Tesseral is open source auth infrastructure for business software (i.e., B2B SaaS).
Tesseral is a multi-tenant, API-first service designed to run on the cloud. It is not an authentication library tied to a particular language or framework; Tesseral works with any tech stack.
Most developers should start by using Tesseral's managed service, available at console.tesseral.com. You can also self-host Tesseral.
Tesseral bundles everything that a developer needs to manage users in business software.
| Hosted, customizable login pages Prebuilt UIs, customizable to your brand. Add and remove login methods with just a few clicks in the Tesseral Console. |
 |
| B2B multitenancy Tesseral is built for B2B SaaS. Your customer's admins control how their users log in to their tenant, and can add or remove users at will. |
 |
| User impersonation See exactly what your users see. Debug and support faster by logging in as your users. |
 |
| Self-service config for your customers Pre-built settings pages where your customers can invite coworkers, edit their login settings, and everything else they need. |
 |
| Magic Links Add "Log in with Email" support using magic links, without writing any code. |
 |
| Social Login Add Log in with Google, Log in with GitHub, and Log in with Microsoft support without writing any code. |
 |
| SAML (Enterprise Single Sign-On) Add SAML support to your product without writing any code. |
 |
| SCIM (Enterprise Directory Sync) Add SCIM support to your product without writing any code. |
 |
| Role-based access control (RBAC) Add fine-grained permissions to your product. The UI's done for you, just plug in hasPermission calls wherever you need them. |
 |
| Multi-factor authentication (MFA) Add 2FA to your product without writing any code. Your customers can choose to require MFA for their users if they wish. |
 |
| Passkeys / WebAuthn Add "Log in with Passkey" support to your product without writing any code. Supports all passkey platforms, including Touch ID, Yubikeys, and more. |
 |
| Authenticator apps (TOTPs) Add time-based one-time-password (TOTP) support to your product without writing any code. |
 |
| API key management Not just user authentication. If you want your customers to call your endpoints automatically, give them API keys. UIs, permissions, and authentication checks all come pre-built. |
 |
| User invitations Your users can invite their coworkers, or you can invite them yourself from the Tesseral Console. |
 |
| Webhooks Live-sync data from Tesseral into your database with realtime webhook delivery. |
 |
We encourage all developers to read the full documentation first, which is available at tesseral.com/docs. This README provides only a very brief subset of the docs to illustrate some basic ideas.
Tesseral currently offers several SDKs for common web development frameworks.
More SDKs, in particular Next.js, are in active development. If you do not see your preferred framework listed here, please get in touch with [email protected]; we may be able to give you early access.
For Tesseral’s managed service, you will first need to create an account at https://console.tesseral.com.
You will need to create a Project and generate a Publishable Key. Publishable
Keys always look like this: publishable_key_....
To integrate Tesseral into your app, you'll first need to integrate your frontend. This example uses the Tesseral React SDK.
Install the SDK like this:
npm install @tesseral/tesseral-react
Then, using your Publishable Key (starts with publishable_key_...), wrap your
React app in the <TesseralProvider> component:
import { createRoot } from "react-dom/client"
import { TesseralProvider } from "@tesseral/tesseral-react";
import App from "./App.tsx"
const root = createRoot(document.getElementById("root"))
root.render(
// use your Project's Publishable Key here
<TesseralProvider publishableKey="publishable_key_...">
<App />
</TesseralProvider>
)The <TesseralProvider> will handle a variety of auth-related tasks for you,
including:
- Redirecting unauthenticated users to the login page ("login gating")
- Refreshing users' access tokens in the background when they're close to expiring
- Automatically including access tokens in requests from your frontend to your backend
Once you have your frontend integrated with Tesseral, you'll then need to integrate your backend.
Tesseral works with any backend or framework. SDKs are available for the following:
Your app might look something like this example, using the Flask SDK:
from flask import Flask
from tesseral_flask import access_token_claims, require_auth
app = Flask(__name__)
# use the same Publishable Key you used for your frontend
app.before_request(require_auth(publishable_key="publishable_key_..."))
@app.route("/api/hello", methods=["GET"])
def hello():
# get the user's email from the current request
# Tesseral ensures that user emails are always verified
email = access_token_claims().user.email
return ("hello, " + email)
if __name__ == "__main__":
app.run(debug=True, port=5050)Tesseral's
require_auth()
middleware (or its equivalent in your framework's SDK) validates access tokens
for you, and only authenticated requests will go through to your endpoint
handlers. A client can successfully GET /api/hello if and only if it has a
valid Tesseral access token.
You can extract out details about the requester using:
Or their equivalent in your framework's SDK.
Once you have your backend integrated, you have implemented Tesseral!
MIT.
We welcome outside contributions!
Please be aware, however, that auth software is complex and extremely delicate. We are very cautious with the changes that we merge. We recommend you first open a GitHub issue outlining any proposed changes.
Please immediately report any potential vulnerabilities to [email protected]. We will get back to you over email.
Please do not open GitHub issues for any security-related concerns.
We love enterprise software and the people building it.
Please join our community and stay up to date on new releases, events, and other Tesseral news by following us on LinkedIn and on X (Twitter). You can also check out our newsletter and our blog.
You should also feel welcome to get in touch at [email protected] with questions.
This is commercial open source software managed by Tesseral, a startup based in San Francisco. We previously built SSOReady, an open source middleware for SAML SSO and SCIM provisioning.
Primary technical responsibility for Tesseral belongs to Ulysse Carion, cofounder and CTO at Tesseral, and to Tesseral's technical staff: Blake Williams and Dillon Nys.