Skip to main content

Supporting other backend frameworks

If your backend framework is not supported by SuperTokens, you can follow this guide on setting up an authentication server to protect your frontend and backend.

A key feature of the SuperTokens backend SDK is the middleware it adds to your backend server. This middleware adds authentication routes to handle requests like user creation and login. If your backend framework is not supported by SuperTokens, you need to run a separate server with the SuperTokens backend SDK configured. This could be a service in NodeJS, Python, or Golang.

To illustrate how this setup works, consider an example:

  • The user has a React based frontend and a PHP backend server.
  • SuperTokens does not have a PHP SDK, and a separate service in NodeJS starts to act as an authentication server. The SuperTokens backend SDK configures this server to handle authentication requests and the issuing of access and refresh tokens.
  • The architecture of setup should have the following design:

SuperTokens Setup With Authentication server

  • In the architecture above the the React Frontend communicates with the PHP and node server through a reverse proxy.
  • Authentication requests like sign-up or sign-in route to the NodeJS server. These APIs are automatically created and handled by the supertokens-node SDK. On the other hand, your application-specific APIs are on the PHP server.
  • Once a user signs up or signs in, the system creates a session between your API server's domain and the frontend.
  • Application requests to the PHP server have session tokens attached to them.
  • The session token is a JWT, and the PHP server can verify it.
  • When verifying a request, if the session token is missing or has expired, the PHP server should return a 401 response. This prompts the SuperTokens Frontend SDK to trigger the automatic refresh flow to generate new session tokens and retry the request.
Important

The method mentioned above assumes that the authentication server is running on the same domain as the PHP server. If instead, your authentication server runs on a separate subdomain, you need to enable cookie sharing for cookies to be automatically attached to requests to the PHP server.