Auth · RBAC · Multi-Tenant · API Security

Auth is not a weekend project.
It's a month-long trap.

Roles, permissions, team member access, multi-tenant isolation, per-endpoint protection: every project needs all of it. Most teams spend 3–6 weeks building it by hand, and the gaps tend to surface in production rather than in review. CodeNx generates the complete auth stack from your schema definition in seconds.

  • JWT + refresh tokens, stored in HttpOnly cookies
  • Role-based access control (RBAC) with permission slugs
  • Multi-tenant isolation enforced at query and middleware level
  • API endpoints protected by permission with one line of code
Generated Auth Flow

  Incoming request      POST /api/products
  Auth middleware       Verify JWT · decode claims
  Tenant middleware     Resolve tenantId · check membership
  Permission check      protect('products:create')
  Handler               Executes with tenantId auto-injected into the query
  ✓ Request authorised · Tenant isolated · ~2 ms overhead

Generated DB schema (excerpt)

  users · roles · permissions · role_permissions
  tenants · user_tenants · user_tenant_roles · api_keys

Four security layers. All generated.

Each layer enforces isolation independently — defense in depth, out of the box.

Layer 1
Authentication
  • JWT + refresh tokens
  • HttpOnly cookie storage
  • Signup / login / logout
  • Email verification
  • Password reset flow
  • OAuth ready (Google, GitHub)
Layer 2
Roles & Permissions
  • Flexible RBAC system
  • Roles: admin, editor, viewer…
  • Permission slugs per resource
  • Role assignment UI
  • Per-tenant role override
  • Super-admin global access
Layer 3
Multi-Tenancy
  • Tenant-scoped queries
  • Tenant-specific API keys
  • Per-tenant schema overrides
  • White-label admin UI
  • Tenant membership middleware
  • Optional RLS at DB level
Layer 4
API Protection
  • protect() middleware per route
  • Permission check on every call
  • Tenant isolation enforced
  • Rate limiting per API key
  • Audit log on sensitive actions
  • OpenAPI spec with auth docs
API Protection

One line to protect any endpoint by role

The generated protect() middleware wraps a route handler. It verifies the token, resolves the caller's tenant membership and role, checks that the role grants the named permission slug (roles map to slugs through role_permissions), and writes the 401/403 response itself. You declare the permission; it enforces it before your code runs.

  • Token expired → 401, with a refresh hint in the response
  • Valid token, wrong role → 403, naming the required permission slug
  • Valid token, wrong tenant → 403, with no detail and no data returned
  • All three checks run before your handler executes
src/routes/api/products/+server.ts

  // Auto-generated. Customise as needed.
  import { protect } from '$lib/auth'
  import { createProduct } from '$lib/db/products' // module path illustrative

  export const POST = protect(
    'products:create',
    async (request, locals) => {
      // tenantId, userId and role are injected by protect(); the handler
      // never reads the tenant from the request itself
      const { tenantId } = locals.auth
      const data = await request.json()
      return createProduct(tenantId, data)
    }
  )
✓ Tenant isolated · Role checked · Audit logged
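The chain above, written out as an added illustration in TypeScript. This is not CodeNx's generated middleware; it is a self-contained stand-in that shows the order of the checks and the 401/403 outcomes, including the two failure modes a JWT verifier must get right (expiry and an unexpected alg header). The HS256 secret, the in-memory role_permissions and user_tenant_roles rows, the Req shape, and the requestAs helper are constructed for the example; how the tenant middleware derives tenantId (subdomain or API key) is assumed.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto'
import { Buffer } from 'node:buffer'

// Stand-in request shape (assumption): tenantId was resolved by a tenant
// middleware from the subdomain or API key; cookies carry the access token.
type Claims = { sub: string; exp: number }
type Req = { tenantId: string; cookies: Record<string, string>; body: unknown }
type AuthContext = { userId: string; tenantId: string; role: string }
type Result = { status: number; body: Record<string, unknown> }
type Handler = (req: Req, locals: { auth: AuthContext }) => Result

const SECRET = 'constructed-dev-secret-do-not-ship' // constructed; load from env/KMS in practice

// Constructed stand-ins for role_permissions and user_tenant_roles.
const rolePermissions: Record<string, string[]> = {
  admin: ['products:create', 'products:read', 'products:delete'],
  editor: ['products:create', 'products:read'],
  viewer: ['products:read'],
}
const userTenantRoles = [
  { userId: 'u1', tenantId: 'acme', role: 'admin' },
  { userId: 'u1', tenantId: 'globex', role: 'viewer' }, // same user, weaker role elsewhere
  { userId: 'u2', tenantId: 'globex', role: 'editor' },
]

const b64 = (s: string) => Buffer.from(s).toString('base64url')

export function signToken(claims: Claims, secret = SECRET): string {
  const input = `${b64(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${b64(JSON.stringify(claims))}`
  return `${input}.${createHmac('sha256', secret).update(input).digest('base64url')}`
}

// Returns the claims, 'expired', or null for anything that fails to verify.
// The header alg is pinned and the signature is checked before the payload
// is trusted, so a token rewritten to alg:none is rejected outright.
export function verifyToken(token: string, nowSec: number, secret = SECRET): Claims | 'expired' | null {
  const parts = token.split('.')
  if (parts.length !== 3) return null
  const [h, p, s] = parts
  let header: { alg?: string } | null
  try { header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8')) } catch { return null }
  if (!header || header.alg !== 'HS256') return null
  const expected = createHmac('sha256', secret).update(`${h}.${p}`).digest()
  const given = Buffer.from(s, 'base64url')
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null
  let claims: Claims | null
  try { claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8')) } catch { return null }
  if (!claims || typeof claims.sub !== 'string' || typeof claims.exp !== 'number') return null
  return claims.exp <= nowSec ? 'expired' : claims
}

// protect(): authenticate, resolve tenant membership, check the permission,
// then run the handler with the tenant context injected. nowSec is a
// parameter so expiry can be exercised deterministically.
export function protect(permission: string, handler: Handler) {
  return (req: Req, nowSec = Math.floor(Date.now() / 1000)): Result => {
    const token = req.cookies.access_token
    if (!token) return { status: 401, body: { error: 'unauthenticated' } }
    const claims = verifyToken(token, nowSec)
    if (claims === null) return { status: 401, body: { error: 'invalid_token' } }
    if (claims === 'expired') return { status: 401, body: { error: 'token_expired', hint: 'refresh' } }
    const userId = claims.sub

    // The role for *this* tenant comes from membership, never from the token or body.
    const membership = userTenantRoles.find((m) => m.userId === userId && m.tenantId === req.tenantId)
    if (!membership) return { status: 403, body: { error: 'forbidden' } } // wrong tenant: no detail

    const granted = rolePermissions[membership.role] ?? []
    if (!granted.includes(permission)) return { status: 403, body: { error: 'forbidden', required: permission } }

    return handler(req, { auth: { userId, tenantId: membership.tenantId, role: membership.role } })
  }
}

// A handler in the shape of the generated route. tenantId is taken from
// locals.auth; a tenantId smuggled into the JSON body is ignored.
export const products: Array<{ tenantId: string; name: string }> = []
export const createProductRoute = protect('products:create', (req, locals) => {
  const { name } = req.body as { name: string }
  products.push({ tenantId: locals.auth.tenantId, name })
  return { status: 201, body: { tenantId: locals.auth.tenantId, name } }
})

// Builds a request carrying a freshly signed token (constructed helper).
export function requestAs(userId: string, tenantId: string, expSec: number, body: unknown = { name: 'Widget' }): Req {
  return { tenantId, cookies: { access_token: signToken({ sub: userId, exp: expSec }) }, body }
}
```

The ordering matters: authentication failures answer 401 before any tenant lookup happens, the membership check answers a bare 403 so a caller cannot learn which permissions exist in a tenant they do not belong to, and only a member's own role decides the permission check.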

Multi-tenant, correctly implemented

Tenant isolation done wrong is one of the most common sources of data leaks in SaaS. The generated implementation is built so that reaching another tenant's data requires deliberately bypassing the generated layers, not merely forgetting a filter.

API Key Scoping

Each tenant gets its own API keys. A key is verified before any handler runs, and the tenantId attached to the request context comes from the key record, not from anything in the request, so a key cannot be pointed at another tenant by editing a parameter.

Query-Level Isolation

Every data access function requires a tenantId parameter, so a query with no tenant scope does not compile. The parameter itself does not stop a handler from passing the wrong tenant; that is why the middleware injects tenantId from the resolved membership rather than the request, and why the optional DB-level RLS exists as a backstop for any query written outside the generated layer.
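An added example of what query-level isolation looks like in code. This is not CodeNx's generated data layer; it is an in-memory stand-in written for this page. It uses a branded TenantId type that only the auth context can mint (a design choice of the example, not something the page states), puts the tenant predicate in every accessor, and shows that a valid id from another tenant is indistinguishable from a missing id at the API surface. The table rows, tenant names and the demo() walk-through are constructed.

```typescript
// A TenantId can only be produced from the auth context; a raw string from a
// URL or JSON body does not type-check as one, so "forgot the filter" and
// "used the caller's tenant" both fail at compile time.
export type TenantId = string & { readonly __brand: 'TenantId' }
export function tenantIdFromAuth(auth: { tenantId: string }): TenantId {
  return auth.tenantId as TenantId
}

export type ProductRow = { id: number; tenant_id: TenantId; name: string }
const productsTable: ProductRow[] = [] // constructed stand-in for the products table
let nextId = 1 // one global sequence, so ids are guessable across tenants

// Every accessor takes tenantId first and puts it in every predicate.
export function createProduct(tenantId: TenantId, name: string): ProductRow {
  const row = { id: nextId++, tenant_id: tenantId, name }
  productsTable.push(row)
  return row
}
export function getProduct(tenantId: TenantId, id: number): ProductRow | undefined {
  return productsTable.find((p) => p.tenant_id === tenantId && p.id === id)
}
export function listProducts(tenantId: TenantId): ProductRow[] {
  return productsTable.filter((p) => p.tenant_id === tenantId)
}
export function deleteProduct(tenantId: TenantId, id: number): boolean {
  const idx = productsTable.findIndex((p) => p.tenant_id === tenantId && p.id === id)
  if (idx === -1) return false
  productsTable.splice(idx, 1)
  return true
}

// Route-level view: another tenant's id and a nonexistent id both answer 404,
// so the endpoint is not an existence oracle for rows it may not show.
export function readProduct(tenantId: TenantId, id: number): { status: number; body: unknown } {
  const row = getProduct(tenantId, id)
  return row ? { status: 200, body: row } : { status: 404, body: { error: 'not_found' } }
}

// Walk-through with two tenants sharing one id sequence.
export function demo() {
  const acme = tenantIdFromAuth({ tenantId: 'acme' })
  const globex = tenantIdFromAuth({ tenantId: 'globex' })
  const widget = createProduct(acme, 'Widget')   // id 1
  createProduct(globex, 'Gadget')                // id 2
  return {
    ownRead: readProduct(acme, widget.id).status,        // 200
    crossRead: readProduct(globex, widget.id).status,    // 404, same as a missing id
    missingRead: readProduct(globex, 999).status,        // 404
    crossDelete: deleteProduct(globex, widget.id),       // false; acme's row survives
    acmeRows: listProducts(acme).map((p) => p.name),     // ['Widget']
    globexRows: listProducts(globex).map((p) => p.name), // ['Gadget']
  }
}
```

The brand catches the omitted or mis-sourced tenant at compile time; it does nothing for a raw SQL string written outside these accessors, which is the case the optional DB-level RLS covers at runtime.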

Per-Tenant Roles

Roles are scoped to a tenant. An admin in Tenant A holds only whatever role was explicitly granted in Tenant B (viewer, say, or none at all), and that role is resolved on every request from user_tenant_roles rather than cached in the token.

White-Label Admin

Each tenant gets a branded admin UI at their subdomain. They see only their data and their team members — enforced at route guard level.

Tenant Onboarding Flow

Generated signup flow handles tenant creation, owner assignment, and initial role setup. Invite team members with role pre-selection — all wired up.

Audit Log Per Tenant

All create, update, delete events are logged per tenant. Tenant admins view their own log. Super-admins see across all tenants.


Auth done right.
From the first commit.

JWT auth, RBAC, multi-tenant isolation, and per-role API protection — generated in seconds from your schema. No security gaps, no auth library glue, no 3-week detour.

Pro plan · Multi-tenant included · 14-day free trial