LogoSupaCode
FastAPI · Supabase · Billing · Multi-Tenancy . Headless SaaS

git clone to coding real features on Day One.

A production-grade spine for your SaaS — Supabase Auth, Multi‑Tenancy (Row-Level security - RLS), RBAC, Billing integration with idempotent webhook handlers, Entitlement enforcements, API Keys for workflows, Audit Trails — so you can stop plumbing and start shipping.

Get the Starter KitSee what's inside →
Founder's note

I kept losing weeks wiring the same auth, tenants, and billing. SupaCode is the kit I wished I had — so you ship the story that only you can tell.

Components of a SAAS Architecture
$ # Stripe checkout session (server)
session = stripe.checkout.Session.create(mode='subscription', ...)

The mountain between idea and launch

Authentication, tenants, Postgres RLS, roles, billing, entitlement enforcement, API key management, audit trails… Weeks disappear into plumbing.

"You’re building scaffolding, not the skyscraper."

~1 day
Auth
JWT, email verification
~2 days
Multi-Tenancy
RLS setup, tenant isolation
~2 days
Permissions (RBAC)
Role & access management
~3 days
Billing
Stripe/Dodo + webhooks

SupaCode ships all of this prewired — your “10 days of setup” becomes a single git clone.

What's inside

Ironclad Multi‑Tenancy (RLS)
Postgres Row‑Level Security creates a bank‑grade wall between tenants at the database layer. A bug in your app can't cause cross‑tenant leaks.
Unified Auth (JWT & API Keys)
Users authenticate via JWT; power users integrate via API Keys. Email verification and password reset flows included comes with Supabase.
Granular RBAC
Flexible, custom roles (e.g., Editor, Viewer, Accountant) protected by fine‑grained permission checks across endpoints.
API Keys
You can also expose your API to third parties or allow power users to script against it using secure, scoped API Keys.
Audit Trails
Critical events (invites, role changes, billing updates) recorded in a tenant‑isolated log for accountability.
Pluggable Billing
Stripe/Dodopayment providers, secure and idempotent webhook handlers, and feature gating via Flags, Limits, and Meters — charge confidently from day one. Entitlement tracking and enforcement included.
Entitlements Enforcement
Entitlement tracking and enforcement included. Limits, Meters, and Flags to gate features based on subscription plans.
Dynamic Builder
Define custom Objects & Fields if you do not want first class objects.
Customer Object
First‑class B2B customer management, separate from tenant users — perfect for CRM, projects, clients.
Secure File Storage
Supabase Storage with RLS policies — tenants can only access their own files.

Choose your path

DIY if you love to tinker, or build with me for speed.

DIY — Starter Kit
Self-Paced
  • FastAPI + Supabase RLS foundation
  • Auth, RBAC, Audit, Billing + Entitlements
  • Dynamic Object Builder & File Storage
  • Docs & Postman Collection
Start Building Right Away
With Us — Accelerator
Engagement
  • One‑week MVP sprint
  • Custom objects & roles for your domain
  • Payments wired + deploy plan
  • Handoff & backlog for next 30 days
Book a Free call

Try to build these apps using the SupaCode foundation

Micro‑CRM for a Niche Industry
  • Contacts via Customer object
  • Deals via Dynamic Builder
  • Attach contracts in File Storage
  • Entitlement‑based tiers
Project Management for Agencies
  • Tenant = Agency
  • Clients via Customer object
  • Projects & Tasks via Builder
  • Role‑based access
Invoicing for Freelancers
  • Invoices object (amount, due_date, status) via Dynamic Builder
  • Customer records with tenant‑isolated RLS
  • Stripe/Dodo subscription + secure webhooks for status sync
  • Entitlements: Flags (PDF export), Limits (invoices/month)
  • Audit trail for edits, sends, and payment events
  • File Storage for receipts/attachments, scoped per tenant
Vertical SaaS (e.g., Gym)
  • Members via Customer object (RLS‑secured)
  • Classes & Bookings as custom Objects (Dynamic Builder)
  • Membership tiers via Entitlements: Flags, Limits, Meters
  • RBAC roles: Manager, Coach, Frontdesk with fine‑grained access
  • Recurring billing + webhooks to pause/resume on past_due
  • Secure File Storage for waivers/photos; API Keys for kiosk/mobile

Transformation Realized

Setup time
2 hrs

From clone to authenticated, tenant‑aware API.

Included Tables
15

RLS + RBAC checks across critical tables and endpoints.

Billing providers
2

Stripe & Dodopayments — swappable via environment variable.

"SupaCode felt like hiring a senior backend engineer for 2 weeks. We shipped our billing‑ready MVP in three days."
— Early user, Indie Founder

Frequently asked

What is this, exactly? A boilerplate or a platform?+

It's both. It starts as a production-ready boilerplate with all the foundational code you'd spend months writing: secure multi-tenancy, authentication, billing, and permissions. But it becomes a platform with its powerful Dynamic Object Builder, allowing you to create a 'Salesforce-like' application without writing new backend code.

Can I use this for my existing project?+

This starter kit is designed for new projects. Its value comes from providing a complete, integrated foundation from the start. Migrating an existing, complex application into its multi-tenant architecture would be a significant undertaking.

Can I connect any frontend?+

Yes, absolutely. This is a 100% headless, API-first backend. It's designed to work with any modern frontend framework (like React, Next.js, Vue, Svelte), a mobile application, or even for purely programmatic, headless workflows.

How do I switch billing providers between Stripe and Dodopayments?+

It's designed to be plug-and-play. You simply change one environment variable (`PAYMENT_GATEWAY="stripe"` or `"dodo"`). The core logic is decoupled, and the webhook handlers are built to be robust, idempotent, and provider-specific.

Is the Row-Level Security (RLS) hard to work with?+

Not at all. We've done the hard part. All the complex PostgreSQL policies for tenant isolation are pre-written and included. Your application code remains simple and clean; you just get the RLS-scoped database session, and the database guarantees data isolation. The full SQL is in the repository, so you can easily extend it.

How 'dynamic' is the Dynamic Application Builder?+

It's incredibly powerful for building CRMs, project management tools, or any business application. You can define custom objects (like 'Deals' or 'Projects') and typed fields via the API. The starter kit automatically provides secure, tenant-isolated CRUD endpoints for any object you create. It's perfect for low-to-medium scale use cases.

What's the technology stack?+

We chose modern, high-performance, and developer-loved technologies: FastAPI (Python) for the backend API, PostgreSQL for the database, SQLAlchemy for the ORM, Pydantic for data validation, and Supabase for authentication and file storage.

Can a user belong to multiple tenants (organizations)?+

The current V1 is built on a 'siloed' multi-tenancy model, where one user belongs to one tenant. This is the most common and secure pattern for many B2B SaaS apps. A collaborative model (many-to-many) is on our roadmap as a potential future update for agency-focused use cases.

Clone it. Customize it. Ship it.

A modern, secure SaaS backend that keeps you focused on what's uniquely yours.

Get the Starter KitCompare paths →