Can the SuperTokens Core API layer be scaled?
We are doing a POC with SuperTokens for authentication. We require Passwordless, Email/Password, and Social Login functionality. With that functionality required, is the SuperTokens Core API layer scalable? If so, what is the recommended approach for scaling?
Solution 1:[1]
SuperTokens has two sets of APIs:
- Core driver interface (CDI): The API exposed via the SuperTokens Core microservice.
- Frontend driver interface (FDI): The API exposed via our backend SDK.
Your app's frontend only calls the FDI APIs and in turn, our backend SDK calls the CDI APIs. So your backend is a proxy between the frontend and the SuperTokens core service.
The scalability of the FDI APIs (which are called by your frontend) is dependent on the scalability of your API layer, which is completely controlled by you.
The scalability of the CDI APIs (exposed via the SuperTokens core service) depends on:
- The number of instances of the core that have been deployed.
- How "far" away the core is from your backend.
- The scalability of the underlying database that the core connects to.
Each SuperTokens core instance is stateless and can be scaled up / down easily. However, all of them need to connect to the same instance of a db and therefore the limiting factor here becomes the scalability of the db itself.
Since only your backend API layer queries the SuperTokens core, it is recommended to host the core in the same region as your backend.
That being said, one instance of the core can handle several hundred requests per second comfortably. You can further improve its performance by setting:
- The max number of parallel requests to the server.
- The max number of parallel db connections.
Finally, if we consider the different types of auth operations, session verification is by far the most common operation (as compared to signing in / out or changing a password...). By default, SuperTokens verifies a user's session in a stateless manner. This means that your backend API layer doesn't need to query the core at all for session verification.
This in turn implies that you can easily scale SuperTokens to handle millions of users with hundreds of thousands of concurrent sessions with a fairly low number of core instances.
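The stateless session verification described in the answer above, as an added sketch that is not part of the original answer and not SuperTokens' code: `FakeCore`, `verify_stateless`, the HMAC-signed token layout and the demo key are all assumptions chosen so it runs offline. It shows that sign-in costs a core round trip while each session check is only a local signature and expiry check.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for the token signature here; it is an
# assumption of this sketch, not SuperTokens' actual token format.
VERIFY_KEY = b"constructed-demo-key"


def _sign(body):
    return hmac.new(VERIFY_KEY, body, hashlib.sha256).hexdigest().encode()


class FakeCore:
    """Hypothetical stand-in for the core service that counts round trips."""

    def __init__(self):
        self.calls = 0
        self.revoked = set()

    def sign_in(self, user_id, now, ttl=3600):
        self.calls += 1  # sign-in always needs the core (and its database)
        claims = json.dumps({"sub": user_id, "exp": now + ttl}).encode()
        body = base64.urlsafe_b64encode(claims)
        return body + b"." + _sign(body)

    def revoke(self, user_id):
        self.calls += 1
        self.revoked.add(user_id)  # known to the core only


def verify_stateless(token, now):
    """Check a session in the backend only: signature, then expiry. No core call."""
    body, sep, sig = token.rpartition(b".")
    if not sep or not hmac.compare_digest(sig, _sign(body)):
        return None  # malformed or tampered token
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"]:
        return None  # expired: the client must refresh, which does reach the core
    return claims["sub"]


def demo():
    """One sign-in followed by 1000 session checks; returns (core calls, users seen)."""
    core = FakeCore()
    token = core.sign_in("user-1", now=1000)
    return core.calls, {verify_stateless(token, now=1000 + i) for i in range(1000)}
```

Because nothing in `verify_stateless` consults the core, a session revoked there keeps verifying in this sketch until its `exp` passes, which is why statelessly verified tokens are normally kept short-lived.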
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | Rishabh Poddar |