# ADR-0003: Kinde for Authentication and Multi-Tenancy

- Status: Accepted
- Date: 2025-01-15 (Estimated)
- Deciders: GetCimple Team
- Tags: architecture, security, authentication, multi-tenant
## Context
GetCimple requires authentication and multi-tenancy for a SaaS platform serving Australian businesses with boards. Key needs:
Requirements:

- Multi-tenant architecture (orgs with multiple users, users in multiple orgs)
- Role-based access control (Director, Manager, Staff)
- Australian company preferred (data sovereignty considerations)
- SSO/OAuth 2.0 support
- MFA for compliance
- Organization/tenant management
- Simple developer experience
- Startup-friendly pricing

Constraints:

- Must integrate with Supabase backend (JWT validation)
- Australian data residency preference
- Budget: <$50/month for MVP authentication
- 3-person team (no time to build custom auth)
## Options Considered

### Option A: Kinde
Description: Australian authentication and multi-tenancy platform with built-in organizations, roles, and SSO.
Pros:

- ✅ Australian company: Based in Australia, understands local compliance needs
- ✅ Multi-tenancy built-in: Organizations, roles, user management out-of-the-box
- ✅ Simple pricing: $25/month for up to 1000 MAU (Monthly Active Users)
- ✅ Excellent DX: SDKs for React, simple integration
- ✅ MFA included: Required for ACSC Essential 8 compliance
- ✅ SSO support: Can add enterprise SSO later
- ✅ OAuth 2.0 / OIDC: Standard protocols, works with Supabase
- ✅ Organization switching: Users can belong to multiple orgs
- ✅ Custom roles: Define Director, Manager, Staff roles
- ✅ Stripe billing integration (verify current alpha/beta status)

Cons:

- ❌ Smaller vendor (less mature than Auth0/Okta)
- ❌ Fewer integrations than larger platforms
- ❌ Australian data center specifics unclear (need to verify)
- ❌ Some features in beta (Stripe integration)
Estimated Effort: 2-3 days integration
### Option B: Auth0
Description: Enterprise authentication platform by Okta with comprehensive features.
Pros:

- ✅ Industry-leading platform
- ✅ Comprehensive features (SSO, MFA, organizations)
- ✅ Extensive integrations
- ✅ Proven at scale

Cons:

- ❌ Expensive: $240/month minimum for organizations feature
- ❌ US company (data sovereignty concerns)
- ❌ Complex pricing (per MAU, feature add-ons)
- ❌ Over-engineered for MVP needs
- ❌ Steeper learning curve
Estimated Effort: 3-5 days integration
### Option C: Supabase Auth
Description: Built-in authentication in Supabase with OAuth providers.
Pros:

- ✅ Included free with Supabase
- ✅ OAuth 2.0 support
- ✅ Simple integration (already using Supabase)
- ✅ Row Level Security integration

Cons:

- ❌ No multi-tenant management: Must build org management manually
- ❌ No SSO: Limited to email/password and OAuth providers
- ❌ Basic role management (must implement custom RBAC)
- ❌ No organization switching features
- ❌ Additional development effort (2-3 weeks for multi-tenancy)
Estimated Effort: 3-4 weeks (building multi-tenancy layer)
### Option D: Clerk
Description: Modern authentication platform with React-first design.
Pros:

- ✅ Excellent React integration
- ✅ Organizations feature available
- ✅ Beautiful pre-built UI components
- ✅ Good DX

Cons:

- ❌ $25/month + $0.02 per MAU (gets expensive quickly)
- ❌ US company
- ❌ Relatively new (less proven)
- ❌ Limited Australian market presence
Estimated Effort: 2-3 days integration
## Decision
We chose: Option A - Kinde
Rationale:

1. Australian company: Aligns with target market and data sovereignty philosophy
2. Multi-tenancy built-in: Organizations, roles, user management saves 3-4 weeks of development
3. Cost-effective: $25/month for up to 1000 MAU is startup-friendly and scales reasonably
4. Perfect fit for use case: Designed exactly for multi-tenant B2B SaaS (our model)
5. Compliance ready: MFA, audit logs, organization isolation support ACSC Essential 8
6. Fast integration: 2-3 days vs 3-4 weeks building on Supabase Auth
7. Future-ready: Can add SSO for enterprise customers post-MVP

Key Trade-offs Accepted:

- We're accepting smaller vendor risk because Kinde's OAuth/OIDC implementation is standard (can migrate to Auth0/Okta later if needed)
- We're accepting some beta features (Stripe integration) by verifying stability before use
- We're trusting Australian datacenter claims (need to verify and document)
## Consequences

### Positive
- ✅ Development velocity: 3-4 weeks saved by not building custom multi-tenancy
- ✅ Local alignment: Australian vendor understands our market and compliance needs
- ✅ Complete auth solution: Organizations, roles, MFA, audit logs all included
- ✅ Easy user experience: Pre-built login UI, smooth org switching
- ✅ Compliance support: MFA required for Directors satisfies ACSC Essential 8
- ✅ Supabase integration: JWT validation straightforward via Supabase functions
- ✅ Billing integration: Stripe connection simplifies subscription management (verify status)
### Negative
- ⚠️ Vendor maturity: Kinde less proven than Auth0/Okta (acceptable for MVP)
- ⚠️ Feature parity: Some enterprise features (SAML SSO) may lag behind larger vendors
- ⚠️ Data residency verification needed: Must confirm Australian datacenter location
- ⚠️ Migration complexity: Switching auth providers later requires user migration effort
### Risks
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Kinde has service outage affecting login | LOW | HIGH | Monitor Kinde status page; implement session caching; acceptable downtime for MVP; consider multi-auth post-MVP |
| Kinde pricing increases significantly | MEDIUM | MEDIUM | Standard OAuth/OIDC allows migration to Auth0/Okta; estimate 2-week migration effort; lock in annual contract if pricing concerns arise |
| Australian datacenter not actually in Australia | LOW | HIGH | Verify with Kinde sales/support; document data residency guarantees in contract; audit via API responses |
| Stripe integration bugs (if in beta) | MEDIUM | LOW | Verify beta stability before use; manual invoicing fallback for MVP; delay billing integration if unstable |
## Compliance Note

ACSC Essential 8 Impact:

- Relevant Control: Multi-Factor Authentication (Maturity Level 2)
- Requirement: MFA for all users accessing important data repositories
- How Kinde Supports: Built-in MFA (SMS, authenticator app, email codes)
- Implementation: Enforce MFA for Director and Manager roles

Australian Data Residency:

- User Auth Data: [[NC:kinde-1 @alice]] Verify: Where does Kinde store authentication data? Australian datacenter?
- Session Data: JWT tokens signed by Kinde, validated client-side and server-side
- Guarantees: Need to document Kinde's data residency SLA in contract

Audit Trail:

- Kinde provides audit logs for authentication events
- Integration needed: Sync Kinde audit events to Supabase for compliance reporting
## Implementation Notes

Prerequisites:

- Kinde account created
- Application configured in Kinde dashboard
- Callback URLs configured for Cloudflare domains
- Environment variables set (KINDE_CLIENT_ID, KINDE_CLIENT_SECRET, KINDE_DOMAIN)

Integration Points:

- Frontend (React): @kinde-oss/kinde-auth-react SDK
- Backend (Supabase): Validate Kinde JWT via Supabase Edge Functions
- Database (RLS): Use Kinde user_id in Row Level Security policies
- Billing (Stripe): Kinde organizations mapped to Stripe customers
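The backend integration point above (validating a Kinde-issued JWT server-side and handing the user/organisation context to RLS) is the step that enforces tenant isolation, so it is worth seeing what a correct check looks like. The following is an added example written for this ADR, not code from Kinde or from the GetCimple project: it verifies an RS256 token against a set of published keys looked up by `kid`, pins the algorithm, checks issuer, audience and expiry, and only then extracts `sub`, `org_code` and role keys for the policy layer. The claim names `org_code` and `roles`, the issuer URL `https://example.kinde.com`, the audience `getcimple-api` and the key id `kid-1` are assumptions and constructed values; a locally generated key pair stands in for Kinde's JWKS endpoint so the block runs offline.

```typescript
import { createSign, createVerify, generateKeyPairSync, KeyObject } from "node:crypto";

// Assumed claim layout (confirm against the Kinde docs): `org_code` names the
// organisation the token was issued for; the `roles` shape is an assumption.
export interface KindeClaims {
  iss: string;
  aud: string | string[];
  sub: string;
  iat?: number;
  exp: number;
  org_code?: string;
  roles?: { key: string; name: string }[];
}

// What a Supabase Edge Function or RLS policy would scope rows by.
export interface TenantContext {
  userId: string;
  orgCode: string;
  roleKeys: string[];
}

export interface VerifyOptions {
  issuer: string;            // expected `iss` (placeholder domain in the fixture)
  audience: string;          // expected `aud`: the API the token was minted for
  now?: number;              // seconds since epoch, injectable for tests
  clockSkewSeconds?: number; // tolerance for clock drift, default 60s
}

const toB64url = (buf: Buffer): string => buf.toString("base64url");
const fromB64url = (s: string): Buffer => Buffer.from(s, "base64url");

// Test-only signer so the example can mint tokens locally. In production Kinde
// signs tokens; the backend only ever verifies them.
export function signRs256(claims: KindeClaims, privateKey: KeyObject, kid: string): string {
  const header = toB64url(Buffer.from(JSON.stringify({ alg: "RS256", typ: "JWT", kid })));
  const payload = toB64url(Buffer.from(JSON.stringify(claims)));
  const signingInput = `${header}.${payload}`;
  const signature = createSign("RSA-SHA256").update(signingInput).sign(privateKey);
  return `${signingInput}.${toB64url(signature)}`;
}

export function verifyKindeToken(
  token: string,
  keysByKid: Map<string, KeyObject>,
  opts: VerifyOptions,
): TenantContext {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = JSON.parse(fromB64url(h).toString("utf8")) as { alg?: string; kid?: string };
  // Pin the algorithm: the token's own `alg` must never select the verifier.
  if (header.alg !== "RS256") throw new Error(`unexpected alg: ${header.alg}`);
  const key = header.kid ? keysByKid.get(header.kid) : undefined;
  if (!key) throw new Error("unknown or missing kid");
  const valid = createVerify("RSA-SHA256").update(`${h}.${p}`).verify(key, fromB64url(s));
  if (!valid) throw new Error("signature verification failed");
  // Claims are only trusted after the signature has been checked.
  const claims = JSON.parse(fromB64url(p).toString("utf8")) as KindeClaims;
  if (claims.iss !== opts.issuer) throw new Error("issuer mismatch");
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!audiences.includes(opts.audience)) throw new Error("audience mismatch");
  const now = opts.now ?? Math.floor(Date.now() / 1000);
  const skew = opts.clockSkewSeconds ?? 60;
  if (typeof claims.exp !== "number" || claims.exp + skew <= now) throw new Error("token expired");
  // A token with no organisation must not be allowed to touch tenant-scoped rows.
  if (!claims.org_code) throw new Error("token carries no organisation");
  return { userId: claims.sub, orgCode: claims.org_code, roleKeys: (claims.roles ?? []).map((r) => r.key) };
}

// Constructed fixture: a locally generated key pair stands in for Kinde's JWKS.
export function makeFixture() {
  const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const now = 1_736_899_200; // constructed "current time"
  const claims: KindeClaims = {
    iss: "https://example.kinde.com", // placeholder issuer, not a real tenant
    aud: "getcimple-api",
    sub: "kp_user_0001",
    iat: now,
    exp: now + 3600,
    org_code: "org_demo",
    roles: [{ key: "director", name: "Director" }],
  };
  const opts: VerifyOptions = { issuer: claims.iss, audience: "getcimple-api", now };
  return { keys: new Map<string, KeyObject>([["kid-1", publicKey]]), privateKey, claims, token: signRs256(claims, privateKey, "kid-1"), now, opts };
}
```

In a real Edge Function the `keysByKid` map is built from the JWKS document published by the Kinde issuer (cached, refreshed on an unknown `kid`), and the returned `TenantContext` is what gets passed into the database session so the RLS policies can compare `orgCode` and `userId` against row columns; the checks that matter for tenant isolation are that the signature is verified before any claim is read, that `aud` is the API's own identifier, and that a token without an organisation is rejected rather than treated as global.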
Monitoring:

- Track successful vs failed login attempts
- Monitor MFA enrollment rates (target: 100% for Directors)
- Alert on unusual authentication patterns (brute force attempts)
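The three monitoring checks above can be expressed as small functions over the audit events the Compliance Note says will be synced from Kinde into Supabase. The block below is an added example written for this ADR, not Kinde's or GetCimple's code: it counts login outcomes, flags a source IP whose failed logins exceed a threshold inside a sliding time window, and computes MFA enrollment per role against the 100%-for-Directors target. The event and user record shapes, field names, IP addresses (from the documentation ranges) and user ids are constructed for the example and are not what the Kinde API returns.

```typescript
// Constructed record shapes: field names are assumptions, not Kinde's schema.
export type AuthEventType = "login_success" | "login_failed";
export interface AuthEvent { ts: number; type: AuthEventType; ip: string; userId?: string }
export interface UserRecord { userId: string; role: "Director" | "Manager" | "Staff"; mfaEnrolled: boolean }
export interface BruteForceAlert { ip: string; failures: number; windowStart: number; windowEnd: number }
export interface RoleMfaStats { enrolled: number; total: number; rate: number }

const T0 = 1_736_899_200; // constructed base timestamp (seconds since epoch)

// Constructed sample: one source hammers a single account, one user mistypes
// twice and then succeeds, one user logs in cleanly.
export const SAMPLE_EVENTS: AuthEvent[] = [
  { ts: T0 + 0,   type: "login_failed",  ip: "203.0.113.7",  userId: "kp_u1" },
  { ts: T0 + 20,  type: "login_failed",  ip: "203.0.113.7",  userId: "kp_u1" },
  { ts: T0 + 45,  type: "login_failed",  ip: "203.0.113.7",  userId: "kp_u1" },
  { ts: T0 + 70,  type: "login_failed",  ip: "203.0.113.7",  userId: "kp_u1" },
  { ts: T0 + 95,  type: "login_failed",  ip: "203.0.113.7",  userId: "kp_u1" },
  { ts: T0 + 110, type: "login_failed",  ip: "203.0.113.7",  userId: "kp_u1" },
  { ts: T0 + 30,  type: "login_failed",  ip: "198.51.100.4", userId: "kp_u2" },
  { ts: T0 + 400, type: "login_failed",  ip: "198.51.100.4", userId: "kp_u2" },
  { ts: T0 + 430, type: "login_success", ip: "198.51.100.4", userId: "kp_u2" },
  { ts: T0 + 500, type: "login_success", ip: "192.0.2.10",   userId: "kp_u3" },
];

// Constructed user directory with MFA enrollment state per role.
export const SAMPLE_USERS: UserRecord[] = [
  { userId: "kp_u1", role: "Director", mfaEnrolled: true },
  { userId: "kp_u4", role: "Director", mfaEnrolled: false },
  { userId: "kp_u2", role: "Manager",  mfaEnrolled: true },
  { userId: "kp_u5", role: "Manager",  mfaEnrolled: true },
  { userId: "kp_u3", role: "Staff",    mfaEnrolled: false },
];

// Check 1: successful vs failed login attempts.
export function loginOutcomeCounts(events: AuthEvent[]): { success: number; failed: number } {
  const counts = { success: 0, failed: 0 };
  for (const e of events) {
    if (e.type === "login_success") counts.success++;
    else counts.failed++;
  }
  return counts;
}

// Check 3: brute-force pattern = at least `threshold` failures from one IP
// inside any `windowSeconds` span. Sliding window over sorted timestamps.
export function detectBruteForce(events: AuthEvent[], windowSeconds = 300, threshold = 5): BruteForceAlert[] {
  const failuresByIp = new Map<string, number[]>();
  for (const e of events) {
    if (e.type !== "login_failed") continue;
    const list = failuresByIp.get(e.ip) ?? [];
    list.push(e.ts);
    failuresByIp.set(e.ip, list);
  }
  const alerts: BruteForceAlert[] = [];
  for (const [ip, times] of Array.from(failuresByIp.entries())) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowSeconds) start++;
      const count = end - start + 1;
      if (count >= threshold) {
        alerts.push({ ip, failures: count, windowStart: times[start], windowEnd: times[end] });
        break; // one alert per source is enough to act on
      }
    }
  }
  return alerts;
}

// Check 2: MFA enrollment rate per role.
export function mfaEnrollmentByRole(users: UserRecord[]): Record<string, RoleMfaStats> {
  const out: Record<string, RoleMfaStats> = {};
  for (const u of users) {
    const r = (out[u.role] ??= { enrolled: 0, total: 0, rate: 0 });
    r.total++;
    if (u.mfaEnrolled) r.enrolled++;
  }
  for (const role of Object.keys(out)) {
    const r = out[role];
    r.rate = r.total === 0 ? 0 : r.enrolled / r.total;
  }
  return out;
}

// Roles whose enrollment rate is below target (default: 100% for Directors and Managers,
// matching the Compliance Note's "enforce MFA for Director and Manager roles").
export function rolesBelowMfaTarget(users: UserRecord[], targets: Record<string, number> = { Director: 1, Manager: 1 }): string[] {
  const stats = mfaEnrollmentByRole(users);
  return Object.keys(targets).filter((role) => (stats[role]?.rate ?? 0) < targets[role]);
}
```

Run over the constructed sample, `detectBruteForce` raises one alert for `203.0.113.7` (five failures inside 95 seconds) and stays quiet for the user who failed twice and then succeeded, and `rolesBelowMfaTarget` reports `Director` because one of two Directors has not enrolled. The window and threshold are the knobs to tune against real traffic before wiring the alert to a pager.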
Documentation Updates Needed:

- Authentication flow in authentication-mvp.md
- Role definitions in database-design-mvp.md
- Integration guide in tech-stack-mvp.md
## Revisit

- Revisit By: 2025-06-01 or after 500 active users
- Blast Radius: CRITICAL - Affects all user authentication, authorization, multi-tenancy

Conditions for Revisit:

- Kinde service reliability < 99.5% uptime
- Australian datacenter verification fails
- Pricing increases beyond startup budget
- Enterprise customers require SAML SSO (Kinde doesn't support or too expensive)
- Security incident related to Kinde platform
Next Review: 2025-04-01 (verify Australian datacenter location and MFA adoption rates)
## References
- Kinde Documentation
- Kinde Pricing
- Kinde Multi-Tenancy Guide
- Tech Stack MVP
- Authentication MVP
- ADR-0001: Supabase Backend - Integration point
## Version History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2025-10-20 | Claude | Initial ADR capturing historical decision + [[NC:kinde-1]] marker for datacenter verification |