Production-ready GoFrame + React template for building multi-tenant SaaS applications.
Start building your SaaS product today β with authentication, multi-tenancy, RBAC, and audit logging already solved.
Quick Start Β· Documentation Β· Roadmap Β· Contributing
A batteries-included SaaS control-plane that handles everything every multi-tenant application needs β so you can focus on your product's unique value instead of rebuilding auth, tenants, permissions, and audit trails from scratch.
The problem: Every SaaS product needs the same foundation: user registration, tenant isolation, role-based access control, API key management, audit logging. Rebuilding this for each new product wastes weeks.
This solution: Clone this template, add your business tables (bound to tenant_id), and you have a working SaaS product in hours, not months. It's intentionally stripped of billing, quotas, and package management β you add your own commercial model on top.
- Features
- Architecture
- Tech Stack
- Quick Start
- Usage
- Project Structure
- Documentation
- Roadmap
- Contributing
- License
- Password login with bcrypt-hashed credentials
- Session management with secure HTTP-only cookies
- CSRF protection via double-submit cookie pattern
- Login attempt tracking with configurable account lockout
- Password reset flow with time-limited tokens
- Email verification workflow
- Tenant context resolution β automatic tenant detection from request headers, path, or query parameters
- Tenant membership β invite users, manage roles (Owner, Admin, Member, Viewer)
- Tenant isolation β all queries scoped by tenant, enforced at the middleware layer
- Lazy tenant creation β tenants are created on first meaningful action, not at registration
- Tenant lifecycle jobs β automated provisioning and cleanup
- Tenant-level RBAC β 4 built-in roles with granular permissions
- Platform-level RBAC β separate admin roles (Super Admin, Support, Auditor) for managing the platform itself
- Permission middleware β declarative
RequirePermissionchecks on every endpoint - API key management β personal API keys with tenant-scoped grants
- Comprehensive audit logs β every write operation is recorded with actor, target, action, and metadata
- Tenant-scoped audit trail β tenants can view their own audit history
- Platform audit view β admins can search across all tenants
- OpenTelemetry tracing and Prometheus metrics endpoints
- Structured logging with request ID propagation
- System configuration UI β manage platform settings without touching code
- Setup wizard β guided first-time installation flow
- User management β platform admins can view and manage users across tenants
- CLI tooling β 12+ CLI commands for tenant/user/admin lifecycle management
- Docker Compose β one-command startup for the full stack
- Database migrations with up/down support (60+ versioned migrations)
- Go E2E test framework β full HTTP-level integration tests
- TypeScript frontend with lazy-loaded routes and TanStack Query
- Internationalization β built-in i18n with Chinese support
graph TB
subgraph "Frontend"
REACT[React 19 SPA<br/>Vite + Tailwind CSS]
end
subgraph "API Layer"
AUTH[Auth Middleware<br/>Session / API Key]
CSRF[CSRF Middleware]
TENANT[Tenant Resolver<br/>Header / Path / Query]
RBAC[RBAC Middleware<br/>Permission Check]
ADMIN[Platform Admin<br/>Middleware]
end
subgraph "Service Layer"
AUTH_SVC[Authentication]
USER_SVC[User Management]
TENANT_SVC[Tenant & Members]
INVITE_SVC[Invitations]
APIKEY_SVC[API Keys]
AUDIT_SVC[Audit Logging]
TOTP_SVC[TOTP 2FA]
SETUP_SVC[Setup Wizard]
CONFIG_SVC[System Config]
end
subgraph "Data"
PG[(PostgreSQL 16<br/>Control Plane DB)]
REDIS[(Redis<br/>Cache & Sessions)]
end
REACT -->|HTTP| AUTH
AUTH --> CSRF --> TENANT --> RBAC --> ADMIN
RBAC --> AUTH_SVC & USER_SVC & TENANT_SVC & INVITE_SVC & APIKEY_SVC & AUDIT_SVC & TOTP_SVC & SETUP_SVC & CONFIG_SVC
AUTH_SVC & USER_SVC & TENANT_SVC & INVITE_SVC & APIKEY_SVC & AUDIT_SVC --> PG
AUTH_SVC --> REDIS
Request flow: Rate Limit β Auth β CSRF β Tenant Resolver β RBAC β Platform Admin β Controller β Logic β DAO
Design principles:
- Tenant is the security, audit, and data isolation boundary
- Platform admins manage the platform but cannot bypass tenant audit
- Business tables only need a
tenant_idcolumn + a foreign key β isolation is automatic - The template deliberately excludes billing, quotas, subscriptions β you add your commercial model
| Layer | Technology | Version |
|---|---|---|
| Backend Framework | GoFrame | v2.10 |
| Language | Go | 1.25 |
| Frontend | React + TypeScript | 19 |
| Build Tool | Vite | latest |
| CSS | Tailwind CSS | v4 |
| Routing | React Router | v7 |
| Data Fetching | TanStack Query | latest |
| State | Zustand | latest |
| Validation | Zod | latest |
| Charts | Recharts | v3 |
| Icons | Lucide React | latest |
| i18n | i18next | v26 |
| Database | PostgreSQL | 16 |
| Cache | Redis | 7 |
| Migrations | golang-migrate | v4 |
| 2FA | pquerna/otp | v1 |
| OAuth2 | golang.org/x/oauth2 | latest |
| Telemetry | OpenTelemetry | latest |
- Docker and Docker Compose
- Or: Go 1.25+, Node.js 22+, PostgreSQL 16+, Redis 7
# Clone and start everything
git clone https://github.com/ChamHerry/multi-tenant-saas.git
cd multi-tenant-saas
scripts/manage-docker.sh start
# The app is at http://127.0.0.1:8000
# PostgreSQL is on localhost:55432 (inside Docker network only by default)# Start dev environment with source mounting
scripts/manage-docker.sh dev# Clone the repo
git clone https://github.com/ChamHerry/multi-tenant-saas.git
cd multi-tenant-saas
# Start infrastructure
docker compose up -d postgres redis
# Install frontend dependencies and build
cd web && npm install && npm run build && cd ..
# Run the server (serves both API and SPA)
go run .
# Or use Makefile targets
make dev # go run .
make web # npm run dev (frontend dev server)
make build # npm build + Go buildThe app will be available at http://127.0.0.1:8000.
On first launch, the Setup Wizard guides you through creating the initial platform admin account. Once set up, you can start creating tenants and inviting users.
scripts/manage-docker.sh help # Show all commands
scripts/manage-docker.sh start # Start all services
scripts/manage-docker.sh stop # Stop all services
scripts/manage-docker.sh logs # View logs
scripts/manage-docker.sh psql # Open PostgreSQL shell
scripts/manage-docker.sh clean # Stop and remove containers/volumes
scripts/manage-docker.sh status # Show service statusAll tenant-scoped endpoints require authentication and pass through the middleware chain.
# Authentication
POST /api/v1/auth/register # Register new user
POST /api/v1/auth/login # Login with password
POST /api/v1/auth/logout # End session
POST /api/v1/auth/forgot-password # Request password reset
POST /api/v1/auth/verify-email # Verify email address
# Current User
GET /api/v1/me # Get current user profile
GET /api/v1/me/sessions # List active sessions
# Tenants
GET /api/v1/tenants # List my tenants
POST /api/v1/tenants # Create a tenant
GET /api/v1/tenants/{id} # Get tenant details
PATCH /api/v1/tenants/{id} # Update tenant
# Members (tenant-scoped)
GET /api/v1/tenants/{tenant}/members # List members
POST /api/v1/tenants/{tenant}/members # Add member
# Invitations
POST /api/v1/tenants/{tenant}/invitations # Invite user
GET /api/v1/me/invitations # My pending invitations
# API Keys
POST /api/v1/api-keys # Create personal API key
GET /api/v1/api-keys # List my API keys
# Audit Logs
GET /api/v1/tenants/{tenant}/audit-logs # View tenant audit trail
# Platform Admin
GET /api/v1/admin/tenants # List all tenants
GET /api/v1/admin/users # List all users
GET /api/v1/admin/audit-logs # Cross-tenant audit view
GET /api/v1/admin/system-config # System configurationThe binary includes management commands for scripting and operations:
# Tenant management
repomind tenant-create --name "Acme Corp" --slug "acme-corp"
repomind tenant-member-add --tenant-id <id> --user-id <id> --role admin
repomind tenant-member-list --tenant-id <id>
repomind tenant-lifecycle-run
# User management
repomind user-upsert --email user@example.com --name "Jane Doe"
repomind user-password-set --user-id <id> --password <pw>
repomind user-session-revoke --user-id <id>
repomind user-tenant-list --user-id <id>
# Platform admin
repomind platform-admin-grant --user-id <id> --role super_admin
# Context debugging
repomind tenant-context-resolve --host example.com --header "X-Tenant-ID: acme-corp"make test # Unit tests + integration tests
make test-unit # Unit tests only (~1s)
make test-integration # Integration tests (requires PostgreSQL)
make test-e2e # Full end-to-end tests (starts Docker, runs test suite).
βββ api/ # API request/response struct definitions
β βββ auth/ # Auth endpoints (register, login, reset, verify)
β βββ tenant/ # Tenant CRUD endpoints
β βββ member/ # Membership management
β βββ invitation/ # Invitation flow
β βββ apikey/ # Personal API key management
β βββ audit/ # Audit log queries
β βββ admin/ # Platform admin endpoints
β βββ me/ # Current user endpoints
β βββ setup/ # Setup wizard endpoints
β βββ totp/ # 2FA endpoints
βββ internal/
β βββ controller/ # HTTP controllers (thin, delegates to logic)
β βββ middleware/ # Middleware chain (auth, csrf, tenant, rbac, ...)
β βββ service/ # Service interfaces (GoFrame DI)
β βββ logic/ # Business logic implementations
β βββ dao/ # Data access objects (auto-generated)
β βββ table/ # Database table structs (auto-generated)
β βββ cmd/ # CLI commands + server entry point
βββ web/ # React 19 SPA
β βββ src/
β βββ features/ # Domain modules (auth, tenants, audit, ...)
β βββ pages/ # Route-level page components
β βββ shared/ # Shared utilities, UI kit, API client
β βββ layouts/ # App shell, auth shell, menu config
β βββ app/ # Router, providers, auth guards
βββ manifest/
β βββ config/ # Application config (YAML)
β βββ migration/ # Database migrations (up/down SQL)
β βββ docker/ # Docker runtime config
β βββ deploy/ # Kubernetes Kustomize manifests
βββ docs/ # Full documentation (architecture, DB, API, ...)
βββ scripts/ # Docker management and dev scripts
βββ test/e2e/ # Go E2E test framework and test suites
βββ hack/ # GoFrame CLI tooling config
βββ utility/ # Shared utilities (crypto, redis, uuid)
βββ Makefile # Build, test, dev commands
βββ docker-compose.yml # Production-like Docker stack
βββ docker-compose.dev.yml # Development Docker stack (source mounts)
βββ LICENSE # GNU AGPL v3.0
| Document | Description |
|---|---|
| Overview | Project overview and core capabilities |
| Architecture | Four-layer architecture and design principles |
| Database Design | Table schemas, relationships, and migration guide |
| Multi-Tenancy | Tenant context resolution and isolation explained |
| API Design | API grouping, middleware chain, and endpoint reference |
| Extending the Platform | How to add your own tenant-bound business tables |
| Deployment | Production deployment guide and health endpoints |
| Roadmap | Planned features across 6 phases |
| Platform Admin & Roles | Two-tier RBAC system deep-dive |
| Lazy Tenant Creation | Default organization and tenant materialization |
See docs/roadmap.md for the full plan. Key upcoming milestones:
- Phase 1 β Auth completion: Password reset, email verification, TOTP 2FA, OAuth/social login, session management
- Phase 2 β Security hardening: CAPTCHA, login notifications, password policies, audit enhancements
- Phase 3 β Organization: Custom roles, teams/groups, tenant branding
- Phase 4 β Integration: Webhooks, email templates, file upload, bulk import/export
- Phase 5 β Monetization: Billing/subscriptions, usage metering, quotas
- Phase 6 β Enterprise: SAML/OIDC SSO, SCIM provisioning, GDPR compliance
Contributions are welcome! Here's how to get started:
# Clone and start dev environment
git clone https://github.com/ChamHerry/multi-tenant-saas.git
cd multi-tenant-saas
# Start infrastructure
docker compose up -d postgres redis
# Terminal 1: Go backend
go run .
# Terminal 2: React frontend dev server
cd web && npm install && npm run dev
# Frontend at http://127.0.0.1:5173, proxies API to :8000- Write tests for your changes
- Run
make testto ensure nothing breaks - Run
make test-e2efor full integration validation - Follow existing code style β the project uses GoFrame conventions and React/TypeScript best practices
- Keep PRs focused β one feature or fix per pull request
This project uses structured commit messages with sections: What, How, Why, Details, and Impact.
This project is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0) β see the LICENSE file for details.
What this means:
- β You can use, modify, and distribute this software
- β You can use it for commercial purposes
β οΈ If you modify the code and provide it as a network service (SaaS), you must make your modifications publicly available under the same licenseβ οΈ Any derivative works must also be licensed under AGPL-3.0
For alternative licensing (e.g., commercial closed-source use), contact the copyright holder.