The latest articles on DEV Community by Shola Jegede (@sholajegede). https://dev.to/sholajegede https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1705040%2F3266d189-ef54-4f0e-ae81-ecabae5aac1c.jpg https://dev.to/sholajegede en Shola Jegede Thu, 16 Apr 2026 17:29:50 +0000 https://dev.to/sholajegede/how-to-add-device-authorization-flow-to-your-app-with-kinde-1o69 https://dev.to/sholajegede/how-to-add-device-authorization-flow-to-your-app-with-kinde-1o69 <p><em>Most auth tutorials assume there is a browser. Here is what to do when there is not.</em></p> <p>In this article, you will learn:</p> <ul> <li>What the device authorization flow is and why it exists</li> <li>When to use it over other OAuth flows</li> <li>How to set up a Device and IoT application in Kinde</li> <li>How to implement the full flow end to end in Node.js</li> <li>How to poll for tokens correctly and handle every error state</li> <li>How to validate the access token on your API</li> </ul> <p>Let's dive in!</p> <h2> The Problem With Browser-Based Auth </h2> <p>Every standard OAuth flow assumes the same thing: the user is sitting in front of a browser, they can get redirected to a login page, and they can type their credentials into a form.</p> <p>That assumption breaks the moment you step outside the browser. A CLI tool cannot open a redirect. A smart TV has no way to display a full login form usably. A Raspberry Pi running a background process has no UI at all. An AI agent executing tasks on behalf of a user has no session to attach to.</p> <p>For all of these cases, the OAuth 2.0 Device Authorization Grant (defined in RFC 8628) is the right answer. Instead of redirecting the device to a login page, the device asks the authorization server for a short user code and a URL, displays them to the user, and then polls for a token while the user completes login on a separate device — their phone or laptop — that actually has a browser.</p> <p>The device never handles credentials. The user authenticates on a device they trust. The token lands on the original device once the user approves.</p> <p>This flow is why logging into Netflix on a smart TV works the way it does. It is also how tools like the GitHub CLI, the Vercel CLI, and the AWS CLI authenticate their users without opening a browser window programmatically.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu4z3hprp6krhskac2s0m.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu4z3hprp6krhskac2s0m.png" alt="Two-path flow. Left path labeled " width="800" height="213"></a></p> <h2> When to Use the Device Flow </h2> <p>The device flow is not a general-purpose replacement for the authorization code flow. Use it specifically when:</p> <ul> <li>Your application runs in a terminal or CLI and cannot reliably open a browser</li> <li>Your application runs on a device with limited or no input capabilities (smart TVs, set-top boxes, IoT hardware)</li> <li>You are building an AI agent or automation that needs to authenticate on behalf of a human user but runs in a headless environment</li> <li>You are building a desktop background process or daemon that needs user-level tokens without a UI</li> </ul> <p>For standard web apps, mobile apps, or SPAs where a browser is available, stick with the authorization code flow with PKCE. The device flow adds polling complexity that you do not need when a redirect is possible.</p> <h2> Prerequisites </h2> <p>Before writing any code, make sure you have:</p> <ul> <li>A <a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=7&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde</a> account — free to sign up, no credit card required</li> <li>Node.js 18 or later installed locally</li> <li>A basic understanding of OAuth 2.0 token concepts</li> </ul> <h2> Step #1: Create a Device and IoT Application in Kinde </h2> <p>The device authorization flow requires a specific application type in Kinde. You cannot use an existing web or SPA application for this — the application type determines which OAuth grants are allowed.</p> <p>In your Kinde dashboard, navigate to <strong>Applications</strong> and select <strong>Add application</strong>. Give it a descriptive name like <code>My CLI Tool</code> or <code>Device App</code>. Under application type, select <strong>Device and IoT</strong>. Select <strong>Save</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftqnaiio9tfjslzu2baqm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftqnaiio9tfjslzu2baqm.png" alt="Kinde dashboard showing the Add application modal with " width="800" height="501"></a></p> <p>Once created, open the application details and note the <strong>Client ID</strong>. You will need this in every request. Device and IoT applications in Kinde do not have a client secret — the flow is designed for public clients that cannot securely store secrets.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuk12rjurjc9o10x697p9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuk12rjurjc9o10x697p9.png" alt="The newly created Device and IoT application details page showing the Client ID field." width="800" height="502"></a></p> <p>Next, configure the authentication method for this application. Navigate to <strong>Settings &gt; Authentication</strong>, select <strong>Configure</strong> on the <strong>Passwordless &gt; Email + code</strong> card, and under <strong>Applications</strong> select the Device and IoT application you just created. Select <strong>Save</strong>.</p> <p>This tells Kinde to use email OTP as the authentication method when a user goes to the verification URL from this application. Users will receive a one-time code by email rather than needing a password.</p> <h2> Step #2: Understand the Full Flow </h2> <p>Before writing code, it helps to see the complete sequence clearly.</p> <p><strong>Phase 1 — Device requests authorization:</strong><br> Your device (the CLI, the TV, the background process) sends a POST request to Kinde's device authorization endpoint. Kinde responds with a <code>device_code</code>, a <code>user_code</code>, a <code>verification_uri</code>, and a <code>verification_uri_complete</code>.</p> <p><strong>Phase 2 — User authenticates:</strong><br> Your device displays the <code>user_code</code> and the <code>verification_uri</code> to the user. The user visits the URL on their phone or laptop, enters the code, and authenticates through Kinde's normal login flow.</p> <p><strong>Phase 3 — Device polls for token:</strong><br> While the user is authenticating, your device polls Kinde's token endpoint every few seconds using the <code>device_code</code>. Kinde returns <code>authorization_pending</code> until the user completes login, at which point it returns the access token.</p> <p><strong>Phase 4 — Device uses the token:</strong><br> Your device now has a standard OAuth 2.0 Bearer token. It uses this to call your API.</p> <p>The <code>device_code</code> is what your device uses internally. The <code>user_code</code> is what the human types. The <code>verification_uri_complete</code> is the full URL with the code pre-filled — useful for generating a QR code so the user does not have to type anything.</p> <h2> Step #3: Request the Device Code </h2> <p>Here is the first API call your device makes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/auth.ts</span> <span class="k">import</span> <span class="nx">https</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">https</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">URLSearchParams</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">url</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">KINDE_DOMAIN</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">YOUR_SUBDOMAIN.kinde.com</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">CLIENT_ID</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">YOUR_CLIENT_ID</span><span class="dl">"</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">DeviceCodeResponse</span> <span class="p">{</span> <span class="nl">device_code</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">user_code</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">verification_uri</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">verification_uri_complete</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">expires_in</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// how long the codes are valid (seconds)</span> <span class="nl">interval</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// minimum polling interval (seconds)</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">requestDeviceCode</span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">DeviceCodeResponse</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">({</span> <span class="na">client_id</span><span class="p">:</span> <span class="nx">CLIENT_ID</span><span class="p">,</span> <span class="na">scope</span><span class="p">:</span> <span class="dl">"</span><span class="s2">openid profile email offline</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span> <span class="s2">`https://</span><span class="p">${</span><span class="nx">KINDE_DOMAIN</span><span class="p">}</span><span class="s2">/oauth2/device/auth`</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/x-www-form-urlencoded</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nf">toString</span><span class="p">(),</span> <span class="p">}</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">error</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">text</span><span class="p">();</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Device code request failed: </span><span class="p">${</span><span class="nx">error</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="k">as</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">DeviceCodeResponse</span><span class="o">&gt;</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>The <code>scope</code> values follow the standard OIDC conventions: <code>openid</code> requests an ID token, <code>profile</code> and <code>email</code> include the user's name and email in the token claims, and <code>offline</code> requests a refresh token so you can obtain new access tokens without requiring the user to re-authenticate.</p> <p>The response from Kinde looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"device_code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"kinde_dc_..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"user_code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CSLDFDUU"</span><span class="p">,</span><span class="w"> </span><span class="nl">"verification_uri"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://your-subdomain.kinde.com/device"</span><span class="p">,</span><span class="w"> </span><span class="nl">"verification_uri_complete"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://your-subdomain.kinde.com/device?user_code=CSLDFDUU"</span><span class="p">,</span><span class="w"> </span><span class="nl">"expires_in"</span><span class="p">:</span><span class="w"> </span><span class="mi">600</span><span class="p">,</span><span class="w"> </span><span class="nl">"interval"</span><span class="p">:</span><span class="w"> </span><span class="mi">5</span><span class="p">,</span><span class="w"> </span><span class="nl">"qr_code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"data:image/png;base64,..."</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The <code>user_code</code> in Kinde is formatted as 8 uppercase characters for easy manual entry. The <code>expires_in</code> is 600 seconds (10 minutes) — that is how long the user has to complete the login before the codes expire. The <code>qr_code</code> field is a base64-encoded PNG image that you can render directly on screen, which means users with a camera can scan it instead of typing the URL and code manually.</p> <h2> Step #4: Display the Code to the User </h2> <p>Once you have the device code response, show the user what they need to do. For a CLI tool this is straightforward:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/cli.ts</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">startAuth</span><span class="p">()</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="se">\n</span><span class="s2">Requesting authorization...</span><span class="se">\n</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">deviceCodeData</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">requestDeviceCode</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">To authenticate, visit:</span><span class="dl">"</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`\n </span><span class="p">${</span><span class="nx">deviceCodeData</span><span class="p">.</span><span class="nx">verification_uri</span><span class="p">}</span><span class="s2">\n`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Enter this code: </span><span class="p">${</span><span class="nx">deviceCodeData</span><span class="p">.</span><span class="nx">user_code</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`\nOr open this URL directly (code pre-filled):`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`\n </span><span class="p">${</span><span class="nx">deviceCodeData</span><span class="p">.</span><span class="nx">verification_uri_complete</span><span class="p">}</span><span class="s2">\n`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Or scan the QR code if your device can display images.\n`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span> <span class="s2">`Waiting for you to authenticate... (expires in </span><span class="p">${</span><span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="nx">deviceCodeData</span><span class="p">.</span><span class="nx">expires_in</span> <span class="o">/</span> <span class="mi">60</span><span class="p">)}</span><span class="s2"> minutes)\n`</span> <span class="p">);</span> <span class="c1">// Begin polling</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">pollForToken</span><span class="p">(</span><span class="nx">deviceCodeData</span><span class="p">);</span> <span class="k">return</span> <span class="nx">token</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>For a smart TV or embedded device, you would render the <code>user_code</code> prominently on screen alongside the <code>verification_uri</code>, or generate a QR code from <code>verification_uri_complete</code> so the user can scan it with their phone without typing anything.</p> <h2> Step #5: Poll for the Token </h2> <p>This is where most implementations go wrong. Polling is not just "keep hitting the token endpoint until it works." There are specific error states you must handle correctly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/auth.ts</span> <span class="kr">interface</span> <span class="nx">TokenResponse</span> <span class="p">{</span> <span class="nl">access_token</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">id_token</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">refresh_token</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">expires_in</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">token_type</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="kd">type</span> <span class="nx">PollError</span> <span class="o">=</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">authorization_pending</span><span class="dl">"</span> <span class="c1">// user has not finished yet — keep polling</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">slow_down</span><span class="dl">"</span> <span class="c1">// polling too fast — increase interval by 5 seconds</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">access_denied</span><span class="dl">"</span> <span class="c1">// user explicitly denied — stop polling</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">expired_token</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// codes have expired — restart the flow</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">pollForToken</span><span class="p">(</span> <span class="nx">deviceCodeData</span><span class="p">:</span> <span class="nx">DeviceCodeResponse</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">TokenResponse</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">interval</span> <span class="o">=</span> <span class="nx">deviceCodeData</span><span class="p">.</span><span class="nx">interval</span><span class="p">;</span> <span class="c1">// start at 5 seconds</span> <span class="kd">const</span> <span class="nx">expiresAt</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">+</span> <span class="nx">deviceCodeData</span><span class="p">.</span><span class="nx">expires_in</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">;</span> <span class="k">while </span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">&lt;</span> <span class="nx">expiresAt</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Wait the current interval before polling</span> <span class="k">await</span> <span class="nf">sleep</span><span class="p">(</span><span class="nx">interval</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">({</span> <span class="na">grant_type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">urn:ietf:params:oauth:grant-type:device_code</span><span class="dl">"</span><span class="p">,</span> <span class="na">client_id</span><span class="p">:</span> <span class="nx">CLIENT_ID</span><span class="p">,</span> <span class="na">device_code</span><span class="p">:</span> <span class="nx">deviceCodeData</span><span class="p">.</span><span class="nx">device_code</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`https://</span><span class="p">${</span><span class="nx">KINDE_DOMAIN</span><span class="p">}</span><span class="s2">/oauth2/token`</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/x-www-form-urlencoded</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nf">toString</span><span class="p">(),</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// User authenticated — we have a token</span> <span class="k">return</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="k">as</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">TokenResponse</span><span class="o">&gt;</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">error</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="k">as</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="nx">PollError</span><span class="p">;</span> <span class="nl">error_description</span><span class="p">?:</span> <span class="kr">string</span> <span class="p">};</span> <span class="k">switch </span><span class="p">(</span><span class="nx">error</span><span class="p">.</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">case</span> <span class="dl">"</span><span class="s2">authorization_pending</span><span class="dl">"</span><span class="p">:</span> <span class="c1">// Normal state — user has not finished yet, keep waiting</span> <span class="k">continue</span><span class="p">;</span> <span class="k">case</span> <span class="dl">"</span><span class="s2">slow_down</span><span class="dl">"</span><span class="p">:</span> <span class="c1">// We are polling too fast — increase interval by 5 seconds</span> <span class="nx">interval</span> <span class="o">+=</span> <span class="mi">5</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Slowing down polling to every </span><span class="p">${</span><span class="nx">interval</span><span class="p">}</span><span class="s2"> seconds...`</span><span class="p">);</span> <span class="k">continue</span><span class="p">;</span> <span class="k">case</span> <span class="dl">"</span><span class="s2">access_denied</span><span class="dl">"</span><span class="p">:</span> <span class="c1">// User explicitly denied the authorization</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Authorization was denied by the user.</span><span class="dl">"</span><span class="p">);</span> <span class="k">case</span> <span class="dl">"</span><span class="s2">expired_token</span><span class="dl">"</span><span class="p">:</span> <span class="c1">// The device code has expired — need to restart</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span> <span class="dl">"</span><span class="s2">The authorization code expired. Please run the command again.</span><span class="dl">"</span> <span class="p">);</span> <span class="nl">default</span><span class="p">:</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span> <span class="s2">`Unexpected error during polling: </span><span class="p">${</span><span class="nx">error</span><span class="p">.</span><span class="nx">error</span><span class="p">}</span><span class="s2"> — </span><span class="p">${</span><span class="nx">error</span><span class="p">.</span><span class="nx">error_description</span><span class="p">}</span><span class="s2">`</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span> <span class="dl">"</span><span class="s2">Authentication timed out. Please run the command again.</span><span class="dl">"</span> <span class="p">);</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">sleep</span><span class="p">(</span><span class="nx">ms</span><span class="p">:</span> <span class="kr">number</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">((</span><span class="nx">resolve</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">resolve</span><span class="p">,</span> <span class="nx">ms</span><span class="p">));</span> <span class="p">}</span> </code></pre> </div> <p>A few things to pay attention to here:</p> <p><strong>Always wait before the first poll.</strong> The <code>interval</code> from the response is the minimum time between requests. Make the first poll after waiting that interval, not immediately after displaying the code to the user.</p> <p><strong>Handle <code>slow_down</code> correctly.</strong> When Kinde returns <code>slow_down</code>, you must increase your polling interval by 5 seconds for that request and all subsequent requests. Ignoring this and continuing at the original interval will result in your requests being rejected.</p> <p><strong>Respect <code>expires_in</code>.</strong> Stop polling when the device code expires. Do not continue indefinitely. If the code expires, the user needs to restart the process.</p> <p><strong>Distinguish <code>authorization_pending</code> from errors.</strong> <code>authorization_pending</code> is not an error — it just means the user has not finished yet. Everything else in the error response is a real problem that requires action.</p> <h2> Step #6: Store and Use the Token </h2> <p>Once polling succeeds, you have a standard OAuth 2.0 Bearer token. Store it securely and use it to authenticate API requests.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/token-store.ts</span> <span class="k">import</span> <span class="nx">fs</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">fs</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">os</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">os</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">path</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">path</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">TOKEN_PATH</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">os</span><span class="p">.</span><span class="nf">homedir</span><span class="p">(),</span> <span class="dl">"</span><span class="s2">.myapp</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">token.json</span><span class="dl">"</span><span class="p">);</span> <span class="kr">interface</span> <span class="nx">StoredToken</span> <span class="p">{</span> <span class="nl">access_token</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">refresh_token</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">expires_at</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// Unix timestamp in ms</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">saveToken</span><span class="p">(</span><span class="nx">tokenResponse</span><span class="p">:</span> <span class="nx">TokenResponse</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">dir</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">dirname</span><span class="p">(</span><span class="nx">TOKEN_PATH</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">fs</span><span class="p">.</span><span class="nf">existsSync</span><span class="p">(</span><span class="nx">dir</span><span class="p">))</span> <span class="p">{</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">mkdirSync</span><span class="p">(</span><span class="nx">dir</span><span class="p">,</span> <span class="p">{</span> <span class="na">recursive</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="na">stored</span><span class="p">:</span> <span class="nx">StoredToken</span> <span class="o">=</span> <span class="p">{</span> <span class="na">access_token</span><span class="p">:</span> <span class="nx">tokenResponse</span><span class="p">.</span><span class="nx">access_token</span><span class="p">,</span> <span class="na">refresh_token</span><span class="p">:</span> <span class="nx">tokenResponse</span><span class="p">.</span><span class="nx">refresh_token</span><span class="p">,</span> <span class="na">expires_at</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">+</span> <span class="nx">tokenResponse</span><span class="p">.</span><span class="nx">expires_in</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="p">};</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">writeFileSync</span><span class="p">(</span><span class="nx">TOKEN_PATH</span><span class="p">,</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">stored</span><span class="p">,</span> <span class="kc">null</span><span class="p">,</span> <span class="mi">2</span><span class="p">),</span> <span class="p">{</span> <span class="na">mode</span><span class="p">:</span> <span class="mo">0o600</span><span class="p">,</span> <span class="c1">// owner read/write only</span> <span class="p">});</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">loadToken</span><span class="p">():</span> <span class="nx">StoredToken</span> <span class="o">|</span> <span class="kc">null</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">fs</span><span class="p">.</span><span class="nf">existsSync</span><span class="p">(</span><span class="nx">TOKEN_PATH</span><span class="p">))</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="nx">TOKEN_PATH</span><span class="p">,</span> <span class="dl">"</span><span class="s2">utf-8</span><span class="dl">"</span><span class="p">))</span> <span class="k">as</span> <span class="nx">StoredToken</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">isTokenExpired</span><span class="p">(</span><span class="nx">token</span><span class="p">:</span> <span class="nx">StoredToken</span><span class="p">):</span> <span class="nx">boolean</span> <span class="p">{</span> <span class="c1">// Add a 60-second buffer to account for clock skew</span> <span class="k">return</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">&gt;=</span> <span class="nx">token</span><span class="p">.</span><span class="nx">expires_at</span> <span class="o">-</span> <span class="mi">60</span><span class="nx">_000</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>The file permissions on the token file (<code>0o600</code>) are important. This ensures only the current user can read the stored token, which matters when your tool runs on a shared machine.</p> <p>To call your API with the token:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/api.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">loadToken</span><span class="p">,</span> <span class="nx">isTokenExpired</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./token-store</span><span class="dl">"</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">callApi</span><span class="p">(</span><span class="nx">endpoint</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">unknown</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">stored</span> <span class="o">=</span> <span class="nf">loadToken</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">stored</span> <span class="o">||</span> <span class="nf">isTokenExpired</span><span class="p">(</span><span class="nx">stored</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span> <span class="dl">"</span><span class="s2">Not authenticated or session expired. Run `myapp login` to authenticate.</span><span class="dl">"</span> <span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`https://api.yourapp.com</span><span class="p">${</span><span class="nx">endpoint</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">stored</span><span class="p">.</span><span class="nx">access_token</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="mi">401</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span> <span class="dl">"</span><span class="s2">Authentication failed. Run `myapp login` to re-authenticate.</span><span class="dl">"</span> <span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Step #7: Validate the Token on Your API </h2> <p>The device receives a standard JWT access token issued by Kinde. Your API validates it the same way it validates tokens from any other Kinde flow — by checking the signature against Kinde's public JWKS endpoint.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// api-server/middleware/auth.ts</span> <span class="k">import</span> <span class="nx">jwt</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">jsonwebtoken</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">jwksClient</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">jwks-rsa</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">KINDE_DOMAIN</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">YOUR_SUBDOMAIN.kinde.com</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="nf">jwksClient</span><span class="p">({</span> <span class="na">jwksUri</span><span class="p">:</span> <span class="s2">`https://</span><span class="p">${</span><span class="nx">KINDE_DOMAIN</span><span class="p">}</span><span class="s2">/.well-known/jwks.json`</span><span class="p">,</span> <span class="na">cache</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">cacheMaxAge</span><span class="p">:</span> <span class="mi">600</span><span class="nx">_000</span><span class="p">,</span> <span class="c1">// cache keys for 10 minutes</span> <span class="p">});</span> <span class="kd">function</span> <span class="nf">getSigningKey</span><span class="p">(</span> <span class="nx">header</span><span class="p">:</span> <span class="nx">jwt</span><span class="p">.</span><span class="nx">JwtHeader</span><span class="p">,</span> <span class="nx">callback</span><span class="p">:</span> <span class="nx">jwt</span><span class="p">.</span><span class="nx">SigningKeyCallback</span> <span class="p">)</span> <span class="p">{</span> <span class="nx">client</span><span class="p">.</span><span class="nf">getSigningKey</span><span class="p">(</span><span class="nx">header</span><span class="p">.</span><span class="nx">kid</span><span class="o">!</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">key</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="k">return</span> <span class="nf">callback</span><span class="p">(</span><span class="nx">err</span><span class="p">);</span> <span class="nf">callback</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="nx">key</span><span class="o">!</span><span class="p">.</span><span class="nf">getPublicKey</span><span class="p">());</span> <span class="p">});</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">verifyToken</span><span class="p">(</span> <span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">Response</span><span class="p">,</span> <span class="nx">next</span><span class="p">:</span> <span class="nx">NextFunction</span> <span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">authHeader</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">"</span><span class="s2">authorization</span><span class="dl">"</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">authHeader</span><span class="p">?.</span><span class="nf">split</span><span class="p">(</span><span class="dl">"</span><span class="s2"> </span><span class="dl">"</span><span class="p">)[</span><span class="mi">1</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">No token provided</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span> <span class="nx">token</span><span class="p">,</span> <span class="nx">getSigningKey</span><span class="p">,</span> <span class="p">{</span> <span class="na">algorithms</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">RS256</span><span class="dl">"</span><span class="p">],</span> <span class="na">issuer</span><span class="p">:</span> <span class="s2">`https://</span><span class="p">${</span><span class="nx">KINDE_DOMAIN</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">},</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">decoded</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid token</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Attach the decoded claims to the request for use in route handlers</span> <span class="p">(</span><span class="nx">req</span> <span class="k">as</span> <span class="kr">any</span><span class="p">).</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">decoded</span><span class="p">;</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The token issued via device flow contains the same claims as any other Kinde access token: <code>sub</code> (the user's Kinde ID), <code>email</code>, <code>name</code>, <code>org_code</code> if the user is in an organization, and any roles and permissions you have configured. Your API does not need to know or care that the token came from a device flow — the validation is identical.</p> <h2> Putting It All Together </h2> <p>Here is a complete CLI entry point that wires up everything above:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/index.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">startAuth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./auth</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">saveToken</span><span class="p">,</span> <span class="nx">loadToken</span><span class="p">,</span> <span class="nx">isTokenExpired</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./token-store</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">callApi</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./api</span><span class="dl">"</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">command</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">argv</span><span class="p">[</span><span class="mi">2</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="nx">command</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">login</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Starting authentication...</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">startAuth</span><span class="p">();</span> <span class="nf">saveToken</span><span class="p">(</span><span class="nx">token</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="se">\n</span><span class="s2">Authenticated successfully. You can now use the CLI.</span><span class="se">\n</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">command</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">whoami</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">stored</span> <span class="o">=</span> <span class="nf">loadToken</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">stored</span> <span class="o">||</span> <span class="nf">isTokenExpired</span><span class="p">(</span><span class="nx">stored</span><span class="p">))</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Not authenticated. Run `myapp login` first.</span><span class="dl">"</span><span class="p">);</span> <span class="nx">process</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">callApi</span><span class="p">(</span><span class="dl">"</span><span class="s2">/me</span><span class="dl">"</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">command</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">logout</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">tokenPath</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">os</span><span class="p">.</span><span class="nf">homedir</span><span class="p">(),</span> <span class="dl">"</span><span class="s2">.myapp</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">token.json</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">fs</span><span class="p">.</span><span class="nf">existsSync</span><span class="p">(</span><span class="nx">tokenPath</span><span class="p">))</span> <span class="p">{</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">unlinkSync</span><span class="p">(</span><span class="nx">tokenPath</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Logged out successfully.</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">No active session found.</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Usage: myapp &lt;login|whoami|logout&gt;</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="nf">main</span><span class="p">().</span><span class="k">catch</span><span class="p">((</span><span class="nx">err</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">);</span> <span class="nx">process</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Running <code>myapp login</code> kicks off the device flow, shows the user a code and URL, polls until they authenticate, and saves the token locally. Every subsequent command loads the token silently from disk and uses it without interrupting the user.</p> <h2> Common Mistakes to Avoid </h2> <p><strong>Polling immediately after displaying the code.</strong> Always wait the <code>interval</code> before the first poll. Hitting the token endpoint immediately wastes a request and may trigger rate limiting.</p> <p><strong>Not handling <code>slow_down</code>.</strong> If you receive a <code>slow_down</code> error and keep polling at the same rate, your requests will continue to fail. Increase the interval by 5 seconds and keep increasing it if you receive the error again.</p> <p><strong>Restarting the whole flow when <code>authorization_pending</code> is returned.</strong> <code>authorization_pending</code> means keep waiting, not start over. Only restart the flow if you receive <code>expired_token</code> or if the <code>expires_in</code> window has elapsed.</p> <p><strong>Storing the token with world-readable permissions.</strong> A token file stored at <code>~/.myapp/token.json</code> with permissions <code>0o644</code> can be read by other users on the same machine. Always write token files with <code>0o600</code>.</p> <p><strong>Not handling token expiry.</strong> Access tokens from Kinde expire after one hour by default. Check the expiry before every API call and prompt the user to re-authenticate if the token is expired. If you requested a refresh token (by including <code>offline</code> in your scopes), you can use it to get a new access token silently.</p> <h2> What This Enables </h2> <p>With device authorization flow in place, your CLI, IoT device, or headless process can authenticate real users through Kinde's full auth stack — including MFA, SSO, and org-scoped tokens — without any of that logic living in your device code. The user authenticates on a device they trust, your device gets a token, and your API validates it the same way it validates every other token.</p> <p>For AI agents and automation workflows that need to act on behalf of authenticated users, this flow is the right foundation. The agent does not handle credentials. The user authorizes it explicitly. The token carries the same org and permission claims as any browser-based session.</p> <p><a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=7&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde</a> handles the auth infrastructure — the user code generation, the verification page, the token issuance, the JWKS endpoint — so the only code you write is the polling loop and the token storage. Sign up for free and have your first device flow working in under an hour.</p> webdev kinde learning programming Shola Jegede Thu, 16 Apr 2026 11:48:28 +0000 https://dev.to/sholajegede/how-to-audit-who-did-what-in-your-multi-tenant-app-building-an-activity-log-with-convex-and-kinde-4n25 https://dev.to/sholajegede/how-to-audit-who-did-what-in-your-multi-tenant-app-building-an-activity-log-with-convex-and-kinde-4n25 <p><em>Enterprise customers will not sign on the dotted line until they can answer: "Who did what, and when?" Here is how to build the activity log that closes that gap.</em></p> <p>In this article, you will learn:</p> <ul> <li>Why audit logs are no longer optional for multi-tenant SaaS — and what it costs you when they are missing</li> <li>How to design an <code>activityLogs</code> schema in Convex that handles high-volume writes without slowing down your queries</li> <li>Why you should denormalize actor fields at write time and what happens when you do not</li> <li>How to build a single <code>auditLog</code> helper that every mutation calls — and why it being transactional is the whole point</li> <li>How to pull actor identity from Kinde's server session and attach it to every log entry</li> <li>How to build a filterable, paginated, real-time activity feed that org members can view</li> <li>How to export activity logs as CSV for compliance teams</li> <li>How to guarantee that no organization ever sees another organization's activity</li> </ul> <p>Let's dive in!</p> <h2> The Audit Log Gap That Costs You Enterprise Deals </h2> <p>There is a specific moment in enterprise procurement that catches most SaaS founders off guard. You have passed the security review. The procurement lead likes the product. Then someone from IT or legal asks: "If an admin deletes something or changes a permission, can we see who did it and when?"</p> <p>If the answer is no, the deal stalls — sometimes indefinitely. Enterprise customers are not being bureaucratic. They have legal obligations around data access records, SOC 2 and ISO 27001 auditors who ask for evidence of access trails, and internal IT teams that need to investigate incidents when they happen. An audit log is not a backlog item. It is infrastructure that determines whether your app is deployable inside a governed organization.</p> <p>The other problem is internal. When a team member emails asking why a document disappeared, or when a customer opens a support ticket claiming their settings were changed without their knowledge, you have nothing to show them without an activity log. You either stare at database timestamps trying to reconstruct what happened, or you tell them you cannot find out. Neither is acceptable once you have paying customers.</p> <p>Building this correctly is not complicated if you do it at the right layer. This article builds a complete, production-ready activity log for a multi-tenant Next.js app using Convex and <a href="https://kinde.com?utm_source=fcc&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=4&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde</a>. The pattern it establishes — a single helper, called inside every mutation, committed in the same transaction as the action itself — means you will never have a mutation that fires without a corresponding log entry.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fale0j1x7ed8664fxvnmo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fale0j1x7ed8664fxvnmo.png" alt="Three columns connected by arrows. Left column labeled " width="800" height="361"></a></p> <h2> Why Convex Is the Right Database for Audit Logs </h2> <p>Audit logs have a write pattern that is unusual compared to most application data. Entries are inserted at high frequency, almost never updated, never deleted within your retention window, and queried in time-range windows filtered by organization, actor, or resource type.</p> <p><a href="https://dashboard.convex.dev" rel="noopener noreferrer">Convex</a> handles this well for three reasons.</p> <p><strong>Writes are transactional and co-located with your mutations.</strong> Because your mutation and your <code>auditLog</code> call live in the same Convex function and commit in the same transaction, you cannot have a state where a document was deleted but no log entry was written. Either both commit or neither does. This property is not free in architectures where you fire a side-effect call to a separate logging service after the mutation returns — a network failure between the two leaves your audit trail permanently inconsistent.</p> <p><strong>Compound indexes make time-range queries fast.</strong> Filtering by <code>organizationId</code> and then ordering by creation time is exactly the access pattern an activity feed needs. Convex's index system keeps that query fast as the table grows into hundreds of thousands of rows.</p> <p><strong>Reactive queries give you a live feed for free.</strong> A feed component that uses <code>useQuery</code> on your log query will update in real time whenever new entries are written — without polling, without manual WebSocket management, without any extra code. Convex tracks the query's data dependencies and pushes updates automatically.</p> <h2> Schema </h2> <p>Add the <code>activityLogs</code> table to your <code>convex/schema.ts</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// convex/schema.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">defineSchema</span><span class="p">,</span> <span class="nx">defineTable</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">convex/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">v</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">convex/values</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">defineSchema</span><span class="p">({</span> <span class="c1">// ... your existing tables</span> <span class="na">activityLogs</span><span class="p">:</span> <span class="nf">defineTable</span><span class="p">({</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">id</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizations</span><span class="dl">"</span><span class="p">),</span> <span class="na">actorId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="c1">// Kinde user ID — e.g. "kp_123abc"</span> <span class="na">actorEmail</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="c1">// Denormalized for display — no join required</span> <span class="na">actorName</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="c1">// Same reason: accounts get deleted, names change</span> <span class="na">action</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="c1">// "document.created", "member.role_changed", etc.</span> <span class="na">resourceType</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="c1">// "document", "member", "role", "settings"</span> <span class="na">resourceId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">optional</span><span class="p">(</span><span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">()),</span> <span class="c1">// ID of the affected resource</span> <span class="na">resourceLabel</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">optional</span><span class="p">(</span><span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">()),</span> <span class="c1">// Human-readable name at the time of action</span> <span class="na">metadata</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">optional</span><span class="p">(</span><span class="nx">v</span><span class="p">.</span><span class="nf">any</span><span class="p">()),</span> <span class="c1">// Action-specific context: before/after diffs, etc.</span> <span class="na">ipAddress</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">optional</span><span class="p">(</span><span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">()),</span> <span class="p">})</span> <span class="p">.</span><span class="nf">index</span><span class="p">(</span><span class="dl">"</span><span class="s2">by_organization</span><span class="dl">"</span><span class="p">,</span> <span class="p">[</span><span class="dl">"</span><span class="s2">organizationId</span><span class="dl">"</span><span class="p">])</span> <span class="p">.</span><span class="nf">index</span><span class="p">(</span><span class="dl">"</span><span class="s2">by_org_and_actor</span><span class="dl">"</span><span class="p">,</span> <span class="p">[</span><span class="dl">"</span><span class="s2">organizationId</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">actorId</span><span class="dl">"</span><span class="p">])</span> <span class="p">.</span><span class="nf">index</span><span class="p">(</span><span class="dl">"</span><span class="s2">by_org_and_resource_type</span><span class="dl">"</span><span class="p">,</span> <span class="p">[</span><span class="dl">"</span><span class="s2">organizationId</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">resourceType</span><span class="dl">"</span><span class="p">]),</span> <span class="p">});</span> </code></pre> </div> <p>Several design decisions here are worth explaining before you move on.</p> <p><strong>Denormalize actor fields.</strong> <code>actorEmail</code> and <code>actorName</code> are stored directly on the log entry — not as foreign keys to a users table. This means you never need a join to render the activity feed, and the log permanently records who performed the action at the time it happened, not who the account belongs to now. User display names change. Accounts get suspended or deleted. People leave companies. The audit trail must be immutable after write, which means capturing the actor's identity at write time.</p> <p><strong>Use a string for <code>actorId</code>, not a Convex document ID.</strong> Kinde user IDs are strings (e.g. <code>kp_abc123def</code>). Storing the Kinde ID directly means no lookup layer and no dependency on your local <code>users</code> table — the ID remains valid and meaningful even if you migrate or restructure your user data.</p> <p><strong>Store <code>resourceLabel</code>.</strong> When a document is deleted, the document is gone. If you only stored the resource ID, the log entry for <code>document.deleted</code> would show a dead reference with no human-readable context. Capture the label at write time, before the deletion.</p> <p><strong>Three indexes, not one.</strong> The primary access pattern is all logs for an org ordered by time descending. The secondary patterns are filtering by actor ("show me everything Alice did this week") and filtering by resource type ("show me all role changes"). Three focused indexes handle all three without full table scans. Per Convex best practices, <code>by_org_and_resource_type</code> is compound — you always scope to an organization first, so a standalone <code>by_resource_type</code> index would be redundant.</p> <p><strong><code>metadata</code> is typed loosely by design.</strong> A <code>document.shared</code> event needs to capture who it was shared with. A <code>member.role_changed</code> event needs the before and after role values. A <code>settings.updated</code> event needs the field that changed and its old and new values. Rather than adding a column for every possible shape, <code>metadata</code> holds the action-specific payload and you validate it at the call site.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2erpqw17p7u923ny4e39.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2erpqw17p7u923ny4e39.png" alt="The activityLogs table schema with all fields and their types listed. A dotted arrow connects organizationId to a separate organizations table box, labeled " id="" width="800" height="648"></a></p> <h2> The <code>auditLog</code> Helper </h2> <p>Create <code>convex/lib/audit.ts</code>. Every mutation in your app will call this one function. Centralizing it here means you change audit log behavior in exactly one place.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// convex/lib/audit.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">MutationCtx</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../_generated/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Id</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../_generated/dataModel</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">type</span> <span class="nx">AuditAction</span> <span class="o">=</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">document.created</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">document.updated</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">document.deleted</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">document.shared</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">document.unshared</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">member.invited</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">member.removed</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">member.role_changed</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">invitation.accepted</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">invitation.revoked</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">role.created</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">role.updated</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">role.deleted</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">settings.updated</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">billing.plan_changed</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">org.created</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">type</span> <span class="nx">ResourceType</span> <span class="o">=</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">document</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">member</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">invitation</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">role</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">settings</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">billing</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">org</span><span class="dl">"</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">AuditLogParams</span> <span class="p">{</span> <span class="nl">ctx</span><span class="p">:</span> <span class="nx">MutationCtx</span><span class="p">;</span> <span class="nl">organizationId</span><span class="p">:</span> <span class="nx">Id</span><span class="o">&lt;</span><span class="dl">"</span><span class="s2">organizations</span><span class="dl">"</span><span class="o">&gt;</span><span class="p">;</span> <span class="nl">actorId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">actorEmail</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">actorName</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">action</span><span class="p">:</span> <span class="nx">AuditAction</span><span class="p">;</span> <span class="nl">resourceType</span><span class="p">:</span> <span class="nx">ResourceType</span><span class="p">;</span> <span class="nl">resourceId</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">resourceLabel</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">metadata</span><span class="p">?:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">unknown</span><span class="o">&gt;</span><span class="p">;</span> <span class="nl">ipAddress</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">auditLog</span><span class="p">({</span> <span class="nx">ctx</span><span class="p">,</span> <span class="nx">organizationId</span><span class="p">,</span> <span class="nx">actorId</span><span class="p">,</span> <span class="nx">actorEmail</span><span class="p">,</span> <span class="nx">actorName</span><span class="p">,</span> <span class="nx">action</span><span class="p">,</span> <span class="nx">resourceType</span><span class="p">,</span> <span class="nx">resourceId</span><span class="p">,</span> <span class="nx">resourceLabel</span><span class="p">,</span> <span class="nx">metadata</span><span class="p">,</span> <span class="nx">ipAddress</span><span class="p">,</span> <span class="p">}:</span> <span class="nx">AuditLogParams</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="nf">insert</span><span class="p">(</span><span class="dl">"</span><span class="s2">activityLogs</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="nx">organizationId</span><span class="p">,</span> <span class="nx">actorId</span><span class="p">,</span> <span class="nx">actorEmail</span><span class="p">,</span> <span class="nx">actorName</span><span class="p">,</span> <span class="nx">action</span><span class="p">,</span> <span class="nx">resourceType</span><span class="p">,</span> <span class="nx">resourceId</span><span class="p">,</span> <span class="nx">resourceLabel</span><span class="p">,</span> <span class="nx">metadata</span><span class="p">,</span> <span class="nx">ipAddress</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>The function signature is explicit by design. <code>AuditAction</code> and <code>ResourceType</code> are union types — TypeScript enforces them at compile time, so a typo like <code>"document.creatd"</code> fails the build rather than silently writing a malformed entry into your audit trail. The function does exactly one thing: insert. Any filtering, validation, or transformation happens at the call site inside the mutation that needs it.</p> <h2> Pulling Actor Identity From Kinde </h2> <p>Before looking at how mutations call <code>auditLog</code>, you need a reliable way to get the current user's Kinde ID, email, and display name inside a Convex mutation.</p> <p>The standard pattern is a <code>getCurrentUser</code> helper that queries your local <code>users</code> table using the Kinde user ID embedded in the Convex auth token. Your <code>users</code> table gets populated during the post-login callback — either via a Convex mutation called from the Next.js auth handler, or by checking on first load.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// convex/lib/auth.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">QueryCtx</span><span class="p">,</span> <span class="nx">MutationCtx</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../_generated/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getCurrentUser</span><span class="p">(</span><span class="nx">ctx</span><span class="p">:</span> <span class="nx">QueryCtx</span> <span class="o">|</span> <span class="nx">MutationCtx</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// ctx.auth.getUserIdentity() reads the JWT Kinde issues after login.</span> <span class="c1">// The `subject` claim is the Kinde user ID (e.g. "kp_abc123def").</span> <span class="kd">const</span> <span class="nx">identity</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">getUserIdentity</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">identity</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">kindeId</span> <span class="o">=</span> <span class="nx">identity</span><span class="p">.</span><span class="nx">subject</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span> <span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">users</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">withIndex</span><span class="p">(</span><span class="dl">"</span><span class="s2">by_kinde_id</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">q</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">q</span><span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">kindeId</span><span class="dl">"</span><span class="p">,</span> <span class="nx">kindeId</span><span class="p">))</span> <span class="p">.</span><span class="nf">unique</span><span class="p">();</span> <span class="k">return</span> <span class="nx">user</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Your <code>users</code> table needs <code>kindeId</code>, <code>email</code>, and <code>name</code> fields. When a user first authenticates through Kinde, those three values are written to the table from the token claims. The <code>auditLog</code> helper reads them and writes them directly onto the log entry — no live lookup, no join, immutable from that point forward.</p> <p><a href="https://kinde.com?utm_source=fcc&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=4&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde's</a> <code>@kinde-oss/kinde-auth-nextjs</code> SDK handles token issuance on the Next.js side. Convex picks up the token automatically when you configure it to use Kinde as the auth provider via the Convex dashboard's authentication settings.</p> <h2> Step #1: Call <code>auditLog</code> Inside Your Mutations </h2> <p>The pattern is identical across every mutation: do the database write, then call <code>auditLog</code> before returning. Because Convex mutations are transactional, the primary write and the log entry commit together or not at all.</p> <h3> Document creation </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// convex/documents.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">mutation</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./_generated/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">v</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">convex/values</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getCurrentUser</span><span class="p">,</span> <span class="nx">requirePermission</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./lib/auth</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">auditLog</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./lib/audit</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">create</span> <span class="o">=</span> <span class="nf">mutation</span><span class="p">({</span> <span class="na">args</span><span class="p">:</span> <span class="p">{</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">id</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizations</span><span class="dl">"</span><span class="p">),</span> <span class="na">title</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">content</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">optional</span><span class="p">(</span><span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">()),</span> <span class="p">},</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">args</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">user</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">requirePermission</span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">args</span><span class="p">.</span><span class="nx">organizationId</span><span class="p">,</span> <span class="dl">"</span><span class="s2">documents:create</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">documentId</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="nf">insert</span><span class="p">(</span><span class="dl">"</span><span class="s2">documents</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">organizationId</span><span class="p">,</span> <span class="na">title</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">title</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">content</span> <span class="o">??</span> <span class="dl">""</span><span class="p">,</span> <span class="na">createdBy</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">_id</span><span class="p">,</span> <span class="na">createdAt</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">(),</span> <span class="na">updatedAt</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">(),</span> <span class="p">});</span> <span class="k">await</span> <span class="nf">auditLog</span><span class="p">({</span> <span class="nx">ctx</span><span class="p">,</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">organizationId</span><span class="p">,</span> <span class="na">actorId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">kindeId</span><span class="p">,</span> <span class="na">actorEmail</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">actorName</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">document.created</span><span class="dl">"</span><span class="p">,</span> <span class="na">resourceType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">document</span><span class="dl">"</span><span class="p">,</span> <span class="na">resourceId</span><span class="p">:</span> <span class="nx">documentId</span><span class="p">,</span> <span class="na">resourceLabel</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">title</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">documentId</span><span class="p">;</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <h3> Document deletion </h3> <p>Read the title before the delete. Once <code>ctx.db.delete</code> runs, that document is gone. If you try to fetch the title after, you get nothing.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">remove</span> <span class="o">=</span> <span class="nf">mutation</span><span class="p">({</span> <span class="na">args</span><span class="p">:</span> <span class="p">{</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">id</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizations</span><span class="dl">"</span><span class="p">),</span> <span class="na">documentId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">id</span><span class="p">(</span><span class="dl">"</span><span class="s2">documents</span><span class="dl">"</span><span class="p">),</span> <span class="p">},</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">args</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">user</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">requirePermission</span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">args</span><span class="p">.</span><span class="nx">organizationId</span><span class="p">,</span> <span class="dl">"</span><span class="s2">documents:delete</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nb">document</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">args</span><span class="p">.</span><span class="nx">documentId</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nb">document</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Document not found</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">organizationId</span> <span class="o">!==</span> <span class="nx">args</span><span class="p">.</span><span class="nx">organizationId</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Document not found</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// Capture the label BEFORE the delete — after, it no longer exists</span> <span class="kd">const</span> <span class="nx">documentTitle</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">title</span><span class="p">;</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="nx">args</span><span class="p">.</span><span class="nx">documentId</span><span class="p">);</span> <span class="k">await</span> <span class="nf">auditLog</span><span class="p">({</span> <span class="nx">ctx</span><span class="p">,</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">organizationId</span><span class="p">,</span> <span class="na">actorId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">kindeId</span><span class="p">,</span> <span class="na">actorEmail</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">actorName</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">document.deleted</span><span class="dl">"</span><span class="p">,</span> <span class="na">resourceType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">document</span><span class="dl">"</span><span class="p">,</span> <span class="na">resourceId</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">documentId</span><span class="p">,</span> <span class="na">resourceLabel</span><span class="p">:</span> <span class="nx">documentTitle</span><span class="p">,</span> <span class="p">});</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <h3> Member role change </h3> <p>This one captures a before/after diff in <code>metadata</code>. When someone reviews the log later, they see exactly what changed without querying another table.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// convex/organizations.ts</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">updateMemberRole</span> <span class="o">=</span> <span class="nf">mutation</span><span class="p">({</span> <span class="na">args</span><span class="p">:</span> <span class="p">{</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">id</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizations</span><span class="dl">"</span><span class="p">),</span> <span class="na">membershipId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">id</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizationMembers</span><span class="dl">"</span><span class="p">),</span> <span class="na">newRole</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="p">},</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">args</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">user</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">requirePermission</span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">args</span><span class="p">.</span><span class="nx">organizationId</span><span class="p">,</span> <span class="dl">"</span><span class="s2">members:manage</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">membership</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">args</span><span class="p">.</span><span class="nx">membershipId</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">membership</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Member not found</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">membership</span><span class="p">.</span><span class="nx">organizationId</span> <span class="o">!==</span> <span class="nx">args</span><span class="p">.</span><span class="nx">organizationId</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Member not found</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// Read the previous role before patching</span> <span class="kd">const</span> <span class="nx">previousRole</span> <span class="o">=</span> <span class="nx">membership</span><span class="p">.</span><span class="nx">role</span><span class="p">;</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="nf">patch</span><span class="p">(</span><span class="nx">args</span><span class="p">.</span><span class="nx">membershipId</span><span class="p">,</span> <span class="p">{</span> <span class="na">role</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">newRole</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Fetch the affected user's display info for the log label</span> <span class="kd">const</span> <span class="nx">affectedUser</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">membership</span><span class="p">.</span><span class="nx">userId</span><span class="p">);</span> <span class="k">await</span> <span class="nf">auditLog</span><span class="p">({</span> <span class="nx">ctx</span><span class="p">,</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">organizationId</span><span class="p">,</span> <span class="na">actorId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">kindeId</span><span class="p">,</span> <span class="na">actorEmail</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">actorName</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">member.role_changed</span><span class="dl">"</span><span class="p">,</span> <span class="na">resourceType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">member</span><span class="dl">"</span><span class="p">,</span> <span class="na">resourceId</span><span class="p">:</span> <span class="nx">membership</span><span class="p">.</span><span class="nx">userId</span><span class="p">,</span> <span class="na">resourceLabel</span><span class="p">:</span> <span class="nx">affectedUser</span><span class="p">?.</span><span class="nx">name</span> <span class="o">??</span> <span class="nx">affectedUser</span><span class="p">?.</span><span class="nx">email</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">Unknown user</span><span class="dl">"</span><span class="p">,</span> <span class="na">metadata</span><span class="p">:</span> <span class="p">{</span> <span class="nx">previousRole</span><span class="p">,</span> <span class="na">newRole</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">newRole</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <h3> Settings update </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// convex/settings.ts</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">update</span> <span class="o">=</span> <span class="nf">mutation</span><span class="p">({</span> <span class="na">args</span><span class="p">:</span> <span class="p">{</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">id</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizations</span><span class="dl">"</span><span class="p">),</span> <span class="na">field</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">value</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">any</span><span class="p">(),</span> <span class="p">},</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">args</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">user</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">requirePermission</span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">args</span><span class="p">.</span><span class="nx">organizationId</span><span class="p">,</span> <span class="dl">"</span><span class="s2">settings:manage</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">settings</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span> <span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizationSettings</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">withIndex</span><span class="p">(</span><span class="dl">"</span><span class="s2">by_organization</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">q</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">q</span><span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizationId</span><span class="dl">"</span><span class="p">,</span> <span class="nx">args</span><span class="p">.</span><span class="nx">organizationId</span><span class="p">)</span> <span class="p">)</span> <span class="p">.</span><span class="nf">unique</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">settings</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Settings not found</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">previousValue</span> <span class="o">=</span> <span class="p">(</span><span class="nx">settings</span> <span class="k">as</span> <span class="kr">any</span><span class="p">)[</span><span class="nx">args</span><span class="p">.</span><span class="nx">field</span><span class="p">];</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="nf">patch</span><span class="p">(</span><span class="nx">settings</span><span class="p">.</span><span class="nx">_id</span><span class="p">,</span> <span class="p">{</span> <span class="p">[</span><span class="nx">args</span><span class="p">.</span><span class="nx">field</span><span class="p">]:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">value</span><span class="p">,</span> <span class="na">updatedAt</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">(),</span> <span class="p">});</span> <span class="k">await</span> <span class="nf">auditLog</span><span class="p">({</span> <span class="nx">ctx</span><span class="p">,</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">organizationId</span><span class="p">,</span> <span class="na">actorId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">kindeId</span><span class="p">,</span> <span class="na">actorEmail</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">actorName</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">settings.updated</span><span class="dl">"</span><span class="p">,</span> <span class="na">resourceType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">settings</span><span class="dl">"</span><span class="p">,</span> <span class="na">resourceLabel</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">field</span><span class="p">,</span> <span class="na">metadata</span><span class="p">:</span> <span class="p">{</span> <span class="na">field</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">field</span><span class="p">,</span> <span class="nx">previousValue</span><span class="p">,</span> <span class="na">newValue</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">value</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>The metadata pattern is consistent across all mutations: capture what changed, what it was before, what it is now. The log entry is self-contained — a compliance auditor reading it does not need to cross-reference other tables or reconstruct state from timestamps.</p> <h2> Step #2: Query the Activity Log </h2> <p>Create the query functions in <code>convex/activityLogs.ts</code>. These are what the frontend subscribes to.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// convex/activityLogs.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">query</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./_generated/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">v</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">convex/values</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">requireOrganizationAccess</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./lib/auth</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// All activity for an org, paginated, most recent first</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">list</span> <span class="o">=</span> <span class="nf">query</span><span class="p">({</span> <span class="na">args</span><span class="p">:</span> <span class="p">{</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">id</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizations</span><span class="dl">"</span><span class="p">),</span> <span class="na">paginationOpts</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">numItems</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">number</span><span class="p">(),</span> <span class="na">cursor</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">union</span><span class="p">(</span><span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="nx">v</span><span class="p">.</span><span class="nf">null</span><span class="p">()),</span> <span class="p">}),</span> <span class="p">},</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="p">{</span> <span class="nx">organizationId</span><span class="p">,</span> <span class="nx">paginationOpts</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">requireOrganizationAccess</span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">organizationId</span><span class="p">);</span> <span class="k">return</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span> <span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">activityLogs</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">withIndex</span><span class="p">(</span><span class="dl">"</span><span class="s2">by_organization</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">q</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">q</span><span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizationId</span><span class="dl">"</span><span class="p">,</span> <span class="nx">organizationId</span><span class="p">)</span> <span class="p">)</span> <span class="p">.</span><span class="nf">order</span><span class="p">(</span><span class="dl">"</span><span class="s2">desc</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">paginate</span><span class="p">(</span><span class="nx">paginationOpts</span><span class="p">);</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// Filtered by actor — "show me everything Alice did"</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">listByActor</span> <span class="o">=</span> <span class="nf">query</span><span class="p">({</span> <span class="na">args</span><span class="p">:</span> <span class="p">{</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">id</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizations</span><span class="dl">"</span><span class="p">),</span> <span class="na">actorId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">paginationOpts</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">numItems</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">number</span><span class="p">(),</span> <span class="na">cursor</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">union</span><span class="p">(</span><span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="nx">v</span><span class="p">.</span><span class="nf">null</span><span class="p">()),</span> <span class="p">}),</span> <span class="p">},</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="p">{</span> <span class="nx">organizationId</span><span class="p">,</span> <span class="nx">actorId</span><span class="p">,</span> <span class="nx">paginationOpts</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">requireOrganizationAccess</span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">organizationId</span><span class="p">);</span> <span class="k">return</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span> <span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">activityLogs</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">withIndex</span><span class="p">(</span><span class="dl">"</span><span class="s2">by_org_and_actor</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">q</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">q</span><span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizationId</span><span class="dl">"</span><span class="p">,</span> <span class="nx">organizationId</span><span class="p">).</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">actorId</span><span class="dl">"</span><span class="p">,</span> <span class="nx">actorId</span><span class="p">)</span> <span class="p">)</span> <span class="p">.</span><span class="nf">order</span><span class="p">(</span><span class="dl">"</span><span class="s2">desc</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">paginate</span><span class="p">(</span><span class="nx">paginationOpts</span><span class="p">);</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// Filtered by resource type — "show me all role changes"</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">listByResourceType</span> <span class="o">=</span> <span class="nf">query</span><span class="p">({</span> <span class="na">args</span><span class="p">:</span> <span class="p">{</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">id</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizations</span><span class="dl">"</span><span class="p">),</span> <span class="na">resourceType</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">paginationOpts</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">numItems</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">number</span><span class="p">(),</span> <span class="na">cursor</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">union</span><span class="p">(</span><span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="nx">v</span><span class="p">.</span><span class="nf">null</span><span class="p">()),</span> <span class="p">}),</span> <span class="p">},</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="p">{</span> <span class="nx">organizationId</span><span class="p">,</span> <span class="nx">resourceType</span><span class="p">,</span> <span class="nx">paginationOpts</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">requireOrganizationAccess</span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">organizationId</span><span class="p">);</span> <span class="k">return</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span> <span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">activityLogs</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">withIndex</span><span class="p">(</span><span class="dl">"</span><span class="s2">by_org_and_resource_type</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">q</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">q</span><span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizationId</span><span class="dl">"</span><span class="p">,</span> <span class="nx">organizationId</span><span class="p">).</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">resourceType</span><span class="dl">"</span><span class="p">,</span> <span class="nx">resourceType</span><span class="p">)</span> <span class="p">)</span> <span class="p">.</span><span class="nf">order</span><span class="p">(</span><span class="dl">"</span><span class="s2">desc</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">paginate</span><span class="p">(</span><span class="nx">paginationOpts</span><span class="p">);</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// Used by the CSV export endpoint — fetches all entries within a time window</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">listAllForExport</span> <span class="o">=</span> <span class="nf">query</span><span class="p">({</span> <span class="na">args</span><span class="p">:</span> <span class="p">{</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">id</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizations</span><span class="dl">"</span><span class="p">),</span> <span class="na">since</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">optional</span><span class="p">(</span><span class="nx">v</span><span class="p">.</span><span class="nf">number</span><span class="p">()),</span> <span class="c1">// Unix timestamp in ms</span> <span class="p">},</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="p">{</span> <span class="nx">organizationId</span><span class="p">,</span> <span class="nx">since</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">requireOrganizationAccess</span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">organizationId</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">results</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span> <span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">activityLogs</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">withIndex</span><span class="p">(</span><span class="dl">"</span><span class="s2">by_organization</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">q</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">q</span><span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizationId</span><span class="dl">"</span><span class="p">,</span> <span class="nx">organizationId</span><span class="p">)</span> <span class="p">)</span> <span class="p">.</span><span class="nf">order</span><span class="p">(</span><span class="dl">"</span><span class="s2">desc</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">collect</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">since</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">results</span><span class="p">.</span><span class="nf">filter</span><span class="p">((</span><span class="nx">entry</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">entry</span><span class="p">.</span><span class="nx">_creationTime</span> <span class="o">&gt;=</span> <span class="nx">since</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">results</span><span class="p">;</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>Every query starts with <code>requireOrganizationAccess</code>. This is not optional. Audit log data is sensitive — the fact that it is read-only does not make it public. A user with access to Org A must not be able to call <code>activityLogs.list</code> with Org B's ID and receive results. The access check runs before any data is read.</p> <h2> Step #3: Build the Activity Feed UI </h2> <p>Add the page at <code>/org/[slug]/activity</code>. It shows all activity with filter pills for resource type, loads more entries on scroll, and updates in real time as new entries arrive.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// app/org/[slug]/activity/page.tsx</span> <span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">usePaginatedQuery</span><span class="p">,</span> <span class="nx">useQuery</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">convex/react</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">api</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/convex/_generated/api</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">formatDistanceToNow</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">date-fns</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">ACTION_LABELS</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">string</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">document.created</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">created a document</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">document.updated</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">updated a document</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">document.deleted</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">deleted a document</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">document.shared</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">shared a document</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">document.unshared</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">unshared a document</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">member.invited</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">invited a member</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">member.removed</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">removed a member</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">member.role_changed</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">changed a member's role</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">invitation.accepted</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">accepted an invitation</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">invitation.revoked</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">revoked an invitation</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">role.created</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">created a role</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">role.updated</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">updated a role</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">role.deleted</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">deleted a role</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">settings.updated</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">updated settings</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">billing.plan_changed</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">changed the billing plan</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">org.created</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">created the organization</span><span class="dl">"</span><span class="p">,</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">RESOURCE_TYPE_FILTERS</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="dl">""</span><span class="p">,</span> <span class="na">label</span><span class="p">:</span> <span class="dl">"</span><span class="s2">All activity</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="dl">"</span><span class="s2">document</span><span class="dl">"</span><span class="p">,</span> <span class="na">label</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Documents</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="dl">"</span><span class="s2">member</span><span class="dl">"</span><span class="p">,</span> <span class="na">label</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Members</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="dl">"</span><span class="s2">role</span><span class="dl">"</span><span class="p">,</span> <span class="na">label</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Roles</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="dl">"</span><span class="s2">settings</span><span class="dl">"</span><span class="p">,</span> <span class="na">label</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Settings</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="dl">"</span><span class="s2">billing</span><span class="dl">"</span><span class="p">,</span> <span class="na">label</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Billing</span><span class="dl">"</span> <span class="p">},</span> <span class="p">];</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">ActivityPage</span><span class="p">({</span> <span class="nx">params</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">params</span><span class="p">:</span> <span class="p">{</span> <span class="na">slug</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">org</span> <span class="o">=</span> <span class="nf">useQuery</span><span class="p">(</span><span class="nx">api</span><span class="p">.</span><span class="nx">organizations</span><span class="p">.</span><span class="nx">getBySlug</span><span class="p">,</span> <span class="p">{</span> <span class="na">slug</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nx">slug</span> <span class="p">});</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">resourceTypeFilter</span><span class="p">,</span> <span class="nx">setResourceTypeFilter</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">""</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">results</span><span class="p">,</span> <span class="nx">status</span><span class="p">,</span> <span class="nx">loadMore</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">usePaginatedQuery</span><span class="p">(</span> <span class="nx">resourceTypeFilter</span> <span class="p">?</span> <span class="nx">api</span><span class="p">.</span><span class="nx">activityLogs</span><span class="p">.</span><span class="nx">listByResourceType</span> <span class="p">:</span> <span class="nx">api</span><span class="p">.</span><span class="nx">activityLogs</span><span class="p">.</span><span class="nx">list</span><span class="p">,</span> <span class="nx">org</span> <span class="p">?</span> <span class="nx">resourceTypeFilter</span> <span class="p">?</span> <span class="p">{</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">org</span><span class="p">.</span><span class="nx">_id</span><span class="p">,</span> <span class="na">resourceType</span><span class="p">:</span> <span class="nx">resourceTypeFilter</span> <span class="p">}</span> <span class="p">:</span> <span class="p">{</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">org</span><span class="p">.</span><span class="nx">_id</span> <span class="p">}</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">skip</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">initialNumItems</span><span class="p">:</span> <span class="mi">25</span> <span class="p">}</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">org</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"p-8 text-sm text-gray-500"</span><span class="p">&gt;</span>Loading...<span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;;</span> <span class="p">}</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"max-w-2xl mx-auto py-8 space-y-6"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"flex items-center justify-between"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">h1</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-xl font-semibold"</span><span class="p">&gt;</span>Activity<span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-sm text-gray-500 mt-0.5"</span><span class="p">&gt;</span> A record of every action taken in this organization. <span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">a</span> <span class="na">href</span><span class="p">=</span><span class="si">{</span><span class="s2">`/api/activity/export?orgId=</span><span class="p">${</span><span class="nx">org</span><span class="p">.</span><span class="nx">_id</span><span class="p">}</span><span class="s2">`</span><span class="si">}</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-sm text-gray-500 hover:text-gray-900 underline underline-offset-2"</span> <span class="p">&gt;</span> Export CSV <span class="p">&lt;/</span><span class="nt">a</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* Filter pills */</span><span class="si">}</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"flex gap-2 flex-wrap"</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">RESOURCE_TYPE_FILTERS</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">filter</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">key</span><span class="p">=</span><span class="si">{</span><span class="nx">filter</span><span class="p">.</span><span class="nx">value</span><span class="si">}</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">setResourceTypeFilter</span><span class="p">(</span><span class="nx">filter</span><span class="p">.</span><span class="nx">value</span><span class="p">)</span><span class="si">}</span> <span class="na">className</span><span class="p">=</span><span class="si">{</span><span class="s2">`px-3 py-1.5 rounded-full text-xs font-medium transition-colors </span><span class="p">${</span> <span class="nx">resourceTypeFilter</span> <span class="o">===</span> <span class="nx">filter</span><span class="p">.</span><span class="nx">value</span> <span class="p">?</span> <span class="dl">"</span><span class="s2">bg-black text-white</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">bg-gray-100 text-gray-600 hover:bg-gray-200</span><span class="dl">"</span> <span class="p">}</span><span class="s2">`</span><span class="si">}</span> <span class="p">&gt;</span> <span class="si">{</span><span class="nx">filter</span><span class="p">.</span><span class="nx">label</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">))</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* Log entries */</span><span class="si">}</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"space-y-1"</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">results</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">0</span> <span class="o">&amp;&amp;</span> <span class="nx">status</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">Exhausted</span><span class="dl">"</span> <span class="p">?</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-sm text-gray-400 py-8 text-center"</span><span class="p">&gt;</span>No activity yet.<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">)</span> <span class="p">:</span> <span class="p">(</span> <span class="nx">results</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">entry</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">key</span><span class="p">=</span><span class="si">{</span><span class="nx">entry</span><span class="p">.</span><span class="nx">_id</span><span class="si">}</span> <span class="na">className</span><span class="p">=</span><span class="s">"flex items-start gap-3 py-3 border-b border-gray-100 last:border-0"</span> <span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* Actor avatar */</span><span class="si">}</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"w-7 h-7 rounded-full bg-gray-200 flex items-center justify-center flex-shrink-0 mt-0.5"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">span</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-xs font-medium text-gray-600"</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">entry</span><span class="p">.</span><span class="nx">actorName</span><span class="p">?.[</span><span class="mi">0</span><span class="p">]?.</span><span class="nf">toUpperCase</span><span class="p">()</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">?</span><span class="dl">"</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"flex-1 min-w-0"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-sm text-gray-900"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">span</span> <span class="na">className</span><span class="p">=</span><span class="s">"font-medium"</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">entry</span><span class="p">.</span><span class="nx">actorName</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="si">{</span><span class="dl">"</span><span class="s2"> </span><span class="dl">"</span><span class="si">}</span> <span class="p">&lt;</span><span class="nt">span</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-gray-600"</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">ACTION_LABELS</span><span class="p">[</span><span class="nx">entry</span><span class="p">.</span><span class="nx">action</span><span class="p">]</span> <span class="o">??</span> <span class="nx">entry</span><span class="p">.</span><span class="nx">action</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">entry</span><span class="p">.</span><span class="nx">resourceLabel</span> <span class="o">&amp;&amp;</span> <span class="p">(</span> <span class="p">&lt;&gt;</span> <span class="si">{</span><span class="dl">"</span><span class="s2">: </span><span class="dl">"</span><span class="si">}</span> <span class="p">&lt;</span><span class="nt">span</span> <span class="na">className</span><span class="p">=</span><span class="s">"font-medium text-gray-900"</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">entry</span><span class="p">.</span><span class="nx">resourceLabel</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="p">&lt;/&gt;</span> <span class="p">)</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* Show before/after for role changes */</span><span class="si">}</span> <span class="si">{</span><span class="nx">entry</span><span class="p">.</span><span class="nx">action</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">member.role_changed</span><span class="dl">"</span> <span class="o">&amp;&amp;</span> <span class="nx">entry</span><span class="p">.</span><span class="nx">metadata</span> <span class="o">&amp;&amp;</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-xs text-gray-400 mt-0.5"</span><span class="p">&gt;</span> <span class="si">{</span><span class="p">(</span><span class="nx">entry</span><span class="p">.</span><span class="nx">metadata</span> <span class="k">as</span> <span class="kr">any</span><span class="p">).</span><span class="nx">previousRole</span><span class="si">}</span> → <span class="si">{</span><span class="p">(</span><span class="nx">entry</span><span class="p">.</span><span class="nx">metadata</span> <span class="k">as</span> <span class="kr">any</span><span class="p">).</span><span class="nx">newRole</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">)</span><span class="si">}</span> <span class="si">{</span><span class="cm">/* Show which field changed for settings updates */</span><span class="si">}</span> <span class="si">{</span><span class="nx">entry</span><span class="p">.</span><span class="nx">action</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">settings.updated</span><span class="dl">"</span> <span class="o">&amp;&amp;</span> <span class="nx">entry</span><span class="p">.</span><span class="nx">metadata</span> <span class="o">&amp;&amp;</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-xs text-gray-400 mt-0.5"</span><span class="p">&gt;</span> Field: <span class="si">{</span><span class="p">(</span><span class="nx">entry</span><span class="p">.</span><span class="nx">metadata</span> <span class="k">as</span> <span class="kr">any</span><span class="p">).</span><span class="nx">field</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">)</span><span class="si">}</span> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-xs text-gray-400 mt-0.5"</span><span class="p">&gt;</span> <span class="si">{</span><span class="nf">formatDistanceToNow</span><span class="p">(</span><span class="nx">entry</span><span class="p">.</span><span class="nx">_creationTime</span><span class="p">,</span> <span class="p">{</span> <span class="na">addSuffix</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span><span class="si">}</span> <span class="si">{</span><span class="dl">"</span><span class="s2"> · </span><span class="dl">"</span><span class="si">}</span> <span class="si">{</span><span class="nx">entry</span><span class="p">.</span><span class="nx">actorEmail</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">))</span> <span class="p">)</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">status</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">CanLoadMore</span><span class="dl">"</span> <span class="o">&amp;&amp;</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"flex justify-center pt-2"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">loadMore</span><span class="p">(</span><span class="mi">25</span><span class="p">)</span><span class="si">}</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-sm text-gray-500 hover:text-gray-900 underline underline-offset-2"</span> <span class="p">&gt;</span> Load more <span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">)</span><span class="si">}</span> <span class="si">{</span><span class="nx">status</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">LoadingMore</span><span class="dl">"</span> <span class="o">&amp;&amp;</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-center text-sm text-gray-400"</span><span class="p">&gt;</span>Loading...<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">)</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The feed is reactive. Convex tracks the query's data dependencies and pushes updates to the component whenever a new log entry is written. An org member watching the activity page will see new entries appear in real time — without a page refresh, without polling, without any extra setup.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3z7zis3h6bvv6k55odey.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3z7zis3h6bvv6k55odey.png" alt="The activity feed UI. Top row shows " width="800" height="502"></a></p> <h2> Step #4: Export as CSV for Compliance </h2> <p>When a compliance team or auditor asks for the activity history, they want a file — not a browser tab. Add a Next.js API route that fetches all logs for an org and returns them as a downloadable CSV.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/activity/export/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextRequest</span><span class="p">,</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ConvexHttpClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">convex/browser</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">api</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/convex/_generated/api</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Id</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/convex/_generated/dataModel</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">convex</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ConvexHttpClient</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_CONVEX_URL</span><span class="o">!</span><span class="p">);</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">GET</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">authenticated</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">authenticated</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">NextResponse</span><span class="p">(</span><span class="dl">"</span><span class="s2">Unauthorized</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">orgId</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">orgId</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">orgId</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">NextResponse</span><span class="p">(</span><span class="dl">"</span><span class="s2">Missing orgId</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">400</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Optional: limit to last 90 days with ?since=&lt;timestamp&gt;</span> <span class="kd">const</span> <span class="nx">since</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">since</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">logs</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">convex</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="nx">api</span><span class="p">.</span><span class="nx">activityLogs</span><span class="p">.</span><span class="nx">listAllForExport</span><span class="p">,</span> <span class="p">{</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">orgId</span> <span class="k">as</span> <span class="nx">Id</span><span class="o">&lt;</span><span class="dl">"</span><span class="s2">organizations</span><span class="dl">"</span><span class="o">&gt;</span><span class="p">,</span> <span class="na">since</span><span class="p">:</span> <span class="nx">since</span> <span class="p">?</span> <span class="nc">Number</span><span class="p">(</span><span class="nx">since</span><span class="p">)</span> <span class="p">:</span> <span class="kc">undefined</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">csvRows</span> <span class="o">=</span> <span class="p">[</span> <span class="p">[</span><span class="dl">"</span><span class="s2">Timestamp</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Actor Name</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Actor Email</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Action</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Resource Type</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Resource</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Details</span><span class="dl">"</span><span class="p">].</span><span class="nf">join</span><span class="p">(</span><span class="dl">"</span><span class="s2">,</span><span class="dl">"</span><span class="p">),</span> <span class="p">...</span><span class="nx">logs</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">entry</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">entry</span><span class="p">.</span><span class="nx">_creationTime</span><span class="p">).</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="s2">`"</span><span class="p">${</span><span class="nx">entry</span><span class="p">.</span><span class="nx">actorName</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/"/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">""</span><span class="dl">'</span><span class="p">)}</span><span class="s2">"`</span><span class="p">,</span> <span class="nx">entry</span><span class="p">.</span><span class="nx">actorEmail</span><span class="p">,</span> <span class="nx">entry</span><span class="p">.</span><span class="nx">action</span><span class="p">,</span> <span class="nx">entry</span><span class="p">.</span><span class="nx">resourceType</span><span class="p">,</span> <span class="s2">`"</span><span class="p">${(</span><span class="nx">entry</span><span class="p">.</span><span class="nx">resourceLabel</span> <span class="o">??</span> <span class="dl">""</span><span class="p">).</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/"/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">""</span><span class="dl">'</span><span class="p">)}</span><span class="s2">"`</span><span class="p">,</span> <span class="s2">`"</span><span class="p">${</span><span class="nx">entry</span><span class="p">.</span><span class="nx">metadata</span> <span class="p">?</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">entry</span><span class="p">.</span><span class="nx">metadata</span><span class="p">).</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/"/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">""</span><span class="dl">'</span><span class="p">)</span> <span class="p">:</span> <span class="dl">""</span><span class="p">}</span><span class="s2">"`</span><span class="p">,</span> <span class="p">].</span><span class="nf">join</span><span class="p">(</span><span class="dl">"</span><span class="s2">,</span><span class="dl">"</span><span class="p">)</span> <span class="p">),</span> <span class="p">].</span><span class="nf">join</span><span class="p">(</span><span class="dl">"</span><span class="se">\n</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">NextResponse</span><span class="p">(</span><span class="nx">csvRows</span><span class="p">,</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text/csv</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Content-Disposition</span><span class="dl">"</span><span class="p">:</span> <span class="s2">`attachment; filename="activity-</span><span class="p">${</span><span class="nx">orgId</span><span class="p">}</span><span class="s2">-</span><span class="p">${</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()}</span><span class="s2">.csv"`</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p><code>getKindeServerSession</code> from <code>@kinde-oss/kinde-auth-nextjs/server</code> verifies the user is authenticated before any data is touched. The <code>ConvexHttpClient</code> is the correct way to call Convex from a Next.js API route or server action — outside of a React component, <code>useQuery</code> is not available, so you use the HTTP client directly.</p> <p>You now have a complete audit log — write path, read path, real-time feed, and CSV export in one clean pipeline.</p> <h2> Step #5: Guarantee Org Isolation </h2> <p>Org isolation is not automatic. You enforce it explicitly at every query boundary with <code>requireOrganizationAccess</code>. Here is what that helper looks like and why the order of checks matters.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// convex/lib/auth.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">QueryCtx</span><span class="p">,</span> <span class="nx">MutationCtx</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../_generated/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Id</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../_generated/dataModel</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">requireOrganizationAccess</span><span class="p">(</span> <span class="nx">ctx</span><span class="p">:</span> <span class="nx">QueryCtx</span> <span class="o">|</span> <span class="nx">MutationCtx</span><span class="p">,</span> <span class="nx">organizationId</span><span class="p">:</span> <span class="nx">Id</span><span class="o">&lt;</span><span class="dl">"</span><span class="s2">organizations</span><span class="dl">"</span><span class="o">&gt;</span> <span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">identity</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">getUserIdentity</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">identity</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Not authenticated</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span> <span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">users</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">withIndex</span><span class="p">(</span><span class="dl">"</span><span class="s2">by_kinde_id</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">q</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">q</span><span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">kindeId</span><span class="dl">"</span><span class="p">,</span> <span class="nx">identity</span><span class="p">.</span><span class="nx">subject</span><span class="p">))</span> <span class="p">.</span><span class="nf">unique</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">User not found</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">membership</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span> <span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizationMembers</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">withIndex</span><span class="p">(</span><span class="dl">"</span><span class="s2">by_org_and_user</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">q</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">q</span><span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizationId</span><span class="dl">"</span><span class="p">,</span> <span class="nx">organizationId</span><span class="p">).</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">userId</span><span class="dl">"</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">_id</span><span class="p">)</span> <span class="p">)</span> <span class="p">.</span><span class="nf">unique</span><span class="p">();</span> <span class="c1">// No membership record = no access. This check runs before any log data is read.</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">membership</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Access denied</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">user</span><span class="p">,</span> <span class="nx">membership</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>When <code>activityLogs.list</code> is called with an organization ID, <code>requireOrganizationAccess</code> checks for a membership record in that specific org before the log query runs. A member of Org A cannot call the query with Org B's ID and receive results — the check throws before any database read happens.</p> <p>The isolation guarantee has two layers. First, the membership check in the query handler. Second, the <code>organizationId</code> field on every log entry — each query is scoped to one org's index range. Even if the membership check somehow failed, a query hitting <code>by_organization</code> would only return entries for that specific org.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo81a5ngrjzc9c3y21gv6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo81a5ngrjzc9c3y21gv6.png" alt="Two side-by-side columns labeled " width="800" height="661"></a></p> <h2> Testing the System </h2> <p>Do not skip this. An audit log that silently misses entries is worse than no audit log — it creates false confidence. These five tests verify the critical paths.</p> <p><strong>Test 1: Transactional commit</strong></p> <p>Call <code>documents.remove</code> with a valid document ID. After it succeeds, open the Convex dashboard and check the <code>activityLogs</code> table — a <code>document.deleted</code> entry should exist with the correct <code>resourceLabel</code>. Now temporarily patch the mutation to throw an error after <code>ctx.db.delete</code> but before <code>auditLog</code>. Call it again. Both the deletion and the log entry should roll back together. If the document gets deleted but no log entry appears, your <code>auditLog</code> call is outside the mutation handler — move it inside.</p> <p><strong>Test 2: Actor identity per session</strong></p> <p>Sign in as two different users and each create a document in the same organization. Check <code>activityLogs</code> — the two entries should have different <code>actorId</code>, <code>actorEmail</code>, and <code>actorName</code> values. If both entries show the same actor, <code>getCurrentUser</code> is reading from a stale or shared identity source.</p> <p><strong>Test 3: Org isolation under direct API call</strong></p> <p>From the Convex dashboard, call <code>activityLogs.list</code> with the ID of an organization the currently authenticated user does not belong to. You should receive:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: Access denied </code></pre> </div> <p>If the query returns data, <code>requireOrganizationAccess</code> is either missing or not throwing correctly.</p> <p><strong>Test 4: Resource label captured before deletion</strong></p> <p>Create a document titled "Q2 Vendor Report". Delete it. Find the <code>document.deleted</code> entry in <code>activityLogs</code>. The <code>resourceLabel</code> field should read <code>"Q2 Vendor Report"</code>. If it is null or undefined, the delete is happening before the title is read. Reverse the order.</p> <p><strong>Test 5: Metadata correctness on role changes</strong></p> <p>Change a member's role from <code>member</code> to <code>admin</code>. Find the <code>member.role_changed</code> log entry and expand <code>metadata</code>. It should contain <code>{ "previousRole": "member", "newRole": "admin" }</code>. If <code>previousRole</code> is <code>null</code>, the membership record is being read after the patch — capture the previous role before calling <code>ctx.db.patch</code>.</p> <h2> Common Mistakes to Avoid </h2> <p><strong>Capturing resource labels after the mutation.</strong> Read everything you need from the affected resource before modifying or deleting it. After <code>ctx.db.delete</code>, the document is gone. After <code>ctx.db.patch</code>, the original field values are overwritten in the current context. Read first, write second, log third.</p> <p><strong>Calling a side-effect logging service after the mutation returns.</strong> If you call an external logging service after the Convex mutation completes, the log entry and the action are not transactionally coupled. A network failure or a crash between the mutation completing and the side-effect firing gives you a permanent inconsistency in your audit trail. Keep <code>auditLog</code> inside the Convex mutation.</p> <p><strong>Skipping <code>requireOrganizationAccess</code> on log queries.</strong> Audit log data is sensitive. The fact that it is read-only does not make it safe to skip the access check. Every query that reads <code>activityLogs</code> needs the membership check, no exceptions.</p> <p><strong>Storing a Convex document ID instead of the Kinde user ID as <code>actorId</code>.</strong> Convex document IDs change if you migrate or restructure data. Kinde user IDs are stable identifiers issued by the identity provider. Use the Kinde ID.</p> <p><strong>Not filtering by <code>organizationId</code> on every log query.</strong> A query that reads from <code>activityLogs</code> without an <code>organizationId</code> constraint is a full table scan that will slow down as the table grows and expose cross-org data. Every query goes through an index that starts with <code>organizationId</code>.</p> <h2> What This Enables </h2> <p>An enterprise customer's IT team can answer "who accessed what and when" directly from the activity feed — no support ticket, no engineering involvement.</p> <p>Your compliance team can export a CSV of all activity within any date range and hand it to an auditor without writing a single SQL query.</p> <p>When a user claims their settings were changed without their knowledge, you check the log and show them exactly who made the change and when — in under a minute.</p> <p>Enterprise deals that stalled on the audit log question now have a concrete answer: every action is logged at write time, every entry is scoped to one organization, the data is exportable on demand, and the log is tamper-evident by design.</p> <h2> What Is Next </h2> <p><strong>Retention policies.</strong> Add a scheduled Convex function that runs nightly and deletes log entries older than your configured retention window. Store the retention duration on the organization record so you can offer longer retention as a paid feature for enterprise tiers.</p> <p><strong>Admin-only visibility.</strong> Right now any org member who can reach the activity route can view the feed. Add a <code>audit:read</code> permission check inside the query handler — the membership check is already there, it is a small addition — and gate the page to admins and owners only.</p> <p><strong>Webhook delivery.</strong> Enterprise customers with SIEM (security information and event management) tools will ask for activity data pushed to them in real time. Add a Convex action that fires a webhook to a customer-configured URL after each log entry is written. The payload is the log entry itself.</p> <p><strong>Full-text search.</strong> For orgs with high activity volume, time-range and resource-type filters are not always enough. Convex supports full-text search indexes. Adding one on <code>action</code> and <code>resourceLabel</code> lets you support queries like "show all activity mentioning 'Q2 Report'".</p> webdev kinde convex learning Shola Jegede Tue, 14 Apr 2026 14:28:29 +0000 https://dev.to/sholajegede/how-to-use-feature-flags-to-safely-roll-out-features-in-production-with-kinde-cdg https://dev.to/sholajegede/how-to-use-feature-flags-to-safely-roll-out-features-in-production-with-kinde-cdg <p>In this article, you will learn:</p> <ul> <li>What feature flags are and why they matter for production releases</li> <li>The four flag types Kinde supports and when to use each one</li> <li>How Kinde delivers flag values through the auth token — no extra SDK required</li> <li>How to create your first feature flag in the Kinde dashboard</li> <li>How to read flags in a Next.js application using the Kinde SDK</li> <li>How to override flags per environment, per organization, and per user</li> <li>How to use flags for gradual AI feature rollouts</li> <li>How to use string flags for A/B testing UI copy</li> <li>How to use integer flags to control per-user AI token limits</li> <li>How to use JSON flags for complex feature configurations</li> <li>The flag lifecycle: creation, rollout, cleanup</li> </ul> <p>Let's dive in!</p> <h2> Why Feature Flags Exist </h2> <p>Every developer has shipped a feature to production and immediately wished they had not. Something works fine in staging. It breaks in production. Users are affected. A rollback means a redeployment — and redeployments take time, require coordination, and sometimes break other things in the process.</p> <p>Feature flags decouple deployment from release. You merge the code, you deploy it, but the feature stays hidden behind a flag set to <code>false</code>. When you are ready to release — or when you want to release to just 10 users first — you flip the flag. No redeployment. No code change. Instant.</p> <p>For AI products specifically, this matters more than for most software. AI features have a different risk profile. A new model might behave unexpectedly under production load. A new AI agent capability might produce output you did not anticipate. A new prompting strategy might increase latency. You want to be able to release these changes to a subset of users, monitor behavior, and either expand the rollout or kill the feature with a single dashboard toggle.</p> <p>That is exactly what Kinde's feature flags give you — and unlike standalone feature flag tools, Kinde's flags live in the same auth token as your user's identity and permissions. No separate SDK. No separate API call. No synchronization problem between your auth state and your flag state.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fawbsd9ofq6meq95h2msx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fawbsd9ofq6meq95h2msx.png" alt="Two deployment flows side by side. LEFT " width="800" height="932"></a></p> <h2> How Kinde Feature Flags Work </h2> <p>Most feature flag services require you to install a separate SDK, make an API call at runtime to fetch flag values, and cache them in localStorage or memory. This adds latency, adds a dependency, and creates a potential desync between what your auth system knows about the user and what your flag system thinks.</p> <p>Kinde takes a different approach. Flag values are embedded directly in the JWT access token under the <code>feature_flags</code> claim. Every time the user's token refreshes, their flag values refresh with it. No separate call. No extra SDK. The flags arrive with the auth token.</p> <p>Here is what that claim looks like in a real Kinde access token:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"kp_abc123"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"alice@example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"feature_flags"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"new_ai_model"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"t"</span><span class="p">:</span><span class="w"> </span><span class="s2">"b"</span><span class="p">,</span><span class="w"> </span><span class="nl">"v"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"ai_token_limit"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"t"</span><span class="p">:</span><span class="w"> </span><span class="s2">"i"</span><span class="p">,</span><span class="w"> </span><span class="nl">"v"</span><span class="p">:</span><span class="w"> </span><span class="mi">1000</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"prompt_variant"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"t"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s"</span><span class="p">,</span><span class="w"> </span><span class="nl">"v"</span><span class="p">:</span><span class="w"> </span><span class="s2">"control"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"model_config"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"t"</span><span class="p">:</span><span class="w"> </span><span class="s2">"j"</span><span class="p">,</span><span class="w"> </span><span class="nl">"v"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"temperature"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.7</span><span class="p">,</span><span class="w"> </span><span class="nl">"max_tokens"</span><span class="p">:</span><span class="w"> </span><span class="mi">500</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"permissions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"reports:view"</span><span class="p">],</span><span class="w"> </span><span class="nl">"org_code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"org_xyz789"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The <code>"t"</code> field is the type (<code>"b"</code> = boolean, <code>"i"</code> = integer, <code>"s"</code> = string, <code>"j"</code> = JSON) and <code>"v"</code> is the value. The Kinde SDK wraps this cleanly so you never have to parse the raw token.</p> <p>Note: Kinde feature flags are completely free on every plan, for every user.</p> <h2> The Four Flag Types </h2> <p>Kinde supports four flag types. The type is set at creation and <strong>cannot be changed later</strong> — the key also cannot be changed, so choose carefully before saving.</p> <p><strong>Boolean</strong> is the classic on/off switch. Use it for anything that is either enabled or disabled: a new feature, a beta programme, a kill switch for a misbehaving AI capability.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Flag key: new_ai_model Type: Boolean Default: false Use case: Hide the new GPT-5 integration until ready for gradual rollout </code></pre> </div> <p><strong>String</strong> passes configuration values as text. Use it for A/B testing copy, selecting between variants of a feature, or setting environment-specific values.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Flag key: prompt_variant Type: String Default: "control" Use case: Test different AI prompt strategies: "control" vs "chain_of_thought" vs "few_shot" </code></pre> </div> <p><strong>Integer</strong> passes numeric limits. Use it to set per-user or per-organization quotas, limits, or thresholds.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Flag key: ai_token_limit Type: Integer Default: 1000 Use case: Control how many AI tokens each user can consume per session </code></pre> </div> <p><strong>JSON</strong> passes structured configuration objects. Use it for complex feature configurations that involve multiple related values.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">Flag</span><span class="w"> </span><span class="err">key:</span><span class="w"> </span><span class="err">model_config</span><span class="w"> </span><span class="err">Type:</span><span class="w"> </span><span class="err">JSON</span><span class="w"> </span><span class="err">Default:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"temperature"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.7</span><span class="p">,</span><span class="w"> </span><span class="nl">"max_tokens"</span><span class="p">:</span><span class="w"> </span><span class="mi">500</span><span class="p">,</span><span class="w"> </span><span class="nl">"model"</span><span class="p">:</span><span class="w"> </span><span class="s2">"gpt-4o"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err">Use</span><span class="w"> </span><span class="err">case:</span><span class="w"> </span><span class="err">Send</span><span class="w"> </span><span class="err">the</span><span class="w"> </span><span class="err">full</span><span class="w"> </span><span class="err">AI</span><span class="w"> </span><span class="err">model</span><span class="w"> </span><span class="err">configuration</span><span class="w"> </span><span class="err">to</span><span class="w"> </span><span class="err">the</span><span class="w"> </span><span class="err">app</span><span class="w"> </span><span class="err">without</span><span class="w"> </span><span class="err">a</span><span class="w"> </span><span class="err">redeployment</span><span class="w"> </span></code></pre> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Type</th> <th>SDK method</th> <th>Best for</th> </tr> </thead> <tbody> <tr> <td>Boolean</td> <td><code>getBooleanFlag</code></td> <td>Feature on/off, kill switches, beta access</td> </tr> <tr> <td>String</td> <td><code>getStringFlag</code></td> <td>A/B variants, copy testing, environment labels</td> </tr> <tr> <td>Integer</td> <td><code>getIntegerFlag</code></td> <td>Rate limits, quotas, timeouts, seat counts</td> </tr> <tr> <td>JSON</td> <td> <code>getFlag</code> (with type)</td> <td>Model configs, complex feature settings</td> </tr> </tbody> </table></div> <h2> Step #1: Create a Feature Flag in Kinde </h2> <p>Navigate to <strong>Releases</strong> → <strong>Feature flags</strong> → <strong>Add feature flag</strong> in your Kinde dashboard.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvpcd0y051hvwrte4yc2u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvpcd0y051hvwrte4yc2u.png" alt="Kinde dashboard Releases &gt; Feature flags page showing the " value="" width="800" height="502"></a></p> <p>Fill in the flag details:</p> <p><strong>Name:</strong> A human-readable label, for example "New AI Model". This can be changed later.</p> <p><strong>Key:</strong> The identifier your code uses, for example <code>new_ai_model</code>. Use lowercase with underscores. This <strong>cannot be changed after creation</strong>.</p> <p><strong>Type:</strong> Select one of Boolean, String, Integer, or JSON. This also <strong>cannot be changed after creation</strong>.</p> <p><strong>Default value:</strong> The value every user gets unless overridden. For a new feature you are not ready to release, the default is <code>false</code> for Boolean.</p> <p><strong>Allow overrides:</strong> Select whether the flag value can be overridden per environment, per organization, or per user. Enable organizations — you will want the flexibility.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F898ks2rmfyfag9o0ntfg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F898ks2rmfyfag9o0ntfg.png" alt="Kinde " value="" width="800" height="502"></a></p> <p>Select <strong>Save</strong>. The flag now exists with a global default of <code>false</code>. Every user in every organization gets <code>false</code> until you explicitly enable it somewhere.</p> <p>Wonderful! The flag is created and safely off. Now wire it into your application.</p> <h2> Step #2: Read Flags in a Next.js Application </h2> <p>The Kinde Next.js SDK exposes flag methods through <code>getKindeServerSession()</code> on the server and <code>useKindeBrowserClient()</code> on the client. For most production use cases, read flags server-side.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/dashboard/page.tsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">redirect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/navigation</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">DashboardPage</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">getUser</span><span class="p">,</span> <span class="nx">getBooleanFlag</span><span class="p">,</span> <span class="nx">getIntegerFlag</span><span class="p">,</span> <span class="nx">getStringFlag</span><span class="p">,</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="p">{</span> <span class="nf">redirect</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/auth/login</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getUser</span><span class="p">();</span> <span class="c1">// Read each flag with a default value as fallback</span> <span class="c1">// The default value is used if the flag doesn't exist in the token</span> <span class="kd">const</span> <span class="nx">showNewAIModel</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getBooleanFlag</span><span class="p">(</span><span class="dl">"</span><span class="s2">new_ai_model</span><span class="dl">"</span><span class="p">,</span> <span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">aiTokenLimit</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getIntegerFlag</span><span class="p">(</span><span class="dl">"</span><span class="s2">ai_token_limit</span><span class="dl">"</span><span class="p">,</span> <span class="mi">1000</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">promptVariant</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getStringFlag</span><span class="p">(</span><span class="dl">"</span><span class="s2">prompt_variant</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">control</span><span class="dl">"</span><span class="p">);</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">main</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">p-8</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h1</span><span class="o">&gt;</span><span class="nx">Dashboard</span><span class="o">&lt;</span><span class="sr">/h1</span><span class="err">&gt; </span> <span class="p">{</span><span class="cm">/* Only render the new AI section if the flag is on */</span><span class="p">}</span> <span class="p">{</span><span class="nx">showNewAIModel</span> <span class="o">&amp;&amp;</span> <span class="p">(</span> <span class="o">&lt;</span><span class="nx">section</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">mt-6 rounded-lg bg-purple-50 p-6</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h2</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">font-semibold text-purple-900</span><span class="dl">"</span><span class="o">&gt;</span> <span class="err">✨</span> <span class="nx">New</span> <span class="nx">AI</span> <span class="nc">Model </span><span class="p">(</span><span class="nx">Beta</span><span class="p">)</span> <span class="o">&lt;</span><span class="sr">/h2</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-sm text-purple-700 mt-1</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">You</span> <span class="nx">have</span> <span class="nx">early</span> <span class="nx">access</span> <span class="nx">to</span> <span class="nx">our</span> <span class="nx">upgraded</span> <span class="nx">AI</span> <span class="nx">model</span><span class="p">.</span> <span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">AIModelInterface</span> <span class="nx">tokenLimit</span><span class="o">=</span><span class="p">{</span><span class="nx">aiTokenLimit</span><span class="p">}</span> <span class="nx">promptVariant</span><span class="o">=</span><span class="p">{</span><span class="nx">promptVariant</span><span class="p">}</span> <span class="sr">/</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/section</span><span class="err">&gt; </span> <span class="p">)}</span> <span class="p">{</span><span class="cm">/* Standard content visible to all users */</span><span class="p">}</span> <span class="o">&lt;</span><span class="nx">section</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">mt-6</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h2</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">font-semibold</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">Standard</span> <span class="nx">Features</span><span class="o">&lt;</span><span class="sr">/h2</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">StandardInterface</span> <span class="nx">tokenLimit</span><span class="o">=</span><span class="p">{</span><span class="nx">aiTokenLimit</span><span class="p">}</span> <span class="sr">/</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/section</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/main</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Placeholder components</span> <span class="kd">function</span> <span class="nf">AIModelInterface</span><span class="p">({</span> <span class="nx">tokenLimit</span><span class="p">,</span> <span class="nx">promptVariant</span><span class="p">,</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">tokenLimit</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">promptVariant</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">})</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">mt-4</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-xs text-purple-500</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">Token</span> <span class="nx">limit</span><span class="p">:</span> <span class="p">{</span><span class="nx">tokenLimit</span><span class="p">}</span> <span class="o">|</span> <span class="nx">Variant</span><span class="p">:</span> <span class="p">{</span><span class="nx">promptVariant</span><span class="p">}</span> <span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">StandardInterface</span><span class="p">({</span> <span class="nx">tokenLimit</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">tokenLimit</span><span class="p">:</span> <span class="kr">number</span> <span class="p">})</span> <span class="p">{</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-sm text-gray-500</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">Token</span> <span class="nx">limit</span><span class="p">:</span> <span class="p">{</span><span class="nx">tokenLimit</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/p&gt;</span><span class="err">; </span><span class="p">}</span> </code></pre> </div> <p>Note: <code>getBooleanFlag("new_ai_model", false)</code> takes the flag key and a default value. If the flag does not exist in the user's token for any reason (flag not created yet, SDK version mismatch), the default value is returned. This makes your application safe to deploy before the flag exists in Kinde.</p> <h2> Step #3: Override Flags Per Environment </h2> <p>The most common override pattern: the new feature is <code>false</code> globally, but <code>true</code> in your staging environment so your team can test it before any users see it.</p> <p>Navigate to <strong>Settings</strong> → <strong>Environment</strong> → <strong>Feature flags</strong> (make sure you are in your staging environment, not production).</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz8875zkdihbaixyjwr65.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz8875zkdihbaixyjwr65.png" alt="Kinde Settings &gt; Environment &gt; Feature flags page showing a list of flags with their values. The " value="" width="800" height="502"></a></p> <p>Find <code>new_ai_model</code> and select <strong>Edit value</strong>. Switch it to <code>true</code>. Select <strong>Save</strong>.</p> <p>Now everyone in your staging environment sees the new AI feature. Everyone in production still sees <code>false</code>. Your team tests it, confirms it works, and when ready you flip it on in production — no code change, no redeployment.</p> <p>The cascade order for flag evaluation is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Business default → Environment override → Organization override → User override </code></pre> </div> <p>The most specific level wins. A user override takes precedence over everything. An organization override takes precedence over the environment. The business default is the fallback when nothing else is set.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fahzx05girpypw0tbynez.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fahzx05girpypw0tbynez.png" alt="Cascade waterfall showing: Business default (false) → Environment override (staging: true, production: false) → Org override (AcmeCorp: true) → User override (alice@test.com: true). At each level, the value either inherits from above or is explicitly set. The user's final value is the lowest-level explicit setting or the inherited value if nothing is set below" width="800" height="810"></a></p> <h2> Step #4: Override Flags Per Organization for Gradual Rollouts </h2> <p>For B2B AI products, you often want to enable a new feature for specific customer organizations before rolling it out globally. An org-level override is exactly how you do this.</p> <p>Navigate to <strong>Organizations</strong> → select your pilot customer's org → <strong>Feature flags</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6e1gwdozp7mz1btulayn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6e1gwdozp7mz1btulayn.png" alt="Kinde Organizations &gt; [Org name] &gt; Feature flags page showing the list of flags and their values for this specific organization" width="800" height="502"></a></p> <p>Select <strong>Edit value</strong> next to <code>secondn_ai_model</code> and set it to <code>true</code>. That organization's users now see the new AI feature. Every other organization still inherits the <code>false</code> default.</p> <p>This is gradual rollout in practice. Your rollout sequence for a significant AI feature might look like this:</p> <p><strong>Week 1:</strong> Enable for your own organization (internal testing)</p> <p><strong>Week 2:</strong> Enable for 2-3 design partner organizations (trusted early adopters)</p> <p><strong>Week 3:</strong> Enable for 10% of organizations (broader beta)</p> <p><strong>Week 4:</strong> Set business default to <code>true</code> (full rollout) and remove org overrides</p> <p>No deployments. No feature branches. No big-bang release. Each step is a toggle in the Kinde dashboard.</p> <h2> Step #5: Override Flags Per User for Beta Access </h2> <p>Sometimes you want to give specific individuals early access — a power user who has asked for beta features, a journalist reviewing the product, or your own test account.</p> <p>Navigate to <strong>Users</strong> → select the user → <strong>Feature flags</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsmqmwsh3i2kg049bvk29.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsmqmwsh3i2kg049bvk29.png" alt="Kinde Users &gt; [User name] &gt; Feature flags tab showing the list of all flags and the user's current values. The " value="" width="800" height="502"></a></p> <p>Find <code>third_ai_model</code> and select <strong>Edit value</strong>. Set it to <code>true</code>. This user now has the new AI feature regardless of which organization they belong to and regardless of the environment default.</p> <p>Note: User-level overrides apply across all organizations and environments for that user. They are the most specific level and cannot be further scoped. If you want to give a user access in one org but not another, use org-level overrides instead.</p> <h2> Step #6: Use String Flags for AI Prompt A/B Testing </h2> <p>String flags unlock a particularly powerful pattern for AI products: testing different prompt strategies without redeployment.</p> <p>Create a flag called <code>ai_prompt_strategy</code> of type <strong>String</strong> with a default value of <code>"standard"</code>. Enable environment and organization overrides.</p> <p>In your API route that calls the AI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/ai/chat/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextRequest</span><span class="p">,</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// Prompt templates for each variant</span> <span class="kd">const</span> <span class="nx">PROMPT_STRATEGIES</span> <span class="o">=</span> <span class="p">{</span> <span class="na">standard</span><span class="p">:</span> <span class="p">(</span><span class="na">userMessage</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="s2">`You are a helpful assistant. User: </span><span class="p">${</span><span class="nx">userMessage</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">chain_of_thought</span><span class="p">:</span> <span class="p">(</span><span class="na">userMessage</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="s2">`You are a helpful assistant. Think step-by-step before answering. User: </span><span class="p">${</span><span class="nx">userMessage</span><span class="p">}</span><span class="s2"> Let me work through this carefully:`</span><span class="p">,</span> <span class="na">few_shot</span><span class="p">:</span> <span class="p">(</span><span class="na">userMessage</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="s2">`You are a helpful assistant. Here are examples of good responses: Q: What is 2+2? A: 4. Q: What is the capital of France? A: Paris. Now answer: </span><span class="p">${</span><span class="nx">userMessage</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">}</span> <span class="k">as</span> <span class="kd">const</span><span class="p">;</span> <span class="kd">type</span> <span class="nx">PromptStrategy</span> <span class="o">=</span> <span class="kr">keyof</span> <span class="k">typeof</span> <span class="nx">PROMPT_STRATEGIES</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">getStringFlag</span><span class="p">,</span> <span class="nx">getIntegerFlag</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Unauthenticated</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Read the prompt strategy flag for this user</span> <span class="kd">const</span> <span class="nx">strategy</span> <span class="o">=</span> <span class="p">(</span><span class="k">await</span> <span class="nf">getStringFlag</span><span class="p">(</span> <span class="dl">"</span><span class="s2">ai_prompt_strategy</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">standard</span><span class="dl">"</span> <span class="p">))</span> <span class="k">as</span> <span class="nx">PromptStrategy</span><span class="p">;</span> <span class="c1">// Read the token limit flag for this user</span> <span class="kd">const</span> <span class="nx">maxTokens</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getIntegerFlag</span><span class="p">(</span><span class="dl">"</span><span class="s2">ai_token_limit</span><span class="dl">"</span><span class="p">,</span> <span class="mi">1000</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">message</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">request</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="c1">// Build the prompt based on the user's assigned variant</span> <span class="kd">const</span> <span class="nx">promptBuilder</span> <span class="o">=</span> <span class="nx">PROMPT_STRATEGIES</span><span class="p">[</span><span class="nx">strategy</span><span class="p">]</span> <span class="o">??</span> <span class="nx">PROMPT_STRATEGIES</span><span class="p">.</span><span class="nx">standard</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">prompt</span> <span class="o">=</span> <span class="nf">promptBuilder</span><span class="p">(</span><span class="nx">message</span><span class="p">);</span> <span class="c1">// Call your AI provider with the variant prompt and limit</span> <span class="kd">const</span> <span class="nx">aiResponse</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">callAIProvider</span><span class="p">({</span> <span class="nx">prompt</span><span class="p">,</span> <span class="nx">maxTokens</span><span class="p">,</span> <span class="c1">// Log which variant was used for analytics</span> <span class="na">metadata</span><span class="p">:</span> <span class="p">{</span> <span class="nx">strategy</span><span class="p">,</span> <span class="na">userId</span><span class="p">:</span> <span class="dl">"</span><span class="s2">from_session</span><span class="dl">"</span> <span class="p">},</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">response</span><span class="p">:</span> <span class="nx">aiResponse</span><span class="p">,</span> <span class="c1">// Optionally surface the variant in the response for debugging</span> <span class="na">_variant</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">development</span><span class="dl">"</span> <span class="p">?</span> <span class="nx">strategy</span> <span class="p">:</span> <span class="kc">undefined</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">callAIProvider</span><span class="p">({</span> <span class="nx">prompt</span><span class="p">,</span> <span class="nx">maxTokens</span><span class="p">,</span> <span class="nx">metadata</span><span class="p">,</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">prompt</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">maxTokens</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">metadata</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">string</span><span class="o">&gt;</span><span class="p">;</span> <span class="p">})</span> <span class="p">{</span> <span class="c1">// Replace with your actual AI provider call</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Calling AI with strategy:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">metadata</span><span class="p">.</span><span class="nx">strategy</span><span class="p">);</span> <span class="k">return</span> <span class="dl">"</span><span class="s2">AI response placeholder</span><span class="dl">"</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>To run the A/B test: set <code>ai_prompt_strategy</code> to <code>"chain_of_thought"</code> for half your organizations in Kinde's org overrides. The other half inherits <code>"standard"</code>. Monitor which variant produces better outcomes in your analytics. When you have a winner, update the business default to the winning strategy and remove the overrides.</p> <h2> Step #7: Use Integer Flags for AI Token Limits </h2> <p>AI API costs are directly proportional to token consumption. Integer flags let you set per-user or per-plan token limits without redeploying when you need to adjust them.</p> <p>Create a flag called <code>ai_token_limit</code> of type <strong>Integer</strong> with a default value of <code>1000</code>. Enable all overrides.</p> <p>Use it in your AI route handler:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// In your AI route handler — enforce the token limit before calling the AI</span> <span class="kd">const</span> <span class="nx">maxTokens</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getIntegerFlag</span><span class="p">(</span><span class="dl">"</span><span class="s2">ai_token_limit</span><span class="dl">"</span><span class="p">,</span> <span class="mi">1000</span><span class="p">);</span> <span class="c1">// Validate the requested tokens against the user's limit</span> <span class="kd">const</span> <span class="nx">requestedTokens</span> <span class="o">=</span> <span class="nx">body</span><span class="p">.</span><span class="nx">max_tokens</span> <span class="o">??</span> <span class="mi">500</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">enforcedTokens</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">min</span><span class="p">(</span><span class="nx">requestedTokens</span><span class="p">,</span> <span class="nx">maxTokens</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">requestedTokens</span> <span class="o">&gt;</span> <span class="nx">maxTokens</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span> <span class="s2">`User requested </span><span class="p">${</span><span class="nx">requestedTokens</span><span class="p">}</span><span class="s2"> tokens, capped to </span><span class="p">${</span><span class="nx">maxTokens</span><span class="p">}</span><span class="s2">`</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Use enforcedTokens in your AI call</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">openai</span><span class="p">.</span><span class="nx">chat</span><span class="p">.</span><span class="nx">completions</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gpt-4o</span><span class="dl">"</span><span class="p">,</span> <span class="na">messages</span><span class="p">:</span> <span class="p">[{</span> <span class="na">role</span><span class="p">:</span> <span class="dl">"</span><span class="s2">user</span><span class="dl">"</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="nx">prompt</span> <span class="p">}],</span> <span class="na">max_tokens</span><span class="p">:</span> <span class="nx">enforcedTokens</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>Now adjust limits per organization without touching code:</p> <ul> <li>Free plan orgs: set <code>ai_token_limit</code> to <code>500</code> via org override</li> <li>Pro plan orgs: inherit the default of <code>1000</code> </li> <li>Enterprise orgs: set <code>ai_token_limit</code> to <code>5000</code> via org override</li> <li>Your own internal org: set <code>ai_token_limit</code> to <code>10000</code> for testing</li> </ul> <p>When your infrastructure changes and you need to globally reduce the default limit, change the business default in the Kinde dashboard. Every user's limit updates at their next token refresh — no deployment.</p> <h2> Step #8: Use JSON Flags for Complex AI Configurations </h2> <p>When multiple related configuration values need to change together, JSON flags keep them atomic. If you use separate flags for each value, you can end up in a state where some values have been updated and others have not, which can cause subtle bugs.</p> <p>Create a flag called <code>ai_model_config</code> of type <strong>JSON</strong> with a default value:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"model"</span><span class="p">:</span><span class="w"> </span><span class="s2">"gpt-4o"</span><span class="p">,</span><span class="w"> </span><span class="nl">"temperature"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.7</span><span class="p">,</span><span class="w"> </span><span class="nl">"max_tokens"</span><span class="p">:</span><span class="w"> </span><span class="mi">500</span><span class="p">,</span><span class="w"> </span><span class="nl">"system_prompt"</span><span class="p">:</span><span class="w"> </span><span class="s2">"You are a helpful AI assistant."</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Enable environment and organization overrides. Now use it in your application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/ai/generate/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextRequest</span><span class="p">,</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">AIModelConfig</span> <span class="p">{</span> <span class="nl">model</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">temperature</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">max_tokens</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">system_prompt</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">DEFAULT_CONFIG</span><span class="p">:</span> <span class="nx">AIModelConfig</span> <span class="o">=</span> <span class="p">{</span> <span class="na">model</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gpt-4o</span><span class="dl">"</span><span class="p">,</span> <span class="na">temperature</span><span class="p">:</span> <span class="mf">0.7</span><span class="p">,</span> <span class="na">max_tokens</span><span class="p">:</span> <span class="mi">500</span><span class="p">,</span> <span class="na">system_prompt</span><span class="p">:</span> <span class="dl">"</span><span class="s2">You are a helpful AI assistant.</span><span class="dl">"</span><span class="p">,</span> <span class="p">};</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">getFlag</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Unauthenticated</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Read the JSON flag — use getFlag with type "j" for JSON</span> <span class="kd">const</span> <span class="nx">configFlag</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getFlag</span><span class="p">(</span> <span class="dl">"</span><span class="s2">ai_model_config</span><span class="dl">"</span><span class="p">,</span> <span class="nx">DEFAULT_CONFIG</span><span class="p">,</span> <span class="dl">"</span><span class="s2">j</span><span class="dl">"</span> <span class="c1">// "j" = JSON type</span> <span class="p">);</span> <span class="c1">// configFlag.value contains the parsed JSON object</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">(</span><span class="nx">configFlag</span><span class="p">?.</span><span class="nx">value</span> <span class="k">as</span> <span class="nx">AIModelConfig</span><span class="p">)</span> <span class="o">??</span> <span class="nx">DEFAULT_CONFIG</span><span class="p">;</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">message</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">request</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="c1">// Use the full config from the flag — one atomic update in Kinde</span> <span class="c1">// changes model, temperature, max_tokens, and system_prompt together</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">callAI</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">model</span><span class="p">,</span> <span class="na">temperature</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">temperature</span><span class="p">,</span> <span class="na">maxTokens</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">max_tokens</span><span class="p">,</span> <span class="na">systemPrompt</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">system_prompt</span><span class="p">,</span> <span class="na">userMessage</span><span class="p">:</span> <span class="nx">message</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">response</span> <span class="p">});</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">callAI</span><span class="p">({</span> <span class="nx">model</span><span class="p">,</span> <span class="nx">temperature</span><span class="p">,</span> <span class="nx">maxTokens</span><span class="p">,</span> <span class="nx">systemPrompt</span><span class="p">,</span> <span class="nx">userMessage</span><span class="p">,</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">model</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">temperature</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">maxTokens</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">systemPrompt</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">userMessage</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">})</span> <span class="p">{</span> <span class="c1">// Your AI provider call using the flag-configured values</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Using model: </span><span class="p">${</span><span class="nx">model</span><span class="p">}</span><span class="s2">, temp: </span><span class="p">${</span><span class="nx">temperature</span><span class="p">}</span><span class="s2">, max_tokens: </span><span class="p">${</span><span class="nx">maxTokens</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">return</span> <span class="dl">"</span><span class="s2">AI response placeholder</span><span class="dl">"</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>When you want to test a newer model with different parameters, update the JSON flag value for your staging environment. If it works well, update the production environment override. If there is a problem, revert the JSON flag — all four values revert atomically.</p> <h2> Putting It All Together </h2> <p>Here is a complete rollout lifecycle for a major AI feature using flags:</p> <p><strong>Phase 1 — Development (flag default: <code>false</code>):</strong><br> Code is deployed behind the flag. Nothing changes for users. Your team iterates freely.</p> <p><strong>Phase 2 — Internal testing (environment override: staging <code>true</code>):</strong><br> The feature is live in staging. Your team tests it thoroughly against real data. Production users are unaffected.</p> <p><strong>Phase 3 — Beta access (user overrides: specific users <code>true</code>):</strong><br> You enable the flag for 5 power users and your own account. Collect feedback. Fix issues without touching code.</p> <p><strong>Phase 4 — Gradual rollout (org overrides: pilot orgs <code>true</code>):</strong><br> Enable for 3 design partner organizations. Monitor AI token consumption, error rates, user satisfaction. Expand to 20% of orgs if metrics look good.</p> <p><strong>Phase 5 — Full release (business default: <code>true</code>):</strong><br> Update the global default to <code>true</code>. All remaining users see the feature. Remove org-level overrides — they are no longer needed.</p> <p><strong>Phase 6 — Cleanup (delete the flag):</strong><br> Once the feature is stable and you are confident you will not need to roll back, remove the flag from your code and delete it from Kinde. Temporary flags are technical debt. A flag that controls a permanent feature state can stay; a flag that was used to control a release should go.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbuosy1lopjug4mfb6efw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbuosy1lopjug4mfb6efw.png" alt="Six-phase rollout timeline as a horizontal flow: Dev (flag off, code deployed) → Internal Testing (staging override on) → Beta Users (user overrides on) → Gradual Rollout (org overrides expanding) → Full Release (global default on) → Cleanup (flag deleted). Each phase is a labeled box with the flag configuration state shown below it. Arrows connect each phase. This is the canonical feature flag lifecycle readers should internalize" width="800" height="74"></a></p> <h2> Flag Naming Conventions </h2> <p>A flag library grows fast. Without conventions it becomes unmanageable. Use these patterns from the start:</p> <p><strong>Prefix by category:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">ai_* AI feature flags (ai_new_model, ai_token_limit, ai_prompt_strategy)</span> <span class="s">ui_* UI and design flags (ui_dark_mode, ui_new_nav)</span> <span class="s">billing_* Billing and plan flags (billing_annual_discount)</span> <span class="s">beta_* Beta features (beta_voice_input, beta_export_pdf)</span> </code></pre> </div> <p><strong>Use positive names for booleans:</strong> <code>show_new_dashboard</code> not <code>hide_old_dashboard</code>. Double negatives in code (<code>if (!hideOldDashboard)</code>) cause bugs.</p> <p><strong>Use descriptive names for strings and integers:</strong> <code>ai_model_name</code> not <code>model</code>, <code>ai_max_tokens_per_request</code> not <code>limit</code>.</p> <p><strong>Document the flag purpose in the description field.</strong> Kinde lets you add a description when creating the flag. Write what the flag does, what the rollout plan is, and when it should be deleted. Future you will appreciate it.</p> <h2> Conclusion </h2> <p>In this article, you learned how to use Kinde feature flags to safely roll out features in production — using all four flag types, managing overrides at the environment, organization, and user levels, and running a phased rollout from internal testing to full release without a single redeployment.</p> <p>The key insight that makes Kinde's approach different: flags are delivered in the auth token, not fetched separately. The same token that authenticates your user also carries their flag values, their permissions, and their organization context. One integration. One token. Everything your application needs to make runtime decisions.</p> <p>Kinde is free for up to 10,500 monthly active users, no credit card required. Feature flags are available on every plan. Create your account at <a href="https://kinde.com" rel="noopener noreferrer">kinde.com</a> and start shipping code with confidence.</p> webdev kinde featureflags programming Shola Jegede Tue, 14 Apr 2026 12:47:33 +0000 https://dev.to/sholajegede/how-to-add-enterprise-sso-to-your-ai-app-with-kinde-saml-oidc-and-beyond-438a https://dev.to/sholajegede/how-to-add-enterprise-sso-to-your-ai-app-with-kinde-saml-oidc-and-beyond-438a <p><em>Enterprise buyers will not deploy your AI app without SSO. Here is everything you need to know to pass that security review.</em></p> <p>In this article, you will learn:</p> <ul> <li>Why enterprise SSO is now non-negotiable for AI apps that sell to businesses</li> <li>The difference between SAML and OIDC — and which one to use when</li> <li>How Kinde models enterprise connections with organizations</li> <li>How to configure a custom SAML connection in Kinde step by step</li> <li>How to configure a Microsoft Entra ID (Azure AD) SAML connection</li> <li>What home realm discovery is and why it makes the login experience seamless</li> <li>How JIT (just-in-time) provisioning works in Kinde</li> <li>How IdP-initiated SSO works (Kinde shipped this in February 2026)</li> <li>How to let enterprise customers configure their own SSO via the self-serve portal</li> <li>How to use Kinde's suspend organization feature when a customer churns or has a security incident</li> </ul> <p>Let's dive in!</p> <h2> Why Enterprise SSO Is No Longer Optional for AI Apps </h2> <p>There is a question every AI founder building for enterprise customers will hear sooner or later, usually from IT security during a procurement review: "Do you support SSO?"</p> <p>The wrong answer ends the deal. Not "we're working on it." Not "we have Google login." SSO — specifically SAML 2.0 or enterprise OIDC federated to the company's identity provider — is a hard requirement for any AI app that wants to handle company data at scale.</p> <p>The reason is not bureaucracy. It is a genuine security need that AI tools make more acute than most SaaS products. When a 30-person team at a financial services firm deploys your AI app to analyze internal documents, every one of those 30 users needs to be automatically deprovisioned the moment they leave the company. With SSO, that happens instantly — their IdP account is deactivated and they cannot access your app, your AI's context, or your data. Without SSO, some offboarding ticket eventually gets filed and one of those users might still have access six weeks after their last day.</p> <p>Enterprise IT teams also need your AI app to be visible in their identity governance stack. If your app lives outside their IdP's audit trail, it will not pass a SOC 2 or ISO 27001 review. SSO is what makes your app governable.</p> <p>The good news: adding enterprise SSO no longer requires weeks of work. Kinde handles the SAML/OIDC infrastructure — you configure connections in a dashboard, your app code stays exactly as it is, and enterprise customers connect their Okta, Entra ID, or other IdP the same day they ask for it.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqsdbkcat7v5i2qejkyiw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqsdbkcat7v5i2qejkyiw.png" alt="Two columns showing " width="800" height="913"></a></p> <h2> SAML vs OIDC: Choosing the Right Protocol </h2> <p>Before touching any configuration, understand which protocol your customer needs. Getting this wrong means starting over.</p> <p><strong>SAML 2.0</strong> is the enterprise legacy standard. XML-based, widely supported by every major enterprise IdP including Okta, Microsoft Entra ID (Azure AD), Google Workspace, and Ping Identity. If your customer has been in business for more than 10 years or works in financial services, healthcare, or government, they almost certainly have SAML infrastructure. This is the protocol you will encounter most often in enterprise procurement reviews.</p> <p><strong>OIDC (OpenID Connect)</strong> is the modern standard, built on OAuth 2.0. JSON-based, simpler to implement, better suited for mobile and API-driven authentication. Increasingly preferred by newer enterprises and tech companies. If your customer uses Okta with OIDC configured, or runs a modern identity stack, OIDC is the cleaner choice.</p> <p>Both are fully supported by Kinde. Here is a practical decision guide:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scenario</th> <th>Recommended protocol</th> </tr> </thead> <tbody> <tr> <td>Customer uses Okta, Ping, or ADFS</td> <td>SAML 2.0</td> </tr> <tr> <td>Customer uses Microsoft Entra ID (Azure AD)</td> <td>SAML or Entra ID OIDC — both work</td> </tr> <tr> <td>Customer is a modern tech company with Google Workspace</td> <td>SAML (Google Workspace SAML)</td> </tr> <tr> <td>Customer uses a modern cloud-native IdP</td> <td>OIDC</td> </tr> <tr> <td>Customer has no strong preference</td> <td>OIDC — simpler to configure</td> </tr> <tr> <td>Customer's IT team sends you XML metadata</td> <td>SAML — that is their preference</td> </tr> </tbody> </table></div> <p>Note: If a customer sends you an XML metadata URL, they are using SAML. If they send you a discovery endpoint URL ending in <code>.well-known/openid-configuration</code>, they are using OIDC. The format of what they provide tells you the protocol.</p> <h2> How Kinde Models Enterprise SSO </h2> <p>Kinde's SSO model is built around two concepts you need to understand before configuring anything.</p> <p><strong>Kinde acts as the Service Provider (SP).</strong> Your enterprise customer acts as (or connects to) the Identity Provider (IdP). This means the IdP owns the user identities — their Okta, Entra ID, or Google Workspace is the source of truth. Kinde receives the authentication assertion from the IdP and issues its own session token to your app. Your application code always talks to Kinde — never directly to the customer's IdP.</p> <p><strong>Enterprise connections live on organizations.</strong> In Kinde, each enterprise customer is a Kinde organization. Their SSO connection is attached to that organization. This is the right model for multi-tenant AI apps: one connection per customer, each isolated, each independently configurable. Acme Corp's Okta SAML setup has no effect on Globex Inc's Entra ID configuration.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjimafznoxsh3xp3ftktq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjimafznoxsh3xp3ftktq.png" alt="Architecture showing Your AI App → Kinde (SP) → multiple IdPs (Okta, Entra ID, Google Workspace). Each IdP connection maps to a specific Kinde Organization (Acme Corp → Okta, Globex Inc → Entra ID, Startup LLC → Google SAML). Kinde issues tokens to your app after validating the SAML/OIDC assertion. Your app code is unchanged — it always calls Kinde, never the individual IdPs" width="800" height="296"></a></p> <h2> Step #1: Create an Organization for Your Enterprise Customer </h2> <p>Each enterprise customer gets their own Kinde organization. If you already have organizations set up, skip to Step #2.</p> <p>Navigate to <strong>Organizations</strong> in your Kinde dashboard and select <strong>Create organization</strong>. Give it the name of the enterprise customer — this is internal to your Kinde account, not visible to end users. Note the org code assigned; you will use it when scoping the connection.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft723o2hcrtg6xa0ekmye.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft723o2hcrtg6xa0ekmye.png" alt="Kinde Organizations page showing the " width="800" height="502"></a></p> <p>For multi-tenant AI apps, each customer organization is also where you will attach billing, custom roles, and per-org MFA requirements. The enterprise connection is just one of many things scoped per organization.</p> <h2> Step #2: Configure a Custom SAML Connection </h2> <p>This is the generic SAML path that works with any SAML 2.0-compliant IdP. Go through this if your customer uses an IdP not covered by Kinde's named integrations (Okta, Entra ID, Google Workspace, Cloudflare, LastPass).</p> <p>In your Kinde dashboard, navigate to <strong>Settings</strong> → <strong>Environment</strong> → <strong>Authentication</strong> and scroll to the <strong>Enterprise connection</strong> section. Select <strong>Add connection</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs4nfli89cqkcj3vj27hn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs4nfli89cqkcj3vj27hn.png" alt="Kinde Settings &gt; Authentication page showing the Enterprise connections section with an " width="800" height="504"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fofzz5jajxvwsmxd88rfs.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fofzz5jajxvwsmxd88rfs.png" alt="The list of available connection types is visible: Custom SAML, Microsoft Entra ID (SAML), Okta (SAML), Google Workspace (SAML), and others" width="800" height="502"></a></p> <p>Select <strong>Custom SAML</strong> and click <strong>Next</strong>. You will now configure the connection:</p> <p><strong>Step 2a: Connection name.</strong> Enter a descriptive name like <code>Acme Corp Okta SAML</code>. This is internal — use whatever helps you identify it.</p> <p><strong>Step 2b: Entity ID.</strong> Generate a random alphanumeric string, for example <code>hEb876ZZlkg99Dwat64Mnbvyh129</code>. Copy it — you will add this to your customer's IdP configuration as the SP Entity ID (also called Audience URI in some IdPs).</p> <p><strong>Step 2c: ACS URL.</strong> Kinde generates this for you. It is the URL where the IdP will send the SAML response after authentication. It looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Without custom domain https://your-subdomain.kinde.com/login/saml/callback # With custom domain https://auth.yourdomain.com/login/saml/callback </code></pre> </div> <p>Copy the ACS URL — your customer's IT team needs this to configure their IdP.</p> <p><strong>Step 2d: IdP metadata URL.</strong> Your customer's IT team provides this. It is a URL that Kinde fetches to get the IdP's public certificate and endpoints. In Okta it is typically <code>https://your-okta-domain.okta.com/app/your-app-id/sso/saml/metadata</code>. In other IdPs it may be called the Federation Metadata URL.</p> <p><strong>Step 2e: Email attribute.</strong> This tells Kinde which SAML attribute contains the user's email address. The standard value is <code>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</code> for Entra ID or simply <code>email</code> for most others. If left blank, Kinde defaults to <code>email</code>.</p> <p><strong>Step 2f: Home realm domains.</strong> Enter the email domains that route to this connection, for example <code>acmecorp.com</code>. When a user enters their email during login and it matches this domain, Kinde silently routes them to the Acme Corp SAML IdP without showing an SSO button. This is home realm discovery — users experience seamless, invisible SSO.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fywyt50yds2lvx2fmcpos.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fywyt50yds2lvx2fmcpos.png" alt="Kinde SAML connection configuration form showing the fields: Connection name (filled: " id="" width="800" height="502"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa2f4ib0hr2stsrm88cbs.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa2f4ib0hr2stsrm88cbs.png" alt="ACS URL (shown, greyed out — generated by Kinde), Email attribute, Home realm domains (filled: " width="800" height="502"></a></p> <p><strong>Step 2g: JIT provisioning.</strong> Enable <strong>Create a user record in Kinde</strong> if you want users to be automatically created in Kinde on their first SSO login. This is almost always the right choice for enterprise customers — it means you do not have to pre-provision users manually. They sign in through their IdP and Kinde creates their account automatically.</p> <p><strong>Step 2h: Trust email addresses.</strong> Enable this if you want Kinde to match SSO users to existing Kinde users by email. For example, if a user already has an account in Kinde via email/password, enabling this merges them with the incoming SSO identity. If disabled, a new separate identity is created regardless.</p> <p>Select <strong>Save</strong>. The connection is created. Now give your customer's IT team the following information:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="err">SP</span> <span class="err">Entity</span> <span class="err">ID</span> <span class="err">(Audience</span> <span class="err">URI):</span> <span class="err">[your</span> <span class="err">Entity</span> <span class="err">ID</span> <span class="err">string]</span> <span class="err">ACS</span> <span class="err">URL</span> <span class="err">(Reply</span> <span class="err">URL):</span> <span class="py">https</span><span class="p">:</span><span class="s">//your-subdomain.kinde.com/login/saml/callback</span> <span class="err">Name</span> <span class="err">ID</span> <span class="py">format</span><span class="p">:</span> <span class="s">Email address (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)</span> </code></pre> </div> <p>That is all the IT team needs to configure their IdP. Once they complete setup and activate the connection on their side, test by having a user from their domain attempt to log in to your app.</p> <p>A working SAML connection in about 10 minutes of configuration on each side.</p> <h2> Step #3: Configure Microsoft Entra ID (Azure AD) SAML </h2> <p>Microsoft Entra ID is the most common enterprise IdP for AI apps selling into corporate accounts. Kinde has a dedicated Entra ID connection type that handles Entra-specific quirks — including a note that older Entra tenants require the Entity ID to have a <code>spn:</code> prefix.</p> <p>Navigate to <strong>Settings</strong> → <strong>Authentication</strong> → <strong>Add connection</strong> → <strong>Microsoft Entra ID (SAML)</strong>.</p> <p>The configuration is similar to custom SAML with a few Entra-specific fields:</p> <p><strong>Step 3a: Connection name.</strong> For example <code>Acme Corp Entra ID</code>.</p> <p><strong>Step 3b: Entity ID.</strong> Generate a random string as before. If your connection fails after setup, try prefixing it with <code>spn:</code> — this is an older Entra ID requirement some tenants still have.</p> <p><strong>Step 3c: IdP metadata URL.</strong> From the Microsoft Entra admin center, navigate to <strong>Enterprise applications</strong> → your app → <strong>Single sign-on</strong> → <strong>SAML</strong> → <strong>App Federation Metadata URL</strong>. Copy this URL and paste it into Kinde.</p> <p><strong>Step 3d: Email attribute.</strong> For Entra ID SAML, the email attribute is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress </code></pre> </div> <p>Enter this value exactly. Getting this wrong is the most common cause of Entra ID SAML failures — Kinde receives the SAML assertion but cannot find the email claim.</p> <p><strong>Step 3e: Home realm domains.</strong> Enter the corporate domain(s), for example <code>acmecorp.com</code>, <code>acmecorp.onmicrosoft.com</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2n72d249gd97obq5vl8u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2n72d249gd97obq5vl8u.png" alt="Kinde Entra ID SAML connection form showing the Email attribute field filled with the Entra ID schema URL. The ACS URL is highlighted — this is what the Entra IT admin needs to enter as the Reply URL in the Azure portal" width="800" height="502"></a></p> <p>On the Entra ID side, your customer's IT admin needs to create an Enterprise Application in the Azure portal with:</p> <ul> <li> <strong>Reply URL (ACS URL):</strong> The ACS URL from Kinde</li> <li> <strong>Identifier (Entity ID):</strong> The Entity ID string you created in Kinde</li> <li> <strong>Sign on URL:</strong> Your app's login URL (optional)</li> <li> <strong>Attributes &amp; Claims:</strong> Ensure the email claim is mapped to the user's email attribute</li> </ul> <p>Note: If you need additional Entra ID attributes in Kinde (like department, phone number, or group membership), you can sync them using a Kinde post-authentication workflow. The workflow reads the SAML assertion attributes and writes them to Kinde custom user properties.</p> <h2> Step #4: Enable IdP-Initiated SSO </h2> <p>Standard SAML flow is SP-initiated: the user starts at your app, clicks login, gets redirected to the IdP, authenticates, and comes back. This is the most common setup.</p> <p>Kinde shipped <strong>IdP-initiated SSO</strong> in February 2026. With IdP-initiated flow, users start the login from their IdP portal — for example, clicking your app's tile in Okta or the Microsoft MyApps dashboard. They are authenticated at the IdP first, and Kinde handles the unsolicited SAML response when it arrives.</p> <p>To enable IdP-initiated SSO for a connection, navigate to the connection in Kinde and toggle on <strong>Allow IdP-initiated SSO</strong>. When this is enabled, Kinde also uses the email from the SAML response to pre-fill the login screen if the user ends up being redirected back to an SP-initiated flow, reducing friction.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3us99pghbmi3wshuefmf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3us99pghbmi3wshuefmf.png" alt="Kinde enterprise connection detail page showing the " width="800" height="502"></a></p> <p>Enterprise customers who use a company intranet or application portal (like Okta's dashboard or Microsoft MyApps) often require IdP-initiated flow. Without it, they cannot tile your app in their portal — and tiling apps is how IT controls visibility and access across the company. Enabling this expands your deployment options inside enterprise accounts significantly.</p> <h2> Step #5: Set Up Home Realm Discovery for Seamless Login </h2> <p>Home realm discovery is what makes enterprise SSO feel invisible to end users. Instead of showing a generic "Sign in with SSO" button that users may not understand, Kinde detects the user's email domain and automatically routes them to the correct IdP.</p> <p>You already set home realm domains in Step #2. Here is how the experience works once configured:</p> <ol> <li>User navigates to your AI app and reaches the Kinde login page</li> <li>User enters their email address: <code>alice@acmecorp.com</code> </li> <li>Kinde matches the <code>acmecorp.com</code> domain to the Acme Corp SAML connection</li> <li>Kinde silently redirects Alice to Acme Corp's Okta for authentication</li> <li>Alice authenticates with Okta (likely already SSO'd from her device)</li> <li>Okta sends the SAML assertion back to Kinde</li> <li>Kinde issues a session token and Alice lands in your app</li> </ol> <p>Steps 3 through 6 happen in under a second. From Alice's perspective, she typed her email and landed in the app. No separate SSO button. No understanding of SAML required.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3rnbhg17uhfl1inglgjv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3rnbhg17uhfl1inglgjv.png" alt="Home realm discovery flow — User types email (alice@acmecorp.com) → Kinde checks home realm domains → Matches " width="800" height="1071"></a></p> <p>Note: Home realm domains must be unique across all connections in your Kinde environment. If you add <code>acmecorp.com</code> to one connection, no other connection can also claim it.</p> <h2> Step #6: Let Enterprise Customers Configure Their Own SSO </h2> <p>For AI apps with many enterprise customers, having your team configure each SAML connection manually does not scale. Kinde supports <strong>self-serve SSO configuration</strong> (available on Scale plans) — enterprise customers can configure their own SSO connection through the Kinde self-serve portal.</p> <p>When self-serve SSO is enabled for an organization, the customer's admin (a user with the appropriate role in your app) can visit the self-serve portal, navigate to <strong>Security</strong> or <strong>Connections</strong>, and configure their SAML or OIDC connection themselves.</p> <p>They enter their IdP metadata URL, set their attribute mappings, and submit. Kinde validates the configuration and creates the connection. Your team gets notified but does not need to be involved in the data entry.</p> <p>To enable this, navigate to <strong>Settings</strong> → <strong>Self-serve portal</strong> → and enable SSO self-management for the relevant organizations. You can control which organizations have this capability — you might enable it only for enterprise-tier customers.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2f039c2r8lu78s8x74ft.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2f039c2r8lu78s8x74ft.png" alt="Kinde Settings &gt; Self-serve portal showing the SSO configuration option with a toggle to enable customers to manage their own enterprise connections. The description text explains what customers can configure" width="800" height="502"></a></p> <p>This is the SSO motion that scales. Your enterprise sales team closes the deal and mentions SSO as a feature the customer can configure themselves on day one. No engineering ticket. No back-and-forth over Entity IDs. The customer's IT admin does the setup in your self-serve portal in 20 minutes.</p> <h2> Step #7: Read Enterprise Identity in Your App </h2> <p>Once enterprise SSO is configured, the user's Kinde session looks exactly the same as any other authenticated session. Your application code does not need to know or care whether the user authenticated via email OTP, Google login, or enterprise SAML. The same Kinde SDK methods work for all of them.</p> <p>In a Next.js application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/dashboard/page.tsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">redirect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/navigation</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">DashboardPage</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">getUser</span><span class="p">,</span> <span class="nx">getOrganization</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="p">{</span> <span class="nf">redirect</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/auth/login</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getUser</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">org</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getOrganization</span><span class="p">();</span> <span class="c1">// user.email comes from the SAML assertion for SSO users</span> <span class="c1">// org.orgCode identifies which enterprise customer this is</span> <span class="c1">// No special handling needed for SSO vs non-SSO users</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">main</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">p-8</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h1</span><span class="o">&gt;</span><span class="nx">Welcome</span><span class="p">,</span> <span class="p">{</span><span class="nx">user</span><span class="p">?.</span><span class="nx">given_name</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/h1</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-gray-500</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">Signed</span> <span class="k">in</span> <span class="nx">via</span> <span class="p">{</span><span class="nx">org</span><span class="p">?.</span><span class="nx">name</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">your organization</span><span class="dl">"</span><span class="p">}</span> <span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/main</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>If you want to know which authentication method the user used (useful for audit logs or analytics), you can check the <code>identities</code> from the Kinde Management API. But for most application logic, you simply use <code>getUser()</code> and <code>getOrganization()</code> without worrying about the underlying auth method.</p> <p>For AI apps that need to enforce that specific customers must use SSO and cannot fall back to email/password, configure an <strong>org-level access policy</strong> in Kinde. Navigate to <strong>Organizations</strong> → select the org → <strong>Access policies</strong> → enable <strong>Require enterprise connection</strong>. Users who try to log in to this organization via email/password will be blocked and prompted to use SSO instead.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Verify the user is authenticated via enterprise SSO for sensitive AI operations</span> <span class="c1">// This is an optional extra layer — Kinde's access policies handle the enforcement,</span> <span class="c1">// but you can also check in your API routes for audit purposes</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextRequest</span><span class="p">,</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">getOrganization</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Unauthenticated</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">org</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getOrganization</span><span class="p">();</span> <span class="c1">// Log the org for audit trail — critical for enterprise AI compliance</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`AI request from org: </span><span class="p">${</span><span class="nx">org</span><span class="p">?.</span><span class="nx">orgCode</span><span class="p">}</span><span class="s2">, user: </span><span class="p">${(</span><span class="k">await</span> <span class="nf">getKindeServerSession</span><span class="p">().</span><span class="nf">getUser</span><span class="p">())?.</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="c1">// Execute AI operation</span> <span class="c1">// ...</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">result</span><span class="p">:</span> <span class="dl">"</span><span class="s2">...</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h2> Step #8: Suspend an Organization Instantly </h2> <p>Enterprise contracts end. Security incidents happen. When either occurs, you need to cut off an entire organization's access immediately — not one user at a time.</p> <p>Kinde added <strong>organization suspension</strong> in February 2026. When you suspend an org, every active token is revoked and every session is invalidated instantly. No user from that organization can log in to your app, regardless of how they authenticated.</p> <p>Navigate to <strong>Organizations</strong> → select the org → <strong>Settings</strong> → <strong>Suspend organization</strong>. Select <strong>Suspend</strong>. Done.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpde6ri1b7f5ztsxmjxcu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpde6ri1b7f5ztsxmjxcu.png" alt="Kinde Organization settings page showing the " width="800" height="502"></a></p> <p>Unsuspending restores access just as quickly — toggle the same setting off and all users can log back in at their next login attempt.</p> <p>This feature is essential for enterprise AI apps for two reasons. First, when a customer churns or does not renew, you need access revocation to happen immediately, not when individual users try to log in and find their tokens expired. Second, if a customer reports a security incident (a compromised account, suspicious AI queries, a potential data breach), suspension gives you a one-click kill switch while you investigate.</p> <h2> Putting It All Together </h2> <p>Here is the full enterprise SSO setup checklist for your AI app:</p> <p><strong>In Kinde dashboard:</strong></p> <ul> <li>Organization created for each enterprise customer</li> <li>SAML or OIDC connection configured and saved</li> <li>Home realm domain(s) set for seamless routing</li> <li>JIT provisioning enabled for automatic user creation</li> <li>IdP-initiated SSO enabled (if customer uses an app portal)</li> <li>Org-level access policy set to require enterprise connection (optional but recommended for security-sensitive customers)</li> <li>Self-serve SSO enabled for enterprise-tier orgs (Scale plan)</li> </ul> <p><strong>What you give the customer's IT team:</strong></p> <ul> <li>SP Entity ID (Audience URI)</li> <li>ACS URL (Reply URL)</li> <li>Name ID format: <code>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</code> </li> </ul> <p><strong>What the customer's IT team gives you:</strong></p> <ul> <li>IdP metadata URL (or the XML metadata itself)</li> <li>Email attribute name (if non-standard)</li> <li>Home realm domains to register</li> </ul> <p><strong>In your application code:</strong></p> <ul> <li>No changes required to authentication logic</li> <li>Use <code>getUser()</code> and <code>getOrganization()</code> as normal</li> <li>Add org-level access policy enforcement in API routes if needed</li> <li>Log <code>orgCode</code> in audit trails for all AI operations</li> </ul> <h2> SAML Troubleshooting Reference </h2> <p>These are the most common SAML configuration problems and how to fix them in Kinde:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Symptom</th> <th>Likely cause</th> <th>Fix</th> </tr> </thead> <tbody> <tr> <td>"Invalid assertion" error</td> <td>Certificate mismatch or expired IdP cert</td> <td>Re-fetch the IdP metadata URL in Kinde to refresh the certificate</td> </tr> <tr> <td>User authenticated but no email</td> <td>Wrong email attribute name</td> <td>Check the Entra/Okta attribute configuration and update the email attribute field in Kinde</td> </tr> <tr> <td>Loop between app and IdP</td> <td>ACS URL misconfigured</td> <td>Verify the ACS URL in the IdP exactly matches what Kinde shows (including protocol and path)</td> </tr> <tr> <td>"Entity ID not found"</td> <td>SP Entity ID mismatch</td> <td>Confirm the Entity ID in your IdP matches the string you set in Kinde exactly</td> </tr> <tr> <td>Users get separate accounts</td> <td>Trust email not enabled</td> <td>Enable "Trust email addresses" in the connection settings to merge existing users</td> </tr> <tr> <td>Old Entra ID tenant fails</td> <td>Entity ID format</td> <td>Prefix the Entity ID with <code>spn:</code> — required by some older Entra tenants</td> </tr> <tr> <td>SSO button shows for home realm users</td> <td>Home realm domain not set</td> <td>Add the email domain to the connection's home realm domains</td> </tr> </tbody> </table></div> <p>Navigate to <strong>Settings</strong> → <strong>Logs</strong> → <strong>Authentication logs</strong> in Kinde to see detailed SAML assertion logs for failed authentication attempts. This is the fastest way to identify configuration issues.</p> <h2> Conclusion </h2> <p>In this article, you configured enterprise SSO for your AI app — custom SAML, Microsoft Entra ID SAML, home realm discovery, JIT provisioning, IdP-initiated flow, customer self-serve setup, and organization suspension. Your AI app can now pass enterprise security reviews, integrate with any major corporate identity provider, and automatically revoke access when users leave a customer's organization.</p> <p>The entire configuration lives in Kinde. Your application code is completely unchanged — the same <code>getUser()</code> and <code>getOrganization()</code> calls that work for email login work for enterprise SAML. Kinde normalizes all authentication methods into the same session model.</p> <p>Enterprise SSO used to be the feature that required a dedicated engineering sprint and an enterprise-tier contract with your auth provider. With Kinde, it is a configuration that takes an afternoon and is available on all paid plans.</p> <p>Create a free Kinde account at <a href="https://kinde.com" rel="noopener noreferrer">kinde.com</a> — 10,500 monthly active users, no credit card required — and have your first enterprise connection configured before your next security review.</p> webdev kinde ai development Shola Jegede Tue, 14 Apr 2026 10:35:04 +0000 https://dev.to/sholajegede/how-to-implement-rbac-in-a-nextjs-16-app-with-kinde-a-step-by-step-guide-1ic1 https://dev.to/sholajegede/how-to-implement-rbac-in-a-nextjs-16-app-with-kinde-a-step-by-step-guide-1ic1 <p><em>Next.js 16 ships with <code>proxy.ts</code>, React Compiler, and React 19.2. Your access control should be as modern as your stack.</em></p> <p>In this article, you will learn:</p> <ul> <li>What RBAC is and why it belongs in your auth layer, not your database</li> <li>How Kinde models roles and permissions and why that maps cleanly to Next.js 16</li> <li>How to set up the Kinde Next.js SDK in a Next.js 16.2 project</li> <li>How to configure the auth handler and environment variables</li> <li>How to protect routes using <code>proxy.ts</code> — the new Next.js 16 network boundary file</li> <li>How to define roles and permissions in the Kinde dashboard</li> <li>How to enforce permissions in React Server Components</li> <li>How to enforce permissions in Route Handlers (API routes)</li> <li>How to render conditional UI based on a user's role</li> <li>How to handle the <code>use cache</code> directive safely alongside permission checks</li> </ul> <p>Let's dive in!</p> <h2> Prerequisites </h2> <p>Before starting this tutorial, make sure you have:</p> <ul> <li>Node.js 18.18 or later installed</li> <li>A Kinde account — free at <a href="https://kinde.com" rel="noopener noreferrer">kinde.com</a>, no credit card required</li> <li>Familiarity with Next.js App Router fundamentals</li> <li>Basic knowledge of TypeScript</li> </ul> <h2> What Is RBAC and Why Does It Belong in Auth? </h2> <p>Role-Based Access Control (RBAC) is the mechanism that decides what authenticated users are allowed to do. Authentication answers "who are you?" — RBAC answers "what can you do?"</p> <p>The wrong place to implement RBAC is your database. Many teams check a <code>role</code> column on the user record mid-request, which means a round-trip to the database every time your application needs to make an access decision. That is slow, adds complexity, and couples your permission logic to your data layer.</p> <p>The right place is your auth token. When a user logs in, Kinde issues a JWT that includes their roles and the exact permissions those roles grant. Your application reads from the token. No extra database query. No round-trip. The permission answer is cryptographically included at the start of every authenticated request.</p> <p>This is what makes Kinde's RBAC model a natural fit for Next.js 16's Server Components architecture — every Server Component can check permissions synchronously from the session without adding a waterfall of database queries.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcg3stcjj0uid1kmys719.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcg3stcjj0uid1kmys719.png" alt="Two paths side by side. LEFT " width="800" height="496"></a></p> <h2> How Kinde's RBAC Model Works </h2> <p>Kinde structures access control in three layers that are worth understanding before you write any code:</p> <p><strong>Permissions</strong> are the granular capabilities your application checks: <code>posts:create</code>, <code>posts:delete</code>, <code>users:manage</code>, <code>billing:view</code>. You define these in the Kinde dashboard. They are the atoms of your access system — every access decision in your code should reference a permission key, not a role name.</p> <p><strong>Roles</strong> are named bundles of permissions. <code>admin</code>, <code>editor</code>, <code>viewer</code> are roles. You define roles and attach permissions to them in Kinde. Roles exist so you can assign a coherent set of capabilities to a user in one operation.</p> <p><strong>Users</strong> are assigned roles. When a user logs in, their JWT token contains both their roles and the expanded set of permissions those roles grant. Your code checks permissions — the role is just the management abstraction that groups them.</p> <p>The access check in your Next.js components is always <code>getPermission("posts:create")</code>, never <code>getRole() === "admin"</code>. This decoupling means you can restructure your roles in the Kinde dashboard without touching a line of application code.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvae7n634f6b33pssc4ja.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvae7n634f6b33pssc4ja.png" alt="Three-layer pyramid — Permissions (base, many small blocks: posts:create, posts:delete, users:manage, billing:view), Roles (middle: admin has all permissions, editor has posts:create + posts:delete, viewer has none), Users (top: Alice assigned admin, Bob assigned editor). Arrow from " width="800" height="533"></a></p> <h2> What's New in Next.js 16 That Affects This Tutorial </h2> <p>Next.js 16 introduced <code>proxy.ts</code> as the new file for handling network boundary logic, replacing <code>middleware.ts</code> for most use cases. The <code>middleware.ts</code> file is deprecated in 16 and will be removed in a future version.</p> <p>For RBAC, this matters in one specific way: <code>proxy.ts</code> runs before any route in your application and is where you redirect unauthenticated users. The Kinde <code>withAuth</code> helper plugs into this file just as cleanly as it did into <code>middleware.ts</code>.</p> <p>Next.js 16 also stabilised the React Compiler, which automatically memoises components. You do not need to manually wrap permission-checking components in <code>useMemo</code> or <code>memo</code> — the compiler handles it.</p> <p>One important note about <code>use cache</code> in Next.js 16: do not cache pages or components that render based on user-specific permission data. Cached outputs are shared across users. The code in this tutorial keeps permission-sensitive components outside of <code>use cache</code> boundaries.</p> <h2> Step #1: Create a Next.js 16 Project </h2> <p>Start a fresh Next.js 16.2 project with the App Router and TypeScript:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx create-next-app@latest my-rbac-app <span class="se">\</span> <span class="nt">--typescript</span> <span class="se">\</span> <span class="nt">--app</span> <span class="se">\</span> <span class="nt">--tailwind</span> <span class="se">\</span> <span class="nt">--src-dir</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3cqwkdwhrezz254cffgv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3cqwkdwhrezz254cffgv.png" alt="Terminal output of raw `create-next-app` endraw completing successfully, showing the project structure being created" width="800" height="605"></a></p> <p>Navigate into the project directory and install the Kinde Next.js SDK:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>my-rbac-app npm <span class="nb">install</span> @kinde-oss/kinde-auth-nextjs </code></pre> </div> <h2> Step #2: Configure Kinde and Set Environment Variables </h2> <p>In your Kinde dashboard, navigate to <strong>Settings</strong> → <strong>Applications</strong> → <strong>Add application</strong> and select <strong>Back-end web</strong>. Give it a name like <code>My Next.js 16 App</code>. Once created, open the application details and copy the following values:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiatwuyykg0f3ex61wdi2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiatwuyykg0f3ex61wdi2.png" alt="Kinde dashboard Settings &gt; Applications showing an application with " width="800" height="502"></a></p> <p>Create a <code>.env.local</code> file in the root of your project:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Kinde application credentials</span> <span class="nv">KINDE_CLIENT_ID</span><span class="o">=</span>your_kinde_client_id <span class="nv">KINDE_CLIENT_SECRET</span><span class="o">=</span>your_kinde_client_secret <span class="nv">KINDE_ISSUER_URL</span><span class="o">=</span>https://your-subdomain.kinde.com <span class="c"># Application URLs</span> <span class="nv">KINDE_SITE_URL</span><span class="o">=</span>http://localhost:3000 <span class="nv">KINDE_POST_LOGOUT_REDIRECT_URL</span><span class="o">=</span>http://localhost:3000 <span class="nv">KINDE_POST_LOGIN_REDIRECT_URL</span><span class="o">=</span>http://localhost:3000/dashboard </code></pre> </div> <p>Replace <code>your_kinde_client_id</code>, <code>your_kinde_client_secret</code>, and <code>your-subdomain</code> with the values from your Kinde dashboard. The <code>KINDE_ISSUER_URL</code> is your Kinde domain, typically <code>https://yourappname.kinde.com</code>.</p> <p>Next, add the callback URLs in Kinde. Still in your application's settings, find the <strong>Callback URLs</strong> section and add:</p> <ul> <li> <strong>Allowed callback URLs</strong>: <code>http://localhost:3000/api/auth/kinde_callback</code> </li> <li> <strong>Allowed logout redirect URLs</strong>: <code>http://localhost:3000</code> </li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw6xqt5pmw5dofytf2s3h.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw6xqt5pmw5dofytf2s3h.png" alt="Kinde application settings showing the Callback URLs section with the localhost callback URL and logout redirect URL filled in" width="800" height="502"></a></p> <h2> Step #3: Set Up the Auth Route Handler </h2> <p>Create the Kinde auth handler at <code>app/api/auth/[kindeAuth]/route.ts</code>. This single file handles all of Kinde's auth endpoints — login, logout, register, and the callback:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/auth/[kindeAuth]/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">handleAuth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">GET</span> <span class="o">=</span> <span class="nf">handleAuth</span><span class="p">();</span> </code></pre> </div> <p>That is the entire auth route. Kinde handles the OAuth flow, token exchange, session management, and redirect logic. Your application does not need to implement any of this.</p> <h2> Step #4: Wrap the Root Layout with KindeProvider </h2> <p>Open <code>app/layout.tsx</code> and wrap the children with <code>KindeProvider</code>. This is a server component — import from the server path, not the client path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// layout.ts</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">Metadata</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Geist</span><span class="p">,</span> <span class="nx">Geist_Mono</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/font/google</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="dl">"</span><span class="s2">./globals.css</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">geistSans</span> <span class="o">=</span> <span class="nc">Geist</span><span class="p">({</span> <span class="na">variable</span><span class="p">:</span> <span class="dl">"</span><span class="s2">--font-geist-sans</span><span class="dl">"</span><span class="p">,</span> <span class="na">subsets</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">latin</span><span class="dl">"</span><span class="p">],</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">geistMono</span> <span class="o">=</span> <span class="nc">Geist_Mono</span><span class="p">({</span> <span class="na">variable</span><span class="p">:</span> <span class="dl">"</span><span class="s2">--font-geist-mono</span><span class="dl">"</span><span class="p">,</span> <span class="na">subsets</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">latin</span><span class="dl">"</span><span class="p">],</span> <span class="p">});</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">metadata</span><span class="p">:</span> <span class="nx">Metadata</span> <span class="o">=</span> <span class="p">{</span> <span class="na">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">My RBAC App</span><span class="dl">"</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Built with Next.js 16 and Kinde</span><span class="dl">"</span><span class="p">,</span> <span class="p">};</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">RootLayout</span><span class="p">({</span> <span class="nx">children</span><span class="p">,</span> <span class="p">}:</span> <span class="nb">Readonly</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">children</span><span class="p">:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">ReactNode</span><span class="p">;</span> <span class="p">}</span><span class="o">&gt;</span><span class="p">)</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">html</span> <span class="nx">lang</span><span class="o">=</span><span class="dl">"</span><span class="s2">en</span><span class="dl">"</span> <span class="nx">className</span><span class="o">=</span><span class="p">{</span><span class="s2">`</span><span class="p">${</span><span class="nx">geistSans</span><span class="p">.</span><span class="nx">variable</span><span class="p">}</span><span class="s2"> </span><span class="p">${</span><span class="nx">geistMono</span><span class="p">.</span><span class="nx">variable</span><span class="p">}</span><span class="s2"> h-full antialiased`</span><span class="p">}</span> <span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">body</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">min-h-full flex flex-col</span><span class="dl">"</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">children</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/body</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/html</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> Step #5: Protect Routes Using proxy.ts </h2> <p>In Next.js 16, <code>proxy.ts</code> is the new file for network boundary logic. The <code>middleware.ts</code> file is deprecated — use <code>proxy.ts</code> instead for new projects.</p> <p>Create <code>proxy.ts</code> in your project root (at the same level as <code>app</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// proxy.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">withAuth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/middleware</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">NextRequest</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">withAuth</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">/dashboard/:path*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">/admin/:path*</span><span class="dl">"</span><span class="p">],</span> <span class="p">};</span> </code></pre> </div> <p>Note: If you have an existing project using <code>middleware.ts</code>, it continues to work in Next.js 16 for Edge runtime use cases. But for new projects, <code>proxy.ts</code> is the correct file. The <code>withAuth</code> import path and usage are identical between the two.</p> <p>Any unauthenticated user who tries to reach a matched route is automatically redirected to Kinde's login page. Once they authenticate, Kinde redirects them back to the page they originally requested.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fumzoemusc6szkzzf34md.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fumzoemusc6szkzzf34md.png" alt="Browser showing an unauthenticated user being redirected to the Kinde login page when they try to access /dashboard directly. The Kinde login UI is visible with the email OTP input field" width="800" height="483"></a></p> <h2> Step #6: Define Roles and Permissions in Kinde </h2> <p>Before writing any permission-checking code, set up your roles and permissions in the Kinde dashboard.</p> <p>Navigate to <strong>Roles &amp; Permissions</strong> → <strong>Permissions</strong> → <strong>Add permission</strong>. Create each permission with a <code>resource:action</code> naming convention:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3jn97y4avimzalezx18n.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3jn97y4avimzalezx18n.png" alt="Kinde Roles &amp; Permissions &gt; Permissions page showing a list of permissions: posts:create, posts:update, posts:delete, posts:publish, users:view, users:manage. Each has its key visible" width="800" height="502"></a></p> <p>For this tutorial, create these permissions:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Key</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>posts:create</code></td> <td>Create new posts</td> </tr> <tr> <td><code>posts:update</code></td> <td>Edit existing posts</td> </tr> <tr> <td><code>posts:delete</code></td> <td>Delete posts permanently</td> </tr> <tr> <td><code>posts:publish</code></td> <td>Publish or unpublish posts</td> </tr> <tr> <td><code>users:view</code></td> <td>View the user list</td> </tr> <tr> <td><code>users:manage</code></td> <td>Edit user details and roles</td> </tr> </tbody> </table></div> <p>Now navigate to <strong>Roles &amp; Permissions</strong> → <strong>Roles</strong> → <strong>Add role</strong> and create three roles:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvrvyka49l33v87kqp5do.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvrvyka49l33v87kqp5do.png" alt="Kinde Roles &amp; Permissions &gt; Roles page showing three roles: Admin (key: admin), Editor (key: editor), Viewer (key: viewer" width="800" height="502"></a></p> <p>Assign permissions to each role:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Permission</th> <th>Admin</th> <th>Editor</th> <th>Viewer</th> </tr> </thead> <tbody> <tr> <td><code>posts:create</code></td> <td>✓</td> <td>✓</td> <td></td> </tr> <tr> <td><code>posts:update</code></td> <td>✓</td> <td>✓</td> <td></td> </tr> <tr> <td><code>posts:delete</code></td> <td>✓</td> <td></td> <td></td> </tr> <tr> <td><code>posts:publish</code></td> <td>✓</td> <td>✓</td> <td></td> </tr> <tr> <td><code>users:view</code></td> <td>✓</td> <td></td> <td></td> </tr> <tr> <td><code>users:manage</code></td> <td>✓</td> <td></td> <td></td> </tr> </tbody> </table></div> <p>Assign a role to your own user for testing. Navigate to <strong>Users</strong> → select your user → <strong>Roles</strong> → assign <code>admin</code>. You will test the other roles by reassigning later.</p> <p>Terrific! The permission model is ready. Time to use it in code.</p> <h2> Step #7: Check Permissions in Server Components </h2> <p><code>getKindeServerSession()</code> is the main SDK helper for checking authentication state and accessing user data in Server Components. It reads directly from the server-side session — no network request, no database query.</p> <p>Create a protected dashboard page at <code>app/dashboard/page.tsx</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/dashboard/page.tsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">redirect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/navigation</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PermissionGate</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/components/PermissionGate</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">DashboardPage</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">getUser</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="nf">redirect</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/auth/login</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getUser</span><span class="p">();</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">main</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">p-8</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h1</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-2xl font-bold mb-1</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">Dashboard</span><span class="o">&lt;</span><span class="sr">/h1</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-gray-500 mb-8</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">Welcome</span> <span class="nx">back</span><span class="p">,</span> <span class="p">{</span><span class="nx">user</span><span class="p">?.</span><span class="nx">given_name</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">User</span><span class="dl">"</span><span class="p">}</span> <span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">grid grid-cols-1 gap-4 md:grid-cols-3</span><span class="dl">"</span><span class="o">&gt;</span> <span class="p">{</span><span class="cm">/* Visible to all authenticated users */</span><span class="p">}</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">rounded-lg border p-6</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h2</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">font-semibold mb-2</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">Posts</span><span class="o">&lt;</span><span class="sr">/h2</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-sm text-gray-500 mb-4</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">Manage</span> <span class="nx">your</span> <span class="nx">content</span><span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">PermissionGate</span> <span class="nx">permission</span><span class="o">=</span><span class="dl">"</span><span class="s2">posts:create</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">a</span> <span class="nx">href</span><span class="o">=</span><span class="dl">"</span><span class="s2">/dashboard/posts/new</span><span class="dl">"</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-sm font-medium text-blue-600 hover:underline</span><span class="dl">"</span> <span class="o">&gt;</span> <span class="o">+</span> <span class="nx">New</span> <span class="nx">post</span> <span class="o">&lt;</span><span class="sr">/a</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/PermissionGate</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">{</span><span class="cm">/* Only users with users:manage see this card */</span><span class="p">}</span> <span class="o">&lt;</span><span class="nx">PermissionGate</span> <span class="nx">permission</span><span class="o">=</span><span class="dl">"</span><span class="s2">users:manage</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">rounded-lg border p-6 bg-amber-50</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h2</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">font-semibold mb-2</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">Users</span><span class="o">&lt;</span><span class="sr">/h2</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-sm text-gray-500 mb-4</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">Manage</span> <span class="nx">team</span> <span class="nx">members</span> <span class="nx">and</span> <span class="nx">access</span> <span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">a</span> <span class="nx">href</span><span class="o">=</span><span class="dl">"</span><span class="s2">/admin/users</span><span class="dl">"</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-sm font-medium text-amber-700 hover:underline</span><span class="dl">"</span> <span class="o">&gt;</span> <span class="nx">View</span> <span class="nx">all</span> <span class="nx">users</span> <span class="o">&lt;</span><span class="sr">/a</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/PermissionGate</span><span class="err">&gt; </span> <span class="p">{</span><span class="cm">/* Only users with posts:delete see this card */</span><span class="p">}</span> <span class="o">&lt;</span><span class="nx">PermissionGate</span> <span class="nx">permission</span><span class="o">=</span><span class="dl">"</span><span class="s2">posts:delete</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">rounded-lg border border-red-200 p-6 bg-red-50</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h2</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">font-semibold text-red-800 mb-2</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">Content</span> <span class="nx">Management</span> <span class="o">&lt;</span><span class="sr">/h2</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-sm text-red-600 mb-4</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">Delete</span> <span class="nx">and</span> <span class="nx">bulk</span><span class="o">-</span><span class="nx">manage</span> <span class="nx">content</span> <span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">a</span> <span class="nx">href</span><span class="o">=</span><span class="dl">"</span><span class="s2">/admin/content</span><span class="dl">"</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-sm font-medium text-red-700 hover:underline</span><span class="dl">"</span> <span class="o">&gt;</span> <span class="nx">Manage</span> <span class="nx">content</span> <span class="o">&lt;</span><span class="sr">/a</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/PermissionGate</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/main</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Note: The <code>isGranted</code> property is what you check — not just whether <code>canCreatePosts</code> is truthy. <code>getPermission()</code> always returns an object; <code>isGranted</code> is <code>false</code> when the user does not have the permission rather than returning <code>null</code>. This makes the check explicit and safe.</p> <h2> Step #8: Enforce Permissions in Route Handlers </h2> <p>Client-side permission checks are for UX — they hide controls that would fail. Server-side checks in API routes are the real security gate. You need both.</p> <p>Create a protected API route at <code>app/api/protected/posts/route.ts</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/protected/posts/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextRequest</span><span class="p">,</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">getPermission</span><span class="p">,</span> <span class="nx">getUser</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="c1">// Step 1: Check authentication</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Unauthenticated. Please sign in.</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Step 2: Check the specific permission required for this action</span> <span class="kd">const</span> <span class="nx">canCreatePosts</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getPermission</span><span class="p">(</span><span class="dl">"</span><span class="s2">posts:create</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">canCreatePosts</span><span class="p">?.</span><span class="nx">isGranted</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Forbidden</span><span class="dl">"</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">You do not have permission to create posts.</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">403</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Step 3: Parse the request</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">request</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">title</span><span class="p">,</span> <span class="nx">content</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">body</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">title</span> <span class="o">||</span> <span class="o">!</span><span class="nx">content</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Title and content are required.</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">400</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Step 4: Execute the action — safe to proceed</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getUser</span><span class="p">();</span> <span class="c1">// Replace this with your actual database logic</span> <span class="kd">const</span> <span class="nx">post</span> <span class="o">=</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomUUID</span><span class="p">(),</span> <span class="nx">title</span><span class="p">,</span> <span class="nx">content</span><span class="p">,</span> <span class="na">authorId</span><span class="p">:</span> <span class="nx">user</span><span class="p">?.</span><span class="nx">id</span><span class="p">,</span> <span class="na">createdAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="p">};</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">post</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">201</span> <span class="p">});</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">DELETE</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">getPermission</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Unauthenticated.</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Delete requires a more privileged permission than create</span> <span class="kd">const</span> <span class="nx">canDeletePosts</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getPermission</span><span class="p">(</span><span class="dl">"</span><span class="s2">posts:delete</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">canDeletePosts</span><span class="p">?.</span><span class="nx">isGranted</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Forbidden</span><span class="dl">"</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">You do not have permission to delete posts.</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">403</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">searchParams</span> <span class="p">}</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">postId</span> <span class="o">=</span> <span class="nx">searchParams</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">id</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">postId</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Post ID is required.</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">400</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Your delete logic here</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">deleted</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="nx">postId</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h2> Step #9: Build a Reusable Permission Guard Component </h2> <p>Checking permissions inline in every component gets repetitive. A <code>PermissionGate</code> component keeps the pattern clean and consistent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// components/PermissionGate.tsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">PermissionGateProps</span> <span class="p">{</span> <span class="nl">permission</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">children</span><span class="p">:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">ReactNode</span><span class="p">;</span> <span class="c1">// Optional: what to show if the user lacks the permission</span> <span class="nl">fallback</span><span class="p">?:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">ReactNode</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">PermissionGate</span><span class="p">({</span> <span class="nx">permission</span><span class="p">,</span> <span class="nx">children</span><span class="p">,</span> <span class="nx">fallback</span> <span class="o">=</span> <span class="kc">null</span><span class="p">,</span> <span class="p">}:</span> <span class="nx">PermissionGateProps</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">getPermission</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getPermission</span><span class="p">(</span><span class="nx">permission</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">result</span><span class="p">?.</span><span class="nx">isGranted</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="o">&lt;&gt;</span><span class="p">{</span><span class="nx">fallback</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/&gt;</span><span class="err">; </span> <span class="p">}</span> <span class="k">return</span> <span class="o">&lt;&gt;</span><span class="p">{</span><span class="nx">children</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/&gt;</span><span class="err">; </span><span class="p">}</span> </code></pre> </div> <p>Now any Server Component in your app can use it cleanly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/dashboard/posts/page.tsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">redirect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/navigation</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PermissionGate</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/components/PermissionGate</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">PostsPage</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="p">{</span> <span class="nf">redirect</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/auth/login</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">main</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">p-8</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">flex items-center justify-between mb-8</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h1</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-2xl font-bold</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">Posts</span><span class="o">&lt;</span><span class="sr">/h1</span><span class="err">&gt; </span> <span class="p">{</span><span class="cm">/* Only users with posts:create see this button */</span><span class="p">}</span> <span class="o">&lt;</span><span class="nx">PermissionGate</span> <span class="nx">permission</span><span class="o">=</span><span class="dl">"</span><span class="s2">posts:create</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">a</span> <span class="nx">href</span><span class="o">=</span><span class="dl">"</span><span class="s2">/dashboard/posts/new</span><span class="dl">"</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">rounded-md bg-blue-600 px-4 py-2 text-sm font-medium text-white hover:bg-blue-700</span><span class="dl">"</span> <span class="o">&gt;</span> <span class="nx">New</span> <span class="nx">post</span> <span class="o">&lt;</span><span class="sr">/a</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/PermissionGate</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">{</span><span class="cm">/* Post list visible to everyone */</span><span class="p">}</span> <span class="o">&lt;</span><span class="nx">PostList</span> <span class="o">/&gt;</span> <span class="p">{</span><span class="cm">/* Bulk delete only for users with posts:delete */</span><span class="p">}</span> <span class="o">&lt;</span><span class="nx">PermissionGate</span> <span class="nx">permission</span><span class="o">=</span><span class="dl">"</span><span class="s2">posts:delete</span><span class="dl">"</span> <span class="nx">fallback</span><span class="o">=</span><span class="p">{</span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">mt-8 text-sm text-gray-400</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">You</span> <span class="nx">have</span> <span class="nx">view</span><span class="o">-</span><span class="nx">only</span> <span class="nx">access</span> <span class="nx">to</span> <span class="k">this</span> <span class="nx">section</span><span class="p">.</span> <span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="p">}</span> <span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">BulkDeleteControls</span> <span class="o">/&gt;</span> <span class="o">&lt;</span><span class="sr">/PermissionGate</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/main</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Placeholder components — replace with your real implementations</span> <span class="kd">function</span> <span class="nf">PostList</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">space-y-4</span><span class="dl">"</span><span class="o">&gt;</span><span class="p">{</span><span class="cm">/* Post items */</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/div&gt;</span><span class="err">; </span><span class="p">}</span> <span class="kd">function</span> <span class="nf">BulkDeleteControls</span><span class="p">()</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">mt-8 rounded-lg border border-red-200 p-4</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-sm font-medium text-red-700</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">Bulk</span> <span class="nx">actions</span><span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Wonderful! <code>PermissionGate</code> works as a clean wrapper everywhere. No repeated <code>getPermission</code> calls spread across components — just one consistent primitive.</p> <h2> Step #10: Add Sign In and Sign Out </h2> <p>With protection and permissions in place, add the authentication links. Kinde provides <code>LoginLink</code>, <code>RegisterLink</code>, and <code>LogoutLink</code> components that generate the correct Kinde auth URLs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/page.tsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">LoginLink</span><span class="p">,</span> <span class="nx">RegisterLink</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/components</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">redirect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/navigation</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">Home</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="c1">// If already authenticated, send to dashboard</span> <span class="k">if </span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">())</span> <span class="p">{</span> <span class="nf">redirect</span><span class="p">(</span><span class="dl">"</span><span class="s2">/dashboard</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">main</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">flex min-h-screen flex-col items-center justify-center p-24</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h1</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-4xl font-bold mb-4</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">My</span> <span class="nx">RBAC</span> <span class="nx">App</span><span class="o">&lt;</span><span class="sr">/h1</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-gray-500 mb-8 text-center max-w-md</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">Sign</span> <span class="k">in</span> <span class="nx">to</span> <span class="nx">access</span> <span class="nx">your</span> <span class="nx">dashboard</span><span class="p">.</span> <span class="nx">Your</span> <span class="nx">permissions</span> <span class="nx">are</span> <span class="nx">automatically</span> <span class="nx">loaded</span> <span class="k">from</span> <span class="nx">your</span> <span class="nx">role</span><span class="p">.</span> <span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">flex gap-4</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">LoginLink</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">rounded-md bg-blue-600 px-6 py-2 text-sm font-medium text-white hover:bg-blue-700</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">Sign</span> <span class="k">in</span> <span class="o">&lt;</span><span class="sr">/LoginLink</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">RegisterLink</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">rounded-md border border-gray-300 px-6 py-2 text-sm font-medium hover:bg-gray-50</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">Create</span> <span class="nx">account</span> <span class="o">&lt;</span><span class="sr">/RegisterLink</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/main</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>For sign out, create a simple server action or use the <code>LogoutLink</code> component anywhere in your authenticated layout:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/dashboard/layout.tsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">LogoutLink</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/components</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">redirect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/navigation</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">DashboardLayout</span><span class="p">({</span> <span class="nx">children</span><span class="p">,</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">children</span><span class="p">:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">ReactNode</span><span class="p">;</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">getUser</span><span class="p">,</span> <span class="nx">getRoles</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="p">{</span> <span class="nf">redirect</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/auth/login</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getUser</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">roles</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getRoles</span><span class="p">();</span> <span class="c1">// Show the first role for display purposes</span> <span class="c1">// Your app might show this differently</span> <span class="kd">const</span> <span class="nx">displayRole</span> <span class="o">=</span> <span class="nx">roles</span><span class="p">?.[</span><span class="mi">0</span><span class="p">]?.</span><span class="nx">name</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">User</span><span class="dl">"</span><span class="p">;</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">min-h-screen bg-gray-50</span><span class="dl">"</span><span class="o">&gt;</span> <span class="p">{</span><span class="cm">/* Navigation bar */</span><span class="p">}</span> <span class="o">&lt;</span><span class="nx">nav</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">border-b bg-white px-6 py-4</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">flex items-center justify-between</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">span</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">font-semibold</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">My</span> <span class="nx">RBAC</span> <span class="nx">App</span><span class="o">&lt;</span><span class="sr">/span</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">flex items-center gap-4</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">span</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-sm text-gray-600</span><span class="dl">"</span><span class="o">&gt;</span> <span class="p">{</span><span class="nx">user</span><span class="p">?.</span><span class="nx">email</span><span class="p">}</span> <span class="o">&lt;</span><span class="sr">/span</span><span class="err">&gt; </span> <span class="p">{</span><span class="cm">/* Role badge — for display only, never for access control */</span><span class="p">}</span> <span class="o">&lt;</span><span class="nx">span</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">rounded-full bg-blue-100 px-3 py-1 text-xs font-medium text-blue-800</span><span class="dl">"</span><span class="o">&gt;</span> <span class="p">{</span><span class="nx">displayRole</span><span class="p">}</span> <span class="o">&lt;</span><span class="sr">/span</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">LogoutLink</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-sm text-gray-600 hover:text-gray-900</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">Sign</span> <span class="nx">out</span> <span class="o">&lt;</span><span class="sr">/LogoutLink</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/nav</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">main</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">children</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/main</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Note: The role badge in the nav is display-only. It tells the user what their role is, which is good UX. But your access decisions in code never read this display value — they always call <code>getPermission("permission:key")</code>.</p> <h2> Putting It All Together </h2> <p>Here is the complete file structure for the RBAC setup you have just built:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>my-rbac-app/ ├── app/ │ ├── api/ │ │ └── auth/ │ │ └── [kindeAuth]/ │ │ └── route.ts ← Kinde auth handler │ │ └── protected/ │ │ └── posts/ │ │ └── route.ts ← Permission-checked API route │ ├── dashboard/ │ │ ├── layout.tsx ← Nav with user/role display │ │ ├── page.tsx ← Permission-based UI │ │ └── posts/ │ │ └── page.tsx ← Uses PermissionGate │ ├── admin/ │ │ └── users/ │ │ └── page.tsx ← Admin-only page │ ├── layout.tsx ← KindeProvider wrapper │ └── page.tsx ← Login / register landing ├── components/ │ └── PermissionGate.tsx ← Reusable permission guard ├── proxy.ts ← Next.js 16 route protection └── .env.local ← Kinde credentials </code></pre> </div> <p>The flow for every protected request:</p> <p><strong>Step 1:</strong> <code>proxy.ts</code> intercepts the request. If the route matches the matcher and the user is unauthenticated, Kinde redirects to login. Authenticated users pass through.</p> <p><strong>Step 2:</strong> The Server Component or Route Handler calls <code>getKindeServerSession()</code> and reads permissions from the token. No database query.</p> <p><strong>Step 3:</strong> <code>getPermission("permission:key")</code> returns <code>{ isGranted: boolean }</code>. If <code>false</code>, the component renders the fallback or the route handler returns 403.</p> <p><strong>Step 4:</strong> The user sees exactly what their role allows them to see. The role definition lives in Kinde — change a role's permissions in the dashboard and every user with that role sees the updated access on their next session.</p> <h2> A Note on <code>use cache</code> in Next.js 16 </h2> <p>Next.js 16 introduces <code>use cache</code> as a new opt-in caching primitive. You can add it to pages, components, and functions to cache their output.</p> <p>Do not add <code>use cache</code> to any page or component that renders based on the authenticated user's permissions. Cached outputs are stored and reused across requests — if you cache a dashboard page that shows admin controls for one user, the next user to hit that route may see the cached admin UI regardless of their actual permissions.</p> <p>Keep permission-checked components and pages entirely outside <code>use cache</code> boundaries. If you need to cache parts of a permission-protected page, use React's <code>Suspense</code> to split the cacheable sections from the permission-gated sections:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ✓ Correct: cache the public section, NOT the permission-gated section</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">PostsPage</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="nf">redirect</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/auth/login</span><span class="dl">"</span><span class="p">);</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">main</span><span class="o">&gt;</span> <span class="p">{</span><span class="cm">/* This section is the same for all authenticated users — safe to cache */</span><span class="p">}</span> <span class="o">&lt;</span><span class="nx">Suspense</span> <span class="nx">fallback</span><span class="o">=</span><span class="p">{</span><span class="o">&lt;</span><span class="nx">p</span><span class="o">&gt;</span><span class="nx">Loading</span> <span class="nx">posts</span><span class="p">...</span><span class="o">&lt;</span><span class="sr">/p&gt;}</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">PublicPostList</span> <span class="o">/&gt;</span> <span class="p">{</span><span class="cm">/* Has "use cache" inside */</span><span class="p">}</span> <span class="o">&lt;</span><span class="sr">/Suspense</span><span class="err">&gt; </span> <span class="p">{</span><span class="cm">/* This section is specific to the user's permissions — never cache */</span><span class="p">}</span> <span class="o">&lt;</span><span class="nx">PermissionGate</span> <span class="nx">permission</span><span class="o">=</span><span class="dl">"</span><span class="s2">posts:delete</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">BulkDeleteControls</span> <span class="o">/&gt;</span> <span class="o">&lt;</span><span class="sr">/PermissionGate</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/main</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> Testing Your RBAC Implementation </h2> <p>Verify your setup by testing these scenarios:</p> <p><strong>Test 1 — Unauthenticated access.</strong> Open an incognito window and navigate to <code>/dashboard</code>. You should be redirected to the Kinde login page.</p> <p><strong>Test 2 — Role-based UI.</strong> Log in as your admin user. Confirm the Users card and bulk delete controls are visible. Navigate to <strong>Users</strong> in Kinde, change your role to <code>editor</code>, and refresh. The Users card and delete controls should disappear.</p> <p><strong>Test 3 — API enforcement.</strong> Using a REST client like Postman or curl, send a <code>DELETE</code> request to <code>/api/protected/posts?id=123</code> without an authenticated session. You should receive a 401. Log in with an editor-role user and try again — you should receive a 403, because editors have <code>posts:create</code> and <code>posts:update</code> but not <code>posts:delete</code>.</p> <p><strong>Test 4 — Permission updates.</strong> In Kinde, add the <code>users:view</code> permission to the <code>editor</code> role. Refresh the page while logged in as an editor — the Users section should now appear, with no code change on your part.</p> <h2> Conclusion </h2> <p>In this article, you built a complete RBAC system for a Next.js 16.2 application using Kinde. You used <code>proxy.ts</code> — the new Next.js 16 network boundary file — for route protection, <code>getKindeServerSession()</code> for server-side permission reads, <code>getPermission()</code> for granular access checks, and a reusable <code>PermissionGate</code> component for clean conditional rendering.</p> <p>The most important thing you built is not the code — it is the separation. Roles and permissions live in Kinde. Code checks permissions. The two halves are cleanly decoupled. When your product evolves and you need to add a new role or change what an editor can do, you change a configuration in the Kinde dashboard. Your Next.js application does not need to be redeployed.</p> <p>Kinde is free for up to 10,500 monthly active users, no credit card required. Get started at <a href="https://kinde.com" rel="noopener noreferrer">kinde.com</a>.</p> kinde webdev programming tutorial Shola Jegede Sun, 22 Mar 2026 00:42:57 +0000 https://dev.to/sholajegede/how-to-scope-permissions-per-tenant-in-a-multi-tenant-app-27dj https://dev.to/sholajegede/how-to-scope-permissions-per-tenant-in-a-multi-tenant-app-27dj <p><em>The same user, Sarah, is an admin at Acme Corp and a read-only viewer at Startup Inc. She should see completely different things in the same product depending on which tenant she is operating in. Here is how to build that correctly.</em></p> <p>In this article, you will learn:</p> <ul> <li>What "per-tenant permissions" actually means and why it is different from global RBAC</li> <li>How Kinde models multi-tenancy with organizations, and how tenant context flows into every token</li> <li>How to define roles and permissions in Kinde that scope per organization</li> <li>How to read tenant-scoped permissions from the Kinde token in a Next.js API route</li> <li>How to build a reusable permission guard that you can drop into any route</li> <li>How to gate UI components in React based on the current tenant's permissions</li> <li>How to isolate data at the database query level using the org code from the token</li> <li>How to handle the user-switching-tenants scenario correctly</li> <li>The two most common multi-tenant permission bugs and how to avoid them</li> </ul> <p>Let's dive in!</p> <h2> The Problem With Global Permissions </h2> <p>Most developers reach for a simple RBAC model first: define some roles globally, assign users to roles, check roles in your code. Admin can do everything, member can do some things, viewer can only read.</p> <p>This works fine for single-tenant apps. It falls apart the moment one user belongs to more than one tenant.</p> <p>Consider Sarah. She joined Acme Corp as an admin — she manages billing, invites colleagues, and deletes stale projects. She was also invited to Startup Inc as an outside consultant — read-only access, she can view reports but touch nothing.</p> <p>In a global RBAC model, you cannot express this. Sarah has one set of roles in your system. If she is an admin, she is an admin everywhere. If you restrict her globally to viewer, she loses the ability to manage Acme Corp.</p> <p>The correct model is tenant-scoped permissions: Sarah's role and permissions are defined per organization. When she logs into Acme Corp, her token says admin with full permissions. When she logs into Startup Inc, the same user's token says viewer with read-only permissions. Same user identity, completely different permission set, determined by which tenant context she authenticated into.</p> <p>This is exactly how Kinde handles multi-tenancy, and it is the right mental model for any B2B SaaS product.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjzisxw6yxvrwtjmq7var.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjzisxw6yxvrwtjmq7var.png" alt="User " width="793" height="1004"></a></p> <h2> How Kinde Models This </h2> <p>In <a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=10&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde</a>, every customer of your SaaS product is an <strong>organization</strong>. Acme Corp is one org. Startup Inc is another. Each has its own isolated context — its own members, its own roles assigned to those members, its own feature flags, and optionally its own auth settings.</p> <p>When a user logs in, they authenticate within an organization context. Kinde issues a JWT access token that includes the <code>org_code</code> — the unique identifier for the tenant they are currently operating in. Every permission, every role, every feature flag in that token is scoped to that specific organization.</p> <p>The token for Sarah logged into Acme Corp looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"kp_123abc"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sarah@example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"org_code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"org_acme_corp"</span><span class="p">,</span><span class="w"> </span><span class="nl">"roles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"rol_001"</span><span class="p">,</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Admin"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"permissions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"projects:create"</span><span class="p">,</span><span class="w"> </span><span class="s2">"projects:read"</span><span class="p">,</span><span class="w"> </span><span class="s2">"projects:delete"</span><span class="p">,</span><span class="w"> </span><span class="s2">"billing:manage"</span><span class="p">,</span><span class="w"> </span><span class="s2">"members:invite"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://yourapp.kinde.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1740000000</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The same Sarah logged into Startup Inc gets a new token:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"kp_123abc"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sarah@example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"org_code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"org_startup_inc"</span><span class="p">,</span><span class="w"> </span><span class="nl">"roles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"rol_003"</span><span class="p">,</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"viewer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Viewer"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"permissions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"projects:read"</span><span class="p">,</span><span class="w"> </span><span class="s2">"reports:read"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://yourapp.kinde.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1740000000</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Same <code>sub</code>. Different <code>org_code</code>, <code>roles</code>, and <code>permissions</code>. Your application reads these claims and enforces them. Kinde's job is to put the right claims into each token based on what role the user holds in each specific org.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9j2mxbv233scr7ttenc5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9j2mxbv233scr7ttenc5.png" alt="Two JWTs side by side, both showing " width="800" height="472"></a></p> <h2> Step #1: Define Roles and Permissions in Kinde </h2> <p>Before writing a single line of application code, configure the roles and permissions that express your access model in the Kinde dashboard.</p> <h3> Defining permissions </h3> <p>Navigate to <strong>Roles &amp; Permissions</strong> → <strong>Permissions</strong> → <strong>Add permission</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8iaivk2zosgybepundn4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8iaivk2zosgybepundn4.png" alt="Kinde dashboard Roles &amp; Permissions &gt; Permissions page showing a list of defined permissions with columns for key and description." width="800" height="501"></a></p> <p>Create one permission per discrete action in your product. The <code>resource:action</code> naming pattern keeps permissions readable as your product grows:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Permission key</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>projects:create</code></td> <td>Create new projects</td> </tr> <tr> <td><code>projects:read</code></td> <td>View projects and details</td> </tr> <tr> <td><code>projects:delete</code></td> <td>Permanently delete projects</td> </tr> <tr> <td><code>members:invite</code></td> <td>Invite new members to the organization</td> </tr> <tr> <td><code>members:remove</code></td> <td>Remove members from the organization</td> </tr> <tr> <td><code>billing:manage</code></td> <td>Manage subscription and billing</td> </tr> <tr> <td><code>reports:read</code></td> <td>View analytics and reports</td> </tr> <tr> <td><code>reports:export</code></td> <td>Export report data</td> </tr> </tbody> </table></div> <p>Note: Permission keys must be defined centrally in Kinde before they can appear in any token. A permission that is not defined will never show up in the <code>permissions</code> array, regardless of what roles you assign.</p> <h3> Defining roles </h3> <p>Navigate to <strong>Roles &amp; Permissions</strong> → <strong>Roles</strong> → <strong>Add role</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbrlg272n95yvrk9e2j71.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbrlg272n95yvrk9e2j71.png" alt="Kinde dashboard Roles page showing three roles: Admin (description: " width="800" height="501"></a></p> <p>For the project management example, three roles cover most B2B SaaS access models:</p> <p><strong>Admin:</strong> <code>projects:create</code>, <code>projects:read</code>, <code>projects:delete</code>, <code>members:invite</code>, <code>members:remove</code>, <code>billing:manage</code>, <code>reports:read</code>, <code>reports:export</code></p> <p><strong>Member:</strong> <code>projects:create</code>, <code>projects:read</code>, <code>reports:read</code></p> <p><strong>Viewer:</strong> <code>projects:read</code>, <code>reports:read</code></p> <p>These role-to-permission mappings are what Kinde resolves when building the <code>permissions</code> array in the user's token. Assign a user the <code>admin</code> role within a specific org, and every permission attached to that role flows into their token for that org.</p> <h3> Assigning roles per organization </h3> <p>When a user joins an organization, they are assigned a role for that organization specifically. Navigate to an organization in Kinde → <strong>Members</strong> → select a member → assign their role.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fip7atcktmve98zkf0sjt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fip7atcktmve98zkf0sjt.png" alt="Kinde dashboard showing an organization's member list with three members: Alice (Admin badge), Bob (Member badge), Sarah (Viewer badge)." width="800" height="501"></a></p> <p>This is the per-tenant scoping in action. Sarah's role in this specific organization is Viewer. Navigate to a different organization, find Sarah there, and she might have a completely different role assignment.</p> <p>Terrific! Kinde is configured. Time to use these permissions in the application.</p> <h2> Step #2: Read Tenant-Scoped Permissions in a Next.js API Route </h2> <p>With the Kinde Next.js SDK installed and configured, reading tenant-scoped permissions server-side requires one import.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/projects/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">GET</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">getOrganization</span><span class="p">,</span> <span class="nx">getPermissions</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="c1">// Step 1: Confirm the user is authenticated</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Unauthorized</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Step 2: Get the current tenant context from the token</span> <span class="c1">// org_code is the tenant identifier — comes from the signed JWT, not the request</span> <span class="kd">const</span> <span class="nx">org</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getOrganization</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">org</span><span class="p">?.</span><span class="nx">orgCode</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">No organization context</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">403</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Step 3: Get this user's permissions for this specific org</span> <span class="c1">// getPermissions() returns { permissions: string[], orgCode: string }</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">permissions</span><span class="p">,</span> <span class="nx">orgCode</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getPermissions</span><span class="p">();</span> <span class="c1">// Step 4: Check the required permission</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">permissions</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">"</span><span class="s2">projects:read</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">You do not have permission to view projects</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">403</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Step 5: Fetch data scoped to this tenant</span> <span class="c1">// ALWAYS use org.orgCode from the token — never a client-supplied tenant ID</span> <span class="kd">const</span> <span class="nx">projects</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">projects</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">orgCode</span><span class="p">:</span> <span class="nx">org</span><span class="p">.</span><span class="nx">orgCode</span> <span class="p">},</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">projects</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>Two things to pay attention to here.</p> <p><code>getPermissions()</code> returns both the <code>permissions</code> array and the <code>orgCode</code> — confirming which org these permissions apply to. This is useful for logging and debugging: if a permission check fails unexpectedly, you can verify the org context is what you expected.</p> <p>The database query filters by <code>org.orgCode</code> from the token, not a tenant ID from the request body or query string. The org code in the JWT is cryptographically signed — a client-supplied value is not. This is the fundamental data isolation guarantee of the multi-tenant model.</p> <h2> Step #3: Build a Reusable Permission Guard </h2> <p>Repeating the same auth and permission check logic in every route is tedious and error-prone. Extract it into a single reusable guard function.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/permissions.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// Enumerate all permissions in one place — catches typos at compile time</span> <span class="kd">type</span> <span class="nx">Permission</span> <span class="o">=</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">projects:create</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">projects:read</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">projects:delete</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">members:invite</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">members:remove</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">billing:manage</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">reports:read</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">reports:export</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// What a successful auth context looks like</span> <span class="kr">interface</span> <span class="nx">AuthContext</span> <span class="p">{</span> <span class="nl">userId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">orgCode</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">permissions</span><span class="p">:</span> <span class="nx">Permission</span><span class="p">[];</span> <span class="p">}</span> <span class="cm">/** * Checks authentication, org context, and required permissions. * Returns AuthContext on success, NextResponse error on failure. * * Usage: * const auth = await requirePermission("projects:read"); * if (auth instanceof NextResponse) return auth; * // auth.orgCode and auth.permissions are now available */</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">requirePermission</span><span class="p">(</span> <span class="p">...</span><span class="nx">required</span><span class="p">:</span> <span class="nx">Permission</span><span class="p">[]</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">AuthContext</span> <span class="o">|</span> <span class="nx">NextResponse</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">getOrganization</span><span class="p">,</span> <span class="nx">getPermissions</span><span class="p">,</span> <span class="nx">getUser</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Unauthorized</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">user</span><span class="p">,</span> <span class="nx">org</span><span class="p">,</span> <span class="p">{</span> <span class="nx">permissions</span> <span class="p">}]</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">([</span> <span class="nf">getUser</span><span class="p">(),</span> <span class="nf">getOrganization</span><span class="p">(),</span> <span class="nf">getPermissions</span><span class="p">(),</span> <span class="p">]);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">org</span><span class="p">?.</span><span class="nx">orgCode</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">No organization context — authenticate within an organization</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">403</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">hasPermission</span> <span class="o">=</span> <span class="nx">required</span><span class="p">.</span><span class="nf">some</span><span class="p">((</span><span class="nx">perm</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">(</span><span class="nx">permissions</span> <span class="k">as</span> <span class="kr">string</span><span class="p">[]).</span><span class="nf">includes</span><span class="p">(</span><span class="nx">perm</span><span class="p">)</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">hasPermission</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Insufficient permissions</span><span class="dl">"</span><span class="p">,</span> <span class="nx">required</span><span class="p">,</span> <span class="na">granted</span><span class="p">:</span> <span class="nx">permissions</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">403</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">?.</span><span class="nx">id</span> <span class="o">??</span> <span class="dl">""</span><span class="p">,</span> <span class="na">orgCode</span><span class="p">:</span> <span class="nx">org</span><span class="p">.</span><span class="nx">orgCode</span><span class="p">,</span> <span class="na">permissions</span><span class="p">:</span> <span class="nx">permissions</span> <span class="k">as</span> <span class="nx">Permission</span><span class="p">[],</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>Every protected API route now becomes a clean two-step: check permissions, run logic.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/projects/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">requirePermission</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/lib/permissions</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// GET — requires projects:read</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">GET</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">auth</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">requirePermission</span><span class="p">(</span><span class="dl">"</span><span class="s2">projects:read</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">auth</span> <span class="k">instanceof</span> <span class="nx">NextResponse</span><span class="p">)</span> <span class="k">return</span> <span class="nx">auth</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">projects</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">projects</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">orgCode</span><span class="p">:</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">orgCode</span> <span class="p">},</span> <span class="c1">// tenant-scoped</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">projects</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// POST — requires projects:create</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">Request</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">auth</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">requirePermission</span><span class="p">(</span><span class="dl">"</span><span class="s2">projects:create</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">auth</span> <span class="k">instanceof</span> <span class="nx">NextResponse</span><span class="p">)</span> <span class="k">return</span> <span class="nx">auth</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">request</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">project</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">projects</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">body</span><span class="p">,</span> <span class="na">orgCode</span><span class="p">:</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">orgCode</span><span class="p">,</span> <span class="c1">// stamp the tenant from the token</span> <span class="na">createdBy</span><span class="p">:</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">userId</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">project</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">201</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// DELETE — requires projects:delete</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">DELETE</span><span class="p">(</span> <span class="nx">_request</span><span class="p">:</span> <span class="nx">Request</span><span class="p">,</span> <span class="p">{</span> <span class="nx">params</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">params</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}</span> <span class="p">}</span> <span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">auth</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">requirePermission</span><span class="p">(</span><span class="dl">"</span><span class="s2">projects:delete</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">auth</span> <span class="k">instanceof</span> <span class="nx">NextResponse</span><span class="p">)</span> <span class="k">return</span> <span class="nx">auth</span><span class="p">;</span> <span class="c1">// orgCode in the where clause prevents cross-tenant deletion</span> <span class="c1">// Even if a wrong ID is passed, this query will not find it</span> <span class="c1">// unless it belongs to the current user's tenant</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">projects</span><span class="p">.</span><span class="k">delete</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">orgCode</span><span class="p">:</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">orgCode</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">deleted</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>The <code>orgCode</code> filter on every write and delete is the data isolation layer. It is the database-level defense that ensures even a logic bug cannot cause cross-tenant data leakage.</p> <p>Amazing!</p> <h2> Step #4: Gate UI Components by Permission </h2> <p>The API layer is the security boundary — it rejects unauthorized requests. The UI layer is the experience boundary — it hides controls the user cannot use, preventing confusion without exposing a wall of 403 errors.</p> <p>Create a client-side permission hook:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// hooks/usePermissions.ts</span> <span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useKindeBrowserClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs</span><span class="dl">"</span><span class="p">;</span> <span class="kd">type</span> <span class="nx">Permission</span> <span class="o">=</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">projects:create</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">projects:read</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">projects:delete</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">members:invite</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">members:remove</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">billing:manage</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">reports:read</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">reports:export</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">usePermissions</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">getPermission</span><span class="p">,</span> <span class="nx">getOrganization</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useKindeBrowserClient</span><span class="p">();</span> <span class="c1">// getPermission returns { isGranted: boolean, orgCode: string }</span> <span class="c1">// isGranted is org-scoped — it reflects permissions for the current org context</span> <span class="kd">const</span> <span class="nx">can</span> <span class="o">=</span> <span class="p">(</span><span class="nx">permission</span><span class="p">:</span> <span class="nx">Permission</span><span class="p">):</span> <span class="nx">boolean</span> <span class="o">=&gt;</span> <span class="nf">getPermission</span><span class="p">(</span><span class="nx">permission</span><span class="p">)?.</span><span class="nx">isGranted</span> <span class="o">??</span> <span class="kc">false</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">org</span> <span class="o">=</span> <span class="nf">getOrganization</span><span class="p">();</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">can</span><span class="p">,</span> <span class="na">orgCode</span><span class="p">:</span> <span class="nx">org</span><span class="p">?.</span><span class="nx">orgCode</span> <span class="o">??</span> <span class="kc">null</span><span class="p">,</span> <span class="na">orgName</span><span class="p">:</span> <span class="nx">org</span><span class="p">?.</span><span class="nx">name</span> <span class="o">??</span> <span class="kc">null</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>Use the hook in your components for conditional rendering:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// components/ProjectCard.tsx</span> <span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">usePermissions</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/hooks/usePermissions</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">ProjectCard</span><span class="p">({</span> <span class="nx">project</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">project</span><span class="p">:</span> <span class="nx">Project</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">can</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">usePermissions</span><span class="p">();</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"project-card"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">h3</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">project</span><span class="p">.</span><span class="nx">name</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">h3</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"project-actions"</span><span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* Members and admins can edit */</span><span class="si">}</span> <span class="si">{</span><span class="nf">can</span><span class="p">(</span><span class="dl">"</span><span class="s2">projects:create</span><span class="dl">"</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">editProject</span><span class="p">(</span><span class="nx">project</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span><span class="si">}</span><span class="p">&gt;</span>Edit<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">)</span><span class="si">}</span> <span class="si">{</span><span class="cm">/* Only admins can delete — not rendered at all for members/viewers */</span><span class="si">}</span> <span class="si">{</span><span class="nf">can</span><span class="p">(</span><span class="dl">"</span><span class="s2">projects:delete</span><span class="dl">"</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">deleteProject</span><span class="p">(</span><span class="nx">project</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span><span class="si">}</span> <span class="na">className</span><span class="p">=</span><span class="s">"destructive"</span> <span class="p">&gt;</span> Delete <span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">)</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// components/Sidebar.tsx</span> <span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">usePermissions</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/hooks/usePermissions</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">Link</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/link</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">Sidebar</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">can</span><span class="p">,</span> <span class="nx">orgName</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">usePermissions</span><span class="p">();</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">nav</span> <span class="na">className</span><span class="p">=</span><span class="s">"sidebar"</span><span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* Show current org context at the top */</span><span class="si">}</span> <span class="si">{</span><span class="nx">orgName</span> <span class="o">&amp;&amp;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"workspace-name"</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">orgName</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span><span class="si">}</span> <span class="si">{</span><span class="cm">/* Always visible to authenticated org members */</span><span class="si">}</span> <span class="p">&lt;</span><span class="nc">Link</span> <span class="na">href</span><span class="p">=</span><span class="s">"/projects"</span><span class="p">&gt;</span>Projects<span class="p">&lt;/</span><span class="nc">Link</span><span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* Only visible if user has reports:read */</span><span class="si">}</span> <span class="si">{</span><span class="nf">can</span><span class="p">(</span><span class="dl">"</span><span class="s2">reports:read</span><span class="dl">"</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="p">&lt;</span><span class="nc">Link</span> <span class="na">href</span><span class="p">=</span><span class="s">"/reports"</span><span class="p">&gt;</span>Reports<span class="p">&lt;/</span><span class="nc">Link</span><span class="p">&gt;</span><span class="si">}</span> <span class="si">{</span><span class="cm">/* Only visible if user can invite members (admin) */</span><span class="si">}</span> <span class="si">{</span><span class="nf">can</span><span class="p">(</span><span class="dl">"</span><span class="s2">members:invite</span><span class="dl">"</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="p">&lt;</span><span class="nc">Link</span> <span class="na">href</span><span class="p">=</span><span class="s">"/members"</span><span class="p">&gt;</span>Team Members<span class="p">&lt;/</span><span class="nc">Link</span><span class="p">&gt;</span><span class="si">}</span> <span class="si">{</span><span class="cm">/* Only visible if user can manage billing (admin) */</span><span class="si">}</span> <span class="si">{</span><span class="nf">can</span><span class="p">(</span><span class="dl">"</span><span class="s2">billing:manage</span><span class="dl">"</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nc">Link</span> <span class="na">href</span><span class="p">=</span><span class="s">"/settings/billing"</span><span class="p">&gt;</span>Billing<span class="p">&lt;/</span><span class="nc">Link</span><span class="p">&gt;</span> <span class="p">)</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">nav</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The same component file produces three completely different outputs<br> depending on who is logged in:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu3deocq7moytx7cvrxcy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu3deocq7moytx7cvrxcy.png" alt="Admin view — full sidebar with Projects, Reports, Team Members,&lt;br&gt; and Billing. Cards show both Edit and Delete buttons.&lt;br&gt; Badge shows Admin · Sarah Chen" width="800" height="501"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4xwvjye0hfu6m9qeuncx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4xwvjye0hfu6m9qeuncx.png" alt="Member view — sidebar shows Projects and Reports only.&lt;br&gt; Cards show Edit button only, no Delete.&lt;br&gt; Badge shows Member · Sarah Chen" width="800" height="501"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F51bzevuawixfug14u15m.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F51bzevuawixfug14u15m.png" alt="Viewer view — sidebar shows Projects only.&lt;br&gt; Cards show No actions available — no buttons at all.&lt;br&gt; Badge shows Viewer · Sarah Chen" width="800" height="501"></a></p> <p>Note: Conditional rendering hides controls but does not enforce access. A user can still call API routes directly with tools like curl. The <code>requirePermission</code> guard in the API layer is what enforces authorization — the UI gate is for experience, not security.</p> <h2> Step #5: Handle Tenant Switching Correctly </h2> <p>When Sarah switches from Acme Corp to Startup Inc, she needs a new token scoped to the new organization. The existing token's <code>org_code</code> is <code>org_acme_corp</code> — you cannot change a signed JWT's claims without issuing a new one.</p> <p>The correct approach is to redirect the user through Kinde's authentication with the target org specified:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// components/OrgSwitcher.tsx</span> <span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useKindeBrowserClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">LoginLink</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/components</span><span class="dl">"</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">Org</span> <span class="p">{</span> <span class="nl">code</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">OrgSwitcher</span><span class="p">({</span> <span class="nx">orgs</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">orgs</span><span class="p">:</span> <span class="nx">Org</span><span class="p">[]</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">getOrganization</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useKindeBrowserClient</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">currentOrg</span> <span class="o">=</span> <span class="nf">getOrganization</span><span class="p">();</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"org-switcher"</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">orgs</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">org</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">org</span><span class="p">.</span><span class="nx">code</span> <span class="o">===</span> <span class="nx">currentOrg</span><span class="p">?.</span><span class="nx">orgCode</span> <span class="p">?</span> <span class="p">(</span> <span class="c1">// Already in this org — highlight it as current</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">key</span><span class="p">=</span><span class="si">{</span><span class="nx">org</span><span class="p">.</span><span class="nx">code</span><span class="si">}</span> <span class="na">className</span><span class="p">=</span><span class="s">"org-item current"</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">org</span><span class="p">.</span><span class="nx">name</span><span class="si">}</span> <span class="p">&lt;</span><span class="nt">span</span> <span class="na">className</span><span class="p">=</span><span class="s">"badge"</span><span class="p">&gt;</span>Current<span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">)</span> <span class="p">:</span> <span class="p">(</span> <span class="c1">// Switch to this org — triggers a new Kinde token for org.code</span> <span class="p">&lt;</span><span class="nc">LoginLink</span> <span class="na">key</span><span class="p">=</span><span class="si">{</span><span class="nx">org</span><span class="p">.</span><span class="nx">code</span><span class="si">}</span> <span class="na">authUrlParams</span><span class="p">=</span><span class="si">{</span><span class="p">{</span> <span class="na">org_code</span><span class="p">:</span> <span class="nx">org</span><span class="p">.</span><span class="nx">code</span> <span class="p">}</span><span class="si">}</span> <span class="na">className</span><span class="p">=</span><span class="s">"org-item"</span> <span class="p">&gt;</span> <span class="si">{</span><span class="nx">org</span><span class="p">.</span><span class="nx">name</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nc">LoginLink</span><span class="p">&gt;</span> <span class="p">)</span> <span class="p">)</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The <code>org_code</code> parameter in <code>authUrlParams</code> tells Kinde which organization to issue the token for. After the brief authentication redirect, the user's token contains the <code>org_code</code>, <code>roles</code>, and <code>permissions</code> for the switched-to org. Every permission check in both the API and the UI immediately reflects the new tenant context.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F41y3hw4hwwz0uycbm92n.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F41y3hw4hwwz0uycbm92n.png" alt="Org switching flow — " width="800" height="307"></a></p> <h2> Putting It All Together </h2> <p>Here is the complete per-tenant permission system mapped across all layers:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>What it does</th> <th>Where it lives</th> </tr> </thead> <tbody> <tr> <td><strong>Kinde (config)</strong></td> <td>Defines permissions globally, bundles them into roles, assigns roles per org</td> <td>Kinde dashboard</td> </tr> <tr> <td><strong>JWT token</strong></td> <td>Carries <code>org_code</code> + <code>permissions</code> for the current org context</td> <td>Issued by Kinde, verified by SDK</td> </tr> <tr> <td><strong><code>requirePermission()</code> (API)</strong></td> <td>Rejects requests missing auth, org context, or required permissions</td> <td><code>lib/permissions.ts</code></td> </tr> <tr> <td><strong>DB queries</strong></td> <td>Filter every read/write/delete by <code>auth.orgCode</code> from the token</td> <td>All API route handlers</td> </tr> <tr> <td><strong><code>usePermissions()</code> hook (UI)</strong></td> <td>Conditionally renders controls based on <code>getPermission(key).isGranted</code> </td> <td>React components</td> </tr> <tr> <td><strong><code>OrgSwitcher</code> (UI)</strong></td> <td>Issues a new token for the selected org via <code>LoginLink</code> + <code>org_code</code> </td> <td> <code>OrgSwitcher</code> component</td> </tr> </tbody> </table></div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvohduygmjntuqf34g21z.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvohduygmjntuqf34g21z.png" alt="Full architecture — Kinde (left box: permissions → roles → orgs with role assignments) issues a signed JWT → the JWT flows to both the API Layer (center box: requirePermission guard → DB queries filtered by orgCode) and the React Layer (right box: usePermissions hook → conditional rendering)." width="800" height="276"></a></p> <h2> The Two Most Common Multi-Tenant Permission Bugs </h2> <p><strong>Bug #1: Trusting the client-supplied tenant ID</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ Wrong — org code from the request body is attacker-controlled</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">GET</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">Request</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">orgCode</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">request</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">projects</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">projects</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="nx">orgCode</span> <span class="p">},</span> <span class="c1">// a user can pass any org's code here</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// ✅ Correct — org code from the signed JWT cannot be forged</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">GET</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">auth</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">requirePermission</span><span class="p">(</span><span class="dl">"</span><span class="s2">projects:read</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">auth</span> <span class="k">instanceof</span> <span class="nx">NextResponse</span><span class="p">)</span> <span class="k">return</span> <span class="nx">auth</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">projects</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">projects</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">orgCode</span><span class="p">:</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">orgCode</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>A user controls what goes in a request body. They cannot forge a claim in a signed JWT. Always read the tenant context from the token.</p> <p><strong>Bug #2: Checking role names instead of permissions</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ Wrong — brittle, breaks when roles are renamed or restructured</span> <span class="kd">const</span> <span class="nx">roles</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getRoles</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">isAdmin</span> <span class="o">=</span> <span class="nx">roles</span><span class="p">?.</span><span class="nf">some</span><span class="p">(</span><span class="nx">r</span> <span class="o">=&gt;</span> <span class="nx">r</span><span class="p">.</span><span class="nx">key</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">admin</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isAdmin</span><span class="p">)</span> <span class="k">return</span> <span class="nf">forbidden</span><span class="p">();</span> <span class="c1">// ✅ Correct — checks the specific action, decoupled from role names</span> <span class="kd">const</span> <span class="nx">auth</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">requirePermission</span><span class="p">(</span><span class="dl">"</span><span class="s2">projects:delete</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">auth</span> <span class="k">instanceof</span> <span class="nx">NextResponse</span><span class="p">)</span> <span class="k">return</span> <span class="nx">auth</span><span class="p">;</span> </code></pre> </div> <p>Role names can change. New roles can be created. A "super_admin" or "owner" role might need delete access too. When you check role names, you have to update every check site when your role structure evolves. When you check permissions, the mapping from roles to permissions is managed in Kinde's configuration and your code stays unchanged.</p> <h2> Conclusion </h2> <p>In this article, you built a complete per-tenant permission system for a multi-tenant Next.js app using Kinde organizations. The same user now has completely different permissions depending on which org they are operating in — because those permissions come from the org-scoped token claims, not from a global role attached to the user.</p> <p>The model is clear: Kinde puts the right claims in the token for each org context (trust layer). Your API guard enforces permissions before any logic runs (security layer). Your UI hook hides controls the user cannot use (experience layer). Your database queries filter by the org code from the token (isolation layer).</p> <p>Four layers, one source of truth: the token.</p> <p>Kinde is free for up to 10,500 monthly active users, no credit card required. Create your account at <a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=10&amp;device=&amp;adposition=" rel="noopener noreferrer">kinde.com</a> and have multi-tenant permissions running today.</p> kinde webdev programming tutorial Shola Jegede Sun, 22 Mar 2026 00:27:29 +0000 https://dev.to/sholajegede/your-free-trial-isnt-converting-because-your-upgrade-flow-has-too-much-friction-1e9j https://dev.to/sholajegede/your-free-trial-isnt-converting-because-your-upgrade-flow-has-too-much-friction-1e9j <p><em>A technical founder asked me why only 8% of their trial users were upgrading. We spent an hour going through their funnel. The product was good. The problem was everything around it.</em></p> <p>In this article, you will learn:</p> <ul> <li>Why most free trial conversion problems are not actually product problems</li> <li>What the data says about where trial users actually drop off</li> <li>The five friction points that kill conversion — and which ones founders keep building themselves</li> <li>Why auth and upgrade flows are the worst place to build from scratch</li> <li>How Kinde handles the login, onboarding, upgrade, and access layers so you do not have to</li> <li>What your team should be spending its friction-reduction energy on instead</li> <li>How to audit your own funnel in 30 minutes and find the leaks</li> </ul> <p>Let's dive in!</p> <h2> The Conversation That Prompted This Article </h2> <p>A technical founder — building a SaaS tool for operations teams — reached out with a familiar problem. Their trial-to-paid conversion was hovering around 8%. They had good traffic, decent trial signups, and they knew from user interviews that people liked the product. But when the trial ended, most users just did not upgrade.</p> <p>They had already done the obvious things. They had shortened the trial from 30 days to 14. They had added in-app upgrade prompts. They had set up reminder emails. The conversion number barely moved.</p> <p>When we walked through their full funnel together, the product was not the problem. The product did what it promised. But surrounding it was a web of friction that accumulated across every touchpoint — friction that the founding team had built themselves, piece by piece, never stepping back to look at the whole thing from a new user's perspective.</p> <p>The login flow asked for email, password, first name, last name, company name, and team size before the user saw a single feature. The upgrade page required re-entering credit card information even if the user had already paid for something. The "upgrade to Pro" button existed in exactly one place in the entire product. Inviting a team member required the admin to first create the team member's role, then generate an invite link, then email it externally, then wait for the user to set up their own password. None of these problems were product problems. They were infrastructure problems. And the founding team had built every one of them.</p> <p>This article is about that category of friction: the stuff around your product that you probably built yourself and never had to build at all.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxdg30r0zjgzk832pz9eo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxdg30r0zjgzk832pz9eo.png" alt="A funnel showing a typical SaaS trial journey with friction points marked at each stage — Signup (form fields), First login (email verification delay), Onboarding (required setup before seeing value), Upgrade prompt (single location, one path), Payment (re-entry, redirect), Invite teammate (multi-step manual flow)." width="560" height="2480"></a></p> <h2> What the Data Actually Says </h2> <p>Before diagnosing where friction hides, it is worth grounding this in numbers.</p> <p>Opt-in free trials — the model where users sign up without a credit card — convert to paid at around 18 to 25% on average. Freemium products, where users stay on a free tier indefinitely, convert around 2.6 to 5%. If your product is genuinely solving a real problem and your conversion rate is sitting well below these benchmarks, you almost certainly have a friction problem, not a product problem.</p> <p>A few statistics that should make every technical founder uncomfortable:</p> <p>Each additional field in a signup form reduces completion by an average of 5 to 7%. When one company dropped the credit card requirement from their signup, they immediately saw a 71% increase in users willing to start a trial. Removing just three form fields from a payment page lifted conversion by 8%. Users who experience core product value within the first 15 minutes are three times more likely to retain than those who wait 30 minutes or longer. Users who complete an onboarding flow are five times more likely to convert than those who do not.</p> <p>The pattern is consistent: every second between a user's decision to try your product and the moment they experience its value is a second where they can change their mind. And the irony is that the friction accumulates most heavily in the parts of the product that have nothing to do with what makes your product valuable.</p> <p>Nobody's aha moment is "I successfully created an account." Nobody upgrades to Pro because "the payment page was really elegant." But a bad login experience, a broken invite flow, or an upgrade page that sends the user off-site and back can absolutely stop a conversion that was about to happen.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Furul1zcb2b8jptrehvlz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Furul1zcb2b8jptrehvlz.png" alt="A simple comparison card with two columns — " width="800" height="791"></a></p> <h2> The Five Friction Points That Kill Free Trial Conversion </h2> <p>These are the five places where trial conversion typically bleeds out. Two of them are product problems you genuinely need to solve. Three of them are infrastructure problems you should never have had to build.</p> <h3> Friction Point #1: The Signup Wall (Infrastructure) </h3> <p>The most common version of this: a new user lands on your product, decides they want to try it, and is immediately presented with a form. Email. Password. Confirm password. First name. Last name. Company. Team size. Job title. Use case. Newsletter opt-in. Terms checkbox.</p> <p>This is not onboarding. This is interrogation. And it happens at exactly the wrong moment — before the user has experienced a single second of your product's value.</p> <p>The right version of signup asks for as little as possible. An email address and a way to verify it is enough. Better yet, a single "Sign in with Google" button is one click. Users who have already experienced your product and then are asked for their email to save their work convert significantly better than users asked to commit before they have seen anything.</p> <p>This is a pure infrastructure problem. It is not about your product. It is about how you authenticate users. And it is completely solved by not building your own auth system.</p> <h3> Friction Point #2: Email Verification Delay (Infrastructure) </h3> <p>The single most underestimated conversion killer in SaaS. User signs up, checks email, verification email is in spam or takes 90 seconds, user moves on and never comes back.</p> <p>Email verifications that go to spam folders, that arrive late, or that require the user to leave the product and return to it introduce a break in momentum that most users never recover from. The user was ready to try your product. Now they are checking their spam folder.</p> <p>The fix is passwordless authentication with email OTPs — users enter their email, get a short code, enter it, and they are in. No password to create, no verification link to chase, no spam filter to defeat. Kinde's default authentication is email + code, not a magic link. A six-digit OTP that the user enters manually. The user stays in the flow the entire time. No tab-switching.</p> <h3> Friction Point #3: The First-Run Empty State (Product) </h3> <p>This is a genuine product problem — and arguably the most important one to solve, because it sits right after the authentication friction that you have just removed.</p> <p>A new user logs in for the first time and sees a completely blank dashboard. No data, no examples, no clear next action. The product looks empty because it is empty. This is the "blank canvas problem" and it is responsible for an enormous share of early churn.</p> <p>The fix is not complex: pre-populate the user's account with example data, a sample project, or a guided first action that gets them to their aha moment within the first five minutes. Trello puts users directly into a pre-configured board. Figma opens a default file. Notion creates a sample workspace. None of them leave the user staring at an empty screen wondering what to do.</p> <p>This is the friction point that is worth spending your engineering team's time on. It is specific to your product's value proposition and cannot be handled by any external tool.</p> <h3> Friction Point #4: The Upgrade Moment (Infrastructure) </h3> <p>This is where the founder I talked to lost most of their conversions. The user has been using the product for a week. They have hit a feature limit or they have decided the product is worth paying for. They look for the upgrade button.</p> <p>It is not in the navigation. It is not in the settings. It is not in the feature they just hit the limit on. It is on a pricing page linked from the marketing site footer.</p> <p>Even when users find the upgrade path, the friction continues: they are redirected to a separate page, asked to choose a plan, asked to enter payment details, redirected to a third-party checkout, and then redirected back to the product. At each hop, some percentage of users drop off.</p> <p>The right upgrade flow is in-context: the upgrade prompt appears exactly where the user hits the limit, the payment is handled without leaving the product, and the new feature is unlocked immediately after payment with zero additional steps required.</p> <p>This is almost entirely an infrastructure problem. Wiring together your auth system, your plan state, your billing provider, and your feature flags in a way that makes this experience seamless is weeks of engineering work. Or it is a Kinde configuration that takes an afternoon.</p> <h3> Friction Point #5: The Team Invite Friction (Infrastructure and Product) </h3> <p>Many SaaS products live or die on team adoption. A single user converts to paid, but the product is much stickier once teammates are inside it too. This is the expansion motion that drives net revenue retention above 100%.</p> <p>But the invite flow in most early-stage products is brutal. Admin has to set up roles. Generate an invite link. Copy it. Email it manually. The invitee signs up, creates a password, and waits for an admin to approve. The teammate who signed up on Tuesday shows up in the admin's queue on Thursday. The admin gets an email notification, clicks through, approves, and the new user can finally access the product.</p> <p>Three days of friction for what should be a one-minute experience.</p> <p>The right invite flow sends an invitation email with a single link. The invitee clicks the link, authenticates in one step (social login or OTP), and is inside the product with the correct role already assigned. No manual queue. No password creation. No admin approval step for standard roles.</p> <p>Again: this is infrastructure. The invitation, authentication, role assignment, and access provisioning are not features of your product. They are plumbing that most teams spend weeks building.</p> <h2> The Category of Friction You Should Stop Building </h2> <p>Notice the pattern across friction points #1, #2, #4, and #5. They are all infrastructure. They are all part of the login and access layer. And they are all things that the founding team of the product I described above had built themselves, from scratch, because that seemed like the right call at the time.</p> <p>It was not the right call. Here is why.</p> <p>When you build your own auth system, you are making a bet that your implementation of signup flows, email verification, social login, OTP delivery, password reset, session management, multi-tenant org logic, role assignment, invite flows, plan gating, and upgrade checkout will be good enough not to cost you conversions. That bet almost always loses, for a simple reason: none of these things are your product. You are not optimizing them. You are not testing them. You are not studying the best practices the way Stripe studied payment UX or the way Kinde has studied auth UX.</p> <p>Every hour your team spends debugging email deliverability or adding a Google login button or wiring up a Stripe webhook to update a user's plan state in your database is an hour not spent on friction point #3 — the blank canvas problem, which is the one that is genuinely specific to your product and genuinely worth your team's engineering attention.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F68fudatz734py871aj5a.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F68fudatz734py871aj5a.png" alt="A simple " value="" width="800" height="534"></a></p> <h2> What Kinde Gets Right Out of the Box </h2> <p><a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=11&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde</a> is auth, user management, and billing in one platform. The reason this matters for free trial conversion is not because Kinde does those things — it is that Kinde does those things well, so you do not have to.</p> <p>Here is what you get without writing any infrastructure code:</p> <p><strong>Passwordless authentication by default.</strong> Kinde's default auth method is email + OTP, not a password. Users enter their email and a six-digit code. No password to create, no verification link to follow, no confirmation email that might land in spam. Users stay in your product from the moment they decide to sign up.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjfuukp5zkqzo238sfz3n.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjfuukp5zkqzo238sfz3n.png" alt="Kinde's default login/signup page showing the email field and OTP code entry — clean, minimal, no password field." width="800" height="501"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjl6otjk3ddnejib1oz05.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjl6otjk3ddnejib1oz05.png" alt="This is what users see when they first encounter your product's auth layer." width="800" height="501"></a></p> <p><strong>Social login out of the box.</strong> Google, GitHub, Microsoft, Apple, and others can be enabled in the Kinde dashboard in under two minutes. One-click signup removes all the form-field friction from new user acquisition. Users who already have a Google account can be inside your product in a single click.</p> <p><strong>No credit card required for Kinde itself.</strong> Kinde's free plan supports up to 10,500 monthly active users — no credit card required to get started. This is important because it means you can mirror the same no-credit-card opt-in model for your own users that the data shows converts best, without paying anything for the auth infrastructure that enables it.</p> <p><strong>Upgrade flows that stay in-product.</strong> Kinde's billing integration puts the pricing table, plan selection, and Stripe checkout inside your product. When a user hits a feature limit and sees an upgrade prompt, they complete the upgrade without leaving the product. The new plan is active immediately. Feature flags tied to that plan update in the same request.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw0nwv1c981grmwd0kz71.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw0nwv1c981grmwd0kz71.png" alt="Kinde's plan selection UI — Free and Pro cards with " width="800" height="633"></a></p> <p><strong>Feature flags tied to plan state.</strong> The moment a user upgrades, the feature flags attached to that plan activate without any webhook handling or database updates from your team. The user does not have to log out and back in. The feature is simply available. This is what makes in-context upgrade prompts work: "You've hit the limit on the free plan. Upgrade to Pro to unlock this." The user clicks, pays, and the feature unlocks in that same session.</p> <p><strong>Organization-based team management.</strong> For B2B products, Kinde organizations give every customer their own isolated workspace, with their own members, roles, and plan state. The invite flow sends a Kinde-powered email with a join link. The invitee authenticates (social login or OTP), and their role in the organization is already assigned. No admin queue, no password creation ceremony, no manual step for the inviting user after they send the invitation.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faan4s0ug775m96n16jqy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faan4s0ug775m96n16jqy.png" alt="Kinde dashboard showing the Organization view — expanded to show member list with roles (Admin, Member, Viewer) and an " width="800" height="501"></a></p> <p><strong>Roles and permissions that express in your product's UI.</strong> Using <code>getPermissions()</code> or feature flag checks from the Kinde SDK, your product can conditionally show or hide features based on a user's role and plan state. An admin on the Pro plan sees everything. A member on the free plan sees what they should see. This all comes from the Kinde token — no database query required to determine what a user can see.</p> <h2> Applying This to Your Own Funnel </h2> <p>The founder I described at the start ended up migrating to Kinde and rebuilding their auth and upgrade layer on top of it. The signup form went from six fields to one. Social login accounted for 60% of new signups within the first two weeks. The upgrade flow moved inside the product. The invite flow dropped from a five-step manual process to a single email.</p> <p>Their trial-to-paid conversion went from 8% to 21% over the following 90 days.</p> <p>That is not a product change. The product did not change. The friction around the product changed.</p> <p>If you want to audit your own funnel, here is a 30-minute process:</p> <p><strong>Step 1 (5 min): Walk the signup flow yourself.</strong> Open an incognito window and sign up for your own product. Count every field, every click, every page navigation, every email you have to check. Every step is potential churn.</p> <p><strong>Step 2 (5 min): Measure time to first value.</strong> From the moment you complete signup to the moment you see something genuinely useful in the product — how long does that take? If it is more than five minutes, you have a problem.</p> <p><strong>Step 3 (5 min): Find the upgrade path.</strong> Without knowing where it is, try to find the upgrade button. Time yourself. If it takes more than 30 seconds, most users will not find it at the moment they are ready to pay.</p> <p><strong>Step 4 (5 min): Walk the invite flow.</strong> Go through the process of inviting a team member. Count every step the inviting user has to take. Then count every step the invited user has to take. Multiply both by the cognitive overhead of switching contexts and waiting for emails. That is your expansion friction.</p> <p><strong>Step 5 (10 min): Look at your drop-off data.</strong> Where in the funnel are users leaving? If the biggest drop is between signup and first meaningful action, you have an onboarding problem. If the biggest drop is at the end of the trial, you likely have an upgrade friction problem. If users activate but do not invite teammates, you have an expansion friction problem.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzxr6m9t7ejgrwnyndhnv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzxr6m9t7ejgrwnyndhnv.png" alt="A funnel audit template — five numbered rows (Signup Flow, Time to First Value, Upgrade Path, Invite Flow, Drop-off Data) with columns for " width="700" height="3460"></a></p> <h2> The Division of Labor That Works </h2> <p>The founders who convert at 20%+ typically have an implicit understanding of this division:</p> <p><strong>Kinde's job:</strong> Handle every interaction a user has with authentication, access, plan state, and team membership. Make these interactions fast, polished, and invisible. No friction that the user notices, no engineering hours that the team notices.</p> <p><strong>Your team's job:</strong> Handle every interaction a user has with your actual product. Make the first-run experience genuinely delightful. Get users to their aha moment in under five minutes. Build the features that make people want to upgrade because the product is worth it — not because the upgrade flow tricked them into it.</p> <p>This is the right division. The user's experience of your auth layer is not a differentiator. Nobody upgrades to Pro because your login page was beautiful. But users will not upgrade at all if the upgrade path is hard to find, the payment flow is clunky, or the new features do not unlock immediately after payment.</p> <p><a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=11&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde</a> handles the layer that should be invisible and frictionless. Your team handles the layer that should be delightful and differentiated.</p> <h2> Conclusion </h2> <p>In this article, you audited the five friction points that kill free trial conversion, identified which ones are infrastructure problems you should stop building from scratch, and saw how Kinde handles the login, onboarding, upgrade, and team access layers so that your engineering team can focus on what actually makes your product worth paying for.</p> <p>The founder's 8% conversion rate was not a product failure. It was a resource allocation failure. Every hour spent debugging email verification or building invite flows is an hour taken from the blank canvas problem — the one genuine product problem that only your team can solve.</p> <p>Free up those hours. Let Kinde handle the plumbing. Spend your engineering attention on the aha moment.</p> <p>Kinde is free for up to 10,500 monthly active users, no credit card required. Create your account at <a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=11&amp;device=&amp;adposition=" rel="noopener noreferrer">kinde.com</a> and have authentication running before lunch.</p> webdev kinde architecture development Shola Jegede Sun, 22 Mar 2026 00:15:55 +0000 https://dev.to/sholajegede/how-to-build-a-secure-mcp-server-for-ai-agents-551g https://dev.to/sholajegede/how-to-build-a-secure-mcp-server-for-ai-agents-551g <p><em>OpenClaw proved that millions of developers will build with MCP first and think about security second. Here is how to not be that developer.</em></p> <p>In this article, you will learn:</p> <ul> <li>What OpenClaw and Moltbook revealed about the state of agentic AI security</li> <li>Why most MCP servers are architecturally insecure by default</li> <li>What "tool-level auth" means and why it is the right mental model for MCP security</li> <li>How Kinde's own MCP server (shipped January 2026) handles scoped access as a real-world reference</li> <li>How to set up a Kinde M2M application as the authorization layer for your MCP server</li> <li>How to issue and validate scoped JWT tokens per tool category</li> <li>How to write a Node.js MCP server that enforces permissions at the tool boundary</li> <li>How to test that your auth layer actually holds under adversarial conditions</li> </ul> <p>Let's dive in!</p> <h2> OpenClaw, Moltbook, and the Security Wake-Up Call </h2> <p>In late January 2026, two things happened simultaneously that changed how the developer community thinks about agentic AI security.</p> <p><strong>OpenClaw</strong> — an open-source self-hosted AI agent formerly called Clawdbot and briefly Moltbot — crossed 180,000 GitHub stars in a week. It turned any messaging app (WhatsApp, Telegram, Discord, Signal) into an AI agent interface, extended by a Skills system built entirely on MCP servers. Security researchers scanning the internet found over 1,800 exposed OpenClaw instances leaking API keys, chat histories, and account credentials. Cisco's AI security team tested a third-party OpenClaw skill from the ClawHub marketplace and found it performed data exfiltration and prompt injection without user awareness. One of OpenClaw's own maintainers, known as Shadow, warned on Discord that the project was "far too dangerous" for anyone who could not understand command-line basics.</p> <p><strong>Moltbook</strong> — a Reddit-style social network built by Matt Schlicht exclusively for AI agents — launched on January 28 and hit 1.6 million registered agents by February. It was built via vibe coding and contained a misconfigured Supabase database that granted full read and write access to its data — exposing 1.5 million agents belonging to only 17,000 registered humans. Cybersecurity researchers at Vectra AI and PointGuard AI identified Moltbook as a vector for indirect prompt injection: a malicious post on Moltbook could cascade into every MCP tool an agent had access to. Moltbook was acquired by Meta on March 10, 2026.</p> <p>The pattern that connected both incidents was the same: agents were granted sweeping, unscoped access to tools. No authentication. No per-tool permissions. No way to answer the question "which agent did this and what were they authorized to do?" A static API key — if there was one at all — gave full access to everything.</p> <p>Security researcher Itamar Golan (founder of Prompt Security, now part of SentinelOne) put it plainly in a VentureBeat interview: treat agents as production infrastructure, not a productivity app — least privilege, scoped tokens, allowlisted actions, strong authentication on every integration, and auditability end-to-end.</p> <p>This article is about building exactly that.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhlo3q1atq8ylnh9wge9v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhlo3q1atq8ylnh9wge9v.png" alt="Timeline showing OpenClaw going viral (Jan 2026) → Moltbook launching (Jan 28) → 1,800+ exposed OpenClaw instances found → Moltbook Supabase breach → Meta acquires Moltbook (Mar 10)." width="639" height="311"></a></p> <h2> Why Most MCP Servers Are Architecturally Insecure </h2> <p>The MCP spec (finalized in late 2024, updated through 2025) mandates OAuth 2.1 with PKCE for public remote servers. But the ecosystem reality is starkly different. A 2026 survey of production MCP servers found that 53% rely on static API keys and only 8.5% use OAuth. The rest have no authentication at all.</p> <p>This is not because developers are careless. It is because the default path is the insecure path. The most commonly copied MCP server examples use static bearer tokens or no auth. The "get something working" version of MCP has no concept of which agent is calling or what it is allowed to do. And when 180,000 developers adopt OpenClaw and start wiring up Skills, they inherit those insecure defaults at scale.</p> <p>The specific problems with unscoped MCP access are worth naming precisely, because they map directly to what happened with OpenClaw and Moltbook:</p> <p><strong>No tool-level permissions.</strong> A token that grants access to your MCP server grants access to every tool on it. An agent authorized to read files can also delete them. An agent authorized to query a database can also drop tables. There is no granularity.</p> <p><strong>No agent identity.</strong> When five different OpenClaw instances connect to your MCP server, can you tell them apart? Can you see which user delegated authority to each one? With a static API key, the answer is no. All you know is that something with the key made a request.</p> <p><strong>Prompt injection cascades.</strong> Because agents are granted broad tool access, a successful prompt injection attack has a large blast radius. The Moltbook incident demonstrated this: a malicious post in an agent's context could instruct the agent to call tools it had no business calling — and because tools were unscoped, the agent could comply.</p> <p><strong>No revocation granularity.</strong> If you need to cut off one agent's access, you have to rotate the key for everyone.</p> <p>What you need instead is a model where each agent has a cryptographically verified identity, each token carries specific scopes that enumerate exactly which tools the agent can call, and every tool call is validated against those scopes before execution. That is what Kinde's own MCP server — shipped in January 2026 — demonstrates in production.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkwed0y5nvy4crdpwx0kh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkwed0y5nvy4crdpwx0kh.png" alt="Two architecture diagrams side by side. LEFT: " width="800" height="274"></a></p> <h2> The Kinde MCP Server as a Reference Model </h2> <p><a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=9&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde</a> shipped its own MCP server in January 2026. It lets AI assistants like Claude Code connect to your Kinde business and manage users, organizations, roles, and permissions through natural language — things like "create a new organization for Acme Corp" or "list all users with the admin role."</p> <p>The security model it uses is the right reference for anyone building their own MCP server:</p> <p><strong>M2M (Machine-to-Machine) applications</strong> are the identity primitive for agents. Not user accounts. Not API keys. Dedicated M2M applications that have their own client ID and secret, exist as first-class entities in Kinde, and can be granted or revoked access independently of human users.</p> <p><strong>Scopes enumerate exact permissions.</strong> The Kinde MCP server defines specific scopes for each category of operation — scopes for reading users, different scopes for writing users, separate scopes for managing organizations. An M2M application that has not been granted a scope cannot call the tools that require it. The authorization decision happens at the token issuance level, not at runtime guesswork.</p> <p><strong>JWT validation on every request.</strong> Tokens are short-lived (one hour by default for M2M), signed with Kinde's private key, and verified against Kinde's public JWKS endpoint on every inbound request. A token cannot be forged, replayed beyond its expiry, or accepted by a different server than the one it was issued for.</p> <p><strong>Revocability.</strong> To cut off an agent's access, you revoke or remove the M2M application in Kinde. It stops working immediately. No key rotation, no impact on other agents.</p> <p>This is the pattern you should apply to your own MCP server. The steps below show you exactly how to implement it.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhhfk6dtgrn5917f2hq35.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhhfk6dtgrn5917f2hq35.png" alt="Kinde dashboard MCP Server section — showing the setup page or the operations/scopes list that Kinde's own MCP server exposes (e.g., list_users scope, create_organization scope, manage_roles scope)." width="800" height="502"></a></p> <h2> Step #1: Create a Kinde M2M Application for Your MCP Server </h2> <p>Before writing any server code, set up the authorization layer in Kinde. This takes about three minutes.</p> <p>Create a free Kinde account at <a href="https://kinde.com" rel="noopener noreferrer">kinde.com</a> if you do not have one. Then navigate to <strong>Settings</strong> → <strong>Applications</strong> → <strong>Add application</strong> and select <strong>Machine to machine</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnpep5iw6cko1ozjgob57.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnpep5iw6cko1ozjgob57.png" alt="Kinde Settings &gt; Applications page showing the " width="800" height="502"></a></p> <p>Give it a descriptive name like <code>My MCP Server Agent</code>. Once created, open the application details and note down:</p> <ul> <li> <strong>Client ID</strong> — the agent's unique identity</li> <li> <strong>Client Secret</strong> — the credential used to obtain tokens (treat this like a password)</li> <li> <strong>Token endpoint</strong> — <code>https://YOUR_DOMAIN.kinde.com/oauth2/token</code> </li> <li> <strong>JWKS endpoint</strong> — <code>https://YOUR_DOMAIN.kinde.com/.well-known/jwks.json</code> </li> </ul> <p>Now register your MCP server as an API in Kinde. Navigate to <strong>APIs</strong> → <strong>Add API</strong>. Give it a name (e.g. <code>My MCP Server</code>) and an audience identifier (e.g. <code>https://mcp.yourapp.com</code>). This audience value will be embedded in every token issued for your server — your server checks it on every request to ensure the token was meant for it specifically, preventing token passthrough attacks.</p> <h2> Step #2: Define Scopes for Tool-Level Permissions </h2> <p>This is the step most MCP servers skip entirely, and it is the most important one.</p> <p>In your Kinde API definition (under <strong>APIs</strong> → select your API → <strong>Scopes</strong>), define one scope per logical group of tools. Do not define one global scope — that defeats the purpose. Think about the categories of capability your MCP server exposes and create a scope for each.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnepm7ysulx301gn4gsiw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnepm7ysulx301gn4gsiw.png" alt="Kinde API scopes page showing several scopes defined for the MCP server, e.g., tools:read, tools:write, admin:users, admin:orgs. Each scope has a name and description visible" width="800" height="502"></a></p> <p>For a hypothetical MCP server that manages a SaaS product's users and data, the scopes might look like this:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scope</th> <th>Tools it authorizes</th> <th>Who gets it</th> </tr> </thead> <tbody> <tr> <td><code>users:read</code></td> <td> <code>get_user</code>, <code>list_users</code>, <code>search_users</code> </td> <td>Read-only agents, analytics pipelines</td> </tr> <tr> <td><code>users:write</code></td> <td> <code>create_user</code>, <code>update_user</code>, <code>invite_user</code> </td> <td>CRM agents, onboarding automations</td> </tr> <tr> <td><code>users:delete</code></td> <td> <code>delete_user</code>, <code>suspend_user</code> </td> <td>Admin agents only</td> </tr> <tr> <td><code>data:read</code></td> <td> <code>query_records</code>, <code>export_data</code> </td> <td>Reporting agents</td> </tr> <tr> <td><code>data:write</code></td> <td> <code>create_record</code>, <code>update_record</code> </td> <td>Integration agents</td> </tr> <tr> <td><code>admin</code></td> <td>All tools</td> <td>Trusted internal agents only</td> </tr> </tbody> </table></div> <p>Now grant your M2M application the scopes it actually needs. Navigate to your M2M application → <strong>APIs</strong> → select your API → check only the scopes this specific agent should have. An agent that only needs to read users gets <code>users:read</code>. It cannot request a token with <code>users:delete</code> even if it tries — Kinde will not issue it.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4hmhlv5e9pu29y9jhoua.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4hmhlv5e9pu29y9jhoua.png" alt="Kinde M2M application details showing the API scopes section with some scopes checked (users:read, data:read) and others unchecked (users:delete, admin" width="800" height="502"></a></p> <p>The authorization policy is now defined. Time to build the server.</p> <h2> Step #3: Build the MCP Server with Token Validation </h2> <p>Now write the MCP server itself. This is a Node.js server using the <code>@modelcontextprotocol/sdk</code> package. The key additions over a basic MCP server are the JWT validation middleware and the per-tool scope enforcement.</p> <p>First, install the dependencies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm init <span class="nt">-y</span> npm <span class="nb">install</span> @modelcontextprotocol/sdk jwks-rsa jsonwebtoken express </code></pre> </div> <p>Create the server file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// server.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">McpServer</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@modelcontextprotocol/sdk/server/mcp.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">StreamableHTTPServerTransport</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@modelcontextprotocol/sdk/server/streamableHttp.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">express</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">Response</span><span class="p">,</span> <span class="nx">NextFunction</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">jwt</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">jsonwebtoken</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">jwksClient</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">jwks-rsa</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">z</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">zod</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// ─── Configuration ──────────────────────────────────────────────────────────</span> <span class="kd">const</span> <span class="nx">KINDE_DOMAIN</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">KINDE_DOMAIN</span><span class="o">!</span><span class="p">;</span> <span class="c1">// e.g. "yourapp.kinde.com"</span> <span class="kd">const</span> <span class="nx">MCP_AUDIENCE</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">MCP_AUDIENCE</span><span class="o">!</span><span class="p">;</span> <span class="c1">// e.g. "https://mcp.yourapp.com"</span> <span class="c1">// JWKS client — fetches Kinde's public signing keys</span> <span class="c1">// Used to verify that incoming tokens were genuinely signed by Kinde</span> <span class="kd">const</span> <span class="nx">jwks</span> <span class="o">=</span> <span class="nf">jwksClient</span><span class="p">({</span> <span class="na">jwksUri</span><span class="p">:</span> <span class="s2">`https://</span><span class="p">${</span><span class="nx">KINDE_DOMAIN</span><span class="p">}</span><span class="s2">/.well-known/jwks.json`</span><span class="p">,</span> <span class="na">cache</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">cacheMaxEntries</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="na">cacheMaxAge</span><span class="p">:</span> <span class="mi">600</span><span class="nx">_000</span><span class="p">,</span> <span class="c1">// 10 minutes</span> <span class="p">});</span> <span class="c1">// ─── JWT Validation ──────────────────────────────────────────────────────────</span> <span class="kr">interface</span> <span class="nx">TokenPayload</span> <span class="p">{</span> <span class="nl">sub</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// agent identity (M2M app client ID)</span> <span class="nl">scp</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// space-separated scopes</span> <span class="nl">permissions</span><span class="p">?:</span> <span class="kr">string</span><span class="p">[];</span> <span class="c1">// Kinde also surfaces permissions here</span> <span class="nl">aud</span><span class="p">:</span> <span class="kr">string</span> <span class="o">|</span> <span class="kr">string</span><span class="p">[];</span> <span class="nl">iss</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">exp</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">validateToken</span><span class="p">(</span><span class="nx">authHeader</span><span class="p">:</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">undefined</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">TokenPayload</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">authHeader</span><span class="p">?.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">Bearer </span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Missing or malformed Authorization header</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">authHeader</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">7</span><span class="p">);</span> <span class="c1">// Decode the header to find the key ID (kid)</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="p">{</span> <span class="na">complete</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">decoded</span> <span class="o">||</span> <span class="k">typeof</span> <span class="nx">decoded</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">string</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Invalid token format</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">kid</span> <span class="o">=</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">header</span><span class="p">.</span><span class="nx">kid</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">kid</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Token missing key ID (kid)</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Fetch the public key from Kinde's JWKS endpoint</span> <span class="kd">const</span> <span class="nx">signingKey</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">jwks</span><span class="p">.</span><span class="nf">getSigningKey</span><span class="p">(</span><span class="nx">kid</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">publicKey</span> <span class="o">=</span> <span class="nx">signingKey</span><span class="p">.</span><span class="nf">getPublicKey</span><span class="p">();</span> <span class="c1">// Verify the token — this checks signature, expiry, issuer, and audience</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">publicKey</span><span class="p">,</span> <span class="p">{</span> <span class="na">algorithms</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">RS256</span><span class="dl">"</span><span class="p">],</span> <span class="na">issuer</span><span class="p">:</span> <span class="s2">`https://</span><span class="p">${</span><span class="nx">KINDE_DOMAIN</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">audience</span><span class="p">:</span> <span class="nx">MCP_AUDIENCE</span><span class="p">,</span> <span class="c1">// prevents token passthrough attacks</span> <span class="p">})</span> <span class="k">as</span> <span class="nx">TokenPayload</span><span class="p">;</span> <span class="k">return</span> <span class="nx">payload</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// ─── Scope Enforcement ───────────────────────────────────────────────────────</span> <span class="kd">function</span> <span class="nf">requireScope</span><span class="p">(</span><span class="nx">requiredScope</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span><span class="nx">payload</span><span class="p">:</span> <span class="nx">TokenPayload</span><span class="p">):</span> <span class="k">void</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Kinde puts scopes in the `scp` claim as a space-separated string</span> <span class="kd">const</span> <span class="nx">tokenScopes</span> <span class="o">=</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">scp</span><span class="p">?.</span><span class="nf">split</span><span class="p">(</span><span class="dl">"</span><span class="s2"> </span><span class="dl">"</span><span class="p">)</span> <span class="o">??</span> <span class="p">[];</span> <span class="c1">// Also check the `permissions` array (Kinde's permission system)</span> <span class="kd">const</span> <span class="nx">permissions</span> <span class="o">=</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">permissions</span> <span class="o">??</span> <span class="p">[];</span> <span class="kd">const</span> <span class="nx">hasScope</span> <span class="o">=</span> <span class="nx">tokenScopes</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">requiredScope</span><span class="p">)</span> <span class="o">||</span> <span class="nx">tokenScopes</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">"</span><span class="s2">admin</span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="nx">permissions</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">requiredScope</span><span class="p">)</span> <span class="o">||</span> <span class="nx">permissions</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">"</span><span class="s2">admin</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">hasScope</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span> <span class="s2">`Insufficient permissions. Required: </span><span class="p">${</span><span class="nx">requiredScope</span><span class="p">}</span><span class="s2">. `</span> <span class="o">+</span> <span class="s2">`Token has: </span><span class="p">${</span><span class="nx">tokenScopes</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">"</span><span class="s2">, </span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">none</span><span class="dl">"</span><span class="p">}</span><span class="s2">`</span> <span class="p">);</span> <span class="p">}</span> <span class="p">};</span> <span class="p">}</span> <span class="c1">// ─── Auth Middleware ──────────────────────────────────────────────────────────</span> <span class="c1">// Store the validated token payload on the request object</span> <span class="c1">// so tool handlers can access it without re-validating</span> <span class="kr">declare</span> <span class="nb">global</span> <span class="p">{</span> <span class="k">namespace</span> <span class="nx">Express</span> <span class="p">{</span> <span class="kr">interface</span> <span class="nx">Request</span> <span class="p">{</span> <span class="nl">agentToken</span><span class="p">?:</span> <span class="nx">TokenPayload</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">authMiddleware</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">Response</span><span class="p">,</span> <span class="nx">next</span><span class="p">:</span> <span class="nx">NextFunction</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">validateToken</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">authorization</span><span class="p">);</span> <span class="nx">req</span><span class="p">.</span><span class="nx">agentToken</span> <span class="o">=</span> <span class="nx">payload</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Agent authenticated: </span><span class="p">${</span><span class="nx">payload</span><span class="p">.</span><span class="nx">sub</span><span class="p">}</span><span class="s2"> with scopes: </span><span class="p">${</span><span class="nx">payload</span><span class="p">.</span><span class="nx">scp</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="s2">`Auth failed: </span><span class="p">${(</span><span class="nx">err</span> <span class="k">as</span> <span class="nb">Error</span><span class="p">).</span><span class="nx">message</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">unauthorized</span><span class="dl">"</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="p">(</span><span class="nx">err</span> <span class="k">as</span> <span class="nb">Error</span><span class="p">).</span><span class="nx">message</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// ─── MCP Server Definition ────────────────────────────────────────────────────</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">McpServer</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">secure-mcp-server</span><span class="dl">"</span><span class="p">,</span> <span class="na">version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1.0.0</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Tool #1: get_user — requires users:read scope</span> <span class="nx">server</span><span class="p">.</span><span class="nf">tool</span><span class="p">(</span> <span class="dl">"</span><span class="s2">get_user</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Retrieve a user by their ID</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">user_id</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">describe</span><span class="p">(</span><span class="dl">"</span><span class="s2">The unique identifier of the user to retrieve</span><span class="dl">"</span><span class="p">),</span> <span class="p">},</span> <span class="k">async </span><span class="p">({</span> <span class="nx">user_id</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">_meta</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Access the validated token from the request context</span> <span class="c1">// The token was validated and attached by authMiddleware before this handler runs</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="p">(</span><span class="nx">_meta</span> <span class="k">as</span> <span class="kr">any</span><span class="p">)?.</span><span class="nx">agentToken</span> <span class="k">as</span> <span class="nx">TokenPayload</span><span class="p">;</span> <span class="nf">requireScope</span><span class="p">(</span><span class="dl">"</span><span class="s2">users:read</span><span class="dl">"</span><span class="p">)(</span><span class="nx">token</span><span class="p">);</span> <span class="c1">// Your actual business logic here</span> <span class="c1">// This is a placeholder — replace with real data fetching</span> <span class="k">return</span> <span class="p">{</span> <span class="na">content</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text</span><span class="dl">"</span> <span class="k">as</span> <span class="kd">const</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="nx">user_id</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">"</span><span class="s2">user@example.com</span><span class="dl">"</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Jane Smith</span><span class="dl">"</span><span class="p">,</span> <span class="na">created_at</span><span class="p">:</span> <span class="dl">"</span><span class="s2">2025-01-15T10:30:00Z</span><span class="dl">"</span><span class="p">,</span> <span class="p">}),</span> <span class="p">},</span> <span class="p">],</span> <span class="p">};</span> <span class="p">}</span> <span class="p">);</span> <span class="c1">// Tool #2: create_user — requires users:write scope</span> <span class="nx">server</span><span class="p">.</span><span class="nf">tool</span><span class="p">(</span> <span class="dl">"</span><span class="s2">create_user</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Create a new user account</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">email</span><span class="p">().</span><span class="nf">describe</span><span class="p">(</span><span class="dl">"</span><span class="s2">Email address for the new user</span><span class="dl">"</span><span class="p">),</span> <span class="na">name</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">describe</span><span class="p">(</span><span class="dl">"</span><span class="s2">Full name of the user</span><span class="dl">"</span><span class="p">),</span> <span class="na">role</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">enum</span><span class="p">([</span><span class="dl">"</span><span class="s2">admin</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">member</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">viewer</span><span class="dl">"</span><span class="p">]).</span><span class="k">default</span><span class="p">(</span><span class="dl">"</span><span class="s2">member</span><span class="dl">"</span><span class="p">),</span> <span class="p">},</span> <span class="k">async </span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">role</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">_meta</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="p">(</span><span class="nx">_meta</span> <span class="k">as</span> <span class="kr">any</span><span class="p">)?.</span><span class="nx">agentToken</span> <span class="k">as</span> <span class="nx">TokenPayload</span><span class="p">;</span> <span class="nf">requireScope</span><span class="p">(</span><span class="dl">"</span><span class="s2">users:write</span><span class="dl">"</span><span class="p">)(</span><span class="nx">token</span><span class="p">);</span> <span class="c1">// Log who created the user for audit purposes</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`User creation requested by agent: </span><span class="p">${</span><span class="nx">token</span><span class="p">.</span><span class="nx">sub</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="c1">// Your actual user creation logic here</span> <span class="k">return</span> <span class="p">{</span> <span class="na">content</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text</span><span class="dl">"</span> <span class="k">as</span> <span class="kd">const</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="s2">`usr_</span><span class="p">${</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()}</span><span class="s2">`</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">role</span><span class="p">,</span> <span class="na">created_by_agent</span><span class="p">:</span> <span class="nx">token</span><span class="p">.</span><span class="nx">sub</span><span class="p">,</span> <span class="na">created_at</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="p">}),</span> <span class="p">},</span> <span class="p">],</span> <span class="p">};</span> <span class="p">}</span> <span class="p">);</span> <span class="c1">// Tool #3: delete_user — requires users:delete scope (most restrictive)</span> <span class="nx">server</span><span class="p">.</span><span class="nf">tool</span><span class="p">(</span> <span class="dl">"</span><span class="s2">delete_user</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Permanently delete a user account</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">user_id</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">describe</span><span class="p">(</span><span class="dl">"</span><span class="s2">ID of the user to delete</span><span class="dl">"</span><span class="p">),</span> <span class="na">reason</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">describe</span><span class="p">(</span><span class="dl">"</span><span class="s2">Reason for deletion (required for audit trail)</span><span class="dl">"</span><span class="p">),</span> <span class="p">},</span> <span class="k">async </span><span class="p">({</span> <span class="nx">user_id</span><span class="p">,</span> <span class="nx">reason</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">_meta</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="p">(</span><span class="nx">_meta</span> <span class="k">as</span> <span class="kr">any</span><span class="p">)?.</span><span class="nx">agentToken</span> <span class="k">as</span> <span class="nx">TokenPayload</span><span class="p">;</span> <span class="c1">// This scope is only granted to trusted admin agents</span> <span class="c1">// Read-only agents cannot call this tool even if they know it exists</span> <span class="nf">requireScope</span><span class="p">(</span><span class="dl">"</span><span class="s2">users:delete</span><span class="dl">"</span><span class="p">)(</span><span class="nx">token</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span> <span class="s2">`AUDIT: User </span><span class="p">${</span><span class="nx">user_id</span><span class="p">}</span><span class="s2"> deleted by agent </span><span class="p">${</span><span class="nx">token</span><span class="p">.</span><span class="nx">sub</span><span class="p">}</span><span class="s2">. Reason: </span><span class="p">${</span><span class="nx">reason</span><span class="p">}</span><span class="s2">`</span> <span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">content</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text</span><span class="dl">"</span> <span class="k">as</span> <span class="kd">const</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">deleted</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="nx">user_id</span><span class="p">,</span> <span class="na">deleted_by</span><span class="p">:</span> <span class="nx">token</span><span class="p">.</span><span class="nx">sub</span><span class="p">,</span> <span class="nx">reason</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="p">}),</span> <span class="p">},</span> <span class="p">],</span> <span class="p">};</span> <span class="p">}</span> <span class="p">);</span> <span class="c1">// ─── HTTP Server ──────────────────────────────────────────────────────────────</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="c1">// The auth middleware runs on every MCP request before the tool handlers</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/mcp</span><span class="dl">"</span><span class="p">,</span> <span class="nx">authMiddleware</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">transport</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">StreamableHTTPServerTransport</span><span class="p">({</span> <span class="na">sessionIdGenerator</span><span class="p">:</span> <span class="kc">undefined</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Pass the validated token into the MCP request context</span> <span class="c1">// so tool handlers can access it via _meta.agentToken</span> <span class="p">(</span><span class="nx">req</span> <span class="k">as</span> <span class="kr">any</span><span class="p">).</span><span class="nx">agentToken</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">agentToken</span><span class="p">;</span> <span class="k">await</span> <span class="nx">server</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="nx">transport</span><span class="p">);</span> <span class="k">await</span> <span class="nx">transport</span><span class="p">.</span><span class="nf">handleRequest</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="p">});</span> <span class="c1">// Protected resource metadata endpoint — required for OAuth 2.1 discovery</span> <span class="c1">// MCP clients fetch this to learn where to get tokens</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/.well-known/oauth-protected-resource</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">_req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">resource</span><span class="p">:</span> <span class="nx">MCP_AUDIENCE</span><span class="p">,</span> <span class="na">authorization_servers</span><span class="p">:</span> <span class="p">[</span><span class="s2">`https://</span><span class="p">${</span><span class="nx">KINDE_DOMAIN</span><span class="p">}</span><span class="s2">`</span><span class="p">],</span> <span class="na">scopes_supported</span><span class="p">:</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">users:read</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">users:write</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">users:delete</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">data:read</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">data:write</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">admin</span><span class="dl">"</span><span class="p">,</span> <span class="p">],</span> <span class="na">bearer_methods_supported</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">header</span><span class="dl">"</span><span class="p">],</span> <span class="p">});</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">PORT</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">PORT</span> <span class="o">??</span> <span class="mi">3000</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="nx">PORT</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Secure MCP Server running on port </span><span class="p">${</span><span class="nx">PORT</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Protected resource metadata: http://localhost:</span><span class="p">${</span><span class="nx">PORT</span><span class="p">}</span><span class="s2">/.well-known/oauth-protected-resource`</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvw1yk6dwfxqlumsu0l9x.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvw1yk6dwfxqlumsu0l9x.png" alt="Terminal showing the MCP server running, with log output like " width="800" height="269"></a></p> <h2> Step #4: How Agents Obtain Tokens </h2> <p>Your MCP server is now a protected resource. To call it, an agent needs a token. Here is how an OpenClaw-style agent — or any MCP client — would obtain one using Kinde's client credentials flow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// agent-token.ts</span> <span class="c1">// This code runs in the AGENT (the MCP client), not in the MCP server</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getAgentToken</span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">tokenResponse</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span> <span class="s2">`https://</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">KINDE_DOMAIN</span><span class="p">}</span><span class="s2">/oauth2/token`</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/x-www-form-urlencoded</span><span class="dl">"</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">({</span> <span class="na">grant_type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">client_credentials</span><span class="dl">"</span><span class="p">,</span> <span class="na">client_id</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">KINDE_M2M_CLIENT_ID</span><span class="o">!</span><span class="p">,</span> <span class="na">client_secret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">KINDE_M2M_CLIENT_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="na">audience</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">MCP_AUDIENCE</span><span class="o">!</span><span class="p">,</span> <span class="c1">// your MCP server's audience</span> <span class="na">scope</span><span class="p">:</span> <span class="dl">"</span><span class="s2">users:read data:read</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// only request what this agent needs</span> <span class="p">}),</span> <span class="p">}</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">tokenResponse</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">error</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">tokenResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Token request failed: </span><span class="p">${</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">error</span><span class="p">)}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">access_token</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">tokenResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">return</span> <span class="nx">access_token</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Then use the token in every MCP request</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">callMcpTool</span><span class="p">(</span><span class="nx">tool</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">params</span><span class="p">:</span> <span class="nx">object</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getAgentToken</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">https://mcp.yourapp.com/mcp</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Authorization</span><span class="dl">"</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="c1">// Kinde-issued JWT</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">jsonrpc</span><span class="p">:</span> <span class="dl">"</span><span class="s2">2.0</span><span class="dl">"</span><span class="p">,</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">tools/call</span><span class="dl">"</span><span class="p">,</span> <span class="na">params</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="nx">tool</span><span class="p">,</span> <span class="na">arguments</span><span class="p">:</span> <span class="nx">params</span> <span class="p">},</span> <span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="p">}),</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <p>Note: Tokens issued via client credentials are valid for one hour by default in Kinde. Agents should cache the token and only request a new one when it is close to expiry — not on every tool call. Check the <code>expires_in</code> field in the token response and refresh when there are 60 seconds or fewer remaining.</p> <h2> Step #5: Configure an OpenClaw Skill With Proper Auth </h2> <p>To connect a properly authenticated MCP server to an OpenClaw agent, you configure the skill in <code>openclaw.json</code> with the token endpoint details. Here is what a secure skill configuration looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"plugins"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"entries"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"my-secure-tool"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mcp"</span><span class="p">,</span><span class="w"> </span><span class="nl">"transport"</span><span class="p">:</span><span class="w"> </span><span class="s2">"streamable-http"</span><span class="p">,</span><span class="w"> </span><span class="nl">"url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://mcp.yourapp.com/mcp"</span><span class="p">,</span><span class="w"> </span><span class="nl">"auth"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"oauth2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"flow"</span><span class="p">:</span><span class="w"> </span><span class="s2">"client_credentials"</span><span class="p">,</span><span class="w"> </span><span class="nl">"token_endpoint"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://YOUR_DOMAIN.kinde.com/oauth2/token"</span><span class="p">,</span><span class="w"> </span><span class="nl">"client_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"your_m2m_client_id"</span><span class="p">,</span><span class="w"> </span><span class="nl">"client_secret_env"</span><span class="p">:</span><span class="w"> </span><span class="s2">"MY_TOOL_CLIENT_SECRET"</span><span class="p">,</span><span class="w"> </span><span class="nl">"audience"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://mcp.yourapp.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"scopes"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"users:read"</span><span class="p">,</span><span class="w"> </span><span class="s2">"data:read"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Note: <code>client_secret_env</code> points to an environment variable rather than embedding the secret inline — critical for anyone publishing skill configurations or committing them to version control. The secret itself lives in the environment, not in the config file.</p> <p>This configuration gives your agent the specific scopes it needs and nothing more. If someone performs a prompt injection attack via Moltbook and tries to get this agent to call <code>delete_user</code>, the token does not have the <code>users:delete</code> scope — the MCP server rejects the call before it can execute.</p> <h2> Putting It All Together </h2> <p>Here is the complete security architecture you have built:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────┐ │ Kinde │ │ │ │ M2M Application (Agent Identity) │ │ ├── Client ID: m2m_abc123 │ │ ├── Granted scopes: users:read, data:read │ │ └── NOT granted: users:write, users:delete, admin │ │ │ │ JWKS Endpoint: /well-known/jwks.json (public key verification) │ │ Token Endpoint: /oauth2/token (client credentials flow) │ └───────────────────────────────┬─────────────────────────────────┘ │ issues signed JWT (1hr TTL) │ with scopes: users:read data:read ▼ ┌─────────────────────────────────────────────────────────────────┐ │ Agent (OpenClaw) │ │ │ │ Holds JWT in memory (never stored on disk) │ │ Sends: Authorization: Bearer &lt;JWT&gt; on every MCP request │ └───────────────────────────────┬─────────────────────────────────┘ │ HTTPS POST /mcp │ Authorization: Bearer &lt;JWT&gt; ▼ ┌─────────────────────────────────────────────────────────────────┐ │ Secure MCP Server │ │ │ │ 1. authMiddleware: validates JWT signature via JWKS │ │ → checks issuer, audience, expiry │ │ │ │ 2. Per-tool scope check: requireScope("users:read") │ │ → tools/get_user ✓ (scope present) │ │ → tools/delete_user ✗ (scope missing → 401) │ │ │ │ 3. Audit log: agent ID, tool called, timestamp │ └─────────────────────────────────────────────────────────────────┘ </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fus3n8mdjusy3hbcep5xw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fus3n8mdjusy3hbcep5xw.png" alt="Clean visual version of the ASCII architecture above — showing Kinde (auth layer) on the left, Agent (OpenClaw) in the middle, Secure MCP Server on the right. Arrows show the token flow. The scope check at the tool boundary is highlighted." width="800" height="274"></a></p> <p>The security properties you now have that OpenClaw's default Skills did not:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Property</th> <th>Insecure MCP (OpenClaw default)</th> <th>Secure MCP (with Kinde)</th> </tr> </thead> <tbody> <tr> <td><strong>Agent identity</strong></td> <td>Anonymous / shared API key</td> <td>Cryptographic JWT (<code>sub</code> claim = M2M app ID)</td> </tr> <tr> <td><strong>Token forgability</strong></td> <td>API key can be shared/leaked</td> <td>RS256 JWT signed by Kinde — cannot be forged</td> </tr> <tr> <td><strong>Tool-level permissions</strong></td> <td>All tools accessible to all callers</td> <td>Per-tool scope enforcement</td> </tr> <tr> <td><strong>Prompt injection blast radius</strong></td> <td>Agent can call any tool if injected</td> <td>Injected instruction can only call scoped tools</td> </tr> <tr> <td><strong>Token expiry</strong></td> <td>API keys never expire</td> <td>1-hour TTL — breach window is bounded</td> </tr> <tr> <td><strong>Revocation</strong></td> <td>Must rotate key for all agents</td> <td>Revoke one M2M app, others unaffected</td> </tr> <tr> <td><strong>Audit trail</strong></td> <td>None</td> <td>Agent ID + scope logged on every tool call</td> </tr> </tbody> </table></div> <h2> Testing Your Security Layer </h2> <p>Before deploying, verify these four scenarios:</p> <p><strong>Test 1 — Valid token, allowed scope.</strong> Call <code>get_user</code> with a token that has <code>users:read</code>. You should receive the user data. This confirms the happy path works.</p> <p><strong>Test 2 — Valid token, insufficient scope.</strong> Call <code>delete_user</code> with a token that only has <code>users:read</code>. You should receive a 401 with a message like "Insufficient permissions. Required: users:delete." This confirms scope enforcement works.</p> <p><strong>Test 3 — Expired token.</strong> Manually modify the <code>exp</code> claim of a token or wait for it to expire, then attempt a call. You should receive a 401 with a JWT expiry error. This confirms token lifecycle enforcement works.</p> <p><strong>Test 4 — Wrong audience.</strong> Use a token issued for a different API (different <code>aud</code> claim) and attempt a call to your MCP server. You should receive a 401 with an audience mismatch error. This confirms that token passthrough attacks are blocked.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test 2 example — calling a tool without the required scope</span> curl <span class="nt">-X</span> POST https://your-mcp-server.com/mcp <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$READ_ONLY_TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{ "jsonrpc": "2.0", "method": "tools/call", "params": { "name": "delete_user", "arguments": { "user_id": "usr_123", "reason": "Test deletion attempt" } }, "id": 1 }'</span> <span class="c"># Expected response:</span> <span class="c"># HTTP 401 Unauthorized</span> <span class="c"># { "error": "unauthorized", "message": "Insufficient permissions. Required: users:delete. Token has: users:read" }</span> </code></pre> </div> <p>Amazing! Your MCP server is now hardened against the attack patterns that took down OpenClaw deployments and turned Moltbook into a security incident.</p> <h2> Conclusion </h2> <p>In this article, you built a secure MCP server with scoped, tool-level authentication — the approach that the OpenClaw and Moltbook incidents showed was critically missing from most agentic AI deployments. Your server now knows who every connecting agent is, what they are allowed to do, and rejects anything outside those boundaries at the tool boundary before execution.</p> <p>The key insight from Kinde's own MCP server — shipped in January 2026 as a working reference implementation — is that security for AI agents is not fundamentally different from security for any other kind of software. M2M identities, scoped tokens, short TTLs, and JWT validation are not new concepts. What is new is applying them consistently to MCP servers, which the ecosystem has been slow to do.</p> <p>Agentic AI is not going away. OpenClaw proved that. The question is whether the infrastructure it runs on is built securely. That starts with the MCP server you control.</p> <p><a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=9&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde is free</a> for up to 10,500 monthly active users, no credit card required. Create your account at <a href="https://kinde.com" rel="noopener noreferrer">kinde.com</a> and start treating your agents as the production infrastructure they are.</p> kinde ai mcp agents Shola Jegede Sat, 21 Mar 2026 23:40:03 +0000 https://dev.to/sholajegede/stop-treating-ai-agents-like-users-why-your-auth-model-needs-a-new-layer-for-non-human-identities-57ni https://dev.to/sholajegede/stop-treating-ai-agents-like-users-why-your-auth-model-needs-a-new-layer-for-non-human-identities-57ni <p><em>Your auth system was built for humans. AI agents are not humans. Something has to give.</em></p> <p>In this article, you will learn:</p> <ul> <li>Why the traditional user auth model breaks down for AI agents</li> <li>What non-human identities are and why they need their own auth layer</li> <li>The difference between global and org-scoped machine identity</li> <li>How the OAuth 2.0 client credentials flow works for non-human callers</li> <li>How to use Kinde M2M applications to authenticate AI agents properly</li> <li>How to scope agent access to a specific tenant using org-scoped M2M apps</li> <li>The biggest security mistakes developers make when adding agent auth and how to avoid them</li> </ul> <p>Let's dive in!</p> <h2> The Problem Nobody Warned You About </h2> <p>You shipped auth. Users can sign up, sign in, and get sessions. You followed the OAuth flow, you set up JWTs, you protected your routes. Everything works.</p> <p>Then someone on your team says: "We're adding an AI agent that acts on behalf of users."</p> <p>And suddenly you have a question your auth system was never designed to answer: how do you authenticate something that has no browser, no session, no email address, and no ability to type in a password?</p> <p>The lazy answer is to create a fake user account for the agent. Give it an email like <code>agent@yourapp.com</code>, hand it a password, and call it done. It works — until it becomes a security nightmare. You have an account with full user-level access, no MFA, credentials that never rotate, and no audit trail that distinguishes what the agent did from what a real user did. That is not an auth model. That is a ticking clock.</p> <p>The real answer is that AI agents are not users. They are non-human identities. They need their own authentication layer, their own token type, their own scopes, and their own access boundaries. And in 2026, with AI agents becoming a core part of SaaS products, getting this right is no longer optional.</p> <p>Here is what that looks like in practice, and how <a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=8&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde's M2M</a> application system handles it properly.</p> <h2> What Is a Non-Human Identity? </h2> <p>A non-human identity (NHI) is any software principal that needs to authenticate and call APIs without a human being directly involved in the auth flow. In the context of modern SaaS products, non-human identities include things like backend services, CI/CD pipelines, scheduled jobs, microservices, and — increasingly — AI agents.</p> <p>What all of these have in common is that they cannot participate in an interactive auth flow. There is no redirect. There is no browser. There is no one sitting at a keyboard to enter a verification code. A human auth flow is fundamentally the wrong tool for the job.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flmyuynfucw7qvduzu2pm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flmyuynfucw7qvduzu2pm.png" alt="Side-by-side comparison — Human auth flow (Browser → Login page → Redirect → Token) vs Non-human auth flow (Service → Token endpoint → Token)." width="800" height="622"></a></p> <p>The problem is that most auth systems — and most developer mental models — were built around human identities first. Non-human auth was bolted on later, often improperly, as an afterthought.</p> <h2> Why the Fake User Approach Fails </h2> <p>Before getting into the right solution, it is worth being specific about why the fake user workaround is dangerous. These are not theoretical risks.</p> <p><strong>Over-permissioned by default.</strong> A user account typically has all the permissions of a regular user. For an AI agent that only needs to read data from one endpoint and write to another, that is massive over-permission. Least-privilege is the foundational principle of access control, and fake user accounts violate it immediately.</p> <p><strong>No credential rotation.</strong> User passwords are designed to be long-lived and human-memorable. They are not designed to be rotated on a schedule the way service credentials should be. In practice, the fake user's password never changes, which means a leaked credential is a permanent breach.</p> <p><strong>No audit trail separation.</strong> When an agent operating as <code>agent@yourapp.com</code> makes a write operation, your logs show a user action. You cannot distinguish agent activity from human activity. Debugging becomes a nightmare, compliance becomes impossible, and incident response becomes guesswork.</p> <p><strong>Sessions and cookies do not make sense.</strong> User auth produces sessions tied to browsers. Agents do not have browsers. They do not maintain state across requests the same way users do. Forcing them through a session-based flow creates fragile plumbing that breaks under load or on token expiry.</p> <p><strong>MFA breaks the whole thing.</strong> If you ever enforce MFA for user accounts — and you should — your fake agent account will be locked out the moment MFA is required. Either you exempt it, which creates a security hole, or you break your automation.</p> <h2> The Right Mental Model: Machine-to-Machine Authentication </h2> <p>The correct solution has existed in the OAuth 2.0 specification for years. It is called the client credentials flow, and it is specifically designed for non-human identities authenticating without user involvement.</p> <p>Instead of a user logging in with credentials, a machine authenticates using a <code>client_id</code> and <code>client_secret</code>. It sends those credentials directly to the token endpoint and receives an access token in return. No redirects. No browser. No session. Just a token that the machine can use to call APIs on its own behalf.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff75bm6e0z1f9zgqnluda.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff75bm6e0z1f9zgqnluda.png" alt="Client credentials flow — Machine sends client_id + client_secret to Token endpoint → receives Access Token → calls API with Bearer token." width="800" height="293"></a></p> <p>The access token issued through the client credentials flow is structurally different from a user token. It does not have a <code>sub</code> claim representing a user. It does not expire into a refresh token cycle the way user sessions do. It is scoped to the capabilities of the machine application, not the permissions of a specific person. This distinction is crucial.</p> <p>In Kinde, this pattern is implemented through <strong>M2M applications</strong> — Machine-to-Machine applications. An M2M application is a registered identity in Kinde with its own <code>client_id</code> and <code>client_secret</code>, its own set of API scopes, and its own token. It is the right primitive for any non-human caller: a CI/CD pipeline, a backend service, an automation script, or an AI agent.</p> <h2> Two Types of Machine Identity in Kinde </h2> <p><a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=8&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde</a> supports two types of M2M applications, and understanding the difference is important for building the right auth model for your product.</p> <h3> Global M2M Applications </h3> <p>A global M2M application is not tied to any specific organization in your Kinde setup. It operates across your entire tenant space. This makes it suitable for internal tooling, admin automation, infrastructure scripts, and anything that needs to operate at the system level rather than within a specific customer's context.</p> <p>A typical use case is a CI/CD pipeline that needs to call the Kinde Management API to create users, update flags, or deploy configuration changes across all of your organizations. It does not need to be scoped to one tenant — it needs cross-tenant access, and a global M2M app provides exactly that.</p> <h3> Org-Scoped M2M Applications </h3> <p>An org-scoped M2M application is tied to a specific organization — a specific tenant — in your Kinde setup. Tokens issued to this app automatically include the <code>org_code</code> claim, which enforces that all API calls made by this machine identity are restricted to that organization's context.</p> <p>This is the right pattern for AI agents acting on behalf of a specific customer. If Acme Corp has an AI agent that reads their data, writes to their workspace, and takes actions in their context, that agent should not have any access to the data or context of Beta Inc. Org-scoped M2M applications enforce this boundary at the token level — before your API even has to think about it.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhnmksyvij8wb7mb2tw0c.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhnmksyvij8wb7mb2tw0c.png" alt="Two-column comparison — Global M2M (one key, access to all orgs, used for admin/infra) vs Org-scoped M2M (one key per org, access locked to org_code, used for per-tenant agents)." width="800" height="633"></a></p> <p>Note: Org-scoped M2M applications are available on the Kinde Plus and Kinde Scale plans.</p> <h2> Global vs Org-Scoped M2M: At a Glance </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Global M2M App</th> <th>Org-Scoped M2M App</th> </tr> </thead> <tbody> <tr> <td>Org context in token</td> <td>No</td> <td>Yes (<code>org_code</code> claim)</td> </tr> <tr> <td>Tenant data isolation</td> <td>Manual (your API must enforce it)</td> <td>Enforced at token issuance</td> </tr> <tr> <td>Best for</td> <td>Admin scripts, internal automation, infra</td> <td>Per-tenant AI agents, scoped APIs</td> </tr> <tr> <td>Token restrictions</td> <td>None</td> <td>Scoped to one organization</td> </tr> <tr> <td>Credential rotation</td> <td>Manual, in Kinde dashboard</td> <td>Manual, in Kinde dashboard</td> </tr> <tr> <td>Available on</td> <td>All plans</td> <td>Kinde Plus and Scale</td> </tr> </tbody> </table></div> <h2> How the Client Credentials Flow Works in Kinde </h2> <p>When an M2M application needs to call an API, it follows the OAuth 2.0 client credentials flow. Here is exactly what that looks like in code.</p> <h3> Step #1: Request a Token </h3> <p>The machine application sends a <code>POST</code> request to your Kinde domain's token endpoint. It authenticates with its <code>client_id</code> and <code>client_secret</code> and requests the scopes it needs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">--request</span> POST <span class="se">\</span> <span class="nt">--url</span> https://YOUR_KINDE_DOMAIN.kinde.com/oauth2/token <span class="se">\</span> <span class="nt">--header</span> <span class="s1">'Content-Type: application/x-www-form-urlencoded'</span> <span class="se">\</span> <span class="nt">--data</span> <span class="nv">grant_type</span><span class="o">=</span>client_credentials <span class="se">\</span> <span class="nt">--data</span> <span class="nv">client_id</span><span class="o">=</span>YOUR_M2M_CLIENT_ID <span class="se">\</span> <span class="nt">--data</span> <span class="nv">client_secret</span><span class="o">=</span>YOUR_M2M_CLIENT_SECRET <span class="se">\</span> <span class="nt">--data</span> <span class="nv">audience</span><span class="o">=</span>https://YOUR_KINDE_DOMAIN.kinde.com/api <span class="se">\</span> <span class="nt">--data</span> <span class="nv">scope</span><span class="o">=</span><span class="nb">read</span>:users write:flags </code></pre> </div> <p>Note: Replace <code>YOUR_KINDE_DOMAIN</code>, <code>YOUR_M2M_CLIENT_ID</code>, and <code>YOUR_M2M_CLIENT_SECRET</code> with the values from your Kinde dashboard.</p> <h3> Step #2: Receive the Access Token </h3> <p>Kinde responds with an access token:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"access_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"token_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"bearer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"expires_in"</span><span class="p">:</span><span class="w"> </span><span class="mi">86400</span><span class="p">,</span><span class="w"> </span><span class="nl">"scope"</span><span class="p">:</span><span class="w"> </span><span class="s2">"read:users write:flags"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>For an org-scoped M2M app, the decoded token payload will also include the <code>org_code</code> claim:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://YOUR_KINDE_DOMAIN.kinde.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"YOUR_M2M_CLIENT_ID"</span><span class="p">,</span><span class="w"> </span><span class="nl">"aud"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"https://YOUR_KINDE_DOMAIN.kinde.com/api"</span><span class="p">],</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1234567890</span><span class="p">,</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">1234567890</span><span class="p">,</span><span class="w"> </span><span class="nl">"scope"</span><span class="p">:</span><span class="w"> </span><span class="s2">"read:users write:flags"</span><span class="p">,</span><span class="w"> </span><span class="nl">"org_code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"org_abc123"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The <code>org_code</code> claim is embedded at token issuance time and cannot be modified. Your API can trust it completely.</p> <h3> Step #3: Call Your API with the Token </h3> <p>The agent uses the access token as a Bearer token in subsequent API calls:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Node.js example — calling your API as an M2M client</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">https://api.yourapp.com/v1/users</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">GET</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="c1">// pass the M2M token as a Bearer token</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">accessToken</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> </code></pre> </div> <h3> Step #4: Verify the Token on Your API </h3> <p>Your API receives the token and verifies it. For an org-scoped M2M app, you can trust the <code>org_code</code> claim directly from the verified token to enforce tenant isolation without any additional lookup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Express.js middleware — verifying and using the org_code from an M2M token</span> <span class="k">import</span> <span class="nx">jwt</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">jsonwebtoken</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">jwksClient</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">jwks-rsa</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="nf">jwksClient</span><span class="p">({</span> <span class="na">jwksUri</span><span class="p">:</span> <span class="s2">`https://YOUR_KINDE_DOMAIN.kinde.com/.well-known/jwks.json`</span><span class="p">,</span> <span class="p">});</span> <span class="kd">function</span> <span class="nf">getKey</span><span class="p">(</span><span class="nx">header</span><span class="p">,</span> <span class="nx">callback</span><span class="p">)</span> <span class="p">{</span> <span class="nx">client</span><span class="p">.</span><span class="nf">getSigningKey</span><span class="p">(</span><span class="nx">header</span><span class="p">.</span><span class="nx">kid</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">key</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">signingKey</span> <span class="o">=</span> <span class="nx">key</span><span class="p">.</span><span class="nf">getPublicKey</span><span class="p">();</span> <span class="nf">callback</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="nx">signingKey</span><span class="p">);</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">verifyM2MToken</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">authHeader</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">"</span><span class="s2">authorization</span><span class="dl">"</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">authHeader</span> <span class="o">&amp;&amp;</span> <span class="nx">authHeader</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">"</span><span class="s2"> </span><span class="dl">"</span><span class="p">)[</span><span class="mi">1</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">No token provided</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span> <span class="nx">token</span><span class="p">,</span> <span class="nx">getKey</span><span class="p">,</span> <span class="p">{</span> <span class="na">audience</span><span class="p">:</span> <span class="dl">"</span><span class="s2">https://YOUR_KINDE_DOMAIN.kinde.com/api</span><span class="dl">"</span><span class="p">,</span> <span class="na">issuer</span><span class="p">:</span> <span class="dl">"</span><span class="s2">https://YOUR_KINDE_DOMAIN.kinde.com</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">decoded</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid token</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// org_code is now trusted and available — no additional lookup needed</span> <span class="nx">req</span><span class="p">.</span><span class="nx">orgCode</span> <span class="o">=</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">org_code</span><span class="p">;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">scopes</span> <span class="o">=</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">scope</span> <span class="p">?</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">scope</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">"</span><span class="s2"> </span><span class="dl">"</span><span class="p">)</span> <span class="p">:</span> <span class="p">[];</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Use in a route to enforce org isolation</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/v1/users</span><span class="dl">"</span><span class="p">,</span> <span class="nx">verifyM2MToken</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// All queries are automatically scoped to this organization</span> <span class="kd">const</span> <span class="nx">users</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">users</span><span class="p">.</span><span class="nf">findAll</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">org_code</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">orgCode</span> <span class="p">},</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">users</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>Wonderful! Your API now enforces tenant isolation based entirely on what is in the verified token — no additional queries, no custom middleware logic, no trust-but-verify gymnastics.</p> <h2> Setting Up an M2M Application in Kinde </h2> <h3> Creating a Global M2M Application </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuu3p7j0eqodelb82nzpy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuu3p7j0eqodelb82nzpy.png" alt="Kinde dashboard — Settings &gt; Applications &gt; Add application, with " width="800" height="502"></a></p> <ol> <li>In your Kinde dashboard, navigate to <strong>Settings</strong> → <strong>Applications</strong>.</li> <li>Select <strong>Add application</strong>.</li> <li>Give your application a name — something descriptive like <code>"Reporting Pipeline"</code> or <code>"Internal Automation Agent"</code>.</li> <li>Select <strong>Machine to machine</strong> as the application type.</li> <li>Select <strong>Save</strong>.</li> </ol> <p>Kinde generates a <code>client_id</code> and <code>client_secret</code> for your new application. Save the secret immediately — it is only shown once.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F25bv0wpxpouym3w9geh1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F25bv0wpxpouym3w9geh1.png" alt="The newly created M2M application's detail page in Kinde, showing the client_id and client_secret fields with the " width="800" height="502"></a></p> <h3> Assigning Scopes to the M2M Application </h3> <p>Before your M2M application can call any API, you need to assign the scopes it is permitted to request. Scopes define the boundaries of what the token can do.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffjn8nbg9vltkvny6xgv0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffjn8nbg9vltkvny6xgv0.png" alt="M2M application detail page — the " width="800" height="502"></a></p> <p>Navigate to the <strong>APIs</strong> section of your M2M application and select the APIs the application needs access to. For each API, choose only the scopes genuinely required by the agent. A reporting agent that only reads data should have <code>read:reports</code>, not <code>write:reports</code> or <code>delete:reports</code>. Least privilege applies here just as much as it does for users.</p> <h3> Creating an Org-Scoped M2M Application </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F186czcebzvmcjsotba3p.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F186czcebzvmcjsotba3p.png" alt="Kinde dashboard — Organizations &gt; [specific org] &gt; M2M apps tab, showing the " width="800" height="502"></a></p> <ol> <li>In your Kinde dashboard, navigate to <strong>Organizations</strong>.</li> <li>Select the organization you want to scope the M2M app to.</li> <li>Select the <strong>M2M apps</strong> tab.</li> <li>Enter a name for the application — for example, <code>"Acme Corp AI Agent"</code>.</li> <li>Select <strong>M2M application</strong> as the type.</li> <li>Select <strong>Save</strong>.</li> </ol> <p>Kinde generates a <code>client_id</code> and <code>client_secret</code> tied specifically to that organization. Tokens issued with these credentials will automatically include the <code>org_code</code> claim set to that organization's code.</p> <h2> A Real-World Scenario: Per-Tenant AI Agent </h2> <p>Here is a concrete scenario to make this tangible. You are building a B2B SaaS product with an AI feature that automatically summarizes activity for each customer's workspace. The agent needs to read data from your API, process it, and write a summary back.</p> <p>Without org-scoped M2M, your agent either has global access (dangerous) or you build custom tenant-checking middleware on every endpoint (fragile). With org-scoped M2M in Kinde, each customer's agent gets its own set of credentials that are cryptographically tied to their organization. The token tells your API exactly which tenant it belongs to, and your API can trust that claim without any additional work.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsu20mz2qcim9by2z2g28.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsu20mz2qcim9by2z2g28.png" alt="Multi-tenant agent architecture — three organization boxes (Acme Corp, Beta Inc, Gamma Ltd), each with their own M2M credentials, each token carrying org_code, all hitting the same API endpoint which enforces isolation based on org_code from the token. No cross-org access possible" width="800" height="332"></a></p> <p>The full flow for this scenario looks like:</p> <ol> <li>On onboarding, create an org-scoped M2M application for the new customer's organization in Kinde.</li> <li>Store the <code>client_id</code> and <code>client_secret</code> securely (environment variables, secrets manager, etc.).</li> <li>When the agent needs to act, it requests a token using the client credentials flow.</li> <li>It calls your API with the token as a Bearer header.</li> <li>Your API verifies the token, extracts <code>org_code</code>, and scopes all database queries to that organization.</li> <li>The agent can never access another tenant's data, even if its credentials were somehow leaked — because the token itself is bound to one org.</li> </ol> <h2> What About Kinde's MCP Server? </h2> <p>In January 2026, Kinde shipped an MCP (Model Context Protocol) server. This lets AI agents and AI tools connect to Kinde directly using the MCP protocol — which is rapidly becoming the standard interface for AI-to-tool communication.</p> <p>What this means in practice is that AI agents using MCP-compatible frameworks (like Claude Code, Cursor, or any agent built on an MCP client library) can interact with Kinde's management capabilities — creating users, managing organizations, checking permissions, and more — through a standardized tool interface rather than raw API calls.</p> <p>For teams building AI-native products, this is a big deal. Instead of writing custom integration code to give your agent access to Kinde's capabilities, you can connect it via the MCP server and let it use those capabilities as native tools.</p> <p>The MCP server and M2M applications complement each other. M2M handles the authentication layer — proving the agent's identity and authorizing its access. The MCP server handles the interface layer — giving the agent a structured way to use Kinde's functionality once it is authenticated.</p> <h2> Security Best Practices for M2M Auth </h2> <p>There are a few principles that are non-negotiable when running machine identities in production.</p> <p><strong>One M2M application per service.</strong> Do not share credentials across multiple agents or services. If one service is compromised, its credentials can be revoked without affecting anything else. Shared credentials mean shared blast radius.</p> <p><strong>Minimum necessary scopes.</strong> Every M2M application should be granted only the scopes it genuinely needs to do its job. An agent that reads data should not have write access. An agent that writes to one resource should not have write access to all resources. Define your API scopes granularly and assign them carefully.</p> <p><strong>Rotate client secrets on a schedule.</strong> Client secrets are long-lived credentials and they should be rotated periodically. Kinde provides secret rotation directly in the dashboard. Build secret rotation into your operational runbook and do not treat it as optional.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffda8ldjtvt3wnvj9isky.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffda8ldjtvt3wnvj9isky.png" alt="Kinde dashboard — Application details page showing the " width="800" height="502"></a></p> <p><strong>Never put client secrets in client-side code.</strong> M2M credentials authenticate a service, not a user. They must live server-side — in environment variables, in a secrets manager, in a secure deployment config. Putting them anywhere that gets shipped to a browser is an immediate credential leak.</p> <p><strong>Track <code>client_id</code> and <code>org_code</code> in your logs.</strong> When an M2M token is used to call your API, log the <code>client_id</code> alongside the <code>org_code</code>. This gives you a clean audit trail that distinguishes what each agent did, in which tenant's context, at what time. When something goes wrong — and eventually something will — this makes debugging and incident response dramatically faster.</p> <p><strong>Token expiry is your friend.</strong> M2M tokens expire. Do not try to cache them indefinitely. Let them expire and re-request as needed. Short expiry windows limit the blast radius of a leaked token significantly. Kinde issues M2M tokens with configurable expiry — keep it as short as your use case allows.</p> <h2> Conclusion </h2> <p>In this article, you learned why the traditional user auth model breaks down for AI agents, what non-human identities are and why they need their own auth layer, and how the OAuth 2.0 client credentials flow provides the right foundation for machine authentication. You also saw how Kinde's M2M applications implement this properly — with global apps for internal tooling and org-scoped apps for per-tenant AI agents that enforce isolation at the token level.</p> <p>The shift to AI-native products is not slowing down. Every SaaS product built in 2026 is adding or planning to add agent capabilities. The teams that get non-human identity right from the beginning are the ones that avoid the security incidents, the audit nightmares, and the architectural rewrites that come from bolting fake user accounts onto a system that was never designed for them.</p> <p>Kinde gives you the primitives to do this properly from day one. <a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=8&amp;device=&amp;adposition=" rel="noopener noreferrer">Create a free Kinde account</a> and start building your M2M auth layer today.</p> webdev kinde ai auth Shola Jegede Tue, 10 Mar 2026 08:14:08 +0000 https://dev.to/sholajegede/building-a-live-ai-market-research-terminal-how-bright-data-and-convex-replace-polling-with-mm https://dev.to/sholajegede/building-a-live-ai-market-research-terminal-how-bright-data-and-convex-replace-polling-with-mm <p>Most AI tools fall apart at the same point: making sure the output is grounded in what's happening right now, not what the model was trained on months ago.</p> <p><a href="https://brightdata.com" rel="noopener noreferrer">Bright Data</a> built an open-source demo that solves this. It's called the <a href="https://demos.brightdata.com/market-terminal" rel="noopener noreferrer">Signal Terminal</a>, a financial research tool built around that problem.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzt9ly527zi2yad16kq3b.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzt9ly527zi2yad16kq3b.png" alt="The Signal Terminal homepage. Showing a clean search interface with the " width="800" height="445"></a></p> <h2> Why This Tool Exists </h2> <p><a href="https://www.linkedin.com/in/hello-agents" rel="noopener noreferrer">Meir Kadosh</a> is an AI Engineer at Bright Data, and he kept noticing the same thing happening with financial customers. They would pull Google search results, pass them to an LLM, scrape the relevant pages for deeper context, and try to piece together why a stock had moved. The pipeline was almost identical every time. Different teams, same use case, everyone rebuilding from scratch.</p> <p>So Meir built the canonical version — an open-source reference architecture that financial customers can use directly and developers can build on.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx5m5o5buz9bi0szrhr9j.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx5m5o5buz9bi0szrhr9j.png" alt="An image of a completed research run. Shows the full dashboard with Breaking Tape, Evidence Map, and Sources panel visible" width="800" height="500"></a></p> <h2> What Happens When You Ask a Question </h2> <p>Type <em>"Why did Nvidia's stock drop today?"</em> and the app runs a structured pipeline:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>plan → search → scrape → extract → link → cluster → render </code></pre> </div> <p>Each stage is visible and each source is attributed.</p> <p>The planning stage comes first. The model generates specific search angles based on the question: what to look for, how recent, which categories of signals matter, things like macro events, earnings surprises, analyst actions, and news catalysts.</p> <p>Then Bright Data's SERP API fires across Google and returns structured JSON for the most relevant sources in under a second. For pages that need deeper analysis, Bright Data's Web Unlocker fetches the full content as clean Markdown, handling the sites that block standard scrapers.</p> <p>From there the LLM pulls named entities, causal relationships, and key figures from the content, those entities get connected into an evidence graph, related signals cluster into narrative themes, and everything surfaces in a live multi-panel dashboard.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv6y5mps9jvlrhtbpk37q.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv6y5mps9jvlrhtbpk37q.png" alt="An image of the evidence map in graph mode. Shows nodes and edges connecting entities, sources, and narratives" width="800" height="491"></a></p> <p>The evidence map shows exactly which sources contributed which claims, how they connect to each other, and which narratives the evidence actually supports.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvs43p568uc7p4ww9veoi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvs43p568uc7p4ww9veoi.png" alt="An image of the evidence map in flow mode." width="800" height="500"></a></p> <h2> Two Paths, Depending on What You Need </h2> <p>Not every query needs the same depth.</p> <p>The fast path uses SERP results only. Bright Data's SERP API returns structured JSON for each result (URL, description, position) and that passes directly to the LLM. Standard SERP delivers in 1-2 seconds, and with Bright Data's premium infrastructure, complete results come back in under one second. For real-time chat interfaces where latency is the whole point, this is the right path.</p> <p>The deep path, which Meir calls <strong>"search and extract"</strong> internally, adds a second layer. After SERP identifies the relevant sources, Web Unlocker fetches each page's full content as clean Markdown, which then goes to the LLM for extraction and analysis. It takes longer, but for a full research run where completeness matters more than speed, that tradeoff makes sense.</p> <p>The SERP route maps the incoming format param to Bright Data's format string and fires the request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/serp/route.ts</span> <span class="kd">const</span> <span class="nx">results</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">brightDataSerpGoogle</span><span class="p">({</span> <span class="na">query</span><span class="p">:</span> <span class="nx">parsed</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">q</span><span class="p">,</span> <span class="na">format</span><span class="p">:</span> <span class="nx">format</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">full</span><span class="dl">'</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">full_json_google</span><span class="dl">'</span> <span class="p">:</span> <span class="nx">format</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">markdown</span><span class="dl">'</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">markdown</span><span class="dl">'</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">light_json_google</span><span class="dl">'</span><span class="p">,</span> <span class="nx">vertical</span><span class="p">,</span> <span class="c1">// 'web' | 'news'</span> <span class="nx">recency</span><span class="p">,</span> <span class="c1">// 'h' | 'd' | 'w' | 'm' | 'y'</span> <span class="p">});</span> </code></pre> </div> <p>The token is <code>BRIGHTDATA_API_TOKEN</code> (with <code>API_TOKEN</code> as fallback). The SERP zone resolves through <code>BRIGHTDATA_SERP_ZONE</code> then <code>BRIGHTDATA_SERP_ZONE_NAME</code>, falling back to the Web Unlocker zone if neither is set. The Web Unlocker zone has its own resolution chain, defaulting to <code>mcp_unlocker</code> if nothing is configured.</p> <h2> Why Bright Data and Not Something Else </h2> <p>If you've built a scraper before, you already know how this story goes. It works locally. You deploy it. It gets blocked. You add proxy rotation and now some sites work, but LinkedIn doesn't, and Reddit doesn't, and when you look up how to handle TLS fingerprinting you're suddenly two weeks deep into a rabbit hole that has nothing to do with your actual product.</p> <p>Getting clean data from LinkedIn, Reddit, X, and TikTok means solving years of adversarial engineering: TLS fingerprinting, browser fingerprinting, behavioral analysis, rotating CAPTCHAs. Web Unlocker handles all of that. The platforms that reliably block everything else.</p> <p>Coverage spans seven major search engines and 195 countries with city-level targeting, so the results reflect what someone in a specific location actually sees.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F01kqwkjb8fpnoasucy7q.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F01kqwkjb8fpnoasucy7q.png" alt="An image showing Bright Data's SERP API documentation showing the sub-second response time for premium infrastructure" width="800" height="500"></a></p> <h2> The Part Most Developers Skip </h2> <p>There's a failure mode that shows up constantly in LLM pipelines built on web data. You fetch a full page, pass it to the model, and the output is worse than you expected. The instinct is to blame the model. Usually the model is fine. The context is the problem.</p> <p>A full webpage is mostly noise. Navigation menus, cookie banners, author bios, related articles, advertisement slots. All of that lands in the context window alongside the three paragraphs that actually matter to your query. Flooding the model with irrelevant tokens makes the output worse, drives up token costs, and gives the model more surface area to hallucinate from.</p> <p>The Signal Terminal handles this with a reflection stage that runs between fetching and analysing. Before the main analysis call, an extraction step strips everything irrelevant from the Markdown. Only the facts, named entities, causal statements, and figures directly related to the original query reach the analysis model.</p> <p>Each stage has a dedicated prompt-builder function. The summarization stage looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/prompts/signal-terminal.ts</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">buildSignalTerminalSummariesPrompt</span><span class="p">({</span> <span class="nx">topic</span><span class="p">,</span> <span class="nx">evidenceExcerpts</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">system</span> <span class="o">=</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">You are a market news summarizer for active traders.</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Use only the provided excerpts; do not invent facts.</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">If an excerpt is low-signal (navigation/menus/price page), omit it.</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Return strict JSON only.</span><span class="dl">'</span><span class="p">,</span> <span class="p">].</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="se">\n</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">`Topic: </span><span class="p">${</span><span class="nx">topic</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Evidence excerpts (JSON):</span><span class="dl">'</span><span class="p">,</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">evidenceExcerpts</span><span class="p">),</span> <span class="dl">''</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Return JSON: { items: [{ id, bullets: string[2..5], entities?, catalysts?, sentiment?, confidence? }] }</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">- Write for traders: prefer concrete nouns, numbers, and named actors.</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">- Sentiment: "bullish" | "bearish" | "mixed" | "neutral" — reflect the excerpt, not your opinion.</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">- Confidence: 0..1 based on excerpt specificity (dates/numbers/attribution increases confidence).</span><span class="dl">'</span><span class="p">,</span> <span class="p">].</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="se">\n</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">system</span><span class="p">,</span> <span class="nx">user</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>Every stage has its own function like this: planning, impact graph expansion, chat. The model never gets a freeform prompt and a wall of raw text. It gets a tightly scoped system instruction, a JSON payload of curated evidence, and a strict output schema. The analysis model cannot fabricate beyond what it's been given.</p> <h2> Where Convex Comes In </h2> <p>Once Bright Data has acquired the evidence, it needs somewhere to go that can stream each pipeline stage to the UI as it completes, persist the results for follow-up queries, and stay fast enough that the interface actually feels live.</p> <p>Meir’s first choice for this layer was Supabase. He switched to Convex because the latency difference in the real-time chat experience was noticeable enough to change the stack.</p> <p>Relational databases have no built-in reactivity. If you want to know when something changes, you build it yourself — polling, pub/sub servers, WebSocket management layered on top of your existing stack.</p> <p><a href="https://www.convex.dev" rel="noopener noreferrer">Convex</a> tracks the data dependencies of every active query, and the moment any of those dependencies change, it reruns the affected query and pushes the updated result to every subscribed client over a persistent WebSocket. For a pipeline that executes in sequential stages, you want the frontend to reflect each stage as it lands, not on the next poll cycle.</p> <p>Beyond reactivity, Convex brought two things that would have required separate infrastructure elsewhere: full-text search built into the database, and a transactional scheduler for TTL cleanup. No cron jobs, no external queue, no search service.</p> <p>Convex ends up serving three distinct roles in the Signal Terminal.</p> <h3> Role 1: Streaming Pipeline Events in Real Time </h3> <p>Each stage of the pipeline writes its results to Convex the moment it completes, and the frontend subscribes with a single <code>useQuery</code> hook.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// convex/schema.ts</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">defineSchema</span><span class="p">({</span> <span class="na">sessions</span><span class="p">:</span> <span class="nf">defineTable</span><span class="p">({</span> <span class="na">sessionId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">topic</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">status</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">step</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">progress</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">float64</span><span class="p">(),</span> <span class="na">meta</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">optional</span><span class="p">(</span><span class="nx">v</span><span class="p">.</span><span class="nf">any</span><span class="p">()),</span> <span class="p">})</span> <span class="p">.</span><span class="nf">index</span><span class="p">(</span><span class="dl">"</span><span class="s2">by_sessionId</span><span class="dl">"</span><span class="p">,</span> <span class="p">[</span><span class="dl">"</span><span class="s2">sessionId</span><span class="dl">"</span><span class="p">])</span> <span class="p">.</span><span class="nf">searchIndex</span><span class="p">(</span><span class="dl">"</span><span class="s2">search_topic</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">searchField</span><span class="p">:</span> <span class="dl">"</span><span class="s2">topic</span><span class="dl">"</span> <span class="p">}),</span> <span class="na">sessionEvents</span><span class="p">:</span> <span class="nf">defineTable</span><span class="p">({</span> <span class="na">sessionId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">type</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">payload</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">any</span><span class="p">(),</span> <span class="p">}).</span><span class="nf">index</span><span class="p">(</span><span class="dl">"</span><span class="s2">by_sessionId</span><span class="dl">"</span><span class="p">,</span> <span class="p">[</span><span class="dl">"</span><span class="s2">sessionId</span><span class="dl">"</span><span class="p">]),</span> <span class="p">});</span> </code></pre> </div> <p>The server writes an event every time a stage completes: <code>search.partial</code>, <code>evidence</code>, <code>graph</code>, <code>clusters</code>. The client sees it the moment it lands. No polling interval to tune, no missed transitions.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F20p27iqw426yyeuambw8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F20p27iqw426yyeuambw8.png" alt="An image of the Breaking Tape panel updating in real time as each pipeline stage completes" width="800" height="249"></a></p> <h3> Role 2: Topic-Indexed Search for Follow-Up Chat (RAG Without Vectors) </h3> <p>After a research run completes, users can ask follow-up questions like <em>"What did the Reuters article say about supply chain risk?"</em> The app retrieves relevant past evidence without re-running the full Bright Data pipeline.</p> <p>Convex handles this by indexing the <code>topic</code> field and enabling text-based search across historical sessions. No embeddings, no vector database, no additional infrastructure.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// convex/sessions.ts — search past sessions by topic keyword</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">list</span> <span class="o">=</span> <span class="nf">query</span><span class="p">({</span> <span class="na">args</span><span class="p">:</span> <span class="p">{</span> <span class="na">limit</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">optional</span><span class="p">(</span><span class="nx">v</span><span class="p">.</span><span class="nf">float64</span><span class="p">()),</span> <span class="na">status</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">optional</span><span class="p">(</span><span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">()),</span> <span class="na">q</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">optional</span><span class="p">(</span><span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">()),</span> <span class="p">},</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">args</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">limit</span> <span class="o">=</span> <span class="p">(</span><span class="nx">args</span><span class="p">.</span><span class="nx">limit</span> <span class="o">??</span> <span class="mi">50</span><span class="p">)</span> <span class="k">as</span> <span class="kr">number</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">args</span><span class="p">.</span><span class="nx">q</span> <span class="o">&amp;&amp;</span> <span class="nx">args</span><span class="p">.</span><span class="nx">q</span><span class="p">.</span><span class="nf">trim</span><span class="p">())</span> <span class="p">{</span> <span class="c1">// Full-text search across the topic field via searchIndex</span> <span class="kd">let</span> <span class="nx">results</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span> <span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">sessions</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">withSearchIndex</span><span class="p">(</span><span class="dl">"</span><span class="s2">search_topic</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">q</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">q</span><span class="p">.</span><span class="nf">search</span><span class="p">(</span><span class="dl">"</span><span class="s2">topic</span><span class="dl">"</span><span class="p">,</span> <span class="nx">args</span><span class="p">.</span><span class="nx">q</span><span class="o">!</span><span class="p">.</span><span class="nf">trim</span><span class="p">()))</span> <span class="p">.</span><span class="nf">take</span><span class="p">(</span><span class="nx">limit</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">args</span><span class="p">.</span><span class="nx">status</span><span class="p">)</span> <span class="nx">results</span> <span class="o">=</span> <span class="nx">results</span><span class="p">.</span><span class="nf">filter</span><span class="p">((</span><span class="nx">s</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">s</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="nx">args</span><span class="p">.</span><span class="nx">status</span><span class="p">);</span> <span class="k">return</span> <span class="nx">results</span><span class="p">;</span> <span class="p">}</span> <span class="kd">let</span> <span class="nx">results</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">sessions</span><span class="dl">"</span><span class="p">).</span><span class="nf">order</span><span class="p">(</span><span class="dl">"</span><span class="s2">desc</span><span class="dl">"</span><span class="p">).</span><span class="nf">take</span><span class="p">(</span><span class="nx">limit</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">args</span><span class="p">.</span><span class="nx">status</span><span class="p">)</span> <span class="nx">results</span> <span class="o">=</span> <span class="nx">results</span><span class="p">.</span><span class="nf">filter</span><span class="p">((</span><span class="nx">s</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">s</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="nx">args</span><span class="p">.</span><span class="nx">status</span><span class="p">);</span> <span class="k">return</span> <span class="nx">results</span><span class="p">;</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>No separate index on <code>topic</code>. Convex's <code>searchIndex</code> handles full-text retrieval.</p> <p>The same mechanism that powers the follow-up chat also powers session history browsing. And because this is a Convex query, it's reactive: if a new session for the same topic completes while the user is in chat, the context updates automatically.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftc2u8i932owr83bc5dq7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftc2u8i932owr83bc5dq7.png" alt="An image of the chat interface showing a follow-up question being answered. Demonstrates that the conversation references the evidence from the research run" width="800" height="500"></a></p> <h3> Role 3: Scheduled Cleanup </h3> <p>Convex's built-in scheduler handles cleanup without a cron job. When a session is created, a cleanup task is scheduled to run exactly 24 hours later.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// convex/sessions.ts — TTL scheduled at creation time</span> <span class="kd">const</span> <span class="nx">TTL_MS</span> <span class="o">=</span> <span class="mi">24</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">create</span> <span class="o">=</span> <span class="nf">mutation</span><span class="p">({</span> <span class="na">args</span><span class="p">:</span> <span class="p">{</span> <span class="na">sessionId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">topic</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="cm">/* ... */</span> <span class="p">},</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">args</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="nf">insert</span><span class="p">(</span><span class="dl">"</span><span class="s2">sessions</span><span class="dl">"</span><span class="p">,</span> <span class="nx">args</span><span class="p">);</span> <span class="c1">// Schedule cleanup for exactly this session, 24h from now</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">scheduler</span><span class="p">.</span><span class="nf">runAfter</span><span class="p">(</span><span class="nx">TTL_MS</span><span class="p">,</span> <span class="nx">internal</span><span class="p">.</span><span class="nx">sessions</span><span class="p">.</span><span class="nx">deleteExpired</span><span class="p">,</span> <span class="p">{</span> <span class="na">sessionId</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">sessionId</span><span class="p">,</span> <span class="p">});</span> <span class="p">},</span> <span class="p">});</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">deleteExpired</span> <span class="o">=</span> <span class="nf">internalMutation</span><span class="p">({</span> <span class="na">args</span><span class="p">:</span> <span class="p">{</span> <span class="na">sessionId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">()</span> <span class="p">},</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="p">{</span> <span class="nx">sessionId</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span> <span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">sessions</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">withIndex</span><span class="p">(</span><span class="dl">"</span><span class="s2">by_sessionId</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">q</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">q</span><span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">sessionId</span><span class="dl">"</span><span class="p">,</span> <span class="nx">sessionId</span><span class="p">))</span> <span class="p">.</span><span class="nf">first</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">session</span><span class="p">)</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="nx">session</span><span class="p">.</span><span class="nx">_id</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">events</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span> <span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">sessionEvents</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">withIndex</span><span class="p">(</span><span class="dl">"</span><span class="s2">by_sessionId</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">q</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">q</span><span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">sessionId</span><span class="dl">"</span><span class="p">,</span> <span class="nx">sessionId</span><span class="p">))</span> <span class="p">.</span><span class="nf">collect</span><span class="p">();</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">ev</span> <span class="k">of</span> <span class="nx">events</span><span class="p">)</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="nx">ev</span><span class="p">.</span><span class="nx">_id</span><span class="p">);</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>Each session cleans up after itself. The scheduler fires once per session, 24 hours after creation, and deletes that session and all its events. Because scheduling from a mutation is atomic, if the session creation succeeds, the cleanup is guaranteed to be scheduled, and because it's a mutation, it's guaranteed to execute exactly once.</p> <h2> On the Model Choice </h2> <p>The app runs on Gemini 3.0 Flash via OpenRouter. The architecture supports full model configurability: different models per stage, per speed mode. Each stage (planning, summaries, artifacts, chat) can be independently configured with a base model, a fast variant, and a deep variant.</p> <p>At runtime, the selection logic works down a priority chain: explicit caller override first, then the stage-specific fast or deep model, then the stage base, then the provider default.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/ai/model-selector.ts</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">selectStageModel</span><span class="p">({</span> <span class="nx">stage</span><span class="p">,</span> <span class="nx">mode</span><span class="p">,</span> <span class="nx">requestedModel</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">explicit</span> <span class="o">=</span> <span class="nf">firstNonEmpty</span><span class="p">(</span><span class="nx">requestedModel</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">explicit</span><span class="p">)</span> <span class="k">return</span> <span class="nx">explicit</span><span class="p">;</span> <span class="c1">// caller override wins</span> <span class="kd">const</span> <span class="nx">profile</span> <span class="o">=</span> <span class="nx">env</span><span class="p">.</span><span class="nx">ai</span><span class="p">.</span><span class="nx">openrouter</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">stageProfile</span> <span class="o">=</span> <span class="nf">stageModels</span><span class="p">(</span><span class="nx">profile</span><span class="p">,</span> <span class="nx">stage</span><span class="p">);</span> <span class="c1">// plan | summaries | artifacts | chat</span> <span class="kd">const</span> <span class="nx">modeFallback</span> <span class="o">=</span> <span class="nx">mode</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">fast</span><span class="dl">'</span> <span class="p">?</span> <span class="nx">profile</span><span class="p">.</span><span class="nx">modelFast</span> <span class="p">:</span> <span class="nx">profile</span><span class="p">.</span><span class="nx">modelDeep</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">mode</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">fast</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">firstNonEmpty</span><span class="p">(</span><span class="nx">stageProfile</span><span class="p">.</span><span class="nx">fast</span><span class="p">,</span> <span class="nx">stageProfile</span><span class="p">.</span><span class="nx">base</span><span class="p">,</span> <span class="nx">modeFallback</span><span class="p">,</span> <span class="nx">profile</span><span class="p">.</span><span class="nx">model</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">firstNonEmpty</span><span class="p">(</span><span class="nx">stageProfile</span><span class="p">.</span><span class="nx">deep</span><span class="p">,</span> <span class="nx">stageProfile</span><span class="p">.</span><span class="nx">base</span><span class="p">,</span> <span class="nx">modeFallback</span><span class="p">,</span> <span class="nx">profile</span><span class="p">.</span><span class="nx">model</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>This matters in multi-stage pipelines because latency compounds. Planning, summarization, graph expansion, and chat all run in sequence, and a slow model at each step multiplies into a slow tool. A fast model at planning and summarization with a deeper model only for chat is a meaningful architectural choice.</p> <h2> What Bright Data and Convex Have in Common </h2> <p>Both solve the same class of problem in their respective layers. You could build what either one does yourself: proxy rotation and bot evasion on the data side, WebSocket management and pub/sub infrastructure on the persistence side.</p> <p>Both are years of engineering work that exist so you don't have to do them. Bright Data delivers structured, fresh web data at the moment you ask for it. Convex delivers that data to every subscribed client the moment it lands in the database. The application code gets to be about the product, not the infrastructure.</p> <h2> The Architecture You Can Take With You </h2> <p>The Signal Terminal is a financial research tool, but the pattern applies anywhere you need an AI that reasons about what's happening now: competitive intelligence, news monitoring, lead research, price tracking, sentiment analysis, supply chain surveillance.</p> <p>Bright Data handles the outside world — fresh, compliant web data at scale, with unlocking across platforms that block everything else. Convex handles the inside world: reactive persistence, streaming to the UI, querying without a vector database, housekeeping on a schedule. The LLM reasons only from what it's been given, because the reflection stage ensures it only receives what's relevant.</p> <h2> Try It, Fork It, Build With It </h2> <p>Go to <a href="https://demos.brightdata.com/market-terminal" rel="noopener noreferrer">demos.brightdata.com/market-terminal</a> and ask it a real question about a company or market event you already know something about. Watch each pipeline stage complete. See the evidence map build. Ask a follow-up in the chat and see whether the output matches what you already know.</p> <p>The code is at <a href="https://github.com/brightdata/market-terminal" rel="noopener noreferrer">github.com/brightdata/market-terminal</a>. Open source, contributions welcome.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8bq6plv6gnb98fsjm1pd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8bq6plv6gnb98fsjm1pd.png" alt="An image of the GitHub repository page" width="800" height="460"></a></p> <p>The <a href="https://discord.com/invite/convex" rel="noopener noreferrer">Convex community Discord</a> is a strong resource for questions about the reactive database layer.</p> <p>Thanks to Meir Kadosh at Bright Data for walking me through all of this and building something worth writing about.</p> ai brightdata convex webdev Shola Jegede Tue, 27 Jan 2026 22:34:23 +0000 https://dev.to/sholajegede/how-to-build-passwordless-authentication-magic-links-one-time-codes-and-best-practices-1gh9 https://dev.to/sholajegede/how-to-build-passwordless-authentication-magic-links-one-time-codes-and-best-practices-1gh9 <p><em>Passwordless auth is supposed to make signing in easier. Here is why most implementations make it worse — and how to get it right.</em></p> <p>In this article, you will learn:</p> <ul> <li>Why passwordless authentication exists and what problem it actually solves</li> <li>The real difference between magic links and one-time codes — and why Kinde chose OTPs over magic links</li> <li>The UX mistakes that turn passwordless into a frustration machine</li> <li>What the full range of passwordless options looks like: email OTP, SMS OTP, username + code, and social login</li> <li>How to enable and configure each method in Kinde</li> <li>How to set per-app and per-org authentication rules</li> <li>Attack protection settings you should configure before going live</li> <li>What actually works and what to avoid</li> </ul> <p>Let's dive in!</p> <h2> The Problem with Passwords (and Why Replacing Them Is Harder Than It Looks) </h2> <p>Passwords are a disaster. Users reuse them, forget them, choose weak ones, get phished with them, and abandon your signup flow because of them. The average person manages dozens of accounts, and the reality of password hygiene in 2026 is grim: most people use the same five passwords across everything they care about.</p> <p>So the instinct to go passwordless is correct. Remove the password and you remove a huge class of security problems and UX friction at once. No "Forgot password?" flows. No "Password must contain one uppercase letter, one symbol, and the blood of a dragon." Just an identity and a verification step.</p> <p>The problem is that most passwordless implementations trade one frustration for another. Instead of a forgotten password, users face a magic link that expired. Instead of a weak password, they face an OTP email that landed in spam. Instead of a clear error message, they face a confusing redirect loop across browser tabs.</p> <p>Done right, passwordless is a dramatic improvement. Done poorly, it makes users nostalgic for the password box.</p> <p>Here is how to do it right, and how Kinde structures its passwordless authentication options to actually serve users instead of annoying them.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo47pqay2ejn32lj8e2rk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo47pqay2ejn32lj8e2rk.png" alt="Side-by-side UX flow — Password flow (Email → Password field → " width="800" height="753"></a></p> <h2> Magic Links vs One-Time Codes: The Real Difference </h2> <p>Before getting into implementation, it is worth understanding the actual security and UX tradeoff between the two most common passwordless approaches, because they are not equivalent.</p> <p>A <strong>magic link</strong> is a URL sent to the user's email that, when clicked, signs them in immediately. One click, no input required.</p> <p>A <strong>one-time passcode (OTP)</strong> is a short code — typically 6 digits — sent to the user's email or phone. The user must actively type it into your sign-in page.</p> <p>Magic links sound more convenient. Fewer steps, lower friction, just click. But Kinde deliberately does not support magic links as a password alternative. Here is the reasoning, and it is worth understanding because it shapes how you think about passwordless security.</p> <p><strong>Magic links have a single-click attack surface.</strong> Anyone with access to the user's email can click the link and be instantly signed in. If the user's email is open on a shared or unlocked device, a family member, colleague, or attacker can click the link without knowing anything else. There is no second factor implied by the act of clicking.</p> <p><strong>OTPs require active participation.</strong> To use an OTP, you have to have initiated the correct sign-in flow on the correct device, and then separately retrieve and type the code. If someone else has access to your email and they see an OTP, they cannot use it unless they are also sitting at the browser tab where the sign-in flow started. If the OTP arrives via SMS, they need the physical device and its unlock code.</p> <p>This is a meaningful security distinction, especially for B2B and SaaS products where account compromise can have real consequences for the user's organization — not just their personal data.</p> <p>Kinde's position is clear: OTPs are more secure and still offer a dramatically better user experience than passwords. The OTP flow is a bit more manual than a magic link click, but it is fundamentally more defensible. That is a trade-off worth making.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzdnnc6pkxjovj6qd1lrh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzdnnc6pkxjovj6qd1lrh.png" alt="Security comparison — Magic link attack scenario (Shared device → Attacker sees email → Clicks link → Signed in, no resistance) vs OTP attack scenario (Shared device → Attacker sees email → Gets code → But: must have initiated correct sign-in flow → Cannot use code alone)" width="800" height="732"></a></p> <h2> What Passwordless Options Does Kinde Support? </h2> <p><a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=4&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde</a> supports four passwordless authentication methods, covering email, phone, and username-based flows. Each method can be enabled independently and configured per application or per organization.</p> <p><strong>Email + code.</strong> The user enters their email address. Kinde sends a one-time passcode to that email. The user enters the code to complete sign-in. This is enabled by default in all new Kinde accounts — it is the recommended starting point for most products.</p> <p><strong>Phone + code (SMS OTP).</strong> The user enters their phone number. Kinde sends a passcode via SMS through Twilio. The user enters the code. This requires a Twilio account and a Kinde Pro plan or above. It is the right choice for products where users are more likely to have reliable phone access than email access, or where mobile-first UX is a priority.</p> <p><strong>Username + code.</strong> The user enters a username instead of an email as their sign-in identity. They still provide an email at signup, but sign in with a username and receive the OTP via that email. This is useful for products where usernames are part of the product identity — gaming platforms, community tools, and developer tools where GitHub-style handles matter.</p> <p><strong>Social connections.</strong> Google, GitHub, Microsoft, Apple, and 10+ other providers. Social login is a form of passwordless authentication — the user delegates the verification step to a provider they already trust. Kinde handles the OAuth flow and the token exchange. Social connections can be combined with email or phone OTP for fallback.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmy3k478q5y2pvmdg0c3z.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmy3k478q5y2pvmdg0c3z.png" alt="Four quadrant grid showing the four passwordless options — Email + code, Phone + code, Username + code, Social — with a one-line description and the primary use case for each" width="800" height="180"></a></p> <h2> The Passwordless UX Mistakes That Frustrate Users </h2> <p>Before the implementation steps, a quick catalogue of the things that make passwordless authentication worse than passwords. These are avoidable if you know what to watch for.</p> <p><strong>Slow code delivery.</strong> If the OTP email takes 45 seconds to arrive, the user assumes something broke and refreshes or starts over. Target delivery under 5 seconds. Kinde delivers codes quickly, but your email sender reputation and deliverability setup affect this — see the section on custom email senders below.</p> <p><strong>Codes that expire too fast.</strong> Some implementations set 60-second or 90-second windows. That is often not enough time for the user to switch apps, unlock their phone, and type the code. Kinde's passcodes expire after 2 hours, which is a generous and sensible window that covers the common case of someone signing in, getting distracted, and returning to complete it.</p> <p><strong>No "resend code" option.</strong> Users will not receive their code sometimes. Spam filters, brief mail server delays, a typo in the email — all of these happen. Your sign-in page must have a clearly visible "Resend code" action. If users cannot find it, they assume the product is broken.</p> <p><strong>Too many authentication choices.</strong> Offering six different sign-in methods on one screen creates decision paralysis. Pick the one or two that match your users' context and present them cleanly. You can always add more later.</p> <p><strong>Unclear error messages.</strong> "Authentication failed" tells the user nothing. "That code has expired. Request a new one below." tells them exactly what happened and what to do next. Match the message to the actual failure mode.</p> <p><strong>Sending codes to a junk folder.</strong> This is the most common complaint about OTP-based auth. A code from an unknown sender ("<a href="mailto:noreply@kinde.com">noreply@kinde.com</a>") is more likely to hit spam than a code from your own domain. Configure a custom email sender in Kinde so codes arrive from your domain, not Kinde's.</p> <h2> Enabling Passwordless Authentication in Kinde </h2> <h3> Step #1: Access the Authentication Settings </h3> <p>In your Kinde dashboard, navigate to <strong>Settings</strong> → <strong>Environment</strong> → <strong>Authentication</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F25v1x3p73ny7j7ouv84u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F25v1x3p73ny7j7ouv84u.png" alt="Kinde dashboard — Settings &gt; Environment &gt; Authentication page, showing the full authentication options grid with Passwordless and Password sections, and the Social connections section below" width="800" height="502"></a></p> <p>You will see three sections: <strong>Passwordless</strong>, <strong>Password</strong>, and <strong>Social connections</strong>. For each authentication type, there is a tile with a <strong>Configure</strong> button. Note that you cannot enable both passwordless and password authentication for the same application — they are mutually exclusive per app.</p> <h3> Step #2: Enable Email + Code </h3> <p>Email + code is the foundational passwordless method and the one most products should start with. Kinde enables it by default for new accounts, but here is how to confirm and configure it.</p> <p>Select <strong>Configure</strong> on the <strong>Email</strong> tile in the <strong>Passwordless</strong> section.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqv6io11rvmjlm8fcbhax.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqv6io11rvmjlm8fcbhax.png" alt="The " width="800" height="502"></a></p> <p>In the modal that appears, you will see a list of your applications. Toggle email + code on or off for each application independently. This means you can have passwordless on your main app and password auth on a separate admin portal if you need to. Select <strong>Save</strong>.</p> <h3> Step #3: Enable Phone (SMS) Authentication </h3> <p>Phone authentication is ideal for mobile-first products and audiences where SMS is more reliable than email. It requires a Twilio account and Kinde Pro plan or above.</p> <p>Select <strong>Configure</strong> on the <strong>Phone</strong> tile in the <strong>Passwordless</strong> section.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2aw9i4iji7ydopgzroz8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2aw9i4iji7ydopgzroz8.png" alt="The " width="800" height="502"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5fb7jo2a6sscnfyz5kvt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5fb7jo2a6sscnfyz5kvt.png" alt="The " width="800" height="502"></a></p> <p>To complete the setup, you will need to connect your Twilio account. Navigate to <strong>Settings</strong> → <strong>Twilio</strong> and enter your Twilio account SID, auth token, and the phone number or messaging service SID you want to send from. Once connected, phone auth will work for the applications you toggled on.</p> <p>Note: SMS delivery is subject to carrier filtering and regional regulations. For international products, test OTP delivery across your target markets before launch. Kinde has documentation on SMS deliverability worth reading before enabling this at scale.</p> <h3> Step #4: Enable Username + Code </h3> <p>If your product uses usernames as the primary identity — rather than email addresses — this method lets users sign in with their username while still receiving OTPs via their registered email.</p> <p>Select <strong>Configure</strong> on the <strong>Username + code</strong> tile in the <strong>Passwordless</strong> section and toggle it on for the relevant applications.</p> <p>Note: Username + code requires users to have provided an email at signup. The OTP is sent to that email, not displayed next to the username field. Make sure your sign-in page clearly communicates that the code will go to their registered email.</p> <h3> Step #5: Add Social Connections </h3> <p>Social sign-in is a seamless form of passwordless auth for many users. Google in particular is dominant — a large proportion of users will choose "Continue with Google" over any other option if it is available.</p> <p>In the <strong>Social connections</strong> section, select <strong>Add connection</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2xxxu322aofkzczo7qkl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2xxxu322aofkzczo7qkl.png" alt="Social connections section in Kinde Authentication settings, showing the " width="800" height="502"></a></p> <p>Select the providers you want to add and select <strong>Save</strong>. After saving, each social connection you added needs to be configured with the provider's credentials — client ID and client secret from the provider's developer console. Select the individual provider tile and follow the setup steps. Kinde has dedicated setup guides for Google, GitHub, Microsoft, Apple, and all other supported providers.</p> <p>For most consumer SaaS products, Google is the one social connection that should be there from day one. For developer tools, add GitHub. For B2B with Microsoft-heavy enterprise customers, add Microsoft.</p> <h2> Configuring a Custom Email Sender </h2> <p>This is not optional if you care about OTP deliverability. By default, Kinde sends OTPs from its own domain. Emails from unknown senders hit spam filters more often than emails from a sender the user's mail system recognizes.</p> <p>To configure a custom sender, navigate to <strong>Settings</strong> → <strong>Email</strong> in your Kinde dashboard.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzqp8ks9a1ts574o1as4p.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzqp8ks9a1ts574o1as4p.png" alt="Kinde Settings &gt; Email page showing the custom email sender configuration section with " width="800" height="502"></a></p> <p>You can set:</p> <ul> <li> <strong>From name</strong>: The display name users see in their email client (e.g. "YourApp")</li> <li> <strong>From address</strong>: The email address the code comes from (e.g. <code>auth@yourapp.com</code>)</li> </ul> <p>For the custom address to work, you need to verify the domain with Kinde by adding DNS records that Kinde provides. This typically takes a few minutes to propagate. Once verified, all OTPs sent from Kinde will use your domain.</p> <p>This single change reduces OTP spam classification significantly. Do it before launch.</p> <h2> Setting Per-App and Per-Org Authentication </h2> <p>One of Kinde's most practical capabilities is the ability to set different authentication methods for different applications and different organizations. This matters more than it seems.</p> <h3> Per-App Authentication </h3> <p>Consider a product that has a standard user-facing application and a separate internal admin portal. The user-facing app should use email OTP for maximum conversion and ease. The internal admin portal should use a password (or even enterprise SSO) for tighter control. These are different risk profiles and different user populations.</p> <p>In Kinde, every authentication method is configured per application via the toggles in the Configure modals you saw earlier. When you navigate to <strong>Settings</strong> → <strong>Authentication</strong> and open any method, you toggle it on or off independently for each registered application.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fontb2e6m0mtighblcf8f.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fontb2e6m0mtighblcf8f.png" alt="The Configure modal for Email passwordless, showing multiple application rows with independent toggles — one app has it on, another has it off" width="800" height="502"></a></p> <h3> Per-Org Authentication </h3> <p>For B2B products, authentication requirements often differ by customer. An enterprise customer may have strict SSO requirements through Microsoft Entra ID. A startup customer may prefer the simplicity of Google social login. A particularly security-conscious customer may want to require MFA on top of OTP.</p> <p><a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=4&amp;device=&amp;adposition=" rel="noopener noreferrer">In Kinde</a>, navigate to <strong>Organizations</strong> → select an organization → <strong>Authentication</strong> to see per-organization authentication overrides.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnvovg5cjzuo2sxjmdmpn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnvovg5cjzuo2sxjmdmpn.png" alt="Organization detail page showing the Authentication tab with options to override global authentication settings for this specific organization" width="800" height="501"></a></p> <p>You can set custom authentication experiences per organization without changing the global defaults for other tenants. This is the right architecture for B2B products where customer requirements vary.</p> <h2> Configuring Attack Protection </h2> <p>Passwordless auth is not magic — OTP-based systems have their own attack surfaces. Without rate limiting and brute-force protection, an attacker could try to enumerate codes or flood your users with OTP requests.</p> <p>Kinde provides built-in attack protection settings. Navigate to <strong>Settings</strong> → <strong>Security</strong> → <strong>Attack protection</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frj660k6csx3kms67jqb7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frj660k6csx3kms67jqb7.png" alt="Kinde Settings &gt; Security &gt; Attack protection page, showing the configurable fields: sign-in attempt limits, lockout duration, IP-level throttling" width="800" height="502"></a></p> <p>The settings you can configure include:</p> <ul> <li> <strong>Maximum sign-in attempts</strong>: How many failed attempts before the account is temporarily locked</li> <li> <strong>Lockout duration</strong>: How long the lockout lasts after the threshold is hit</li> <li> <strong>IP-level throttling</strong>: Rate limiting on OTP requests per IP address to prevent OTP flooding</li> </ul> <p>The right settings depend on your user base. A consumer app with millions of casual users needs more lenient lockout settings than a B2B tool with a small, known set of users who all know how to sign in. The defaults are reasonable starting points, but tune them based on your support tickets — if users are getting locked out unexpectedly, loosen the thresholds. If you are seeing OTP abuse, tighten them.</p> <h2> Implementing Passwordless in Your App: The Code Side </h2> <p>Once your Kinde settings are configured, your application needs to handle the authentication flow. Kinde's SDKs abstract away the OTP exchange entirely — you do not build the code-sending, code-verifying, or session-creating logic yourself.</p> <p>For a Next.js application using Kinde's App Router SDK, passwordless login looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/page.tsx — sign-in page with passwordless entry point</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">LoginLink</span><span class="p">,</span> <span class="nx">RegisterLink</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/components</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">Home</span><span class="p">()</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">main</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h1</span><span class="o">&gt;</span><span class="nx">Welcome</span> <span class="nx">to</span> <span class="nx">YourApp</span><span class="o">&lt;</span><span class="sr">/h1</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">p</span><span class="o">&gt;</span><span class="nx">Sign</span> <span class="k">in</span> <span class="nx">to</span> <span class="k">continue</span> <span class="err">—</span> <span class="nx">no</span> <span class="nx">password</span> <span class="nx">required</span><span class="p">.</span><span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="p">{</span><span class="cm">/* Kinde handles the entire OTP flow on its hosted auth pages */</span><span class="p">}</span> <span class="o">&lt;</span><span class="nx">LoginLink</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">btn btn-primary</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">Sign</span> <span class="k">in</span> <span class="o">&lt;</span><span class="sr">/LoginLink</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">RegisterLink</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">btn btn-secondary</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">Create</span> <span class="nx">account</span> <span class="o">&lt;</span><span class="sr">/RegisterLink</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/main</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>When the user clicks "Sign in", Kinde redirects them to the hosted authentication page where they enter their email, receive their OTP, and complete verification. After successful authentication, Kinde redirects back to your application with a session.</p> <p>To read the authenticated user's details in a server component:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/dashboard/page.tsx — protected page</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">redirect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/navigation</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">Dashboard</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">getUser</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="c1">// Redirect unauthenticated users to the sign-in page</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="p">{</span> <span class="nf">redirect</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/auth/login</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getUser</span><span class="p">();</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h1</span><span class="o">&gt;</span><span class="nx">Dashboard</span><span class="o">&lt;</span><span class="sr">/h1</span><span class="err">&gt; </span> <span class="p">{</span><span class="cm">/* user.given_name, user.email, user.picture are all available */</span><span class="p">}</span> <span class="o">&lt;</span><span class="nx">p</span><span class="o">&gt;</span><span class="nx">Welcome</span> <span class="nx">back</span><span class="p">,</span> <span class="p">{</span><span class="nx">user</span><span class="p">?.</span><span class="nx">given_name</span><span class="p">}.</span><span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">p</span><span class="o">&gt;</span><span class="nx">Signed</span> <span class="k">in</span> <span class="k">as</span><span class="p">:</span> <span class="p">{</span><span class="nx">user</span><span class="p">?.</span><span class="nx">email</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The route handler that manages the Kinde auth endpoints needs to exist in your project. Create it at <code>app/api/auth/[kindeAuth]/route.ts</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/auth/[kindeAuth]/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">handleAuth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">GET</span> <span class="o">=</span> <span class="nf">handleAuth</span><span class="p">();</span> </code></pre> </div> <p>That single line handles login, logout, callback, and registration routes for your entire Kinde integration. No custom token verification, no session management, no OTP exchange logic — Kinde handles it all.</p> <p>And the middleware that protects your routes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// middleware.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">withAuth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/middleware</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">withAuth</span><span class="p">(</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Optional: add custom logic using req.kindeAuth</span> <span class="p">},</span> <span class="p">{</span> <span class="c1">// Public routes that do not require authentication</span> <span class="na">publicPaths</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">/about</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">/pricing</span><span class="dl">"</span><span class="p">],</span> <span class="p">}</span> <span class="p">);</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">/((?!_next|[^?]*</span><span class="se">\\</span><span class="s2">.(?:html?|css|js(?!on)|jpe?g|webp|png|gif|svg|ttf|woff2?|ico|csv|docx?|xlsx?|zip|webmanifest)).*)</span><span class="dl">"</span><span class="p">,</span> <span class="p">],</span> <span class="p">};</span> </code></pre> </div> <p>With this setup, users who try to access protected routes are automatically redirected to Kinde's passwordless sign-in page. After authenticating with their OTP, they are brought back to the protected page they originally tried to reach.</p> <h2> Testing Your Passwordless Flow </h2> <p>Before going live, run through this checklist:</p> <p><strong>Test the happy path.</strong> Enter a valid email, receive the code, enter it, confirm you land on the right page post-login. Do this in an incognito window to avoid cached sessions.</p> <p><strong>Test OTP email delivery.</strong> Check whether codes arrive promptly (under 10 seconds). Check your spam folder with the default Kinde sender. Then configure your custom sender and check again.</p> <p><strong>Test code expiry.</strong> Wait more than 2 hours without using the code, then try to use it. Confirm the error message is clear and offers a way to get a new code.</p> <p><strong>Test invalid codes.</strong> Enter a wrong code several times. Confirm the error message is clear and the account lockout behaviour matches your attack protection settings.</p> <p><strong>Test on mobile.</strong> Auth flows behave differently on mobile — especially when switching between the email app and the browser. Confirm the redirect back to your app works correctly on iOS and Android.</p> <p><strong>Test the "Resend code" path.</strong> If a user requests a second code, the first code should be invalidated. Confirm this is the case.</p> <p>Kinde has a dedicated testing section in the docs that covers testing passwordless flows specifically, including test user setup for development environments. Reference the testing documentation at <a href="https://docs.kinde.com/testing/testing-passwordless-flows/" rel="noopener noreferrer">docs.kinde.com</a> before launch.</p> <h2> Passwordless Methods: Comparison </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Method</th> <th>Best for</th> <th>Requires</th> <th>Plan</th> </tr> </thead> <tbody> <tr> <td>Email + code</td> <td>Most products, all audiences</td> <td>Nothing extra</td> <td>All plans</td> </tr> <tr> <td>Phone + code</td> <td>Mobile-first, SMS-comfortable users</td> <td>Twilio account</td> <td>Kinde Pro+</td> </tr> <tr> <td>Username + code</td> <td>Community/dev tools with usernames</td> <td>Nothing extra</td> <td>All plans</td> </tr> <tr> <td>Social (Google, GitHub, etc.)</td> <td>Consumer apps, developer tools</td> <td>Provider app setup</td> <td>All plans</td> </tr> </tbody> </table></div> <h2> Conclusion </h2> <p>In this article, you learned why passwordless authentication is worth doing, what separates a good implementation from a frustrating one, and why Kinde deliberately chose OTPs over magic links. You also saw how to enable and configure every passwordless option Kinde supports — email codes, SMS codes, username codes, and social login — along with attack protection, custom email senders, per-app settings, and per-org overrides.</p> <p>The pattern that actually works is simple: pick the fewest methods that genuinely serve your users, configure custom email sending before launch, write clear error messages, and let Kinde handle the OTP exchange so you can focus on your product.</p> <p>Passwords are yesterday's problem. <a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=4&amp;device=&amp;adposition=" rel="noopener noreferrer">Create a free Kinde account</a> today and replace them with an authentication flow your users will actually enjoy.</p> webdev kinde programming tutorial Shola Jegede Tue, 27 Jan 2026 22:33:47 +0000 https://dev.to/sholajegede/how-to-add-team-collaboration-to-your-v0-apps-in-5-minutes-3f6m https://dev.to/sholajegede/how-to-add-team-collaboration-to-your-v0-apps-in-5-minutes-3f6m <p><em>You built an app with v0, Lovable, Bolt, or Base44 in minutes. Now your team needs to use it with different access levels. Here is how to add the entire collaboration layer without touching a single line of code yourself.</em></p> <p>In this article, you will learn:</p> <ul> <li>Why AI-generated apps ship without user management and what that means for your team</li> <li>What real multi-user collaboration actually requires under the hood</li> <li>How to build an AI-powered changelog tool in v0 as the demo app</li> <li>How to add Kinde auth, protected routes, roles, and organization workspaces through prompts alone</li> <li>How to test that the collaboration layer actually works</li> </ul> <p>Let's dive in!</p> <h2> What AI Builders Give You and What They Don't </h2> <p>v0, Lovable, Bolt, and Base44 are remarkable. You describe what you want, and in minutes you have a working, deployable application with UI, logic, and routes. This has genuinely changed what one person can ship in an afternoon.</p> <p>What none of them give you by default is user management. When your AI builder generates an app, everyone who visits the URL sees the same thing. There is no concept of "Alice is an admin and can publish" or "Bob is a viewer and can only read." There are no team workspaces. There is no authentication.</p> <p>Adding that layer after the fact is where most people get stuck, because it usually means diving into the generated code and understanding how it works, which defeats the whole point.</p> <p>This article shows you how to do it entirely through prompts, using <a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=3&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde</a> for auth, roles, and team management. The demo app is an AI changelog generator, a tool your team can use to turn raw GitHub commits or release notes into polished public changelogs. Admins publish. Members draft. The public reads.</p> <h2> What Real Team Collaboration Requires </h2> <p>Before you prompt anything, being clear on what collaboration actually means in a web app saves a lot of confusion later. Four things need to work together:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>What it means</th> <th>What Kinde provides</th> </tr> </thead> <tbody> <tr> <td><strong>Authentication</strong></td> <td>Users can sign in and sign out</td> <td>Login, sign-up, passwordless OTP, social login</td> </tr> <tr> <td><strong>Identity</strong></td> <td>The app knows who is logged in</td> <td>User object with name, email, ID on every request</td> </tr> <tr> <td><strong>Roles</strong></td> <td>Different users can do different things</td> <td>Roles (admin, member, viewer) attached to users</td> </tr> <tr> <td><strong>Organizations</strong></td> <td>Users belong to a team workspace</td> <td>Orgs that group users with isolated data</td> </tr> </tbody> </table></div> <p>You need all four for a real product. A lot of AI-generated apps nail authentication but skip the rest, and then wonder why every user sees every other user's data.</p> <p><a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=3&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde</a> handles all four out of the box, free for up to 10,500 monthly active users, no credit card required.</p> <h2> What You Need Before You Start </h2> <p><strong>A v0.app account.</strong> Sign up at <a href="https://v0.app/ref/GCD297" rel="noopener noreferrer">v0.app</a>. Free tier available. The prompts in this article are written for v0 but work in Lovable, Bolt, and Base44 with minor adjustments.</p> <p><strong>A Kinde account.</strong> Sign up at <a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=3&amp;device=&amp;adposition=" rel="noopener noreferrer">kinde.com</a>. Free up to 10,500 monthly active users, no credit card.</p> <p>Once you have your Kinde account, create an application for your project. Navigate to <strong>Settings → Applications → Add application</strong>. Give it a name, select Back-end web as the application type, and hit Save.</p> <p>Then open the application you just created and navigate to <strong>View details</strong> to grab these values:</p> <ul> <li><code>KINDE_CLIENT_ID</code></li> <li><code>KINDE_CLIENT_SECRET</code></li> <li> <code>KINDE_ISSUER_URL</code> (your Kinde domain, e.g. <code>https://yourapp.kinde.com</code>)</li> </ul> <p>And two you define yourself:</p> <ul> <li> <code>KINDE_SITE_URL</code> where your app runs locally (<code>http://localhost:3000</code>)</li> <li> <code>KINDE_POST_LOGIN_REDIRECT_URL</code> where users land after login (<code>http://localhost:3000/dashboard</code>)</li> <li> <code>KINDE_POST_LOGOUT_REDIRECT_URL</code> where users land after logout (<code>http://localhost:3000</code>)</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgcqv1r63892mc0c8iaih.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgcqv1r63892mc0c8iaih.png" alt="Kinde dashboard — Settings &gt; Applications &gt; View details, showing the App keys section with KINDE_CLIENT_ID, KINDE_CLIENT_SECRET, and KINDE_ISSUER_URL fields visible" width="800" height="502"></a></p> <p>Keep these open in a tab. You will paste them into v0 shortly.</p> <h2> Step #1: Build the Base App in v0 </h2> <p>The demo app is an AI changelog generator. Teams paste in raw commit messages or release notes, the app uses an AI model to turn them into readable entries, and admins publish them to a public page.</p> <p>Open <a href="https://v0.app" rel="noopener noreferrer">v0.app</a> and use this prompt:</p> <p><strong>Prompt:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Build an AI changelog generator for software teams. The app should have: - A landing page with the product name "Changelog" and two buttons: "Sign in" and "Start free" - A dashboard at /dashboard with: - A sidebar with: Dashboard, New Entry, Published, Team, Settings - A main area showing a list of changelog entries as cards, each with: version number, title, date, status badge (Draft / Published), and Edit + Delete buttons - A "New Entry" page at /dashboard/new with: - A text area labeled "Paste your commits or release notes" - A "Generate with AI" button - A title field, version field, and content editor that populates after generation - A "Save as draft" and "Publish" button - A public changelog page at /changelog showing only published entries in clean readable format Use Next.js App Router with TypeScript. Clean, minimal design. Do not add any authentication yet. </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9q2wvvj9wv3nsjwfg6g9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9q2wvvj9wv3nsjwfg6g9.png" alt="v0.app showing the changelog dashboard preview — sidebar on left, changelog entry cards in main area, status badges visible" width="800" height="502"></a></p> <p>Let v0 generate the app. Once the preview looks right, push it to GitHub using v0's built-in GitHub integration.</p> <h2> Step #2: Wire In Kinde Auth </h2> <p>Now prompt v0 to install Kinde and set up the auth infrastructure. One prompt handles everything.</p> <p><strong>Prompt:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Add Kinde authentication to this Next.js app using @kinde-oss/kinde-auth-nextjs. Do the following: 1. Install the package 2. Create the auth route handler at app/api/auth/[kindeAuth]/route.ts using handleAuth from @kinde-oss/kinde-auth-nextjs/server 3. Wrap the root layout in app/layout.tsx with KindeAuthProvider from @kinde-oss/kinde-auth-nextjs/server 4. Create a .env.local file with these placeholder variables: KINDE_CLIENT_ID= KINDE_CLIENT_SECRET= KINDE_ISSUER_URL= KINDE_SITE_URL=http://localhost:3000 KINDE_POST_LOGIN_REDIRECT_URL=http://localhost:3000/dashboard KINDE_POST_LOGOUT_REDIRECT_URL=http://localhost:3000 5. No UI changes yet — just the plumbing </code></pre> </div> <p>Once v0 finishes, click on the <strong>Settings</strong> button in v0's editor and then go to <strong>Environment Variables</strong> tab to fill in your actual Kinde values. Do not commit this file to GitHub. It is gitignored by default.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr68rkoomxirzsy3pp5s0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr68rkoomxirzsy3pp5s0.png" alt=" " width="800" height="502"></a></p> <p>Then add your callback URLs in the Kinde dashboard. Navigate to <strong>Settings → Applications → View details → Callback URLs</strong> and add:</p> <ul> <li>Allowed callback URL: <code>http://&lt;your_v0_published_url&gt;/api/auth/kinde_callback</code> </li> <li>Allowed logout redirect URL: <code>http://&lt;your_v0_published_url&gt;</code> </li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fknn0n2d3gf9z80khh8ek.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fknn0n2d3gf9z80khh8ek.png" alt="Kinde dashboard — Settings &gt; Applications &gt; View details &gt; Callback URLs section with the localhost callback URL added" width="800" height="502"></a></p> <h2> Step #3: Add Login and Sign-Up Buttons </h2> <p><strong>Prompt:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="nx">Update</span> <span class="nx">the</span> <span class="nx">landing</span> <span class="nx">page</span> <span class="nx">and</span> <span class="nx">dashboard</span> <span class="nx">to</span> <span class="nx">use</span> <span class="nx">Kinde</span> <span class="nx">auth</span> <span class="nx">components</span><span class="p">.</span> <span class="nx">Do</span> <span class="nx">the</span> <span class="nx">following</span><span class="p">:</span> <span class="mi">1</span><span class="p">.</span> <span class="nx">On</span> <span class="nx">the</span> <span class="nx">landing</span> <span class="nf">page </span><span class="p">(</span><span class="nx">app</span><span class="o">/</span><span class="nx">page</span><span class="p">.</span><span class="nx">tsx</span><span class="p">),</span> <span class="nx">replace</span> <span class="nx">the</span> <span class="dl">"</span><span class="s2">Sign in</span><span class="dl">"</span> <span class="nx">button</span> <span class="kd">with</span> <span class="nx">LoginLink</span> <span class="nx">and</span> <span class="dl">"</span><span class="s2">Start free</span><span class="dl">"</span> <span class="kd">with</span> <span class="nx">RegisterLink</span><span class="p">:</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">LoginLink</span><span class="p">,</span> <span class="nx">RegisterLink</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/components</span><span class="dl">"</span><span class="p">;</span> <span class="p">&lt;</span><span class="nc">LoginLink</span> <span class="na">postLoginRedirectURL</span><span class="p">=</span><span class="s">"/dashboard"</span><span class="p">&gt;</span>Sign in<span class="p">&lt;/</span><span class="nc">LoginLink</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">RegisterLink</span> <span class="na">postLoginRedirectURL</span><span class="p">=</span><span class="s">"/dashboard"</span><span class="p">&gt;</span>Start free<span class="p">&lt;/</span><span class="nc">RegisterLink</span><span class="p">&gt;</span> <span class="mi">2</span><span class="p">.</span> <span class="nx">In</span> <span class="nx">the</span> <span class="nx">dashboard</span> <span class="nx">sidebar</span><span class="p">,</span> <span class="nx">show</span> <span class="nx">the</span> <span class="nx">logged</span><span class="o">-</span><span class="k">in</span> <span class="nx">user</span><span class="dl">'</span><span class="s1">s name and email using getKindeServerSession: import { getKindeServerSession } from "@kinde-oss/kinde-auth-nextjs/server"; const { getUser } = getKindeServerSession(); const user = await getUser(); Show user.given_name and user.email in the sidebar footer. 3. Add a sign-out link at the bottom of the sidebar that links to /api/auth/logout </span></code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzzvwtdl3jde3b9yaokdd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzzvwtdl3jde3b9yaokdd.png" alt="The landing page with " width="800" height="502"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6maayecnsfx732245rq2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6maayecnsfx732245rq2.png" alt="The dashboard sidebar showing the logged-in user's name and email in the footer with a sign-out link" width="800" height="1603"></a></p> <h2> Step #4: Protect the Dashboard Routes </h2> <p>Right now anyone can navigate directly to <code>/dashboard</code> without logging in. The Kinde middleware fixes this with one file.</p> <p><strong>Prompt:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">Add</span> <span class="nx">route</span> <span class="nx">protection</span> <span class="nx">using</span> <span class="nx">Kinde</span> <span class="nx">middleware</span><span class="p">.</span> <span class="nx">Create</span> <span class="nx">a</span> <span class="nx">file</span> <span class="nx">at</span> <span class="nx">middleware</span><span class="p">.</span><span class="nx">ts</span> <span class="k">in</span> <span class="nx">the</span> <span class="nx">project</span> <span class="nx">root</span> <span class="kd">with</span> <span class="nx">exactly</span> <span class="k">this</span> <span class="nx">content</span><span class="p">:</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">withAuth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/middleware</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">withAuth</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">/dashboard/:path*</span><span class="dl">"</span><span class="p">]</span> <span class="p">};</span> <span class="nx">This</span> <span class="nx">automatically</span> <span class="nx">redirects</span> <span class="kr">any</span> <span class="nx">unauthenticated</span> <span class="nx">request</span> <span class="nx">to</span> <span class="o">/</span><span class="nx">dashboard</span> <span class="nx">or</span> <span class="kr">any</span> <span class="nx">sub</span><span class="o">-</span><span class="nx">route</span> <span class="nx">to</span> <span class="nx">the</span> <span class="nx">Kinde</span> <span class="nx">login</span> <span class="nx">page</span><span class="p">.</span> <span class="nx">Also</span> <span class="nx">add</span> <span class="nx">an</span> <span class="nx">authentication</span> <span class="nx">check</span> <span class="nx">at</span> <span class="nx">the</span> <span class="nx">top</span> <span class="k">of</span> <span class="nx">app</span><span class="o">/</span><span class="nx">dashboard</span><span class="o">/</span><span class="nx">page</span><span class="p">.</span><span class="nx">tsx</span><span class="p">:</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">redirect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/navigation</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="p">{</span> <span class="nf">redirect</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/auth/login</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The public <code>/changelog</code> page stays open to anyone. Everything under <code>/dashboard</code> now requires a logged-in user.</p> <h2> Step #5: Add Roles for Admins, Members, and Viewers </h2> <p>This is where the collaboration layer becomes real. Not everyone on the team should be able to publish or delete changelog entries.</p> <p>First, create the roles in Kinde. Navigate to <strong>Roles → Add role</strong> and create three:</p> <ul> <li> <code>admin</code> — can publish, edit, delete all entries, and manage team</li> <li> <code>member</code> — can create and edit drafts, cannot publish or delete</li> <li> <code>viewer</code> — read-only access to the dashboard</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyqv49ubuikw43qzbxj4n.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyqv49ubuikw43qzbxj4n.png" alt="Kinde dashboard Roles page showing three roles: admin, member, and viewer, each with their key name visible" width="800" height="502"></a></p> <p>Assign yourself the <code>admin</code> role: navigate to <strong>Users → select your user → Roles → assign admin</strong>.</p> <p>Now prompt v0 to use those roles in the UI:</p> <p><strong>Prompt:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="nx">Add</span> <span class="nx">role</span><span class="o">-</span><span class="nx">based</span> <span class="nx">access</span> <span class="nx">control</span> <span class="nx">to</span> <span class="nx">the</span> <span class="nx">dashboard</span> <span class="nx">using</span> <span class="nx">Kinde</span> <span class="nx">roles</span><span class="p">.</span> <span class="nx">The</span> <span class="nx">roles</span> <span class="nx">are</span><span class="p">:</span> <span class="nx">admin</span><span class="p">,</span> <span class="nx">member</span><span class="p">,</span> <span class="nx">viewer</span><span class="p">.</span> <span class="nx">These</span> <span class="nx">are</span> <span class="nx">configured</span> <span class="k">in</span> <span class="nx">the</span> <span class="nx">Kinde</span> <span class="nx">dashboard</span><span class="p">.</span> <span class="nx">Do</span> <span class="nx">the</span> <span class="nx">following</span><span class="p">:</span> <span class="mi">1</span><span class="p">.</span> <span class="nx">In</span> <span class="nx">app</span><span class="o">/</span><span class="nx">dashboard</span><span class="o">/</span><span class="nx">page</span><span class="p">.</span><span class="nx">tsx</span><span class="p">,</span> <span class="kd">get</span> <span class="nx">the</span> <span class="nx">user</span><span class="dl">'</span><span class="s1">s roles: const { getRoles } = getKindeServerSession(); const roles = await getRoles(); const isAdmin = roles?.some(role =&gt; role.key === "admin"); const isMember = roles?.some(role =&gt; role.key === "member" || role.key === "admin"); 2. On each changelog entry card: - Show "Edit" button for admins and members - Show "Delete" button only for admins - Show "Publish" button only for admins - Viewers see no action buttons 3. In the sidebar: - Show "New Entry" link for admins and members only - Show "Team" link for admins only - Viewers see Dashboard and Published only 4. On the "New Entry" page: - Show the "Publish" button only for admins - Members see "Save as draft" only Use conditional rendering, not CSS visibility, so the DOM does not contain controls the user cannot access. </span></code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxzcrzrtfaxgewr7lbenr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxzcrzrtfaxgewr7lbenr.png" alt="Side-by-side comparison — Admin view showing Edit, Delete, and Publish buttons on entries and full sidebar, vs Viewer view showing no action buttons and reduced sidebar" width="800" height="408"></a></p> <h2> Step #6: Add Organization Workspaces </h2> <p>Roles tell your app what a user can do. Organizations tell your app what data they can see. Without organizations, every user shares every changelog entry, which means one company's unreleased changelog is visible to everyone else.</p> <p>Kinde organizations are isolated team workspaces. Each organization has its own members and its own data.</p> <p>Kinde allows organization creation by default when is_create_org is passed during sign-up. No dashboard setting needs to change. If you ever want to disable this behaviour, the toggle is at Settings → Environment → Policies → Allow organization creation on sign up.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F65ilndw70y6tyfv43ksp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F65ilndw70y6tyfv43ksp.png" alt="Kinde Settings &gt; Organizations showing " width="800" height="502"></a></p> <p><strong>Prompt:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="nx">Update</span> <span class="nx">the</span> <span class="nx">app</span> <span class="nx">to</span> <span class="nx">support</span> <span class="nx">Kinde</span> <span class="nx">organizations</span> <span class="k">as</span> <span class="nx">team</span> <span class="nx">workspaces</span><span class="p">.</span> <span class="nx">Do</span> <span class="nx">the</span> <span class="nx">following</span><span class="p">:</span> <span class="mi">1</span><span class="p">.</span> <span class="nx">Update</span> <span class="nx">the</span> <span class="dl">"</span><span class="s2">Start free</span><span class="dl">"</span> <span class="nx">RegisterLink</span> <span class="nx">on</span> <span class="nx">the</span> <span class="nx">landing</span> <span class="nx">page</span> <span class="nx">to</span> <span class="nx">create</span> <span class="nx">an</span> <span class="nx">org</span> <span class="nx">on</span> <span class="nx">sign</span><span class="o">-</span><span class="nx">up</span><span class="p">:</span> <span class="o">&lt;</span><span class="nx">RegisterLink</span> <span class="nx">authUrlParams</span><span class="o">=</span><span class="p">{{</span> <span class="na">is_create_org</span><span class="p">:</span> <span class="dl">"</span><span class="s2">true</span><span class="dl">"</span> <span class="p">}}</span> <span class="nx">postLoginRedirectURL</span><span class="o">=</span><span class="dl">"</span><span class="s2">/dashboard</span><span class="dl">"</span> <span class="o">&gt;</span> <span class="nx">Start</span> <span class="nx">free</span> <span class="o">&lt;</span><span class="sr">/RegisterLink</span><span class="err">&gt; </span> <span class="mi">2</span><span class="p">.</span> <span class="nx">In</span> <span class="nx">app</span><span class="o">/</span><span class="nx">dashboard</span><span class="o">/</span><span class="nx">page</span><span class="p">.</span><span class="nx">tsx</span><span class="p">,</span> <span class="kd">get</span> <span class="nx">the</span> <span class="nx">current</span> <span class="nx">org</span><span class="p">:</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">getOrganization</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">org</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getOrganization</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">orgCode</span> <span class="o">=</span> <span class="nx">org</span><span class="p">?.</span><span class="nx">orgCode</span><span class="p">;</span> <span class="mi">3</span><span class="p">.</span> <span class="nx">Show</span> <span class="nx">the</span> <span class="nx">organization</span> <span class="nf">name </span><span class="p">(</span><span class="nx">org</span><span class="p">?.</span><span class="nx">name</span><span class="p">)</span> <span class="nx">at</span> <span class="nx">the</span> <span class="nx">top</span> <span class="k">of</span> <span class="nx">the</span> <span class="nx">sidebar</span> <span class="nx">above</span> <span class="nx">the</span> <span class="nx">navigation</span> <span class="nx">links</span> <span class="nx">so</span> <span class="nx">users</span> <span class="nx">always</span> <span class="nx">know</span> <span class="nx">which</span> <span class="nx">workspace</span> <span class="nx">they</span> <span class="nx">are</span> <span class="k">in</span><span class="p">.</span> <span class="mi">4</span><span class="p">.</span> <span class="nx">Add</span> <span class="nx">a</span> <span class="dl">"</span><span class="s2">Switch workspace</span><span class="dl">"</span> <span class="nx">link</span> <span class="nx">below</span> <span class="nx">the</span> <span class="nx">org</span> <span class="nx">name</span> <span class="nx">linking</span> <span class="nx">to</span> <span class="o">/</span><span class="nx">api</span><span class="o">/</span><span class="nx">auth</span><span class="o">/</span><span class="nx">login</span><span class="p">?</span><span class="nx">prompt</span><span class="o">=</span><span class="nx">select_account</span> <span class="k">for</span> <span class="nx">users</span> <span class="nx">who</span> <span class="nx">belong</span> <span class="nx">to</span> <span class="nx">multiple</span> <span class="nx">organizations</span><span class="p">.</span> <span class="mi">5</span><span class="p">.</span> <span class="nx">For</span> <span class="nx">all</span> <span class="nx">data</span> <span class="nf">queries </span><span class="p">(</span><span class="nx">changelog</span> <span class="nx">entries</span><span class="p">),</span> <span class="nx">add</span> <span class="nx">a</span> <span class="nx">comment</span><span class="p">:</span> <span class="c1">// TODO: filter by orgCode so it is clear where the org scoping goes when a real database is connected.</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb9vpdx2ii5b5q49z73tt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb9vpdx2ii5b5q49z73tt.png" alt="Dashboard sidebar showing the organization name at the top (e.g. " width="800" height="501"></a></p> <h2> Step #7: Add the AI Generation Feature </h2> <p>The "Generate with AI" button on the New Entry page should take raw commit messages and return a polished changelog entry. v0 can wire this up using the Vercel AI SDK.</p> <p><strong>Prompt:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="nx">Add</span> <span class="nx">AI</span><span class="o">-</span><span class="nx">powered</span> <span class="nx">changelog</span> <span class="nx">generation</span> <span class="nx">to</span> <span class="nx">the</span> <span class="nx">New</span> <span class="nx">Entry</span> <span class="nx">page</span> <span class="nx">using</span> <span class="nx">the</span> <span class="nx">Vercel</span> <span class="nx">AI</span> <span class="nx">SDK</span><span class="p">.</span> <span class="nx">Do</span> <span class="nx">the</span> <span class="nx">following</span><span class="p">:</span> <span class="mi">1</span><span class="p">.</span> <span class="nx">Install</span> <span class="nx">the</span> <span class="nx">ai</span> <span class="nx">and</span> <span class="p">@</span><span class="nd">ai</span><span class="o">-</span><span class="nx">sdk</span><span class="o">/</span><span class="nx">openai</span> <span class="nx">packages</span> <span class="mi">2</span><span class="p">.</span> <span class="nx">Create</span> <span class="nx">a</span> <span class="nx">server</span> <span class="nx">action</span> <span class="nx">at</span> <span class="nx">app</span><span class="o">/</span><span class="nx">actions</span><span class="o">/</span><span class="nx">generate</span><span class="p">.</span><span class="nx">ts</span><span class="p">:</span> <span class="dl">"</span><span class="s2">use server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">generateText</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">ai</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">openai</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@ai-sdk/openai</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">generateChangelog</span><span class="p">(</span><span class="nx">rawInput</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">text</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">generateText</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="nf">openai</span><span class="p">(</span><span class="dl">"</span><span class="s2">gpt-4o-mini</span><span class="dl">"</span><span class="p">),</span> <span class="na">prompt</span><span class="p">:</span> <span class="s2">`You are a technical writer. Convert the following raw commit messages or release notes into a clean, professional changelog entry. Use plain language a non-technical reader can understand. Format it as a short paragraph followed by a bullet list of changes. Raw input: </span><span class="p">${</span><span class="nx">rawInput</span><span class="p">}</span><span class="s2"> Return only the changelog text, nothing else.`</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">text</span><span class="p">;</span> <span class="p">}</span> <span class="mi">3</span><span class="p">.</span> <span class="nx">On</span> <span class="nx">the</span> <span class="nx">New</span> <span class="nx">Entry</span> <span class="nx">page</span><span class="p">,</span> <span class="nx">wire</span> <span class="nx">the</span> <span class="dl">"</span><span class="s2">Generate with AI</span><span class="dl">"</span> <span class="nx">button</span> <span class="nx">to</span> <span class="nx">call</span> <span class="k">this</span> <span class="nx">action</span> <span class="kd">with</span> <span class="nx">the</span> <span class="nx">content</span> <span class="k">of</span> <span class="nx">the</span> <span class="nx">text</span> <span class="nx">area</span><span class="p">.</span> <span class="nx">Show</span> <span class="nx">a</span> <span class="nx">loading</span> <span class="nx">state</span> <span class="k">while</span> <span class="nx">generating</span><span class="p">.</span> <span class="nx">Populate</span> <span class="nx">the</span> <span class="nx">content</span> <span class="nx">editor</span> <span class="kd">with</span> <span class="nx">the</span> <span class="nx">result</span> <span class="nx">when</span> <span class="nx">done</span><span class="p">.</span> <span class="mi">4</span><span class="p">.</span> <span class="nx">Add</span> <span class="nx">OPENAI_API_KEY</span><span class="o">=</span> <span class="nx">to</span> <span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">local</span> <span class="k">as</span> <span class="nx">a</span> <span class="nx">placeholder</span> <span class="err">—</span> <span class="nx">I</span> <span class="nx">will</span> <span class="nx">fill</span> <span class="k">this</span> <span class="k">in</span><span class="p">.</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkb6jvelyv94h2pbzmfcq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkb6jvelyv94h2pbzmfcq.png" alt="The New Entry page showing raw commits pasted in the top text area, the " width="800" height="502"></a></p> <h2> Putting It All Together </h2> <p>Here is every prompt in sequence and what each one adds:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Prompt</th> <th>What it built</th> <th>What Kinde provided</th> </tr> </thead> <tbody> <tr> <td>1 — Base app</td> <td>Changelog dashboard shell</td> <td>—</td> </tr> <tr> <td>2 — Kinde install</td> <td>Auth route handler, KindeAuthProvider</td> <td>Session management, JWT</td> </tr> <tr> <td>3 — Login UI</td> <td>LoginLink, RegisterLink, user in sidebar</td> <td>User identity</td> </tr> <tr> <td>4 — Route protection</td> <td>withAuth middleware</td> <td>Unauthenticated redirect</td> </tr> <tr> <td>5 — Roles</td> <td>getRoles(), conditional UI rendering</td> <td>RBAC — admin/member/viewer</td> </tr> <tr> <td>6 — Organizations</td> <td>getOrganization(), org name in sidebar</td> <td>Team workspace isolation</td> </tr> <tr> <td>7 — AI generation</td> <td>generateChangelog server action</td> <td>—</td> </tr> </tbody> </table></div> <p>Seven prompts. A complete collaboration layer. No hand-written code.</p> <h2> Testing Your Collaboration Layer </h2> <p>Before sharing the app, verify these scenarios work:</p> <p><strong>Test 1 — Unauthenticated block.</strong> Open an incognito window and navigate to <code>/dashboard</code>. You should land on the Kinde login page.</p> <p><strong>Test 2 — Sign up with workspace.</strong> Click "Start free" and complete sign-up. You should land on the dashboard with your organization name visible in the sidebar.</p> <p><strong>Test 3 — Role-based UI.</strong> Sign in as your admin user and confirm you see Publish, Delete, and the Team link. Then change your role to <code>viewer</code> in the Kinde dashboard, refresh, and confirm those controls are gone.</p> <p><strong>Test 4 — AI generation.</strong> Paste a few commit messages into the New Entry page and click "Generate with AI." The content editor should populate with a polished changelog entry.</p> <p><strong>Test 5 — Workspace isolation.</strong> Create a second Kinde user and have them sign up with a different organization name. Log in as user one, create a draft entry. Log in as user two and confirm they cannot see user one's entries.</p> <h2> What Is Next </h2> <p>This article built the collaboration shell. The next steps to make it production-ready:</p> <p><strong>Connect a real database.</strong> Add Convex or Supabase and filter all queries by <code>orgCode</code> from <code>getOrganization()</code>. Every entry and every piece of data scoped to the team that created it.</p> <p><strong>Add team invites.</strong> Use the Kinde Management API to let admins invite colleagues by email directly from the Team settings page.</p> <p><strong>Make the public changelog live.</strong> The <code>/changelog</code> route is already public. Connect it to the published entries in your database and it becomes a real public-facing changelog page for your product.</p> <p>The auth infrastructure is already in place. Everything else builds on top of it.</p> <p>Create a free <a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=3&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde</a> account if you have not already, and try this on whatever app you are building.</p> webdev ai kinde tutorial