateless, claims-based session management using cryptographically signed tokens for distributed authorization.
- [Authentication Flows](https://awesome-repositories.com/f/security-cryptography/authentication-flows.md) — Executes core sign-up and sign-in flows by managing user credential submission and validation. ([source](https://supertokens.com/docs/quickstart/frontend-setup.md))
- [Self-Hosted Deployments](https://awesome-repositories.com/f/security-cryptography/authentication-services/self-hosted-deployments.md) — Runs the authentication backend as a containerized service within your own infrastructure. ([source](https://supertokens.com/docs/deployment/self-host-supertokens.md))
- [Authentication Workflows](https://awesome-repositories.com/f/security-cryptography/authentication-workflows/authentication-workflows.md) — Provides pre-built forms and workflows for email and password-based user sign-in and registration. ([source](https://supertokens.com/docs/references/frontend-sdks/prebuilt-ui/ui-showcase.md))
- [Email Authentication Strategies](https://awesome-repositories.com/f/security-cryptography/email-authentication-strategies.md) — Registers new accounts and validates credentials to establish secure user sessions for email-based authentication. ([source](https://supertokens.com/docs/references/frontend-sdks/supertokens-auth-react/recipe-emailpassword.md))
- [Hardware Authentication](https://awesome-repositories.com/f/security-cryptography/hardware-authentication.md) — Verifies user identity using hardware security keys and biometric authenticators via WebAuthn. ([source](https://supertokens.com/docs/references/frontend-sdks/supertokens-auth-react/recipe-webauthn.md))
- [Providers](https://awesome-repositories.com/f/security-cryptography/identity-access-management/authentication-strategies/user-facing-login-methods/standard-web-authentication-schemes/passwordless-authentication/providers.md) — Supports secure user sign-in and registration using magic links, OTP codes, and WebAuthn passkeys.
- [JWT Claim Validation](https://awesome-repositories.com/f/security-cryptography/jwt-claim-validation.md) — Confirms token authenticity and expiration using public keys to ensure stateless authorization. ([source](https://supertokens.com/docs/authentication/unified-login/verify-tokens.md))
- [Multi-Tenant Authentication Services](https://awesome-repositories.com/f/security-cryptography/multi-tenant-security/multi-tenant-authentication-services.md) — Enables isolated user pools and tenant-specific login configurations for secure multi-tenant environments.
- [OAuth Providers](https://awesome-repositories.com/f/security-cryptography/oauth-providers.md) — Acts as an OAuth and OIDC provider to issue access tokens and manage authorization flows.
- [Passkey Authentication](https://awesome-repositories.com/f/security-cryptography/passkey-authentication.md) — Integrates passwordless authentication using browser-based standards for biometric and hardware key login. ([source](https://supertokens.com/docs/authentication/passkeys/initial-setup.md))
- [Role-Based Access Control](https://awesome-repositories.com/f/security-cryptography/role-based-access-control.md) — Provides granular role-based access control to manage authorization levels and restrict access to protected resources.
- [API and Machine Authentication](https://awesome-repositories.com/f/security-cryptography/identity-access-management/authentication-strategies/machine-and-protocol-identity/api-machine-authentication.md) — Secures machine-to-machine communication by validating client credentials and issuing access tokens for authorized resource access. ([source](https://supertokens.com/docs/authentication/unified-login/oauth2-basics.md))
- [Multi-Factor Authentication Strategies](https://awesome-repositories.com/f/security-cryptography/multi-factor-authentication-strategies.md) — The authentication service requires users to complete a secondary verification step after initial login by tracking progress and validating completion before granting access. ([source](https://supertokens.com/docs/quickstart/next-steps.md))
- [Conditional Enforcement](https://awesome-repositories.com/f/security-cryptography/multi-factor-authentication/conditional-enforcement.md) — The authentication service requires additional verification steps like OTP based on user attributes, roles, or account-specific settings during the authentication flow. ([source](https://supertokens.com/docs/additional-verification/mfa/email-sms-otp/otp-for-opt-in-users.md))
- [One-Time Passwords](https://awesome-repositories.com/f/security-cryptography/one-time-passwords.md) — Validates user identity by sending temporary codes to email or phone for entry during the login process. ([source](https://supertokens.com/docs/references/frontend-sdks/prebuilt-ui/ui-showcase.md))
- [SAML Authentication](https://awesome-repositories.com/f/security-cryptography/saml-authentication.md) — Integrates with external enterprise identity providers using the SAML protocol for single sign-on. ([source](https://supertokens.com/docs/authentication/enterprise/saml.md))
- [Adaptive Security Policies](https://awesome-repositories.com/f/security-cryptography/security-orchestration/adaptive-security-policies.md) — Provides adaptive authentication that dynamically adjusts security requirements based on real-time risk signals and user policies.
- [Password Hashing Utilities](https://awesome-repositories.com/f/security-cryptography/security/cryptography-and-secrets/cryptographic-primitives-management/password-hashing-utilities.md) — Hashes user passwords using configurable algorithms like Argon2 or BCrypt to maintain secure credential storage. ([source](https://supertokens.com/docs/authentication/email-password/password-hashing.md))
- [Enterprise SSO Integrations](https://awesome-repositories.com/f/security-cryptography/social-login-providers/enterprise-sso-integrations.md) — Integrates third-party social providers and enterprise SAML services for external account authentication.
- [Social Login Integrations](https://awesome-repositories.com/f/security-cryptography/social-login-providers/social-login-integrations.md) — Integrates third-party social identity providers directly into the login interface. ([source](https://supertokens.com/docs/references/frontend-sdks/prebuilt-ui/ui-showcase.md))
- [Threat Detection](https://awesome-repositories.com/f/security-cryptography/threat-detection.md) — Analyzes login requests for bot activity, VPN usage, and brute-force attempts to block malicious access. ([source](https://supertokens.com/docs/additional-verification/attack-protection-suite/initial-setup.md))
- [Bot Blocking](https://awesome-repositories.com/f/security-cryptography/application-and-system-security/browser-security/content-filtering-blocking/bot-blocking.md) — Analyzes request patterns and behavioral indicators to block automated bot activity and credential stuffing. ([source](https://supertokens.com/docs/additional-verification/attack-protection-suite/introduction.md))
- [Authentication and Authorization](https://awesome-repositories.com/f/security-cryptography/authentication-and-authorization.md) — Facilitates secure web application authentication by exchanging authorization codes for access tokens via redirection. ([source](https://supertokens.com/docs/authentication/unified-login/oauth2-basics.md))
- [Magic Link](https://awesome-repositories.com/f/security-cryptography/authentication-flows/magic-link.md) — Supports passwordless authentication by sending secure, time-limited links to users for login. ([source](https://supertokens.com/docs/references/frontend-sdks/prebuilt-ui/ui-showcase.md))
- [Brute Force Protections](https://awesome-repositories.com/f/security-cryptography/brute-force-protections.md) — Monitors sensitive action frequency to block brute-force attempts and prevent unauthorized account access. ([source](https://supertokens.com/docs/additional-verification/attack-protection-suite/introduction.md))
- [Pre-built Authentication Components](https://awesome-repositories.com/f/security-cryptography/identity-access-management/authentication-strategies/user-facing-login-methods/multi-factor-authentication/pre-built-authentication-components.md) — Renders pre-built login components that support multi-factor authentication and account switching. ([source](https://supertokens.com/docs/additional-verification/mfa/legacy-mfa/prebuilt-ui/showing-login-ui.md))
- [WebAuthn Registrations](https://awesome-repositories.com/f/security-cryptography/identity-access-management/credential-lifecycle-management/credential-security/webauthn-registrations.md) — Enables users to register hardware security keys and biometric authenticators for account access. ([source](https://supertokens.com/docs/references/frontend-sdks/supertokens-auth-react/recipe-webauthn.md))
- [Server-Side Session Stores](https://awesome-repositories.com/f/security-cryptography/identity-access-management/session-management/server-side-session-stores.md) — Enables immediate server-side session invalidation by removing records directly from the database. ([source](https://supertokens.com/docs/post-authentication/session-management/session-invalidation.md))
- [OAuth2 Providers](https://awesome-repositories.com/f/security-cryptography/oauth2-providers.md) — Configures the backend to act as an OAuth2 provider, exposing endpoints for authorization requests and token exchanges. ([source](https://supertokens.com/docs/authentication/unified-login/quickstart-guides/multiple-frontends-with-separate-backends.md))
- [Leaked Credential Checks](https://awesome-repositories.com/f/security-cryptography/password-management/leaked-credential-checks.md) — Prevents the use of compromised or insecure passwords by comparing them against databases of known leaked credentials. ([source](https://supertokens.com/docs/additional-verification/attack-protection-suite/introduction.md))
- [Requirement Policies](https://awesome-repositories.com/f/security-cryptography/requirement-policies.md) — The authentication service defines which secondary authentication factors are mandatory for specific users or groups to secure access to sensitive accounts. ([source](https://supertokens.com/docs/additional-verification/mfa/email-sms-otp/otp-for-opt-in-users.md))
- [OAuth2 Access Token Issuance](https://awesome-repositories.com/f/security-cryptography/token-based-authentication/oauth2-access-token-issuance.md) — Facilitates secure microservice communication by generating short-lived access tokens based on defined scopes. ([source](https://supertokens.com/docs/authentication/m2m/client-credentials.md))
- [Token Validation Services](https://awesome-repositories.com/f/security-cryptography/token-validation-services.md) — Exposes JSON Web Key Set endpoints to allow external services to verify access tokens independently. ([source](https://supertokens.com/docs/additional-verification/session-verification/protect-api-routes.md))
- [Horizontal Scaling](https://awesome-repositories.com/f/security-cryptography/authentication-services/horizontal-scaling.md) — Distributes authentication traffic across multiple stateless service instances to handle high request volumes. ([source](https://supertokens.com/docs/deployment/scalability.md))
- [Cross-Domain Authentication](https://awesome-repositories.com/f/security-cryptography/cross-domain-authentication.md) — Configures authentication cookies for cross-subdomain access to enable seamless session sharing. ([source](https://supertokens.com/docs/authentication/enterprise/common-domain-login.md))
- [CSRF Protections](https://awesome-repositories.com/f/security-cryptography/csrf-protections.md) — Restricts cookie transmission to same-site contexts to prevent cross-site request forgery attacks. ([source](https://supertokens.com/docs/post-authentication/session-management/security.md))
- [New Device Alerts](https://awesome-repositories.com/f/security-cryptography/device-authentication-flows/new-device-alerts.md) — Identifies and alerts on authentication attempts from previously unseen devices to prevent unauthorized access. ([source](https://supertokens.com/docs/additional-verification/attack-protection-suite/introduction.md))
- [Cross-Tenant User Associations](https://awesome-repositories.com/f/security-cryptography/identity-access-management/access-control/identity-role-management/multi-tenant-identity-management/cross-tenant-user-associations.md) — Connects existing user accounts to multiple tenants to grant access while maintaining unique identity records. ([source](https://supertokens.com/docs/authentication/enterprise/manage-tenants.md))
- [Recovery Credentials](https://awesome-repositories.com/f/security-cryptography/multi-factor-authentication/recovery-credentials.md) — The authentication service allows users to regain access to their accounts using secondary verification methods when primary WebAuthn credentials are unavailable. ([source](https://supertokens.com/docs/references/frontend-sdks/supertokens-auth-react/recipe-webauthn.md))
- [Passkey Configurations](https://awesome-repositories.com/f/security-cryptography/passkey-authentication/passkey-configurations.md) — Customizes relying party identity and origin binding to integrate passkeys into application login flows. ([source](https://supertokens.com/docs/authentication/passkeys/customization.md))
- [Route Protection](https://awesome-repositories.com/f/security-cryptography/route-protection.md) — Restricts access to specific application views by verifying user session status and redirecting unauthenticated users. ([source](https://supertokens.com/docs/quickstart/frontend-setup.md))
- [Step-up Authentication](https://awesome-repositories.com/f/security-cryptography/session-authentication/step-up-authentication.md) — The authentication service requires users to complete additional authentication challenges before accessing specific pages or performing sensitive actions to ensure ongoing security. ([source](https://supertokens.com/docs/additional-verification/mfa/step-up-auth.md))
- [Geographic Anomaly Detection](https://awesome-repositories.com/f/security-cryptography/threat-detection/geographic-anomaly-detection.md) — Detects fraudulent activity by identifying geographically impossible login patterns within short timeframes. ([source](https://supertokens.com/docs/additional-verification/attack-protection-suite/introduction.md))
- [Account Duplication Prevention](https://awesome-repositories.com/f/security-cryptography/user-account-management/account-duplication-prevention.md) — The authentication service intercepts authentication requests to verify if a user already exists and blocks registration if the provided credentials conflict with an existing account. ([source](https://supertokens.com/docs/post-authentication/user-management/account-deduplication.md))
- [GraphQL Authorizers](https://awesome-repositories.com/f/security-cryptography/api-gateway-security/graphql-authorizers.md) — Authenticates GraphQL requests by validating user identity through an API gateway authorizer. ([source](https://supertokens.com/docs/quickstart/integrations/aws-lambda/appsync-integration.md))
- [Automatic Request Token Injection](https://awesome-repositories.com/f/security-cryptography/bearer-token-authentication/automatic-request-token-injection.md) — Ensures secure communication with protected services by automatically injecting authentication tokens into outgoing network requests. ([source](https://supertokens.com/docs/references/frontend-sdks/supertokens-auth-react/recipe-session.md))
- [Captcha Services](https://awesome-repositories.com/f/security-cryptography/captcha-services.md) — Embeds automated bot detection into authentication flows by supporting multiple third-party captcha providers. ([source](https://supertokens.com/docs/references/plugins/captcha-react.md))
- [Device Fingerprinting](https://awesome-repositories.com/f/security-cryptography/device-fingerprinting.md) — Maintains persistent device identifiers across sessions to recognize and track requesters. ([source](https://supertokens.com/docs/additional-verification/attack-protection-suite/introduction.md))
- [Embedded Session Authentication](https://awesome-repositories.com/f/security-cryptography/embedded-session-authentication.md) — Supports authentication within cross-origin iframes using header-based token transmission. ([source](https://supertokens.com/docs/post-authentication/session-management/advanced-workflows/in-iframe.md))
- [Environment Configuration](https://awesome-repositories.com/f/security-cryptography/environment-configuration.md) — Defines application metadata and network routing paths during initialization to ensure correct request mapping. ([source](https://supertokens.com/docs/references/frontend-sdks/reference.md))
- [Authenticator Security Validation](https://awesome-repositories.com/f/security-cryptography/hardware-authentication/authenticator-security-validation.md) — The authentication service inspects device metadata during registration to confirm the authenticity and security capabilities of the hardware being used. ([source](https://supertokens.com/docs/authentication/passkeys/important-concepts.md))
- [Username Authentication Configurations](https://awesome-repositories.com/f/security-cryptography/identity-access-management/authentication-strategies/user-facing-login-methods/standard-web-authentication-schemes/basic-authentication/username-authentication-configurations.md) — Supports flexible user identification by allowing sign-in and registration via custom usernames. ([source](https://supertokens.com/docs/authentication/email-password/implement-username-login.md))
- [Registration Allow-Lists](https://awesome-repositories.com/f/security-cryptography/identity-access-management/credential-lifecycle-management/credential-security/webauthn-registrations/registration-allow-lists.md) — The authentication service validates user contact information against a predefined list of authorized emails or phone numbers during the registration process to prevent unauthorized account creation. ([source](https://supertokens.com/docs/authentication/passwordless/allow-list-flow.md))
- [Account Linking](https://awesome-repositories.com/f/security-cryptography/identity-access-management/identity-management/account-linking.md) — Connects secondary authentication accounts with primary user profiles to maintain consistent identity data. ([source](https://supertokens.com/docs/additional-verification/mfa/legacy-mfa/backend-setup/second-factor.md))
- [User Profile Management](https://awesome-repositories.com/f/security-cryptography/identity-access-management/identity-management/user-management/user-profile-management.md) — Supports progressive profile collection to minimize onboarding friction while building complete user profiles over time.
- [Session Claims](https://awesome-repositories.com/f/security-cryptography/identity-access-management/session-management/custom-session-storage-providers/session-claims.md) — Extends session data models by embedding custom attributes directly into access tokens for stateless authorization. ([source](https://supertokens.com/docs/additional-verification/session-verification/claim-validation.md))
- [External Provider Redirections](https://awesome-repositories.com/f/security-cryptography/social-authentication-providers/external-provider-redirections.md) — Handles the redirection logic required to perform social logins via external identity providers. ([source](https://supertokens.com/docs/references/frontend-sdks/supertokens-auth-react/recipe-thirdparty.md))

### Software Engineering & Architecture

- [Stateless Token Validation](https://awesome-repositories.com/f/software-engineering-architecture/stateless-architectures/stateless-token-validation.md) — Enables high-performance authorization by verifying access tokens locally using public keys.
- [Recipe-Based Modular Systems](https://awesome-repositories.com/f/software-engineering-architecture/modular-extension-architectures/recipe-based-modular-systems.md) — Utilizes a recipe-based modular architecture to enable specific security features without modifying the core codebase.
- [Event-Driven Hook Systems](https://awesome-repositories.com/f/software-engineering-architecture/event-driven-hook-systems.md) — Provides an event-driven hook system to trigger custom business logic during authentication lifecycle events.

### Part of an Awesome List

- [Authentication and Identity](https://awesome-repositories.com/f/awesome-lists/security/authentication-and-identity.md) — Open-source authentication with prebuilt UI components.

### Web Development

- [Authentication SDK Bridges](https://awesome-repositories.com/f/web-development/backend-to-frontend-bridges/authentication-sdk-bridges.md) — Simplifies frontend integration by abstracting complex authentication flows into configurable client-side hooks.
- [Custom Metadata Storage](https://awesome-repositories.com/f/web-development/user-metadata-management/custom-metadata-storage.md) — Allows storing arbitrary key-value data associated with user accounts for application-specific state. ([source](https://supertokens.com/docs/authentication/social/custom-invite-flow.md))

### Networking & Communication

- [Authentication SMS Gateways](https://awesome-repositories.com/f/networking-communication/communication-platforms-services/messaging-notification-systems/messaging-services/notification-delivery-services/authentication-sms-gateways.md) — The authentication service integrates third-party messaging providers or custom logic to send authentication codes and magic links to users via text message. ([source](https://supertokens.com/docs/platform-configuration/sms-delivery.md))
- [SMTP Integrations](https://awesome-repositories.com/f/networking-communication/email-delivery-configurations/smtp-integrations.md) — The authentication service connects to external SMTP servers to send authentication-related emails using a custom domain and override default email templates or logic. ([source](https://supertokens.com/docs/platform-configuration/email-delivery.md))

### User Interface & Experience

- [Custom Authentication Interfaces](https://awesome-repositories.com/f/user-interface-experience/custom-ui-components/custom-authentication-interfaces.md) — Enables developers to implement custom frontend routes by disabling pre-built authentication components. ([source](https://supertokens.com/docs/authentication/passwordless/customize-the-magic-link.md))
