SuperTokens
Last verified 2026-05-30 · Reviewed by guptadeepak
Editorial verdict
SuperTokens is the OSS auth library with the cleanest pluggable architecture in 2026: an Apache 2.0 self-hosted Core, Recipe-based composition (each auth method is a module), and strong session management primitives. For teams that want OSS auth delivered as a library, with a managed offering as an option rather than the default, SuperTokens shortlists alongside FusionAuth and Zitadel. The trade-off is a narrower compliance footprint and weaker B2B Organizations than dedicated B2B platforms.
At a glance
- Best for: Teams that want an OSS-licensed auth library with self-hosting as the primary deployment
- Pricing: Tiered per MAU
- Free tier: Unlimited (self-hosted Core)
- Deployment: Self-hosted, cloud SaaS
- SOC 2 Type II: Yes
- Passkeys: Native
- Self-host: Yes
- Open source: Yes (Apache 2.0 Core)
Funding & business
- Funding model: Venture-backed
- Total raised: $5.0M
- Latest round: Seed · 2020
- Years in business: 6 yrs
- Round led by: Y Combinator
- Profitable: Not disclosed
Open-source Auth0 alternative; YC S20, ~$5M raised across seed rounds.
Funding data from primary source. See also the CIAM investor landscape.
Strengths
- Pluggable Recipe architecture: auth methods are composable modules, so you deploy and operate only what you use.
- Apache 2.0 self-hosted Core under the most permissive OSS license among full CIAM platforms.
- Strong session management primitives: refresh token rotation, anti-CSRF, and revocation are first-class.
- Clean SDK ergonomics across major JS frameworks plus Python / Go / PHP.
Limitations
- Smaller community than Keycloak; larger than newer entrants but still mid-tier.
- Compliance footprint on managed product is narrow, SOC 2 Type II only.
- B2B Organizations exists but is less mature than dedicated B2B vendors.
- No native FGA, no adaptive MFA, no bot defense.
Capability matrix
Every vendor scored on the same axes. See the methodology for criteria.
| Capability | SuperTokens |
|---|---|
| Password authentication | Yes |
| Social login | Yes |
| Magic links | Yes |
| SMS OTP | Yes |
| Email OTP | Yes |
| TOTP (authenticator app) | Yes |
| Push MFA | No |
| WebAuthn / passkeys | Yes |
| Biometric | Yes |
| Hardware security keys | Yes |
| SAML SSO | Yes |
| OIDC SSO | Yes |
| OAuth 2.0 SSO | Yes |
| Enterprise federation | Yes |
| Passwordless-only flows | Yes |
| Adaptive MFA | No |
| Step-up auth | Yes |

| Capability | SuperTokens |
|---|---|
| RBAC | Yes |
| ABAC | Partial |
| ReBAC | No |
| FGA engine | No |
| API authorization | Yes |
| Fine-grained permissions | Yes |

| Capability | SuperTokens |
|---|---|
| Self-service registration | Yes |
| Progressive profiling | Yes |
| Self-service account | Yes |
| Bulk user import | Yes |
| Admin user search | Yes |
| Custom user metadata | Yes |
| Organizations / tenants | Yes |
| Multi-tenancy | Yes |

| Capability | SuperTokens |
|---|---|
| REST API | Yes |
| GraphQL API | No |
| SDKs | js, node, react, next, vue, angular, python, go, php |
| CLI | Yes |
| Terraform provider | No |
| Local emulator | Yes |
| Extension model | Pluggable recipes (auth methods as composable modules) + override APIs |

| Capability | SuperTokens |
|---|---|
| Bot detection | No |
| Breached password detection | Yes |
| Brute-force protection | Yes |
| Anomaly detection | No |
| Log streams | Yes |
| Audit logs | Yes |
| GDPR data export | Yes |
| PII minimization | Yes |
| Post-quantum roadmap | No |

| Capability | SuperTokens |
|---|---|
| MCP support | No |
| OAuth 2.1 | Yes |
| Dynamic client registration | No |
| Agent vs human token separation | No |
| Web Bot Auth | No |

| Capability | SuperTokens |
|---|---|
| SOC 2 Type II | Yes |
| ISO 27001 | No |
| ISO 27018 | No |
| HIPAA | No |
| PCI DSS | No |
| GDPR | Yes |
| CCPA | Yes |
| FedRAMP | No |
| EU data residency | Yes |

| Capability | SuperTokens |
|---|---|
| Consent management | No |
| Preference center | No |
| Purpose-specific consent | No |
| Integrates with CMPs | n/a |
Pricing
| Managed Service MAU | Estimated monthly cost |
|---|---|
| 10,000 MAU | $0/mo |
| 100,000 MAU | $200/mo |
| 500,000 MAU | $900/mo |
| 1,000,000 MAU | $1,800/mo |
- Self-hosted Core service is Apache 2.0, free at any scale
- Managed Service (SaaS) priced per-MAU with included MAU allowance at low cost
- Pluggable recipe model: you deploy, and pay for, only the auth methods you actually enable
Estimates use the standard assumptions in our methodology. Always confirm with the vendor.
Best for
- Teams that want OSS-licensed auth library with self-host as the primary deployment
- Apps that compose auth methods incrementally rather than buying the full stack
- B2C consumer apps or B2B SaaS at mid-market scale
Not for
- Workloads requiring HIPAA, FedRAMP, ISO 27001, or PCI DSS
- Mid-large enterprise federation requirements
- Authorization-heavy use cases requiring FGA
FAQ
- What is the SuperTokens Recipe architecture?
- Each auth method (passwords, passwordless, social login, multi-tenancy, MFA, dashboard) is a separate Recipe: a composable module that can be added or removed independently. This is more flexible than a monolithic CIAM, where you pay for and operate everything regardless of usage.
- Is SuperTokens self-hosted only?
- No, both self-hosted Core (Apache 2.0, free at any scale) and SuperTokens Managed Service (SaaS) are available. The Managed Service runs the Core for you with included MAU allowances.
- How does SuperTokens compare to Auth.js / NextAuth?
- SuperTokens runs as a separate backend service (the Core, self-hosted or managed) plus SDKs that sit in your API layer, while Auth.js is a library that runs entirely inside the application. SuperTokens has stronger session management, multi-tenant primitives, and admin tooling; Auth.js has zero-deployment simplicity. For projects beyond a single Next.js app, SuperTokens is usually the better model.
Sources
- SuperTokens Pricing, accessed 2026-04-22
- SuperTokens Documentation, accessed 2026-04-22
- SuperTokens GitHub, accessed 2026-04-22
What SuperTokens is
SuperTokens launched in 2020 as an open-source auth library with a focus on session management, with the codebase split between the Core (Apache 2.0 backend service) and SDK Recipes (pluggable auth method modules). Both self-hosted and managed offerings share the same Core, and the Recipe architecture is the design center: each auth method (passwords, passwordless, social, multi-tenancy, MFA) is a composable module.
Where SuperTokens wins
The pluggable Recipe model is the differentiator: teams deploy and operate only the auth methods they actually use, which keeps both the bundle and the operational surface small. Apache 2.0 licensing of the Core is the most permissive in the OSS CIAM tier. Session management primitives (refresh token rotation, anti-CSRF, revocation) are strong.
Where SuperTokens hurts
Compliance footprint on the managed product is narrow (SOC 2 only). B2B Organizations exists but is less mature than WorkOS or Frontegg. No native FGA, no adaptive MFA, no bot defense.
How SuperTokens compares
SuperTokens sits in a useful middle of the OSS CIAM tier, heavier than a code-first library like BetterAuth, lighter than full enterprise platforms like Keycloak or WSO2 IS. The Recipe-based composition is its most distinctive design choice and the main reason teams pick it over Keycloak. The closest direct comparisons are SuperTokens vs Keycloak, SuperTokens vs FusionAuth, and Auth0 vs SuperTokens. For modern OSS with B2B-first focus, Zitadel is the alternative.