> it seems like it would be very easy to spoof a password reset email and make it appear to come from any site using supertokens
True, we are planning on adding an API key to it, which you would need to use to query our API. This API key would be tied to your website domain and app name, which would prevent spoofing 🙂