SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).

SuperTokens.com

on the passwordless recipe, i noticed that ST alllowed anyone who can verify the otp. is there a way to limit logins to only known email addresses?

You can override the createCode api on the backend to check that the u out email is whitelisted

sounds interesting, you have a link to the doc which describes this?

Checkout the advanced customisation > APIs override section