So I am looking for a way to grant JWTs to our team that allows me to assign a role of

team-member

and would be valid for any subdomain of my tld.

So unfortunately, we do not support the case where the TLDs are different. The way to solve for that is to use SSO where each website is issued their own separate OpenID token via the login provider which is then used to issue a JWT / session for that website

I'm not looking for different TLDs, sorry if that wasnt clear.

then? all your sites have the same TLD?

oops.. sorry.. misread your message earlier

Yup all on the same TLD

So with supertokens, we have designed the session assuming that you have a "backend" or an API server

the way it works is that the client calls the "login" API, which issues an access / refresh token and associates them to cookies against the API domain

in your case, there is no API domain

So how does login work?

I see.

I mean the login form must be sending a POST request to a domain right? Which domain is that?

Well when I tried this with Auth-O a few years ago, they provide a JS login widget than can then handly auth and user management on Auth-o's system and return the signed JWT to the user.

I was assuming that the managed SuperTokens service would work in a similar way, but I might have the wrong assumptions

In our case, we provide the login widget, that calls your own API domain which then calls the supertokens core.

so if you do not have a an API domain, you need to create one in NodeJS, specifically for auth

the quick setup guide for backend is what you need to implement

using that API layer, you can gain a lot of flexibility in terms of various auth related functions you may want to carry out...

So I would host a backend service for auth at say,

auth.my-domain.com

that would integrate with SuperTokens core

yes

OK - thanks for clarifying - is there a recommended boilerplate app I can deploy?

yes

Thank you. I'll take a look and update you if it works out or not for my use-case.

Let's say your website is w1.example.com & w2.example.com. Your login site is login.example.com You would need an API domain like api.example.com. This would talk to the supertokens core. Now when the user logs in, the form will call the sign in POST API in

api.example.com

. This API is provided by the supertokens-node SDK. On success, it would create an access and a refresh token, and associate them with

api.example.com

. The frontend SDK (supertokens-auth-react) would also add a few cookies on

.example.com

, which can be used to determine if a session exists on

w1.example.com

and

w2.example.com

. Then in

w1.example.com

, on the client side, you would need to check if a session exists, and render appropriate content. Likewise for

w2.example.com

. Finally, you can add any role to the access token which can be read on w1 or w2.example.com, on the client side. This implies that netlify would not be involved in checking for a JWT. Your client side code needs to do that via the supertokens-auth-react SDK. We have a

doesSessionExist()

function that can be used for this.

Thanks for the clarification. I think in that case, the SuperTokens model does not mesh well with what I'm trying to do.

w1.example.com

and

w2.example.com

are just static websites and are not aware of sessions or users. Netlify would provide the access control in front of these sites, but that depends on a valid JWT existing in the user's browser. I don't really want to manage additional services for login (which is part of the attraction of the JAMStack for me). Do you know of any SaaS that could handle the lifecycle of these JWTs? Okta and Auth-0 are both very enterprise-y, and overly complex.

Have you seen fire base auth?

Firebase*

Thanks will check it out!