What you get with SaasKitFy
Not just scaffolding. Every feature is built, tested, and production-ready. Here's exactly what's inside.
Authentication
Five auth methods, account lockout, session management, and enterprise SSO — all in your codebase.
Email and password: registration with validation and password strength rules. Bcrypt hashing. Account lockout after 5 failed attempts (15-minute cooldown). Password reset via signed email links. Email verification with resend and rate limiting. Toggleable from the admin panel.
Magic links: one-time login links sent by email. 15-minute expiry, single-use tokens. JIT provisioning auto-creates an account for a new email address when registration is enabled.
Social login: four providers via Laravel Socialite. JIT account creation on first login. Automatic email verification. Avatar sync. Enable or disable each provider from the admin panel without code.
Multi-factor authentication: Google Authenticator-compatible TOTP with QR setup, 6-digit verification, and 8 encrypted recovery codes. Admins can enforce MFA org-wide for compliance.
SAML SSO: global or per-org IdP configuration. Supports Okta, Azure AD, and any SAML 2.0 provider. Domain verification, auto-provisioning, attribute mapping, and forced SSO mode.
Sessions and tokens: view all active sessions with IP and user agent. Revoke individual sessions or sign out everywhere. Personal access tokens for programmatic API use. Short-lived MFA challenge tokens (10 min).
Multi-Tenancy & Teams
Organization workspaces with automatic data isolation, invitations, custom roles, and two tenant modes.
Users create and switch between organizations. All queries auto-scoped to active org via middleware. Two tenant modes: multi-org (B2B) or personal workspace (B2C).
Organization mode (B2B): users create/join multiple orgs. Personal mode (B2C): each user gets one auto-created workspace on registration. Switch modes from config without code changes. Exposed to frontend via /user endpoint.
Invite by email with role assignment. Token-based with expiration and revocation. Existing users get in-app notification; new users guided through registration. Seat billing auto-syncs on accept.
Built-in: Owner (all permissions), Admin, Member. Create custom roles in admin with any combination of permissions. Core: manage_members, manage_billing, manage_settings, manage_api_keys, manage_webhooks, view_usage. Extend with your own via config/custom.php.
Transfer ownership to another admin. Members can self-remove. Org-level MFA enforcement with timestamp tracking. Org admins can view and revoke sessions for all members.
Billing & Subscriptions
Stripe, Paddle, MercadoPago, Lemon Squeezy, PayPal. Switch from the admin panel without code changes.
Stripe, Paddle, MercadoPago, Lemon Squeezy, and PayPal — each with live & test modes. Same BillingGateway interface. Configure credentials from admin settings.
Recurring (monthly/yearly), One-time, Per-seat (price × members), Metered (base + usage), Credits (buy a pack). Each with features, limits, trial days, and per-gateway price IDs.
Configure included seats and per-extra-seat price. SeatSyncService auto-updates the gateway quantity when members join, leave, or invitations are accepted.
Gate routes with entitled:feature middleware (checks global toggle AND plan access). Enforce limits: $org->isOverLimit('api_keys'). Check remaining: $org->remaining('webhooks'). Frontend GET /entitlements returns visibility, access, and limits.
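The entitlement rule above (global toggle AND plan access, plus per-resource limits) as a small working model. This is an added example, not SaasKitFy's own code: the plan, org, feature and resource names are hypothetical, and the deny-by-default treatment of a resource the plan does not list is an assumption.

```python
"""Plan-based entitlement checks: an added illustration, not SaasKitFy's code.

Assumed model (all names here are hypothetical): an admin-controlled global
toggle per feature, a plan that lists the features it grants and the caps it
puts on countable resources, and an org's current usage. A route is entitled
only when the global toggle is on AND the plan grants the feature, so an admin
can switch a feature off everywhere without editing every plan. A resource the
plan does not list gets a cap of 0, i.e. deny by default.
"""
from dataclasses import dataclass, field
from typing import Optional

UNLIMITED = None  # a cap of None means the plan imposes no limit


@dataclass(frozen=True)
class Plan:
    name: str
    features: frozenset           # feature keys this plan grants
    limits: dict                  # resource -> max count, or UNLIMITED


@dataclass
class Org:
    name: str
    plan: Plan
    usage: dict = field(default_factory=dict)   # resource -> current count


# Constructed sample data. "sso" is globally switched off by the admin.
GLOBAL_TOGGLES = {"api_keys": True, "webhooks": True, "sso": False}

STARTER = Plan("starter", frozenset({"api_keys", "webhooks"}),
               {"api_keys": 3, "webhooks": 2})
ENTERPRISE = Plan("enterprise", frozenset({"api_keys", "webhooks", "sso"}),
                  {"api_keys": UNLIMITED, "webhooks": 50})


def is_entitled(org: Org, feature: str) -> bool:
    """Middleware-style gate: both the global toggle and the plan must allow it."""
    return bool(GLOBAL_TOGGLES.get(feature, False)) and feature in org.plan.features


def limit_for(org: Org, resource: str) -> Optional[int]:
    return org.plan.limits.get(resource, 0)


def remaining(org: Org, resource: str) -> Optional[int]:
    """How many more of `resource` the org may create; None when unlimited."""
    cap = limit_for(org, resource)
    if cap is UNLIMITED:
        return UNLIMITED
    return max(cap - org.usage.get(resource, 0), 0)


def is_over_limit(org: Org, resource: str) -> bool:
    """True when the org has already used its full allowance for `resource`."""
    cap = limit_for(org, resource)
    return cap is not UNLIMITED and org.usage.get(resource, 0) >= cap


def entitlements(org: Org) -> dict:
    """The shape a frontend endpoint like GET /entitlements might return."""
    return {
        "features": {
            f: {"visible": GLOBAL_TOGGLES[f], "access": is_entitled(org, f)}
            for f in GLOBAL_TOGGLES
        },
        "limits": {
            r: {"limit": cap, "used": org.usage.get(r, 0),
                "remaining": remaining(org, r)}
            for r, cap in org.plan.limits.items()
        },
    }


if __name__ == "__main__":
    acme = Org("acme", STARTER, {"api_keys": 3, "webhooks": 1})
    print(is_entitled(acme, "sso"), is_over_limit(acme, "api_keys"))
    print(entitlements(acme))
```

Note the order of the two checks in `is_entitled`: the global toggle is evaluated first so an operator can kill a feature everywhere regardless of what plans promise, and the unlisted-resource case returns "over limit" rather than "no limit", which is the safer default for anything that creates objects.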
Admin Panel
A complete back-office for super admins and support agents.
Total users (verified, suspended), total organizations, signup rates, 30-day growth charts, recent audit events, and top 5 orgs by member count.
Search by name/email. Suspend/unsuspend. Delete. Assign/remove global roles. Impersonate any user with a 1-hour scoped token.
CRUD plans with pricing, features, limits, and gateway IDs. CRUD global/org roles with permissions. 12 editable email templates with variable substitution, preview, test send, and reset to defaults.
Create flags with enable/disable toggle. Rules: target specific org IDs, user IDs, or percentage-based rollout (deterministic per seed). Evaluated at runtime via GET /feature-flags.
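Deterministic percentage rollout, as an added example rather than the kit's own evaluator. It assumes the bucket is a hash of the flag seed and the user id taken modulo 100, that explicit org or user targeting overrides the percentage, and that the enable toggle acts as a kill switch; all names are hypothetical. It also shows the property that matters operationally: raising the percentage only adds users, it never drops anyone who was already in.

```python
"""Feature-flag evaluation with a deterministic percentage rollout.

Added illustration; not SaasKitFy's code. Assumed semantics: `enabled` is a
kill switch; when it is on, a request matches if its org or user is explicitly
targeted, or if the user's stable bucket (0-99, derived from the flag's seed
and the user id) falls below the rollout percentage. Because the bucket is a
pure function of (seed, user id), a user who is in at 10% stays in when the
admin raises the flag to 20%, and evaluating the same inputs twice always
agrees. Changing the seed reshuffles who is in the cohort.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flag:
    key: str
    enabled: bool
    percentage: int = 0               # 0..100; 100 = everyone, 0 = targeted only
    org_ids: frozenset = frozenset()
    user_ids: frozenset = frozenset()
    seed: str = ""                    # defaults to the flag key when empty


def bucket(seed: str, user_id) -> int:
    """Stable bucket in 0..99 for (seed, user); SHA-256 so ids spread evenly."""
    digest = hashlib.sha256(f"{seed}:{user_id}".encode()).digest()
    return int.from_bytes(digest[:8], "big") % 100


def evaluate(flag: Flag, user_id, org_id) -> bool:
    if not flag.enabled:
        return False                                   # kill switch wins
    if org_id in flag.org_ids or user_id in flag.user_ids:
        return True                                    # explicit targeting
    pct = max(0, min(100, flag.percentage))
    return bucket(flag.seed or flag.key, user_id) < pct


def evaluate_all(flags, user_id, org_id) -> dict:
    """What a GET /feature-flags style endpoint could hand to the frontend."""
    return {f.key: evaluate(f, user_id, org_id) for f in flags}


def rollout_fraction(flag: Flag, user_ids) -> float:
    """Share of `user_ids` that the rollout admits; useful as a sanity check."""
    user_ids = list(user_ids)
    hits = sum(evaluate(flag, u, None) for u in user_ids)
    return hits / len(user_ids)


if __name__ == "__main__":
    users = range(1, 1001)
    ten = Flag("new_dashboard", True, percentage=10)
    twenty = Flag("new_dashboard", True, percentage=20)
    print(rollout_fraction(ten, users), rollout_fraction(twenty, users))
    # nobody admitted at 10% is dropped at 20%
    print(all(evaluate(twenty, u, 1) for u in users if evaluate(ten, u, 1)))
```

Keying the bucket on the user rather than the request is what makes the rollout stable across page loads; keying it on a per-flag seed (instead of one global salt) stops every 10% rollout from landing on the same 10% of users.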
App branding, auth providers, SSO config, 5 billing gateways (live/test), mail driver (SMTP, Mailgun, Postmark, Resend, SES), storage (S3/R2), onboarding, theme presets, infrastructure (queue/cache/session drivers). Secret values never exposed via API.
Audit logs: filter by event, user, org, IP. Toggle on/off. Purge. Queues: pending/failed counts, retry/purge, Redis/DB/SQS. Health: database, Redis, cache, queue, mail, storage. Server info, PHP/Laravel versions, disk usage.
API Keys & Webhooks
Programmatic access with scoped permissions and real-time event notifications.
Per-org keys (lk_ prefix). SHA-256 hashed storage — plain key shown once on creation. Scoped permissions (read, write, members, billing, api_keys, webhooks + custom scopes). Per-key rate limiting. Expiration dates. Webhook dispatch and email notification on creation.
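Hashed API key storage, as an added example that is not the kit's own implementation. It assumes an `lk_`-prefixed key made of CSPRNG output, a stored SHA-256 of the full key, a plaintext returned exactly once, and scope and expiry checks at authentication time; the record layout and function names are hypothetical. The design point a reviewer would check is why plain SHA-256 is fine here when it is wrong for passwords: a 256-bit random key cannot be guessed from its hash, so a slow hash would add cost without security.

```python
"""Issuing and authenticating hashed API keys: an added illustration, not
SaasKitFy's code. Assumptions: keys carry an `lk_` prefix followed by random
bytes, only the SHA-256 of the full key is stored, and the plaintext is
returned once from issuance and never again. SHA-256 without a work factor is
acceptable here (unlike for passwords) because the key is 256 bits of CSPRNG
output, which cannot be brute-forced from its hash.
"""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

PREFIX = "lk_"


@dataclass
class ApiKeyRecord:
    org_id: int
    key_hash: str                # hex SHA-256 of the full plaintext key
    display_prefix: str          # first chars, for the UI only; never enough to guess
    scopes: frozenset
    expires_at: Optional[datetime]
    revoked: bool = False


STORE: dict = {}                 # key_hash -> ApiKeyRecord; stands in for a table


def hash_key(plain: str) -> str:
    return hashlib.sha256(plain.encode()).hexdigest()


def days_from_now(days: int) -> datetime:
    return datetime.now(timezone.utc) + timedelta(days=days)


def issue_key(org_id: int, scopes, ttl_days: Optional[int] = None) -> str:
    """Create a key and return the plaintext once; only its hash is persisted."""
    plain = PREFIX + secrets.token_urlsafe(32)      # 256 bits of randomness
    expires = days_from_now(ttl_days) if ttl_days else None
    rec = ApiKeyRecord(org_id, hash_key(plain), plain[:7], frozenset(scopes), expires)
    STORE[rec.key_hash] = rec
    return plain


def revoke(plain_or_hash: str) -> None:
    """Revoke by hash (what the DB holds) or by plaintext (what a client leaked)."""
    h = hash_key(plain_or_hash) if plain_or_hash.startswith(PREFIX) else plain_or_hash
    if h in STORE:
        STORE[h].revoked = True


def authenticate(plain: str, required_scope: str,
                 now: Optional[datetime] = None) -> Optional[ApiKeyRecord]:
    """Resolve a presented key; None means reject (never tell the caller why)."""
    if not plain.startswith(PREFIX):
        return None
    rec = STORE.get(hash_key(plain))      # lookup by hash: the table never sees plaintext
    if rec is None or rec.revoked:
        return None
    now = now or datetime.now(timezone.utc)
    if rec.expires_at is not None and now >= rec.expires_at:
        return None
    if required_scope not in rec.scopes:
        return None
    return rec


if __name__ == "__main__":
    key = issue_key(7, ["read", "webhooks"], ttl_days=30)
    print("show once:", key)
    print(authenticate(key, "read") is not None, authenticate(key, "billing") is None)
```

Because the lookup is by hash, a database dump yields nothing usable, and the short display prefix gives support staff enough to identify a key in the UI without being enough to reconstruct it.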
HTTPS endpoints per org. HMAC-SHA256 signature in X-Signature header. Subscribe to specific events or wildcard (*). Core events: api_key.created, member.joined, etc. Custom events from config/custom.php. Queued delivery via DeliverWebhook job. Delivery history with status codes.
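Both sides of the webhook signature described above, as an added example and not SaasKitFy's dispatcher or any customer's receiver. It assumes a per-endpoint shared secret, a hex-encoded HMAC-SHA256 over the exact body bytes in `X-Signature`, and subscriptions that are either exact event names or `*`; the page does not state the encoding, so hex is an assumption. The receiver-side points worth copying are to hash the raw bytes as received and to compare with `hmac.compare_digest`. The page describes only a body signature, so replay of a captured delivery is not addressed here; a receiver that cares must deduplicate on its own.

```python
"""Signing and verifying webhook deliveries with HMAC-SHA256: an added
illustration, not SaasKitFy's code. Assumptions: the shared secret is per
endpoint, the signature is the hex HMAC-SHA256 of the exact request body bytes
and travels in the X-Signature header, and a subscription is either an exact
event name or "*". The receiver must hash the raw bytes it received (not a
re-serialised copy) and compare with hmac.compare_digest; an ordinary ==
leaks timing information about the expected value.
"""
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Signature"


def sign(secret: bytes, body: bytes) -> str:
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def should_deliver(subscriptions, event: str) -> bool:
    """Exact-match or wildcard subscription."""
    return "*" in subscriptions or event in subscriptions


def build_delivery(secret: bytes, event: str, data: dict):
    """Sender side: serialise once, sign those bytes, send exactly those bytes."""
    body = json.dumps({"event": event, "data": data},
                      separators=(",", ":"), sort_keys=True).encode()
    headers = {"Content-Type": "application/json",
               SIGNATURE_HEADER: sign(secret, body)}
    return headers, body


def verify(secret: bytes, headers: dict, body: bytes) -> bool:
    """Receiver side: recompute over the raw body and compare in constant time."""
    presented = headers.get(SIGNATURE_HEADER, "")
    # compare as bytes so a non-ASCII header value cannot raise instead of failing
    return hmac.compare_digest(sign(secret, body).encode(), presented.encode())


def handle(secret: bytes, headers: dict, body: bytes):
    """Minimal receiver: returns an HTTP status and the parsed event, or None."""
    if not verify(secret, headers, body):
        return 401, None                 # reject before parsing untrusted JSON
    try:
        event = json.loads(body)
    except ValueError:
        return 400, None
    return 200, event


# Constructed sample: an api_key.created event delivered to one endpoint.
if __name__ == "__main__":
    secret = b"whsec_example_do_not_use"
    headers, body = build_delivery(
        secret, "api_key.created", {"org_id": 7, "key_prefix": "lk_4f2a"})
    print(handle(secret, headers, body))
    tampered = body.replace(b'"org_id":7', b'"org_id":8')
    print(handle(secret, headers, tampered))   # 401: signature no longer matches
```

Signing the serialised bytes and never re-serialising on the receiving side avoids the classic mismatch where two JSON encoders disagree on whitespace or key order and every delivery fails verification.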
Developer Experience
Modular architecture. Add features without touching core code.
Routes in routes/custom.php, controllers in Controllers/Custom/, models in Models/Custom/. Frontend: custom/routes.tsx and custom/navItems.ts. Register features, permissions, webhook events, and limits in config/custom.php.
A reference feature (projects) ships as a worked example of the pattern: full CRUD with comments, org-scoped permissions (view, create, update, delete), plan-based feature gating, webhook events (project.created, status_changed, comment.added), and resource limits. Follow the same pattern to build your own features.
8 seeders: demo users, orgs, plans, permissions, org roles, email templates, and app settings. Docker Compose with MySQL, Redis, and Mailpit. composer dev starts server, queue, logs, and Vite concurrently. OpenAPI spec at /openapi.yaml.
Mail: SMTP, Mailgun, Postmark, Resend, SES — switch from admin settings. Runtime config from DB (no restart). Test email endpoint. Storage: Local, S3, Cloudflare R2. Signed URLs for private files.
Also included
Features that don't need a full section but you'll be glad they're there.
Audit Logs
Tracks every mutation with user, IP, user agent, and old/new value diffs
Usage Metering
Record custom metrics per org. Daily series for charts. Ties into metered billing
Feature Flags
Percentage rollouts, user & org targeting, deterministic evaluation, admin toggle
Notifications
Email + in-app channels. 11 notification classes. Unread count, mark read, delete
File Uploads
Avatars, org logos, signed URLs for private files. S3 and Cloudflare R2 compatible
Security
Rate limiting, account lockout, CSP headers, CSRF, hashed keys, token expiration
Session Management
View active sessions with IP & user agent. Revoke individual or all. Org-level view
Email Templates
12 editable templates with variable substitution, preview, test send, and reset
Build vs. Buy
How much time does SaasKitFy actually save you?
| Feature | Build from scratch | With SaasKitFy |
|---|---|---|
| Auth (5 methods + MFA + SSO) | 3-5 weeks | Included |
| Multi-tenancy & teams | 2-4 weeks | Included |
| Billing (5 gateways, 5 plan types) | 3-5 weeks | Included |
| Admin panel (14 controllers) | 4-6 weeks | Included |
| RBAC with custom roles | 1-2 weeks | Included |
| API keys, webhooks, audit logs | 2-3 weeks | Included |
| Feature flags, usage metering, notifications | 1-2 weeks | Included |
| Total | 16-27 weeks | Day 1 |