js

How to Build Multi-Tenant SaaS Authentication with NestJS, Prisma, JWT and RBAC

Learn to build secure multi-tenant SaaS auth with NestJS, Prisma & JWT. Complete guide covers tenant isolation, RBAC, and scalable architecture.

How to Build Multi-Tenant SaaS Authentication with NestJS, Prisma, JWT and RBAC

I’ve been thinking about multi-tenant systems lately while designing a new SaaS product. The challenge? Creating one application that securely serves multiple clients with completely isolated data. If you’re building scalable software, this approach saves resources while maintaining security. Today I’ll show you how I built a production-ready authentication system using NestJS, Prisma, and JWT.

When starting, I asked: How can we efficiently separate tenant data without duplicating code? The solution lies in middleware and database design. We’ll use a shared database with separate schemas, identified through subdomains or headers. This keeps costs manageable while preventing data leaks between clients.

First, let’s set up the foundation:

npm i @nestjs/jwt passport-jwt @prisma/client bcryptjs
npx prisma init

The database schema defines our multi-tenant structure. Notice how every user, role, and token links to a specific tenant:

model Tenant {
  id        String   @id @default(cuid())
  subdomain String   @unique
  users     User[]
}

model User {
  id       String @id @default(cuid())
  email    String
  tenant   Tenant @relation(fields: [tenantId], references: [id])
  tenantId String
}

Ever wonder how the system knows which tenant you’re accessing? The middleware extracts tenant context from incoming requests:

// tenant.middleware.ts
@Injectable()
export class TenantMiddleware implements NestMiddleware {
  async use(req: Request, res: Response, next: NextFunction) {
    const tenantId = req.headers['x-tenant-id'] || req.hostname.split('.')[0];
    const tenant = await this.prisma.tenant.findUnique({ 
      where: { subdomain: tenantId }
    });
    
    if (!tenant) throw new BadRequestException('Invalid tenant');
    req['tenant'] = tenant;
    next();
  }
}

Now the authentication service. We’ll implement secure password handling and token generation:

// auth.service.ts
@Injectable()
export class AuthService {
  async login(email: string, password: string, tenantId: string) {
    const user = await this.prisma.user.findFirst({
      where: { email, tenantId }
    });
    
    if (!user || !bcrypt.compareSync(password, user.password)) {
      throw new UnauthorizedException();
    }
    
    return this.generateTokens(user, tenantId);
  }
  
  private generateTokens(user: User, tenantId: string) {
    const payload = { 
      sub: user.id, 
      tenant: tenantId,
      email: user.email 
    };
    
    return {
      access_token: this.jwtService.sign(payload),
      refresh_token: this.jwtService.sign(payload, { expiresIn: '7d' })
    };
  }
}

What happens if a user tries accessing another tenant’s data? Our JWT strategy adds tenant validation:

// jwt.strategy.ts
@Injectable()
export class JwtStrategy extends PassportStrategy(Strategy) {
  constructor(private tenantService: TenantService) {
    super({
      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
      secretOrKey: process.env.JWT_SECRET,
    });
  }

  async validate(payload: any) {
    const validTenant = await this.tenantService.isActive(payload.tenant);
    if (!validTenant) throw new UnauthorizedException();
    return { userId: payload.sub, tenant: payload.tenant };
  }
}

For role-based access, we create a custom guard that checks permissions:

// roles.guard.ts
@Injectable()
export class RolesGuard implements CanActivate {
  constructor(
    private reflector: Reflector,
    private prisma: PrismaService
  ) {}

  async canActivate(context: ExecutionContext): Promise<boolean> {
    const requiredRoles = this.reflector.get<string[]>('roles', context.getHandler());
    if (!requiredRoles) return true;

    const { user } = context.switchToHttp().getRequest();
    const userRoles = await this.prisma.userRole.findMany({
      where: { userId: user.userId },
      include: { role: true }
    });

    return userRoles.some(ur => requiredRoles.includes(ur.role.name));
  }
}

Testing is critical. I always verify these scenarios:

  • Can users from Tenant A access Tenant B’s data?
  • Do refresh tokens work only within their original tenant?
  • Are admin roles restricted to their own tenant?

Performance tip: Add indexing on tenant columns. Prisma makes this straightforward:

model User {
  tenantId String
  @@index([tenantId])
}

Common pitfalls I’ve encountered:

  • Forgetting tenant context in background jobs
  • Caching tokens without tenant isolation
  • Not auditing cross-tenant access attempts

Building this system taught me that security and scalability aren’t mutually exclusive. With proper tenant isolation at every layer - database, middleware, and tokens - we create robust SaaS applications. What other multi-tenant challenges have you faced?

If you found this guide helpful, share it with your team. Have questions or improvements? Let’s discuss in the comments below - your real-world experiences help everyone build better systems.

Share: Facebook Twitter Reddit LinkedIn WhatsApp Telegram Pinterest Email Instagram

Keywords: multi-tenant SaaS authentication, NestJS multi-tenant architecture, Prisma JWT authentication, tenant isolation database, role-based access control RBAC, JWT refresh tokens implementation, NestJS Prisma integration, SaaS authentication system, multi-tenant security middleware, scalable tenant management

Our Creations

Be sure to check out our creations

Investor Central Investor Central Spanish Investor Central German Smart Living Epochs & Echoes Puzzling Mysteries Hindutva Elite Dev JS Schools

We are on Medium

Tech Koala Insights Epochs & Echoes World Investor Central Medium Puzzling Mysteries Medium Science & Epochs Medium Modern Hindutva

Similar Posts
Blog Image
Complete Guide to Next.js Prisma Integration: Build Type-Safe Full-Stack Applications in 2024

Learn to build powerful full-stack apps by integrating Next.js with Prisma ORM for type-safe database operations. Boost productivity with seamless TypeScript support.

Read More
Blog Image
Build Production-Ready Event Sourcing System: Node.js, TypeScript & PostgreSQL Complete Guide

Learn to build a production-ready event sourcing system with Node.js, TypeScript & PostgreSQL. Master event stores, aggregates, projections & snapshots.

Read More
Blog Image
Build Production-Ready GraphQL API with NestJS, Prisma and Redis Caching - Complete Tutorial

Learn to build scalable GraphQL APIs with NestJS, Prisma, and Redis caching. Master authentication, real-time subscriptions, and production deployment.

Read More
Blog Image
How to Build a Distributed Task Queue with BullMQ, Redis, and TypeScript (Complete Guide)

Learn to build scalable distributed task queues using BullMQ, Redis & TypeScript. Master job processing, scaling, monitoring & Express integration.

Read More
Blog Image
Complete Guide to Next.js Prisma Integration: Build Type-Safe Full-Stack Apps in 2024

Learn how to integrate Next.js with Prisma ORM for type-safe, scalable web applications. Build faster with seamless database operations and TypeScript support.

Read More
Blog Image
Build a High-Performance GraphQL Gateway with Apollo Federation and Redis Caching Tutorial

Learn to build a scalable GraphQL gateway using Apollo Federation, Redis caching, and microservices architecture. Master schema composition, authentication, and performance optimization strategies.

Read More