DEV Community: Alex Norman

Collective cyber protection: How customer penetration testing boosts Kinde security

Alex Norman — Fri, 17 Oct 2025 22:21:51 +0000

As an authentication provider, we are the front door for our customer’s product and a critical part of their product access and security. So when a customer conducts penetration testing (pen testing) and security testing, and shares the results with us, we reward their efforts. Especially if their testing helps us improve Kinde for other customers.

Customer pen tests offer diversified use cases

A lot of our customers operate in highly regulated industries, such as healthcare, finance, and local government, which have a variety of compliance and security requirements to protect user and product data. A common requirement for these business types is to conduct a penetration test at least annually. One part that will always be tested is how users authenticate with the product.

While using Kinde’s authentication helps streamline testing for our customers, the varied context of their testing gives us a broad test feedback for different cases. For example, each customer implements different SDKs, stores code differently, and handles the application state in various ways. What occurs post-authentication is also varied, giving us perspectives we might otherwise not have.

Kinde pen tests and vulnerability detection

At Kinde, we perform a pen test at least annually, and do additional random testing when there’s new major functions or features added to our product. In addition to the penetration test, we also perform weekly vulnerability scans, on-demand scans based on recently published vulnerabilities, and run a vulnerability disclosure program. These all help contribute towards securing customer authentication for ourselves and our customers.

You can read a bit more about this on our blog at Fixing vulnerabilities and getting the occasional white hat helper and Using Strike for penetration testing at Kinde.

Rewards for combining our pen testing power

The customers who conduct penetration tests throughout the year and share the results deserve more than just a thank you or a virtual high five. By providing critical test data, these highly reputable security companies and organizations, help keep auth secure for everyone who uses Kinde.

How to give us test feedback

If you’re a Kinde customer and have completed a penetration test where the authentication was in scope, please reach out to our team via support@kinde.com.

We ask for you to provide details on the tests, as well as any additional info to help us recreate your environment (SDK, active auth methods, etc.), if a vulnerability is found. Here’s the process on our side.

A customer provides a shortened or sanitised version of a pen test report showing evidence of Kinde’s authentication flows being tested and validated.
The Kinde team analyse and validate, and if vulnerabilities were found, offer quick remediation to address security concerns.
Any advice or remediation we provide can then be included in your final testing reports.

Kinde credits for a copy of the report

In return for a sanitised or truncated copy of the penetration test report, we offer credits to your Kinde account. We don’t want the full report since it likely contains intellectual property and sensitive data.

💵	A credit for one month of your base plan will be applied to your account	💵

A credit for one month of your base plan will be applied to your account. So the Pro plan will be $25, Plus plan $75, and Scale and Enterprise plans $250. We will still apply credits for a penetration test report even if there weren’t any actual findings related to Kinde, just as long as the authentication is in the scope.

Maybe some swag too

If the penetration test finds any vulnerabilities that could impact the security of our authentication, we will send the testing company some swag and list them on our Security wall of fame.

Credits and swag are solely at the discretion of the Kinde team. We will only credit one test per year.

Everyone wins from collective cybersecurity

Cybersecurity works best when everyone’s working together. That’s why we openly recognize the customers who contributes to the overall security of Kinde.

If you’re new to Kinde, check out our starter kits and SDKs to get off the ground quickly.

For advice and feedback, join one of our public communities or search for answers in our documentation. Or if you have bigger questions, book a demo with one of our amazing team members.

Kinde in 60 seconds (ish): Billing

Alex Norman — Mon, 01 Sep 2025 04:52:08 +0000

Billing without building it yourself.

Kinde billing is a fully integrated feature with the existing authentication platform that allows developers to manage payments and subscriptions for their SaaS products. Simplify the process by handling a variety of billing models, including both flat-rate and usage-based plans, and provide a hosted customer portal for users to manage their own subscriptions.

In just 60 seconds (ish), you’ll see how you can:

Create pricing plans
Gate features with entitlements
Handle upgrades, downgrades, and cancellations
Let users manage their subscriptions via the self-serve portal

It’s everything you need to go from idea to revenue, fully integrated with your authentication flow.

It Kinde of works: Part 2 of many

Alex Norman — Thu, 28 Aug 2025 21:23:57 +0000

The Kinde of posts are to highlight how Kinde's authentication can be used in fun and unproductive ways. This series will step through things like using our starter kits, workflows, properties, feature flags, custom UI, and a bunch of other features. The demo website has no real purpose, but we're going to try and get you to like and subscribe to our the company's LinkedIn profile amongst other things.

This is not a reflection of Kinde and is strictly a fun side project.

Please comment if there's any parts of Kinde you would like us to bash out or feedback on how to make this demo site more unusable.

Kinde of

Go to the site Kinde of to see the latest iteration, which may have already evolved from the time you've read this post :)

Here's a quick video taken at the time of this post.

Kinde features used

We leaned almost entirely on Kinde's custom UI with a custom auth domain to create this amazing iteration of our Kinde of masterpiece.

If you want to try fully customising the auth pages yourself, please refer to the custom UI documentation. We also have some open source starter kits with custom UI examples to help give you some inspiration.

One of our excellent engineers, Peter, also put together a Youtube video setting up a custom UI with one of our open source starter kits.

Demo highlights

This round has been focused on making an auth page mega game with a retro console homepage glow up, leaving the post-auth page with the blissful look.

The original intention was to use a wheel of fortune type wheel spinner where the selected box would be the auth you were forced to use. Maybe next time :)

But while hunting for Windows XP inspiration, we came across the classic Minesweeper game. But because this is a full auth mode implementation, our version will be called Kindesweeper.

The initial game is mostly working and requires you to find the auth method. Clicking on the emoji will reset the board and make you start again. Other UI elements like the minimise, maximise, and close buttons look nice, but do nothing.

We've also done a full restyling of the Google, Facebook and email OTP buttons to fit our Kindesweeper theme.

Who knows what's next?

Total cost of B2B CIAM: A small enterprise case study in 2025

Alex Norman — Thu, 28 Aug 2025 00:03:00 +0000

In the B2B CIAM (Customer Identity and Access Management) space, it can be hard to compare the full cost of technology choices before you invest. You need to measure them side by side.

This article explains how Kinde offers the best value for money compared to WorkOS using a common scenario to compare the two.

Scenario: Your company sells a B2B product to 150 organisations where most of the customers require single sign on (SSO) to their own enterprise directory for roughly 10,000 users total.

Let’s compare Kinde and WorkOS.

Kinde is best value with the right B2B features built-in

Kinde offers a clear and scalable B2B pricing model, which charges for monthly active users (MAU) and monthly active organizations (MAO). With this model, you only pay for the users and organizations that authenticate within your billing month. Enterprise connections to the customer's identity provider (IdP) are free, so go ahead and make as many as you need to suit their identity and security requirements. See Kinde's pricing page for more details.

Kinde price calculation

150 Organizations (50 included, 100 = $43.00 MAO)
75 Enterprise connections (included)
10k users (included)
Custom domain (included)

Kinde Scale plan for $250 per month + $43.00

A significant feature of the Kinde Scale plan is that enterprise connections are included at no additional cost, regardless of the number of connections.It is also important to note that a custom domain, which is crucial for brand consistency, is also included in all paid plans at no additional cost.

Total cost of Kinde $293.00 USD per month

Extras features on the Kinde plan

Kinde Scale plan base price also includes additional B2B features.

Comprehensive design customizations with a custom domain, custom sign in pages, and custom designs via code to ensure that the entire experience in on brand.
Customize auth tokens, enrich the auth flow with data from third party providers, or provide custom logic using workflows.

WorkOS is a strong platform with enterprise pricing

A prominent competitor in the B2B CIAM space, WorkOS, offers a different pricing structure, primarily focusing on charging for enterprise connections.

Their pricing for Single Sign-On Enterprise SAML & OIDC authentication with any identity provider is volume-based, with the cost per connection decreasing as the number of connections increases. See WorkOS's pricing page for more details.

WorkOS price calculation

150 Organizations (Included)
75 Enterprise connections ($88.00 each)
10k users (included)
Custom domain ($99.00)

For a company with 75 enterprise connections, the price is $88 per connection per month including their volume discount for usage. This means users are paying a premium for each connection per month, plus a fee for a custom domain to align with your brand.

The total monthly price for WorkOS is $6,699.00 USD.

Price summary Kinde and WorkOS

To provide a clear overview, the table below summarizes the monthly costs for both providers based on the needs of a small enterprise with 150 customer organizations and 75 enterprise connections.

Feature	Kinde	WorkOS
Cost for 150 Customer Orgs (MAO)	$293.00	$0.00
Cost for 75 Enterprise Connections	$0.00	$6,600
Custom Domain	$0.00	$99.00
Total Monthly Cost	$293.00	$6,699.00

Conclusion

The choice between these two pricing models highlights a key difference in pricing philosophy.

Kinde's platform approach bundles key B2B identity features into a single solution, with pricing that scales based on organizations and users.

In contrast, WorkOS's model segments services, leading to a much higher cost as more enterprise features are added. For a small enterprise working in the B2B space, the significant cost difference could be a decisive factor in selecting a CIAM solution that not only meets their technical requirements but also aligns with their budget.

Get started now. Boost security, drive conversion and save money in just a few minutes with Kinde.

Start for Free - Watch a demo

Kinde in 90 seconds: Customer auth self-serve portal

Alex Norman — Wed, 27 Aug 2025 00:37:55 +0000

Kinde’s self-serve portal feature gives your business customers and end-users the power to manage their own account within your app. This includes being able to update basic account details, change plans and payment methods, manage team roles, activate SSO connections, manage API Keys and more.

You can let end users (B2C) or org users (B2B) manage their own details, giving them a better product experience, and saving you time.

No need to contact you to update info, they can do it themselves. Save hours of support time.

Flick a few switches and generate a link to get started.

Here's a 90 second overview about Kinde's streamlined customer self-serve portal.

Check out our docs Enable self-serve portal for orgs

2025 Best Auth Providers: Top 5 Compared

Alex Norman — Tue, 26 Aug 2025 00:22:02 +0000

The best authentication provider for most development teams in 2025 is Kinde. It combines enterprise-grade security with developer-friendly implementation, offering complete auth flows, organizational features like teams and RBAC, plus built-in billing and feature flags. While Auth0 remains popular for enterprises needing extensive customization, and Clerk excels at modern developer experience, Kinde delivers the most balanced solution for teams that need production-ready auth without months of integration work.

TLDR Summary

Aspect	Details
Top pick	Kinde - Complete auth plus essential features in one platform
Best for	Development teams needing auth, user management, and monetization
Standout reason	Ships with organizations, RBAC, feature flags, and billing built-in

Top picks at a glance

Tool	Best for	Core features	Developer Experience	Ideal team size	Compliance
Kinde	Teams wanting complete auth stack	SSO, MFA, orgs, RBAC, feature flags, billing	22+ SDKs, 5-min setup, type-safe APIs	1-500 developers	SOC 2 Type II, GDPR, ISO 27001
Auth0	Large enterprises with complex requirements	Universal login, anomaly detection, extensive rules	Mature SDKs, extensive docs	50+ developers	SOC 2, HIPAA, FedRAMP
Clerk	Modern web apps prioritizing UX	Beautiful components, session management	React-first, great DX	1-20 developers	SOC 2 Type II
Firebase Auth	Mobile and web apps in Google ecosystem	Social logins, phone auth, anonymous users	Tight Google integration	1-100 developers	Google Cloud compliance
Supabase Auth	Open-source projects and PostgreSQL users	Row-level security, magic links	PostgreSQL integration, self-hostable	1-50 developers	SOC 2 Type II

Kinde: the best overall for development teams

Why it leads

Kinde stands out by solving the complete authentication puzzle that modern applications face. Instead of just handling login flows, it ships with the organizational structures, permission systems, and monetization tools that products actually need. You get production-ready auth in minutes, not months.

Best for

CTOs and engineering teams building modern applications who want to ship features instead of building authentication infrastructure. Particularly strong for teams that need organizations, role-based access, and subscription management from day one.

Standout features

Kinde includes capabilities that typically require multiple vendors or custom development. Organizations and multi-tenancy work out of the box. RBAC with custom roles and permissions scales from simple to complex without code changes. Feature flags integrate directly with your auth context, enabling user-specific rollouts. The billing engine handles subscriptions, usage tracking, and entitlements without additional services.

Built-in passwordless and Social SSO reduce friction for end users. Machine-to-machine tokens support service integrations.

Developer experience

Setup takes under 5 minutes for basic auth, with production-ready flows including MFA and social logins. The SDK collection covers 22+ languages and frameworks. APIs follow REST principles with predictable responses and comprehensive error messages.

Webhooks deliver auth events reliably with automatic retries. The admin API enables full automation of user and organization management. Live environments help test auth flows without affecting production.

Pricing approach

Transparent pricing starts free for up to 10,500 monthly active users. The free tier includes all core features: organizations, custom domains, and standard support. Paid plans scale predictably based on MAU with no surprise overages. Enterprise agreements offer custom rates and SLAs.

Quick start

Get started with Kinde in minutes. Create your account, choose your SDK, and implement production auth today. [link]

Other strong options

Auth0: Enterprise customization champion

Auth0 remains the authentication heavyweight for enterprises needing maximum flexibility. The platform handles complex scenarios through its Rules engine and extensive customization options.

Best for: Large enterprises with dedicated identity teams and complex compliance requirements.

Core features: Universal Login provides consistent auth across applications. Anomaly detection blocks suspicious activity automatically. The Rules pipeline enables custom logic at any authentication stage. Extensive protocol support covers SAML, WS-Fed, and legacy systems.

Pros:

Market leader with proven scale
Extensive third-party integrations
Comprehensive documentation
Global infrastructure

Cons:

Pricing complexity increases with scale
Steep learning curve for advanced features
Implementation typically takes weeks
Support varies by pricing tier

What to watch: Auth0's acquisition by Okta brought enterprise capabilities but also enterprise complexity. Teams report frustration with opaque pricing and the time required to implement seemingly simple features.

Clerk: Modern developer experience leader

Clerk reimagines authentication with beautiful, customizable components that developers actually enjoy implementing. The platform emphasizes developer experience and modern web standards.

Best for: Frontend teams building consumer applications where authentication UX matters most.

Core features: Pre-built React components handle complete auth flows. Session management works seamlessly across devices. User profiles include metadata and custom attributes. The dashboard provides clear user insights.

Pros:

Stunning default UI components
Exceptional developer documentation
Fast implementation for React apps
Modern, intuitive API design

Cons:

Limited organizational features
Higher starting price point
React-focused ecosystem
Missing advanced enterprise features

What to watch: Clerk excels at consumer authentication but lacks depth for complex organizational scenarios. Teams needing organizations, RBAC, or enterprise SSO should evaluate carefully.

Firebase Auth: Google ecosystem integration

Firebase Authentication leverages Google's infrastructure to provide reliable auth for mobile and web applications. Deep integration with other Firebase services creates a cohesive development platform.

Best for: Teams already using Firebase or Google Cloud services who need straightforward authentication.

Core features: Social provider integration covers all major platforms. Phone authentication works globally with SMS verification. Anonymous auth enables try-before-signup flows. Custom tokens support server-side authentication.

Pros:

Generous free tier to 50K MAU
Reliable Google infrastructure
Excellent mobile SDKs
Simple integration with Firebase services

Cons:

Vendor lock-in to Google ecosystem
Limited organizational features
Basic customization options
No self-hosting option

What to watch: Firebase Auth works well for simple authentication needs but lacks features for complex organizational scenarios. Migration away from Firebase requires significant effort.

Supabase Auth: Open-source PostgreSQL integration

Supabase Auth brings authentication directly to your database with PostgreSQL row-level security. The open-source approach enables self-hosting and complete control.

Best for: Teams comfortable with PostgreSQL who want auth integrated with their database.

Core features: Row-level security policies enforce permissions at the database. Magic links provide passwordless authentication. Social logins cover major providers. JWT tokens work with existing infrastructure.

Pros:

Open source with self-hosting option
Tight PostgreSQL integration
Transparent pricing model
Active community support

Cons:

Requires PostgreSQL expertise
Limited enterprise features
Smaller ecosystem than alternatives
Documentation assumes database knowledge

What to watch: Supabase Auth shines for teams that understand PostgreSQL and want database-integrated auth. The learning curve steepens quickly for complex permission models.

How to choose the right authentication provider

Decision checklist

Technical requirements:

Which SDKs and frameworks does your team use?
Do you need SSO protocols like SAML or OIDC?
Will you implement passwordless or biometric auth?
Do you require machine-to-machine authentication?
Is self-hosting or on-premise deployment necessary?

Organizational capabilities:

Do users belong to organizations or teams?
Will you implement role-based access control?
Do enterprise customers need SCIM provisioning?
Are audit logs and compliance reports required?
Will you need custom branding per organization?

Scale and performance:

How many monthly active users do you expect?
What latency requirements exist for auth operations?
Do you need multi-region deployment?
What uptime SLA do customers require?
How will auth scale with your application?

Developer experience:

How quickly must auth be implemented?
What level of customization is needed?
Does your team have identity expertise?
How important is documentation quality?
What support response time do you need?

Commercial considerations:

What's your budget for authentication?
How predictable must costs be at scale?
Do you need transparent pricing?
Are enterprise agreements required?
What payment methods are accepted?

Methodology

We evaluated authentication providers based on real implementation experience and customer feedback. Assessment criteria included time to production, feature completeness, developer experience, scalability, pricing transparency, and customer support quality. We prioritized solutions that solve actual application challenges rather than theoretical capabilities. Providers were tested with common scenarios including user signup, organization creation, permission management, and enterprise SSO configuration.

Originally published on the Kinde blog.

Use Cursor AI to design Kinde auth UX

Alex Norman — Wed, 20 Aug 2025 10:11:09 +0000

Kinde's prodigious product manager, Oli @oliwolff1, has created a demo using Cursor to help him customise the user auth pages with his own styling.

Hosted pages

Out of the box, Kinde gives you a hosted authentication page for maximum security and minimum fuss. Everything for a straight forward and seamless auth experience is ready to go. For those of you who want to fully customise the auth pages, Kinde supports the ability to bring your own code and styles to the auth pages, which is known as custom UI.

Custom UI

You can find more information about custom UI on Kinde's documentation site at Customize designs with code.

Check out Oli's video.

Re-create it yourself

Everything done with Oli's demo can be found online publicly and can be done for free.

Create a Kinde business

One of our amazing engineers Peter has a video How to deploy a Kinde Next.js app with Vercel that would be a great place to start, which uses the Next.js app router starter kit.

Custom UI template

The template he used in the video demo can be found on Kinde's starter kits at custom-ui-splitscape.

Sign in page

Grab the image from the sign in page used in the demo. Or you want to live on the wild side, grab an image from another nice looking sign in page.

Prompt used in Cursor

And here's the prompt used in the video.

Using the Kinde custom page template and [Kinde official docs](https://docs.kinde.com), I want to update the Kinde login page with the following details:
- Use the attached image as inspiration for updating the login page
- only show email field (no password field or social connections)
- remove all logos

Requirements:
- Use Kinde's CSS custom properties system (--kinde-* variables)
- All inline styles with nonce={getKindeNonce()}
- Use valid hex color values for Kinde properties
- Style only the appearance, not the functionality

Summary

This quick video just goes to show how easy it is to setup your own look and feel to the authentication flow of your web app. Reach out the team at one of our support communities if you have any questions.

It Kinde of works: Part 1 of many

Alex Norman — Mon, 18 Aug 2025 23:41:51 +0000

This is not a reflection of Kinde and is strictly a fun side project.

Please comment if there's any parts of Kinde you would like us to bash out or feedback on how to make this demo site more unusable.

Kinde of

Go to the site Kinde of to see the latest iteration, which may have already evolved from the time you've read this post :)

Here's a quick video of the simple login process now. It'll get a lot crazier as we stack more features on it.

Tech used

The initial site uses Kinde's Next.js app router starter kit, which has auth pre-built into it. More info can be found on the Next.js App Router SDK documentation. One of our team members Peter also put together a tutorial playing around with this SDK in his Build an app with Next.js, Kinde and shadcn in 20 minutes video.

For the deployment and hosting side of things, we used Vercel since it was nice and easy.

Kinde features used

Kinde's Next.js app router starter kit and then basically nothing else :) We deployed an empty site, turned on a few authentication options and then just left it vanilla.

Demo highlights

I don't know who came up with the idea, but a decision to use Windows XP styling across the board won out. First up is the classic bliss background for the homepage and an XP desktop layout on the dashboard.

The forced LinkedIn page visit feels a bit malicious with the pop up, so we might reconsider that one in future editions.

While this first pass has put together the foundation, the next few posts will start utilising features for good.

Mixed auth set up with Kinde for B2B and B2C

Alex Norman — Wed, 13 Aug 2025 12:49:54 +0000

If you have an app or site that supports a mix of business customers and direct customers, this guide shows you how to set up authentication in Kinde to meet both these needs.

For example, say you run a finance business and you have separate sign-ins for accounting business partners and direct customers. Accounting businesses sign in with an enterprise identity, e.g. SAML and direct customers sign in with email and an OTP.

This topic explains how to create a simple, unified experience for both groups.

You’ll need the Kinde Scale plan

To set up authentication for a mixed B2B and B2C business that includes multiple enterprise connections, you need to be on the Kinde Scale plan. This is the only Kinde plan that gives you access to the features you need:

Multiple enterprise connections (e.g. SAML)
Advanced organizations - for managing users and access for business customers

You get 5 enterprise connections and 5 advanced organizations included with Kinde Scale. You can add more, but costs apply.

How to build a unified sign-in experience

A unified experience is where everyone signs in through the same sign in screen, and they are routed to the relevant workflow for authentication.

This simplifies the sign in experience for all your users, including your enterprise connections.

Example of a unified authentication experience

This is what happens behind the scenes with the auth setup.

Step 1: Set up auth for your B2C users

In this scenario, your direct customers will sign in with email and a one-time-passcode (OTP). To set this up:

Step 2: Set up auth for your B2B users

Authentication for business customers can be more complex, with additional security considerations and set up time involved. For example, a partner business may require employees to only access your web app using their business email and for authentication to be centralised with their own identity provider via SAML.

Let’s go through the process for setting up 5 SAML enterprise connections for 5 different business customers.

Add 5 separate enterprise connections to Kinde. E.g. EC1, EC2, EC3, and so on.
1. Configure each connection with the domain information, including email domains in the home realm discovery field. You may need to ask the customer’s IT team for this information.
2. (Recommended) Switch on the Create user on sign up option to enable JIT provisioning.
Create 5 organizations, one for each business customer (and connection), and select only the relevant enterprise connection for each organization.

For example:

In each organization:
1. Go to Policies and add the relevant domain to the Allowed domains field.
2. Select Auto-add users from allowed domains. This activates JIT provisioning for users signing up from this domain.
3. Select Save.

With home realm discovery and allowed domains set, when a user enters an email that matches the domain name they will be routed through that enterprise connection. There is no need for them to self-select which connection they belong to.

Step 3: Enable authentication for your application

To achieve the above scenario, all the supported sign-in methods need to be switched on in your application. For example, switch on Email + code, EC1, EC2, EC3, EC4, and EC5.

Optimize your auth flow

This unified model of authentication can be extended to 10’s or 100’s of organizations, all while maintaining the same sign in screen.

Other situations you can cater for include:

Adding MFA for an organization's users
Adding other enterprise connections (e.g. Google Workspace or Microsoft Entra ID)
Auto-assigning user roles

Get started with Kinde now - Boost security, drive conversion and save money in just a few minutes.

Start for free - Watch a demo

What is AWS Aurora Serverless v2 and why we didn't use it

Alex Norman — Mon, 11 Aug 2025 03:38:38 +0000

We’re a big user of RDS Aurora from AWS to run our production workloads because it doesn’t require much infrastructure maintenance and feels like a very durable platform. If you run databases or are using RDS in AWS, then you’ve probably heard of AWS’s Aurora Serverless v2. In this article, I’m going to touch on what Aurora is, how Aurora Serverless v2 can help with your dynamic loads, and ultimately why we didn’t use it for our product.

What is Aurora

Ripped straight from the AWS docs:

Amazon Aurora (Aurora) is a fully managed relational database engine that's compatible with MySQL and PostgreSQL

What is Aurora Serverless v2

Ripped straight from the AWS docs:

Aurora Serverless v2 is an on-demand, autoscaling configuration for Amazon Aurora. Aurora Serverless v2 helps to automate the processes of monitoring the workload and adjusting the capacity for your databases.

I’m being very specific about what “v2” is because it’s a huge improvement over the product’s v1. So much so that even their own documentation is very clear in that they are 2 different things.

What problem were we trying to solve

Our product is heavy on the server side, which means quite a lot goes through the database. You can read more about it on a blog post Why is Kinde built the way it is?.

Keeping on top of database performance and scaling is critical. When an unexpected event occurs, such as a large customer migrating their entire user base in a weekend or being on the receiving end of a DDoS, our infrastructure needs to meet those needs. The default model for RDS Aurora is to provision on-demand instances with a fixed amount of vCPU and memory based on your requirements. You would have an instance size that is larger than your baseline so that unexpected events can be absorbed. If something too large was coming over the hill, then you'd have to provision a larger instance and then fail over to it. This all sounds quite inefficient.

Enter Aurora Serverless v2. Instead of provisioning based on a static vCPU and memory size, you now set a minimum and maximum threshold of those resources. Aurora Serverless v2 is calculated with ACUs, which stand for Aurora Capacity Unit.

1 ACU has approximately 2 GiB of memory with corresponding CPU and networking, similar to that used in Aurora provisioned instances.

Using this model, we would only need to set a practical minimum and then set a maximum so that our bill doesn't explode.

Setup

We have a synthetics testing system that's used to measure latency for a typical username and password authentication session. This can also be used to measure overall performance of the serverless cluster to learn a bit more about how our product is impacted by the dynamic changes.

For this test, we're going big since smaller tests all worked really well. We really want to stress this out. Initially we'd provision a big ole db.r8g.8xlarge on-demand instance, then hit it with an extremely large load that is fairly representative of a production baseline. For the serverless, we set a minimum of 64 ACUs and a maximum of 128 ACUs. With the serverless instance as the reader, it would have a chance to warm up by itself. Once things looked to have settled down, we would failover the cluster so that the serverless instance became the writer. Crunch time.

Testing good

So how did it go? So so.

Functionally everything worked as advertised. It was quite cool to see the ACUs automatically adjust based on the load and how it would ebb and flow depending on extra jobs we would add to the database.

The instance failed over at the same speed as we're used to with a pair of on-demand instances, we experienced no timeouts due to memory pressure, and the ACU scaling could be seen as the database load changed.

You can see the scaling kicked off when the instance was provisioned with this ACU chart.

And once the workload settled down after the failover, it landed on about 80 ACUs.

One part that was surprising to us was the time it took to provision the ACUs.

It took 15 minutes to provision 90 ACUs

For some reason I was expecting to scale up much faster.

Testing bad

What was even more surprising was the poor performance of the cluster once the scaling had settled down after the failover. Everything was a bit slower. The next graph shows the response latency for our synthetics monitoring in milliseconds. While the total transaction is still quite fast, it's noticeably across the board.

Not only is the latency baseline slower, it also seems more susceptible to small spikes. This is like moving from SSDs back to those hybrid magnetic HDDs.

Our baseline was running on an r8g on-demand instance, which is the latest generation available to RDS. I have no proof of this, but I suspect that Aurora Serverless v2 is re-using older hardware, basically giving AWS a longer return on investment for the data centre hardware that isn't being used by current customers. Over the years, we've noticed increasingly better performance and more consistent latency when moving from r6g to r7g and then finally to r8g.

Using Aurora Serverless v2 seems like a step in the wrong direction for overall performance. I guess in the grand scheme or things, this will need to be a considered trade off in return for dynamically increasing and reducing resource allocations for a system that is traditionally very static.

Cost

The pricing is a bit predatory too. Let's take this example we just tested. At the time of writing for the AWS us-west-2 Oregon region:

1 ACU = $0.12 per hour

So if we worked out the per hour cost of our serverless baseline:

80 (160GB memory) x $0.12 = $9.6 per hour

And then the price we were paying for the on-demand instance that had sufficient overhead already:

1 db.r8g.8xlarge (256GB memory) = $4.416 per hour

This makes Aurora Serverless v2 over double the cost at the top end of what we provisioned. The 8xlarge is already over-provisioned so that we could handle the occasional spikes.

Why it’s not right for us

In the end, the baseline performance and the costs are too far away from our expectations to consider using Aurora Serverless v2.

The baseline performance really surprised us. I have noticed that AWS don't publish what type of CPUs or the generation of hardware being used. Maybe my older generation hardware conspiracy theory? More likely the extra layers of virtualisation having a performance penalty.

The pricing wasn't too much of a surprise since you already know that the equivalent ACU to on-demand resourcing has a big delta. But the baseline that our instances sat at was a bit surprising since we were hoping that it would settle at something much closer to the minimum allocated due to the over provisioning already done.

I think if we were to use this again in the future, it would be for highly highly highly dynamic workloads where the instance could effectively be dropped down to 4 ACUs and then scale up automatically to something like 128 for the necessary period of time. That would likely save a lot compared to keeping a large enough instance available. And also assumes that the database even needs to be online the whole time.

Anyways, pop a message through or a comment if you've had an experience with Aurora Serverless v2. Good or bad.

Adding some AI hints to our documentation

Alex Norman — Thu, 07 Aug 2025 05:47:01 +0000

In the previous post Front up with front matter, I briefly touched on the request of asking AI to offer suggestions to improve SEO and enhance how AI chat bots reference and utilise our documentation.

The next round of updates relate to making it easier for our customers to directly ingest our documentation into their AI chats.

Open with ChatGPT

This one was interesting. I've seen this done before, but it turned out to be less obvious than originally dreamed.

As usual, Cursor provided most of the scaffolding to get a basic integration to send data to OpenAI's ChatGPT. What I didn't bother looking up at the start was whether this can be done and how it would work.

With ChatGPT, you can send through the chat prompt in the URL as a parameter. With the parameter in the URL, you're restricted by some character types, length, and potentially being blocked by WAFs. What ended up working looked like

https://chat.openai.com/?q=Can%20you%20summarize%20this%20page%3A%20https%3A%2F%2Fdocs.kinde.com%2Fget-started%2Fguides%2Ffirst-things-first%2F

This basically opens up ChatGPT and pre-writes the prompt to Can you summarize this page https://docs.kinde.com/get-started/guides/first-things-first/. Now when you chat about the documentation, it'll already have the context pre-loaded.

Open with other LLMs

What I didn't know was that you can't do the URL parameter trick for other LLMs, such as Claude or Gemini. Neither support this type of pre-written prompt. Honestly I'd say that this is a security feature since you could potentially inject malicious information to a prompt via a link.

I asked both Claude and Gemini for their own guidance and was pointed to their APIs and other deeper integrations, which are too time consuming for this exercise. So in the end, only ChatGPT gets a mention.

Copy for AI

The next part is something I've seen in a lot of documentation sites. Here's an example of what Stripe has on their documentation.

The copy for AI button basically takes the content of the page in markdown and copies it to your clipboard. You can then paste it into whatever LLM or AI service you're using. I guess the irony is that you can simply paste the page URL into the AI chat to get the content, so this method might save you a few tokens by not having to browse the internet for the content.

Metrics

And lastly, it's important (more a curiosity) to know if anyone is using these features. We're a big user of Plausible for our web analytics. Plausible supports custom event goals to help track when certain things happen on your site. For both the Open with ChatGPT and Copy for AI buttons, we attached a custom event that's recorded with Plausible. This way we can figure out whether this is a quality of life feature worth expanding or if it dies a slow death here.

Once the custom events are being ingested, you can create dashboard filters for them to see usage.

Summary

As part of the continuing AI-ification for our documentation, I think this is a decent practical example of helping customers and users quickly add context to their existing AI chat sessions. I'm sure there will be more to follow.

Front up with front matter

Alex Norman — Thu, 31 Jul 2025 05:15:40 +0000

We recently went through all our documentation to help make it more visible to search engines and particularly AI scrapers. Ironically the advice given was provided by an AI LLM, so let’s trust that it’s providing the right information. In this post, I’ll dig into front matter and using Cursor to help us update all our documentation.

What is front matter

Front matter is a block of metadata at the top of a document to help describe what’s on the document and how to categorise it. What you put into the front matter is up to you. Some example fields would be title, description, publication date, keywords, and categories. If you’re doing technical documentation, then other helpful fields could include language, sdks, and complexity.

And apparently it's front matter, not frontmatter?

Updating our front matter

The existing front matter we had on our pages looked something like:

---
page_id: 95d9b022-c6a1-43b0-8924-3026c1337012
title: "This cool page"
sidebar:
  order: 2
relatedArticles:
  - f4e916d4-58e6-4e9b-a8d9-aac74cb2631d
  - 86438027-c3b7-47d0-b295-9ec3d541e0b9
app_context:
  - m: user
    s: details
description: "This is an awesome page with tons of epic information"
featured: false
deprecated: false
---

While reviewing our pages, we noticed that a lot of them had a generic description not applicable the page content or were missing a description altogether.

To handle the onslaught of AI agents and LLMs referencing our documentation in conversations, we wanted to make sure it had more context to respond with. Well, this was at least the AI based recommendation provided.

So our new front matter ended up looking like:

---
page_id: 95d9b022-c6a1-43b0-8924-3026c1337012
title: "This cool page"
sidebar:
  order: 2
relatedArticles:
  - f4e916d4-58e6-4e9b-a8d9-aac74cb2631d
  - 86438027-c3b7-47d0-b295-9ec3d541e0b9
app_context:
  - m: user
    s: details
description: "This is an awesome page with tons of epic information."
topics:
  - manage-users
sdk:
  - nodejs
languages:
  - javascript
audience:
  - admins
  - developers
complexity: beginner
keywords:
  - multi-organization
  - user management
  - sign in experience
  - enterprise authentication
updated: 2025-07-29
featured: false
deprecated: false
ai-summary: "This is an awesome page with tons of epic information."
---

With this added block of text, we’ll be providing a lot more goodies for the crawlers to consume. Particularly important to us was the sdk and keywords, which weren’t there before. These will help people find related docs when working with one our SDKs. And of course more keywords is always good.

Mass updates with Cursor

Our documentation site has over 350 pages. Updating each page individually and then populating the related content would be a serious chore. AI and Cursor to the rescue.

The context used in Cursor was:

Here's a sample template of the full front matter needed for all our documentation. I want to update the front matter for all docs in the documentation folder.

Keep the existing page_id, title, sidebar.order, app_context, topics, and relatedArticles. Add the others from the context below.

topics: please use the folder one above in the tree, so in this case it'll be "authenticate"
sdk: if there's mention of an sdk, then include them, otherwise leave it blank
languages: if there's mention of a coding language, then add it, otherwise leave it blank
audience: take your best guess
complexity: make a guess from beginner to expert
keywords: use your judgement based on the article
updated: figure out the commit date for the file
featured: leave as false for all articles
deprecated: leave as false for all articles
ai-summary: create a one line summary used for ai llms to index

This worked remarkably well and provided an easy diff view for each page to quickly eyeball the change. But based on the volume, I ended up doing the Accept All option.

The best part was the analysis of the document to write out the metadata, especially for things like the description, ai-summary, sdk, and keywords. Having the AI agent analyse the document and figure out what to put in there saved a lot of human brain power.

When looking at our Cursor dashboard, I’d guess that preparing and then completing this activity would have used about 10,000 lines of agent edits. Not sure how that converts to requests with Cursor, but I’d wager that at least a few hundred out of the included 500 requests were consumed with this.

One part that didn’t work too well was actually updating every file. I had to run through this a few times since it would seemingly pick random files throughout the structure, but not all of them. It wasn’t an issue through since it’s easy to see all the modified files in the folder structure and then re-prompt Cursor to grab the missed files.

What it looks like on the page

So once deployed, this content gets written to the <head> section of the HTML files. Here's the relevant parts on our Next.js App Router SDK page based on this front matter update.

<meta name="ai-summary" content="Complete guide for Next.js App Router SDK including installation, configuration, middleware setup, route protection, and authentication integration for Next.js 13+ applications."/>
<meta name="keywords" content="Next.js SDK, App Router, Server Side Components, middleware, authentication, route protection, environment variables"/>
<meta name="description" content="Complete guide for Next.js App Router SDK including installation, configuration, middleware setup, route protection, and authentication integration for Next.js 13+ applications."/>
<meta name="sdk" content="nextjs"/>
<meta name="languages" content="javascript, typescript, jsx, tsx"/>
<meta name="audience" content="developers"/>
<meta name="complexity" content="intermediate"/>

I think for a future pass, we'll try to optimise the ai-summary to be something more suitable to the AI LLMs, but this seems good for now.

Using AI in our docs already

We currently have an AI agent built into our docs that powers both the search and chat functions, which uses InKeep under the hood.

When speaking with their team, they said that the AI agent we use won't benefit too much from the extra front matter because they analyse our pages in detail already. The biggest benefit would be breadcrumbs to help provide category context, which we already include on our pages.

In summary

Hopefully these changes will have a positive impact with how search engines and the AI chat bots index our documentation. And to be honest, I don't even know how to measure the performance against these changes, but I guess it's better try something rather than do nothing. Using an AI tool to make the changes definitely saved a ton of time and effort providing the summaries and other contextual information.