DEV Community: Hitesh Prajapati The latest articles on DEV Community by Hitesh Prajapati (@hitesh_prajapati). https://dev.to/hitesh_prajapati https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3828742%2Fa017feb0-4fd2-40aa-aa6a-6062fca70dde.png DEV Community: Hitesh Prajapati https://dev.to/hitesh_prajapati en How I Built a .NET 8 Clean Architecture SaaS Boilerplate (And What I Learned) Hitesh Prajapati Tue, 17 Mar 2026 06:56:49 +0000 https://dev.to/hitesh_prajapati/how-i-built-a-net-8-clean-architecture-saas-boilerplate-and-what-i-learned-2g7i https://dev.to/hitesh_prajapati/how-i-built-a-net-8-clean-architecture-saas-boilerplate-and-what-i-learned-2g7i <p>Every .NET developer eventually faces the same painful moment: you're starting a new SaaS project and you spend the first <strong>3–4 weeks</strong> doing absolutely nothing unique.</p> <p>Authentication. Multi-tenancy. CQRS setup. Repository patterns. JWT. Stripe. Role-based permissions. Logging. Error handling middleware.</p> <p>It's the same scaffolding, over and over again.</p> <p>After going through this cycle one too many times, I decided to build a reusable <strong>.NET 8 Clean Architecture SaaS Boilerplate</strong> — and in this article, I want to walk you through <em>exactly</em> how it's structured, the key decisions I made, and what you can learn from it even if you don't use the boilerplate itself.</p> <h2> Why Clean Architecture for SaaS? </h2> <p>Clean Architecture (popularised by Robert C. Martin) enforces a strict separation of concerns by organising code into concentric layers — each layer only depending on the layer inside it.</p> <p>For a SaaS product, this matters enormously:</p> <ul> <li> <strong>Business logic stays pure</strong> — your core domain doesn't care if you're using SQL Server or PostgreSQL, REST or gRPC</li> <li> <strong>Testability is built-in</strong> — you can unit test use cases without touching infrastructure</li> <li> <strong>Maintainability at scale</strong> — adding a new feature doesn't mean untangling spaghetti</li> </ul> <p>Here's the layer structure I used:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>📁 src/ 📁 Domain/ ← Entities, value objects, domain events 📁 Application/ ← Use cases, CQRS commands/queries, interfaces 📁 Infrastructure/ ← EF Core, JWT, email, external services 📁 WebAPI/ ← Controllers, middleware, DI setup </code></pre> </div> <p><strong>The golden rule:</strong> dependencies always point <em>inward</em>. <code>Infrastructure</code> depends on <code>Application</code>. <code>Application</code> depends on <code>Domain</code>. <code>Domain</code> depends on nothing.</p> <h2> CQRS with MediatR </h2> <p>One of the most impactful patterns in the boilerplate is <strong>CQRS (Command Query Responsibility Segregation)</strong> implemented via <a href="https://github.com/jbogard/MediatR" rel="noopener noreferrer">MediatR</a>.</p> <p>Instead of fat service classes, every operation is a self-contained handler:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="c1">// Command</span> <span class="k">public</span> <span class="k">record</span> <span class="nc">CreateTenantCommand</span><span class="p">(</span><span class="kt">string</span> <span class="n">Name</span><span class="p">,</span> <span class="kt">string</span> <span class="n">AdminEmail</span><span class="p">)</span> <span class="p">:</span> <span class="n">IRequest</span><span class="p">&lt;</span><span class="n">Guid</span><span class="p">&gt;;</span> <span class="c1">// Handler</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">CreateTenantCommandHandler</span> <span class="p">:</span> <span class="n">IRequestHandler</span><span class="p">&lt;</span><span class="n">CreateTenantCommand</span><span class="p">,</span> <span class="n">Guid</span><span class="p">&gt;</span> <span class="p">{</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">IApplicationDbContext</span> <span class="n">_context</span><span class="p">;</span> <span class="k">public</span> <span class="nf">CreateTenantCommandHandler</span><span class="p">(</span><span class="n">IApplicationDbContext</span> <span class="n">context</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="n">_context</span> <span class="p">=</span> <span class="n">context</span><span class="p">;</span> <span class="k">public</span> <span class="k">async</span> <span class="n">Task</span><span class="p">&lt;</span><span class="n">Guid</span><span class="p">&gt;</span> <span class="nf">Handle</span><span class="p">(</span><span class="n">CreateTenantCommand</span> <span class="n">request</span><span class="p">,</span> <span class="n">CancellationToken</span> <span class="n">ct</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">tenant</span> <span class="p">=</span> <span class="n">Tenant</span><span class="p">.</span><span class="nf">Create</span><span class="p">(</span><span class="n">request</span><span class="p">.</span><span class="n">Name</span><span class="p">,</span> <span class="n">request</span><span class="p">.</span><span class="n">AdminEmail</span><span class="p">);</span> <span class="n">_context</span><span class="p">.</span><span class="n">Tenants</span><span class="p">.</span><span class="nf">Add</span><span class="p">(</span><span class="n">tenant</span><span class="p">);</span> <span class="k">await</span> <span class="n">_context</span><span class="p">.</span><span class="nf">SaveChangesAsync</span><span class="p">(</span><span class="n">ct</span><span class="p">);</span> <span class="k">return</span> <span class="n">tenant</span><span class="p">.</span><span class="n">Id</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This gives you:</p> <p>✅ Single Responsibility — each handler does exactly one thing<br><br> ✅ Easy to test — just inject a mock <code>IApplicationDbContext</code><br><br> ✅ Pipeline behaviours for cross-cutting concerns (logging, validation, caching)</p> <h2> Multi-Tenancy Architecture </h2> <p>Multi-tenancy is the heart of any SaaS product and usually the most complex part to get right. The boilerplate supports a <strong>shared database with tenant isolation</strong> using a <code>TenantId</code> column on every tenant-scoped entity.</p> <p>The tenant is resolved from the JWT token on every request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="k">class</span> <span class="nc">TenantService</span> <span class="p">:</span> <span class="n">ITenantService</span> <span class="p">{</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">IHttpContextAccessor</span> <span class="n">_httpContextAccessor</span><span class="p">;</span> <span class="k">public</span> <span class="nf">TenantService</span><span class="p">(</span><span class="n">IHttpContextAccessor</span> <span class="n">accessor</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="n">_httpContextAccessor</span> <span class="p">=</span> <span class="n">accessor</span><span class="p">;</span> <span class="k">public</span> <span class="n">Guid</span> <span class="nf">GetCurrentTenantId</span><span class="p">()</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">claim</span> <span class="p">=</span> <span class="n">_httpContextAccessor</span><span class="p">.</span><span class="n">HttpContext</span><span class="p">?</span> <span class="p">.</span><span class="n">User</span><span class="p">.</span><span class="nf">FindFirst</span><span class="p">(</span><span class="s">"tenant_id"</span><span class="p">);</span> <span class="k">return</span> <span class="n">Guid</span><span class="p">.</span><span class="nf">Parse</span><span class="p">(</span><span class="n">claim</span><span class="p">?.</span><span class="n">Value</span> <span class="p">??</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">UnauthorizedAccessException</span><span class="p">());</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>And the <code>ApplicationDbContext</code> automatically filters by tenant using <strong>EF Core Global Query Filters</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">protected</span> <span class="k">override</span> <span class="k">void</span> <span class="nf">OnModelCreating</span><span class="p">(</span><span class="n">ModelBuilder</span> <span class="n">builder</span><span class="p">)</span> <span class="p">{</span> <span class="k">foreach</span> <span class="p">(</span><span class="kt">var</span> <span class="n">entityType</span> <span class="k">in</span> <span class="n">builder</span><span class="p">.</span><span class="n">Model</span><span class="p">.</span><span class="nf">GetEntityTypes</span><span class="p">())</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="k">typeof</span><span class="p">(</span><span class="n">ITenantEntity</span><span class="p">).</span><span class="nf">IsAssignableFrom</span><span class="p">(</span><span class="n">entityType</span><span class="p">.</span><span class="n">ClrType</span><span class="p">))</span> <span class="p">{</span> <span class="n">builder</span><span class="p">.</span><span class="nf">Entity</span><span class="p">(</span><span class="n">entityType</span><span class="p">.</span><span class="n">ClrType</span><span class="p">)</span> <span class="p">.</span><span class="nf">HasQueryFilter</span><span class="p">(</span><span class="nf">BuildTenantFilter</span><span class="p">(</span><span class="n">entityType</span><span class="p">.</span><span class="n">ClrType</span><span class="p">));</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Every <code>DbSet</code> query is now automatically scoped to the current tenant. No risk of data leaking between customers.</p> <h2> Authentication &amp; JWT </h2> <p>The boilerplate uses <strong>ASP.NET Core Identity + JWT Bearer tokens</strong> for stateless authentication — perfect for API-first SaaS apps.</p> <p>A few things I did differently from the typical tutorial approach:</p> <h3> 1. Refresh tokens stored in the database </h3> <p>Access tokens are short-lived (15 minutes). Refresh tokens are stored in the <code>UserTokens</code> table and rotated on every use, protecting against token theft.</p> <h3> 2. Claims-based permissions (not just roles) </h3> <p>Instead of checking <code>[Authorize(Roles = "Admin")]</code>, permissions are granular claims:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="p">[</span><span class="nf">Authorize</span><span class="p">(</span><span class="n">Policy</span> <span class="p">=</span> <span class="s">"CanManageUsers"</span><span class="p">)]</span> <span class="p">[</span><span class="nf">HttpDelete</span><span class="p">(</span><span class="s">"users/{id}"</span><span class="p">)]</span> <span class="k">public</span> <span class="k">async</span> <span class="n">Task</span><span class="p">&lt;</span><span class="n">IActionResult</span><span class="p">&gt;</span> <span class="nf">DeleteUser</span><span class="p">(</span><span class="n">Guid</span> <span class="n">id</span><span class="p">)</span> <span class="p">{</span> <span class="p">...</span> <span class="p">}</span> </code></pre> </div> <p>This lets you give a user specific permissions without promoting them to a full admin role — critical in multi-tenant SaaS where tenant admins manage their own users.</p> <h3> 3. Tenant claims in the token </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"user-guid"</span><span class="p">,</span><span class="w"> </span><span class="nl">"tenant_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tenant-guid"</span><span class="p">,</span><span class="w"> </span><span class="nl">"permissions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"manage_users"</span><span class="p">,</span><span class="w"> </span><span class="s2">"view_billing"</span><span class="p">],</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1735689600</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> FluentValidation Pipeline Behaviour </h2> <p>One of my favourite parts of the boilerplate is the automatic validation pipeline. Any command or query with a corresponding <code>AbstractValidator&lt;T&gt;</code> is validated <em>before</em> it reaches the handler:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="k">class</span> <span class="nc">CreateTenantCommandValidator</span> <span class="p">:</span> <span class="n">AbstractValidator</span><span class="p">&lt;</span><span class="n">CreateTenantCommand</span><span class="p">&gt;</span> <span class="p">{</span> <span class="k">public</span> <span class="nf">CreateTenantCommandValidator</span><span class="p">()</span> <span class="p">{</span> <span class="nf">RuleFor</span><span class="p">(</span><span class="n">x</span> <span class="p">=&gt;</span> <span class="n">x</span><span class="p">.</span><span class="n">Name</span><span class="p">)</span> <span class="p">.</span><span class="nf">NotEmpty</span><span class="p">()</span> <span class="p">.</span><span class="nf">MaximumLength</span><span class="p">(</span><span class="m">100</span><span class="p">);</span> <span class="nf">RuleFor</span><span class="p">(</span><span class="n">x</span> <span class="p">=&gt;</span> <span class="n">x</span><span class="p">.</span><span class="n">AdminEmail</span><span class="p">)</span> <span class="p">.</span><span class="nf">NotEmpty</span><span class="p">()</span> <span class="p">.</span><span class="nf">EmailAddress</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The MediatR pipeline behaviour catches validation failures and returns a structured <code>400 Bad Request</code> automatically — no manual validation code in controllers.</p> <h2> Global Exception Handling </h2> <p>Nothing breaks SaaS apps faster than unhandled exceptions leaking stack traces to users (or worse, to the browser console).</p> <p>The boilerplate includes a middleware that maps domain exceptions to HTTP responses:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">UseExceptionHandler</span><span class="p">(</span><span class="n">exceptionHandlerApp</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">exceptionHandlerApp</span><span class="p">.</span><span class="nf">Run</span><span class="p">(</span><span class="k">async</span> <span class="n">context</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">exception</span> <span class="p">=</span> <span class="n">context</span><span class="p">.</span><span class="n">Features</span><span class="p">.</span><span class="n">Get</span><span class="p">&lt;</span><span class="n">IExceptionHandlerFeature</span><span class="p">&gt;()?.</span><span class="n">Error</span><span class="p">;</span> <span class="kt">var</span> <span class="p">(</span><span class="n">statusCode</span><span class="p">,</span> <span class="n">message</span><span class="p">)</span> <span class="p">=</span> <span class="n">exception</span> <span class="k">switch</span> <span class="p">{</span> <span class="n">NotFoundException</span> <span class="p">=&gt;</span> <span class="p">(</span><span class="m">404</span><span class="p">,</span> <span class="n">exception</span><span class="p">.</span><span class="n">Message</span><span class="p">),</span> <span class="n">UnauthorizedAccessException</span> <span class="p">=&gt;</span> <span class="p">(</span><span class="m">401</span><span class="p">,</span> <span class="s">"Unauthorized"</span><span class="p">),</span> <span class="n">ValidationException</span> <span class="n">ve</span> <span class="p">=&gt;</span> <span class="p">(</span><span class="m">400</span><span class="p">,</span> <span class="n">ve</span><span class="p">.</span><span class="n">Message</span><span class="p">),</span> <span class="n">_</span> <span class="p">=&gt;</span> <span class="p">(</span><span class="m">500</span><span class="p">,</span> <span class="s">"An unexpected error occurred"</span><span class="p">)</span> <span class="p">};</span> <span class="n">context</span><span class="p">.</span><span class="n">Response</span><span class="p">.</span><span class="n">StatusCode</span> <span class="p">=</span> <span class="n">statusCode</span><span class="p">;</span> <span class="k">await</span> <span class="n">context</span><span class="p">.</span><span class="n">Response</span><span class="p">.</span><span class="nf">WriteAsJsonAsync</span><span class="p">(</span><span class="k">new</span> <span class="p">{</span> <span class="n">error</span> <span class="p">=</span> <span class="n">message</span> <span class="p">});</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h2> What's Included in the Boilerplate </h2> <p>To summarise everything that's pre-built and ready to go:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Detail</th> </tr> </thead> <tbody> <tr> <td>Clean Architecture layers</td> <td>Domain, Application, Infrastructure, WebAPI</td> </tr> <tr> <td>CQRS + MediatR</td> <td>Commands, queries, pipeline behaviours</td> </tr> <tr> <td>Multi-tenancy</td> <td>Shared DB with EF Core global query filters</td> </tr> <tr> <td>Authentication</td> <td>ASP.NET Identity + JWT + refresh tokens</td> </tr> <tr> <td>Authorization</td> <td>Claims-based permission policies</td> </tr> <tr> <td>Validation</td> <td>FluentValidation via MediatR pipeline</td> </tr> <tr> <td>Error handling</td> <td>Global exception middleware</td> </tr> <tr> <td>Logging</td> <td>Structured logging with Serilog</td> </tr> <tr> <td>API documentation</td> <td>Swagger/OpenAPI with JWT support</td> </tr> <tr> <td>Unit test project</td> <td>xUnit + Moq setup included</td> </tr> </tbody> </table></div> <h2> How Much Time Does This Save? </h2> <p>Based on my own experience (and feedback from developers who've used it), setting all of this up from scratch typically takes <strong>3–6 weeks</strong> for a solo developer:</p> <ul> <li>Clean Architecture setup &amp; conventions: ~3 days</li> <li>Multi-tenancy implementation: ~5 days</li> <li>Auth with JWT + refresh tokens + permissions: ~5 days</li> <li>CQRS + validation pipeline: ~2 days</li> <li>Error handling, logging, Swagger: ~2 days</li> <li>Testing setup: ~2 days</li> </ul> <p>The boilerplate brings that down to <strong>a single afternoon</strong> of configuration — updating connection strings, setting your JWT secret, and deploying.</p> <h2> Who Is This For? </h2> <p>This boilerplate is best suited for:</p> <ul> <li> <strong>.NET / C# developers</strong> building their first or second SaaS product</li> <li> <strong>Indie hackers</strong> who want to ship fast without compromising architecture</li> <li> <strong>Small teams</strong> who want an opinionated, well-structured starting point</li> <li> <strong>Developers learning</strong> Clean Architecture through a real, complete codebase</li> </ul> <p>It is <em>not</em> a tutorial codebase — it's a production-ready starting point. Every pattern used is one you'd find in enterprise .NET projects.</p> <h2> Get the Boilerplate </h2> <p>The full <strong>.NET 8 Clean Architecture SaaS Boilerplate</strong> is available here:</p> <p>👉 <strong><a href="https://hiteshpreneur.gumroad.com/l/uairt" rel="noopener noreferrer">Download on Gumroad</a></strong></p> <p>It includes the complete source code, a detailed README with setup instructions, and all the patterns described in this article.</p> <h2> Questions? </h2> <p>Drop a comment below — happy to discuss any of the architectural decisions, why I chose one approach over another, or how to adapt the boilerplate for specific use cases.</p> <p>If you found this useful, a ❤️ or 🦄 means a lot. And if you know another .NET developer who's about to spend 4 weeks reinventing the same wheel — share this with them!</p> <p><em>Built with .NET 8 · ASP.NET Core · Entity Framework Core · MediatR · FluentValidation · Serilog</em></p> dotnet csharp saas cleanarchitecture