Sa-Token

Sa-Token is an open source Java security and authentication framework that handles the common "who is this user and what are they allowed to do?" layer in web applications. Building login, session management, role-based access control, and single sign-on from scratch in every project wastes significant time — Sa-Token packages all of that into a lightweight library you drop into any Spring Boot application with a single Maven dependency.

Its five core modules cover login authentication (including remember-me and multi-device sessions), permission and role checking, single sign-on (SSO) so one login works across multiple related web apps, OAuth 2.0 so third-party apps can log in with your service, and microservice gateway authorization. Beyond those, it ships plugins for JWT integration, API parameter signing to prevent tampering, API key authorization, and account ban/kick features. Most operations are a single line of Java code — logging a user in is one method call, and protecting an endpoint with a required permission is one annotation. It integrates with Redis so session state survives server restarts and works across distributed deployments.

You would use Sa-Token if you are building a Java/Spring Boot web application or microservice system and want to add authentication and access control without wiring together low-level Spring Security or Apache Shiro configurations. It is licensed under Apache 2.0 and is free to use commercially.