DEV Community: FrostByte Software NZ The latest articles on DEV Community by FrostByte Software NZ (@frostbyte_nz). https://dev.to/frostbyte_nz https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3761319%2F9b7b5810-0518-4403-a750-f224b2a52664.png DEV Community: FrostByte Software NZ https://dev.to/frostbyte_nz en How We Built a Multi-Tenant SaaS with Next.js 16, Prisma 7, and Auth.js FrostByte Software NZ Mon, 09 Feb 2026 08:23:40 +0000 https://dev.to/frostbyte_nz/how-we-built-a-multi-tenant-saas-with-nextjs-16-prisma-7-and-authjs-57gj https://dev.to/frostbyte_nz/how-we-built-a-multi-tenant-saas-with-nextjs-16-prisma-7-and-authjs-57gj <p>How We Built a Multi-Tenant SaaS with Next.js 16, Prisma 7, and Auth.js</p> <p>We recently shipped <a href="https://frostbytesoftware.co.nz" rel="noopener noreferrer">Frostbyte Pro</a> — an inventory management system for New Zealand businesses. Here's a technical breakdown of the architecture decisions we made and what we learned building a multi-tenant SaaS from scratch.</p> <h2> The Stack </h2> <ul> <li> <strong>Next.js 16</strong> (App Router) + <strong>React 19</strong> + <strong>TypeScript</strong> </li> <li> <strong>PostgreSQL</strong> + <strong>Prisma 7</strong> ORM</li> <li> <strong>Auth.js v5</strong> (NextAuth) with Credentials provider</li> <li> <strong>Stripe</strong> for subscription billing</li> <li> <strong>Vercel</strong> for hosting</li> <li> <strong>shadcn/ui</strong> + <strong>Tailwind CSS v4</strong> for the UI</li> </ul> <h2> Multi-Tenancy: Row-Level Isolation </h2> <p>We chose row-level isolation over schema-per-tenant. Every table that contains business data has an <code>orgId</code> column:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>model Product { id String @id @default(cuid()) orgId String name String sku String // ... org Organization @relation(fields: [orgId], references: [id]) @@unique([orgId, sku]) @@map("products") } </code></pre> </div> <p>The key to making this work safely is a single function that every query flows through:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// server/queries/helpers.ts</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getAuthenticatedContext</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">auth</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">session</span><span class="p">?.</span><span class="nx">user</span><span class="p">?.</span><span class="nx">id</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Unauthorized</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">membership</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">orgMember</span><span class="p">.</span><span class="nf">findFirst</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">isActive</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">membership</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">No active membership</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">orgId</span><span class="p">:</span> <span class="nx">membership</span><span class="p">.</span><span class="nx">orgId</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="nx">membership</span><span class="p">.</span><span class="nx">role</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>Every server action and query starts with <code>const { orgId } = await getAuthenticatedContext()</code>. This makes it impossible to accidentally query another tenant's data.</p> <h2> RBAC: Keep It Simple </h2> <p>We use five roles: Owner &gt; Admin &gt; Manager &gt; Staff &gt; Viewer. Rather than complex permission trees, we use a simple numeric hierarchy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">ROLE_HIERARCHY</span> <span class="o">=</span> <span class="p">{</span> <span class="na">VIEWER</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">STAFF</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">MANAGER</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="na">ADMIN</span><span class="p">:</span> <span class="mi">4</span><span class="p">,</span> <span class="na">OWNER</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">hasPermission</span><span class="p">(</span><span class="nx">userRole</span><span class="p">:</span> <span class="nx">Role</span><span class="p">,</span> <span class="nx">required</span><span class="p">:</span> <span class="nx">Role</span><span class="p">):</span> <span class="nx">boolean</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">ROLE_HIERARCHY</span><span class="p">[</span><span class="nx">userRole</span><span class="p">]</span> <span class="o">&gt;=</span> <span class="nx">ROLE_HIERARCHY</span><span class="p">[</span><span class="nx">required</span><span class="p">];</span> <span class="p">}</span> </code></pre> </div> <p>This covers 95% of use cases. A Manager can do everything a Staff member can, plus more. Simple to reason about, simple to implement.</p> <h2> Server Actions for Everything </h2> <p>We use Next.js Server Actions for all mutations. No API routes for internal operations. The pattern is consistent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="dl">"</span><span class="s2">use server</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">createProduct</span><span class="p">(</span><span class="nx">data</span><span class="p">:</span> <span class="nx">ProductFormData</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">orgId</span><span class="p">,</span> <span class="nx">role</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getAuthenticatedContext</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">hasPermission</span><span class="p">(</span><span class="nx">role</span><span class="p">,</span> <span class="dl">"</span><span class="s2">MANAGER</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Insufficient permissions</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Validate with Zod</span> <span class="kd">const</span> <span class="nx">parsed</span> <span class="o">=</span> <span class="nx">createProductSchema</span><span class="p">.</span><span class="nf">safeParse</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">parsed</span><span class="p">.</span><span class="nx">success</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="nx">parsed</span><span class="p">.</span><span class="nx">error</span><span class="p">.</span><span class="nx">issues</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">message</span> <span class="p">};</span> <span class="p">}</span> <span class="c1">// Create with orgId automatically scoped</span> <span class="kd">const</span> <span class="nx">product</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">product</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">parsed</span><span class="p">.</span><span class="nx">data</span><span class="p">,</span> <span class="nx">orgId</span> <span class="p">},</span> <span class="p">});</span> <span class="nf">revalidatePath</span><span class="p">(</span><span class="dl">"</span><span class="s2">/products</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="nx">product</span><span class="p">.</span><span class="nx">id</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>Server Components fetch data. Server Actions mutate it. No client-side API calls for business logic.</p> <h2> Stock Operations: Transactions Are Non-Negotiable </h2> <p>Inventory operations must be atomic. When you receive a purchase order, you need to:</p> <ol> <li>Update the PO status</li> <li>Create stock entries for each line item</li> <li>Update product quantities</li> <li>Log an audit trail entry</li> </ol> <p>If step 3 fails, you can't have step 1 already committed. Everything goes through <code>prisma.$transaction()</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nf">$transaction</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">tx</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">tx</span><span class="p">.</span><span class="nx">purchaseOrder</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="p">...</span> <span class="p">});</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">line</span> <span class="k">of</span> <span class="nx">lines</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">tx</span><span class="p">.</span><span class="nx">stockEntry</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="p">...</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">tx</span><span class="p">.</span><span class="nx">product</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">line</span><span class="p">.</span><span class="nx">productId</span> <span class="p">},</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">totalQty</span><span class="p">:</span> <span class="p">{</span> <span class="na">increment</span><span class="p">:</span> <span class="nx">line</span><span class="p">.</span><span class="nx">quantity</span> <span class="p">}</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> <span class="k">await</span> <span class="nx">tx</span><span class="p">.</span><span class="nx">auditLog</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="p">...</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h2> Trial Licensing + Stripe </h2> <p>New users get a 14-day free trial with no credit card. The license check happens in the Auth.js <code>authorize()</code> callback — before a session is even created:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">authorize</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">credentials</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// ... verify password ...</span> <span class="kd">const</span> <span class="nx">membership</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">orgMember</span><span class="p">.</span><span class="nf">findFirst</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span> <span class="p">},</span> <span class="na">include</span><span class="p">:</span> <span class="p">{</span> <span class="na">org</span><span class="p">:</span> <span class="p">{</span> <span class="na">include</span><span class="p">:</span> <span class="p">{</span> <span class="na">license</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">license</span> <span class="o">=</span> <span class="nx">membership</span><span class="p">?.</span><span class="nx">org</span><span class="p">?.</span><span class="nx">license</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">license</span> <span class="o">||</span> <span class="o">!</span><span class="nx">license</span><span class="p">.</span><span class="nx">isActive</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">license</span><span class="p">.</span><span class="nx">expiresAt</span> <span class="o">&amp;&amp;</span> <span class="nx">license</span><span class="p">.</span><span class="nx">expiresAt</span> <span class="o">&lt;</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">())</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="k">return</span> <span class="nx">user</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>When the trial expires, users can't log in. They're redirected to a Stripe Checkout page. A webhook activates their license on successful payment.</p> <h2> What We'd Do Differently </h2> <ol> <li><p><strong>Start with a monorepo.</strong> As the app grew, having a single <code>src/</code> directory got unwieldy. A turborepo with separate packages for the marketing site, app, and shared code would have been cleaner.</p></li> <li><p><strong>Use Prisma's connection pooling earlier.</strong> We hit serverless cold start issues before adopting Prisma Accelerate.</p></li> <li><p><strong>Plan the URL structure upfront.</strong> Changing routes after launch is painful with Next.js App Router — every file rename cascades through imports, middleware matchers, and redirect rules.</p></li> </ol> <h2> Try It Out </h2> <p>If you're interested in seeing the end result, <a href="https://frostbytesoftware.co.nz" rel="noopener noreferrer">Frostbyte Pro</a> offers a 14-day free trial. It's a real production system handling inventory for NZ businesses — not a side project.</p> <p>Got questions about the architecture? Drop a comment below.</p> <p><strong>Tags:</strong> #nextjs #prisma #saas #typescript<br> <strong>Platform:</strong> Dev.to</p> architecture nextjs saas showdev