Multi-Tenant SaaS Platform

Full-stack Developer

  • Next.js (App Router)
  • Ruby on Rails (API-only)
  • TanStack React Query
  • JWT Authentication
  • PostgreSQL
  • Tailwind CSS
  • TypeScript

Overview

This project is a production-oriented multi-tenant SaaS platform designed to manage organizations, users, and projects with strict tenant isolation. The focus was on building real-world authentication, authorization, and onboarding flows rather than a feature-heavy demo application.

Core Capabilities

  • Multi-tenant architecture with strict tenant-level data isolation
  • JWT-based authentication with access and refresh tokens
  • Invite-based user onboarding with secure token validation
  • Role-based access control enforced on both backend and frontend
  • Permission-aware UI rendering for projects and users

Authentication & Onboarding

Authentication and onboarding were designed to mirror real SaaS systems. Login establishes authentication, while a dedicated session bootstrap endpoint acts as the single source of truth for user identity and permissions.

  • Public signup creates a new tenant and assigns an admin role
  • Admins can invite users via email with predefined roles
  • Invite acceptance is handled through a public token-based flow
  • Users set their password during invite acceptance
  • Post-login session state is hydrated via a /me endpoint

Authorization & Permissions

Authorization is permission-driven rather than hardcoded role checks. This allows flexibility as the system grows without tightly coupling frontend logic to specific roles.

  • Permissions are defined and enforced on the backend
  • Frontend consumes permissions and conditionally renders actions
  • Admin-only actions such as inviting users and role changes are protected
  • Project-level actions respect create, read, update, and delete permissions

Frontend Architecture

The frontend was built with a strong emphasis on separation of concerns and predictable data flow, following real-world Next.js App Router patterns.

  • Clear separation between public, auth, and authenticated routes
  • Session bootstrap handled centrally at the layout level
  • Public routes for invite acceptance and onboarding
  • Reusable modal and form components with consistent UX
  • Minimal global state, relying on backend as the source of truth

Backend Architecture

The backend is implemented as an API-only Rails application, focused on correctness, security, and maintainability rather than rapid prototyping.

  • API-only Rails architecture with PostgreSQL
  • Explicit tenant scoping for all domain resources
  • Membership-based role assignment
  • Invite lifecycle management (created, accepted, expired)
  • Clear REST contracts between frontend and backend
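
The invite lifecycle (created, accepted, expired) and the token-based acceptance flow from the onboarding section, shown as an added plain-Ruby example that is not the project's own code: the in-memory store, the InviteService class, the one-week TTL and the 12-character password minimum are assumptions standing in for the Rails model and its validations.

```ruby
require "securerandom"
require "digest"

# Plain-Ruby stand-in for the Rails invite model: an in-memory store keyed by
# the SHA-256 digest of the invite token. Only the digest is persisted, so a
# leaked database row cannot be replayed as a working invite link.
class InviteService
  TTL_SECONDS = 7 * 24 * 60 * 60   # assumption: invites expire one week after creation

  def initialize(clock: -> { Time.now })
    @clock = clock      # injectable so expiry can be exercised deterministically
    @invites = {}       # token digest => invite record (constructed, in-memory)
  end

  # Admin creates an invite for a tenant; returns the raw token that goes into
  # the email link. The raw token is never stored.
  def create(tenant_id:, email:, role:)
    raw = SecureRandom.urlsafe_base64(32)   # 256 bits of entropy, unguessable
    @invites[digest(raw)] = {
      tenant_id: tenant_id, email: email, role: role,
      expires_at: @clock.call + TTL_SECONDS, accepted_at: nil
    }
    raw
  end

  # Lifecycle state: :created, :accepted or :expired.
  def state(invite)
    return :accepted if invite[:accepted_at]
    return :expired  if invite[:expires_at] <= @clock.call
    :created
  end

  # Public acceptance endpoint logic: the user proves possession of the token
  # and sets a password. Returns [:ok, membership] or [:error, reason]; a
  # controller would map every :error to the same generic 4xx response.
  def accept(tenant_id:, raw_token:, password:)
    # Lookup by digest: the raw token is never compared against stored data,
    # and the invite must belong to the tenant named in the URL (tenant scoping).
    invite = @invites[digest(raw_token)]
    return [:error, :invalid] if invite.nil? || invite[:tenant_id] != tenant_id
    return [:error, state(invite)] unless state(invite) == :created
    return [:error, :weak_password] if password.to_s.length < 12
    invite[:accepted_at] = @clock.call      # single use: a replay fails as :accepted
    [:ok, { tenant_id: tenant_id, email: invite[:email], role: invite[:role] }]
  end

  private

  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end
end
```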

Key Challenges & Learnings

  • Designing invite-based onboarding without leaking authentication logic to the frontend
  • Ensuring password setup during invite acceptance aligned with the existing authentication system
  • Avoiding duplicated session state by using a single backend-driven /me endpoint
  • Structuring frontend layouts to cleanly separate public and authenticated flows

Outcome

The final result is a clean, extensible SaaS foundation that demonstrates real-world concerns such as onboarding, access control, and tenant isolation. The system is intentionally scoped to emphasize architectural correctness, clarity of responsibilities, and maintainable frontend-backend contracts.