Us vs Stytch #27

Open
21 of 44 tasks
rishabhpoddar opened this issue Jun 14, 2021 · 1 comment

Comments

@rishabhpoddar
Member

rishabhpoddar commented Jun 14, 2021

Questions

  • Describe the dev setup experience (how many steps and what are they + time overall)
  • How well do they support various platforms and SDKs?
  • Can you easily add a custom social provider?
  • How can we go about customising the UI? From colours to full customisation
  • How do we do things like handle sign up success?
  • Social account consolidation?
  • Can sessions be used with httpOnly cookies?
  • Setting up for the two use cases of multi tenancy?
  • If one needs to do something like paginating across all users in the app in their API, how can they do that?
  • If someone wants to tweak the sign up / sign in APIs, how can they do that?
  • How would adding custom sign up fields work?
  • How would adding custom sign up validators work?
  • How to go about customising the email design and or the sender's domain?
  • How to go about sending emails yourself if you want to?
  • How to implement sign out functionality?
  • How to implement revoking a user's session functionality?
  • What if you want to embed the sign up / in page into your website UI (As opposed to opening a new tab..). Is that possible?
  • What are features that they provide that we don't?
  • Will their solution work with serverless env like in nextjs or netlify?
  • Email verification with Social providers, how does it work
  • Changing Email for social provider, how it works
  • revoke session between your frontend and backend, how does it work
  • if you want to add a password strength meter to registration, how does it work
  • User has multiple sessions, only want to revoke a couple of them, how does that work
  • For social account consolidation, how does changing the email work.
  • Multi tenancy, properly how it works, redirection works with the frontend
  • RBAC, check properly, how to get the role of the user within the API for custom logic for both frontend and backend.
  • How to set roles for a user on backend, set multiple roles for a user.
  • Documentation review
  • Changing password validation (or some similar feature) for sign up, does this get propagated to other places (sign in, password reset)?
  • what are the supported databases
  • In multi-tenancy, can you share cookies between subdomains
  • Is there a mechanism for protecting routes (similar to the supertokens auth wrapper). How easy is it to protect multiple pages and what does the code look like?
  • If a session expires is there a pop-up? does the user have to handle it?
  • mobile implementation, iOS and Android
  • Email is not verified but password reset is done, does that verify email?
  • implementation with ssr
  • Migration to and away
  • API customisability
  • sharing session across sub domains
  • How to disallow sign up and only have sign in?
  • How to customise OTP sent via SMS?
  • Does it provide Email OTP as a feature?
  • Can a user be re-authenticated when visiting a protected route?
@rishabhpoddar
Member Author

rishabhpoddar commented Jun 14, 2021

See the answers for SuperTokens here

Describe the dev setup experience (how many steps and what are they + time overall)

  • Sign up
  • Setup frontend SDK
    • Download
    • Call the init function
    • Add div to place their UI in
    • Add callbacks to handle successful creation of user -> call your API to add user to your database
    • Add a route to handle magic link click
    • Design that route -> send code to backend API -> handle success and take the user to their home page
  • Setup backend SDK
    • Download
    • Call the init function
    • Add a route to save stytch's userId in your database
    • Add a route to handle magic link token and call stytch's SDK function and then create a new session

How well do they support various platforms and SDKs?

  • They have good support in general
  • But the SDKs are minimal and are essentially wrappers around their APIs

How can we go about customising the UI? From colours to full customisation

  • Seem to have limited styling options (predefined), whereas in ours, you can define any valid CSS (including media queries)
  • Modifying a part of the UI involves creating the UI from scratch.

How do we do things like handle sign up success?

  • They have an onSuccess on the frontend for when a magic link was successfully sent
  • You need to implement an API route yourself on the backend that takes a token and calls stytch's backend. If that is successful, then you can handle post sign up success within that API route.

Setting up for the two use cases of multi tenancy?

  • Not supported, unless you can hack around.
  • There is no concept of tenantID as of yet. Simulating that requires you to be able to add a tenantID to the user's email during sign up like [email protected]. But unless you make your own UI, you cannot make this change.
  • Since the user has to implement the frontend and backend part of handling the tokens, they can do anything post authentication. Post auth, you will get the stytch userId using which you can fetch their relevant info and redirect them to their own domain.

If one needs to do something like paginating across all users in the app in their API, how can they do that?

  • You need to store the users in your db separately and using that, you can paginate across users.

If someone wants to tweak the sign up / sign in APIs, how can they do that?

  • You can use their SDKs in your backend to create your own API. Their SDK functions seem quite fine-grained to allow you to customise things well.

How would adding custom sign up fields work?

  • You would need to create the UI from scratch, and implement your own backend API to handle the requests and use their SDK functions.

How would adding custom sign up validators work?

  • You would need to create the UI from scratch, and implement your own backend API to handle the requests and use their SDK functions.

What if you want to embed the sign up / in page into your website UI (As opposed to opening a new tab..). Is that possible?

  • Yes. This is easy to do.

Will their solution work with serverless env like in nextjs or netlify?

  • Yes. Cause they don't integrate with your backend layer as such...

Documentation review

  • Everything is clogged into one long page which makes it annoying to "go back" to the previous section that you were seeing.
  • The language selection feature is nice.

What are the supported databases

  • They don't have a self hosted version.. so doesn't matter.

Is there a mechanism for protecting routes (similar to the supertokens auth wrapper). How easy is it to protect multiple pages and what does the code look like?

  • Not yet, since they don't do session management.

implementation with ssr

  • This is a question that relates to sessions, which they don't do yet.

Migration to and away

  • They have their own userIds which you need to map to your own userIds.
  • If someone is using Auth0, they can't use login with Auth0 (since no OAuth 2 provider support)
  • Since you need to implement the backend and frontend APIs yourself, you can do splitting of sign up requests based on the input.

API customisability

  • Since the user has to implement their own backend logic, they have the ability to customise however they like.

How to go about customising the email design and or the sender's domain?

  • Docs don't mention this

How to go about sending emails yourself if you want to?

  • Docs don't mention this

How to disallow sign up and only have sign in?

  • You will need to implement the UI from scratch yourself.
  • When the user types in their email and clicks on the button, you will need to check if that email exists in your API (using stytch's SDK functions). If it doesn't, you can throw an error to the frontend.

How to customise OTP sent via SMS?

  • You can't

Does it provide Email OTP as a feature?

  • No, OTP is only available by SMS

Can a user be re-authenticated when visiting a protected route?

  • Since stytch doesn't deal with sessions, this would be something the user would have to implement
