js

How to Build Multi-Tenant SaaS Authentication with NestJS, Prisma, JWT and RBAC

Learn to build secure multi-tenant SaaS auth with NestJS, Prisma & JWT. Complete guide covers tenant isolation, RBAC, and scalable architecture.

How to Build Multi-Tenant SaaS Authentication with NestJS, Prisma, JWT and RBAC

I’ve been thinking about multi-tenant systems lately while designing a new SaaS product. The challenge? Creating one application that securely serves multiple clients with completely isolated data. If you’re building scalable software, this approach saves resources while maintaining security. Today I’ll show you how I built a production-ready authentication system using NestJS, Prisma, and JWT.

When starting, I asked: How can we efficiently separate tenant data without duplicating code? The solution lies in middleware and database design. We’ll use a shared database with separate schemas, identified through subdomains or headers. This keeps costs manageable while preventing data leaks between clients.

First, let’s set up the foundation:

npm i @nestjs/jwt passport-jwt @prisma/client bcryptjs
npx prisma init

The database schema defines our multi-tenant structure. Notice how every user, role, and token links to a specific tenant:

model Tenant {
  id        String   @id @default(cuid())
  subdomain String   @unique
  users     User[]
}

model User {
  id       String @id @default(cuid())
  email    String
  tenant   Tenant @relation(fields: [tenantId], references: [id])
  tenantId String
}

Ever wonder how the system knows which tenant you’re accessing? The middleware extracts tenant context from incoming requests:

// tenant.middleware.ts
@Injectable()
export class TenantMiddleware implements NestMiddleware {
  async use(req: Request, res: Response, next: NextFunction) {
    const tenantId = req.headers['x-tenant-id'] || req.hostname.split('.')[0];
    const tenant = await this.prisma.tenant.findUnique({ 
      where: { subdomain: tenantId }
    });
    
    if (!tenant) throw new BadRequestException('Invalid tenant');
    req['tenant'] = tenant;
    next();
  }
}

Now the authentication service. We’ll implement secure password handling and token generation:

// auth.service.ts
@Injectable()
export class AuthService {
  async login(email: string, password: string, tenantId: string) {
    const user = await this.prisma.user.findFirst({
      where: { email, tenantId }
    });
    
    if (!user || !bcrypt.compareSync(password, user.password)) {
      throw new UnauthorizedException();
    }
    
    return this.generateTokens(user, tenantId);
  }
  
  private generateTokens(user: User, tenantId: string) {
    const payload = { 
      sub: user.id, 
      tenant: tenantId,
      email: user.email 
    };
    
    return {
      access_token: this.jwtService.sign(payload),
      refresh_token: this.jwtService.sign(payload, { expiresIn: '7d' })
    };
  }
}

What happens if a user tries accessing another tenant’s data? Our JWT strategy adds tenant validation:

// jwt.strategy.ts
@Injectable()
export class JwtStrategy extends PassportStrategy(Strategy) {
  constructor(private tenantService: TenantService) {
    super({
      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
      secretOrKey: process.env.JWT_SECRET,
    });
  }

  async validate(payload: any) {
    const validTenant = await this.tenantService.isActive(payload.tenant);
    if (!validTenant) throw new UnauthorizedException();
    return { userId: payload.sub, tenant: payload.tenant };
  }
}

For role-based access, we create a custom guard that checks permissions:

// roles.guard.ts
@Injectable()
export class RolesGuard implements CanActivate {
  constructor(
    private reflector: Reflector,
    private prisma: PrismaService
  ) {}

  async canActivate(context: ExecutionContext): Promise<boolean> {
    const requiredRoles = this.reflector.get<string[]>('roles', context.getHandler());
    if (!requiredRoles) return true;

    const { user } = context.switchToHttp().getRequest();
    const userRoles = await this.prisma.userRole.findMany({
      where: { userId: user.userId },
      include: { role: true }
    });

    return userRoles.some(ur => requiredRoles.includes(ur.role.name));
  }
}

Testing is critical. I always verify these scenarios:

  • Can users from Tenant A access Tenant B’s data?
  • Do refresh tokens work only within their original tenant?
  • Are admin roles restricted to their own tenant?

Performance tip: Add indexing on tenant columns. Prisma makes this straightforward:

model User {
  tenantId String
  @@index([tenantId])
}

Common pitfalls I’ve encountered:

  • Forgetting tenant context in background jobs
  • Caching tokens without tenant isolation
  • Not auditing cross-tenant access attempts

Building this system taught me that security and scalability aren’t mutually exclusive. With proper tenant isolation at every layer - database, middleware, and tokens - we create robust SaaS applications. What other multi-tenant challenges have you faced?

If you found this guide helpful, share it with your team. Have questions or improvements? Let’s discuss in the comments below - your real-world experiences help everyone build better systems.

Share: Facebook Twitter Reddit LinkedIn WhatsApp Telegram Pinterest Email Instagram

Keywords: multi-tenant SaaS authentication, NestJS multi-tenant architecture, Prisma JWT authentication, tenant isolation database, role-based access control RBAC, JWT refresh tokens implementation, NestJS Prisma integration, SaaS authentication system, multi-tenant security middleware, scalable tenant management

Our Creations

Be sure to check out our creations

Investor Central Investor Central Spanish Investor Central German Smart Living Epochs & Echoes Puzzling Mysteries Hindutva Elite Dev JS Schools

We are on Medium

Tech Koala Insights Epochs & Echoes World Investor Central Medium Puzzling Mysteries Medium Science & Epochs Medium Modern Hindutva

Similar Posts
Blog Image
Node.js Event-Driven Microservices: Complete RabbitMQ MongoDB Architecture Tutorial 2024

Learn to build scalable event-driven microservices with Node.js, RabbitMQ & MongoDB. Master message queues, Saga patterns, error handling & deployment strategies.

Read More
Blog Image
Complete Next.js Prisma Integration Guide: Build Type-Safe Full-Stack Applications with Modern Database Operations

Learn how to integrate Next.js with Prisma ORM for type-safe, scalable web applications. Build powerful full-stack apps with seamless database operations.

Read More
Blog Image
Complete Guide to Next.js Prisma ORM Integration: Build Type-Safe Full-Stack Applications

Learn how to integrate Next.js with Prisma ORM for type-safe full-stack development. Build modern web apps with seamless database connectivity and SSR.

Read More
Blog Image
Complete Guide to Integrating Next.js with Prisma ORM for Type-Safe Database Operations

Learn how to integrate Next.js with Prisma ORM for type-safe, full-stack web applications. Build powerful database-driven apps with seamless API routes and deployment.

Read More
Blog Image
Build a Real-Time Analytics Dashboard with Fastify, Redis Streams, and WebSockets Tutorial

Build real-time analytics with Fastify, Redis Streams & WebSockets. Learn data streaming, aggregation, and production deployment. Master high-performance dashboards now!

Read More
Blog Image
Build High-Performance Node.js File Upload System with Multer Sharp AWS S3 Integration

Master Node.js file uploads with Multer, Sharp & AWS S3. Build secure, scalable systems with image processing, validation & performance optimization.

Read More