Show HN: Open Source Authentication and Authorization
128 points by rishabhpoddar on Nov 3, 2022 | 33 comments
I’m Rishabh and the co-founder and CTO at https://supertokens.com (YC S20). We offer open-source user authentication and we just released our user roles product for companies implementing authorization.

Our users are web developers, and a prominent and adjacent pain point for our users is authorization. Developers typically implement two independent solutions for authentication and authorization. Offering AuthN and AuthZ in a single solution is something we’ve been thinking about for the last few years.

Quick primer: authentication is knowing who the user is, and authorization is knowing what the user has access to. A physical analogy: A person enters a building. Authentication means reading their ID card and knowing that the person’s name is John. Authorization means knowing which floors, offices, and files John has access to.

With increasing privacy and data complexity, companies like Netflix[1], Slack[2], and Airbnb[3] have built out their own complex authorization systems.

To build our user roles product, we started with a first principles approach of covering authorization use cases using scripting languages such as XACML and OPA. But looking at existing solutions built by talented teams like Oso[4], Aserto[5], Cerbos[6], Styra[7], we realized that while these were powerful solutions, they were often overkill for most early to mid-stage companies (especially on the B2C side).

We went back to the drawing board, reached out to our users and after dozens of conversations, we realized that most authorization needs require the ability to

1. Assign and manage roles and permissions

2. Store roles in the DB and session tokens to make it readable on the frontend and

3. Protect APIs and websites based on these roles and permissions.

And so, we built user roles – a simple RBAC authorization service that focuses on the balance between simplicity and utility. It doesn’t cover many complex cases and we’re not looking to displace any of the authorization incumbents. But you can add AuthN and AuthZ using a single solution, quickly.

In the near future, we’ll be launching an admin GUI where you can manage your users and their roles with a few clicks.

We’d love for you to try it out and hear what additional functionality you’d like to see. What are your favorite authentication providers and what do they get right?

- [1]: https://conferences.oreilly.com/velocity/vl-ca-2018/cdn.orei...

- [2]: https://slack.engineering/role-management-at-slack/

- [3]: https://medium.com/airbnb-engineering/himeji-a-scalable-cent...

- [4]: https://www.osohq.com/

- [5]: https://www.aserto.com/

- [6]: https://cerbos.dev/

- [7]: https://www.styra.com/

Stupid question: judging by your feature comparison, the only thing you have over Keycloak is you provide managed instances. So why not just be a Keycloak managed provider? They also seem to have features you lack?


There are other differences too:

- Our architecture is different: We provide a frontend SDK with react components that are embedded in your own website - giving you more control and a better dev experience. The frontend doesn't talk to SuperTokens directly, but instead proxies requests via your backend API layer (using our backend SDK). This makes it much easier for you to customise the backend auth logic (you can reuse your API code and also are not forced to use Java), and also enables us to handle your app's session management out of the box.

- For use cases that don't need OAuth (for example if you have a single website), we don't require you to use the protocol. This makes it simpler to set up auth, especially for people not familiar with OAuth and its various flows already.

- There are other feature differences - some features that we have that they don't and vice versa. But this is just a function of time investment on either side.


Authelia is the giant open source elephant in this room


That it is, but is a bit convoluted. I ended up settling on Authentik. [0]

[0] https://goauthentik.io/


Looks like a really interesting platform with extremely reasonably pricing. I might have to try it out soon.

Question on your 2FA though. It says "Partial" and lists that you don't have app access. What does that mean you do have though? FIDO/webAuthn?

If I was self-hosting the open source version at auth.mydomain.com would I be able to export the data, load it into your cloud offering and point the domain to your service for a hiccup free transition for site users? What about the reverse?

I like what I see so far though. Definitely a project to keep an eye on.


The reason it says Partial is because we don't have 2FA with TOTP at the moment. This feature, along with FIDO / WebAuthn, is in our dev pipeline.

> If I was self-hosting the open source version at auth.mydomain.com would I be able to export the data, load it into your cloud offering and point the domain to your service for a hiccup free transition for site users? What about the reverse?

Yes you can - both ways.


Thanks!


This pricing is very reasonable, you can tell they want your SaaS to grow with them. I'm going to find an excuse to give this a shot, if anything just to see if the experience matches the presentation, because they nailed it.


Thanks aliqot! Would love to hear your feedback once you do


In my experience, businesses are especially concerned with authorization — enabling product sales to customers.

They would rather not deal with identity and authentication — usernames and passwords — at all. These are already quite nicely handled to various degrees by Cognito, Auth0, Azure Active Directory, and others.

To address minimalist authorization needs, the portfolio of companies I worked with collaborated to create The Usher[1]. The Usher is an open source authorization server in NodeJS. Worth a peek if you, too, want to focus on authorization separate from authentication.

Disclosure: I am a contributor to The Usher.

[1] https://github.com/DMGT-TECH/the-usher-server


I really appreciate the “free up to a cap” and reasonable pricing. Makes me much more likely to try this for a side project unlike competitors who want me to commit to paying right off the bat.

One thing I noticed is that the link to themes (which I was hoping to see a demo at) is broken: https://supertokens.com/docs/emailpassword/common-customizat... under pricing


Thanks for letting us know about the broken link :)


Implementing SuperTokens is on my roadmap. I’ve read through the docs and been lurking on discord. The approach having your own layer in front of theirs to augment everything sits really well with me.

I wish you guys all the luck, I think it’s a really interesting product.


Thank you Aidos! That's what makes SuperTokens different from the others.


Pretty awesome.

SLA Guarantees is spelt wrong: https://supertokens.com/pricing


Thank you for pointing this out


I'm just starting a new project, and having only rolled our own ghetto authentication and authorization in the past the number of options out there is quite overwhelming!

https://free-for.dev/#/?id=authentication-authorization-and-...

...any advice on a cheap + easy self-hosted solution?


SuperTokens has a self-hosted solution for free [0].

[0] https://supertokens.com/pricing


Your code is open source and free for self-hosting. You have a paid managed model. I really like this model and want to adopt it, but have always wondered how this works out for most companies. Do most people opt for your managed solution? Is it enough to keep paying the bills? Do you have outside contributions thanks to the projects being open sourced?


At the moment, our usage skews in favour of self-hosted.

Yes, we do have outside contributions.

Over the long term, revenue will be from 1. hosting (as you mentioned), 2. Enterprises that pay for closed source features (regardless of whether they host with us or on their own infra)


Sounds to me a bit like https://zitadel.com/


Thanks for mentioning ZITADEL. Co-founder here. SuperTokens is a good solution with obviously a lot of open source traction, which is great to see in this space. Expanding to authorization makes a lot of sense. ZITADEL supports both authentication and authorization in a turnkey solution (AuthN, AuthZ, APIs, UI, DB). Looking at SuperTokens' roadmap, ZITADEL seems to be more feature rich, offering Passkeys, OTP, multi-tenancy, account linking and a management UI.


ZITADEL looks interesting, but their website is quite confusing. I'm not sure whether it is open source and free to use (like Keycloak) or whether you need a commercial license to use the "open source" version.


The software is open source under Apache 2.0 (https://github.com/zitadel/zitadel). No open core or similar, we run the same version on our Cloud Service and for Enterprises. Thanks for the feedback, we need to make that more obvious then.


What do people on HN use for Authentication?

I've gotten quite used to Firebase + Firebase authentication for some side-projects. Now I'm interested in some other cloud hosting providers (Supabase + Render) and one of the key things making me want to keep using Firebase is that I'd have to learn a new auth system.


I used it recently and really liked the experience, especially the SDKs.

Support on their discord community is also great.


I have a question. Can I protect a graphql api as well with supertokens?


Yes! We have docs for this (both with and without Hasura).




> So I have to ask, with software coming out of things like Zanzibar and open source implementations around it - why did you decide to build the same thing again, instead of collaborating with one of these projects?

SuperTokens is not a recent project.

Previously:

Launch HN: Securely manage tokens (Aug 2020), https://news.ycombinator.com/item?id=24306572

Show HN: Stripe for Auth (Dec 2020), https://news.ycombinator.com/item?id=25458033

Auth0 alternative (Aug 2021), https://news.ycombinator.com/item?id=26880554


Looks like that account was created shortly after the post was posted, so I think we can ignore


> But the problem is, permissions are actually a representation of business processes and communication structures. They are rarely user <-> role <-> permissions (I wish they were!).

UMA2 is available in Keycloak. Known as Authorization Services. I have written about it in the past: https://gruchalski.com/posts/2020-09-05-introduction-to-keyc....


> But the problem is, permissions are actually a representation of business processes and communication structures. They are rarely user <-> role <-> permissions (I wish they were!).

That's true.

For us this was about coupling authorization with an authentication system so that developers could have both with a single product.


Ory Keto is in Go. Maybe they wanted an alternative available in Java perhaps?
