Sick of spending time on Auth, we built an open source 'Stripe for Auth'

If someone loses access to an email account then I can use manual processes to verify the person and change the email address in the database. This has never happened.

EDIT: "fault" => "problem"

It’s always a chance to read about what’s changed in the technologies/ideas you usually lean on for it. Apply that simplification that you wish you could have for your already launched application. Maybe you have a need to make your auth slightly more proprietary. If you churn out applications all the time yeah I get why this could all be seen as a waste of time.

I don’t say this to belittle your service at all, looks neat! Just throwing out an alternative viewpoint for the sake of it :)

Many large orgs with data requirements need things like ISO 27001, FedRAMP, etc. If you build with a product like SuperTokens and then need to meet these requirements later in your development lifecycle, you'll have to:

a. switch to Cognito/Auth0 for ISO, and for FedRAMP you can only use Cognito.

b. modify SuperTokens by learning NIST requirements (costs engineer time, developers might not know Java)

c. you can make your own, but that defeats the purpose for these systems (costs more time than b)

I feel an "Enterprise" (paid) option by SuperTokens where security compliance is handled, with still the option for self-hosting, would be a massive win.

It looks like a good feature set and yes, I would love to use a solution from someone who focuses on auth vs. rolling my own.

I do think your documentation could be expanded. You have some examples of how to use it with Netlify, but I'd love to see example apps for other cloud providers as well (Heroku, in my case.) Similarly for the react-auth documentation - the basic syntax of how to use it is a good start, but a full working app demonstrating its use with role-based authorizations would put it over the top to prove to me it could meet my needs.

If you are so inclined also interested in any comparison with https://keratin.tech/ and https://www.keycloak.org

You should connect with Mike over at Gluu. He's a great guy and very supportive of the industry as a whole. I'm also happy to connect with you all as well.

Steer clear of Auth0, OneLogin and the others. They don't play fair and I'm positive you'll be receiving your first cease and desist letters in the coming weeks. We have stacks of them and their claims are always total BS. But you don't want to go to battle with a company that has $300M in the bank.

Congrats on the launch!

This being open source is a HUGE draw. It means I don't have to trust you as much, because the code is out in the open for security researchers to poke at. Do you have a bug bounty program?

I assume this works via an API as well, not just web based sessions? My use case is an online multiplayer game written in Unity.

My last two experiences have been with Firebase and Django, both with React front-ends.

I think the state of JWT auth in Django with Rest Framework is dire. I've used the most popular packages (dj-rest-auth, which uses simple-jwt for JWT under the hood) and I've had to tweak way more than I would like to make it all work. I've been shocked to learn that this is not a solved problem in one of the world's most popular web frameworks, and I'd definitely consider using external auth in future projects.

The Firebase experience on the other hand has been outstanding. The front-end SDK is great and so is the documentation. I had to implement SAML SSO for a massive corporate customer using Microsoft AD and was able pull it off in an afternoon without a hitch. The ability to add custom claims and the like is also great - the whole thing feels really feature-complete. But then there's the fact that I don't trust Google with my user data and that I fear that at any time they could start charging onerous amounts for the service, or worse.

In both cases, the most painful bit however has been by far implementing the React front-end. Wiring the views, Redux async actions, etc. That's the part I wish I could get rid of. I see you provide some sort of front-end, but if you provided some sort of adjacent, standalone React library offering views and auth state management out of the box you'd surely get my attention - I'd possibly consider contributing code to it, too.

Overall I think the whole idea sounds great and you may be on to something: in summary, I feel that Google can't be trusted, Auth0 looks eye-watering expensive, Keycloak looks a bit complicated for certain projects, and popular web frameworks like Django may not be as good at token auth as we would take for granted.

I must be honest in that I wouldn't put your tech into production right now because I'm never a tech early-adopter, but I'll keep an eye on it, I'll seriously consider it for personal projects, and if it gets decent momentum in a few months I'll definitely consider extending it to client projects.

Congratulations for launching - I really, really wish you the best of luck.

1. What MFA methods do you support? TOTP? App based auth? U2F? FIDO2? (FIDO2 USB? BLE? Platform authenticators?) Smart cards (especially for enterprise)? Backup OTP's? New device detection?

2. Your docs mention not playing nice with password manager autofill by default. Are there plans to address this?

3. Password reset emails come from @supertokens.io, which specifically raises phishing red flags when you get a password reset email from a domain that is not the one you're logging into. How would an integrator go about addressing this?

I don't have a complex SSO/Auth need, and so, something as simple as single-factor FIDO based passwordless login (such as sawo [0] / portier [1]) or hands-off user management (like userbase [2] / human-id [3]) cuts it for me.

That said, the only question I have is the GitHub page says SuperTokens is "open core"

> SuperTokens is an open core alternative to proprietary login providers like Auth0 or AWS Cognito. We are different because we offer:

> - Open source:...

...So, which parts of supertokens is open core vs open source (supertokens-core, I can see, is vanilla Apache v2 without any strings attached like the horrible Commons Clause)?

[0] https://sawolabs.com/

[1] https://portier.github.io/

[2] https://userbase.com/

[3] https://human-id.org/

Yep that tends to happen when you are supporting SSO and certifications like OpenID Connect. Using one SSO portal to handle mobile, spa, web apps and code auth with evolving techniques like PCRE. That's probably why some customisations are not available too because it breaks the standard. You will just end up with the same models once you've implemented all the same features. Okta, Auth0 and others are all really similar because of the standards behind them not because they thrive to be complex.

I've been working on Enterprise Access Control (EACL) in my spare time, an embedded Datalog-based library with a uniform declarative Clojure API that lets you write grant/deny ACL rules in the shape: Who, What, Why, When, Where & How that goes a little further than Role & Attribute. Link: https://github.com/theronic/eacl

Will do a Show HN when I fix all the bugs and get it fast enough.

Tokens are an interesting approach to future-proof a young application against having to rebuild auth internally. I like your up-front Pricing Philosophy section.

I'm a devops/support engineer and I build out small tools all of the time for our teams and I use Firebase for auth as an end-around our IT admin to avoid having to request oauth2 apps via Google every time I need to make something, since all of our people share the same e-mail domain.

That's what I'd be looking to do with your product. I've got a project in mind to give it a shot.

If there's an auth spectrum, from:

roll your own -> use a language specific library -> use a full featured solution like Auth0, Firebase or FusionAuth

it seems like SuperTokens is in between the library and the full featured solution.

I guess I'd ask, if I don't want a full featured solution (the use case you've identified), why wouldn't I use a language specific library (devise for rails, passport for js, etc). Or is the value that you're providing a modular integration so I don't have to integrate authentication + authorization + user management + API auth myself?

Anyways, congrats on launching. We need more auth solutions and I'm glad to see an interesting approach in the open source world. The other major contender, KeyCloak, is, I've heard, a bear to run and extend.

Full disclosure, I'm an employee of FusionAuth.

just FYI, I saw that you are setting third party cookies without consent. While I generally don't like the flood of cookie banners, it's a legal requirement if you are accepting EU customers.