SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).

SuperTokens.com

Does SuperTokens have a way to obfuscate the password sent from the frontend? Looking at the Next.js example, the password just seems to be submitted as is. Seems a little risky.

Yea! Absolutely. You can override the sign in / sign up recipe function on the frontend to hash it before calling the original implementation. This would send the hashed password to the backend. And the backend would further hash it in the core before saving it

One down side of this is that you can’t reliably enforce password syntax rules. Cause the backend no longer gets the original password. Whilst the frontend can check for password syntax before having it, it can be easily hacked by changing the frontend code

Ah, interesting. That does make sense. Okay. Thanks for the helpful info!