Everything a B2B SaaS needs on day one

Replace this page with your product's feature story. Until then, it documents what the boilerplate itself gives you.

Authentication

Sign up, sign in, and stay secure

Email and password authentication with bot protection, password reset, session management, and TOTP two-factor authentication. New signups land in their own workspace with a trial already running.

  • Registration with Cloudflare Turnstile
  • Password reset over email
  • TOTP two-factor authentication with QR setup
  • Session revocation and login throttling

Workspaces

Multi-tenant from the first migration

Accounts are the tenant boundary. Every domain record you add is scoped with acts_as_tenant, URLs carry the workspace slug, and background jobs restore tenant context automatically.

  • Workspace creation, switching, and settings
  • Slug-scoped URLs (/w/your-team/…)
  • Automatic tenant scoping on queries and jobs
  • Workspace logos and timezones

Team Management

Invite teammates with the right access

Owners invite people by email with a role. Invitations expire, can be resent or revoked, and count toward plan seat limits. Roles gate everything: viewers read, editors manage content, owners run the workspace.

  • Email invitations with expiry and resend
  • Viewer / editor / owner roles via Pundit policies
  • Seat limits enforced from plan entitlements
  • Member deactivation and removal

Billing

Trials, plans, and Stripe checkout

Signup creates a 14-day trial with full entitlements — no card required. Upgrading goes through Stripe Checkout; managing payment methods goes through the Customer Portal. Webhooks keep local state in sync.

  • Automatic trials on signup
  • Stripe Checkout and Customer Portal
  • Entitlement limits synced from product metadata
  • Offline fake billing for local development

Developer Platform

OAuth API, MCP server, and webhooks

A Doorkeeper OAuth 2.0 provider secures the REST API and the MCP endpoint. Owners mint scoped API keys in the UI; AI clients register themselves via dynamic client registration and discover the auth server per RFC 9728.

  • REST API v1 with rate limiting and OpenAPI reference
  • MCP server with whoami and webhook tools
  • Workspace-scoped API keys with scopes
  • HMAC-signed outbound webhooks with retries

Take it for a spin

Sign up, invite a teammate, start a trial, and call the API — the whole journey works out of the box.