Skip to main content

Supporting other backend frameworks

If your backend framework is not supported by SuperTokens, you can follow this guide on setting up an authentication server to protect your frontend and backend.

A key feature of the SuperTokens backend SDK is the middleware it adds to your backend server. This middleware will add authentication routes to handle requests like user creation and login. If your backend framework is not supported by SuperTokens, you will need to run a separate server with the SuperTokens backend SDK configured. This could be a service in NodeJS, Python or Golang.

To illustrate how this setup works, let's take an example:

  • The user has a React based frontend and a PHP backend server.
  • SuperTokens does not have a PHP SDK, so we spin up a separate service in NodeJS to act as an authentication server. This server will be configured with the SuperTokens backend SDK to handle authentication requests and the issuing of access and refresh tokens.
  • The architecture of setup should have the following design:

SuperTokens Setup With Authentication server

  • In the architecture above the the React Frontend communicates with the PHP and node server through a reverse proxy.
  • Authentication requests like sign-up or sign-in are routed to the NodeJS server. These APIs are automatically created and handled by our supertokens-node SDK. On the other hand, your application specific APIs are on the PHP server.
  • Once a user signs-up or signs-in, a session is created between your api server's domain and the frontend.
  • Application requests to the PHP server will now have session tokens attached to them.
  • The session token is a JWT and can be verified by the PHP server.
  • When verifying a request, if the session token is missing or has expired, the PHP server should return a 401 response. This will prompt the SuperTokens Frontend SDK to trigger the automatic refresh flow to generate new session tokens and retry the request.
Important

The method mentioned above assumes that the authentication server is running on the same domain as the PHP server. If instead, your authentication server runs on a separate subdomain, you will need to enable cookie sharing so that cookies are automatically attached to requests to the PHP server.