User Authentication with Advait Ruia, CEO of SuperTokens

Transcript

[00:00:00] John Britton:

Hello, and welcome to The Yes-code Podcast, a show all about the Yes-code pattern and the tools that implement it.

I'm your host, John Britton, and today we have Advait Ruia Co-founder and CEO of SuperTokens joining us on the show to talk about authentication.

With Advait we talk about various authentication recipes, getting rid of passwords, documentation, security, and open source developer tools.

Let's get started.

Advait, thanks so much for joining me.

Can you introduce yourself and tell me a little bit about what you do and who you are?

[00:00:32] Advait Ruia (SuperTokens):

Yeah, thanks for having me, John, Yeah, I'm the co-founder of SuperTokens. We build open-source user authentication.

[00:00:37] John Britton:

Just for the audience, I know authentication and authorization get confused. Can you tell me a little bit more, like what you mean when you say authentication? Like what does that encompass.

[00:00:47] Advait Ruia (SuperTokens):

Yeah. Authenti- yeah, that's a great question. I mean like a lot of people do get confused, so authentication is like identifying who is the user, right. So it's like knowing, okay, this is John, right? And then authorization is saying, okay, what does John have access to, right? So it's like letting so authentication is letting John into the building and then authorization is saying, okay, "which floors do we let him into? Which offices do we let him into?" And things like that.

[00:01:08] John Britton:

And then at the company, what do you do? I mean, I know you said you're CEO, are you on the technical side, more on the product side? Like what's your day to day?

[00:01:14] Advait Ruia (SuperTokens):

Everything non-technical essentially, so I do do product, but I do everything else as well. So whether that's hiring, fundraising, you know, growth, marketing, or like basically, like, I mean, if you spin a company up, basically everything, that's not the technical part. So I have a CTO and then yeah, he takes care of the tech and then I take care of everything else.

[00:01:30] John Britton:

I love programming. I think of it as a superpower. The ability to just create something out of nothing is so cool. it's so, it's so empowering. I think that code is super flexible. I can do anything that I want, but I always find myself getting into this very frustrating situation where like I sit down and I start to code and there are all these problems I need solve that are totally irrelevant to the task at hand and I just wish that there were better building blocks, that there were higher level abstractions for the things that I need to use every day. As I, like, noticed this problem over and over again It basically got to this point where, I just think that we need more developer tools that are working in this way of solving a discrete problem with remixable primitives. Things that solve specific kind of business level use cases, but can be composed in any number of ways.

That was like the annoying thing that motivated me to start creating more developer tools and start working on this idea of Yes-code, which is a pattern for building tools in a certain shape for developers. And I was wondering, you know, whether to do with SuperTokens or any other kind of project you've worked on.

What about programming, building software, has annoyed you and, and has motivated you to be a creator?

[00:02:52] Advait Ruia (SuperTokens):

I resonate with a lot of that messaging that you just said. Um, I think like, I think it's exactly what you said, right? Like you want to make the non-core parts of like the product development process as quick as possible, right? So you want the developer to have the best, like you want to enable more people to build more things as quickly as possible. Developers are pretty high value in terms of their time, so if you can save a developer time on like a global scale, you're actually doing the world a pretty good favor. So I think, I think like that's sort of like messaging is sort of like one of the takes that's like really intere-, and just, and developer tools is is one of the most interesting spaces to work on because if you've worked on developer tools. You learn so much about like, such a core part of the world, right? Like software, it powers the world. So if you are, if you're building the infrastructure for that software, that's always something you can take forward in whatever else you do in life.

[00:03:40] John Britton:

SuperTokens focuses on authentication. One of the reasons why I see people building developer tools is because these are hard problems that people don't want to solve over and over again. What makes authentication hard?

[00:03:53] Advait Ruia (SuperTokens):

I think it depends on like the specific use case. Do you mean hard for the developer or do you mean hard for the business building authentication?

[00:04:01] John Britton:

Really what it comes down to is why do developers need to be given these tools to be more efficient? What makes it difficult to roll your own?

[00:04:09] Advait Ruia (SuperTokens):

Auth is like pretty broad and pretty complex. So it can start off with something super simple, but as like your security requirements increase as your user base increases as like the product complexity increases solving, those problems becomes like exponentially harder. The most obvious one is obviously security. If you could do auth it in like a non-secure way, it probably wouldn't be that hard, but then you have to make sure that passwords encrypted or like, I mean the most basic version obviously is like passwords are encrypted. But then there's like a whole host of things you need to do on top of that. And being aware of all those things and implementing them correctly is nontrivial.

[00:04:41] John Britton:

Yeah, it's kind of one of those situations where it's knowing what you don't know, right?

[00:04:46] Advait Ruia (SuperTokens):

Yeah, exactly that?

[00:04:47] John Britton:

There are the unknowns and then there are the unknown unknowns and especially with security, I think there are a lot of unknown unknowns for the average developer.

[00:04:55] Advait Ruia (SuperTokens):

Yep, exactly.

[00:04:58] John Britton:

So let's talk about your product. SuperTokens, authentication tools for developers. How do you define the boundary of what's in and what's out for SuperTokens.

[00:05:08] Advait Ruia (SuperTokens):

Like most companies, I think the boundaries almost always defined by, by users, by customers who are developers. So what do they want most immediately is what's in and what do they want like, not that importantly is out. Because as a startup, you have to make that trade off is what's most important. So only what the . Users say is most important is what's in right on the on the most like high level.

And then the way we see it as like, we have a sort of collaborative approach to the whole ecosystem. So we want to do things that are core to us, but things that are adjacent to us, we'd rather have like specialized companies that do those really well and like provide like a seamless integration for our users to be able to use those services.

Whether that's authorization or, you know, certain other adjacent areas, you know, we'd rather work with a company we really know and trust and then have a seamless integration so that our users can just do one integration but get the power of like multiple companies working on that part of the product.

[00:05:57] John Britton:

When it comes to you know deciding what's in and what's out, you know, obviously the user experience is very important in what your customers are demanding. Do you have any kind of philosophical opinions that you use within the team on, kind of as guidelines of what's in and what's out, for example, I could see a situation where payments might be related to having accounts. Is there like a kind of a line in the sand that you're thinking about?

[00:06:24] Advait Ruia (SuperTokens):

Yeah. I mean, so yeah, for that example, obviously payments would be out. I think that the way we look at it is like, where are the biggest problem areas and what do people need the most? So for example, we started with session management, which is just one, like niche within the authentication space.

But if you were using session management, do you want with the same provider to also give you login and authentication? So it's like, whatever, like, from the developer's point of view, whatever it makes sense for it to be a single integration, you're completely okay with payments being a separate integration, because it's a unique enough product where you don't want it to be a one, a single solution.

Anything in that involves writing the use-, to the database, like interacting with the user information in the database. Like so if anything has to do with like interactions between the front end backend and the, the data, the user in the database, that's all something that SuperTokens should take care of on a technical level, but It is like, kind of, dependent on what developers expect to be part of the same product.

[00:07:12] John Britton:

I mean for me, this is something that is the art of being a software or a product builder is designing the abstraction, saying this is the boundary. This is where our users can expect us to give them an answer and these are the places where we tell the user to use something else or we have a seamless integration with something else.

As a new user potentially going out to build a product that needs, authentication. What's the first run experience, with SuperTokens and more broadly with just authentication in general. If I want to add authentication, what are the differences between, you know, a product like SuperTokens versus, you know, roll your own.

[00:07:50] Advait Ruia (SuperTokens):

What is the first run like? In terms of the first run, I mean, so the first run is obviously you land on a website and, depending on whether you use the SaaS version or the self-hosted version, the first run is largely your experience with the documentation.

So before you've even like, started doing anything, you look at the documentation and see "what is this product?" So I think that's like the first touch point, in terms of like building it on your own, I think it's like first you probably like, think about, okay, what is the feature set I need?

What is the authentication method? That we say, like, so do you need social login? Do you need passwordless? Do you need email password? What is the flow you're imagining for your users? and then as soon as you start thinking about that, then you start either implementing that yourself or looking for providers that, that offer you that.

[00:08:31] John Britton:

I want to talk a little bit about your point that you said the kind of the first one is the documentation. What are your feelings and opinions about documentation for this kind of a product, for a developer SaaS, that's pretty configurable. What's your approach towards building out your documentation?

[00:08:47] Advait Ruia (SuperTokens):

We spend a lot of time on documentation, obviously. You want as much information as possible in the docs, but, too little information is obviously bad, too much information is also bad. So you want all the information to be there, but you want to have it in such a hierarchy where you only get the information as and when you need it.

And it's very easy for you to be able to navigate to the point in the docs when you have that specific question. So on first run, you should only get the perfect amount of information for your use case. What we do is actually we like split out documentation for different use cases.

Because, so for example, passwordless users see a completely different documentation than email password users. The reason is because if you try and like put all of them in the same docs, then they'll start seeing information that they don't need to see.

So we have like a couple of principles like this, like just like don't show like information that they don't particularly need at that point in time. Don't show them too little. Have some commentary in the doc, so they know what they're doing as opposed to just the specific steps. So instead of just saying, okay, run this command. You may also want to have some commentary to explain what exactly that is and what, how that works and then maybe you link to a blog post that like expands on that, but a little bit in more detail.

[00:09:48] John Britton:

So say I'm checking out your docs and I want to get a good understanding of SuperTokens. What are the top level kind of concepts or primitives in your system that I need to be aware of and understand in order to implement authentication SuperTokens? What primitives do you expose to the developer? What are the building blocks that they can use to build their custom solutions?

[00:10:12] Advait Ruia (SuperTokens):

Yeah, I think it's, you know, essentially you have like a couple of fundamentals that the developer must interact with, right? So you have the user itself. So the creating the user in the database, so everything around the user as an individual entity, and then you have like sessions and tokens, which is everything that happens for signup, right?

So once the user gets created in the database you issue these tokens that are then sent to the frontend. So everything else that happens then is essentially you interacting with these tokens in some way or form, right? So you add information about the user into these tokens. So it's user, user information, and tokens.

[00:10:42] John Britton:

So what I'm seeing with Yes-code tools and the people that I've been talking to is it's really common to have this kind of recipe model for giving you a working solution out of the box for the most common use cases and then in addition, that recipe is made up of these primitives, these things that are totally composable by the developer, and they can configure in hundreds or thousands of different ways and put them into their own code, the way that they want to use them. But from the first run on day one, they don't have to do that. They can just use it kind of out of the box and then they can customize over time.

[00:11:17] Advait Ruia (SuperTokens):

Recipes or modules, which is essentially, you pick, I think like I alluded to earlier, right? You pick what authentication method you want. So do you want passwordless? Do you want email password? Do you want social login? All of that, right? And then once you pick that, you've now picked the recipe.

And then beyond that, I think it's like, ok so the way we do it is like, as part of the developer experience, it's like the quick setup and then the common customizations. Right? So the quick setup is, okay, let's get set up as quickly as possible. Let's get it working so you know how it works and then you can then go into like, let's configure this, like, you know, in a hundred different ways to make it useful for your particular use case.

[00:11:50] John Britton:

Log in and authentication are very, very opinionated topics, every company or every product manager who owns that part of the flow, you know, it's such an optimization, right. They want to make sure that it's a high conversion rate, that they don't get people dropping off and so there are a lot of reasons why they would want to customize this stuff.

[00:12:08] Advait Ruia (SuperTokens):

I think one of the really interesting things that were also sort of like, um, like, you know, we've done underneath the hood is like, look at the different parts of the user signup process.

You have pre-sign up, like, pre-authentication, then you have authentication attempt, and then you have post-authentication and then you have authorization. So if you look at those, like everything is sort of, like, built on top of one of those different points in time.

[00:12:30] John Britton:

So, you know, you have an idea of what you want. So say we have this kind of pre authentication step. What are the components that I'm working with? Do I drop in a login component of some sort that you provide? Do I need to build like a user backend? How does, how does that kind of stuff work?

[00:12:47] Advait Ruia (SuperTokens):

So let's say you pick passwordless, then you'll see, like, the login component would be for the passwordless UI. So there would be no password box in there, but it would offer you, like, you could choose, like whether you want to show a mobile number or an email ID field, and yeah, and we would give you that component to implement on your website. You can implement that wherever you want. You can have it as a standalone page or as part of another page.

Yeah, and then you would implement that and then we'd also give you like the UI components for every other part of the flow, so reset password, email verification, all of that kind of stuff and then the frontend SDK would also communicate with the backend, you know, automatically refresh the sessions and all of the other things that need to happen under the hood.

[00:13:21] John Britton:

So when I was looking through your documentation, I saw that it was divided into more or less three big categories, one being login, another being session management and a third being role management.

Can you help me and the audience understand a little bit about how your system is broken down and what kinds of functionality they should expect out of those pieces?

[00:13:40] Advait Ruia (SuperTokens):

Yeah, so essentially log-in is creating the user. Right. And how do you identify the user so that you can identify the user through the email password, to their mobile number, through the social login that authenticate provided that they use. So that's all part of like the user creation or log in page, Or sign up page. Right. So that's, that's like the login part. It's like, what, how are you identifying this user? What is the ID? then beyond that, once that users created, you're essentially issuing these identifiers that are used on every API request. So the users created in the database now instead of like exchanging their credentials on every API request. So like exchanging, for example, that you mean, notice whenever you create requests, you essentially hand over this meaningless token, right on the frontend. Right. Which can only be sense on the backend. and then that's used in every API request and that is called session management.

And the way those tokens are created sent to the front end, verified on the backend, all of that, that comes under what essentially is session management and then role management, is there information or so role management and user information is just like this information that you store about the user on these tokens.

Can be like for multiple purposes, it could be like saying which APIs they have access to. It could be, you know, things that you want read on the front end. So for example, if you want to display the name on there, on one of the buttons, you know, that's like information that's out there on the front end, so that, so the session token can contain that information so that the front end can then display it.

Right. So it has multiple different use cases. And that's all got to do with user and user roles is like a big part of like that information that you store in those tokens.

[00:15:10] John Britton:

Two questions for you. The first is what are the forms of authentication that you can use with SuperTokens?

[00:15:15] Advait Ruia (SuperTokens):

So we offer like most of the popular ones, Email password, social login, passwordless, any combination of those. So you can like mix and match those in any way you want.

[00:15:25] John Britton:

And then beyond, just kind of the features of SuperTokens I want to talk a little bit about passwords in general. You can't talk about authentication or log in without talking about passwords. What do you see happening for web applications and passwords in the future and what do you want to see happen?

[00:15:43] Advait Ruia (SuperTokens):

There are a lot of people that have bet a lot of money on saying that passwords are going to die. And people have been wanting passwords to die for a long, long time.

I recently saw a Twitter poll which had about like 1500 votes so it was a decently good sample size of like and like followers, like people like me, and email password, so passwordless was an option, email password was an option, all of that kind of stuff and email password is actually the most popular option. Like people had selected email password the most. So it was pretty interesting to see that in like, in a, in a structured way that people have actually said that like 30 or 40% of the vote was for email password.

Passwords aren't great. I agree with like a lot of the fundamental sort of points over there. I don't think I disagree with those, but I don't think that they're as bad as everyone says either, right? Like you have some pretty good solutions today that, like, help you manage that.

Some of the people in the team note down passwords in an encrypted file and some people use password managers or some people use Chrome's password manager. So, no one's actually remembering the 300 passwords that they need to, right, which is one common argument. Is that oh you have to remember your 300 passwords.

I actually see very few people that are, that are remembering 300 different passwords. So I don't know if that's like one of the core problems.

[00:16:45] John Britton:

I definitely think that password managers are a good solution to this problem, but I've found that it's mostly sophisticated users that are doing password managers. If I look at any family member or just average person who is not in technology, like they're not using password managers.

They're either using the same password for everything or they have some kind of algorithm that they use which is like you know the first letter of the website's domain followed by my base password followed by XYZ. There's a great like XKCD um you know about that too right.

[00:17:17] Advait Ruia (SuperTokens):

Yeah, yeah, yeah for sure.

[00:17:19] John Britton:

So yeah, I, I just was curious, cause I definitely have opinions about passwords and find them to be not very ergonomic, but also there's no real good alternative.

[00:17:28] Advait Ruia (SuperTokens):

I think, I think what's happening now. Is like, is a solution that I really believe in and I think it's super interesting, right? Like, so what we call now WebAuthn or FIDO. Which is essentially like hardware based authentication, which is, so you already authenticate to any device you want with your biometrics. So you authenticate with your iPhone or any phone through your Face ID or your fingerprint and similarly with your laptop.

You have like, like all the Macbooks, for example, have fingerprint scanners now inbuilt, right? So I think if you just extend that to all the apps that run on those devices I think that's like a pretty good solution because those devices already have that, have that hardware.

[00:18:01] John Britton:

Why aren't we there yet? Wha- what's holding us back from this?

[00:18:04] Advait Ruia (SuperTokens):

That's a great question. I don't think we're too far out, I think this is something you'll definitely see in the next couple of years. So for example, like Apple, Google, Facebook, and a bunch of these guys just like updated the FIDO protocol recently, or like came up with, like, a joint statement on it. So I think would see a lot of this happen in the next couple of years, for sure.

[00:18:19] John Britton:

I, saw that thing goes through the news where they agreed on the standard which is a pretty big, pretty big deal I think

[00:18:24] Advait Ruia (SuperTokens):

Yeah, exactly. Exactly.

The reason I think it hasn't happened yet is because I don't think you've had the devices that like properly supported these methods yet. I think that's only happened in the last couple of years and you need it to be ubiquitous enough, you need everyone. Like you can't just have like 30% of the population with devices that have it, because if it needs to be implemented as a standard in all applications, you need like the majority of population to be able to log in with that method.

[00:18:47] John Britton:

I'm starting to see things like Apple Pay, which has some kind of web integration be more and more popular and I think the same kind of technique can be used for this as what they're doing. You know, it's not supported everywhere obviously, and it's, it's a vendor specific. So that, that agreement between the big providers to agree on a standard is a pretty big deal.

Now, when it comes to SuperTokens, say in two years time, standard emerges and it starts to become acceptable to do this kind of hardware based authentication and a developer has implemented SuperTokens. How would they take advantage of that?

[00:19:20] Advait Ruia (SuperTokens):

We would just offer that as a recipe, right? So you could really easily just add this recipe to your app. You could just do SuperTokens in it, WebAuthn, right? Like, and that would initialize the WebAuthn recipe and, and, and that's it. You now have, like, obviously you can con-, configure that and customize it how ever you want, but now you have WebAuthn added to your already existing, authentication features.

You essentially would need to figure out how to migrate your existing users from email password or whatever it is and then cross-reference them to these new authentication methods. But that's obviously something we'll build out and give you when you implement.

[00:19:51] John Britton:

What are you doing behind the scenes that the developer doesn't necessarily have to know about that helps with security and helps with preventing things like session fixation attacks or other kinds of things that a typical developer might not know about right off the bat.

[00:20:06] Advait Ruia (SuperTokens):

I'm super glad you asked about this actually, because this is like one of our core, core strengths. So we started off with session management and something that we do, that's really unique to us is we implement something called rotating refresh tokens, and what that means.

So you have something called an access token, and then you have something called a refresh token and I can go into more detail about what each of those are, but essentially, every time the refresh token is used, we change both the access token as well as the refresh token. So the refresh token rotates on every use and what this enables is it enables a dynamic that allows you to detect if two different frontends are using the same set of session tokens.

Which means it allows you to detect if session theft has occured. And there are only two ways of stealing a user's account. It's either through their credentials or through the session tokens. And a lot of big vulnerabilities have happened through theft of the tokens. So for example, Docker, Facebook, YouTube, GitLab it all, had like sessions vulnerabilities in the past.

Right, and we've solved that like in a really interesting way, we were the first people, like the first vendor to really implement this thing called rolling refresh tokens. And the reason is because it's pretty challenging to solve. There's a lot of edge cases, risk conditions, network issues and we had to actually write some libraries to solve for those edge cases. And actually Auth0 uses one of our libraries in their own implementation of rotating refresh tokens.

I think that's pretty challenging problem to, if you wanted to solve that yourself. And we also do it in the most optimized way. The time and space, complexity of our solution is like very optimum as if you weren't doing this.

We only store one set of tokens in the database even though we are using that to subsequently generate significant more sets. You're only ever storing one in your database and we use that one to then derive any subsequent ones that we need to figure out "does this exist for that user or not?"

[00:21:46] John Britton:

That's very cool. I've worked on a product, I worked on an API that had a frontend component and we had to build our own rotation logic into that and it was a nightmare. It was very confusing for our end users because we had to teach them how to rotate tokens and do all kinds of stuff.

It's very appealing to me to have that security around my session, but also not have to implement it myself

Was there anything else that you wanted to mention with regards to security and solutions that you've found that again, the end user won't have to implement themselves?

[00:22:16] Advait Ruia (SuperTokens):

Yeah I think another really interesting one is actually to do with local storage versus HTTP only cookies.

The way, like a lot of other authentication providers work is that they are essentially a third party to your app. You have your own frontend, you have your own backend, and then you have the authentication provider as a third party.

What happens is for your frontend to be able to call both the authentication provider, plus your own backend, you have to use local storage because local storage allows you to query a backend domain that's different from the frontend domain. So you have to use local storage. So like the default implementation with, for example, again, Auth0 is local storage.

Whereas with SuperTokens you cannot use loca- like it's, we make it difficult to use local storage with SuperTokens. And so it uses HTTP only cookies and that's like a best practice according to like every single security guidelines. Whether it's NIST or OWASP they all recommend you use HTTP only cookies.

And again, that's the default implementation with SuperTokens because with SuperTokens the frontend only ever talks to your own backend, not this third-party, which is again, very unique to our architecture. I think that's, like, another important security consideration.

[00:23:16] John Britton:

The reason you're saying that the advice is to not use local storage for storing tokens is fact that it's more easily snooped, correct?

[00:23:26] Advait Ruia (SuperTokens):

Correct. So essentially malicious JavaScript on the frontend, can access local storage. The frontend is an, is an untrustworthy entity, right? When you're in the design of systems, you always assume the frontend is untrustworthy.

There could be JavaScript code on the frontend that reads local storage and then passes those tokens to the attacker or to the hacker. Whereas, with HTTP only cookies, if the frontend tries reading what's in those cookies, then the browser would just return null. It will not return the value of the things that's in the cookies. So it's very important that the tokens are only ever stored an HTTP only cookies.

[00:23:55] John Britton:

So, this is really based off of like cross-site scripting attacks, right? If you can somehow inject malicious JavaScript into a frontend, and the reason you can't do this with other systems is that you basically have to disable that protection in order to use two disparate systems, for your backend and one for your login. That's really interesting.

[00:24:16] Advait Ruia (SuperTokens):

This is like a big reason why we got into the space because we just saw so much misconception about this. Like even today, you'll see like, people argue about these concepts. They'll still be like a fair amount of people who argue that local storage is completely fine and yeah, sure you can make an argument for it, but is it security best practice? Absolutely not.

[00:24:32] John Britton:

I've definitely gone through this. And you know, what's funny, this is a, like a quintessential bike-shedding moment, right? It's like something that's so unimportant to your application's final purpose, but as a developer who wants to do a good job and make sure my system is correct, I can see myself going down the rabbit hole and researching and researching and researching and saying, "oh my goodness, I don't want to use local storage. I don't want to use this provider because X, Y, Z", and trying to find out if it's actually as bad as people say it is. And really it's one of those things that often just gets glanced over because it's not really a problem until it's a problem.

You had mentioned that there's kind of two ways to consume the product. One is a hosted SaaS and the other is an open source option that you run yourself. Can you talk to me about the business decision to offer SuperTokens as a hundred percent open source solution?

[00:25:28] Advait Ruia (SuperTokens):

I'll take a step back here and answer this a little bit more broadly before I dive deep.

So why does SuperTokens exist? The reason we exist is because we see, like, all software has, like, a build versus buy trade off. So you can build software, which means, you know, you've already started from scratch. You've got to take your time, it requires expertise, but like, you know, you have complete control of the way it works, you're not paying anyone, obviously aside from your engineering team, but you're not paying anyone, and you have complete control, right? You're not locked into a vendor.

And on the flip side, the buy sort of evaluation is you can get started very quickly off the shelf, but you're locked into a vendor, you can't like, you have to wait for them to launch features, like, if you need something, you have to wait for them to build it. They control your data, all of that like you're lock-, they can charge you whatever they want. They can change the pricing, all of that kind of stuff.

The goal of SuperTokens is essentially to eliminate that trade-off. To give you the power of build with the speed of buy. And now specifically to your question, like why make it a hundred percent open source or why let you host it yourself is because that's the goal.

One of the pillars of giving you the best of both worlds is giving you something ready-made that you can run and host yourself and customize however you want. So that filters down to the fact that we're open source, like our unique architecture, like we have an architecture that's pretty unique to other companies and the reason for that is because it gives you complete control of the frontend or the backend and all of that other stuff.

[00:26:36] John Britton:

Yeah, I think that's a really good way to put it. Is, you know, the, the benefits of build with the ease of buy. Who uses SuperTokens? Like who is your, your target user and why do you focus on them?

[00:26:49] Advait Ruia (SuperTokens):

Yeah, so our current users, are like essentially like developers, like building side projects, hobby projects, early-stage startups, those kind of things. Like that's been like the initial focus with the company and the reason for that is like, you know, we think that's a very powerful go-to-market. So that's powerful in multiple ways, it's a great business decision, but it's also like, it's, it's just great in every way.

Whether it's like product development, whether it's a go-to-market strategy in all of those different ways starting with that user base is the best. Right, and obviously again, authentication is a pretty complex space, so you can't offer everything that a mid-market or an enterprise needs on day one.

All right. So you start with like the basic set of features for relatively simple use cases and you offer that like in a really compelling way. And then as the product matures, you can then move up market.

[00:27:31] John Britton:

Among the users that you have so far, have there been any cases where they put SuperTokens to use in a way that you, like, totally didn't expect?

[00:27:41] Advait Ruia (SuperTokens):

We do have some examples of being surprised, so we don't support like a lot of technologies, right, again, as an early-stage company. So for example, we don't support .NET or we don't support, like, let's say Rust and then certain things on the front end as well. So like when we saw like, a user going and building out the entire SDK for themselves, for that parti- for their framework, that was a pretty surprising, like, we didn't expect that at all. Me and my co-founder were discussing, okay, this is definitely not going to happen, they're not going to use this, but they did, they spent that four to six weeks or whatever it was like building that framework, like building that SDK for themselves and they used it.

[00:28:11] John Britton:

And then they published it, I hope.

[00:28:12] Advait Ruia (SuperTokens):

Yep. They did. [laughs]

[00:28:14] John Britton:

That's a huge signal that somebody really likes your product, if they take the time to build an SDK for their own kind of platform or language that they prefer, just so they can use your product.

[00:28:25] Advait Ruia (SuperTokens):

We've seen that a couple of times and every time we get like, even right now, when it's happening for Rust users, a bunch of Rust members have joined our Discord and they're like, we all want Rust, sort of like self organizing themselves into a community to build that. We're still skeptical whether this will actually happen, but like we're surprised and very pleasantly surprised if it does.

[00:28:41] John Britton:

I wanted to ask you about, a case of an implementation, whether it's, you know, just a story, about like a product or a user that put SuperTokens into use. If you can mention a specific customer, that's great, if not, you can talk about it in kind of more open terms.

[00:28:57] Advait Ruia (SuperTokens):

We started with early-stage startups but we have seen now, you know, a lot more mid-market sort of like later stage companies adoption as the product has matured. We've got companies across the board, right?

So we have one company that gives you, like, rewards for sharing your compute resources, right? Like, like actual cash rewards, like financial rewards. You don't need anything, but your laptop, you log in, you, you share your compute resources and you get money.

We also have companies like on the other end of that spectrum where like the company doesn't do anything software related, they make like heavy mining machinery, like, you know, like excavators and diggers and all that kind of stuff.

but like the dashboards on the vehicles themselves, like required the operators to sign in and like, you know, upload telemetry to like the manufacturer, the OEM. So the manager of that equipment can actually see how the equipment is being used.

Very surprising to us, like, you know, this like traditional engineering, heavy machinery engineering company, you know, they should like recruit mechanical engineers in my college and now they use SuperTokens.

[00:29:49] John Britton:

What's next? What do you wish that SuperTokens could do that it doesn't do yet?

[00:29:55] Advait Ruia (SuperTokens):

You can only use SuperTokens no matter your frontend, but making it easier to use it for non-React frontends. So that's like something we definitely want to make a lot easier and then similarly, you know, we want like TOTP, like 2FA with TOTP is like another big thing. So those two are like things that we immediately want to offer, which is what we're working on.

[00:30:10] John Britton:

For folks who don't know what that is 2FA with TOTP, can you explain what you're talking about?

[00:30:15] Advait Ruia (SuperTokens):

Yeah, so, timed one time password, you know, you have your Google authenticator app and you go onto your Google authenticator app and it gives you that six digit code to like sign up to login or like 2FA on that particular app so thats, that's TOTP the Google Authenticator app is basically using TOTP.

[00:30:30] John Britton:

Before we wrap up, I wanted to talk just a little bit about your opinion on the landscape of open source developer tool companies. I know before we had started, you were talking a little bit about seeing a trend here, and I want to know, you know what you're talking about and maybe we can discuss it a little bit.

[00:30:46] Advait Ruia (SuperTokens):

Open source is not new, neither our developer tools. So they're both like pretty old, but like this sort of like combination of the two is like a new trend that I, that I'm seeing or that I think is relatively new, right?

This merging of like a lot of people who are taking existing SaaS, like that are like existing leaders in different spaces and then you have like a new entrant who is effectively doing what the large company is doing in an open source way.

Again, in our case we're also doing a bunch of things differently, but you see a lot of people that are building like the open source equivalent of market leader in the devtools space.

And I think that's really interesting because it kind of implicitly alluding to what I said earlier is about like, you know, this whole build versus buy decision. Right, I think you've seen these open source companies get a lot of traction because in some way they like solve that problem for the developer.

Like they take care of this trade off for the developer and whether the companies talk about it or even realize that it's become pretty popular now to build open source equivalents of existing companies, so you're seeing that in like pretty much every space now.

I think it's like super powerful and I'm incredibly happy that it's happening.

[00:31:44] John Britton:

You know, we've talked a lot about the build versus buy decision. Do you have any examples where you've chosen to buy versus build within your own stack?

[00:31:53] Advait Ruia (SuperTokens):

So we, we definitely buy software and wherever possible, I think we use open source right. Because again, we, we want to eliminate that trade off in our decisions as well. So like the actual test is like, we use a lot of open source as well. So as far as possibly we use open source alternatives to existing providers whether it's analytics, we use something like posthog, um, you know, whether it's like, um, yeah, stuff like that, you know, we use open-source equivalents and then obviously in some cases where there aren't opensource equivalents, we actually buy the software as well. So, like, you know, CI/CD for example is like something we buy.

[00:32:22] John Britton:

What products are there out there on the market that you're currently just in love with? We're talking to an audience of developers and people who are building these kinds of developer tools. What have you seen out there that you think would be interesting to them that you really like.

[00:32:39] Advait Ruia (SuperTokens):

In terms of like the holistic approach of like building a community, building a product, and like distributing it really well, I think Supabase. Supabase has done a great job, Um, so I'd say like that's maybe something was looking at.

[00:32:52] John Britton:

Can you Explain a little bit about what civil base is for anybody who doesn't know?

[00:32:56] Advait Ruia (SuperTokens):

It's essentially like Firebase. So if you ever use Firebase, it's basically like the open source Firebase, but Supabase has like a bunch of different modules, right, which includes auth actually, but they also have like database, they also have functions like, so they have like a lot of like, essentially like the entire backend for you so that it's very easy to spin up an app on Supabase. You know, you can get started like really quickly and like run, like, like you said, right? Like a big part of like developer tooling is like letting you focus on your core business logic. Right. So you don't have to worry about all these other things.

[00:33:25] John Britton:

For folks who want to get started doing authentication and try out SuperTokens where should they go and how should they get started?

[00:33:32] Advait Ruia (SuperTokens):

Go to the website, sign up, join our Discord, you know, and, and I think we're like pretty, like we we're super passionate about auth so if you have a use case that SuperTokens doesn't work for, or just generally, like, you're not sure if you should use SuperTokens, we're pretty like happy to just tell you want authentication provider to use, even if it's not SuperTokens

We love talking to people about auth so even if it's even it's a super basic, SuperTokens is not one of the things you want to use that's completely fine too. You can get set on our website on our Discord, our discord is a great community to talk about all this stuff.

[00:33:59] John Britton:

That's supertokens.com. Thank you so much for coming on the show. I really appreciate your time and enjoyed our conversation.

[00:34:05] Advait Ruia (SuperTokens):

Likewise, John, thank you so much for having me.

[00:34:07] John Britton:

To find out more and stay in the loop with Yes-code, head to yescode.org.