graphql-hive · n1ru4l · Feb 18, 2026 · Feb 19, 2026 · Feb 19, 2026 · Feb 25, 2026
diff --git a/.changeset/stale-knives-help.md b/.changeset/stale-knives-help.md
@@ -0,0 +1,69 @@
+---
+'hive': major
+---
+
+**BREAKING** Remove support for `supertokens` service and replace it with native authentication solution.
+
+## Upgrade Guide
+
+Adjust your docker compose file like the following:
+- Remove `services.supertokens` from your `docker-compose.community.yml` file
+- Remove the following environment variables from the `services.server.environment`
+  - `SUPERTOKENS_CONNECTION_URI=`
+  - `SUPERTOKENS_API_KEY=`
+- Set the following environment variables for `services.server.environment`
+  - `SUPERTOKENS_REFRESH_TOKEN_KEY=`
+  - `SUPERTOKENS_ACCESS_TOKEN_KEY=`
+
+### Set the refresh token key
+
+#### Extract from existing `supertokens` deployment
+
+This method works if you use supertokens before and want to have existing user sessions to continue working.
+If you want to avoid messing with the database, you can also create a new refresh token key from scratch, the drawback is that users are forced to login again.
+
+Extract the refresh token key from the supertokens database
+```sql
+SELECT "value" FROM "supertokens_key_value" WHERE "name" = 'refresh_token_key';
+```
+
+The key should look similar to this: `1000:15e5968d52a9a48921c1c63d88145441a8099b4a44248809a5e1e733411b3eeb80d87a6e10d3390468c222f6a91fef3427f8afc8b91ea1820ab10c7dfd54a268:39f72164821e08edd6ace99f3bd4e387f45fa4221fe3cd80ecfee614850bc5d647ac2fddc14462a00647fff78c22e8d01bc306a91294f5b889a90ba891bf0aa0`
+
+Update the docker compose `services.server.environment.SUPERTOKENS_REFRESH_TOKEN_KEY` environment variable value to this string.
+
+#### Create from scratch
+
+Run the following command to create a new refresh key from scratch:
+
+```sh
+echo "1000:$(openssl rand -hex 64):$(openssl rand -hex 64)"
+```
+
+### Set the access token key
+
+Generate a new access token key using the following instructions:
+
+```sh
+# 1. Generate a unique key name. 'uuidgen' is great for this.
+#    You can replace this with any string you like, e.g., KEY_NAME="my-app-key-1"
+KEY_NAME=$(uuidgen)
+# 2. Generate a 2048-bit RSA private key in PEM format, held in memory.
+PRIVATE_KEY_PEM=$(openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048)
+# 3. Extract the corresponding public key from the private key, also held in memory.
+PUBLIC_KEY_PEM=$(echo "$PRIVATE_KEY_PEM" | openssl rsa -pubout)
+# 4. Strip the headers/footers and newlines from the private key PEM
+#    to get just the raw Base64 data.
+PRIVATE_KEY_DATA=$(echo "$PRIVATE_KEY_PEM" | awk 'NF {if (NR!=1 && $0!~/-----END/) print}' | tr -d '\n')
+# 5. Do the same for the public key PEM.
+PUBLIC_KEY_DATA=$(echo "$PUBLIC_KEY_PEM" | awk 'NF {if (NR!=1 && $0!~/-----END/) print}' | tr -d '\n')
+# 6. Echo the final formatted string to the console.
+echo "${KEY_NAME}|${PUBLIC_KEY_DATA}|${PRIVATE_KEY_DATA}"
+```
+
+Update the docker compose `services.server.environment.SUPERTOKENS_ACCESS_TOKEN_KEY` environment variable value to the formatted string output.
+
+## Conclusion
+
+After performing this updates you can run Hive Console without the need for the `supertokens` service. All the relevant authentication logic resides within the `server` container instead.
+
+Existing users in the supertokens system will continue to exist when running without the `supertokens` service.
diff --git a/deployment/index.ts b/deployment/index.ts
@@ -24,7 +24,6 @@ import { deployS3, deployS3AuditLog, deployS3Mirror } from './services/s3';
 import { deploySchema } from './services/schema';
 import { configureSentry } from './services/sentry';
 import { configureSlackApp } from './services/slack-app';
-import { deploySuperTokens } from './services/supertokens';
 import { deployTokens } from './services/tokens';
 import { deployUsage } from './services/usage';
 import { deployUsageIngestor } from './services/usage-ingestor';
@@ -201,7 +200,6 @@ const schemaPolicy = deploySchemaPolicy({
   observability,
 });
 
-const supertokens = deploySuperTokens(postgres, { dependencies: [dbMigrations] }, environment);
 const zendesk = configureZendesk({ environment });
 const githubApp = configureGithubApp();
 const slackApp = configureSlackApp();
@@ -220,7 +218,6 @@ const graphql = deployGraphQL({
   usage,
   cdn,
   commerce,
-  supertokens,
   s3,
   s3Mirror,
   s3AuditLog,

diff --git a/deployment/services/db-migrations.ts b/deployment/services/db-migrations.ts
@@ -47,7 +47,6 @@ export function deployDbMigrations({
         // Since K8s job are immutable, we can't edit or ask K8s to re-run a Job, so we are doing a
         // pseudo change to an env var, which causes Pulumi to re-create the Job.
         IGNORE_RERUN_NONCE: force ? Date.now().toString() : '0',
-        SUPERTOKENS_AT_HOME: '1',
       },
     },
     [clickhouse.deployment, clickhouse.service, ...(dependencies || [])],

diff --git a/deployment/services/environment.ts b/deployment/services/environment.ts
@@ -48,9 +48,6 @@ export function prepareEnvironment(input: {
       general: {
         replicas: isProduction || isStaging ? 3 : 1,
       },
-      supertokens: {
-        replicas: isProduction || isStaging ? 3 : 1,
-      },
       envoy: {
         replicas: isProduction || isStaging ? 3 : 1,
         cpuLimit: isProduction ? '1500m' : '120m',

diff --git a/deployment/services/graphql.ts b/deployment/services/graphql.ts
@@ -16,7 +16,6 @@ import { Redis } from './redis';
 import { S3 } from './s3';
 import { Schema } from './schema';
 import { Sentry } from './sentry';
-import { Supertokens } from './supertokens';
 import { Tokens } from './tokens';
 import { Usage } from './usage';
 import { Zendesk } from './zendesk';
@@ -40,7 +39,6 @@ export function deployGraphQL({
   usage,
   commerce,
   dbMigrations,
-  supertokens,
   s3,
   s3Mirror,
   s3AuditLog,
@@ -68,7 +66,6 @@ export function deployGraphQL({
   usage: Usage;
   dbMigrations: DbMigrations;
   commerce: CommerceService;
-  supertokens: Supertokens;
   zendesk: Zendesk;
   docker: Docker;
   sentry: Sentry;
@@ -144,7 +141,6 @@ export function deployGraphQL({
           ZENDESK_SUPPORT: zendesk.enabled ? '1' : '0',
           INTEGRATION_GITHUB: '1',
           // Auth
-          SUPERTOKENS_CONNECTION_URI: supertokens.localEndpoint,
           AUTH_GITHUB: '1',
           AUTH_GOOGLE: '1',
           AUTH_ORGANIZATION_OIDC: '1',
@@ -155,7 +151,6 @@ export function deployGraphQL({
               ? observability.tracingEndpoint
               : '',
           S3_MIRROR: '1',
-          SUPERTOKENS_AT_HOME: '1',
         },
         exposesMetrics: true,
         port: 4000,
@@ -209,7 +204,6 @@ export function deployGraphQL({
       .withSecret('S3_AUDIT_LOG_BUCKET_NAME', s3AuditLog.secret, 'bucket')
       .withSecret('S3_AUDIT_LOG_ENDPOINT', s3AuditLog.secret, 'endpoint')
       // Auth
-      .withSecret('SUPERTOKENS_API_KEY', supertokens.secret, 'apiKey')
       .withSecret('AUTH_GITHUB_CLIENT_ID', githubOAuthSecret, 'clientId')
       .withSecret('AUTH_GITHUB_CLIENT_SECRET', githubOAuthSecret, 'clientSecret')
       .withSecret('AUTH_GOOGLE_CLIENT_ID', googleOAuthSecret, 'clientId')

diff --git a/deployment/services/supertokens.ts b/deployment/services/supertokens.ts
diff --git a/docker/docker-compose.community.yml b/docker/docker-compose.community.yml
@@ -89,22 +89,6 @@ services:
     volumes:
       - './.hive/redis/db:/bitnami/redis/data'
 
-  supertokens:
-    image: registry.supertokens.io/supertokens/supertokens-postgresql:9.3
-    depends_on:
-      db:
-        condition: service_healthy
-    networks:
-      - 'stack'
-    environment:
-      POSTGRESQL_USER: '${POSTGRES_USER}'
-      POSTGRESQL_PASSWORD: '${POSTGRES_PASSWORD}'
-      POSTGRESQL_DATABASE_NAME: '${POSTGRES_DB}'
-      POSTGRESQL_TABLE_NAMES_PREFIX: 'supertokens'
-      POSTGRESQL_HOST: db
-      POSTGRESQL_PORT: 5432
-      API_KEYS: '${SUPERTOKENS_API_KEY}'
-
   s3:
     image: quay.io/minio/minio:RELEASE.2025-09-07T16-13-09Z
     command: server /data --console-address ":9001"
@@ -234,9 +218,9 @@ services:
       # Auth
       AUTH_ORGANIZATION_OIDC: '1'
       AUTH_REQUIRE_EMAIL_VERIFICATION: '0'
-      SUPERTOKENS_CONNECTION_URI: http://supertokens:3567
-      SUPERTOKENS_API_KEY: '${SUPERTOKENS_API_KEY}'
       GRAPHQL_PUBLIC_ORIGIN: http://localhost:8082
+      SUPERTOKENS_REFRESH_TOKEN_KEY: '${SUPERTOKENS_REFRESH_TOKEN_KEY}'
+      SUPERTOKENS_ACCESS_TOKEN_KEY: '${SUPERTOKENS_ACCESS_TOKEN_KEY}'
       # Tracing
       OPENTELEMETRY_COLLECTOR_ENDPOINT: '${OPENTELEMETRY_COLLECTOR_ENDPOINT:-}'
       SENTRY: '${SENTRY:-0}'

diff --git a/docker/docker-compose.dev.yml b/docker/docker-compose.dev.yml
@@ -123,25 +123,6 @@ services:
     volumes:
       - ./.hive-dev/broker/db:/var/lib/kafka/data
 
-  supertokens:
-    image: registry.supertokens.io/supertokens/supertokens-postgresql:9.3
-    mem_limit: 300m
-    depends_on:
-      db:
-        condition: service_healthy
-    networks:
-      - 'stack'
-    ports:
-      - '3567:3567'
-    environment:
-      POSTGRESQL_USER: postgres
-      POSTGRESQL_PASSWORD: postgres
-      POSTGRESQL_DATABASE_NAME: registry
-      POSTGRESQL_TABLE_NAMES_PREFIX: 'supertokens'
-      POSTGRESQL_HOST: db
-      POSTGRESQL_PORT: 5432
-      API_KEYS: bubatzbieber6942096420
-
   oidc-server-mock:
     image: ghcr.io/soluto/oidc-server-mock:0.8.6
     mem_limit: 200m

diff --git a/docker/docker-compose.end2end.yml b/docker/docker-compose.end2end.yml
@@ -33,10 +33,6 @@ services:
     networks:
       - 'stack'
 
-  supertokens:
-    ports:
-      - '3567:3567'
-
   db:
     ports:
       - '5432:5432'