courses

Building Multi-Tenant Enterprise SaaS with Next.js, SurrealDB, Auth, RBAC, SSO, Billing, Admin Portal, and Audit Logs

Build a production-minded multi-tenant SaaS foundation in 60 minutes using Next.js App Router, SurrealDB as the complete backend, custom functions for business logic, and a deployable architecture for Vercel and Cloudflare.

Course Snapshot

Who This Is For

This course is for founders, product engineers, full-stack developers, and AI SaaS builders who want to move from a single-tenant prototype to an enterprise-ready SaaS architecture.

Prerequisites

What You Will Build

A compact but production-oriented SaaS starter that includes:

60-Minute Agenda

0-5 min: Architecture Overview

5-12 min: Next.js App Router Foundation

Suggested structure:

app/
  (marketing)/
  (auth)/login/
  (app)/dashboard/
  (admin)/admin/
  api/auth/[...nextauth]/
lib/
  auth/
  db/
  permissions/
  billing/
  audit/

12-22 min: SurrealDB as the Complete Backend

Core records:

DEFINE TABLE tenant SCHEMAFULL;
DEFINE FIELD name ON tenant TYPE string;
DEFINE FIELD slug ON tenant TYPE string;
DEFINE FIELD created_at ON tenant TYPE datetime DEFAULT time::now();

DEFINE TABLE app_user SCHEMAFULL;
DEFINE FIELD email ON app_user TYPE string;
DEFINE FIELD name ON app_user TYPE option<string>;
DEFINE FIELD created_at ON app_user TYPE datetime DEFAULT time::now();

DEFINE TABLE membership SCHEMAFULL;
DEFINE FIELD user ON membership TYPE record<app_user>;
DEFINE FIELD tenant ON membership TYPE record<tenant>;
DEFINE FIELD role ON membership TYPE string;
DEFINE FIELD created_at ON membership TYPE datetime DEFAULT time::now();

DEFINE TABLE audit_log SCHEMAFULL;
DEFINE FIELD tenant ON audit_log TYPE record<tenant>;
DEFINE FIELD actor ON audit_log TYPE option<record<app_user>>;
DEFINE FIELD action ON audit_log TYPE string;
DEFINE FIELD target ON audit_log TYPE option<string>;
DEFINE FIELD metadata ON audit_log TYPE object;
DEFINE FIELD created_at ON audit_log TYPE datetime DEFAULT time::now();

22-32 min: Authentication and SSO-Ready Identity

Implementation goals:

32-40 min: RBAC and Permission Checks

Example permission helper:

export async function requirePermission({
  userId,
  tenantId,
  permission,
}: {
  userId: string;
  tenantId: string;
  permission: string;
}) {
  const membership = await getMembership(userId, tenantId);
  if (!membership) throw new Error("Tenant access denied");

  const allowed = rolePermissions[membership.role]?.includes(permission);
  if (!allowed) throw new Error("Permission denied");

  return membership;
}

40-47 min: Extensions and Custom Functions for Business Logic

Example custom function concept:

DEFINE FUNCTION fn::write_audit_log($tenant, $actor, $action, $target, $metadata) {
  CREATE audit_log SET
    tenant = $tenant,
    actor = $actor,
    action = $action,
    target = $target,
    metadata = $metadata,
    created_at = time::now();
};

47-53 min: Billing, Entitlements, and Admin Portal

Admin portal sections:

53-58 min: Audit Logs and Enterprise Controls

Audit event examples:

member.invited
member.role_changed
billing.subscription_updated
sso.provider_connected
data.export_requested
admin.security_setting_changed

58-60 min: Deployment with Vercel and Cloudflare

Recommended deployment split:

Cloudflare DNS/WAF/CDN -> Vercel Next.js App -> SurrealDB Cloud/Self-hosted
                         -> Billing Provider Webhooks
                         -> Identity Provider SSO

Hands-On Checkpoints

By the end of the session, learners should be able to:

Reference Implementation Tasks

  1. Bootstrap the Next.js App Router project.
  2. Add SurrealDB connection utilities.
  3. Create tenant, user, membership, subscription, and audit log tables.
  4. Add authentication and tenant selection.
  5. Implement RBAC helpers.
  6. Add SurrealDB custom functions for audit logging and entitlement checks.
  7. Create admin portal pages.
  8. Add billing webhook route and subscription state updates.
  9. Add audit log viewer.
  10. Deploy through Vercel with Cloudflare DNS and security controls.

Suggested Follow-Up Projects

Final Takeaway

A multi-tenant enterprise SaaS app is not just a login screen and a database. The durable foundation is tenant isolation, role-based authorization, SSO-ready identity, billing-aware entitlements, admin visibility, auditability, and a deployment model that can scale safely.