About This Skill

Authentication and multi-tenancy are the foundation every SaaS stands on, and the two things you cannot get wrong. They're also the parts most teams rush, copy from a tutorial, and quietly ship with holes in them. Auth & Multi-Tenant SaaS Foundation turns your AI agent into a senior platform engineer that scaffolds a complete, production-grade account and tenancy system end to end — wired to your app and database with the security edge cases already handled. The Problem The happy path of logging a user in is easy. The parts that cause breaches are everything else: a session token that never rotates after a password change, a reset flow that leaks whether an email exists, an OAuth callback that trusts an unverified email, a role check that lives in the frontend instead of the backend, and the most expensive mistake of all — a tenant boundary that almost works, so a user from one company can load another company's data by changing an ID in the URL. By the time these surface, you have a security incident or a painful migration on the layer that touches every request. What It Does 1. Authentication — Email/password auth with proper hashing, email verification, and a password-reset flow that does not leak account existence, plus session management with rotation, revocation, and secure cookies. 2. OAuth & SSO — Social login and SSO (Google, GitHub, Microsoft) behind one interface, with verified-email enforcement and account linking so a user is never silently duplicated. 3. Organizations & Teams — The multi-tenant model: organizations, memberships, team invitations with expiry, and ownership transfer, so your app supports real companies, not just lone users. 4. Role-Based Access Control — A backend-enforced RBAC layer (roles, permissions, guards) so authorization decisions live on the server, never in the UI. 5. Tenant Data Isolation — Row-level isolation via scoped queries and, on PostgreSQL, database row-level security policies, plus tests that deliberately try to break the boundary and confirm they fail. Why It's Worth It A billing bug costs you a refund. An auth or tenant-isolation bug costs you the company. This is the highest-stakes, highest-leverage layer in any SaaS, and the one most likely to be quietly broken in a hand-rolled build. This skill front-loads the security decisions that are painful to retrofit and hands you a foundation you can build every feature on top of with confidence. It pairs cleanly with a billing system: this owns accounts, roles, and tenancy; billing owns subscriptions and seats.