Hello folks,
We are building an open-source platform (http://github.com/agenta-ai/agenta) where we want to include features for authentication. Each of our users hosts our platform in their own instances. We were thinking of using supertokens for authentication. One idea we had is to have one central supertokens core instance hosted by us that is shared by all users of our platform (meaning each user hosts their own instance of agenta, and their agenta backend calls supertokens core hosted by us). This would allow us to measure the real number of our users.
Now, the challenge is that means that the supertokens core that we host will be openly available to all the internet without API keys. The question is: what security risks does this present?
I understood that the supertokens core provides an endpoint for session creation. However, the backend itself is the one that verifies this session internally. So, if my understanding is correct, even if some attacker used supertokens core to create a session, they won't be able to use this session token in a user's backend. Is this correct?
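A defender-side check that goes with the concern raised above, written as an added example and not code from the agenta project or from SuperTokens: it audits a core `config.yaml` for an unset or malformed `api_keys` entry, since a core reachable from the internet with no API key configured accepts calls from any client. The sample configs and key values are constructed placeholders, and the key-format rule (at least 20 characters from alphanumerics, `=` and `-`) is an assumption taken from the core's config comments.

```python
import re
from typing import List

# Constructed sample of a core config.yaml with api_keys left commented out (open core)
OPEN_CORE_CONFIG = """\
core_config_version: 0
host: "0.0.0.0"
port: 3567
# api_keys:
"""

# Constructed sample with api_keys set; the values are placeholders, not real keys
KEYED_CORE_CONFIG = """\
core_config_version: 0
host: "0.0.0.0"
port: 3567
api_keys: "PLACEHOLDER-KEY-0123456789ABCDEF,PLACEHOLDER-KEY-FEDCBA9876543210"
"""

# Constructed sample with a key that is too short to satisfy the assumed format rule
WEAK_KEY_CONFIG = 'api_keys: "tooshort"\n'

# Assumed rule: a key is at least 20 characters drawn from letters, digits, '=' and '-'
KEY_PATTERN = re.compile(r"^[A-Za-z0-9=\-]{20,}$")


def parse_api_keys(config_text: str) -> List[str]:
    """Return the keys declared by an uncommented api_keys: line (empty if none)."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("api_keys:"):
            value = stripped[len("api_keys:"):].strip().strip('"').strip("'")
            return [k.strip() for k in value.split(",") if k.strip()]
    return []


def audit_api_keys(config_text: str) -> List[str]:
    """Return human-readable findings; an empty list means the core requires well-formed API keys."""
    keys = parse_api_keys(config_text)
    findings = []
    if not keys:
        findings.append("api_keys is unset: any client that can reach the core can call its APIs")
    for key in keys:
        if not KEY_PATTERN.match(key):
            findings.append(f"key starting '{key[:4]}' breaks the assumed format rule "
                            "(>= 20 chars of [A-Za-z0-9=-])")
    return findings


if __name__ == "__main__":
    for name, cfg in [("open", OPEN_CORE_CONFIG), ("keyed", KEYED_CORE_CONFIG), ("weak", WEAK_KEY_CONFIG)]:
        print(name, audit_api_keys(cfg) or "OK")
```

The same `api_keys` value must then be supplied to each self-hosted agenta backend's SuperTokens SDK configuration, otherwise the SDK's calls to the core are rejected.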