// the find
supertokens/supertokens-core
Open source alternative to Auth0 / Firebase Auth / AWS Cognito
SuperTokens is a self-hosted authentication server you run as a Java HTTP microservice, with SDKs for your frontend and backend that handle the actual session token management. It targets teams who want Auth0-level features (passwordless, social login, MFA, multi-tenancy) without handing their user database to a third party. Active development, pushed yesterday, ~15k stars.
The three-tier split (core HTTP service + backend SDK + frontend SDK) is architecturally sound — session verification happens in the backend SDK without hitting the Java core, so the core is not on the hot path for every request. The plugin interface for storage means you can swap PostgreSQL, MySQL, or MongoDB under the hood without touching application code. Multi-tenancy with per-tenant SSO configuration is genuinely useful and not common in open-source auth. The open-core model means basic auth flows are fully Apache 2.0 — no user count limits, no feature expiry.
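To make the hot-path claim concrete, here is an added Python sketch (not SuperTokens code; the token format, key handling and the FakeCore stand-in are constructed simplifications) in which the backend-SDK side verifies a signed access token locally and only calls the core to create or refresh a session:

```python
import base64, hashlib, hmac, json

# Constructed demo key standing in for the key the core shares with its backend SDKs (not a real secret).
SIGNING_KEY = b"constructed-demo-key"

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

class FakeCore:
    """Stand-in for the core service: owns refresh-token state and counts every call it receives."""
    def __init__(self, key: bytes, ttl: int = 300):
        self.key, self.ttl, self.calls = key, ttl, 0
        self.refresh_tokens = {}  # opaque refresh token -> user id; this state never leaves the core
    def create_session(self, user_id: str, now: int):
        self.calls += 1
        refresh = hashlib.sha256(f"{user_id}:{now}:{self.calls}".encode()).hexdigest()
        self.refresh_tokens[refresh] = user_id
        return self.issue_access_token(user_id, now), refresh
    def refresh_session(self, refresh: str, now: int):
        user_id = self.refresh_tokens.pop(refresh)  # single use: a replayed refresh token raises KeyError
        return self.create_session(user_id, now)  # rotates the refresh token; counts as one core call
    def issue_access_token(self, user_id: str, now: int) -> str:
        body = b64(json.dumps({"sub": user_id, "iat": now, "exp": now + self.ttl}).encode())
        return body + "." + b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())

def verify_access_token(token: str, key: bytes, now: int):
    """Backend-SDK side of a request: signature and expiry checked locally, no round trip to the core.
    Returns the claims, or None when the token is malformed, forged or expired."""
    body, _, sig = token.partition(".")
    try:
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims if claims.get("exp", 0) > now else None

def simulate(request_count: int, seconds_between: int = 60):
    """Serve one user's requests, one per minute, on a 300 s access token. The core is contacted
    only to create the session and to refresh it after expiry. Returns (served, core calls)."""
    core = FakeCore(SIGNING_KEY)
    access, refresh = core.create_session("user-123", now=0)
    for i in range(request_count):
        now = (i + 1) * seconds_between
        if verify_access_token(access, SIGNING_KEY, now) is None:  # expired: the only path that hits the core
            access, refresh = core.refresh_session(refresh, now)
        assert verify_access_token(access, SIGNING_KEY, now)["sub"] == "user-123"
    return request_count, core.calls
```

Over 20 requests a minute apart the core is hit 5 times, once at login and once per expiry, independent of request volume; the real SDKs verify against keys published by the core rather than a shared HMAC secret, but the split is the same.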
The EE directory under a separate proprietary license is a trap: multi-tenancy and some MFA features live there, so the thing you probably need for a real production app requires a commercial license. The Java core adds operational weight — you are now running a JVM service plus your own app, and despite their memory optimizations, a fresh instance still costs more RAM than a Go or Rust equivalent. SDK fragmentation is real: if your stack isn't Node, Go, or Python on the backend and React on the frontend, you are either using a community SDK of unknown quality or rolling your own. The migration story when upgrading the core has historically been painful; check the migration_scripts directory, where there is a Node.js script for one version bump, which is not confidence-inspiring for a Java project.