Can you elaborate how blacklisting works? We store...
# general
r
> Can you elaborate how blacklisting works? We store the session tokens in the db. When a session is removed, we remove the token from the db. When blacklisting is enabled, for each session verification, we check if the session token exists in the db; if not, we fail the verification. This does have a performance penalty, as every request will have a db call for session verification. You can optimise this by introducing your own middleware that runs AFTER our session verification middleware. Your middleware can cache blacklisted `sessionHandle`s (it's a constant string for the lifetime of the session) and check against that blacklist. We also plan on introducing the ability to do session blacklisting on a per-API basis. So for GET APIs, you don't need to enable session blacklisting, but for POST or other "sensitive" APIs, you can.
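An added example of the middleware pattern described in that reply. It is not code from the original message or from the library being discussed: it assumes a hypothetical verification middleware has already run and set `req.session` with a `getHandle()` method returning the constant session handle, that the sign-out path calls `revoke()` on the cache, and that each route is created with a `checkBlacklist` flag so read-only APIs can skip the check while sensitive ones enforce it.

```javascript
// Added example, not the library's own code. Assumes a verification middleware
// that ran earlier populated req.session.getHandle(); the request objects below
// are constructed to mimic that.

class SessionBlacklistCache {
  constructor(now = () => Date.now()) {
    this.now = now;
    // sessionHandle -> unix ms after which the session's tokens could not
    // verify anyway; past that point the entry is dead weight and is pruned.
    this.revoked = new Map();
  }

  revoke(sessionHandle, sessionExpiryMs) {
    this.revoked.set(sessionHandle, sessionExpiryMs);
  }

  isRevoked(sessionHandle) {
    const expiry = this.revoked.get(sessionHandle);
    if (expiry === undefined) return false;
    if (expiry <= this.now()) {
      this.revoked.delete(sessionHandle);
      return false;
    }
    return true;
  }

  size() {
    return this.revoked.size;
  }
}

// Per-API toggle: routes built with checkBlacklist=false (e.g. GETs) skip the
// lookup entirely; sensitive routes consult the cache on every request.
function blacklistMiddleware(cache, { checkBlacklist } = { checkBlacklist: true }) {
  return function (req, res, next) {
    if (!checkBlacklist) return next();
    if (!req.session || typeof req.session.getHandle !== "function") {
      // Verification did not run first: fail closed rather than open.
      res.status(401).send("session verification missing");
      return;
    }
    if (cache.isRevoked(req.session.getHandle())) {
      res.status(401).send("session revoked");
      return;
    }
    next();
  };
}

// Minimal harness so the middleware can be exercised without a web framework.
function runRequest(middleware, sessionHandle) {
  const req = sessionHandle === null
    ? {} // verification never ran
    : { session: { getHandle: () => sessionHandle } }; // constructed stand-in
  let statusCode = 200;
  const res = {
    status(code) { statusCode = code; return this; },
    send() { return this; },
  };
  let reachedHandler = false;
  middleware(req, res, () => { reachedHandler = true; });
  return { statusCode, reachedHandler };
}

// Walks through sign-out, a GET that skips the check, a missing verification
// step, and pruning once the session's lifetime has passed.
function demo() {
  let t = 1000000; // fake clock in ms
  const cache = new SessionBlacklistCache(() => t);
  const sensitive = blacklistMiddleware(cache, { checkBlacklist: true });
  const readOnly = blacklistMiddleware(cache, { checkBlacklist: false });

  const results = [];
  results.push(runRequest(sensitive, "sess-A").statusCode); // 200: not revoked yet
  cache.revoke("sess-A", t + 60000);                        // user signs out
  results.push(runRequest(sensitive, "sess-A").statusCode); // 401: blacklisted
  results.push(runRequest(readOnly, "sess-A").statusCode);  // 200: GET skips check
  results.push(runRequest(sensitive, null).statusCode);     // 401: fail closed
  t += 120000;                                              // session lifetime over
  results.push(runRequest(sensitive, "sess-A").statusCode); // 200: entry pruned
  results.push(cache.size());                               // 0
  return results;
}

module.exports = { SessionBlacklistCache, blacklistMiddleware, runRequest, demo };
```

One caveat a practitioner should keep in mind: an in-memory cache like this is per process, so with more than one server instance a revocation must be pushed to every instance (or the cache backed by a shared store); otherwise a session revoked on one node keeps verifying on the others until its tokens expire.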