Stop building custom auth for your B2B SaaS: Meet Gate Identity

#devops #productivity #programming #startup

Hello, fellow developers! 🧑‍💻

If you’ve ever built a B2B SaaS, you know the drill. Building the core business logic is the fun part. But then you hit the authentication layer. Suddenly, you're not just writing a simple login form; you have to figure out multi-tenancy, data isolation, routing social logins for different workspaces, and managing secure tokens. It's a massive time sink that distracts you from shipping your actual product.

I’ve been there. Honestly, I was tired of reinventing the wheel or fighting with overly complex enterprise identity providers just to get a proper B2B auth running. I wanted an API-first approach that was fast, reliable, and didn't require a Ph.D. in security to set up.

That’s why I built Gate Identity (as part of my Verne Software ecosystem) — a developer-first 🔐 Auth-as-a-Service. It takes the pain out of multi-tenant authentication, allowing you to plug it in and get back to building your app. And the best part? The core functionality is already up and running, and you can use it for your next project completely for free (with a generous free tier for early-stage projects).

In this article, I’ll show you what’s under the hood of Gate Identity, what features you can start using right now, and share my roadmap for what's coming next.

Under the Hood: The Architecture and Tech Stack

As engineers, we all love peeking under the hood. When I started designing Gate Identity, I followed one golden rule: never write your own core security and cryptography logic. I didn't want to build an identity provider from scratch; I wanted to build a robust, multi-tenant layer on top of a battle-tested open-source engine.

Here is how the system is wired together to make that happen:

1. The Core Engine: Ory Kratos
At the heart of Gate Identity is Ory Kratos. If you haven't used it, Kratos is a phenomenal API-first identity server written in Go. It handles the heavy lifting: complex authentication flows, secure credential storage, and standard OIDC integrations. However, out of the box, Kratos doesn't natively solve B2B multi-tenancy the way a SaaS needs it to. It needs a smart gateway to manage who belongs to which workspace.

2. The Edge Gateway (Built with Rust 🦀)
This is where the magic happens. All incoming traffic is terminated by Traefik, which acts as the main reverse proxy. But right behind it sits the custom Edge Gateway (edge_gw), which I wrote entirely in Rust.

Why Rust? Because an API gateway needs to be blazingly fast, concurrent, and memory-safe. Every single authentication request passes through this node. The Rust gateway acts as the strict bouncer for the multi-tenant architecture:

It parses and validates your access tokens (gat_live_{hex}).

It checks the tenant-ownership (e.g., "Does this specific subject ID actually belong to the tenant making the API call?").

It handles rate limiting and routing, safely proxying the validated requests down to Kratos or the Core API.

3. State and Data Isolation (PostgreSQL + Redis)
A proper B2B auth system must keep tenant data strictly isolated. To achieve this without bottlenecks, I split the storage layer:

Identity Data: Stored in a dedicated 🐘 PostgreSQL database managed entirely by Kratos. Here, I use distinct JSON schemas to separate roles: user (your tenant's end-users) and tenant (you, the developers using Gate).

curl -X POST https://api.vernesoft.com/v1/gate/identities \
  -H 'Authorization: Bearer vrn_gate_live_sk_9f8a7...' \
  -H 'Content-Type: application/json' \
  -d '{
    "schema_id": "user",
    "traits": {
      "email": "user@example.com",
      "custom_data": { "role": "editor" }
    },
    "credentials": {
      "password": { "config": { "password": "StrongPassword123!" } }
    },
    "state": "active"
  }'

Business Logic & Profiles: Stored in the Core API’s PostgreSQL database.
Flow States & Tokens: Handled by Redis. When a user starts a login or settings flow, the state is cached in Redis with a strict mapping (gate:flow:{id} -> tenant_id). This allows the Rust gateway to instantly verify if a user is trying to access a flow that belongs to their specific workspace, effectively preventing cross-tenant data leaks.

By combining the raw speed of Rust at the edge with the security standards of Ory Kratos at the core, Gate Identity manages to isolate tenants efficiently without adding noticeable latency to your API calls.

What You Can Use Right Now

Enough with the architectural theory—let's look at what you can actually plug into your product today. I built Gate Identity aiming to cover 90% of a typical B2B SaaS's needs right from the start, without forcing you to write boilerplate code.

Here is what is running in production right now:

Basic Authentication
The classic, reliable email and password flow. Kratos handles the secure hashing and credential storage, while the Edge Gateway ensures that sessions are correctly bound to the specific workspace (tenant).
Highly Configurable Social Logins (OIDC)
B2B clients often demand corporate account logins. Out of the box, 11 providers are supported, including Google, GitHub, Apple, Microsoft, and Discord. But here is the killer feature: each of your tenants can individually enable or disable specific providers just for their own workspace.
Painless Token Management
No more messing around with complex client-side JWTs. Gate Identity issues secure, opaque access tokens (in the gat_live_{hex} format). They support scopes and configurable lifespans. There is also a ready-to-use introspection API, so your backend can instantly verify their validity.
Tenant-Isolated Identity CRUD API
You get full control over users via a REST API. You can programmatically create, update, and delete identities without ever worrying about cross-tenant data leaks. My gateway automatically verifies tenant-ownership—the system simply won't let a request through if you try to access a user from someone else's workspace.

The Roadmap: What’s Coming Next

Gate Identity is actively evolving. While the core API handles the heavy lifting right now, I am constantly working on unlocking more of Ory Kratos' advanced capabilities and routing them safely through the Rust Edge Gateway.

Here is what is on the immediate horizon:

User Self-Service (UX)

Settings Flow (Critical Priority): End-users will soon be able to natively manage their own profiles, update passwords, and link social accounts. This means you won't have to build custom account management UIs from scratch.
Recovery & Verification: API-driven password resets and programmable email verification flows to make user onboarding completely seamless.

Enterprise-Grade Security

MFA / TOTP: Multi-factor authentication using authenticator apps is a massive priority, especially if you are targeting enterprise B2B clients.
Passwordless (OTP): Support for One-Time Passwords via email for frictionless, consumer-like login experiences.
Session Management: Giving both tenant admins and end-users the ability to view and instantly revoke active sessions across all devices.

Advanced Developer Experience (DX)

Tenant Webhooks: This is the most anticipated feature for developers. Soon, you will be able to subscribe to real-time events (e.g., user.created, user.deleted, password.changed) to instantly sync identity data with your core application's database.
Custom Identity Metadata: I will be exposing Kratos' metadata_public field. This will allow you to attach arbitrary JSON data—like user roles, billing plans, or phone numbers—directly to the identity object, managed entirely via API.

Stop Building, Start Shipping

Building an authentication and multi-tenancy layer from scratch is almost never a competitive advantage for your business. It is a necessary evil.

By leveraging a battle-tested open-source engine like Ory Kratos and wrapping it in a blazingly fast, secure Rust gateway, Gate Identity gives you enterprise-grade isolation out of the box. You get to skip the infrastructure headache and go straight to building your core product.

You can check out the documentation and try it out for your next project right now. As promised, the core features are available for free with a generous tier designed specifically for early-stage and indie projects.

I’d love to hear your thoughts! What authentication feature do you usually struggle with the most when starting a new B2B SaaS? Are webhooks, MFA, or social logins your biggest blocker? Let's discuss in the comments below!