SuperTokens API

SuperTokens — open-source, self-hostable authentication platform with pre-built UI components and backend SDKs for session management, social login, MFA, and enterprise SSO.

Evaluated Mar 06, 2026
Category: Developer Tools
Tags: supertokens, auth, authentication, open-source, self-hosted, sessions, sso
⚙ Agent Friendliness: 61 / 100 (Can an agent use this?)
🔒 Security: 86 / 100 (Is it safe for agents?)
⚡ Reliability: 80 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: --
Documentation: 85
Error Messages: 80
Auth Simplicity: 78
Rate Limits: 78

🔒 Security

TLS Enforcement: 100
Auth Strength: 85
Scope Granularity: 75
Dep. Hygiene: 88
Secret Handling: 85

Apache 2.0 open source — fully auditable. Self-hosted gives complete data sovereignty. Rotating refresh tokens prevent session hijacking. No SOC2 certification. GDPR compliant for cloud.

⚡ Reliability

Uptime/SLA: 78
Version Stability: 82
Breaking Changes: 80
Error Recovery: 80

Best When

You need open-source, self-hosted authentication with full data control, no per-MAU pricing, and backend SDK integration for Python, Node, Go, or Java services.

Avoid When

You want zero-infrastructure auth — managed platforms like Auth0 or Clerk are significantly simpler to operate.

Use Cases

  • Agents implementing authentication in self-hosted environments with full data sovereignty and no vendor lock-in
  • Session management automation — agents creating, validating, and revoking user sessions via SuperTokens Core API
  • User management — agents provisioning, updating, and deleting users programmatically through the SuperTokens management API
  • Multi-tenancy with per-tenant auth config — agents creating tenant-specific SSO and auth flows for B2B products
  • Token refresh automation — agents handling JWT rotation and session extension without user re-authentication

Not For

  • Teams needing zero-infrastructure auth — use Auth0, Clerk, or Descope for fully managed auth
  • Enterprise SSO without self-hosting capability — managed auth providers have better enterprise support
  • Teams without backend development resources — SuperTokens requires backend SDK integration

Interface

REST API: Yes
GraphQL: No
gRPC: No
MCP Server: No
SDK: Yes
Webhooks: No

Authentication

Methods: api_key
OAuth: No
Scopes: No

Core API key for SuperTokens Core communication (backend-to-core). User JWTs issued by SuperTokens for end-user auth. Self-hosted instances manage their own API keys.

Pricing

Model: open-source
Free tier: Yes
Requires CC: No

Open source core under Apache 2.0 — self-hosted is completely free. Cloud tier for managed hosting. Enterprise features (SAML, multi-tenancy) available on paid plans.

Agent Metadata

Pagination: offset
Idempotent: Partial
Retry Guidance: Not documented

Known Gotchas

  • SuperTokens Core runs as a separate service — agents must ensure Core is running before SDK operations
  • Self-hosted Core requires PostgreSQL or MySQL — in-memory mode is development-only, not production
  • Session validation happens against Core — network latency to Core affects every authenticated request
  • Multi-tenancy is an add-on feature — base setup does not include tenant isolation without configuration
  • JWT public keys are served by your backend, not SuperTokens — key distribution is developer responsibility

Full Evaluation Report

Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for SuperTokens API.

$99

Scores are editorial opinions as of 2026-03-06.
