Tesseral

Tesseral is open source auth infrastructure for business software (i.e., B2B SaaS).

Tesseral is a multi-tenant, API-first service designed to run on the cloud. It is not an authentication library tied to a particular language or framework; Tesseral works with any tech stack.

Most developers should start by using Tesseral's managed service, available at console.tesseral.com. You can also self-host Tesseral.

Key Features

Tesseral bundles everything that a developer needs to manage users in business software.

Prebuilt UIs, customizable to your brand. Add and remove login methods with just a few clicks in the Tesseral Console.
Tesseral is built for B2B SaaS. Your customer's admins control how their users log in to their tenant, and can add or remove users at will.
See exactly what your users see. Debug and support faster by logging in as your users.
Pre-built settings pages where your customers can invite coworkers, edit their login settings, and everything else they need.
Add "Log in with Email" support using magic links, without writing any code.
Social Login	Add Log in with Google, Log in with GitHub, and Log in with Microsoft support without writing any code.
Add SAML support to your product without writing any code.
Add SCIM support to your product without writing any code.
Add fine-grained permissions to your product. The UI's done for you, just plug in hasPermission calls wherever you need them.
Add 2FA to your product without writing any code. Your customers can choose to require MFA for their users if they wish.
Add "Log in with Passkey" support to your product without writing any code. Supports all passkey platforms, including Touch ID, Yubikeys, and more.
Add time-based one-time-password (TOTP) support to your product without writing any code.
Not just user authentication. If you want your customers to call your endpoints automatically, give them API keys. UIs, permissions, and authentication checks all come pre-built.
Your users can invite their coworkers, or you can invite them yourself from the Tesseral Console.
Live-sync data from Tesseral into your database with realtime webhook delivery.

Get Started

Read the documentation

We encourage all developers to read the full documentation first, which is available at tesseral.com/docs. This README provides only a very brief subset of the docs to illustrate some basic ideas.

SDKs

Tesseral currently offers several SDKs for common web development frameworks.

• Clientside SDKs
  • React
• Serverside SDKs

More SDKs, in particular Next.js, are in active development. If you do not see your preferred framework listed here, please get in touch with [email protected]; we may be able to give you early access.

Sign up

For Tesseral’s managed service, you will first need to create an account at https://console.tesseral.com.

You will need to create a Project and generate a Publishable Key. Publishable Keys always look like this: publishable_key_....

Integrate your frontend

To integrate Tesseral into your app, you'll first need to integrate your frontend. This example uses the Tesseral React SDK.

Install the SDK like this:

npm install @tesseral/tesseral-react

Then, using your Publishable Key (starts with publishable_key_...), wrap your React app in the component:

import { createRoot } from "react-dom/client"
import { TesseralProvider } from "@tesseral/tesseral-react";
import App from "./App.tsx"

const root = createRoot(document.getElementById("root")) 
root.render(
  // use your Project's Publishable Key here
  <TesseralProvider publishableKey="publishable_key_...">
    <App />
  TesseralProvider>
)

The will handle a variety of auth-related tasks for you, including:

• Redirecting unauthenticated users to the login page ("login gating")
• Refreshing users' access tokens in the background when they're close to expiring
• Automatically including access tokens in requests from your frontend to your backend

Integrate your backend

Once you have your frontend integrated with Tesseral, you'll then need to integrate your backend.

Tesseral works with any backend or framework. SDKs are available for the following:

Your app might look something like this example, using the Flask SDK:

from flask import Flask
from tesseral_flask import access_token_claims, require_auth


app = Flask(__name__)

# use the same Publishable Key you used for your frontend
app.before_request(require_auth(publishable_key="publishable_key_..."))


@app.route("/api/hello", methods=["GET"])
def hello():
    # get the user's email from the current request
    # Tesseral ensures that user emails are always verified
    email = access_token_claims().user.email
    return ("hello, " + email)


if __name__ == "__main__":
    app.run(debug=True, port=5050)

Tesseral's require_auth() middleware (or its equivalent in your framework's SDK) validates access tokens for you, and only authenticated requests will go through to your endpoint handlers. A client can successfully GET /api/hello if and only if it has a valid Tesseral access token.

You can extract out details about the requester using:

Or their equivalent in your framework's SDK.

Once you have your backend integrated, you have implemented Tesseral!

License

MIT.

Contributing

We welcome outside contributions!

Please be aware, however, that auth software is complex and extremely delicate. We are very cautious with the changes that we merge. We recommend you first open a GitHub issue outlining any proposed changes.

Security

Please immediately report any potential vulnerabilities to [email protected]. We will get back to you over email.

Please do not open GitHub issues for any security-related concerns.

Community

We love enterprise software and the people building it.

Please join our community and stay up to date on new releases, events, and other Tesseral news by following us on LinkedIn and on X (Twitter). You can also check out our newsletter and our blog.

You should also feel welcome to get in touch at [email protected] with questions.

Who we are

This is commercial open source software managed by Tesseral, a startup based in San Francisco. We previously built SSOReady, an open source middleware for SAML SSO and SCIM provisioning.

Primary technical responsibility for Tesseral belongs to Ulysse Carion, cofounder and CTO at Tesseral, and to Tesseral's technical staff: Blake Williams and Dillon Nys.