<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: tarik haddadi</title>
    <description>The latest articles on DEV Community by tarik haddadi (@tarik_haddadi_4f933f0e217).</description>
    <link>https://dev.to/tarik_haddadi_4f933f0e217</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3986328%2Fdeaf1780-d0ee-4e7b-8450-e140ad5a6722.jpeg</url>
      <title>DEV Community: tarik haddadi</title>
      <link>https://dev.to/tarik_haddadi_4f933f0e217</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/tarik_haddadi_4f933f0e217"/>
    <language>en</language>
    <item>
      <title>The Hidden Architecture Behind AI SaaS: Lessons From Building an Enterprise Automation Platform</title>
      <dc:creator>tarik haddadi</dc:creator>
      <pubDate>Mon, 22 Jun 2026 15:07:34 +0000</pubDate>
      <link>https://dev.to/tarik_haddadi_4f933f0e217/the-hidden-architecture-behind-ai-saas-lessons-from-building-an-enterprise-automation-platform-56f2</link>
      <guid>https://dev.to/tarik_haddadi_4f933f0e217/the-hidden-architecture-behind-ai-saas-lessons-from-building-an-enterprise-automation-platform-56f2</guid>
      <description>&lt;p&gt;Building an AI-powered SaaS platform taught me something I underestimated at the beginning:&lt;/p&gt;

&lt;p&gt;The hard part is not calling an LLM.&lt;/p&gt;

&lt;p&gt;The hard part is making AI work inside a real business environment.&lt;/p&gt;

&lt;p&gt;At first, everything looks manageable.&lt;/p&gt;

&lt;p&gt;You think:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;API keys are just generated secrets.&lt;/li&gt;
&lt;li&gt;SSO is just connecting an identity provider.&lt;/li&gt;
&lt;li&gt;Billing is just plugging Stripe.&lt;/li&gt;
&lt;li&gt;Monitoring is just adding dashboards.&lt;/li&gt;
&lt;li&gt;Deployment is just Docker and Kubernetes.&lt;/li&gt;
&lt;li&gt;AI is just calling OpenAI, Mistral, Anthropic or another provider.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Then the platform starts becoming real.&lt;/p&gt;

&lt;p&gt;And every “simple” topic turns into an architectural system.&lt;/p&gt;

&lt;h2&gt;
  
  
  API Keys Are Not Just API Keys
&lt;/h2&gt;

&lt;p&gt;At the beginning, an API key looks like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;generate key
store hash
return secret once
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;But in a real SaaS environment, API keys quickly become:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;scopes
expiration
revocation
tenant boundaries
audit logs
rate limits
privileged access
plan-based access
surface-level permissions
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;A key should not only answer:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Is this key valid?
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;It should answer:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Who owns this key?
Which tenant does it belong to?
Which resources can it access?
Which actions can it perform?
Which plan allows this action?
When does it expire?
Can it be revoked?
Can it be audited?
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;That is the moment you realize that API keys are part of your authorization model, not just your authentication model.&lt;/p&gt;

&lt;h2&gt;
  
  
  SSO Is Not Just Login
&lt;/h2&gt;

&lt;p&gt;SSO looks simple until you deal with tenants.&lt;/p&gt;

&lt;p&gt;Connecting Keycloak, Google, Microsoft, or any OIDC provider is not the hardest part.&lt;/p&gt;

&lt;p&gt;The hard part is deciding what you trust.&lt;/p&gt;

&lt;p&gt;Do you trust the email domain?&lt;/p&gt;

&lt;p&gt;Do you trust the subject claim?&lt;/p&gt;

&lt;p&gt;Do you trust groups?&lt;/p&gt;

&lt;p&gt;Do you trust roles coming from the external IdP?&lt;/p&gt;

&lt;p&gt;Can a tenant admin map roles?&lt;/p&gt;

&lt;p&gt;Can a tenant admin accidentally create a platform admin?&lt;/p&gt;

&lt;p&gt;What happens when a user belongs to multiple tenants?&lt;/p&gt;

&lt;p&gt;What happens when the token is valid, but issued for another audience?&lt;/p&gt;

&lt;p&gt;Real SSO architecture becomes:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;issuer validation
audience validation
nonce validation
PKCE
role mapping
tenant membership
identity authority
fallback prevention
session isolation
external IdP configuration
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In enterprise SaaS, login is only the entry point.&lt;/p&gt;

&lt;p&gt;The real question is:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Can identity be trusted across users, tenants, projects and execution contexts?
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  AI Usage Is Not Just Calling a Model
&lt;/h2&gt;

&lt;p&gt;Calling a model is easy.&lt;/p&gt;

&lt;p&gt;Operating AI is not.&lt;/p&gt;

&lt;p&gt;Once AI becomes part of a product, you need to think about:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;token consumption
cost visibility
provider usage
model usage
rate limits
latency
retries
timeouts
fallbacks
tool calls
traceability
prompt governance
data boundaries
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;For a demo, a model response is enough.&lt;/p&gt;

&lt;p&gt;For a business platform, you need to answer:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Which tenant used the model?
Which workflow triggered it?
Which user started the execution?
Which provider was used?
How many tokens were consumed?
How much did it cost?
Was the output reviewed?
Can the result be traced?
Can the process be repeated?
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;That is where AI stops being a feature and becomes an operational system.&lt;/p&gt;

&lt;h2&gt;
  
  
  Billing Is Not Just Stripe
&lt;/h2&gt;

&lt;p&gt;Stripe can process payments.&lt;/p&gt;

&lt;p&gt;But Stripe does not define your product model for you.&lt;/p&gt;

&lt;p&gt;A serious SaaS needs to connect billing to:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;plans
quotas
capabilities
feature gates
tenant limits
token limits
storage limits
execution limits
subscription status
license keys
deployment mode
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If your product can be deployed as:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;managed SaaS
customer cloud
on-prem
BYOC
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;then billing becomes more than payment.&lt;/p&gt;

&lt;p&gt;It becomes commercial governance.&lt;/p&gt;

&lt;p&gt;The system needs to understand:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;What is the customer allowed to use?
Where is the product deployed?
Is the subscription active?
Is this an enterprise contract?
Is Stripe even involved?
Is there a license key?
What happens when quotas are exceeded?
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This is where pricing, architecture and runtime enforcement meet.&lt;/p&gt;

&lt;h2&gt;
  
  
  Kubernetes Does Not Automatically Mean Scalable
&lt;/h2&gt;

&lt;p&gt;Using Kubernetes does not automatically make a platform scalable.&lt;/p&gt;

&lt;p&gt;A real execution platform needs to think about workloads.&lt;/p&gt;

&lt;p&gt;Some jobs are lightweight.&lt;/p&gt;

&lt;p&gt;Some jobs run AI calls.&lt;/p&gt;

&lt;p&gt;Some jobs process files.&lt;/p&gt;

&lt;p&gt;Some jobs generate documents.&lt;/p&gt;

&lt;p&gt;Some jobs ingest knowledge.&lt;/p&gt;

&lt;p&gt;Some jobs run long workflows.&lt;/p&gt;

&lt;p&gt;That means you start separating:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;queues
workers
lanes
timeouts
resource limits
probes
autoscaling
storage
network policies
observability
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;At some point, “deployment” becomes an execution architecture.&lt;/p&gt;

&lt;p&gt;You need to know:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Which queue is saturated?
Which worker is failing?
Which jobs are delayed?
Which execution lane is overloaded?
Which process consumes memory?
Which tenant creates most load?
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Without that visibility, scaling is mostly guessing.&lt;/p&gt;

&lt;h2&gt;
  
  
  Observability Is Not Optional
&lt;/h2&gt;

&lt;p&gt;When automation becomes part of business operations, monitoring is not a technical bonus.&lt;/p&gt;

&lt;p&gt;It is part of the product.&lt;/p&gt;

&lt;p&gt;You need metrics for:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;queue depth
execution success rate
execution failures
average duration
P95 / P99 latency
AI token usage
provider usage
storage usage
auth failures
webhook failures
backup status
SLA / SLO
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;For engineers, observability answers:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;What is broken?
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;For leadership, observability answers:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Where is value created?
Where is time saved?
Where is cost increasing?
Which process is failing?
Which team is adopting the platform?
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;That is a different level of visibility.&lt;/p&gt;

&lt;h2&gt;
  
  
  Configuration Eventually Becomes a Product Surface
&lt;/h2&gt;

&lt;p&gt;At first, environment variables are enough.&lt;/p&gt;

&lt;p&gt;Then customers ask for different settings.&lt;/p&gt;

&lt;p&gt;Different providers.&lt;/p&gt;

&lt;p&gt;Different limits.&lt;/p&gt;

&lt;p&gt;Different identity configurations.&lt;/p&gt;

&lt;p&gt;Different storage.&lt;/p&gt;

&lt;p&gt;Different security policies.&lt;/p&gt;

&lt;p&gt;Different integrations.&lt;/p&gt;

&lt;p&gt;Different deployment models.&lt;/p&gt;

&lt;p&gt;And suddenly, redeploying for every change becomes unacceptable.&lt;/p&gt;

&lt;p&gt;That is when configuration needs to move into an admin surface.&lt;/p&gt;

&lt;p&gt;Not everything should be editable from the UI, of course.&lt;/p&gt;

&lt;p&gt;But a serious platform needs to distinguish:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;bootstrap configuration
runtime configuration
tenant configuration
secret-backed configuration
platform-managed configuration
customer-managed configuration
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The more enterprise your product becomes, the more your back office becomes part of the product itself.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Real SaaS + AI Correlation
&lt;/h2&gt;

&lt;p&gt;The biggest lesson is that these systems cannot be designed in isolation.&lt;/p&gt;

&lt;p&gt;They are connected.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Business model ↔ Plans
Plans ↔ Capabilities
Capabilities ↔ Roles
Roles ↔ Access control
Access control ↔ Security
Security ↔ Trust
AI usage ↔ Cost visibility
Workflows ↔ Measurable outcomes
Infrastructure ↔ Reliability
Observability ↔ Better decisions
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If one part is weak, the entire platform becomes harder to operate.&lt;/p&gt;

&lt;p&gt;A workflow engine without governance becomes risky.&lt;/p&gt;

&lt;p&gt;AI without metering becomes expensive.&lt;/p&gt;

&lt;p&gt;SSO without tenant isolation becomes dangerous.&lt;/p&gt;

&lt;p&gt;Kubernetes without observability becomes blind.&lt;/p&gt;

&lt;p&gt;Billing without runtime enforcement becomes cosmetic.&lt;/p&gt;

&lt;p&gt;Admin features without backend enforcement become security theater.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Real Questions
&lt;/h2&gt;

&lt;p&gt;For CEOs, the question is not only:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Can we use AI?
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;It is:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Can we recover operational capacity, measure the impact and scale it safely?
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;For CTOs, the question is not only:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Can we build this?
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;It is:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Can we govern it, secure it, deploy it, monitor it and maintain it across real environments?
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;For Heads of AI, the question is not only:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Which model should we use?
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;It is:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;How do we turn AI from isolated experiments into controlled business execution?
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Final Thought
&lt;/h2&gt;

&lt;p&gt;The hardest part of building AI SaaS is not the prompt.&lt;/p&gt;

&lt;p&gt;It is not the first demo.&lt;/p&gt;

&lt;p&gt;It is not the first integration.&lt;/p&gt;

&lt;p&gt;The hard part is making identity, data, permissions, costs, infrastructure, workflows, observability and user experience move together.&lt;/p&gt;

&lt;p&gt;That is where AI becomes enterprise-ready.&lt;/p&gt;

&lt;p&gt;And that is where SaaS architecture becomes a serious discipline.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>architecture</category>
      <category>saas</category>
      <category>softwareengineering</category>
    </item>
    <item>
      <title>Building an Enterprise AI Automation Platform: Lessons Learned</title>
      <dc:creator>tarik haddadi</dc:creator>
      <pubDate>Mon, 15 Jun 2026 22:52:36 +0000</pubDate>
      <link>https://dev.to/tarik_haddadi_4f933f0e217/building-an-enterprise-ai-automation-platform-lessons-learned-3ppk</link>
      <guid>https://dev.to/tarik_haddadi_4f933f0e217/building-an-enterprise-ai-automation-platform-lessons-learned-3ppk</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvwcd843vpi24f3ljf5n8.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvwcd843vpi24f3ljf5n8.jpeg" alt=" " width="800" height="800"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Over the last few years, we’ve seen an explosion of AI tools.&lt;/p&gt;

&lt;p&gt;LLMs became more capable.&lt;br&gt;
Agents became more autonomous.&lt;br&gt;
RAG architectures became mainstream.&lt;/p&gt;

&lt;p&gt;Yet most organizations still struggle to move AI initiatives into production.&lt;/p&gt;

&lt;p&gt;The reason is surprisingly simple:&lt;/p&gt;

&lt;p&gt;The problem is rarely the model.&lt;/p&gt;

&lt;p&gt;The real challenge is everything around it.&lt;/p&gt;

&lt;p&gt;The Missing Layer&lt;/p&gt;

&lt;p&gt;When teams start experimenting with AI, they quickly discover that a successful solution requires much more than prompting an LLM.&lt;/p&gt;

&lt;p&gt;You need:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;access to internal knowledge&lt;/li&gt;
&lt;li&gt;workflow orchestration&lt;/li&gt;
&lt;li&gt;integrations with business systems&lt;/li&gt;
&lt;li&gt;document processing&lt;/li&gt;
&lt;li&gt;observability&lt;/li&gt;
&lt;li&gt;security&lt;/li&gt;
&lt;li&gt;governance&lt;/li&gt;
&lt;li&gt;deployment flexibility&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Without these components, even the most impressive AI demo remains just that: a demo.&lt;/p&gt;

&lt;p&gt;From AI to Execution&lt;/p&gt;

&lt;p&gt;One of the biggest lessons we learned while building Flexit is that organizations are not looking for another chatbot.&lt;/p&gt;

&lt;p&gt;They are looking for execution.&lt;/p&gt;

&lt;p&gt;They want systems that can:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;read documents&lt;/li&gt;
&lt;li&gt;access internal knowledge&lt;/li&gt;
&lt;li&gt;interact with applications&lt;/li&gt;
&lt;li&gt;trigger workflows&lt;/li&gt;
&lt;li&gt;generate reports&lt;/li&gt;
&lt;li&gt;monitor processes&lt;/li&gt;
&lt;li&gt;automate repetitive work&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In other words, they need an operational layer connecting knowledge to action.&lt;/p&gt;

&lt;p&gt;Why Workflows Matter&lt;/p&gt;

&lt;p&gt;Workflows provide structure.&lt;/p&gt;

&lt;p&gt;Agents provide reasoning.&lt;/p&gt;

&lt;p&gt;Knowledge provides context.&lt;/p&gt;

&lt;p&gt;Integrations provide reach.&lt;/p&gt;

&lt;p&gt;Combining these elements creates something much more valuable than any individual component.&lt;/p&gt;

&lt;p&gt;A platform where information can flow across systems, decisions can be automated, and processes can be monitored end-to-end.&lt;/p&gt;

&lt;p&gt;The Future&lt;/p&gt;

&lt;p&gt;I believe the future of enterprise software will not be centered around individual applications.&lt;/p&gt;

&lt;p&gt;It will be centered around orchestration.&lt;/p&gt;

&lt;p&gt;Organizations will increasingly rely on platforms capable of connecting AI, workflows, knowledge, integrations, and operational systems into a unified environment.&lt;/p&gt;

&lt;p&gt;The winners won’t necessarily be those with the biggest models.&lt;/p&gt;

&lt;p&gt;They will be those who make execution reliable, observable, and scalable.&lt;/p&gt;

&lt;p&gt;Because AI becomes truly valuable when it moves beyond conversation and starts delivering outcomes.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>webdev</category>
      <category>programming</category>
      <category>saas</category>
    </item>
  </channel>
</rss>
