SuperTokens Core
SuperTokens Core is an open-source authentication HTTP service that provides the core logic for user authentication and session management. It's designed as a self-hosted alternative to proprietary authentication providers like Auth0, Firebase Auth, and AWS Cognito.
- Quickstart: Get up and running with SuperTokens Core in minutes
- Architecture: Learn about the three-tier SuperTokens architecture
- Configuration: Configure SuperTokens Core for your use case
- API Reference: Explore the complete API documentation
What is SuperTokens Core?
SuperTokens Core is the HTTP service that sits at the heart of the SuperTokens architecture. It provides:
- Complete authentication logic: Handles sign-up, sign-in, session management, and token operations
- Database operations: Manages user data, sessions, and authentication state
- Multi-tenancy support: Built-in support for apps, tenants, and organizations
- Multiple authentication methods: Email/password, passwordless, social login, OAuth, MFA, WebAuthn, and SAML
- Session management: Secure access and refresh tokens with automatic rotation
- Self-hosted control: 100% control over your user data and infrastructure
Key features
- Session Management: Secure access and refresh tokens with automatic rotation and theft detection
- Email/Password Auth: Traditional authentication with password reset and account recovery
- Passwordless Login: One-time codes via email or SMS for frictionless authentication
- Social Login: OAuth integration with Google, Facebook, GitHub, Apple, and more
- OAuth 2.0 Provider: Act as an OAuth provider for your ecosystem
- Multi-Factor Authentication: TOTP-based MFA for enhanced security
- WebAuthn Support: Modern passwordless authentication with passkeys and biometrics
- SAML Integration: Enterprise SSO with SAML 2.0 support
- Multi-tenancy: Built-in support for multi-tenant applications and organizations
- User Roles: Role-based access control with flexible permissions
- User Metadata: Store custom attributes for each user
- Bulk Import: Migrate users from other platforms with password hash support
Why SuperTokens Core?
Open source and self-hosted
- Free forever: No user limits, no feature restrictions
- Complete control: Host on your own infrastructure
- Data ownership: All user data stays in your database
- No vendor lock-in: Export and migrate at any time
Built for developers
- Simple integration: REST APIs that work with any backend
- SDKs available: Official SDKs for Node.js, Python, Go, and more
- Comprehensive docs: Detailed API documentation and guides
- Active community: Join our Discord for support
Production-ready
- Battle-tested: Used by thousands of applications
- Secure by default: Industry-standard security practices
- Scalable: Handle millions of users with ease
- Multi-database support: PostgreSQL, MySQL, MongoDB, and SQLite
Architecture overview
SuperTokens uses a three-tier architecture:
- Frontend SDK: Manages session tokens and renders UI components
- Backend SDK: Provides authentication APIs that your frontend calls
- SuperTokens Core: The HTTP service for core authentication logic (this project)
Learn more about architecture: Understand how the three components work together
Supported databases
SuperTokens Core supports multiple database backends:
- PostgreSQL 11 or higher
- MySQL 5.7 or higher
- MongoDB 4.2 or higher (document-based storage)
- SQLite (for development)
Next steps
- Get started with quickstart: Run SuperTokens Core locally in 5 minutes
- Explore authentication methods: Learn about available authentication options
- Deploy to production: Self-host SuperTokens Core in your infrastructure
- Browse API reference: Dive into the complete API documentation
Community and support
- Discord: Join our community Discord for questions and discussions
- GitHub: Report issues and contribute on GitHub
- Documentation: Full documentation at supertokens.io/docs
License
SuperTokens Core is licensed under Apache 2.0. Enterprise features (located in the ee/ directory) require a commercial license for production use.