saas-auth-patterns

# SaaS Auth Patterns Authentication and authorization patterns for multi-tenant SaaS applications. ## Auth Strategy Decision Matrix | Strategy | Stateless | Scalable | Revocable | Best For | |----------|-----------|----------|-----------|----------| | JWT + Refresh | Yes | High | Hard (needs blocklist) | API-first, mobile clients | | Session (server) | No | Medium (sticky/shared store) | Instant | Traditional web apps | | OAuth 2.0 + PKCE | Yes | High | Via provider | Third-party login, SSO | Pick JWT when you control both client and server and need horizontal scaling. Pick sessions when you need instant revocation and serve server-rendered pages. Pick OAuth when users expect "Sign in with Google/GitHub" or you federate identity. ## Multi-Tenant Auth ### Tenant Isolation Middleware ```typescript interface TenantContext { tenantId: string userId: string role: string } // Extract tenant from JWT claims or subdomain function resolveTenant(req: Request): TenantContext { const token = req.headers.get('authorization')?.replace('Bearer ', '') if (!token) throw new AuthError('Missing token') const payload = verifyJwt(token) return { tenantId: payload.tenantId, userId: payload.sub, role: payload.role, } } // Every DB query scoped to tenant - no cross-tenant leakage async function getTenantUsers(ctx: TenantContext): Promise<User[]> { return db.users.findMany({ where: { tenantId: ctx.tenantId }, }) } ``` ### Shared DB vs Isolated DB ```typ...