Today's Deep-Dive: SuperTokens

[SPEAKER_00] So before we jump into today's deep dive, I really want to mention the supporter of today's show safe server.

[SPEAKER_00] Because, well, if you're building software right now, you know, the landscape is utterly dominated by these really expensive proprietary tools.

[SPEAKER_01] Right, things like Auth or AWS Cognito, Google Firebase.

[SPEAKER_00] Exactly.

[SPEAKER_00] And Safe Server is entirely focused on replacing those costly black boxes with open source solutions.

[SPEAKER_00] I mean, when you look at the long-term scaling costs, the financial difference of switching away from big vendors is absolutely staggering.

[SPEAKER_01] Yeah.

[SPEAKER_01] And there's also a massive compliance angle here too, right?

[SPEAKER_01] Because authentication isn't just about logging in.

[SPEAKER_01] You are handling passwords, personal emails, session tokens.

[SPEAKER_01] And depending on your industry, you might be facing incredibly strict legal and regulatory requirements around like data protection or financial records, audit trails.

[SPEAKER_00] Which is exactly where data sovereignty comes in.

[SPEAKER_00] Because if your user's data lives on, say, an AWS server in a jurisdiction you don't control, you don't really control the data.

[SPEAKER_00] No, not at all.

[SPEAKER_00] So Safe Server helps organizations, whether you're a startup, a business, or an association, find and implement the right open source authentication solutions.

[SPEAKER_00] They guide you from the initial consulting strategy all the way to operating the software on secure servers located right in the EU.

[SPEAKER_01] That's a huge deal for Peace of Mind.

[SPEAKER_00] It really is.

[SPEAKER_00] You can explore how they can help your organization at www.safeserver.de.

[SPEAKER_00] So, welcome to today's Deep Dive, everyone.

[SPEAKER_00] Our mission today is to give you a really beginner-friendly, under-the-hood look at a tool to try to decentralize digital identity.

[SPEAKER_00] It's called SuperTokens.

[SPEAKER_01] Yeah, and we are pulling directly from the official SuperTokens documentation, their architecture blueprints, and we've even been analyzing the raw code in their GitHub repository, specifically the SuperTokens core repo.

[SPEAKER_00] Right.

[SPEAKER_00] OK, let's unpack this.

[SPEAKER_00] Why is user authentication such a massive headache in the first place?

[SPEAKER_00] I mean, it affects user experience, developer experience, security.

[SPEAKER_00] It feels like something we should have standardized like 20 years ago.

[SPEAKER_01] You would think so, wouldn't you?

[SPEAKER_01] But it remains a massive headache because the target is constantly moving.

[SPEAKER_01] And the philosophy we see throughout the SuperToken's documentation highlights this core tension.

[SPEAKER_00] Right.

[SPEAKER_01] Like, let's say you're a developer and you decide to hand roll your own authentication from scratch just to keep control.

[SPEAKER_00] I feel like every time a developer says, I'll just write my own crypto, a security engineer somewhere just wakes up in a cold sweat.

[SPEAKER_01] Oh, absolutely.

[SPEAKER_01] Unless you are a dedicated cryptographer, hand rolling your auth almost inevitably leads to critical flaws.

[SPEAKER_00] Like what, for example?

[SPEAKER_01] Well, developers might forget to properly salt their passwords, for one.

[SPEAKER_01] Salting is the mechanism where you add a unique string of random data to each user's password before you mathematically scramble or hash it.

[SPEAKER_00] Right, to make it unique.

[SPEAKER_01] Exactly.

[SPEAKER_01] And if you don't do that, hackers can use pre-computed tables of common passwords to crack your database in literally seconds.

[SPEAKER_01] Or maybe a developer misconfigures the secure flags on session cookies, leaving users vulnerable to session hijacking.

[SPEAKER_00] So basically building it yourself is a total minefield.

[SPEAKER_01] It really is.

[SPEAKER_00] And that pushes developers to the other extreme, right?

[SPEAKER_00] They go to a giant corporation and essentially say, Hey, can I rent a bank vault?

[SPEAKER_00] You get the security, but the landlord keeps the master key.

[SPEAKER_01] Which creates massive vendor lock-in.

[SPEAKER_00] Exactly.

[SPEAKER_00] So looking at the super tokens architecture, how do they actually provide the vault and let you keep the master key?

[SPEAKER_00] Like how are they solving this?

[SPEAKER_01] So they've engineered an open core Y Combinator-backed alternative, and their foundational promise is on-premises deployment.

[SPEAKER_00] OK, so you run it yourself.

[SPEAKER_01] Right.

[SPEAKER_01] You deploy it on your infrastructure, connect it to your own database, meaning you own 100% of your user data.

[SPEAKER_01] But to make this manageable, they completely decoupled the architecture into three distinct building blocks.

[SPEAKER_00] OK, break those blocks down for me, because if I'm looking at a standard web app, I usually just think, well, front end and back end.

[SPEAKER_01] Sure.

[SPEAKER_01] Super Tokens uses a similar starting point.

[SPEAKER_01] So block number one is the front-end SDK.

[SPEAKER_01] This is the code living in the user's browser or on their mobile app.

[SPEAKER_01] It renders the actual login UI and manages the session tokens on the client side.

[SPEAKER_01] And they provide pre-built, highly customizable UI widgets so you can literally get a login screen running in like five minutes.

[SPEAKER_00] Wow.

[SPEAKER_00] Okay.

[SPEAKER_00] Which is great for speed.

[SPEAKER_00] So the user clicks login on the front-end SDK.

[SPEAKER_00] What happens next?

[SPEAKER_01] The request goes to block two, which is the backend SDK.

[SPEAKER_01] This sits directly inside your existing server application, whether your team writes in Node.js, Python, Go, Ruby, whatever.

[SPEAKER_01] This SDK intercepts the login request and provides the APIs for sign up, sign in, and refreshing sessions.

[SPEAKER_00] Wait, hold on.

[SPEAKER_00] If I'm a new developer, having a frontend taking the credentials and a backend receiving them, that sounds like a complete app.

[SPEAKER_00] But you said there are three blocks.

[SPEAKER_00] Why split the core from the backend SDK?

[SPEAKER_00] That just sounds overly complicated.

[SPEAKER_01] Well, what's fascinating here is that the specific decoupling is the secret to their flexibility because block three is the super tokens core.

[SPEAKER_01] This is a completely separate standalone HTTP service and the super tokens core handles all the heavy lifting, the complex cryptographic logic, reading and writing to your database.

[SPEAKER_01] Your backend SDK simply talks to this core service.

[SPEAKER_01] You can actually use super tokens for just log in, just session management or both.

[SPEAKER_00] I mean, if I can play devil's advocate here for a second.

[SPEAKER_00] If I'm running a lean, agile startup, the moment you tell me I have to deploy and maintain a completely separate standalone core service just to let my users log in, my alarm bells are ringing.

[SPEAKER_01] That's a common reaction.

[SPEAKER_00] Right.

[SPEAKER_00] Because that sounds like a DevOps nightmare.

[SPEAKER_00] Why not just bake the database logic right into the backend SDK?

[SPEAKER_01] It's a very valid concern.

[SPEAKER_01] But think about modern company infrastructure.

[SPEAKER_01] You rarely just have one backend anymore, do you?

[SPEAKER_00] Well, yeah.

[SPEAKER_00] I guess that's true.

[SPEAKER_01] You might have a Node server handling your web app, a Python server running your AI features, and maybe a Go server handling real-time chat.

[SPEAKER_00] Ah, right.

[SPEAKER_00] Microservices.

[SPEAKER_01] Exactly.

[SPEAKER_01] If the auth logic was baked directly into the backend, you'd have to implement and synchronize complex database operations across Node, Python, and Go.

[SPEAKER_01] It'd be a mess.

[SPEAKER_00] Awful.

[SPEAKER_01] By pulling the heavy security logic out into one central supertokens core, your microservices don't need to know how to hash passwords or query user tables.

[SPEAKER_01] They just ping the core.

[SPEAKER_01] It gives you a single source of truth.

[SPEAKER_00] OK, that actually makes a lot of sense.

[SPEAKER_00] You centralized the dangerous critical code in one place.

[SPEAKER_00] But speaking of that centralized code, I was digging through the super tokens core repository on GitHub and I noticed something that honestly made me do a double take.

[SPEAKER_01] Oh, yeah.

[SPEAKER_01] What was that?

[SPEAKER_00] The core service is written in Java, like the repost ads show it's ninety eight point four percent Java.

[SPEAKER_01] Right.

[SPEAKER_01] Yes.

[SPEAKER_00] And in the world of fast moving, trendy startups, Java often gets a bad rap, right?

[SPEAKER_00] People view it as legacy, heavy, bloated.

[SPEAKER_00] Why on earth would a modern YC backed startup choose Java for their core product?

[SPEAKER_01] Yeah, the developers actually address this exact question in their documentation, and their rationale is incredibly pragmatic.

[SPEAKER_01] Oh, so.

[SPEAKER_01] When you're building a foundational security product, you really don't want to be experimenting with the newest, trendiest programming language.

[SPEAKER_01] You want a massive, mature, battle-tested ecosystem.

[SPEAKER_00] OK, so security needs to be boring, like in the best possible way.

[SPEAKER_01] Precisely.

[SPEAKER_01] Java has been hammered by global enterprise usage for over two decades.

[SPEAKER_01] Additionally, Java's strong static typing system catches a massive class of bugs at compile time before the code ever even runs.

[SPEAKER_00] Right, which is huge for security.

[SPEAKER_01] Exactly.

[SPEAKER_01] When you're managing cryptographic keys and user identities, fewer bugs are non-negotiable.

[SPEAKER_01] Plus, from a company-building perspective, finding highly experienced Java developers to scale their team is just much easier than hunting for engineers fluent in, like, super-niche systems languages.

[SPEAKER_00] I completely buy the security and hiring arguments.

[SPEAKER_00] I really do.

[SPEAKER_00] But what about performance critique?

[SPEAKER_00] I mean, the classic complaint about Java is that it's an absolute memory hog.

[SPEAKER_00] If I'm self-hosting this, I don't want to spin up a massive, expensive AWS instance just to run my login core.

[SPEAKER_00] Doesn't that defeat the whole purpose of escaping big vendors?

[SPEAKER_01] This is where their architectural choices really shine.

[SPEAKER_01] And it goes back to that three block system.

[SPEAKER_01] Think about how authentication actually works in practice.

[SPEAKER_01] Logging in like, typing a password and hashing it is actually a very rare event.

[SPEAKER_01] A user does it maybe once a month.

[SPEAKER_00] Right, they log in and then they just stay logged in.

[SPEAKER_01] Exactly.

[SPEAKER_01] The most frequent operation by far is session verification.

[SPEAKER_01] Every single time a user clicks a link, updates their profile, or loads a private image, the system has to verify that their session is still valid.

[SPEAKER_01] If the Super Tokens Jamacore had to process every single one of those verification checks over the network, it would absolutely become a bottleneck.

[SPEAKER_01] And yeah, it would require a massive server.

[SPEAKER_00] So how do they avoid that?

[SPEAKER_00] Do they cache it or something?

[SPEAKER_01] No, they use a mechanism where verification happens entirely within the backend SDK like in Node, Go, or Python without ever contacting the Java core.

[SPEAKER_00] Wait, if the backend SDK doesn't talk to the core, how does it know the user isn't an imposter?

[SPEAKER_01] It all comes down to JSON web tokens or GWTs and cryptographic signatures.

[SPEAKER_01] Think of the Java core like an embassy issuing a passport.

[SPEAKER_00] OK, I like that analogy.

[SPEAKER_01] When you log in, the core verifies your identity and issues a passport, the JWT.

[SPEAKER_01] This token has a mathematical signature stamped on it.

[SPEAKER_01] Now, your backend SDK acts like the border guard.

[SPEAKER_00] Right.

[SPEAKER_01] When a user tries to access a page, they present that passport.

[SPEAKER_01] The border guard doesn't need to call the embassy every single time to ask if the passport is real.

[SPEAKER_00] because they can just check the stamp.

[SPEAKER_01] Exactly.

[SPEAKER_01] They have the public key, the mathematical formula, to verify the embassy signature right there on the spot.

[SPEAKER_01] Because the back-end SDK can verify the math locally, it takes less than a millisecond.

[SPEAKER_01] And the Java core never even hears about it.

[SPEAKER_00] Oh, wow.

[SPEAKER_00] So they've effectively outsourced the heaviest processing burden directly to the client's own servers.

[SPEAKER_00] That completely flips traditional backend scaling on its head.

[SPEAKER_01] It really does.

[SPEAKER_01] Because the core isn't bogged down verifying every click, a single lightweight instance of the Java core can handle tens of thousands of users easily.

[SPEAKER_00] That's incredible.

[SPEAKER_01] Yeah.

[SPEAKER_01] And to optimize the Java footprint itself, they don't use massive enterprise application servers.

[SPEAKER_01] They use an embedded Tomcat server, which is really stripped down.

[SPEAKER_01] And they also plan to use Graal VM in the future.

[SPEAKER_00] Graal VM.

[SPEAKER_00] For the listener who isn't deep into the Java ecosystem, what does Graal VM actually do?

[SPEAKER_01] So usually Java runs on a virtual machine that translates code on the fly.

[SPEAKER_01] That requires a decent amount of RAM just to keep the engine running.

[SPEAKER_01] GrelVM is a modern technology that takes that Java code and pre-compiles it directly down into a native machine executable.

[SPEAKER_00] Oh, so it just runs directly on the hardware.

[SPEAKER_01] Exactly.

[SPEAKER_01] It allows the program to start instantly and sift memory like a lightweight language.

[SPEAKER_01] SuperTokens projects this could reduce the core's memory footprint by up to 95%.

[SPEAKER_00] A 95% memory reduction is wild.

[SPEAKER_00] Okay, so the engine under the hood is mathematically clever, it scales, it's lightweight, but knowing the engine is solid is only half the battle, right?

[SPEAKER_00] Here's where it gets really interesting.

[SPEAKER_00] What can you actually build with it?

[SPEAKER_00] Like, what's the out of the box feature set?

[SPEAKER_01] Well, the feature set is remarkably comprehensive for an open source tool.

[SPEAKER_01] They aren't just giving you a basic email and password form.

[SPEAKER_01] They provide passwordless login via magic links.

[SPEAKER_01] They have full social login support.

[SPEAKER_01] So, you know, continue with Google, Apple, GitHub.

[SPEAKER_00] Nice.

[SPEAKER_01] And they include natively built multi-factor authentication, which is basically a mandatory compliance requirement now.

[SPEAKER_00] And looking through their documentation, they also heavily highlight multi-tenancy.

[SPEAKER_01] Yes, which is a massive differentiator for B2B software.

[SPEAKER_01] Multi-tenancy is what allows you to offer enterprise single sign-on or SSO.

[SPEAKER_00] Let's pause on SSL because I feel like users see it all the time but might not realize how complex it is.

[SPEAKER_00] This is when you try to log into a software tool and it redirects you to your company's internal Microsoft or Okta login page, right?

[SPEAKER_01] Exactly.

[SPEAKER_01] If you build an app and try to sell it to a Fortune 500 company, their IT department will absolutely demand that their employees log in using the company's existing corporate credentials.

[SPEAKER_01] Building the SAMALO or OIDC protocols to connect your database securely

[SPEAKER_01] to a massive corporation's active directory is notoriously painful.

[SPEAKER_01] But supertokens having multi-tenancy built in means you can compartmentalize different enterprise clients within the same instance securely.

[SPEAKER_00] It's like having one apartment building, but every tenant gets their own highly customized security system.

[SPEAKER_01] That's a great way to put it.

[SPEAKER_00] And speaking of customization, they have a really interesting approach to adding features.

[SPEAKER_00] You don't have to rewrite the core code.

[SPEAKER_01] Right.

[SPEAKER_01] They use a highly modular plugins architecture.

[SPEAKER_00] Yeah.

[SPEAKER_00] The way I visualize this is like having a smartphone.

[SPEAKER_00] The super tokens core is the operating system.

[SPEAKER_00] But if you suddenly need your phone to, I don't know, scan QR codes, you don't rewrite the OS.

[SPEAKER_00] You just download an app.

[SPEAKER_00] Their plugins act exactly like apps for your authentication core.

[SPEAKER_01] Perfect analogy.

[SPEAKER_01] The plugins are entirely modular.

[SPEAKER_01] So if your platform suddenly gets targeted by automated bots trying to brute force your login page, you don't panic and rewrite your front end.

[SPEAKER_00] You just snap in a plugin.

[SPEAKER_01] Exactly.

[SPEAKER_01] You just snap in their Capshot plugin, which natively integrates things like recap TCHA or Cloudflare turnstile.

[SPEAKER_01] They have plugins for user banning.

[SPEAKER_01] So an admin can instantly revoke a bad actor's access everywhere and plugins for tenant discovery interfaces.

[SPEAKER_00] It's one thing to read a list of features, but the real-world examples they share really prove its value.

[SPEAKER_00] There's a fascinating story in the sources about Poppy, which is a Belgian ride-sharing company.

[SPEAKER_01] Oh, yeah.

[SPEAKER_01] Ride-sharing apps are incredibly lucrative targets for fraud.

[SPEAKER_00] Huge targets.

[SPEAKER_00] You have bad actors creating fake accounts to take free rides, testing stolen credit cards, you name it.

[SPEAKER_00] Poppy decided to switch their entire authentication system over to supertokens.

[SPEAKER_00] and they managed to do it in just one day.

[SPEAKER_01] Wow, one day?

[SPEAKER_00] Yeah, and by locking down their off-flow, they eliminated thousands of euros in daily fraud in a single afternoon.

[SPEAKER_01] That really validates their claim of the five-minute setup.

[SPEAKER_01] When an API is logically designed, swapping out an old, leaky system doesn't have to be a six-month engineering saga.

[SPEAKER_00] Exactly.

[SPEAKER_00] And there's another example that stood out to me.

[SPEAKER_00] Traceable.ai.

[SPEAKER_00] They've raised like over $80 million, so they clearly have a budget to buy whatever they want.

[SPEAKER_00] But they explicitly chose super tokens because other open source options were simply too complex.

[SPEAKER_01] Right.

[SPEAKER_01] A lot of the alternatives require deploying multiple different services.

[SPEAKER_00] Exactly.

[SPEAKER_00] The competitors required them to orchestrate a dozen different microservices just to get a basic login system working.

[SPEAKER_00] They needed something robust but simple to deploy.

[SPEAKER_00] Super tokens fit the bill perfectly.

[SPEAKER_01] But, you know, this raises an important question about the reality of migrating user bases.

[SPEAKER_01] It is incredibly easy to look at a sleek new tool and say, wow, I wish we had built our application with this from day one.

[SPEAKER_00] Oh, for sure.

[SPEAKER_01] But the reality is most established companies are deeply entrenched.

[SPEAKER_01] They are currently stuck paying massive monthly invoices to Auth or AWS Cognito.

[SPEAKER_01] How do they actually escape without ruining their users' experience?

[SPEAKER_00] Yeah, you can't just flip a switch and send an email to 100,000 users saying, hey, please click this link to reset your password.

[SPEAKER_00] You would lose half your active users overnight.

[SPEAKER_00] The friction is just way too high.

[SPEAKER_01] Exactly.

[SPEAKER_01] The fear of user friction is the single biggest reason companies remain chained to vendors they actively dislike.

[SPEAKER_01] But SuperToken supports both bulk and what they call lazy migrations.

[SPEAKER_00] OK, walk me through how lazy migration works.

[SPEAKER_00] Because moving users without asking them to change their password and without even forcing them to log out, that sounds like magic.

[SPEAKER_01] It's not magic, but it is brilliant API routing.

[SPEAKER_01] The migration happens invisibly to the end user one user at a time at the exact moment they try to log in.

[SPEAKER_01] OK. Let's imagine you are migrating away from us.

[SPEAKER_01] First, you set up super tokens to act as a proxy, a middleman.

[SPEAKER_00] OK, so the user goes to my app and types in their email and password.

[SPEAKER_01] Right.

[SPEAKER_01] Your SuperToken's backend SDK catches those credentials.

[SPEAKER_01] It looks at its own local database and realizes, uh-oh, I don't have this user yet.

[SPEAKER_01] Now, instead of throwing an error, SuperToken silently takes those credentials and behind the scenes fires an API request over to your old auth account.

[SPEAKER_00] Ah, so it's asking the old landlord to verify the key.

[SPEAKER_01] Precisely.

[SPEAKER_01] Auth checks its database and responds, yes, these credentials are valid.

[SPEAKER_01] SuperToken's intercepts that success message.

[SPEAKER_01] It then takes the password the user just typed, hashes it securely using its own algorithms, and creates a brand new account for that user in your self-hosted database.

[SPEAKER_01] And finally, it issues the local session token to the user.

[SPEAKER_00] And how long does all of that proxying and hashing take?

[SPEAKER_01] Fractions of a second.

[SPEAKER_01] The user experiences absolutely zero delay.

[SPEAKER_01] They don't have to reset their password.

[SPEAKER_01] From their perspective, they just logged in normally.

[SPEAKER_00] So what does this all mean?

[SPEAKER_00] It means the biggest hurdle, the terror of ruining the user experience, is completely eliminated.

[SPEAKER_00] You just completely eliminate the friction of switching to an open source, cost-saving alternative.

[SPEAKER_01] Yes.

[SPEAKER_01] You get the robust security of an enterprise giant, but you reclaim your data sovereignty.

[SPEAKER_01] Which leaves us with a really provocative final thought to ponder.

[SPEAKER_00] Hmm.

[SPEAKER_00] Late on me.

[SPEAKER_01] If authentication, the literal gateway to our digital identities, becomes completely modular, decentralized, and developer controlled, what does the future hold for those massive tech companies whose main leverage has always been holding our user data hostage?

[SPEAKER_00] That is a great question.

[SPEAKER_00] If the vault door is suddenly affordable and incredibly easy to install yourself, the landlords are going to face an existential threat.

[SPEAKER_01] Exactly.

[SPEAKER_00] And empowering organizations to break free from that lock-in is exactly the mission of our supporter, SafeServer.

[SPEAKER_00] As we've explored today, what organizations, whether you're a business, an association, or any other group stand to gain by switching to an open source solution like SuperTokens is immense control and major cost savings.

[SPEAKER_01] Absolutely.

[SPEAKER_01] Reclaiming that data sovereignty is just so critical today.

[SPEAKER_00] It really is.

[SPEAKER_00] And just as a reminder, SafeServer can be commissioned for consulting.

[SPEAKER_00] So whether the right fit for your specific organization is SuperTokens,

[SPEAKER_00] or a comparable open source alternative, they have the expertise to help you figure it out.

[SPEAKER_00] You can find more information and get in touch with them at www.safeserver.de.

[SPEAKER_01] It's definitely worth checking out.

[SPEAKER_00] Well, thank you so much for joining us on this deep dive.

[SPEAKER_00] Keep questioning the software you rely on every day, because at the end of the day, it's your digital house.

[SPEAKER_00] You should be the one holding the master key to the front door.