js

How to Build Multi-Tenant SaaS Authentication with NestJS, Prisma, JWT and RBAC

Learn to build secure multi-tenant SaaS auth with NestJS, Prisma & JWT. Complete guide covers tenant isolation, RBAC, and scalable architecture.

How to Build Multi-Tenant SaaS Authentication with NestJS, Prisma, JWT and RBAC

I’ve been thinking about multi-tenant systems lately while designing a new SaaS product. The challenge? Creating one application that securely serves multiple clients with completely isolated data. If you’re building scalable software, this approach saves resources while maintaining security. Today I’ll show you how I built a production-ready authentication system using NestJS, Prisma, and JWT.

When starting, I asked: How can we efficiently separate tenant data without duplicating code? The solution lies in middleware and database design. We’ll use a shared database with separate schemas, identified through subdomains or headers. This keeps costs manageable while preventing data leaks between clients.

First, let’s set up the foundation:

npm i @nestjs/jwt passport-jwt @prisma/client bcryptjs
npx prisma init

The database schema defines our multi-tenant structure. Notice how every user, role, and token links to a specific tenant:

model Tenant {
  id        String   @id @default(cuid())
  subdomain String   @unique
  users     User[]
}

model User {
  id       String @id @default(cuid())
  email    String
  tenant   Tenant @relation(fields: [tenantId], references: [id])
  tenantId String
}

Ever wonder how the system knows which tenant you’re accessing? The middleware extracts tenant context from incoming requests:

// tenant.middleware.ts
@Injectable()
export class TenantMiddleware implements NestMiddleware {
  async use(req: Request, res: Response, next: NextFunction) {
    const tenantId = req.headers['x-tenant-id'] || req.hostname.split('.')[0];
    const tenant = await this.prisma.tenant.findUnique({ 
      where: { subdomain: tenantId }
    });
    
    if (!tenant) throw new BadRequestException('Invalid tenant');
    req['tenant'] = tenant;
    next();
  }
}

Now the authentication service. We’ll implement secure password handling and token generation:

// auth.service.ts
@Injectable()
export class AuthService {
  async login(email: string, password: string, tenantId: string) {
    const user = await this.prisma.user.findFirst({
      where: { email, tenantId }
    });
    
    if (!user || !bcrypt.compareSync(password, user.password)) {
      throw new UnauthorizedException();
    }
    
    return this.generateTokens(user, tenantId);
  }
  
  private generateTokens(user: User, tenantId: string) {
    const payload = { 
      sub: user.id, 
      tenant: tenantId,
      email: user.email 
    };
    
    return {
      access_token: this.jwtService.sign(payload),
      refresh_token: this.jwtService.sign(payload, { expiresIn: '7d' })
    };
  }
}

What happens if a user tries accessing another tenant’s data? Our JWT strategy adds tenant validation:

// jwt.strategy.ts
@Injectable()
export class JwtStrategy extends PassportStrategy(Strategy) {
  constructor(private tenantService: TenantService) {
    super({
      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
      secretOrKey: process.env.JWT_SECRET,
    });
  }

  async validate(payload: any) {
    const validTenant = await this.tenantService.isActive(payload.tenant);
    if (!validTenant) throw new UnauthorizedException();
    return { userId: payload.sub, tenant: payload.tenant };
  }
}

For role-based access, we create a custom guard that checks permissions:

// roles.guard.ts
@Injectable()
export class RolesGuard implements CanActivate {
  constructor(
    private reflector: Reflector,
    private prisma: PrismaService
  ) {}

  async canActivate(context: ExecutionContext): Promise<boolean> {
    const requiredRoles = this.reflector.get<string[]>('roles', context.getHandler());
    if (!requiredRoles) return true;

    const { user } = context.switchToHttp().getRequest();
    const userRoles = await this.prisma.userRole.findMany({
      where: { userId: user.userId },
      include: { role: true }
    });

    return userRoles.some(ur => requiredRoles.includes(ur.role.name));
  }
}

Testing is critical. I always verify these scenarios:

  • Can users from Tenant A access Tenant B’s data?
  • Do refresh tokens work only within their original tenant?
  • Are admin roles restricted to their own tenant?

Performance tip: Add indexing on tenant columns. Prisma makes this straightforward:

model User {
  tenantId String
  @@index([tenantId])
}

Common pitfalls I’ve encountered:

  • Forgetting tenant context in background jobs
  • Caching tokens without tenant isolation
  • Not auditing cross-tenant access attempts

Building this system taught me that security and scalability aren’t mutually exclusive. With proper tenant isolation at every layer - database, middleware, and tokens - we create robust SaaS applications. What other multi-tenant challenges have you faced?

If you found this guide helpful, share it with your team. Have questions or improvements? Let’s discuss in the comments below - your real-world experiences help everyone build better systems.

Share: Facebook Twitter Reddit LinkedIn WhatsApp Telegram Pinterest Email Instagram

Keywords: multi-tenant SaaS authentication, NestJS multi-tenant architecture, Prisma JWT authentication, tenant isolation database, role-based access control RBAC, JWT refresh tokens implementation, NestJS Prisma integration, SaaS authentication system, multi-tenant security middleware, scalable tenant management

Our Creations

Be sure to check out our creations

Investor Central Investor Central Spanish Investor Central German Smart Living Epochs & Echoes Puzzling Mysteries Hindutva Elite Dev JS Schools

We are on Medium

Tech Koala Insights Epochs & Echoes World Investor Central Medium Puzzling Mysteries Medium Science & Epochs Medium Modern Hindutva

Similar Posts
Blog Image
Building Distributed Event-Driven Architecture with Node.js EventStore and Docker Complete Guide

Learn to build distributed event-driven architecture with Node.js, EventStore & Docker. Master event sourcing, CQRS, microservices & monitoring. Start building scalable systems today!

Read More
Blog Image
Complete Guide to Next.js Prisma Integration: Build Type-Safe Database Apps Fast

Learn how to integrate Next.js with Prisma ORM for type-safe, database-driven web applications. Build faster with automated migrations and seamless TypeScript support.

Read More
Blog Image
Complete Guide to Integrating Next.js with Prisma ORM for Type-Safe Full-Stack Development

Learn how to integrate Next.js with Prisma ORM for type-safe full-stack development. Build modern web apps with seamless database operations and improved DX.

Read More
Blog Image
How Next.js and Prisma Simplify Full-Stack Development with Type Safety

Discover how combining Next.js and Prisma creates a seamless, type-safe path from your database to your UI components.

Read More
Blog Image
Build High-Performance Event-Driven File Processing with Node.js Streams and Bull Queue

Build a scalable Node.js file processing system using streams, Bull Queue & Redis. Learn real-time progress tracking, memory optimization & deployment strategies for production-ready file handling.

Read More
Blog Image
Complete Guide to Integrating Nest.js with Prisma ORM for Type-Safe Backend Development

Learn how to integrate Nest.js with Prisma ORM for type-safe database operations, scalable backend architecture, and enterprise-grade applications with our guide.

Read More