The latest articles on Forem by Shola Jegede (@sholajegede). https://forem.com/sholajegede https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1705040%2F3266d189-ef54-4f0e-ae81-ecabae5aac1c.jpg https://forem.com/sholajegede en Shola Jegede Fri, 15 May 2026 00:38:16 +0000 https://forem.com/sholajegede/how-to-send-auth-codes-via-whatsapp-in-your-app-with-kinde-6k9 https://forem.com/sholajegede/how-to-send-auth-codes-via-whatsapp-in-your-app-with-kinde-6k9 <p>Your users are in San Francisco, Jakarta, São Paulo, and Sydney. They have WhatsApp open all day. They check it before they check their SMS inbox. When your app sends an OTP to their phone number, it lands in a carrier SMS thread they barely look at. When it lands in WhatsApp, they see it instantly.</p> <p>In this article, you will learn:</p> <ul> <li>Why WhatsApp OTP delivers better completion rates than SMS in high-penetration markets</li> <li>How Kinde delivers phone OTPs via WhatsApp when configured, with automatic SMS fallback</li> <li>What you need before you start: Twilio account, WhatsApp Sender, Kinde Pro</li> <li>How to configure Twilio Verify with a WhatsApp Sender</li> <li>How to connect your Twilio account to Kinde</li> <li>How to enable phone authentication in your Next.js app</li> <li>How to enable WhatsApp as the delivery channel in Kinde</li> <li>How to configure SMS as the automatic fallback</li> <li>How to test the full flow before going live</li> <li>What to watch for in Africa, South Asia, and Southeast Asia specifically</li> </ul> <p>Let's dive in!</p> <h2> Why WhatsApp OTP Is the Right Choice for Your Market </h2> <p>If your users are in Europe or North America, SMS OTP is a reasonable default. Delivery is reliable, carrier infrastructure is solid, and most users check texts promptly.</p> <p>If your users are in Nigeria, Kenya, Indonesia, Brazil, India, or the Philippines, the calculation is different. WhatsApp penetration in these markets is near-universal. Users across sub-Saharan Africa and Southeast Asia treat WhatsApp as their primary communication channel. SMS sits behind it, sometimes significantly behind.</p> <p>The data on this is clear. Twilio has documented that in heavy WhatsApp countries, 20 to 40 percent of users pick the WhatsApp channel when given the option for OTP delivery. More importantly, WhatsApp OTPs arrive over Wi-Fi connections. A user whose cellular data signal is weak but who is on Wi-Fi still receives the WhatsApp message instantly. SMS requires telephony connectivity. In markets where cellular data coverage is more reliable than SMS delivery, WhatsApp is not just more convenient. It is more reliable.</p> <p>There is also a cost argument. WhatsApp authentication messages cost 50 to 99 percent less than SMS in most markets globally. In developing markets where SMS costs are highest, the savings are largest. At any meaningful scale, the economics strongly favor WhatsApp.</p> <p>The correct production setup is WhatsApp first with automatic SMS fallback for the minority of users who do not have WhatsApp. That is exactly what Kinde gives you.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frb16f82rql7whjv3c6m8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frb16f82rql7whjv3c6m8.png" alt="Two-column comparison. LEFT: SMS OTP delivery flow showing Phone number → Carrier network → SMS inbox (variable delivery time, carrier dependent, fails on weak signal). RIGHT: WhatsApp OTP delivery flow showing Phone number → WhatsApp Business API → WhatsApp inbox (instant, Wi-Fi compatible, end-to-end encrypted, automatic SMS fallback if WhatsApp unavailable)" width="800" height="565"></a></p> <h2> How Kinde Handles WhatsApp OTP </h2> <p>Kinde supports phone number as both a primary authentication method and a secondary MFA factor. When phone authentication is configured, Kinde uses Twilio to deliver OTP codes. When you configure a WhatsApp Sender in your Twilio account and connect it to Kinde, Kinde automatically prefers WhatsApp for delivery and falls back to SMS when WhatsApp is unavailable.</p> <p>This is Twilio's Verify WhatsApp feature working through Kinde's phone authentication layer. You do not write any message-routing logic. Kinde and Twilio handle it. When a user enters their phone number on your sign-in screen, the OTP arrives in their WhatsApp. If they do not have WhatsApp or the delivery fails, Twilio's Verify API automatically retries via SMS.</p> <p>There are a few important constraints to know before you start:</p> <p><strong>Kinde Pro is required for production phone authentication.</strong> Kinde gives you 10 free SMS test sends per month on any plan to experiment with the feature, but production phone authentication (including WhatsApp) requires upgrading to the Pro plan or above.</p> <p><strong>The OTP message format is not editable.</strong> Kinde uses a standardized SMS/WhatsApp template that complies with OTP best practices. The message arrives as: 123456 is your verification code. followed by For your security, do not share this code. No app name, no URL, no hash. The sender name shown at the top of the WhatsApp chat comes from your registered Twilio business display name, not the message body. You cannot customize the message text or format.</p> <p><strong>A Twilio business account is required.</strong> You cannot use a personal or trial Twilio account for production A2P (Application-to-Person) messaging. You need a Twilio business account with a configured phone number or Messaging Service.</p> <p><strong>10DLC registration may be required in the US.</strong> If your users are in the United States, Twilio requires 10DLC registration for SMS. Check Twilio's guidelines and A2P messaging requirements for your target countries before setting up.</p> <h2> What You Need Before You Start </h2> <p>Before touching the Kinde dashboard, have the following ready:</p> <p><strong>A Twilio business account</strong> with your Account SID and Auth Token from the Twilio Console.</p> <p><strong>A Twilio phone number or Messaging Service SID.</strong> Twilio gives you two options for identifying the sender: a specific phone number or a Messaging Service (a pool of numbers Twilio manages for deliverability). The Messaging Service is recommended for production because Twilio handles number rotation and deliverability automatically.</p> <p><strong>A WhatsApp Sender configured in Twilio.</strong> This is a WhatsApp Business Account (WABA) phone number registered with Meta and approved for authentication message templates. Twilio's Verify WhatsApp documentation walks through this process. You need Meta Business verification and an approved authentication template before WhatsApp delivery works.</p> <p><strong>A Kinde account on the Pro plan or above.</strong></p> <p><strong>A Next.js app with the Kinde SDK installed.</strong> If you are starting fresh, the Kinde Next.js quickstart at <a href="https://docs.kinde.com" rel="noopener noreferrer">docs.kinde.com</a> gets you to a working auth setup in under ten minutes.</p> <p>Note: You can complete the Kinde configuration and test with the 10 free SMS sends before completing the WhatsApp Sender setup in Twilio. This lets you verify the Kinde connection is working before adding WhatsApp to the mix.</p> <h2> Step #1: Configure Twilio for Phone and WhatsApp Delivery </h2> <p>Log in to your Twilio Console at <a href="https://console.twilio.com" rel="noopener noreferrer">console.twilio.com</a>.</p> <p><strong>Get your credentials.</strong> From the Console Dashboard, copy your Account SID and Auth Token. Keep the Auth Token private.</p> <p><strong>Set up a Messaging Service (recommended) or phone number.</strong> If using a Messaging Service, navigate to <strong>Messaging → Services → Create Messaging Service</strong>. Give it a name, add your sender number to it, and copy the Messaging Service SID.</p> <p>If using a specific Twilio phone number instead, navigate to <strong>Phone Numbers → Manage → Active numbers</strong> and copy the phone number in E.164 format (e.g. <code>+12025551234</code>).</p> <p><strong>Configure the WhatsApp Sender for Verify.</strong> This is the step that enables WhatsApp delivery. Navigate to <strong>Messaging → Senders → WhatsApp senders</strong> in the Twilio Console.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F78y528rv9h693ly0nwi4.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F78y528rv9h693ly0nwi4.webp" alt="Twilio Console showing the Verify section in the left sidebar, with WhatsApp Senders highlighted" width="800" height="520"></a></p> <p>Select <strong>Add Sender</strong>. You will be prompted to connect a WhatsApp Business Account. This requires:</p> <ul> <li>A Meta Business Account (verified)</li> <li>A phone number registered as a WhatsApp Business number</li> <li>An approved WhatsApp authentication message template</li> </ul> <p>Twilio auto-creates the authentication template in supported languages once you complete the WhatsApp Sender setup. The template uses the Copy Code format, which displays the OTP with a button users tap to copy it to their clipboard.</p> <p>Note: WhatsApp Sender approval from Meta typically takes one to three business days. Plan your timeline accordingly. You can continue with the Kinde setup and test using SMS while waiting for WhatsApp approval.</p> <h2> Step #2: Connect Twilio to Kinde </h2> <p>With Twilio credentials ready, connect them to Kinde.</p> <p>In your Kinde dashboard, navigate to <strong>Settings → Environment → Phone providers</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F82l2xttxlh01kxc9fuqy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F82l2xttxlh01kxc9fuqy.png" alt="Kinde Settings showing the Phone providers section with a form to enter Twilio credentials. Fields visible: Account SID, Auth Token, and the choice between Messaging Service SID or Twilio Phone Number. Show the fields partially filled" width="800" height="502"></a></p> <p>Enter your Twilio credentials:</p> <ul> <li> <strong>Account SID</strong>: from your Twilio Console dashboard</li> <li> <strong>Auth Token</strong>: from your Twilio Console dashboard</li> <li> <strong>Messaging service SID or Twilio phone number</strong>: enter whichever you set up in Step #1</li> </ul> <p>If you want to use a fallback in case the primary Twilio service is interrupted, enable the fallback service option and configure a secondary provider.</p> <p>Select <strong>Save</strong>.</p> <p>Terrific! Kinde can now route phone OTP delivery through Twilio. The WhatsApp channel activates automatically once your WhatsApp Sender is approved in Twilio.</p> <h2> Step #3: Enable Phone Authentication in Kinde </h2> <p>With Twilio connected, turn on phone as an authentication method for your application.</p> <p>Navigate to <strong>Settings → Environment → Authentication</strong>. In the <strong>Passwordless</strong> section, find the <strong>Phone</strong> tile and select <strong>Configure</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ywuji2camdxln3odzu1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ywuji2camdxln3odzu1.png" alt="Kinde Settings &gt; Environment &gt; Authentication page showing the Passwordless section with Email + code, Phone, and Username + code tiles. The Phone tile has a " width="800" height="502"></a></p> <p>In the configuration window, toggle phone authentication on for the applications you want it active for. If you have multiple applications in your Kinde environment, you can enable it selectively per application.</p> <p>Select <strong>Save</strong>.</p> <p>Your sign-in screen now includes a phone number input option alongside the existing email input. Users can choose to sign in with their phone number and receive an OTP instead of entering a password or email code.</p> <h2> Step #4: Enable WhatsApp as the Delivery Channel </h2> <p>With phone authentication active and Twilio connected, the final step is confirming that WhatsApp is set as the preferred delivery channel.</p> <p>In your Kinde dashboard, navigate to <strong>Settings → Environment → Phone providers</strong>. In your Twilio configuration, you will see the WhatsApp delivery option.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnitlv0mmfdu8wso5nne7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnitlv0mmfdu8wso5nne7.png" alt="Kinde Settings &gt; Phone providers showing the Twilio configuration with a WhatsApp section. Show the toggle or setting that enables WhatsApp as the preferred delivery channel, with SMS shown as the fallback" width="800" height="502"></a></p> <p>Enable the WhatsApp delivery option. Once enabled:</p> <ul> <li>Kinde sends the OTP via WhatsApp when the user's phone number is registered with WhatsApp</li> <li>If WhatsApp delivery fails (user does not have WhatsApp, or the delivery fails for any reason), Twilio's Verify API automatically falls back to SMS</li> <li>No code changes are needed in your application</li> </ul> <p>The fallback happens silently. Your users do not see an error or need to request a retry. Twilio detects the WhatsApp delivery failure and retries via SMS automatically.</p> <h2> Step #5: Configure Phone Auth as MFA (Optional) </h2> <p>If you want to use WhatsApp OTP as a second factor rather than (or in addition to) a primary authentication method, configure it at the MFA level.</p> <p>Navigate to <strong>Settings → Environment → Multi-factor auth</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4vdkmuzniccn2vr6q4mc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4vdkmuzniccn2vr6q4mc.png" alt="Kinde Settings &gt; Multi-factor auth page showing the " width="800" height="501"></a></p> <p>In the <strong>Additional authentication methods</strong> section, toggle on <strong>SMS</strong>. Per the Kinde docs, the SMS MFA option delivers via WhatsApp when configured, with automatic fallback to SMS. The WhatsApp preference follows from your Twilio configuration in Step #4 automatically.</p> <p>Set MFA to <strong>Yes</strong> (mandatory) or <strong>Optional</strong> depending on your product's security requirements:</p> <ul> <li> <strong>Yes</strong>: every user is required to set up MFA on first sign-in. For products targeting enterprise customers or handling sensitive data, this is the right default.</li> <li> <strong>Optional</strong>: users are prompted to set up MFA but can skip it. They can enable it later from their profile settings.</li> </ul> <p>Note: if your primary authentication method is already phone OTP (email OTP), do not set phone SMS as the secondary MFA factor. Kinde recommends against using the same channel for both primary and secondary factors. If your primary auth is email OTP, use phone SMS or authenticator app for MFA. If your primary auth is phone OTP, use email or authenticator app for MFA.</p> <p>Select <strong>Save</strong>.</p> <h2> Step #6: Wire Phone Authentication Into Your Next.js App </h2> <p><a href="https://kinde.com/?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=14&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde's hosted sign-in</a> screen already includes the phone number input once you enable phone authentication. Your Next.js app does not need code changes to show the phone sign-in option. It appears automatically on the Kinde-hosted auth pages.</p> <p>However, if you want to pre-fill the phone number for users coming from a known context (for example, users you have invited via phone number), use the <code>login_hint</code> parameter to reduce friction:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/auth/[kindeAuth]/route.ts</span> <span class="c1">// Standard Kinde auth setup — no changes needed for basic WhatsApp OTP</span> <span class="c1">// For login with pre-filled phone number hint:</span> <span class="c1">// Pass login_hint in the authorization URL when you know the user's phone number</span> <span class="c1">// This skips the phone number entry step</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">handleAuth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">GET</span> <span class="o">=</span> <span class="nf">handleAuth</span><span class="p">();</span> </code></pre> </div> <p>For inviting users with a known phone number and pre-filling the sign-in form:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// components/PhoneInviteButton.tsx</span> <span class="c1">// Pre-fills the phone number on the Kinde sign-in screen</span> <span class="c1">// Useful when you know the user's phone number before they authenticate</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">LoginLink</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/components</span><span class="dl">"</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">PhoneInviteButtonProps</span> <span class="p">{</span> <span class="nl">phoneNumber</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// E.164 format e.g. "+2348012345678"</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">PhoneInviteButton</span><span class="p">({</span> <span class="nx">phoneNumber</span> <span class="p">}:</span> <span class="nx">PhoneInviteButtonProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nc">LoginLink</span> <span class="na">authUrlParams</span><span class="p">=</span><span class="si">{</span><span class="p">{</span> <span class="c1">// login_hint pre-fills the identity field on the Kinde sign-in screen</span> <span class="c1">// The user sees their phone number already entered and just confirms it</span> <span class="na">login_hint</span><span class="p">:</span> <span class="nx">phoneNumber</span><span class="p">,</span> <span class="c1">// connection_id routes directly to phone authentication</span> <span class="c1">// Skips the method selection screen</span> <span class="na">connection_id</span><span class="p">:</span> <span class="dl">"</span><span class="s2">phone</span><span class="dl">"</span><span class="p">,</span> <span class="p">}</span><span class="si">}</span> <span class="p">&gt;</span> Sign in with phone <span class="p">&lt;/</span><span class="nc">LoginLink</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>For protecting API routes on the server, the existing <code>getKindeServerSession</code> approach works identically regardless of whether the user authenticated via email or phone:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/example/route.ts</span> <span class="c1">// Phone-authenticated users produce the same session as email-authenticated users</span> <span class="c1">// No changes needed to protected route logic</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">GET</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">getUser</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Unauthorized</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getUser</span><span class="p">();</span> <span class="c1">// user.phone is populated when the user authenticated via phone number</span> <span class="c1">// user.email is populated when the user authenticated via email</span> <span class="c1">// Both may be present if the user has linked both identities</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">?.</span><span class="nx">id</span><span class="p">,</span> <span class="na">phone</span><span class="p">:</span> <span class="nx">user</span><span class="p">?.</span><span class="nx">phone</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">user</span><span class="p">?.</span><span class="nx">email</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>Amazing!</p> <h2> Step #7: Test the Full WhatsApp OTP Flow </h2> <p>Before going live, test three scenarios in your Kinde non-production environment.</p> <p><strong>Test 1: WhatsApp delivery to a WhatsApp-registered number</strong></p> <p>Enter a phone number that is registered with WhatsApp. Kinde should route the OTP through Twilio Verify to WhatsApp. The code arrives in your WhatsApp with your Twilio-registered business name as the sender.</p> <p>Note: Kinde provides 10 free SMS sends per month for testing. These 10 free sends apply to SMS delivery. WhatsApp delivery tests use your Twilio Verify credits.</p> <p><strong>Test 2: Automatic SMS fallback</strong></p> <p>To test the fallback, enter a valid phone number that is not registered with WhatsApp, or temporarily disable WhatsApp in your Twilio account. Twilio Verify should detect the WhatsApp delivery failure and automatically send via SMS. The OTP code is the same in both channels.</p> <p><strong>Test 3: MFA flow (if configured)</strong></p> <p>If you have set phone SMS as an MFA factor, sign in with email OTP first. On the second factor screen, Kinde prompts for the phone-based code. Enter your phone number if not already registered, and confirm the WhatsApp delivery.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4tb6z7iwbxobnm73v6z9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4tb6z7iwbxobnm73v6z9.png" alt="Kinde-hosted sign-in screen showing the phone number input field. Show a clean phone number entry UI with the country code dropdown and the number field. This is what users see when they choose phone authentication" width="800" height="501"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F64934qlrvd9t0v31j2fh.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F64934qlrvd9t0v31j2fh.webp" alt="A WhatsApp message on a phone showing a Kinde OTP delivery. The message shows the standard format" width="800" height="775"></a></p> <h2> Country-Specific Notes for African and Southeast Asian Markets </h2> <p><strong>Nigeria and Ghana:</strong> WhatsApp penetration is extremely high, above 90 percent of smartphone users. SMS delivery is inconsistent in some areas. WhatsApp OTP is strongly recommended as the primary channel. Twilio's A2P messaging in Nigeria requires pre-registered sender IDs. Check Twilio's Nigeria SMS guidelines before launch.</p> <p><strong>Kenya, Tanzania, Uganda:</strong> WhatsApp is widely used but M-Pesa and other mobile money services mean users are accustomed to SMS-based verification from financial services. WhatsApp OTP delivers a better experience but SMS fallback is particularly important in rural areas.</p> <p><strong>Indonesia, Philippines, Vietnam:</strong> Near-universal WhatsApp (and Line, in some markets) penetration. International SMS is expensive from most providers. WhatsApp OTP delivers significant cost savings at scale here.</p> <p><strong>India:</strong> WhatsApp has over 500 million users. However, Meta has implemented messaging limits for WhatsApp Business in India. Review the current Meta Business Platform limits for Indian traffic before projecting volume. Twilio's documentation covers the current limits.</p> <p><strong>Brazil:</strong> One of the highest WhatsApp penetration rates globally. WhatsApp OTP is effectively the standard for authentication flows built for Brazilian users.</p> <p>For all markets: always test with real numbers in the target country before launch. Carrier behavior, number formatting requirements (always use E.164 format), and delivery timing vary by region.</p> <h2> Troubleshooting Common Issues </h2> <p><strong>OTP not received via WhatsApp</strong></p> <p>Check that your WhatsApp Sender is approved in Twilio and that the authentication template is active. An unapproved or suspended sender silently fails delivery. Check Twilio's delivery logs for error codes. Error code 63024 from Twilio means the phone number is not associated with a WhatsApp account and the fallback to SMS should have triggered.</p> <p><strong>OTP received via SMS instead of WhatsApp</strong></p> <p>This is the expected behavior when WhatsApp delivery is not available. If you expected WhatsApp delivery but got SMS, check: Is the destination phone number registered with WhatsApp? Is the WhatsApp Sender active and approved in Twilio? Has the user blocked your business sender in WhatsApp?</p> <p><strong>"You need to enter your Twilio account details" message in Kinde</strong></p> <p>This appears when Kinde's phone authentication is configured but Twilio credentials have not been saved, or the credentials are invalid. Navigate to <strong>Settings → Environment → Phone providers</strong> and re-enter your Twilio Account SID and Auth Token.</p> <p><strong>Users in the United States not receiving SMS</strong></p> <p>US carriers require 10DLC registration for A2P SMS. If your Twilio account is not 10DLC registered for US traffic, messages to US numbers will fail. Complete 10DLC registration in Twilio before enabling phone authentication for US users.</p> <p><strong>Phone number formatting errors</strong></p> <p>Kinde and Twilio both require phone numbers in E.164 format (e.g. <code>+2348012345678</code> for a Nigerian number). If users enter numbers without country codes, the OTP send will fail. Kinde's hosted sign-in screen includes a country code dropdown to help users format numbers correctly. If you are pre-filling numbers via <code>login_hint</code>, always format them in E.164.</p> <h2> Putting It All Together </h2> <p>Here is a summary of the full setup:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Step</th> <th>What you do</th> <th>Where</th> </tr> </thead> <tbody> <tr> <td>Twilio business account</td> <td>Get Account SID, Auth Token, Messaging Service</td> <td>Twilio Console</td> </tr> <tr> <td>WhatsApp Sender</td> <td>Register WhatsApp Business number with Meta via Twilio</td> <td>Twilio Console &gt; Verify &gt; WhatsApp Senders</td> </tr> <tr> <td>Connect Twilio to Kinde</td> <td>Enter Twilio credentials</td> <td>Kinde &gt; Settings &gt; Phone providers</td> </tr> <tr> <td>Enable phone auth</td> <td>Toggle on Phone in Passwordless section</td> <td>Kinde &gt; Settings &gt; Authentication</td> </tr> <tr> <td>Enable WhatsApp delivery</td> <td>Configure WhatsApp as preferred channel</td> <td>Kinde &gt; Settings &gt; Phone providers</td> </tr> <tr> <td>Configure MFA (optional)</td> <td>Enable SMS as second factor</td> <td>Kinde &gt; Settings &gt; Multi-factor auth</td> </tr> <tr> <td>Test</td> <td>3-scenario flow test before going live</td> <td>Non-production environment</td> </tr> </tbody> </table></div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8ev7wazliuvfvd9fxos3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8ev7wazliuvfvd9fxos3.png" alt="Full delivery flow showing Your App (user enters phone number) → Kinde (routes to Twilio) → Twilio Verify (checks WhatsApp availability) → two paths: WhatsApp path (user has WhatsApp, message delivered via WhatsApp Business API, end-to-end encrypted) and SMS fallback path (user does not have WhatsApp or delivery fails, Twilio retries via SMS carrier network). Both paths return to user entering OTP in your app → Kinde verifies → user authenticatedn" width="800" height="1658"></a></p> <h2> Conclusion </h2> <p>In this article, you connected Twilio Verify to Kinde, registered a WhatsApp Business Sender, enabled phone authentication, and configured WhatsApp as the preferred OTP delivery channel with automatic SMS fallback. Users in markets where WhatsApp dominates now receive their authentication codes in the app they check first, over Wi-Fi when needed, at a fraction of the SMS cost.</p> <p>The setup is the same for phone as primary auth and as MFA. Once your Twilio credentials are in Kinde and your WhatsApp Sender is approved, the routing is handled entirely by Twilio Verify. Your application code does not change. Kinde issues the same JWT regardless of whether the OTP arrived via WhatsApp or SMS.</p> <p>Kinde is free for up to 10,500 monthly active users. Phone authentication and WhatsApp OTP require the Pro plan. Create your account at <a href="https://kinde.com/?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=14&amp;device=&amp;adposition=" rel="noopener noreferrer">kinde.com</a> and meet your users where they already are.</p> kinde tutorial auth programming Shola Jegede Thu, 14 May 2026 12:25:03 +0000 https://forem.com/sholajegede/why-sms-auth-is-quietly-failing-your-users-and-how-to-fix-it-with-whatsapp-3d16 https://forem.com/sholajegede/why-sms-auth-is-quietly-failing-your-users-and-how-to-fix-it-with-whatsapp-3d16 <p>Here is something most developers shipping SMS OTP in 2026 do not want to sit with: the channel they are trusting to verify their users is failing roughly one in ten of them, costing the industry $71 billion per year in fraud, and is actively being legislated out of financial services in the UAE, Philippines, Singapore, Malaysia, and India.</p> <p>None of this shows up in your dashboard. That is the problem.</p> <p>SMS OTP failures are quiet. A user who never received their code does not generate an error log. They generate a support ticket, or more likely, they just leave. You see a slightly elevated drop-off at the verification step, you assume it is user error, and you move on. The system is technically working. It is just not working for everyone.</p> <p>This article is not going to tell you to abandon SMS entirely. For markets with low smartphone penetration or poor data connectivity, SMS is still the right fallback. What it is going to argue is that for the majority of your users in 2026, WhatsApp OTP is a demonstrably better primary channel, SMS has serious and growing structural problems that are not going to self-correct, and switching is neither difficult nor expensive. In fact, it is cheaper.</p> <p>Let's start with the failure modes you are not seeing.</p> <h2> The Silent Failure Rate You Are Not Measuring </h2> <p>Studies consistently show that 10 to 15 percent of SMS OTPs never reach their intended recipients. The causes compound on each other: carrier filtering, network congestion, DND lists, international routing failures, grey route fraud, and plain old delivery lag that outlasts the OTP expiry window.</p> <p>None of these show up as errors from your SMS provider's perspective. Twilio, Vonage, and every other SMS gateway report a message as "delivered" the moment a carrier accepts it. What happens between carrier acceptance and the user's phone is invisible to you. A message accepted by a carrier at 11:59pm that arrives at 12:04am after the user has given up and closed the app counts as successfully delivered in your analytics. Your success rate looks healthy. Your signup conversion does not.</p> <p>The carrier filtering problem is getting worse, not better. Since February 2025, US carriers block 100 percent of unregistered A2P traffic on 10-digit long codes. In 2025, Phone-Check.app found that 23 percent of properly formatted business messages never reach inboxes due to carrier filtering and sender reputation issues alone. These are messages that follow every formatting rule and compliance requirement. They just never arrive.</p> <p>The pattern is consistent across every market with aggressive spam filtering. India's DLT registration system, the UK's carrier-level filtering, and the US's 10DLC compliance regime are all responses to legitimate spam problems. The side effect is that legitimate OTP delivery gets caught in the same net. Your users pay for that friction.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8yozo4hjd0hbxkk1ud0y.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8yozo4hjd0hbxkk1ud0y.png" alt="Funnel showing SMS OTP failure points. User requests OTP (100%) → SMS provider accepts (100%) → Carrier accepts (95%) → Passes carrier filtering (77%) → Arrives before OTP expiry (72%) → User reads and enters code (65%). Each stage labeled with the failure reason. Show the 35% total drop-off as the " width="800" height="436"></a></p> <h2> The Fraud Problem That Is Eating Your OTP Budget </h2> <p>The silent delivery failure is a conversion problem. The fraud problem is a financial one, and it is orders of magnitude larger.</p> <p>SMS pumping, also known as Artificially Inflated Traffic (AIT) or toll fraud, is a scheme where attackers abuse your OTP endpoint to generate revenue for themselves. The mechanics are straightforward: a fraudster partners with a premium-rate carrier, floods your phone verification form with bot-generated numbers on that carrier's network, and collects a share of the termination fees your SMS provider pays to deliver each message. Your users get nothing. You pay for everything.</p> <p>The numbers at the industry level are staggering. Messaging fraud losses were $80.5 billion in 2025, projected at $71 billion in 2026. AIT fraud specifically cost brands $1.16 billion in 2023 alone. OTPs now make up approximately 89 percent of all international A2P SMS traffic, which makes your OTP endpoint the single largest attack surface in your entire application.</p> <p>The most cited concrete example is Twitter. Elon Musk disclosed in 2022 that Twitter was losing approximately $60 million per year to SMS pumping through 2FA flows, driven by collusion with around 390 telecom operators. Twitter eventually cut off SMS-based two-factor authentication entirely. That is not a small company overreacting to a minor fraud problem. That is one of the largest user authentication systems in the world discovering that the default channel was being systematically exploited.</p> <p>The attack is not hypothetical for smaller teams either. Developers on Reddit and Hacker News regularly report waking up to five-figure surprise invoices after their OTP endpoint was pumped overnight. Most SMS providers will dispute these charges if caught quickly, but not all, and the process is slow and uncertain.</p> <p>What makes this particularly insidious is that it targets the exact markets where you most want phone verification to work. Africa has the highest density of high-risk SMS pumping markets globally, followed by Asia and the Caribbean. If you are building for Nigerian users, Kenyan users, Indonesian users, these are simultaneously the markets with the highest WhatsApp penetration and the highest SMS fraud risk. You are paying a premium for a channel that is both less reliable and more fraudulent in your target market than the alternative.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flq0mm45mier37jhg8qbo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flq0mm45mier37jhg8qbo.png" alt="SMS pumping attack flow. Your OTP form (exposed endpoint) → Bot floods with premium-rate numbers → Your SMS provider sends OTPs → Carrier delivers to fraudster-controlled numbers → Fraudster receives carrier revenue share → You receive the invoice" width="800" height="156"></a></p> <h2> The Regulatory Wall That Is Coming </h2> <p>The delivery failures and the fraud are operational problems. The regulatory picture is different. It is structural and permanent.</p> <p>Central banks and financial regulators around the world have spent the last two years reaching the same conclusion: SMS OTP is not a secure authentication factor for financial services. The policy responses are now binding.</p> <p>The Philippines Bangko Sentral ng Pilipinas issued Circular No. 1213 in June 2025, requiring banks to "limit the use of authentication mechanisms that can be shared with, or intercepted by, third parties unrelated to the transaction." This directly targets SMS OTP.</p> <p>The UAE Central Bank issued its directive in June 2025 giving financial institutions until March 2026 to completely eliminate SMS and email OTPs. That deadline has passed. UAE banks have already made the transition.</p> <p>Singapore's Monetary Authority directed major banks to phase out OTPs for account logins, moving toward digital tokens. Malaysia's Bank Negara directed financial institutions to stop using SMS OTPs to combat rising financial scams. India's Reserve Bank is planning to eliminate SMS OTP for digital payments. FINRA in the United States retired SMS as an acceptable authentication option by July 2025.</p> <p>These are not future concerns. They are enacted policies in major markets. If you are building fintech, payments, banking, or anything adjacent to financial services and you are still SMS-first in these markets, you are already out of compliance in some of them.</p> <p>The underlying technical reasoning is consistent across every regulator that has weighed in. SMS does not provide a meaningful possession factor because SIM swapping lets an attacker transfer a phone number to a device they control. SS7 network attacks allow interception of SMS in transit. The channel is unencrypted. A code that can be socially engineered out of the user, intercepted in transit, or accessed by compromising the carrier does not satisfy modern strong customer authentication requirements.</p> <p>This argument is not going away. The regulatory trajectory for SMS OTP in financial services is one direction.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxx63asq6rc3pfhot1wpn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxx63asq6rc3pfhot1wpn.png" alt="World map or timeline showing SMS OTP regulatory actions. Philippines (June 2025 - Circular 1213), UAE (June 2025 directive, March 2026 deadline), Singapore (MAS phaseout directive), Malaysia (BNM directive), India (RBI planned elimination), USA/FINRA (July 2025 retirement)" width="800" height="379"></a></p> <h2> What WhatsApp Actually Fixes </h2> <p>Before getting into the practical switch, let's be precise about what WhatsApp OTP solves and what it does not.</p> <p><strong>It fixes delivery reliability.</strong> WhatsApp messages achieve 90 to 95 percent open rates within three minutes of delivery. SMS sits at 70 to 80 percent, and that figure includes late deliveries that missed their OTP window. WhatsApp runs over data and Wi-Fi, which in most developing markets is more reliable than SMS carrier routing. A user in Lagos who has weak 2G signal but is connected to a building's Wi-Fi network will receive a WhatsApp OTP instantly and may never receive the SMS equivalent.</p> <p><strong>It eliminates SMS pumping as an attack vector.</strong> WhatsApp OTPs operate through Meta's messaging infrastructure, not through the telecom carrier network that SMS pumping exploits. The revenue-sharing fraud mechanics that make SMS pumping profitable simply do not exist in WhatsApp's system. Switching your OTP delivery to WhatsApp does not require you to implement additional fraud protection against AIT. The attack surface is gone.</p> <p><strong>It costs substantially less.</strong> A US OTP via SMS costs approximately $0.04 via Twilio. The WhatsApp authentication equivalent costs $0.006. That is 85 percent cheaper. An analysis of 219 countries found that 100 percent of countries see at least 44 percent savings when switching from SMS to WhatsApp OTP, and 58 percent of countries see 90 percent or greater savings. At 1 million monthly OTPs, the global-mix cost savings reach approximately $76,000 per month, or over $914,000 per year.</p> <p><strong>It is end-to-end encrypted.</strong> SMS travels over carrier infrastructure in plaintext and is vulnerable to SS7 attacks, SIM swapping, and interception. WhatsApp messages are end-to-end encrypted between Meta's servers and the recipient device. This does not make WhatsApp OTP invulnerable, but it eliminates the class of network-level interception attacks that have been used against SMS.</p> <p><strong>What it does not fix:</strong> WhatsApp requires the user to have the app installed and an active data or Wi-Fi connection. Roughly 5 to 10 percent of your users in most markets will not have WhatsApp. This is why the correct production setup is WhatsApp first with automatic SMS fallback, not WhatsApp as a complete replacement. You keep SMS as the safety net for the minority of users who cannot receive WhatsApp messages. You stop paying SMS rates and accepting SMS fraud risk for the 90 percent who can.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>SMS</th> <th>WhatsApp</th> </tr> </thead> <tbody> <tr> <td><strong>Delivery rate</strong></td> <td>~65-77%</td> <td>~95%+</td> </tr> <tr> <td><strong>Open rate within 3 min</strong></td> <td>~20%</td> <td>~98%</td> </tr> <tr> <td><strong>Cost per OTP (US market)</strong></td> <td>~$0.0079 (Twilio)</td> <td>~$0.005 (Spur.com)</td> </tr> <tr> <td><strong>Cost per OTP (Nigeria/India)</strong></td> <td>~$0.04</td> <td>~$0.006 (Spur.com)</td> </tr> <tr> <td><strong>End-to-end encryption</strong></td> <td>❌</td> <td>✅</td> </tr> <tr> <td><strong>Vulnerable to SMS pumping</strong></td> <td>✅ Yes</td> <td>❌ No</td> </tr> <tr> <td><strong>Vulnerable to SS7 attacks</strong></td> <td>✅ Yes</td> <td>❌ No</td> </tr> <tr> <td><strong>Wi-Fi delivery</strong></td> <td>❌</td> <td>✅</td> </tr> <tr> <td><strong>Regulatory pressure</strong></td> <td>⚠️ Active bans in 6+ markets</td> <td>✅ Preferred channel</td> </tr> </tbody> </table></div> <h2> The Developer Counterarguments (And Why They Do Not Hold Up) </h2> <p>Every time this argument comes up, three objections appear. They are worth addressing directly.</p> <p><strong>"Not all my users have WhatsApp."</strong></p> <p>This is true. It is also not an argument against WhatsApp OTP. It is an argument for WhatsApp-first with SMS fallback, which is exactly what Twilio Verify's channel selection feature provides. You configure WhatsApp as the primary channel and Twilio automatically falls back to SMS when WhatsApp delivery fails. Your users who do not have WhatsApp get an SMS. Your users who do get WhatsApp. You do not choose one. You choose both, with a preference.</p> <p><strong>"SMS is simpler to set up."</strong></p> <p>It was, four years ago. Today the compliance overhead for SMS (10DLC registration in the US, DLT registration in India, Sender ID registration in Nigeria) has made SMS a non-trivial setup in the markets that matter most. WhatsApp Sender setup through Twilio requires Meta Business verification and template approval, which typically takes two to five business days. That is comparable to the time required to complete US 10DLC registration, and you get a cleaner channel on the other side of it.</p> <p><strong>"WhatsApp is controlled by Meta. That is a single point of failure."</strong></p> <p>This is a legitimate concern, not a dismissible one. Meta does impose messaging limits, can suspend accounts, and the WhatsApp Business API has had outages. The correct response to this concern is not to avoid WhatsApp but to maintain SMS fallback, which is the recommended setup anyway. A WhatsApp-first, SMS-fallback architecture is more resilient than SMS-only because you have two delivery paths instead of one.</p> <h2> How Kinde Makes This a One-Afternoon Integration </h2> <p>If you are using Kinde for authentication, you do not need to build any of this delivery routing logic yourself. <a href="https://kinde.com/?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=15&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde</a> handles phone OTP delivery through Twilio Verify, and when you configure a WhatsApp Sender in Twilio and connect it to Kinde, the routing is automatic. WhatsApp when available. SMS when not. No code changes.</p> <p>The setup is three things:</p> <p><strong>One.</strong> Connect your Twilio account to Kinde in Settings → Phone providers. You need your Twilio Account SID, Auth Token, and a Messaging Service SID or phone number.</p> <p><strong>Two.</strong> Register a WhatsApp Sender in Twilio Verify and wait for Meta approval (two to five business days). Once approved, Kinde automatically routes to WhatsApp first.</p> <p><strong>Three.</strong> Enable phone authentication in Settings → Authentication, or SMS as an MFA factor in Settings → Multi-factor auth. The WhatsApp preference follows from the Twilio configuration automatically.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Futbdiypj6d2jwqq3kegw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Futbdiypj6d2jwqq3kegw.png" alt="Kinde Settings &gt; Phone providers page showing the Twilio configuration panel with Account SID and Auth Token fields, and the WhatsApp delivery toggle enabled" width="800" height="501"></a></p> <p>That is the full configuration surface. Kinde gives you 10 free SMS sends per month for testing. Production phone authentication requires the Pro plan. The WhatsApp routing itself uses your Twilio Verify credits, billed at Meta's authentication rates through Twilio.</p> <p>The OTP message format is standardized by Kinde and cannot be customized. The delivery intelligence, the fallback logic, and the channel selection are all handled by Twilio Verify. Your application code does not change at all. A user who authenticated via WhatsApp OTP produces the same Kinde JWT as a user who authenticated via email OTP. Nothing downstream needs to know which channel was used.</p> <p>For full setup documentation including Twilio Sender configuration, Next.js SDK integration, and country-specific notes for Nigeria, Kenya, Indonesia, India, and Brazil, see <a href="https://dev.to">the companion tutorial on dev.to</a>.</p> <h2> The Actual Stakes </h2> <p>Here is the case stated plainly.</p> <p>You are likely losing 10 to 15 percent of the users who hit your OTP verification step to silent SMS delivery failures. You are paying $0.04 or more per SMS in markets where the WhatsApp equivalent costs $0.006. You are exposed to a fraud vector that cost the industry over $80 billion in 2025 and specifically targets your OTP endpoint. You are using a channel that is being legislated out of financial services in the UAE, Philippines, Singapore, Malaysia, India, and the United States.</p> <p>The alternative is end-to-end encrypted, operates over Wi-Fi, costs 85 percent less in the US market and more in most developing markets, eliminates SMS pumping as an attack vector, and reaches 2.7 billion active users globally. The fallback to SMS is automatic and handles the minority of users who cannot receive WhatsApp messages.</p> <p>The switch requires a Twilio account, a two-to-five business day wait for Meta's WhatsApp Sender approval, and a Kinde dashboard configuration that takes about ten minutes.</p> <p>The users who are quietly failing your verification step are not filing support tickets. They are just not coming back. The fraud attacking your OTP endpoint is not showing up in your error logs. It is showing up in your invoice.</p> <p>The channel you inherited as the default is not the best available option anymore. It has not been for a while.</p> <p><em><a href="https://kinde.com/?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=15&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde</a> handles authentication, billing, and feature flags in one platform. Phone OTP via WhatsApp and SMS is available on the Pro plan. Free up to 10,500 monthly active users, no credit card required.]</em></p> kinde webdev auth programming Shola Jegede Thu, 14 May 2026 11:48:59 +0000 https://forem.com/sholajegede/how-to-add-free-trials-to-your-saas-without-friction-a-step-by-step-guide-with-kinde-23ce https://forem.com/sholajegede/how-to-add-free-trials-to-your-saas-without-friction-a-step-by-step-guide-with-kinde-23ce <p>Most SaaS products need free trials. Most free trial implementations are a mess — a <code>trial_expires_at</code> column in the database, a cron job nobody fully trusts, middleware that sometimes runs and sometimes does not, and an upgrade prompt that appears on the wrong page at the wrong moment.</p> <p>In this article, you will learn:</p> <ul> <li>Why most free trial implementations break down at the edges</li> <li>How Kinde's billing model works today and the honest state of native trial support</li> <li>How to use a $0.00 Free plan as a friction-free trial container — no credit card required</li> <li>How to stamp a <code>trial_start</code> date onto every new user using Kinde Workflows</li> <li>How to surface that date as a custom claim in the access token so your app never queries a database to check trial status</li> <li>How to build a <code>useTrialStatus</code> hook that drives every trial-aware UI decision in one place</li> <li>How to build the upgrade prompt that appears at day 7, day 13, and on expiry</li> <li>How to transition the user to a paid plan the moment the trial ends — smoothly, with no data loss</li> <li>How to test the full trial lifecycle without waiting 14 days</li> </ul> <p>Let's dive in!</p> <h2> The Free Trial Problem Nobody Talks About </h2> <p>Free trials are not hard to implement. They are hard to implement correctly. The obvious approach — store a trial end date in your database and check it on every request — works until it does not. The cron job that downgrades expired trial users runs at 3am but the user is in a different timezone. The middleware check runs on API routes but not on the WebSocket connection. The upgrade prompt fires but the user already paid ten minutes ago and the webhook has not processed yet.</p> <p>The underlying issue is that trial state lives in multiple places — your database, Stripe, your app's middleware — and those places are never perfectly in sync.</p> <p>The cleaner approach keeps trial state in one place: the Kinde access token. Every time the user makes a request, the token carries their <code>trial_start</code> date and their current plan. Your app reads those claims, computes whether the trial is active, expired, or converted, and acts accordingly. No database query. No sync lag. No cron jobs.</p> <p>Here is how to build that.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1o4ep9j546tntgr6a5bg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1o4ep9j546tntgr6a5bg.png" alt="LEFT " width="800" height="731"></a></p> <h2> How Kinde Billing Works Today — And One Important Caveat </h2> <p>Before writing a single line of code, one thing needs to be stated clearly: as of mid-2026, Kinde Billing does not have native free trial support built in. The Kinde docs list "support for plan models with free trial periods" as a known limitation that is actively being worked on.</p> <p>This article does not work around that limitation — it builds a production-grade trial system using the Kinde primitives that exist today: a $0.00 Free plan, custom user properties, Kinde Workflows, and feature flags. The result is a trial system that is arguably more flexible than a built-in trial toggle would be, because you control the logic entirely.</p> <p>When Kinde ships native trial support, the <code>trial_start</code> workflow and the expiry logic in your app can be replaced with a single plan configuration. The feature-gating code using <code>getBooleanFlag</code> stays exactly the same. The migration will be clean.</p> <p>Note: everything in this article uses Kinde's non-production environment for setup and Stripe test mode for payments. Do not touch production until you have walked the full flow in test mode.</p> <h2> The Architecture You Are Building </h2> <p>The trial system has four moving parts:</p> <p><strong>1. A Free plan</strong> configured in Kinde Billing with a $0.00 charge, credit card collection disabled, and the trial feature flags attached to it. This is what users land on when they sign up.</p> <p><strong>2. A Workflow</strong> that fires on user post-authentication and stamps a <code>trial_start</code> Unix timestamp onto the user's Kinde property record the first time they authenticate.</p> <p><strong>3. Token customization</strong> that surfaces the <code>trial_start</code> property and the user's current plan flags in the access token, so your app can read trial state without a database lookup.</p> <p><strong>4. A <code>useTrialStatus</code> hook</strong> in your Next.js app that reads those token claims, computes the trial state, and drives every trial-aware UI decision — the countdown banner, the upgrade prompt, the locked feature overlay, and the expired paywall.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmoc7cqbap7savvpmaddd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmoc7cqbap7savvpmaddd.png" alt="Four-part architecture showing Free plan (Kinde Billing) → Workflow stamps trial_start → Token carries trial_start + plan flags → useTrialStatus hook drives UI. Linear left-to-right flow with each component labeled and color coded" width="800" height="93"></a></p> <h2> Step #1: Create the Free Plan in Kinde Billing </h2> <p>Navigate to <strong>Billing → Plans → Add plan</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fry89ofjkybx5e5k4te0d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fry89ofjkybx5e5k4te0d.png" alt="Kinde Billing &gt; Plans page showing the " width="800" height="502"></a></p> <p>Configure the plan with these settings:</p> <ul> <li> <strong>Name</strong>: Free Trial (this is what users see on the pricing table)</li> <li> <strong>Description</strong>: 14 days of full Pro access, no credit card required</li> <li> <strong>Key</strong>: <code>free_trial</code> (this is how you reference it in code — cannot be changed after publishing)</li> <li> <strong>Plan type</strong>: Users (for B2C) or Organizations (for B2B)</li> </ul> <p>After saving the basic details, add a charge. Every plan in Kinde — including free plans — needs at least one charge so it syncs to Stripe correctly.</p> <p>Select <strong>Add charge</strong>. Configure it as:</p> <ul> <li> <strong>Name</strong>: Base subscription fee</li> <li> <strong>Amount</strong>: $0.00</li> <li> <strong>Interval</strong>: Monthly</li> </ul> <p>Select <strong>Save</strong>.</p> <p>Now configure the credit card collection setting. Because this is a free trial plan with a $0.00 charge, Kinde allows you to disable credit card collection. Scroll to the <strong>Payment collection</strong> section and disable the credit card requirement.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz1901zkpmqqvura1jc6f.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz1901zkpmqqvura1jc6f.png" alt="Kinde plan settings showing the Payment collection section with the credit card requirement toggle disabled" width="800" height="502"></a></p> <p>Note: credit card collection can only be disabled for plans with no paid charges. The moment you add a charge above $0.00, Kinde requires card collection. Your Free Trial plan stays at $0.00 for this reason — users sign up without friction and you collect card details only when they upgrade.</p> <p>Now attach the feature flags that control what trial users can access. Navigate to the <strong>Features</strong> section of the plan and attach the flags that represent your Pro tier features — things like <code>advanced_analytics</code>, <code>api_access</code>, <code>export_data</code>. These flags will activate automatically for any user on the Free Trial plan.</p> <p>![Kinde plan features section showing three feature flags attached to the Free Trial plan: advanced_analytics (boolean, true), api_access (boolean, true), export_data (boolean, true). These represent the Pro features users get during the trial]](<a href="https://dev-to-uploads.s3.amazonaws.com/uploads/articles/uetjbd1rngmv91tvvu7d.png" rel="noopener noreferrer">https://dev-to-uploads.s3.amazonaws.com/uploads/articles/uetjbd1rngmv91tvvu7d.png</a>)</p> <p>Select <strong>Publish</strong> to make the plan live. Published plans sync to Stripe automatically.</p> <p>Terrific! The trial container plan exists. Now stamp the start date.</p> <h2> Step #2: Stamp the Trial Start Date With a Kinde Workflow </h2> <p>Kinde Workflows let you run custom code in response to Kinde events. The trigger you need is <code>user:post_authentication</code> — it fires after a user authenticates and before the token is issued, giving you a window to set properties on the user record.</p> <p>First, create the custom property that will hold the trial start date. Navigate to <strong>Settings → Data management → Properties → Add property</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe2z6o6edq205vyr3y760.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe2z6o6edq205vyr3y760.png" alt="Kinde Settings &gt; Data management &gt; Properties page showing the " start="" width="800" height="502"></a></p> <p>Configure the property:</p> <ul> <li> <strong>Name</strong>: Trial start date</li> <li> <strong>Key</strong>: <code>trial_start</code> (cannot be changed later)</li> <li> <strong>Type</strong>: Single line text (you will store a Unix timestamp as a string)</li> <li> <strong>Private</strong>: off — this must be public so you can include it in the access token</li> </ul> <p>Select <strong>Save</strong>.</p> <p>Now create the workflow. Kinde Workflows live in your code repository and are synced to Kinde via GitHub. The recommended way to get started is to use the official Kinde workflow base template, which has the correct folder structure already set up.</p> <p>Navigate to <a href="https://github.com/kinde-starter-kits/workflow-base-template" rel="noopener noreferrer">github.com/kinde-starter-kits/workflow-base-template</a>, click the green Use this template button, and select Create a new repository. This creates a repo with the following structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kindeSrc/ └── environment/ └── workflows/ └── postUserAuthentication/ └── Workflow.ts </code></pre> </div> <p>Replace the contents of <code>postUserAuthentication/Workflow.ts</code> with the trial start workflow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">onPostAuthenticationEvent</span><span class="p">,</span> <span class="nx">WorkflowSettings</span><span class="p">,</span> <span class="nx">WorkflowTrigger</span><span class="p">,</span> <span class="nx">createKindeAPI</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde/infrastructure</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">workflowSettings</span><span class="p">:</span> <span class="nx">WorkflowSettings</span> <span class="o">=</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">"</span><span class="s2">trialStartWorkflow</span><span class="dl">"</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Stamp trial start date</span><span class="dl">"</span><span class="p">,</span> <span class="na">failurePolicy</span><span class="p">:</span> <span class="p">{</span> <span class="na">action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">continue</span><span class="dl">"</span> <span class="p">},</span> <span class="na">bindings</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">kinde.fetch</span><span class="dl">"</span><span class="p">:</span> <span class="p">{},</span> <span class="p">},</span> <span class="na">trigger</span><span class="p">:</span> <span class="nx">WorkflowTrigger</span><span class="p">.</span><span class="nx">PostAuthentication</span><span class="p">,</span> <span class="p">};</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">Workflow</span><span class="p">(</span><span class="nx">event</span><span class="p">:</span> <span class="nx">onPostAuthenticationEvent</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Only stamp the trial start on new users — never overwrite existing value</span> <span class="k">if </span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">context</span><span class="p">.</span><span class="nx">isExistingUser</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">userId</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">context</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">trialStart</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">/</span> <span class="mi">1000</span><span class="p">).</span><span class="nf">toString</span><span class="p">();</span> <span class="c1">// Use the Kinde Management API to set the trial_start property on the user</span> <span class="kd">const</span> <span class="nx">kindeAPI</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">createKindeAPI</span><span class="p">(</span><span class="nx">event</span><span class="p">);</span> <span class="k">await</span> <span class="nx">kindeAPI</span><span class="p">.</span><span class="nf">patch</span><span class="p">({</span> <span class="na">endpoint</span><span class="p">:</span> <span class="s2">`user`</span><span class="p">,</span> <span class="na">params</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">userId</span> <span class="p">},</span> <span class="na">requestBody</span><span class="p">:</span> <span class="p">{</span> <span class="na">properties</span><span class="p">:</span> <span class="p">{</span> <span class="na">trial_start</span><span class="p">:</span> <span class="nx">trialStart</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>Commit and push the file to your repository. Then in your Kinde dashboard, navigate to Settings → Git repo, connect your repository, select your branch, and hit Sync code. Once the sync succeeds, navigate to Workflows — the "Stamp trial start date" workflow will appear with status Live.</p> <blockquote> <p>Note: the <code>isExistingUser</code> check is critical. Without it, the workflow would overwrite <code>trial_start</code> on every login, resetting the trial clock each time the user authenticates. The check ensures the timestamp is only written once — on first sign-in.</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fthiqwh4fe3spteo715dp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fthiqwh4fe3spteo715dp.png" alt="Kinde dashboard showing the Workflows section with the " start="" width="800" height="502"></a></p> <p>Note: the <code>isExistingUser</code> check is critical. Without it, the workflow would overwrite the <code>trial_start</code> on every login, resetting the trial clock each time the user authenticates. The check ensures the timestamp is only written once — on first sign-in.</p> <h2> Step #3: Surface Trial State in the Access Token </h2> <p>The <code>trial_start</code> property is now stored on the user record in Kinde. To make it available in the access token without a database query, add it to the token customization settings for your application.</p> <p>Navigate to <strong>Settings → Applications → [your app] → Tokens → Customize</strong> on the Access token card.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fstz0qtkc1np8jdjdasgn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fstz0qtkc1np8jdjdasgn.png" alt="Kinde application token customization dialog showing the Properties section with " width="800" height="502"></a></p> <p>In the Customize access token dialog, scroll to the <strong>Properties</strong> section and toggle on <code>trial_start</code>. Select <strong>Save</strong>.</p> <p>From this point, every access token issued to your users will contain an <code>application_properties</code> claim with the <code>trial_start</code> value:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"kp_abc123"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"user@example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"feature_flags"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"advanced_analytics"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"t"</span><span class="p">:</span><span class="w"> </span><span class="s2">"b"</span><span class="p">,</span><span class="w"> </span><span class="nl">"v"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"api_access"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"t"</span><span class="p">:</span><span class="w"> </span><span class="s2">"b"</span><span class="p">,</span><span class="w"> </span><span class="nl">"v"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"export_data"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"t"</span><span class="p">:</span><span class="w"> </span><span class="s2">"b"</span><span class="p">,</span><span class="w"> </span><span class="nl">"v"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"application_properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"trial_start"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"v"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1717200000"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://yourapp.kinde.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1717286400</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The <code>feature_flags</code> claim carries the Pro features active on the Free Trial plan. The <code>application_properties.trial_start.v</code> claim carries the Unix timestamp of when the trial started. Your app now has everything it needs to compute trial status without touching the database.</p> <p>Amazing!</p> <h2> Step #4: Build the <code>useTrialStatus</code> Hook </h2> <p>This hook is the single source of truth for trial state in your React app. Every trial-aware component — the countdown banner, the upgrade prompt, the feature gate, the expired paywall — reads from this hook.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// hooks/useTrialStatus.ts</span> <span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useKindeBrowserClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">TRIAL_LENGTH_DAYS</span> <span class="o">=</span> <span class="mi">14</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">TRIAL_LENGTH_SECONDS</span> <span class="o">=</span> <span class="nx">TRIAL_LENGTH_DAYS</span> <span class="o">*</span> <span class="mi">24</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span><span class="p">;</span> <span class="k">export</span> <span class="kd">type</span> <span class="nx">TrialStatus</span> <span class="o">=</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">active</span><span class="dl">"</span> <span class="c1">// Trial is running, days remain</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">expiring</span><span class="dl">"</span> <span class="c1">// Trial has 3 or fewer days left</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">expired</span><span class="dl">"</span> <span class="c1">// Trial ended, user has not upgraded</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">converted</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// User is on a paid plan</span> <span class="k">export</span> <span class="kr">interface</span> <span class="nx">TrialState</span> <span class="p">{</span> <span class="nl">status</span><span class="p">:</span> <span class="nx">TrialStatus</span><span class="p">;</span> <span class="nl">daysRemaining</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">trialStartDate</span><span class="p">:</span> <span class="nb">Date</span> <span class="o">|</span> <span class="kc">null</span><span class="p">;</span> <span class="nl">trialEndDate</span><span class="p">:</span> <span class="nb">Date</span> <span class="o">|</span> <span class="kc">null</span><span class="p">;</span> <span class="nl">isPro</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">useTrialStatus</span><span class="p">():</span> <span class="nx">TrialState</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">getClaim</span><span class="p">,</span> <span class="nx">getBooleanFlag</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useKindeBrowserClient</span><span class="p">();</span> <span class="c1">// Read trial_start from the application_properties claim</span> <span class="c1">// The value is a Unix timestamp stored as a string</span> <span class="kd">const</span> <span class="nx">trialStartClaim</span> <span class="o">=</span> <span class="nf">getClaim</span><span class="p">(</span><span class="dl">"</span><span class="s2">application_properties</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">access_token</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">trialStartRaw</span> <span class="o">=</span> <span class="p">(</span><span class="nx">trialStartClaim</span><span class="p">?.</span><span class="nx">value</span> <span class="k">as</span> <span class="kr">any</span><span class="p">)?.</span><span class="nx">trial_start</span><span class="p">?.</span><span class="nx">v</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">trialStartSeconds</span> <span class="o">=</span> <span class="nx">trialStartRaw</span> <span class="p">?</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">trialStartRaw</span><span class="p">,</span> <span class="mi">10</span><span class="p">)</span> <span class="p">:</span> <span class="kc">null</span><span class="p">;</span> <span class="c1">// Read feature flags to determine if the user has Pro access</span> <span class="c1">// These flags are active on both the Free Trial plan and the paid Pro plan</span> <span class="kd">const</span> <span class="nx">hasAdvancedAnalytics</span> <span class="o">=</span> <span class="nf">getBooleanFlag</span><span class="p">(</span><span class="dl">"</span><span class="s2">advanced_analytics</span><span class="dl">"</span><span class="p">,</span> <span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">hasApiAccess</span> <span class="o">=</span> <span class="nf">getBooleanFlag</span><span class="p">(</span><span class="dl">"</span><span class="s2">api_access</span><span class="dl">"</span><span class="p">,</span> <span class="kc">false</span><span class="p">);</span> <span class="c1">// A user is "Pro" if they have the paid plan flags active</span> <span class="c1">// When the Free Trial expires, these flags go false unless they upgrade</span> <span class="c1">// Note: during the trial, these are also true — so use trial state to distinguish</span> <span class="kd">const</span> <span class="nx">hasPlanAccess</span> <span class="o">=</span> <span class="nx">hasAdvancedAnalytics</span> <span class="o">&amp;&amp;</span> <span class="nx">hasApiAccess</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">trialStartSeconds</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// No trial_start means this is a legacy user or the workflow has not run yet</span> <span class="c1">// Treat as expired to avoid unintended access</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="dl">"</span><span class="s2">expired</span><span class="dl">"</span><span class="p">,</span> <span class="na">daysRemaining</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="na">trialStartDate</span><span class="p">:</span> <span class="kc">null</span><span class="p">,</span> <span class="na">trialEndDate</span><span class="p">:</span> <span class="kc">null</span><span class="p">,</span> <span class="na">isPro</span><span class="p">:</span> <span class="nx">hasPlanAccess</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">now</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">/</span> <span class="mi">1000</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">trialEndSeconds</span> <span class="o">=</span> <span class="nx">trialStartSeconds</span> <span class="o">+</span> <span class="nx">TRIAL_LENGTH_SECONDS</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">secondsRemaining</span> <span class="o">=</span> <span class="nx">trialEndSeconds</span> <span class="o">-</span> <span class="nx">now</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">daysRemaining</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">max</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">ceil</span><span class="p">(</span><span class="nx">secondsRemaining</span> <span class="o">/</span> <span class="mi">86400</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">trialStartDate</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">trialStartSeconds</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">trialEndDate</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">trialEndSeconds</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">);</span> <span class="c1">// If the user has Pro feature flags active AND the trial has expired,</span> <span class="c1">// they have upgraded — they are a paying customer</span> <span class="k">if </span><span class="p">(</span><span class="nx">hasPlanAccess</span> <span class="o">&amp;&amp;</span> <span class="nx">secondsRemaining</span> <span class="o">&lt;=</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="dl">"</span><span class="s2">converted</span><span class="dl">"</span><span class="p">,</span> <span class="na">daysRemaining</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="nx">trialStartDate</span><span class="p">,</span> <span class="nx">trialEndDate</span><span class="p">,</span> <span class="na">isPro</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">secondsRemaining</span> <span class="o">&lt;=</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="dl">"</span><span class="s2">expired</span><span class="dl">"</span><span class="p">,</span> <span class="na">daysRemaining</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="nx">trialStartDate</span><span class="p">,</span> <span class="nx">trialEndDate</span><span class="p">,</span> <span class="na">isPro</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">daysRemaining</span> <span class="o">&lt;=</span> <span class="mi">3</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="dl">"</span><span class="s2">expiring</span><span class="dl">"</span><span class="p">,</span> <span class="nx">daysRemaining</span><span class="p">,</span> <span class="nx">trialStartDate</span><span class="p">,</span> <span class="nx">trialEndDate</span><span class="p">,</span> <span class="na">isPro</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="dl">"</span><span class="s2">active</span><span class="dl">"</span><span class="p">,</span> <span class="nx">daysRemaining</span><span class="p">,</span> <span class="nx">trialStartDate</span><span class="p">,</span> <span class="nx">trialEndDate</span><span class="p">,</span> <span class="na">isPro</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>Note: the hook reads <code>application_properties</code> from the access token. The Kinde browser client's <code>getClaim</code> method defaults to reading from the access token, which is what you want here. The <code>getBooleanFlag</code> method also reads from the token — no network request is made.</p> <h2> Step #5: Build the Trial UI Components </h2> <p>With the <code>useTrialStatus</code> hook in place, build the UI components that surface trial state to users.</p> <h3> The Trial Banner </h3> <p>This sits at the top of the dashboard and counts down the remaining days. It changes color and urgency as the trial approaches expiry.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// components/TrialBanner.tsx</span> <span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useTrialStatus</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/hooks/useTrialStatus</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">RegisterLink</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/components</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">TrialBanner</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">status</span><span class="p">,</span> <span class="nx">daysRemaining</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useTrialStatus</span><span class="p">();</span> <span class="c1">// Do not show the banner for converted users or when there is no trial data</span> <span class="k">if </span><span class="p">(</span><span class="nx">status</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">converted</span><span class="dl">"</span> <span class="o">||</span> <span class="nx">status</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">expired</span><span class="dl">"</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">isUrgent</span> <span class="o">=</span> <span class="nx">status</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">expiring</span><span class="dl">"</span><span class="p">;</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="si">{</span><span class="s2">`w-full px-4 py-2 text-sm font-medium text-center flex items-center justify-center gap-4 </span><span class="p">${</span> <span class="nx">isUrgent</span> <span class="p">?</span> <span class="dl">"</span><span class="s2">bg-red-50 text-red-700 border-b border-red-200</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">bg-blue-50 text-blue-700 border-b border-blue-200</span><span class="dl">"</span> <span class="p">}</span><span class="s2">`</span><span class="si">}</span> <span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">span</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">isUrgent</span> <span class="p">?</span> <span class="s2">`Your trial expires in </span><span class="p">${</span><span class="nx">daysRemaining</span><span class="p">}</span><span class="s2"> day</span><span class="p">${</span><span class="nx">daysRemaining</span> <span class="o">!==</span> <span class="mi">1</span> <span class="p">?</span> <span class="dl">"</span><span class="s2">s</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">""</span><span class="p">}</span><span class="s2">. Upgrade to keep your access.`</span> <span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">daysRemaining</span><span class="p">}</span><span class="s2"> days left in your free trial.`</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">RegisterLink</span> <span class="na">planInterest</span><span class="p">=</span><span class="s">"pro_monthly"</span> <span class="na">className</span><span class="p">=</span><span class="si">{</span><span class="s2">`px-3 py-1 rounded text-xs font-semibold </span><span class="p">${</span> <span class="nx">isUrgent</span> <span class="p">?</span> <span class="dl">"</span><span class="s2">bg-red-600 text-white hover:bg-red-700</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">bg-blue-600 text-white hover:bg-blue-700</span><span class="dl">"</span> <span class="p">}</span><span class="s2">`</span><span class="si">}</span> <span class="p">&gt;</span> Upgrade now <span class="p">&lt;/</span><span class="nc">RegisterLink</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> The Expired Paywall </h3> <p>When the trial ends, replace the dashboard content with an upgrade prompt. Users can still access their data — they just cannot take action until they upgrade.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// components/TrialExpiredPaywall.tsx</span> <span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useTrialStatus</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/hooks/useTrialStatus</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">RegisterLink</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/components</span><span class="dl">"</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">TrialExpiredPaywallProps</span> <span class="p">{</span> <span class="nl">children</span><span class="p">:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">ReactNode</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">TrialExpiredPaywall</span><span class="p">({</span> <span class="nx">children</span> <span class="p">}:</span> <span class="nx">TrialExpiredPaywallProps</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">status</span><span class="p">,</span> <span class="nx">trialEndDate</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useTrialStatus</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">status</span> <span class="o">!==</span> <span class="dl">"</span><span class="s2">expired</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Trial is active or user has converted — show the content normally</span> <span class="k">return</span> <span class="p">&lt;&gt;</span><span class="si">{</span><span class="nx">children</span><span class="si">}</span><span class="p">&lt;/&gt;;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">endDateFormatted</span> <span class="o">=</span> <span class="nx">trialEndDate</span> <span class="p">?</span> <span class="nx">trialEndDate</span><span class="p">.</span><span class="nf">toLocaleDateString</span><span class="p">(</span><span class="dl">"</span><span class="s2">en-US</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">month</span><span class="p">:</span> <span class="dl">"</span><span class="s2">long</span><span class="dl">"</span><span class="p">,</span> <span class="na">day</span><span class="p">:</span> <span class="dl">"</span><span class="s2">numeric</span><span class="dl">"</span><span class="p">,</span> <span class="na">year</span><span class="p">:</span> <span class="dl">"</span><span class="s2">numeric</span><span class="dl">"</span><span class="p">,</span> <span class="p">})</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">recently</span><span class="dl">"</span><span class="p">;</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"relative"</span><span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* Blur the underlying content so users can see what they are missing */</span><span class="si">}</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"pointer-events-none select-none blur-sm opacity-40"</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">children</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* Paywall overlay */</span><span class="si">}</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"absolute inset-0 flex items-center justify-center"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"bg-white rounded-xl shadow-xl border border-gray-200 p-8 max-w-md w-full mx-4 text-center space-y-4"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-2xl font-bold text-gray-900"</span><span class="p">&gt;</span> Your trial ended on <span class="si">{</span><span class="nx">endDateFormatted</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-gray-500 text-sm"</span><span class="p">&gt;</span> Your data is safe. Upgrade to Pro to get back to work. <span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">RegisterLink</span> <span class="na">planInterest</span><span class="p">=</span><span class="s">"pro_monthly"</span> <span class="na">className</span><span class="p">=</span><span class="s">"block w-full py-3 px-6 bg-black text-white rounded-lg font-semibold text-sm hover:bg-gray-800 transition-colors"</span> <span class="p">&gt;</span> Upgrade to Pro <span class="p">&lt;/</span><span class="nc">RegisterLink</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-xs text-gray-400"</span><span class="p">&gt;</span> No setup required. Your account picks up exactly where you left off. <span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> The Feature Gate </h3> <p>For features that are available during the trial but locked on a free-forever tier, use this gate to show an upgrade prompt in context rather than a full-page paywall.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// components/FeatureGate.tsx</span> <span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useTrialStatus</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/hooks/useTrialStatus</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">RegisterLink</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/components</span><span class="dl">"</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">FeatureGateProps</span> <span class="p">{</span> <span class="nl">feature</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">children</span><span class="p">:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">ReactNode</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">FeatureGate</span><span class="p">({</span> <span class="nx">feature</span><span class="p">,</span> <span class="nx">children</span> <span class="p">}:</span> <span class="nx">FeatureGateProps</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isPro</span><span class="p">,</span> <span class="nx">status</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useTrialStatus</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">isPro</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">&lt;&gt;</span><span class="si">{</span><span class="nx">children</span><span class="si">}</span><span class="p">&lt;/&gt;;</span> <span class="p">}</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"relative rounded-lg border border-gray-200 p-6"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"pointer-events-none select-none blur-sm opacity-40"</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">children</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"absolute inset-0 flex items-center justify-center rounded-lg bg-white/80"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-center space-y-2 px-4"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-sm font-semibold text-gray-900"</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">feature</span><span class="si">}</span> is a Pro feature <span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">status</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">expired</span><span class="dl">"</span> <span class="p">?</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nc">RegisterLink</span> <span class="na">planInterest</span><span class="p">=</span><span class="s">"pro_monthly"</span> <span class="na">className</span><span class="p">=</span><span class="s">"inline-block px-4 py-2 bg-black text-white rounded-md text-xs font-medium"</span> <span class="p">&gt;</span> Upgrade to unlock <span class="p">&lt;/</span><span class="nc">RegisterLink</span><span class="p">&gt;</span> <span class="p">)</span> <span class="p">:</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-xs text-gray-500"</span><span class="p">&gt;</span> Available during your trial — upgrade to keep access after it ends. <span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">)</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Putting the Components Together </h3> <p>Use all three in your dashboard layout:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// app/dashboard/layout.tsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">TrialBanner</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/components/TrialBanner</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">TrialExpiredPaywall</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/components/TrialExpiredPaywall</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">DashboardLayout</span><span class="p">({</span> <span class="nx">children</span><span class="p">,</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">children</span><span class="p">:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">ReactNode</span><span class="p">;</span> <span class="p">})</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"min-h-screen flex flex-col"</span><span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* Trial countdown banner — hidden when converted or expired */</span><span class="si">}</span> <span class="p">&lt;</span><span class="nc">TrialBanner</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nt">main</span> <span class="na">className</span><span class="p">=</span><span class="s">"flex-1"</span><span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* Paywall wraps all dashboard content — activates only on expiry */</span><span class="si">}</span> <span class="p">&lt;</span><span class="nc">TrialExpiredPaywall</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">children</span><span class="si">}</span><span class="p">&lt;/</span><span class="nc">TrialExpiredPaywall</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">main</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>For individual features, wrap the component with <code>FeatureGate</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// app/dashboard/analytics/page.tsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">FeatureGate</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/components/FeatureGate</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AdvancedAnalyticsDashboard</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/components/AdvancedAnalyticsDashboard</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">AnalyticsPage</span><span class="p">()</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"p-6"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">h1</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-xl font-semibold mb-4"</span><span class="p">&gt;</span>Analytics<span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">FeatureGate</span> <span class="na">feature</span><span class="p">=</span><span class="s">"Advanced Analytics"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">AdvancedAnalyticsDashboard</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">FeatureGate</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzquwlc11mebswt6nwjbd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzquwlc11mebswt6nwjbd.png" alt="Dashboard showing the TrialBanner at the top with " width="800" height="502"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk5o82magvcpi9q7f6cfz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk5o82magvcpi9q7f6cfz.png" alt="The same dashboard with the trial expired — content blurred behind the TrialExpiredPaywall overlay showing " width="800" height="502"></a></p> <h2> Step #6: Handle the Upgrade — Moving From Trial to Paid </h2> <p>When a trial user clicks "Upgrade to Pro," they go through Kinde's hosted payment flow via the <code>RegisterLink</code> component with <code>planInterest="pro_monthly"</code>. After payment, Kinde switches the user's plan from <code>free_trial</code> to <code>pro_monthly</code>.</p> <p>Two things happen in your app automatically:</p> <p>First, the feature flags attached to the Pro plan remain active. The <code>advanced_analytics</code>, <code>api_access</code>, and <code>export_data</code> flags do not disappear — they continue to resolve as <code>true</code> because they are also attached to the Pro plan. The user notices no change in what they can access.</p> <p>Second, the <code>useTrialStatus</code> hook detects that the trial has ended but the plan flags are still active, and returns <code>status: "converted"</code>. The paywall never appears. The banner disappears.</p> <p>On the server side, Kinde fires a webhook when the subscription is created. Use this to record the conversion in your own database if needed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/webhooks/kinde/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeWebhookDecodedEvent</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde/webhooks</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextRequest</span><span class="p">,</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">event</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">event</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getKindeWebhookDecodedEvent</span><span class="p">(</span><span class="nx">request</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Unauthorized</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="kd">type</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">subscription.created</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">user_id</span><span class="p">,</span> <span class="nx">plan_key</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">data</span> <span class="k">as</span> <span class="p">{</span> <span class="na">user_id</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">plan_key</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">};</span> <span class="c1">// Record the conversion — trial user is now a paid customer</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">users</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">kindeId</span><span class="p">:</span> <span class="nx">user_id</span> <span class="p">},</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">plan</span><span class="p">:</span> <span class="nx">plan_key</span><span class="p">,</span> <span class="na">convertedAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(),</span> <span class="p">},</span> <span class="p">});</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Trial converted: user </span><span class="p">${</span><span class="nx">user_id</span><span class="p">}</span><span class="s2"> upgraded to </span><span class="p">${</span><span class="nx">plan_key</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">received</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>Note: the webhook is for your own record-keeping. The access control in your app should always read from the token — not from your database's <code>plan</code> column — because the token is always authoritative. The database record is useful for analytics, billing history, and support tooling.</p> <h2> Step #7: Test the Full Trial Lifecycle Without Waiting 14 Days </h2> <p>Testing a 14-day trial by waiting 14 days is not practical. Here are the three approaches for simulating trial state in development.</p> <h3> Approach 1: Manipulate the Trial Start Date </h3> <p>The quickest way to simulate an expiring or expired trial is to set the <code>trial_start</code> property to a past timestamp via the <a href="https://kinde.com/?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=13&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde Management API</a>. Create a test utility:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// scripts/set-trial-date.ts</span> <span class="c1">// Usage: npx ts-node scripts/set-trial-date.ts &lt;userId&gt; &lt;daysAgo&gt;</span> <span class="c1">// Example: npx ts-node scripts/set-trial-date.ts kp_abc123 13</span> <span class="c1">// Sets trial_start to 13 days ago — 1 day until expiry</span> <span class="kd">const</span> <span class="nx">userId</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">argv</span><span class="p">[</span><span class="mi">2</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">daysAgo</span> <span class="o">=</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">argv</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">0</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">trialStart</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">/</span> <span class="mi">1000</span><span class="p">)</span> <span class="o">-</span> <span class="nx">daysAgo</span> <span class="o">*</span> <span class="mi">86400</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">setTrialDate</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">tokenResponse</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span> <span class="s2">`https://</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">KINDE_DOMAIN</span><span class="p">}</span><span class="s2">/oauth2/token`</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/x-www-form-urlencoded</span><span class="dl">"</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">({</span> <span class="na">grant_type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">client_credentials</span><span class="dl">"</span><span class="p">,</span> <span class="na">client_id</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">KINDE_M2M_CLIENT_ID</span><span class="o">!</span><span class="p">,</span> <span class="na">client_secret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">KINDE_M2M_CLIENT_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="na">audience</span><span class="p">:</span> <span class="s2">`https://</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">KINDE_DOMAIN</span><span class="p">}</span><span class="s2">/api`</span><span class="p">,</span> <span class="p">}),</span> <span class="p">}</span> <span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">access_token</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">tokenResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span> <span class="s2">`https://</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">KINDE_DOMAIN</span><span class="p">}</span><span class="s2">/api/v1/user?id=</span><span class="p">${</span><span class="nx">userId</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">PATCH</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">access_token</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">properties</span><span class="p">:</span> <span class="p">{</span> <span class="na">trial_start</span><span class="p">:</span> <span class="nx">trialStart</span><span class="p">.</span><span class="nf">toString</span><span class="p">(),</span> <span class="p">},</span> <span class="p">}),</span> <span class="p">}</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span> <span class="s2">`Set trial_start to </span><span class="p">${</span><span class="nx">daysAgo</span><span class="p">}</span><span class="s2"> days ago for user </span><span class="p">${</span><span class="nx">userId</span><span class="p">}</span><span class="s2">`</span> <span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Trial expires in </span><span class="p">${</span><span class="mi">14</span> <span class="o">-</span> <span class="nx">daysAgo</span><span class="p">}</span><span class="s2"> days`</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="nf">setTrialDate</span><span class="p">();</span> </code></pre> </div> <p>Run it to simulate each trial state:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Active trial — 10 days remaining</span> npx ts-node scripts/set-trial-date.ts kp_abc123 4 <span class="c"># Expiring trial — 2 days remaining</span> npx ts-node scripts/set-trial-date.ts kp_abc123 12 <span class="c"># Expired trial</span> npx ts-node scripts/set-trial-date.ts kp_abc123 15 </code></pre> </div> <p>After running the script, the user needs to re-authenticate to get a fresh token with the updated <code>trial_start</code> value.</p> <h3> Approach 2: Override Trial Length in the Hook </h3> <p>For rapid UI development, add a <code>TRIAL_OVERRIDE_DAYS</code> environment variable that overrides the trial length:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// In useTrialStatus.ts, replace the constant with:</span> <span class="kd">const</span> <span class="nx">TRIAL_LENGTH_DAYS</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_TRIAL_OVERRIDE_DAYS</span> <span class="p">?</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_TRIAL_OVERRIDE_DAYS</span><span class="p">)</span> <span class="p">:</span> <span class="mi">14</span><span class="p">;</span> </code></pre> </div> <p>Set <code>NEXT_PUBLIC_TRIAL_OVERRIDE_DAYS=1</code> in <code>.env.local</code> during development. A trial that started today will expire tomorrow, letting you test the full lifecycle in 24 hours.</p> <h3> Approach 3: Use the Trial Status Storybook </h3> <p>For component-level testing, pass mock trial state directly to the components by extracting the hook logic into a context provider that can be overridden in tests:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// This pattern lets you render &lt;TrialBanner /&gt; with any trial state</span> <span class="c1">// in Storybook or Jest without needing a real Kinde token</span> <span class="kd">const</span> <span class="nx">mockTrialState</span><span class="p">:</span> <span class="nx">TrialState</span> <span class="o">=</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="dl">"</span><span class="s2">expiring</span><span class="dl">"</span><span class="p">,</span> <span class="na">daysRemaining</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">trialStartDate</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">-</span> <span class="mi">12</span> <span class="o">*</span> <span class="mi">86400</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">),</span> <span class="na">trialEndDate</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">+</span> <span class="mi">2</span> <span class="o">*</span> <span class="mi">86400</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">),</span> <span class="na">isPro</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">};</span> </code></pre> </div> <p>Wonderful! The full trial lifecycle — from first sign-up through expiry and upgrade — is now testable without waiting.</p> <h2> Putting It All Together </h2> <p>Here is the complete trial system mapped across all layers:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>What it does</th> <th>Where it lives</th> </tr> </thead> <tbody> <tr> <td>Free Trial plan (Kinde)</td> <td>$0.00 plan, no credit card, Pro feature flags attached</td> <td>Kinde Billing dashboard</td> </tr> <tr> <td>Workflow</td> <td>Stamps <code>trial_start</code> Unix timestamp on first sign-in</td> <td> <code>trialStartWorkflow.ts</code> pushed to Kinde</td> </tr> <tr> <td>Token customization</td> <td>Surfaces <code>trial_start</code> and feature flags in the access token</td> <td>Kinde application settings</td> </tr> <tr> <td> <code>useTrialStatus</code> hook</td> <td>Reads token claims, computes trial state</td> <td><code>hooks/useTrialStatus.ts</code></td> </tr> <tr> <td><code>TrialBanner</code></td> <td>Shows countdown, changes urgency at day 11</td> <td><code>components/TrialBanner.tsx</code></td> </tr> <tr> <td><code>TrialExpiredPaywall</code></td> <td>Blurs content, shows upgrade prompt on expiry</td> <td><code>components/TrialExpiredPaywall.tsx</code></td> </tr> <tr> <td><code>FeatureGate</code></td> <td>Locks individual features after expiry</td> <td><code>components/FeatureGate.tsx</code></td> </tr> <tr> <td>Webhook handler</td> <td>Records conversion in your database</td> <td><code>app/api/webhooks/kinde/route.ts</code></td> </tr> </tbody> </table></div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7p9odrlxnc21d6fm7b99.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7p9odrlxnc21d6fm7b99.png" alt="Full system showing a user signing up → hitting the Free Trial plan → Workflow stamps trial_start → token carries trial_start + feature flags → useTrialStatus computes state → three UI outcomes: active (banner + full access), expiring (urgent banner), expired (paywall)" width="800" height="820"></a></p> <h2> What Happens When Kinde Adds Native Trial Support </h2> <p>When Kinde ships built-in trial periods — which is on their roadmap — the migration from this approach is straightforward:</p> <p>The <code>trialStartWorkflow.ts</code> gets retired. The trial length configuration moves from your app's constant into the Kinde plan settings. Kinde handles the start date stamping automatically.</p> <p>The <code>useTrialStatus</code> hook gets simplified — instead of reading <code>application_properties.trial_start</code>, it reads a Kinde-provided trial claim directly from the token. The state logic (<code>active</code>, <code>expiring</code>, <code>expired</code>, <code>converted</code>) stays identical.</p> <p>The <code>TrialBanner</code>, <code>TrialExpiredPaywall</code>, <code>FeatureGate</code>, and webhook handler stay completely unchanged.</p> <p>The migration is a one-afternoon job, not a rewrite.</p> <h2> Conclusion </h2> <p>In this article, you built a complete free trial system using Kinde's existing billing primitives: a $0.00 Free Trial plan with Pro feature flags, a Workflow that stamps the trial start date on first sign-in, token customization that surfaces that date without a database query, and a <code>useTrialStatus</code> hook that drives every trial-aware UI decision from one place.</p> <p>The result is a trial system with no cron jobs, no database sync issues, no middleware that sometimes runs and sometimes does not. Trial state lives in the token. Your app reads it. The user sees the right thing at the right moment.</p> <p>Kinde is free for up to 10,500 monthly active users, no credit card required. Create your account at <a href="https://kinde.com/?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=13&amp;device=&amp;adposition=" rel="noopener noreferrer">kinde.com</a> and have your trial system running before lunch.</p> kinde tutorial webdev learning Shola Jegede Thu, 16 Apr 2026 17:29:50 +0000 https://forem.com/sholajegede/how-to-add-device-authorization-flow-to-your-app-with-kinde-1o69 https://forem.com/sholajegede/how-to-add-device-authorization-flow-to-your-app-with-kinde-1o69 <p><em>Most auth tutorials assume there is a browser. Here is what to do when there is not.</em></p> <p>In this article, you will learn:</p> <ul> <li>What the device authorization flow is and why it exists</li> <li>When to use it over other OAuth flows</li> <li>How to set up a Device and IoT application in Kinde</li> <li>How to implement the full flow end to end in Node.js</li> <li>How to poll for tokens correctly and handle every error state</li> <li>How to validate the access token on your API</li> </ul> <p>Let's dive in!</p> <h2> The Problem With Browser-Based Auth </h2> <p>Every standard OAuth flow assumes the same thing: the user is sitting in front of a browser, they can get redirected to a login page, and they can type their credentials into a form.</p> <p>That assumption breaks the moment you step outside the browser. A CLI tool cannot open a redirect. A smart TV has no way to display a full login form usably. A Raspberry Pi running a background process has no UI at all. An AI agent executing tasks on behalf of a user has no session to attach to.</p> <p>For all of these cases, the OAuth 2.0 Device Authorization Grant (defined in RFC 8628) is the right answer. Instead of redirecting the device to a login page, the device asks the authorization server for a short user code and a URL, displays them to the user, and then polls for a token while the user completes login on a separate device — their phone or laptop — that actually has a browser.</p> <p>The device never handles credentials. The user authenticates on a device they trust. The token lands on the original device once the user approves.</p> <p>This flow is why logging into Netflix on a smart TV works the way it does. It is also how tools like the GitHub CLI, the Vercel CLI, and the AWS CLI authenticate their users without opening a browser window programmatically.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu4z3hprp6krhskac2s0m.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu4z3hprp6krhskac2s0m.png" alt="Two-path flow. Left path labeled " width="800" height="213"></a></p> <h2> When to Use the Device Flow </h2> <p>The device flow is not a general-purpose replacement for the authorization code flow. Use it specifically when:</p> <ul> <li>Your application runs in a terminal or CLI and cannot reliably open a browser</li> <li>Your application runs on a device with limited or no input capabilities (smart TVs, set-top boxes, IoT hardware)</li> <li>You are building an AI agent or automation that needs to authenticate on behalf of a human user but runs in a headless environment</li> <li>You are building a desktop background process or daemon that needs user-level tokens without a UI</li> </ul> <p>For standard web apps, mobile apps, or SPAs where a browser is available, stick with the authorization code flow with PKCE. The device flow adds polling complexity that you do not need when a redirect is possible.</p> <h2> Prerequisites </h2> <p>Before writing any code, make sure you have:</p> <ul> <li>A <a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=7&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde</a> account — free to sign up, no credit card required</li> <li>Node.js 18 or later installed locally</li> <li>A basic understanding of OAuth 2.0 token concepts</li> </ul> <h2> Step #1: Create a Device and IoT Application in Kinde </h2> <p>The device authorization flow requires a specific application type in Kinde. You cannot use an existing web or SPA application for this — the application type determines which OAuth grants are allowed.</p> <p>In your Kinde dashboard, navigate to <strong>Applications</strong> and select <strong>Add application</strong>. Give it a descriptive name like <code>My CLI Tool</code> or <code>Device App</code>. Under application type, select <strong>Device and IoT</strong>. Select <strong>Save</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftqnaiio9tfjslzu2baqm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftqnaiio9tfjslzu2baqm.png" alt="Kinde dashboard showing the Add application modal with " width="800" height="501"></a></p> <p>Once created, open the application details and note the <strong>Client ID</strong>. You will need this in every request. Device and IoT applications in Kinde do not have a client secret — the flow is designed for public clients that cannot securely store secrets.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuk12rjurjc9o10x697p9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuk12rjurjc9o10x697p9.png" alt="The newly created Device and IoT application details page showing the Client ID field." width="800" height="502"></a></p> <p>Next, configure the authentication method for this application. Navigate to <strong>Settings &gt; Authentication</strong>, select <strong>Configure</strong> on the <strong>Passwordless &gt; Email + code</strong> card, and under <strong>Applications</strong> select the Device and IoT application you just created. Select <strong>Save</strong>.</p> <p>This tells Kinde to use email OTP as the authentication method when a user goes to the verification URL from this application. Users will receive a one-time code by email rather than needing a password.</p> <h2> Step #2: Understand the Full Flow </h2> <p>Before writing code, it helps to see the complete sequence clearly.</p> <p><strong>Phase 1 — Device requests authorization:</strong><br> Your device (the CLI, the TV, the background process) sends a POST request to Kinde's device authorization endpoint. Kinde responds with a <code>device_code</code>, a <code>user_code</code>, a <code>verification_uri</code>, and a <code>verification_uri_complete</code>.</p> <p><strong>Phase 2 — User authenticates:</strong><br> Your device displays the <code>user_code</code> and the <code>verification_uri</code> to the user. The user visits the URL on their phone or laptop, enters the code, and authenticates through Kinde's normal login flow.</p> <p><strong>Phase 3 — Device polls for token:</strong><br> While the user is authenticating, your device polls Kinde's token endpoint every few seconds using the <code>device_code</code>. Kinde returns <code>authorization_pending</code> until the user completes login, at which point it returns the access token.</p> <p><strong>Phase 4 — Device uses the token:</strong><br> Your device now has a standard OAuth 2.0 Bearer token. It uses this to call your API.</p> <p>The <code>device_code</code> is what your device uses internally. The <code>user_code</code> is what the human types. The <code>verification_uri_complete</code> is the full URL with the code pre-filled — useful for generating a QR code so the user does not have to type anything.</p> <h2> Step #3: Request the Device Code </h2> <p>Here is the first API call your device makes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/auth.ts</span> <span class="k">import</span> <span class="nx">https</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">https</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">URLSearchParams</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">url</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">KINDE_DOMAIN</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">YOUR_SUBDOMAIN.kinde.com</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">CLIENT_ID</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">YOUR_CLIENT_ID</span><span class="dl">"</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">DeviceCodeResponse</span> <span class="p">{</span> <span class="nl">device_code</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">user_code</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">verification_uri</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">verification_uri_complete</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">expires_in</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// how long the codes are valid (seconds)</span> <span class="nl">interval</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// minimum polling interval (seconds)</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">requestDeviceCode</span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">DeviceCodeResponse</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">({</span> <span class="na">client_id</span><span class="p">:</span> <span class="nx">CLIENT_ID</span><span class="p">,</span> <span class="na">scope</span><span class="p">:</span> <span class="dl">"</span><span class="s2">openid profile email offline</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span> <span class="s2">`https://</span><span class="p">${</span><span class="nx">KINDE_DOMAIN</span><span class="p">}</span><span class="s2">/oauth2/device/auth`</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/x-www-form-urlencoded</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nf">toString</span><span class="p">(),</span> <span class="p">}</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">error</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">text</span><span class="p">();</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Device code request failed: </span><span class="p">${</span><span class="nx">error</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="k">as</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">DeviceCodeResponse</span><span class="o">&gt;</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>The <code>scope</code> values follow the standard OIDC conventions: <code>openid</code> requests an ID token, <code>profile</code> and <code>email</code> include the user's name and email in the token claims, and <code>offline</code> requests a refresh token so you can obtain new access tokens without requiring the user to re-authenticate.</p> <p>The response from Kinde looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"device_code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"kinde_dc_..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"user_code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CSLDFDUU"</span><span class="p">,</span><span class="w"> </span><span class="nl">"verification_uri"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://your-subdomain.kinde.com/device"</span><span class="p">,</span><span class="w"> </span><span class="nl">"verification_uri_complete"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://your-subdomain.kinde.com/device?user_code=CSLDFDUU"</span><span class="p">,</span><span class="w"> </span><span class="nl">"expires_in"</span><span class="p">:</span><span class="w"> </span><span class="mi">600</span><span class="p">,</span><span class="w"> </span><span class="nl">"interval"</span><span class="p">:</span><span class="w"> </span><span class="mi">5</span><span class="p">,</span><span class="w"> </span><span class="nl">"qr_code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"data:image/png;base64,..."</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The <code>user_code</code> in Kinde is formatted as 8 uppercase characters for easy manual entry. The <code>expires_in</code> is 600 seconds (10 minutes) — that is how long the user has to complete the login before the codes expire. The <code>qr_code</code> field is a base64-encoded PNG image that you can render directly on screen, which means users with a camera can scan it instead of typing the URL and code manually.</p> <h2> Step #4: Display the Code to the User </h2> <p>Once you have the device code response, show the user what they need to do. For a CLI tool this is straightforward:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/cli.ts</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">startAuth</span><span class="p">()</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="se">\n</span><span class="s2">Requesting authorization...</span><span class="se">\n</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">deviceCodeData</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">requestDeviceCode</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">To authenticate, visit:</span><span class="dl">"</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`\n </span><span class="p">${</span><span class="nx">deviceCodeData</span><span class="p">.</span><span class="nx">verification_uri</span><span class="p">}</span><span class="s2">\n`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Enter this code: </span><span class="p">${</span><span class="nx">deviceCodeData</span><span class="p">.</span><span class="nx">user_code</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`\nOr open this URL directly (code pre-filled):`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`\n </span><span class="p">${</span><span class="nx">deviceCodeData</span><span class="p">.</span><span class="nx">verification_uri_complete</span><span class="p">}</span><span class="s2">\n`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Or scan the QR code if your device can display images.\n`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span> <span class="s2">`Waiting for you to authenticate... (expires in </span><span class="p">${</span><span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="nx">deviceCodeData</span><span class="p">.</span><span class="nx">expires_in</span> <span class="o">/</span> <span class="mi">60</span><span class="p">)}</span><span class="s2"> minutes)\n`</span> <span class="p">);</span> <span class="c1">// Begin polling</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">pollForToken</span><span class="p">(</span><span class="nx">deviceCodeData</span><span class="p">);</span> <span class="k">return</span> <span class="nx">token</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>For a smart TV or embedded device, you would render the <code>user_code</code> prominently on screen alongside the <code>verification_uri</code>, or generate a QR code from <code>verification_uri_complete</code> so the user can scan it with their phone without typing anything.</p> <h2> Step #5: Poll for the Token </h2> <p>This is where most implementations go wrong. Polling is not just "keep hitting the token endpoint until it works." There are specific error states you must handle correctly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/auth.ts</span> <span class="kr">interface</span> <span class="nx">TokenResponse</span> <span class="p">{</span> <span class="nl">access_token</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">id_token</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">refresh_token</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">expires_in</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">token_type</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="kd">type</span> <span class="nx">PollError</span> <span class="o">=</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">authorization_pending</span><span class="dl">"</span> <span class="c1">// user has not finished yet — keep polling</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">slow_down</span><span class="dl">"</span> <span class="c1">// polling too fast — increase interval by 5 seconds</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">access_denied</span><span class="dl">"</span> <span class="c1">// user explicitly denied — stop polling</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">expired_token</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// codes have expired — restart the flow</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">pollForToken</span><span class="p">(</span> <span class="nx">deviceCodeData</span><span class="p">:</span> <span class="nx">DeviceCodeResponse</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">TokenResponse</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">interval</span> <span class="o">=</span> <span class="nx">deviceCodeData</span><span class="p">.</span><span class="nx">interval</span><span class="p">;</span> <span class="c1">// start at 5 seconds</span> <span class="kd">const</span> <span class="nx">expiresAt</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">+</span> <span class="nx">deviceCodeData</span><span class="p">.</span><span class="nx">expires_in</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">;</span> <span class="k">while </span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">&lt;</span> <span class="nx">expiresAt</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Wait the current interval before polling</span> <span class="k">await</span> <span class="nf">sleep</span><span class="p">(</span><span class="nx">interval</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">({</span> <span class="na">grant_type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">urn:ietf:params:oauth:grant-type:device_code</span><span class="dl">"</span><span class="p">,</span> <span class="na">client_id</span><span class="p">:</span> <span class="nx">CLIENT_ID</span><span class="p">,</span> <span class="na">device_code</span><span class="p">:</span> <span class="nx">deviceCodeData</span><span class="p">.</span><span class="nx">device_code</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`https://</span><span class="p">${</span><span class="nx">KINDE_DOMAIN</span><span class="p">}</span><span class="s2">/oauth2/token`</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/x-www-form-urlencoded</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nf">toString</span><span class="p">(),</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// User authenticated — we have a token</span> <span class="k">return</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="k">as</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">TokenResponse</span><span class="o">&gt;</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">error</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="k">as</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="nx">PollError</span><span class="p">;</span> <span class="nl">error_description</span><span class="p">?:</span> <span class="kr">string</span> <span class="p">};</span> <span class="k">switch </span><span class="p">(</span><span class="nx">error</span><span class="p">.</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">case</span> <span class="dl">"</span><span class="s2">authorization_pending</span><span class="dl">"</span><span class="p">:</span> <span class="c1">// Normal state — user has not finished yet, keep waiting</span> <span class="k">continue</span><span class="p">;</span> <span class="k">case</span> <span class="dl">"</span><span class="s2">slow_down</span><span class="dl">"</span><span class="p">:</span> <span class="c1">// We are polling too fast — increase interval by 5 seconds</span> <span class="nx">interval</span> <span class="o">+=</span> <span class="mi">5</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Slowing down polling to every </span><span class="p">${</span><span class="nx">interval</span><span class="p">}</span><span class="s2"> seconds...`</span><span class="p">);</span> <span class="k">continue</span><span class="p">;</span> <span class="k">case</span> <span class="dl">"</span><span class="s2">access_denied</span><span class="dl">"</span><span class="p">:</span> <span class="c1">// User explicitly denied the authorization</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Authorization was denied by the user.</span><span class="dl">"</span><span class="p">);</span> <span class="k">case</span> <span class="dl">"</span><span class="s2">expired_token</span><span class="dl">"</span><span class="p">:</span> <span class="c1">// The device code has expired — need to restart</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span> <span class="dl">"</span><span class="s2">The authorization code expired. Please run the command again.</span><span class="dl">"</span> <span class="p">);</span> <span class="nl">default</span><span class="p">:</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span> <span class="s2">`Unexpected error during polling: </span><span class="p">${</span><span class="nx">error</span><span class="p">.</span><span class="nx">error</span><span class="p">}</span><span class="s2"> — </span><span class="p">${</span><span class="nx">error</span><span class="p">.</span><span class="nx">error_description</span><span class="p">}</span><span class="s2">`</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span> <span class="dl">"</span><span class="s2">Authentication timed out. Please run the command again.</span><span class="dl">"</span> <span class="p">);</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">sleep</span><span class="p">(</span><span class="nx">ms</span><span class="p">:</span> <span class="kr">number</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">((</span><span class="nx">resolve</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">resolve</span><span class="p">,</span> <span class="nx">ms</span><span class="p">));</span> <span class="p">}</span> </code></pre> </div> <p>A few things to pay attention to here:</p> <p><strong>Always wait before the first poll.</strong> The <code>interval</code> from the response is the minimum time between requests. Make the first poll after waiting that interval, not immediately after displaying the code to the user.</p> <p><strong>Handle <code>slow_down</code> correctly.</strong> When Kinde returns <code>slow_down</code>, you must increase your polling interval by 5 seconds for that request and all subsequent requests. Ignoring this and continuing at the original interval will result in your requests being rejected.</p> <p><strong>Respect <code>expires_in</code>.</strong> Stop polling when the device code expires. Do not continue indefinitely. If the code expires, the user needs to restart the process.</p> <p><strong>Distinguish <code>authorization_pending</code> from errors.</strong> <code>authorization_pending</code> is not an error — it just means the user has not finished yet. Everything else in the error response is a real problem that requires action.</p> <h2> Step #6: Store and Use the Token </h2> <p>Once polling succeeds, you have a standard OAuth 2.0 Bearer token. Store it securely and use it to authenticate API requests.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/token-store.ts</span> <span class="k">import</span> <span class="nx">fs</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">fs</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">os</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">os</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">path</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">path</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">TOKEN_PATH</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">os</span><span class="p">.</span><span class="nf">homedir</span><span class="p">(),</span> <span class="dl">"</span><span class="s2">.myapp</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">token.json</span><span class="dl">"</span><span class="p">);</span> <span class="kr">interface</span> <span class="nx">StoredToken</span> <span class="p">{</span> <span class="nl">access_token</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">refresh_token</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">expires_at</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// Unix timestamp in ms</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">saveToken</span><span class="p">(</span><span class="nx">tokenResponse</span><span class="p">:</span> <span class="nx">TokenResponse</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">dir</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">dirname</span><span class="p">(</span><span class="nx">TOKEN_PATH</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">fs</span><span class="p">.</span><span class="nf">existsSync</span><span class="p">(</span><span class="nx">dir</span><span class="p">))</span> <span class="p">{</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">mkdirSync</span><span class="p">(</span><span class="nx">dir</span><span class="p">,</span> <span class="p">{</span> <span class="na">recursive</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="na">stored</span><span class="p">:</span> <span class="nx">StoredToken</span> <span class="o">=</span> <span class="p">{</span> <span class="na">access_token</span><span class="p">:</span> <span class="nx">tokenResponse</span><span class="p">.</span><span class="nx">access_token</span><span class="p">,</span> <span class="na">refresh_token</span><span class="p">:</span> <span class="nx">tokenResponse</span><span class="p">.</span><span class="nx">refresh_token</span><span class="p">,</span> <span class="na">expires_at</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">+</span> <span class="nx">tokenResponse</span><span class="p">.</span><span class="nx">expires_in</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="p">};</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">writeFileSync</span><span class="p">(</span><span class="nx">TOKEN_PATH</span><span class="p">,</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">stored</span><span class="p">,</span> <span class="kc">null</span><span class="p">,</span> <span class="mi">2</span><span class="p">),</span> <span class="p">{</span> <span class="na">mode</span><span class="p">:</span> <span class="mo">0o600</span><span class="p">,</span> <span class="c1">// owner read/write only</span> <span class="p">});</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">loadToken</span><span class="p">():</span> <span class="nx">StoredToken</span> <span class="o">|</span> <span class="kc">null</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">fs</span><span class="p">.</span><span class="nf">existsSync</span><span class="p">(</span><span class="nx">TOKEN_PATH</span><span class="p">))</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="nx">TOKEN_PATH</span><span class="p">,</span> <span class="dl">"</span><span class="s2">utf-8</span><span class="dl">"</span><span class="p">))</span> <span class="k">as</span> <span class="nx">StoredToken</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">isTokenExpired</span><span class="p">(</span><span class="nx">token</span><span class="p">:</span> <span class="nx">StoredToken</span><span class="p">):</span> <span class="nx">boolean</span> <span class="p">{</span> <span class="c1">// Add a 60-second buffer to account for clock skew</span> <span class="k">return</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">&gt;=</span> <span class="nx">token</span><span class="p">.</span><span class="nx">expires_at</span> <span class="o">-</span> <span class="mi">60</span><span class="nx">_000</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>The file permissions on the token file (<code>0o600</code>) are important. This ensures only the current user can read the stored token, which matters when your tool runs on a shared machine.</p> <p>To call your API with the token:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/api.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">loadToken</span><span class="p">,</span> <span class="nx">isTokenExpired</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./token-store</span><span class="dl">"</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">callApi</span><span class="p">(</span><span class="nx">endpoint</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">unknown</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">stored</span> <span class="o">=</span> <span class="nf">loadToken</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">stored</span> <span class="o">||</span> <span class="nf">isTokenExpired</span><span class="p">(</span><span class="nx">stored</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span> <span class="dl">"</span><span class="s2">Not authenticated or session expired. Run `myapp login` to authenticate.</span><span class="dl">"</span> <span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`https://api.yourapp.com</span><span class="p">${</span><span class="nx">endpoint</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">stored</span><span class="p">.</span><span class="nx">access_token</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="mi">401</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span> <span class="dl">"</span><span class="s2">Authentication failed. Run `myapp login` to re-authenticate.</span><span class="dl">"</span> <span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Step #7: Validate the Token on Your API </h2> <p>The device receives a standard JWT access token issued by Kinde. Your API validates it the same way it validates tokens from any other Kinde flow — by checking the signature against Kinde's public JWKS endpoint.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// api-server/middleware/auth.ts</span> <span class="k">import</span> <span class="nx">jwt</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">jsonwebtoken</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">jwksClient</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">jwks-rsa</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">KINDE_DOMAIN</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">YOUR_SUBDOMAIN.kinde.com</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="nf">jwksClient</span><span class="p">({</span> <span class="na">jwksUri</span><span class="p">:</span> <span class="s2">`https://</span><span class="p">${</span><span class="nx">KINDE_DOMAIN</span><span class="p">}</span><span class="s2">/.well-known/jwks.json`</span><span class="p">,</span> <span class="na">cache</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">cacheMaxAge</span><span class="p">:</span> <span class="mi">600</span><span class="nx">_000</span><span class="p">,</span> <span class="c1">// cache keys for 10 minutes</span> <span class="p">});</span> <span class="kd">function</span> <span class="nf">getSigningKey</span><span class="p">(</span> <span class="nx">header</span><span class="p">:</span> <span class="nx">jwt</span><span class="p">.</span><span class="nx">JwtHeader</span><span class="p">,</span> <span class="nx">callback</span><span class="p">:</span> <span class="nx">jwt</span><span class="p">.</span><span class="nx">SigningKeyCallback</span> <span class="p">)</span> <span class="p">{</span> <span class="nx">client</span><span class="p">.</span><span class="nf">getSigningKey</span><span class="p">(</span><span class="nx">header</span><span class="p">.</span><span class="nx">kid</span><span class="o">!</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">key</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="k">return</span> <span class="nf">callback</span><span class="p">(</span><span class="nx">err</span><span class="p">);</span> <span class="nf">callback</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="nx">key</span><span class="o">!</span><span class="p">.</span><span class="nf">getPublicKey</span><span class="p">());</span> <span class="p">});</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">verifyToken</span><span class="p">(</span> <span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">Response</span><span class="p">,</span> <span class="nx">next</span><span class="p">:</span> <span class="nx">NextFunction</span> <span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">authHeader</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">"</span><span class="s2">authorization</span><span class="dl">"</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">authHeader</span><span class="p">?.</span><span class="nf">split</span><span class="p">(</span><span class="dl">"</span><span class="s2"> </span><span class="dl">"</span><span class="p">)[</span><span class="mi">1</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">No token provided</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span> <span class="nx">token</span><span class="p">,</span> <span class="nx">getSigningKey</span><span class="p">,</span> <span class="p">{</span> <span class="na">algorithms</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">RS256</span><span class="dl">"</span><span class="p">],</span> <span class="na">issuer</span><span class="p">:</span> <span class="s2">`https://</span><span class="p">${</span><span class="nx">KINDE_DOMAIN</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">},</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">decoded</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid token</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Attach the decoded claims to the request for use in route handlers</span> <span class="p">(</span><span class="nx">req</span> <span class="k">as</span> <span class="kr">any</span><span class="p">).</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">decoded</span><span class="p">;</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The token issued via device flow contains the same claims as any other Kinde access token: <code>sub</code> (the user's Kinde ID), <code>email</code>, <code>name</code>, <code>org_code</code> if the user is in an organization, and any roles and permissions you have configured. Your API does not need to know or care that the token came from a device flow — the validation is identical.</p> <h2> Putting It All Together </h2> <p>Here is a complete CLI entry point that wires up everything above:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/index.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">startAuth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./auth</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">saveToken</span><span class="p">,</span> <span class="nx">loadToken</span><span class="p">,</span> <span class="nx">isTokenExpired</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./token-store</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">callApi</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./api</span><span class="dl">"</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">command</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">argv</span><span class="p">[</span><span class="mi">2</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="nx">command</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">login</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Starting authentication...</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">startAuth</span><span class="p">();</span> <span class="nf">saveToken</span><span class="p">(</span><span class="nx">token</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="se">\n</span><span class="s2">Authenticated successfully. You can now use the CLI.</span><span class="se">\n</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">command</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">whoami</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">stored</span> <span class="o">=</span> <span class="nf">loadToken</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">stored</span> <span class="o">||</span> <span class="nf">isTokenExpired</span><span class="p">(</span><span class="nx">stored</span><span class="p">))</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Not authenticated. Run `myapp login` first.</span><span class="dl">"</span><span class="p">);</span> <span class="nx">process</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">callApi</span><span class="p">(</span><span class="dl">"</span><span class="s2">/me</span><span class="dl">"</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">command</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">logout</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">tokenPath</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">os</span><span class="p">.</span><span class="nf">homedir</span><span class="p">(),</span> <span class="dl">"</span><span class="s2">.myapp</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">token.json</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">fs</span><span class="p">.</span><span class="nf">existsSync</span><span class="p">(</span><span class="nx">tokenPath</span><span class="p">))</span> <span class="p">{</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">unlinkSync</span><span class="p">(</span><span class="nx">tokenPath</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Logged out successfully.</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">No active session found.</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Usage: myapp &lt;login|whoami|logout&gt;</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="nf">main</span><span class="p">().</span><span class="k">catch</span><span class="p">((</span><span class="nx">err</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">);</span> <span class="nx">process</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Running <code>myapp login</code> kicks off the device flow, shows the user a code and URL, polls until they authenticate, and saves the token locally. Every subsequent command loads the token silently from disk and uses it without interrupting the user.</p> <h2> Common Mistakes to Avoid </h2> <p><strong>Polling immediately after displaying the code.</strong> Always wait the <code>interval</code> before the first poll. Hitting the token endpoint immediately wastes a request and may trigger rate limiting.</p> <p><strong>Not handling <code>slow_down</code>.</strong> If you receive a <code>slow_down</code> error and keep polling at the same rate, your requests will continue to fail. Increase the interval by 5 seconds and keep increasing it if you receive the error again.</p> <p><strong>Restarting the whole flow when <code>authorization_pending</code> is returned.</strong> <code>authorization_pending</code> means keep waiting, not start over. Only restart the flow if you receive <code>expired_token</code> or if the <code>expires_in</code> window has elapsed.</p> <p><strong>Storing the token with world-readable permissions.</strong> A token file stored at <code>~/.myapp/token.json</code> with permissions <code>0o644</code> can be read by other users on the same machine. Always write token files with <code>0o600</code>.</p> <p><strong>Not handling token expiry.</strong> Access tokens from Kinde expire after one hour by default. Check the expiry before every API call and prompt the user to re-authenticate if the token is expired. If you requested a refresh token (by including <code>offline</code> in your scopes), you can use it to get a new access token silently.</p> <h2> What This Enables </h2> <p>With device authorization flow in place, your CLI, IoT device, or headless process can authenticate real users through Kinde's full auth stack — including MFA, SSO, and org-scoped tokens — without any of that logic living in your device code. The user authenticates on a device they trust, your device gets a token, and your API validates it the same way it validates every other token.</p> <p>For AI agents and automation workflows that need to act on behalf of authenticated users, this flow is the right foundation. The agent does not handle credentials. The user authorizes it explicitly. The token carries the same org and permission claims as any browser-based session.</p> <p><a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=7&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde</a> handles the auth infrastructure — the user code generation, the verification page, the token issuance, the JWKS endpoint — so the only code you write is the polling loop and the token storage. Sign up for free and have your first device flow working in under an hour.</p> webdev kinde learning programming Shola Jegede Thu, 16 Apr 2026 11:48:28 +0000 https://forem.com/sholajegede/how-to-audit-who-did-what-in-your-multi-tenant-app-building-an-activity-log-with-convex-and-kinde-4n25 https://forem.com/sholajegede/how-to-audit-who-did-what-in-your-multi-tenant-app-building-an-activity-log-with-convex-and-kinde-4n25 <p><em>Enterprise customers will not sign on the dotted line until they can answer: "Who did what, and when?" Here is how to build the activity log that closes that gap.</em></p> <p>In this article, you will learn:</p> <ul> <li>Why audit logs are no longer optional for multi-tenant SaaS — and what it costs you when they are missing</li> <li>How to design an <code>activityLogs</code> schema in Convex that handles high-volume writes without slowing down your queries</li> <li>Why you should denormalize actor fields at write time and what happens when you do not</li> <li>How to build a single <code>auditLog</code> helper that every mutation calls — and why it being transactional is the whole point</li> <li>How to pull actor identity from Kinde's server session and attach it to every log entry</li> <li>How to build a filterable, paginated, real-time activity feed that org members can view</li> <li>How to export activity logs as CSV for compliance teams</li> <li>How to guarantee that no organization ever sees another organization's activity</li> </ul> <p>Let's dive in!</p> <h2> The Audit Log Gap That Costs You Enterprise Deals </h2> <p>There is a specific moment in enterprise procurement that catches most SaaS founders off guard. You have passed the security review. The procurement lead likes the product. Then someone from IT or legal asks: "If an admin deletes something or changes a permission, can we see who did it and when?"</p> <p>If the answer is no, the deal stalls — sometimes indefinitely. Enterprise customers are not being bureaucratic. They have legal obligations around data access records, SOC 2 and ISO 27001 auditors who ask for evidence of access trails, and internal IT teams that need to investigate incidents when they happen. An audit log is not a backlog item. It is infrastructure that determines whether your app is deployable inside a governed organization.</p> <p>The other problem is internal. When a team member emails asking why a document disappeared, or when a customer opens a support ticket claiming their settings were changed without their knowledge, you have nothing to show them without an activity log. You either stare at database timestamps trying to reconstruct what happened, or you tell them you cannot find out. Neither is acceptable once you have paying customers.</p> <p>Building this correctly is not complicated if you do it at the right layer. This article builds a complete, production-ready activity log for a multi-tenant Next.js app using Convex and <a href="https://kinde.com?utm_source=fcc&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=4&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde</a>. The pattern it establishes — a single helper, called inside every mutation, committed in the same transaction as the action itself — means you will never have a mutation that fires without a corresponding log entry.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fale0j1x7ed8664fxvnmo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fale0j1x7ed8664fxvnmo.png" alt="Three columns connected by arrows. Left column labeled " width="800" height="361"></a></p> <h2> Why Convex Is the Right Database for Audit Logs </h2> <p>Audit logs have a write pattern that is unusual compared to most application data. Entries are inserted at high frequency, almost never updated, never deleted within your retention window, and queried in time-range windows filtered by organization, actor, or resource type.</p> <p><a href="https://dashboard.convex.dev" rel="noopener noreferrer">Convex</a> handles this well for three reasons.</p> <p><strong>Writes are transactional and co-located with your mutations.</strong> Because your mutation and your <code>auditLog</code> call live in the same Convex function and commit in the same transaction, you cannot have a state where a document was deleted but no log entry was written. Either both commit or neither does. This property is not free in architectures where you fire a side-effect call to a separate logging service after the mutation returns — a network failure between the two leaves your audit trail permanently inconsistent.</p> <p><strong>Compound indexes make time-range queries fast.</strong> Filtering by <code>organizationId</code> and then ordering by creation time is exactly the access pattern an activity feed needs. Convex's index system keeps that query fast as the table grows into hundreds of thousands of rows.</p> <p><strong>Reactive queries give you a live feed for free.</strong> A feed component that uses <code>useQuery</code> on your log query will update in real time whenever new entries are written — without polling, without manual WebSocket management, without any extra code. Convex tracks the query's data dependencies and pushes updates automatically.</p> <h2> Schema </h2> <p>Add the <code>activityLogs</code> table to your <code>convex/schema.ts</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// convex/schema.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">defineSchema</span><span class="p">,</span> <span class="nx">defineTable</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">convex/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">v</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">convex/values</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">defineSchema</span><span class="p">({</span> <span class="c1">// ... your existing tables</span> <span class="na">activityLogs</span><span class="p">:</span> <span class="nf">defineTable</span><span class="p">({</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">id</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizations</span><span class="dl">"</span><span class="p">),</span> <span class="na">actorId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="c1">// Kinde user ID — e.g. "kp_123abc"</span> <span class="na">actorEmail</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="c1">// Denormalized for display — no join required</span> <span class="na">actorName</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="c1">// Same reason: accounts get deleted, names change</span> <span class="na">action</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="c1">// "document.created", "member.role_changed", etc.</span> <span class="na">resourceType</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="c1">// "document", "member", "role", "settings"</span> <span class="na">resourceId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">optional</span><span class="p">(</span><span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">()),</span> <span class="c1">// ID of the affected resource</span> <span class="na">resourceLabel</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">optional</span><span class="p">(</span><span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">()),</span> <span class="c1">// Human-readable name at the time of action</span> <span class="na">metadata</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">optional</span><span class="p">(</span><span class="nx">v</span><span class="p">.</span><span class="nf">any</span><span class="p">()),</span> <span class="c1">// Action-specific context: before/after diffs, etc.</span> <span class="na">ipAddress</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">optional</span><span class="p">(</span><span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">()),</span> <span class="p">})</span> <span class="p">.</span><span class="nf">index</span><span class="p">(</span><span class="dl">"</span><span class="s2">by_organization</span><span class="dl">"</span><span class="p">,</span> <span class="p">[</span><span class="dl">"</span><span class="s2">organizationId</span><span class="dl">"</span><span class="p">])</span> <span class="p">.</span><span class="nf">index</span><span class="p">(</span><span class="dl">"</span><span class="s2">by_org_and_actor</span><span class="dl">"</span><span class="p">,</span> <span class="p">[</span><span class="dl">"</span><span class="s2">organizationId</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">actorId</span><span class="dl">"</span><span class="p">])</span> <span class="p">.</span><span class="nf">index</span><span class="p">(</span><span class="dl">"</span><span class="s2">by_org_and_resource_type</span><span class="dl">"</span><span class="p">,</span> <span class="p">[</span><span class="dl">"</span><span class="s2">organizationId</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">resourceType</span><span class="dl">"</span><span class="p">]),</span> <span class="p">});</span> </code></pre> </div> <p>Several design decisions here are worth explaining before you move on.</p> <p><strong>Denormalize actor fields.</strong> <code>actorEmail</code> and <code>actorName</code> are stored directly on the log entry — not as foreign keys to a users table. This means you never need a join to render the activity feed, and the log permanently records who performed the action at the time it happened, not who the account belongs to now. User display names change. Accounts get suspended or deleted. People leave companies. The audit trail must be immutable after write, which means capturing the actor's identity at write time.</p> <p><strong>Use a string for <code>actorId</code>, not a Convex document ID.</strong> Kinde user IDs are strings (e.g. <code>kp_abc123def</code>). Storing the Kinde ID directly means no lookup layer and no dependency on your local <code>users</code> table — the ID remains valid and meaningful even if you migrate or restructure your user data.</p> <p><strong>Store <code>resourceLabel</code>.</strong> When a document is deleted, the document is gone. If you only stored the resource ID, the log entry for <code>document.deleted</code> would show a dead reference with no human-readable context. Capture the label at write time, before the deletion.</p> <p><strong>Three indexes, not one.</strong> The primary access pattern is all logs for an org ordered by time descending. The secondary patterns are filtering by actor ("show me everything Alice did this week") and filtering by resource type ("show me all role changes"). Three focused indexes handle all three without full table scans. Per Convex best practices, <code>by_org_and_resource_type</code> is compound — you always scope to an organization first, so a standalone <code>by_resource_type</code> index would be redundant.</p> <p><strong><code>metadata</code> is typed loosely by design.</strong> A <code>document.shared</code> event needs to capture who it was shared with. A <code>member.role_changed</code> event needs the before and after role values. A <code>settings.updated</code> event needs the field that changed and its old and new values. Rather than adding a column for every possible shape, <code>metadata</code> holds the action-specific payload and you validate it at the call site.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2erpqw17p7u923ny4e39.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2erpqw17p7u923ny4e39.png" alt="The activityLogs table schema with all fields and their types listed. A dotted arrow connects organizationId to a separate organizations table box, labeled " id="" width="800" height="648"></a></p> <h2> The <code>auditLog</code> Helper </h2> <p>Create <code>convex/lib/audit.ts</code>. Every mutation in your app will call this one function. Centralizing it here means you change audit log behavior in exactly one place.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// convex/lib/audit.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">MutationCtx</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../_generated/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Id</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../_generated/dataModel</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">type</span> <span class="nx">AuditAction</span> <span class="o">=</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">document.created</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">document.updated</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">document.deleted</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">document.shared</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">document.unshared</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">member.invited</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">member.removed</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">member.role_changed</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">invitation.accepted</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">invitation.revoked</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">role.created</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">role.updated</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">role.deleted</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">settings.updated</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">billing.plan_changed</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">org.created</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">type</span> <span class="nx">ResourceType</span> <span class="o">=</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">document</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">member</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">invitation</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">role</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">settings</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">billing</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">org</span><span class="dl">"</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">AuditLogParams</span> <span class="p">{</span> <span class="nl">ctx</span><span class="p">:</span> <span class="nx">MutationCtx</span><span class="p">;</span> <span class="nl">organizationId</span><span class="p">:</span> <span class="nx">Id</span><span class="o">&lt;</span><span class="dl">"</span><span class="s2">organizations</span><span class="dl">"</span><span class="o">&gt;</span><span class="p">;</span> <span class="nl">actorId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">actorEmail</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">actorName</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">action</span><span class="p">:</span> <span class="nx">AuditAction</span><span class="p">;</span> <span class="nl">resourceType</span><span class="p">:</span> <span class="nx">ResourceType</span><span class="p">;</span> <span class="nl">resourceId</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">resourceLabel</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">metadata</span><span class="p">?:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">unknown</span><span class="o">&gt;</span><span class="p">;</span> <span class="nl">ipAddress</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">auditLog</span><span class="p">({</span> <span class="nx">ctx</span><span class="p">,</span> <span class="nx">organizationId</span><span class="p">,</span> <span class="nx">actorId</span><span class="p">,</span> <span class="nx">actorEmail</span><span class="p">,</span> <span class="nx">actorName</span><span class="p">,</span> <span class="nx">action</span><span class="p">,</span> <span class="nx">resourceType</span><span class="p">,</span> <span class="nx">resourceId</span><span class="p">,</span> <span class="nx">resourceLabel</span><span class="p">,</span> <span class="nx">metadata</span><span class="p">,</span> <span class="nx">ipAddress</span><span class="p">,</span> <span class="p">}:</span> <span class="nx">AuditLogParams</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="nf">insert</span><span class="p">(</span><span class="dl">"</span><span class="s2">activityLogs</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="nx">organizationId</span><span class="p">,</span> <span class="nx">actorId</span><span class="p">,</span> <span class="nx">actorEmail</span><span class="p">,</span> <span class="nx">actorName</span><span class="p">,</span> <span class="nx">action</span><span class="p">,</span> <span class="nx">resourceType</span><span class="p">,</span> <span class="nx">resourceId</span><span class="p">,</span> <span class="nx">resourceLabel</span><span class="p">,</span> <span class="nx">metadata</span><span class="p">,</span> <span class="nx">ipAddress</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>The function signature is explicit by design. <code>AuditAction</code> and <code>ResourceType</code> are union types — TypeScript enforces them at compile time, so a typo like <code>"document.creatd"</code> fails the build rather than silently writing a malformed entry into your audit trail. The function does exactly one thing: insert. Any filtering, validation, or transformation happens at the call site inside the mutation that needs it.</p> <h2> Pulling Actor Identity From Kinde </h2> <p>Before looking at how mutations call <code>auditLog</code>, you need a reliable way to get the current user's Kinde ID, email, and display name inside a Convex mutation.</p> <p>The standard pattern is a <code>getCurrentUser</code> helper that queries your local <code>users</code> table using the Kinde user ID embedded in the Convex auth token. Your <code>users</code> table gets populated during the post-login callback — either via a Convex mutation called from the Next.js auth handler, or by checking on first load.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// convex/lib/auth.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">QueryCtx</span><span class="p">,</span> <span class="nx">MutationCtx</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../_generated/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getCurrentUser</span><span class="p">(</span><span class="nx">ctx</span><span class="p">:</span> <span class="nx">QueryCtx</span> <span class="o">|</span> <span class="nx">MutationCtx</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// ctx.auth.getUserIdentity() reads the JWT Kinde issues after login.</span> <span class="c1">// The `subject` claim is the Kinde user ID (e.g. "kp_abc123def").</span> <span class="kd">const</span> <span class="nx">identity</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">getUserIdentity</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">identity</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">kindeId</span> <span class="o">=</span> <span class="nx">identity</span><span class="p">.</span><span class="nx">subject</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span> <span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">users</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">withIndex</span><span class="p">(</span><span class="dl">"</span><span class="s2">by_kinde_id</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">q</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">q</span><span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">kindeId</span><span class="dl">"</span><span class="p">,</span> <span class="nx">kindeId</span><span class="p">))</span> <span class="p">.</span><span class="nf">unique</span><span class="p">();</span> <span class="k">return</span> <span class="nx">user</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Your <code>users</code> table needs <code>kindeId</code>, <code>email</code>, and <code>name</code> fields. When a user first authenticates through Kinde, those three values are written to the table from the token claims. The <code>auditLog</code> helper reads them and writes them directly onto the log entry — no live lookup, no join, immutable from that point forward.</p> <p><a href="https://kinde.com?utm_source=fcc&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=4&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde's</a> <code>@kinde-oss/kinde-auth-nextjs</code> SDK handles token issuance on the Next.js side. Convex picks up the token automatically when you configure it to use Kinde as the auth provider via the Convex dashboard's authentication settings.</p> <h2> Step #1: Call <code>auditLog</code> Inside Your Mutations </h2> <p>The pattern is identical across every mutation: do the database write, then call <code>auditLog</code> before returning. Because Convex mutations are transactional, the primary write and the log entry commit together or not at all.</p> <h3> Document creation </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// convex/documents.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">mutation</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./_generated/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">v</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">convex/values</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getCurrentUser</span><span class="p">,</span> <span class="nx">requirePermission</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./lib/auth</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">auditLog</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./lib/audit</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">create</span> <span class="o">=</span> <span class="nf">mutation</span><span class="p">({</span> <span class="na">args</span><span class="p">:</span> <span class="p">{</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">id</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizations</span><span class="dl">"</span><span class="p">),</span> <span class="na">title</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">content</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">optional</span><span class="p">(</span><span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">()),</span> <span class="p">},</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">args</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">user</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">requirePermission</span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">args</span><span class="p">.</span><span class="nx">organizationId</span><span class="p">,</span> <span class="dl">"</span><span class="s2">documents:create</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">documentId</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="nf">insert</span><span class="p">(</span><span class="dl">"</span><span class="s2">documents</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">organizationId</span><span class="p">,</span> <span class="na">title</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">title</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">content</span> <span class="o">??</span> <span class="dl">""</span><span class="p">,</span> <span class="na">createdBy</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">_id</span><span class="p">,</span> <span class="na">createdAt</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">(),</span> <span class="na">updatedAt</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">(),</span> <span class="p">});</span> <span class="k">await</span> <span class="nf">auditLog</span><span class="p">({</span> <span class="nx">ctx</span><span class="p">,</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">organizationId</span><span class="p">,</span> <span class="na">actorId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">kindeId</span><span class="p">,</span> <span class="na">actorEmail</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">actorName</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">document.created</span><span class="dl">"</span><span class="p">,</span> <span class="na">resourceType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">document</span><span class="dl">"</span><span class="p">,</span> <span class="na">resourceId</span><span class="p">:</span> <span class="nx">documentId</span><span class="p">,</span> <span class="na">resourceLabel</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">title</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">documentId</span><span class="p">;</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <h3> Document deletion </h3> <p>Read the title before the delete. Once <code>ctx.db.delete</code> runs, that document is gone. If you try to fetch the title after, you get nothing.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">remove</span> <span class="o">=</span> <span class="nf">mutation</span><span class="p">({</span> <span class="na">args</span><span class="p">:</span> <span class="p">{</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">id</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizations</span><span class="dl">"</span><span class="p">),</span> <span class="na">documentId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">id</span><span class="p">(</span><span class="dl">"</span><span class="s2">documents</span><span class="dl">"</span><span class="p">),</span> <span class="p">},</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">args</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">user</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">requirePermission</span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">args</span><span class="p">.</span><span class="nx">organizationId</span><span class="p">,</span> <span class="dl">"</span><span class="s2">documents:delete</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nb">document</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">args</span><span class="p">.</span><span class="nx">documentId</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nb">document</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Document not found</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">organizationId</span> <span class="o">!==</span> <span class="nx">args</span><span class="p">.</span><span class="nx">organizationId</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Document not found</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// Capture the label BEFORE the delete — after, it no longer exists</span> <span class="kd">const</span> <span class="nx">documentTitle</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">title</span><span class="p">;</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="nx">args</span><span class="p">.</span><span class="nx">documentId</span><span class="p">);</span> <span class="k">await</span> <span class="nf">auditLog</span><span class="p">({</span> <span class="nx">ctx</span><span class="p">,</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">organizationId</span><span class="p">,</span> <span class="na">actorId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">kindeId</span><span class="p">,</span> <span class="na">actorEmail</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">actorName</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">document.deleted</span><span class="dl">"</span><span class="p">,</span> <span class="na">resourceType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">document</span><span class="dl">"</span><span class="p">,</span> <span class="na">resourceId</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">documentId</span><span class="p">,</span> <span class="na">resourceLabel</span><span class="p">:</span> <span class="nx">documentTitle</span><span class="p">,</span> <span class="p">});</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <h3> Member role change </h3> <p>This one captures a before/after diff in <code>metadata</code>. When someone reviews the log later, they see exactly what changed without querying another table.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// convex/organizations.ts</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">updateMemberRole</span> <span class="o">=</span> <span class="nf">mutation</span><span class="p">({</span> <span class="na">args</span><span class="p">:</span> <span class="p">{</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">id</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizations</span><span class="dl">"</span><span class="p">),</span> <span class="na">membershipId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">id</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizationMembers</span><span class="dl">"</span><span class="p">),</span> <span class="na">newRole</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="p">},</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">args</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">user</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">requirePermission</span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">args</span><span class="p">.</span><span class="nx">organizationId</span><span class="p">,</span> <span class="dl">"</span><span class="s2">members:manage</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">membership</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">args</span><span class="p">.</span><span class="nx">membershipId</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">membership</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Member not found</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">membership</span><span class="p">.</span><span class="nx">organizationId</span> <span class="o">!==</span> <span class="nx">args</span><span class="p">.</span><span class="nx">organizationId</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Member not found</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// Read the previous role before patching</span> <span class="kd">const</span> <span class="nx">previousRole</span> <span class="o">=</span> <span class="nx">membership</span><span class="p">.</span><span class="nx">role</span><span class="p">;</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="nf">patch</span><span class="p">(</span><span class="nx">args</span><span class="p">.</span><span class="nx">membershipId</span><span class="p">,</span> <span class="p">{</span> <span class="na">role</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">newRole</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Fetch the affected user's display info for the log label</span> <span class="kd">const</span> <span class="nx">affectedUser</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">membership</span><span class="p">.</span><span class="nx">userId</span><span class="p">);</span> <span class="k">await</span> <span class="nf">auditLog</span><span class="p">({</span> <span class="nx">ctx</span><span class="p">,</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">organizationId</span><span class="p">,</span> <span class="na">actorId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">kindeId</span><span class="p">,</span> <span class="na">actorEmail</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">actorName</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">member.role_changed</span><span class="dl">"</span><span class="p">,</span> <span class="na">resourceType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">member</span><span class="dl">"</span><span class="p">,</span> <span class="na">resourceId</span><span class="p">:</span> <span class="nx">membership</span><span class="p">.</span><span class="nx">userId</span><span class="p">,</span> <span class="na">resourceLabel</span><span class="p">:</span> <span class="nx">affectedUser</span><span class="p">?.</span><span class="nx">name</span> <span class="o">??</span> <span class="nx">affectedUser</span><span class="p">?.</span><span class="nx">email</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">Unknown user</span><span class="dl">"</span><span class="p">,</span> <span class="na">metadata</span><span class="p">:</span> <span class="p">{</span> <span class="nx">previousRole</span><span class="p">,</span> <span class="na">newRole</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">newRole</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <h3> Settings update </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// convex/settings.ts</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">update</span> <span class="o">=</span> <span class="nf">mutation</span><span class="p">({</span> <span class="na">args</span><span class="p">:</span> <span class="p">{</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">id</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizations</span><span class="dl">"</span><span class="p">),</span> <span class="na">field</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">value</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">any</span><span class="p">(),</span> <span class="p">},</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">args</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">user</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">requirePermission</span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">args</span><span class="p">.</span><span class="nx">organizationId</span><span class="p">,</span> <span class="dl">"</span><span class="s2">settings:manage</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">settings</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span> <span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizationSettings</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">withIndex</span><span class="p">(</span><span class="dl">"</span><span class="s2">by_organization</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">q</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">q</span><span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizationId</span><span class="dl">"</span><span class="p">,</span> <span class="nx">args</span><span class="p">.</span><span class="nx">organizationId</span><span class="p">)</span> <span class="p">)</span> <span class="p">.</span><span class="nf">unique</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">settings</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Settings not found</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">previousValue</span> <span class="o">=</span> <span class="p">(</span><span class="nx">settings</span> <span class="k">as</span> <span class="kr">any</span><span class="p">)[</span><span class="nx">args</span><span class="p">.</span><span class="nx">field</span><span class="p">];</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="nf">patch</span><span class="p">(</span><span class="nx">settings</span><span class="p">.</span><span class="nx">_id</span><span class="p">,</span> <span class="p">{</span> <span class="p">[</span><span class="nx">args</span><span class="p">.</span><span class="nx">field</span><span class="p">]:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">value</span><span class="p">,</span> <span class="na">updatedAt</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">(),</span> <span class="p">});</span> <span class="k">await</span> <span class="nf">auditLog</span><span class="p">({</span> <span class="nx">ctx</span><span class="p">,</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">organizationId</span><span class="p">,</span> <span class="na">actorId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">kindeId</span><span class="p">,</span> <span class="na">actorEmail</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">actorName</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">settings.updated</span><span class="dl">"</span><span class="p">,</span> <span class="na">resourceType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">settings</span><span class="dl">"</span><span class="p">,</span> <span class="na">resourceLabel</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">field</span><span class="p">,</span> <span class="na">metadata</span><span class="p">:</span> <span class="p">{</span> <span class="na">field</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">field</span><span class="p">,</span> <span class="nx">previousValue</span><span class="p">,</span> <span class="na">newValue</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">value</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>The metadata pattern is consistent across all mutations: capture what changed, what it was before, what it is now. The log entry is self-contained — a compliance auditor reading it does not need to cross-reference other tables or reconstruct state from timestamps.</p> <h2> Step #2: Query the Activity Log </h2> <p>Create the query functions in <code>convex/activityLogs.ts</code>. These are what the frontend subscribes to.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// convex/activityLogs.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">query</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./_generated/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">v</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">convex/values</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">requireOrganizationAccess</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./lib/auth</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// All activity for an org, paginated, most recent first</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">list</span> <span class="o">=</span> <span class="nf">query</span><span class="p">({</span> <span class="na">args</span><span class="p">:</span> <span class="p">{</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">id</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizations</span><span class="dl">"</span><span class="p">),</span> <span class="na">paginationOpts</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">numItems</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">number</span><span class="p">(),</span> <span class="na">cursor</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">union</span><span class="p">(</span><span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="nx">v</span><span class="p">.</span><span class="nf">null</span><span class="p">()),</span> <span class="p">}),</span> <span class="p">},</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="p">{</span> <span class="nx">organizationId</span><span class="p">,</span> <span class="nx">paginationOpts</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">requireOrganizationAccess</span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">organizationId</span><span class="p">);</span> <span class="k">return</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span> <span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">activityLogs</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">withIndex</span><span class="p">(</span><span class="dl">"</span><span class="s2">by_organization</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">q</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">q</span><span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizationId</span><span class="dl">"</span><span class="p">,</span> <span class="nx">organizationId</span><span class="p">)</span> <span class="p">)</span> <span class="p">.</span><span class="nf">order</span><span class="p">(</span><span class="dl">"</span><span class="s2">desc</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">paginate</span><span class="p">(</span><span class="nx">paginationOpts</span><span class="p">);</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// Filtered by actor — "show me everything Alice did"</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">listByActor</span> <span class="o">=</span> <span class="nf">query</span><span class="p">({</span> <span class="na">args</span><span class="p">:</span> <span class="p">{</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">id</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizations</span><span class="dl">"</span><span class="p">),</span> <span class="na">actorId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">paginationOpts</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">numItems</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">number</span><span class="p">(),</span> <span class="na">cursor</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">union</span><span class="p">(</span><span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="nx">v</span><span class="p">.</span><span class="nf">null</span><span class="p">()),</span> <span class="p">}),</span> <span class="p">},</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="p">{</span> <span class="nx">organizationId</span><span class="p">,</span> <span class="nx">actorId</span><span class="p">,</span> <span class="nx">paginationOpts</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">requireOrganizationAccess</span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">organizationId</span><span class="p">);</span> <span class="k">return</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span> <span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">activityLogs</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">withIndex</span><span class="p">(</span><span class="dl">"</span><span class="s2">by_org_and_actor</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">q</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">q</span><span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizationId</span><span class="dl">"</span><span class="p">,</span> <span class="nx">organizationId</span><span class="p">).</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">actorId</span><span class="dl">"</span><span class="p">,</span> <span class="nx">actorId</span><span class="p">)</span> <span class="p">)</span> <span class="p">.</span><span class="nf">order</span><span class="p">(</span><span class="dl">"</span><span class="s2">desc</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">paginate</span><span class="p">(</span><span class="nx">paginationOpts</span><span class="p">);</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// Filtered by resource type — "show me all role changes"</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">listByResourceType</span> <span class="o">=</span> <span class="nf">query</span><span class="p">({</span> <span class="na">args</span><span class="p">:</span> <span class="p">{</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">id</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizations</span><span class="dl">"</span><span class="p">),</span> <span class="na">resourceType</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">paginationOpts</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">numItems</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">number</span><span class="p">(),</span> <span class="na">cursor</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">union</span><span class="p">(</span><span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="nx">v</span><span class="p">.</span><span class="nf">null</span><span class="p">()),</span> <span class="p">}),</span> <span class="p">},</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="p">{</span> <span class="nx">organizationId</span><span class="p">,</span> <span class="nx">resourceType</span><span class="p">,</span> <span class="nx">paginationOpts</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">requireOrganizationAccess</span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">organizationId</span><span class="p">);</span> <span class="k">return</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span> <span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">activityLogs</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">withIndex</span><span class="p">(</span><span class="dl">"</span><span class="s2">by_org_and_resource_type</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">q</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">q</span><span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizationId</span><span class="dl">"</span><span class="p">,</span> <span class="nx">organizationId</span><span class="p">).</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">resourceType</span><span class="dl">"</span><span class="p">,</span> <span class="nx">resourceType</span><span class="p">)</span> <span class="p">)</span> <span class="p">.</span><span class="nf">order</span><span class="p">(</span><span class="dl">"</span><span class="s2">desc</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">paginate</span><span class="p">(</span><span class="nx">paginationOpts</span><span class="p">);</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// Used by the CSV export endpoint — fetches all entries within a time window</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">listAllForExport</span> <span class="o">=</span> <span class="nf">query</span><span class="p">({</span> <span class="na">args</span><span class="p">:</span> <span class="p">{</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">id</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizations</span><span class="dl">"</span><span class="p">),</span> <span class="na">since</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">optional</span><span class="p">(</span><span class="nx">v</span><span class="p">.</span><span class="nf">number</span><span class="p">()),</span> <span class="c1">// Unix timestamp in ms</span> <span class="p">},</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="p">{</span> <span class="nx">organizationId</span><span class="p">,</span> <span class="nx">since</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">requireOrganizationAccess</span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">organizationId</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">results</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span> <span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">activityLogs</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">withIndex</span><span class="p">(</span><span class="dl">"</span><span class="s2">by_organization</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">q</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">q</span><span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizationId</span><span class="dl">"</span><span class="p">,</span> <span class="nx">organizationId</span><span class="p">)</span> <span class="p">)</span> <span class="p">.</span><span class="nf">order</span><span class="p">(</span><span class="dl">"</span><span class="s2">desc</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">collect</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">since</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">results</span><span class="p">.</span><span class="nf">filter</span><span class="p">((</span><span class="nx">entry</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">entry</span><span class="p">.</span><span class="nx">_creationTime</span> <span class="o">&gt;=</span> <span class="nx">since</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">results</span><span class="p">;</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>Every query starts with <code>requireOrganizationAccess</code>. This is not optional. Audit log data is sensitive — the fact that it is read-only does not make it public. A user with access to Org A must not be able to call <code>activityLogs.list</code> with Org B's ID and receive results. The access check runs before any data is read.</p> <h2> Step #3: Build the Activity Feed UI </h2> <p>Add the page at <code>/org/[slug]/activity</code>. It shows all activity with filter pills for resource type, loads more entries on scroll, and updates in real time as new entries arrive.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// app/org/[slug]/activity/page.tsx</span> <span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">usePaginatedQuery</span><span class="p">,</span> <span class="nx">useQuery</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">convex/react</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">api</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/convex/_generated/api</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">formatDistanceToNow</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">date-fns</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">ACTION_LABELS</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">string</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">document.created</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">created a document</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">document.updated</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">updated a document</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">document.deleted</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">deleted a document</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">document.shared</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">shared a document</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">document.unshared</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">unshared a document</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">member.invited</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">invited a member</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">member.removed</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">removed a member</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">member.role_changed</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">changed a member's role</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">invitation.accepted</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">accepted an invitation</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">invitation.revoked</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">revoked an invitation</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">role.created</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">created a role</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">role.updated</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">updated a role</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">role.deleted</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">deleted a role</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">settings.updated</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">updated settings</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">billing.plan_changed</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">changed the billing plan</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">org.created</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">created the organization</span><span class="dl">"</span><span class="p">,</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">RESOURCE_TYPE_FILTERS</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="dl">""</span><span class="p">,</span> <span class="na">label</span><span class="p">:</span> <span class="dl">"</span><span class="s2">All activity</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="dl">"</span><span class="s2">document</span><span class="dl">"</span><span class="p">,</span> <span class="na">label</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Documents</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="dl">"</span><span class="s2">member</span><span class="dl">"</span><span class="p">,</span> <span class="na">label</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Members</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="dl">"</span><span class="s2">role</span><span class="dl">"</span><span class="p">,</span> <span class="na">label</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Roles</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="dl">"</span><span class="s2">settings</span><span class="dl">"</span><span class="p">,</span> <span class="na">label</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Settings</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="dl">"</span><span class="s2">billing</span><span class="dl">"</span><span class="p">,</span> <span class="na">label</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Billing</span><span class="dl">"</span> <span class="p">},</span> <span class="p">];</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">ActivityPage</span><span class="p">({</span> <span class="nx">params</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">params</span><span class="p">:</span> <span class="p">{</span> <span class="na">slug</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">org</span> <span class="o">=</span> <span class="nf">useQuery</span><span class="p">(</span><span class="nx">api</span><span class="p">.</span><span class="nx">organizations</span><span class="p">.</span><span class="nx">getBySlug</span><span class="p">,</span> <span class="p">{</span> <span class="na">slug</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nx">slug</span> <span class="p">});</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">resourceTypeFilter</span><span class="p">,</span> <span class="nx">setResourceTypeFilter</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">""</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">results</span><span class="p">,</span> <span class="nx">status</span><span class="p">,</span> <span class="nx">loadMore</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">usePaginatedQuery</span><span class="p">(</span> <span class="nx">resourceTypeFilter</span> <span class="p">?</span> <span class="nx">api</span><span class="p">.</span><span class="nx">activityLogs</span><span class="p">.</span><span class="nx">listByResourceType</span> <span class="p">:</span> <span class="nx">api</span><span class="p">.</span><span class="nx">activityLogs</span><span class="p">.</span><span class="nx">list</span><span class="p">,</span> <span class="nx">org</span> <span class="p">?</span> <span class="nx">resourceTypeFilter</span> <span class="p">?</span> <span class="p">{</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">org</span><span class="p">.</span><span class="nx">_id</span><span class="p">,</span> <span class="na">resourceType</span><span class="p">:</span> <span class="nx">resourceTypeFilter</span> <span class="p">}</span> <span class="p">:</span> <span class="p">{</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">org</span><span class="p">.</span><span class="nx">_id</span> <span class="p">}</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">skip</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">initialNumItems</span><span class="p">:</span> <span class="mi">25</span> <span class="p">}</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">org</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"p-8 text-sm text-gray-500"</span><span class="p">&gt;</span>Loading...<span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;;</span> <span class="p">}</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"max-w-2xl mx-auto py-8 space-y-6"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"flex items-center justify-between"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">h1</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-xl font-semibold"</span><span class="p">&gt;</span>Activity<span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-sm text-gray-500 mt-0.5"</span><span class="p">&gt;</span> A record of every action taken in this organization. <span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">a</span> <span class="na">href</span><span class="p">=</span><span class="si">{</span><span class="s2">`/api/activity/export?orgId=</span><span class="p">${</span><span class="nx">org</span><span class="p">.</span><span class="nx">_id</span><span class="p">}</span><span class="s2">`</span><span class="si">}</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-sm text-gray-500 hover:text-gray-900 underline underline-offset-2"</span> <span class="p">&gt;</span> Export CSV <span class="p">&lt;/</span><span class="nt">a</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* Filter pills */</span><span class="si">}</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"flex gap-2 flex-wrap"</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">RESOURCE_TYPE_FILTERS</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">filter</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">key</span><span class="p">=</span><span class="si">{</span><span class="nx">filter</span><span class="p">.</span><span class="nx">value</span><span class="si">}</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">setResourceTypeFilter</span><span class="p">(</span><span class="nx">filter</span><span class="p">.</span><span class="nx">value</span><span class="p">)</span><span class="si">}</span> <span class="na">className</span><span class="p">=</span><span class="si">{</span><span class="s2">`px-3 py-1.5 rounded-full text-xs font-medium transition-colors </span><span class="p">${</span> <span class="nx">resourceTypeFilter</span> <span class="o">===</span> <span class="nx">filter</span><span class="p">.</span><span class="nx">value</span> <span class="p">?</span> <span class="dl">"</span><span class="s2">bg-black text-white</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">bg-gray-100 text-gray-600 hover:bg-gray-200</span><span class="dl">"</span> <span class="p">}</span><span class="s2">`</span><span class="si">}</span> <span class="p">&gt;</span> <span class="si">{</span><span class="nx">filter</span><span class="p">.</span><span class="nx">label</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">))</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* Log entries */</span><span class="si">}</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"space-y-1"</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">results</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">0</span> <span class="o">&amp;&amp;</span> <span class="nx">status</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">Exhausted</span><span class="dl">"</span> <span class="p">?</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-sm text-gray-400 py-8 text-center"</span><span class="p">&gt;</span>No activity yet.<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">)</span> <span class="p">:</span> <span class="p">(</span> <span class="nx">results</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">entry</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">key</span><span class="p">=</span><span class="si">{</span><span class="nx">entry</span><span class="p">.</span><span class="nx">_id</span><span class="si">}</span> <span class="na">className</span><span class="p">=</span><span class="s">"flex items-start gap-3 py-3 border-b border-gray-100 last:border-0"</span> <span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* Actor avatar */</span><span class="si">}</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"w-7 h-7 rounded-full bg-gray-200 flex items-center justify-center flex-shrink-0 mt-0.5"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">span</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-xs font-medium text-gray-600"</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">entry</span><span class="p">.</span><span class="nx">actorName</span><span class="p">?.[</span><span class="mi">0</span><span class="p">]?.</span><span class="nf">toUpperCase</span><span class="p">()</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">?</span><span class="dl">"</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"flex-1 min-w-0"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-sm text-gray-900"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">span</span> <span class="na">className</span><span class="p">=</span><span class="s">"font-medium"</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">entry</span><span class="p">.</span><span class="nx">actorName</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="si">{</span><span class="dl">"</span><span class="s2"> </span><span class="dl">"</span><span class="si">}</span> <span class="p">&lt;</span><span class="nt">span</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-gray-600"</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">ACTION_LABELS</span><span class="p">[</span><span class="nx">entry</span><span class="p">.</span><span class="nx">action</span><span class="p">]</span> <span class="o">??</span> <span class="nx">entry</span><span class="p">.</span><span class="nx">action</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">entry</span><span class="p">.</span><span class="nx">resourceLabel</span> <span class="o">&amp;&amp;</span> <span class="p">(</span> <span class="p">&lt;&gt;</span> <span class="si">{</span><span class="dl">"</span><span class="s2">: </span><span class="dl">"</span><span class="si">}</span> <span class="p">&lt;</span><span class="nt">span</span> <span class="na">className</span><span class="p">=</span><span class="s">"font-medium text-gray-900"</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">entry</span><span class="p">.</span><span class="nx">resourceLabel</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="p">&lt;/&gt;</span> <span class="p">)</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* Show before/after for role changes */</span><span class="si">}</span> <span class="si">{</span><span class="nx">entry</span><span class="p">.</span><span class="nx">action</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">member.role_changed</span><span class="dl">"</span> <span class="o">&amp;&amp;</span> <span class="nx">entry</span><span class="p">.</span><span class="nx">metadata</span> <span class="o">&amp;&amp;</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-xs text-gray-400 mt-0.5"</span><span class="p">&gt;</span> <span class="si">{</span><span class="p">(</span><span class="nx">entry</span><span class="p">.</span><span class="nx">metadata</span> <span class="k">as</span> <span class="kr">any</span><span class="p">).</span><span class="nx">previousRole</span><span class="si">}</span> → <span class="si">{</span><span class="p">(</span><span class="nx">entry</span><span class="p">.</span><span class="nx">metadata</span> <span class="k">as</span> <span class="kr">any</span><span class="p">).</span><span class="nx">newRole</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">)</span><span class="si">}</span> <span class="si">{</span><span class="cm">/* Show which field changed for settings updates */</span><span class="si">}</span> <span class="si">{</span><span class="nx">entry</span><span class="p">.</span><span class="nx">action</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">settings.updated</span><span class="dl">"</span> <span class="o">&amp;&amp;</span> <span class="nx">entry</span><span class="p">.</span><span class="nx">metadata</span> <span class="o">&amp;&amp;</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-xs text-gray-400 mt-0.5"</span><span class="p">&gt;</span> Field: <span class="si">{</span><span class="p">(</span><span class="nx">entry</span><span class="p">.</span><span class="nx">metadata</span> <span class="k">as</span> <span class="kr">any</span><span class="p">).</span><span class="nx">field</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">)</span><span class="si">}</span> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-xs text-gray-400 mt-0.5"</span><span class="p">&gt;</span> <span class="si">{</span><span class="nf">formatDistanceToNow</span><span class="p">(</span><span class="nx">entry</span><span class="p">.</span><span class="nx">_creationTime</span><span class="p">,</span> <span class="p">{</span> <span class="na">addSuffix</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span><span class="si">}</span> <span class="si">{</span><span class="dl">"</span><span class="s2"> · </span><span class="dl">"</span><span class="si">}</span> <span class="si">{</span><span class="nx">entry</span><span class="p">.</span><span class="nx">actorEmail</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">))</span> <span class="p">)</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">status</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">CanLoadMore</span><span class="dl">"</span> <span class="o">&amp;&amp;</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"flex justify-center pt-2"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">loadMore</span><span class="p">(</span><span class="mi">25</span><span class="p">)</span><span class="si">}</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-sm text-gray-500 hover:text-gray-900 underline underline-offset-2"</span> <span class="p">&gt;</span> Load more <span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">)</span><span class="si">}</span> <span class="si">{</span><span class="nx">status</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">LoadingMore</span><span class="dl">"</span> <span class="o">&amp;&amp;</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-center text-sm text-gray-400"</span><span class="p">&gt;</span>Loading...<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">)</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The feed is reactive. Convex tracks the query's data dependencies and pushes updates to the component whenever a new log entry is written. An org member watching the activity page will see new entries appear in real time — without a page refresh, without polling, without any extra setup.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3z7zis3h6bvv6k55odey.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3z7zis3h6bvv6k55odey.png" alt="The activity feed UI. Top row shows " width="800" height="502"></a></p> <h2> Step #4: Export as CSV for Compliance </h2> <p>When a compliance team or auditor asks for the activity history, they want a file — not a browser tab. Add a Next.js API route that fetches all logs for an org and returns them as a downloadable CSV.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/activity/export/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextRequest</span><span class="p">,</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ConvexHttpClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">convex/browser</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">api</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/convex/_generated/api</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Id</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/convex/_generated/dataModel</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">convex</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ConvexHttpClient</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_CONVEX_URL</span><span class="o">!</span><span class="p">);</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">GET</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">authenticated</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">authenticated</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">NextResponse</span><span class="p">(</span><span class="dl">"</span><span class="s2">Unauthorized</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">orgId</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">orgId</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">orgId</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">NextResponse</span><span class="p">(</span><span class="dl">"</span><span class="s2">Missing orgId</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">400</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Optional: limit to last 90 days with ?since=&lt;timestamp&gt;</span> <span class="kd">const</span> <span class="nx">since</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">since</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">logs</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">convex</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="nx">api</span><span class="p">.</span><span class="nx">activityLogs</span><span class="p">.</span><span class="nx">listAllForExport</span><span class="p">,</span> <span class="p">{</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">orgId</span> <span class="k">as</span> <span class="nx">Id</span><span class="o">&lt;</span><span class="dl">"</span><span class="s2">organizations</span><span class="dl">"</span><span class="o">&gt;</span><span class="p">,</span> <span class="na">since</span><span class="p">:</span> <span class="nx">since</span> <span class="p">?</span> <span class="nc">Number</span><span class="p">(</span><span class="nx">since</span><span class="p">)</span> <span class="p">:</span> <span class="kc">undefined</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">csvRows</span> <span class="o">=</span> <span class="p">[</span> <span class="p">[</span><span class="dl">"</span><span class="s2">Timestamp</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Actor Name</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Actor Email</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Action</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Resource Type</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Resource</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Details</span><span class="dl">"</span><span class="p">].</span><span class="nf">join</span><span class="p">(</span><span class="dl">"</span><span class="s2">,</span><span class="dl">"</span><span class="p">),</span> <span class="p">...</span><span class="nx">logs</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">entry</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">entry</span><span class="p">.</span><span class="nx">_creationTime</span><span class="p">).</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="s2">`"</span><span class="p">${</span><span class="nx">entry</span><span class="p">.</span><span class="nx">actorName</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/"/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">""</span><span class="dl">'</span><span class="p">)}</span><span class="s2">"`</span><span class="p">,</span> <span class="nx">entry</span><span class="p">.</span><span class="nx">actorEmail</span><span class="p">,</span> <span class="nx">entry</span><span class="p">.</span><span class="nx">action</span><span class="p">,</span> <span class="nx">entry</span><span class="p">.</span><span class="nx">resourceType</span><span class="p">,</span> <span class="s2">`"</span><span class="p">${(</span><span class="nx">entry</span><span class="p">.</span><span class="nx">resourceLabel</span> <span class="o">??</span> <span class="dl">""</span><span class="p">).</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/"/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">""</span><span class="dl">'</span><span class="p">)}</span><span class="s2">"`</span><span class="p">,</span> <span class="s2">`"</span><span class="p">${</span><span class="nx">entry</span><span class="p">.</span><span class="nx">metadata</span> <span class="p">?</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">entry</span><span class="p">.</span><span class="nx">metadata</span><span class="p">).</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/"/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">""</span><span class="dl">'</span><span class="p">)</span> <span class="p">:</span> <span class="dl">""</span><span class="p">}</span><span class="s2">"`</span><span class="p">,</span> <span class="p">].</span><span class="nf">join</span><span class="p">(</span><span class="dl">"</span><span class="s2">,</span><span class="dl">"</span><span class="p">)</span> <span class="p">),</span> <span class="p">].</span><span class="nf">join</span><span class="p">(</span><span class="dl">"</span><span class="se">\n</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">NextResponse</span><span class="p">(</span><span class="nx">csvRows</span><span class="p">,</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text/csv</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Content-Disposition</span><span class="dl">"</span><span class="p">:</span> <span class="s2">`attachment; filename="activity-</span><span class="p">${</span><span class="nx">orgId</span><span class="p">}</span><span class="s2">-</span><span class="p">${</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()}</span><span class="s2">.csv"`</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p><code>getKindeServerSession</code> from <code>@kinde-oss/kinde-auth-nextjs/server</code> verifies the user is authenticated before any data is touched. The <code>ConvexHttpClient</code> is the correct way to call Convex from a Next.js API route or server action — outside of a React component, <code>useQuery</code> is not available, so you use the HTTP client directly.</p> <p>You now have a complete audit log — write path, read path, real-time feed, and CSV export in one clean pipeline.</p> <h2> Step #5: Guarantee Org Isolation </h2> <p>Org isolation is not automatic. You enforce it explicitly at every query boundary with <code>requireOrganizationAccess</code>. Here is what that helper looks like and why the order of checks matters.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// convex/lib/auth.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">QueryCtx</span><span class="p">,</span> <span class="nx">MutationCtx</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../_generated/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Id</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../_generated/dataModel</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">requireOrganizationAccess</span><span class="p">(</span> <span class="nx">ctx</span><span class="p">:</span> <span class="nx">QueryCtx</span> <span class="o">|</span> <span class="nx">MutationCtx</span><span class="p">,</span> <span class="nx">organizationId</span><span class="p">:</span> <span class="nx">Id</span><span class="o">&lt;</span><span class="dl">"</span><span class="s2">organizations</span><span class="dl">"</span><span class="o">&gt;</span> <span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">identity</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">getUserIdentity</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">identity</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Not authenticated</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span> <span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">users</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">withIndex</span><span class="p">(</span><span class="dl">"</span><span class="s2">by_kinde_id</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">q</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">q</span><span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">kindeId</span><span class="dl">"</span><span class="p">,</span> <span class="nx">identity</span><span class="p">.</span><span class="nx">subject</span><span class="p">))</span> <span class="p">.</span><span class="nf">unique</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">User not found</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">membership</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span> <span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizationMembers</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">withIndex</span><span class="p">(</span><span class="dl">"</span><span class="s2">by_org_and_user</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">q</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">q</span><span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">organizationId</span><span class="dl">"</span><span class="p">,</span> <span class="nx">organizationId</span><span class="p">).</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">userId</span><span class="dl">"</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">_id</span><span class="p">)</span> <span class="p">)</span> <span class="p">.</span><span class="nf">unique</span><span class="p">();</span> <span class="c1">// No membership record = no access. This check runs before any log data is read.</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">membership</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Access denied</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">user</span><span class="p">,</span> <span class="nx">membership</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>When <code>activityLogs.list</code> is called with an organization ID, <code>requireOrganizationAccess</code> checks for a membership record in that specific org before the log query runs. A member of Org A cannot call the query with Org B's ID and receive results — the check throws before any database read happens.</p> <p>The isolation guarantee has two layers. First, the membership check in the query handler. Second, the <code>organizationId</code> field on every log entry — each query is scoped to one org's index range. Even if the membership check somehow failed, a query hitting <code>by_organization</code> would only return entries for that specific org.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo81a5ngrjzc9c3y21gv6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo81a5ngrjzc9c3y21gv6.png" alt="Two side-by-side columns labeled " width="800" height="661"></a></p> <h2> Testing the System </h2> <p>Do not skip this. An audit log that silently misses entries is worse than no audit log — it creates false confidence. These five tests verify the critical paths.</p> <p><strong>Test 1: Transactional commit</strong></p> <p>Call <code>documents.remove</code> with a valid document ID. After it succeeds, open the Convex dashboard and check the <code>activityLogs</code> table — a <code>document.deleted</code> entry should exist with the correct <code>resourceLabel</code>. Now temporarily patch the mutation to throw an error after <code>ctx.db.delete</code> but before <code>auditLog</code>. Call it again. Both the deletion and the log entry should roll back together. If the document gets deleted but no log entry appears, your <code>auditLog</code> call is outside the mutation handler — move it inside.</p> <p><strong>Test 2: Actor identity per session</strong></p> <p>Sign in as two different users and each create a document in the same organization. Check <code>activityLogs</code> — the two entries should have different <code>actorId</code>, <code>actorEmail</code>, and <code>actorName</code> values. If both entries show the same actor, <code>getCurrentUser</code> is reading from a stale or shared identity source.</p> <p><strong>Test 3: Org isolation under direct API call</strong></p> <p>From the Convex dashboard, call <code>activityLogs.list</code> with the ID of an organization the currently authenticated user does not belong to. You should receive:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: Access denied </code></pre> </div> <p>If the query returns data, <code>requireOrganizationAccess</code> is either missing or not throwing correctly.</p> <p><strong>Test 4: Resource label captured before deletion</strong></p> <p>Create a document titled "Q2 Vendor Report". Delete it. Find the <code>document.deleted</code> entry in <code>activityLogs</code>. The <code>resourceLabel</code> field should read <code>"Q2 Vendor Report"</code>. If it is null or undefined, the delete is happening before the title is read. Reverse the order.</p> <p><strong>Test 5: Metadata correctness on role changes</strong></p> <p>Change a member's role from <code>member</code> to <code>admin</code>. Find the <code>member.role_changed</code> log entry and expand <code>metadata</code>. It should contain <code>{ "previousRole": "member", "newRole": "admin" }</code>. If <code>previousRole</code> is <code>null</code>, the membership record is being read after the patch — capture the previous role before calling <code>ctx.db.patch</code>.</p> <h2> Common Mistakes to Avoid </h2> <p><strong>Capturing resource labels after the mutation.</strong> Read everything you need from the affected resource before modifying or deleting it. After <code>ctx.db.delete</code>, the document is gone. After <code>ctx.db.patch</code>, the original field values are overwritten in the current context. Read first, write second, log third.</p> <p><strong>Calling a side-effect logging service after the mutation returns.</strong> If you call an external logging service after the Convex mutation completes, the log entry and the action are not transactionally coupled. A network failure or a crash between the mutation completing and the side-effect firing gives you a permanent inconsistency in your audit trail. Keep <code>auditLog</code> inside the Convex mutation.</p> <p><strong>Skipping <code>requireOrganizationAccess</code> on log queries.</strong> Audit log data is sensitive. The fact that it is read-only does not make it safe to skip the access check. Every query that reads <code>activityLogs</code> needs the membership check, no exceptions.</p> <p><strong>Storing a Convex document ID instead of the Kinde user ID as <code>actorId</code>.</strong> Convex document IDs change if you migrate or restructure data. Kinde user IDs are stable identifiers issued by the identity provider. Use the Kinde ID.</p> <p><strong>Not filtering by <code>organizationId</code> on every log query.</strong> A query that reads from <code>activityLogs</code> without an <code>organizationId</code> constraint is a full table scan that will slow down as the table grows and expose cross-org data. Every query goes through an index that starts with <code>organizationId</code>.</p> <h2> What This Enables </h2> <p>An enterprise customer's IT team can answer "who accessed what and when" directly from the activity feed — no support ticket, no engineering involvement.</p> <p>Your compliance team can export a CSV of all activity within any date range and hand it to an auditor without writing a single SQL query.</p> <p>When a user claims their settings were changed without their knowledge, you check the log and show them exactly who made the change and when — in under a minute.</p> <p>Enterprise deals that stalled on the audit log question now have a concrete answer: every action is logged at write time, every entry is scoped to one organization, the data is exportable on demand, and the log is tamper-evident by design.</p> <h2> What Is Next </h2> <p><strong>Retention policies.</strong> Add a scheduled Convex function that runs nightly and deletes log entries older than your configured retention window. Store the retention duration on the organization record so you can offer longer retention as a paid feature for enterprise tiers.</p> <p><strong>Admin-only visibility.</strong> Right now any org member who can reach the activity route can view the feed. Add a <code>audit:read</code> permission check inside the query handler — the membership check is already there, it is a small addition — and gate the page to admins and owners only.</p> <p><strong>Webhook delivery.</strong> Enterprise customers with SIEM (security information and event management) tools will ask for activity data pushed to them in real time. Add a Convex action that fires a webhook to a customer-configured URL after each log entry is written. The payload is the log entry itself.</p> <p><strong>Full-text search.</strong> For orgs with high activity volume, time-range and resource-type filters are not always enough. Convex supports full-text search indexes. Adding one on <code>action</code> and <code>resourceLabel</code> lets you support queries like "show all activity mentioning 'Q2 Report'".</p> webdev kinde convex learning Shola Jegede Tue, 14 Apr 2026 14:28:29 +0000 https://forem.com/sholajegede/how-to-use-feature-flags-to-safely-roll-out-features-in-production-with-kinde-cdg https://forem.com/sholajegede/how-to-use-feature-flags-to-safely-roll-out-features-in-production-with-kinde-cdg <p>In this article, you will learn:</p> <ul> <li>What feature flags are and why they matter for production releases</li> <li>The four flag types Kinde supports and when to use each one</li> <li>How Kinde delivers flag values through the auth token — no extra SDK required</li> <li>How to create your first feature flag in the Kinde dashboard</li> <li>How to read flags in a Next.js application using the Kinde SDK</li> <li>How to override flags per environment, per organization, and per user</li> <li>How to use flags for gradual AI feature rollouts</li> <li>How to use string flags for A/B testing UI copy</li> <li>How to use integer flags to control per-user AI token limits</li> <li>How to use JSON flags for complex feature configurations</li> <li>The flag lifecycle: creation, rollout, cleanup</li> </ul> <p>Let's dive in!</p> <h2> Why Feature Flags Exist </h2> <p>Every developer has shipped a feature to production and immediately wished they had not. Something works fine in staging. It breaks in production. Users are affected. A rollback means a redeployment — and redeployments take time, require coordination, and sometimes break other things in the process.</p> <p>Feature flags decouple deployment from release. You merge the code, you deploy it, but the feature stays hidden behind a flag set to <code>false</code>. When you are ready to release — or when you want to release to just 10 users first — you flip the flag. No redeployment. No code change. Instant.</p> <p>For AI products specifically, this matters more than for most software. AI features have a different risk profile. A new model might behave unexpectedly under production load. A new AI agent capability might produce output you did not anticipate. A new prompting strategy might increase latency. You want to be able to release these changes to a subset of users, monitor behavior, and either expand the rollout or kill the feature with a single dashboard toggle.</p> <p>That is exactly what Kinde's feature flags give you — and unlike standalone feature flag tools, Kinde's flags live in the same auth token as your user's identity and permissions. No separate SDK. No separate API call. No synchronization problem between your auth state and your flag state.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fawbsd9ofq6meq95h2msx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fawbsd9ofq6meq95h2msx.png" alt="Two deployment flows side by side. LEFT " width="800" height="932"></a></p> <h2> How Kinde Feature Flags Work </h2> <p>Most feature flag services require you to install a separate SDK, make an API call at runtime to fetch flag values, and cache them in localStorage or memory. This adds latency, adds a dependency, and creates a potential desync between what your auth system knows about the user and what your flag system thinks.</p> <p>Kinde takes a different approach. Flag values are embedded directly in the JWT access token under the <code>feature_flags</code> claim. Every time the user's token refreshes, their flag values refresh with it. No separate call. No extra SDK. The flags arrive with the auth token.</p> <p>Here is what that claim looks like in a real Kinde access token:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"kp_abc123"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"alice@example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"feature_flags"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"new_ai_model"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"t"</span><span class="p">:</span><span class="w"> </span><span class="s2">"b"</span><span class="p">,</span><span class="w"> </span><span class="nl">"v"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"ai_token_limit"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"t"</span><span class="p">:</span><span class="w"> </span><span class="s2">"i"</span><span class="p">,</span><span class="w"> </span><span class="nl">"v"</span><span class="p">:</span><span class="w"> </span><span class="mi">1000</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"prompt_variant"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"t"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s"</span><span class="p">,</span><span class="w"> </span><span class="nl">"v"</span><span class="p">:</span><span class="w"> </span><span class="s2">"control"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"model_config"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"t"</span><span class="p">:</span><span class="w"> </span><span class="s2">"j"</span><span class="p">,</span><span class="w"> </span><span class="nl">"v"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"temperature"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.7</span><span class="p">,</span><span class="w"> </span><span class="nl">"max_tokens"</span><span class="p">:</span><span class="w"> </span><span class="mi">500</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"permissions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"reports:view"</span><span class="p">],</span><span class="w"> </span><span class="nl">"org_code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"org_xyz789"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The <code>"t"</code> field is the type (<code>"b"</code> = boolean, <code>"i"</code> = integer, <code>"s"</code> = string, <code>"j"</code> = JSON) and <code>"v"</code> is the value. The Kinde SDK wraps this cleanly so you never have to parse the raw token.</p> <p>Note: Kinde feature flags are completely free on every plan, for every user.</p> <h2> The Four Flag Types </h2> <p>Kinde supports four flag types. The type is set at creation and <strong>cannot be changed later</strong> — the key also cannot be changed, so choose carefully before saving.</p> <p><strong>Boolean</strong> is the classic on/off switch. Use it for anything that is either enabled or disabled: a new feature, a beta programme, a kill switch for a misbehaving AI capability.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Flag key: new_ai_model Type: Boolean Default: false Use case: Hide the new GPT-5 integration until ready for gradual rollout </code></pre> </div> <p><strong>String</strong> passes configuration values as text. Use it for A/B testing copy, selecting between variants of a feature, or setting environment-specific values.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Flag key: prompt_variant Type: String Default: "control" Use case: Test different AI prompt strategies: "control" vs "chain_of_thought" vs "few_shot" </code></pre> </div> <p><strong>Integer</strong> passes numeric limits. Use it to set per-user or per-organization quotas, limits, or thresholds.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Flag key: ai_token_limit Type: Integer Default: 1000 Use case: Control how many AI tokens each user can consume per session </code></pre> </div> <p><strong>JSON</strong> passes structured configuration objects. Use it for complex feature configurations that involve multiple related values.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">Flag</span><span class="w"> </span><span class="err">key:</span><span class="w"> </span><span class="err">model_config</span><span class="w"> </span><span class="err">Type:</span><span class="w"> </span><span class="err">JSON</span><span class="w"> </span><span class="err">Default:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"temperature"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.7</span><span class="p">,</span><span class="w"> </span><span class="nl">"max_tokens"</span><span class="p">:</span><span class="w"> </span><span class="mi">500</span><span class="p">,</span><span class="w"> </span><span class="nl">"model"</span><span class="p">:</span><span class="w"> </span><span class="s2">"gpt-4o"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err">Use</span><span class="w"> </span><span class="err">case:</span><span class="w"> </span><span class="err">Send</span><span class="w"> </span><span class="err">the</span><span class="w"> </span><span class="err">full</span><span class="w"> </span><span class="err">AI</span><span class="w"> </span><span class="err">model</span><span class="w"> </span><span class="err">configuration</span><span class="w"> </span><span class="err">to</span><span class="w"> </span><span class="err">the</span><span class="w"> </span><span class="err">app</span><span class="w"> </span><span class="err">without</span><span class="w"> </span><span class="err">a</span><span class="w"> </span><span class="err">redeployment</span><span class="w"> </span></code></pre> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Type</th> <th>SDK method</th> <th>Best for</th> </tr> </thead> <tbody> <tr> <td>Boolean</td> <td><code>getBooleanFlag</code></td> <td>Feature on/off, kill switches, beta access</td> </tr> <tr> <td>String</td> <td><code>getStringFlag</code></td> <td>A/B variants, copy testing, environment labels</td> </tr> <tr> <td>Integer</td> <td><code>getIntegerFlag</code></td> <td>Rate limits, quotas, timeouts, seat counts</td> </tr> <tr> <td>JSON</td> <td> <code>getFlag</code> (with type)</td> <td>Model configs, complex feature settings</td> </tr> </tbody> </table></div> <h2> Step #1: Create a Feature Flag in Kinde </h2> <p>Navigate to <strong>Releases</strong> → <strong>Feature flags</strong> → <strong>Add feature flag</strong> in your Kinde dashboard.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvpcd0y051hvwrte4yc2u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvpcd0y051hvwrte4yc2u.png" alt="Kinde dashboard Releases &gt; Feature flags page showing the " value="" width="800" height="502"></a></p> <p>Fill in the flag details:</p> <p><strong>Name:</strong> A human-readable label, for example "New AI Model". This can be changed later.</p> <p><strong>Key:</strong> The identifier your code uses, for example <code>new_ai_model</code>. Use lowercase with underscores. This <strong>cannot be changed after creation</strong>.</p> <p><strong>Type:</strong> Select one of Boolean, String, Integer, or JSON. This also <strong>cannot be changed after creation</strong>.</p> <p><strong>Default value:</strong> The value every user gets unless overridden. For a new feature you are not ready to release, the default is <code>false</code> for Boolean.</p> <p><strong>Allow overrides:</strong> Select whether the flag value can be overridden per environment, per organization, or per user. Enable organizations — you will want the flexibility.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F898ks2rmfyfag9o0ntfg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F898ks2rmfyfag9o0ntfg.png" alt="Kinde " value="" width="800" height="502"></a></p> <p>Select <strong>Save</strong>. The flag now exists with a global default of <code>false</code>. Every user in every organization gets <code>false</code> until you explicitly enable it somewhere.</p> <p>Wonderful! The flag is created and safely off. Now wire it into your application.</p> <h2> Step #2: Read Flags in a Next.js Application </h2> <p>The Kinde Next.js SDK exposes flag methods through <code>getKindeServerSession()</code> on the server and <code>useKindeBrowserClient()</code> on the client. For most production use cases, read flags server-side.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/dashboard/page.tsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">redirect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/navigation</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">DashboardPage</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">getUser</span><span class="p">,</span> <span class="nx">getBooleanFlag</span><span class="p">,</span> <span class="nx">getIntegerFlag</span><span class="p">,</span> <span class="nx">getStringFlag</span><span class="p">,</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="p">{</span> <span class="nf">redirect</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/auth/login</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getUser</span><span class="p">();</span> <span class="c1">// Read each flag with a default value as fallback</span> <span class="c1">// The default value is used if the flag doesn't exist in the token</span> <span class="kd">const</span> <span class="nx">showNewAIModel</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getBooleanFlag</span><span class="p">(</span><span class="dl">"</span><span class="s2">new_ai_model</span><span class="dl">"</span><span class="p">,</span> <span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">aiTokenLimit</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getIntegerFlag</span><span class="p">(</span><span class="dl">"</span><span class="s2">ai_token_limit</span><span class="dl">"</span><span class="p">,</span> <span class="mi">1000</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">promptVariant</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getStringFlag</span><span class="p">(</span><span class="dl">"</span><span class="s2">prompt_variant</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">control</span><span class="dl">"</span><span class="p">);</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">main</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">p-8</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h1</span><span class="o">&gt;</span><span class="nx">Dashboard</span><span class="o">&lt;</span><span class="sr">/h1</span><span class="err">&gt; </span> <span class="p">{</span><span class="cm">/* Only render the new AI section if the flag is on */</span><span class="p">}</span> <span class="p">{</span><span class="nx">showNewAIModel</span> <span class="o">&amp;&amp;</span> <span class="p">(</span> <span class="o">&lt;</span><span class="nx">section</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">mt-6 rounded-lg bg-purple-50 p-6</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h2</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">font-semibold text-purple-900</span><span class="dl">"</span><span class="o">&gt;</span> <span class="err">✨</span> <span class="nx">New</span> <span class="nx">AI</span> <span class="nc">Model </span><span class="p">(</span><span class="nx">Beta</span><span class="p">)</span> <span class="o">&lt;</span><span class="sr">/h2</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-sm text-purple-700 mt-1</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">You</span> <span class="nx">have</span> <span class="nx">early</span> <span class="nx">access</span> <span class="nx">to</span> <span class="nx">our</span> <span class="nx">upgraded</span> <span class="nx">AI</span> <span class="nx">model</span><span class="p">.</span> <span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">AIModelInterface</span> <span class="nx">tokenLimit</span><span class="o">=</span><span class="p">{</span><span class="nx">aiTokenLimit</span><span class="p">}</span> <span class="nx">promptVariant</span><span class="o">=</span><span class="p">{</span><span class="nx">promptVariant</span><span class="p">}</span> <span class="sr">/</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/section</span><span class="err">&gt; </span> <span class="p">)}</span> <span class="p">{</span><span class="cm">/* Standard content visible to all users */</span><span class="p">}</span> <span class="o">&lt;</span><span class="nx">section</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">mt-6</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h2</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">font-semibold</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">Standard</span> <span class="nx">Features</span><span class="o">&lt;</span><span class="sr">/h2</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">StandardInterface</span> <span class="nx">tokenLimit</span><span class="o">=</span><span class="p">{</span><span class="nx">aiTokenLimit</span><span class="p">}</span> <span class="sr">/</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/section</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/main</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Placeholder components</span> <span class="kd">function</span> <span class="nf">AIModelInterface</span><span class="p">({</span> <span class="nx">tokenLimit</span><span class="p">,</span> <span class="nx">promptVariant</span><span class="p">,</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">tokenLimit</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">promptVariant</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">})</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">mt-4</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-xs text-purple-500</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">Token</span> <span class="nx">limit</span><span class="p">:</span> <span class="p">{</span><span class="nx">tokenLimit</span><span class="p">}</span> <span class="o">|</span> <span class="nx">Variant</span><span class="p">:</span> <span class="p">{</span><span class="nx">promptVariant</span><span class="p">}</span> <span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">StandardInterface</span><span class="p">({</span> <span class="nx">tokenLimit</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">tokenLimit</span><span class="p">:</span> <span class="kr">number</span> <span class="p">})</span> <span class="p">{</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-sm text-gray-500</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">Token</span> <span class="nx">limit</span><span class="p">:</span> <span class="p">{</span><span class="nx">tokenLimit</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/p&gt;</span><span class="err">; </span><span class="p">}</span> </code></pre> </div> <p>Note: <code>getBooleanFlag("new_ai_model", false)</code> takes the flag key and a default value. If the flag does not exist in the user's token for any reason (flag not created yet, SDK version mismatch), the default value is returned. This makes your application safe to deploy before the flag exists in Kinde.</p> <h2> Step #3: Override Flags Per Environment </h2> <p>The most common override pattern: the new feature is <code>false</code> globally, but <code>true</code> in your staging environment so your team can test it before any users see it.</p> <p>Navigate to <strong>Settings</strong> → <strong>Environment</strong> → <strong>Feature flags</strong> (make sure you are in your staging environment, not production).</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz8875zkdihbaixyjwr65.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz8875zkdihbaixyjwr65.png" alt="Kinde Settings &gt; Environment &gt; Feature flags page showing a list of flags with their values. The " value="" width="800" height="502"></a></p> <p>Find <code>new_ai_model</code> and select <strong>Edit value</strong>. Switch it to <code>true</code>. Select <strong>Save</strong>.</p> <p>Now everyone in your staging environment sees the new AI feature. Everyone in production still sees <code>false</code>. Your team tests it, confirms it works, and when ready you flip it on in production — no code change, no redeployment.</p> <p>The cascade order for flag evaluation is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Business default → Environment override → Organization override → User override </code></pre> </div> <p>The most specific level wins. A user override takes precedence over everything. An organization override takes precedence over the environment. The business default is the fallback when nothing else is set.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fahzx05girpypw0tbynez.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fahzx05girpypw0tbynez.png" alt="Cascade waterfall showing: Business default (false) → Environment override (staging: true, production: false) → Org override (AcmeCorp: true) → User override (alice@test.com: true). At each level, the value either inherits from above or is explicitly set. The user's final value is the lowest-level explicit setting or the inherited value if nothing is set below" width="800" height="810"></a></p> <h2> Step #4: Override Flags Per Organization for Gradual Rollouts </h2> <p>For B2B AI products, you often want to enable a new feature for specific customer organizations before rolling it out globally. An org-level override is exactly how you do this.</p> <p>Navigate to <strong>Organizations</strong> → select your pilot customer's org → <strong>Feature flags</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6e1gwdozp7mz1btulayn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6e1gwdozp7mz1btulayn.png" alt="Kinde Organizations &gt; [Org name] &gt; Feature flags page showing the list of flags and their values for this specific organization" width="800" height="502"></a></p> <p>Select <strong>Edit value</strong> next to <code>secondn_ai_model</code> and set it to <code>true</code>. That organization's users now see the new AI feature. Every other organization still inherits the <code>false</code> default.</p> <p>This is gradual rollout in practice. Your rollout sequence for a significant AI feature might look like this:</p> <p><strong>Week 1:</strong> Enable for your own organization (internal testing)</p> <p><strong>Week 2:</strong> Enable for 2-3 design partner organizations (trusted early adopters)</p> <p><strong>Week 3:</strong> Enable for 10% of organizations (broader beta)</p> <p><strong>Week 4:</strong> Set business default to <code>true</code> (full rollout) and remove org overrides</p> <p>No deployments. No feature branches. No big-bang release. Each step is a toggle in the Kinde dashboard.</p> <h2> Step #5: Override Flags Per User for Beta Access </h2> <p>Sometimes you want to give specific individuals early access — a power user who has asked for beta features, a journalist reviewing the product, or your own test account.</p> <p>Navigate to <strong>Users</strong> → select the user → <strong>Feature flags</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsmqmwsh3i2kg049bvk29.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsmqmwsh3i2kg049bvk29.png" alt="Kinde Users &gt; [User name] &gt; Feature flags tab showing the list of all flags and the user's current values. The " value="" width="800" height="502"></a></p> <p>Find <code>third_ai_model</code> and select <strong>Edit value</strong>. Set it to <code>true</code>. This user now has the new AI feature regardless of which organization they belong to and regardless of the environment default.</p> <p>Note: User-level overrides apply across all organizations and environments for that user. They are the most specific level and cannot be further scoped. If you want to give a user access in one org but not another, use org-level overrides instead.</p> <h2> Step #6: Use String Flags for AI Prompt A/B Testing </h2> <p>String flags unlock a particularly powerful pattern for AI products: testing different prompt strategies without redeployment.</p> <p>Create a flag called <code>ai_prompt_strategy</code> of type <strong>String</strong> with a default value of <code>"standard"</code>. Enable environment and organization overrides.</p> <p>In your API route that calls the AI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/ai/chat/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextRequest</span><span class="p">,</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// Prompt templates for each variant</span> <span class="kd">const</span> <span class="nx">PROMPT_STRATEGIES</span> <span class="o">=</span> <span class="p">{</span> <span class="na">standard</span><span class="p">:</span> <span class="p">(</span><span class="na">userMessage</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="s2">`You are a helpful assistant. User: </span><span class="p">${</span><span class="nx">userMessage</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">chain_of_thought</span><span class="p">:</span> <span class="p">(</span><span class="na">userMessage</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="s2">`You are a helpful assistant. Think step-by-step before answering. User: </span><span class="p">${</span><span class="nx">userMessage</span><span class="p">}</span><span class="s2"> Let me work through this carefully:`</span><span class="p">,</span> <span class="na">few_shot</span><span class="p">:</span> <span class="p">(</span><span class="na">userMessage</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="s2">`You are a helpful assistant. Here are examples of good responses: Q: What is 2+2? A: 4. Q: What is the capital of France? A: Paris. Now answer: </span><span class="p">${</span><span class="nx">userMessage</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">}</span> <span class="k">as</span> <span class="kd">const</span><span class="p">;</span> <span class="kd">type</span> <span class="nx">PromptStrategy</span> <span class="o">=</span> <span class="kr">keyof</span> <span class="k">typeof</span> <span class="nx">PROMPT_STRATEGIES</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">getStringFlag</span><span class="p">,</span> <span class="nx">getIntegerFlag</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Unauthenticated</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Read the prompt strategy flag for this user</span> <span class="kd">const</span> <span class="nx">strategy</span> <span class="o">=</span> <span class="p">(</span><span class="k">await</span> <span class="nf">getStringFlag</span><span class="p">(</span> <span class="dl">"</span><span class="s2">ai_prompt_strategy</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">standard</span><span class="dl">"</span> <span class="p">))</span> <span class="k">as</span> <span class="nx">PromptStrategy</span><span class="p">;</span> <span class="c1">// Read the token limit flag for this user</span> <span class="kd">const</span> <span class="nx">maxTokens</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getIntegerFlag</span><span class="p">(</span><span class="dl">"</span><span class="s2">ai_token_limit</span><span class="dl">"</span><span class="p">,</span> <span class="mi">1000</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">message</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">request</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="c1">// Build the prompt based on the user's assigned variant</span> <span class="kd">const</span> <span class="nx">promptBuilder</span> <span class="o">=</span> <span class="nx">PROMPT_STRATEGIES</span><span class="p">[</span><span class="nx">strategy</span><span class="p">]</span> <span class="o">??</span> <span class="nx">PROMPT_STRATEGIES</span><span class="p">.</span><span class="nx">standard</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">prompt</span> <span class="o">=</span> <span class="nf">promptBuilder</span><span class="p">(</span><span class="nx">message</span><span class="p">);</span> <span class="c1">// Call your AI provider with the variant prompt and limit</span> <span class="kd">const</span> <span class="nx">aiResponse</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">callAIProvider</span><span class="p">({</span> <span class="nx">prompt</span><span class="p">,</span> <span class="nx">maxTokens</span><span class="p">,</span> <span class="c1">// Log which variant was used for analytics</span> <span class="na">metadata</span><span class="p">:</span> <span class="p">{</span> <span class="nx">strategy</span><span class="p">,</span> <span class="na">userId</span><span class="p">:</span> <span class="dl">"</span><span class="s2">from_session</span><span class="dl">"</span> <span class="p">},</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">response</span><span class="p">:</span> <span class="nx">aiResponse</span><span class="p">,</span> <span class="c1">// Optionally surface the variant in the response for debugging</span> <span class="na">_variant</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">development</span><span class="dl">"</span> <span class="p">?</span> <span class="nx">strategy</span> <span class="p">:</span> <span class="kc">undefined</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">callAIProvider</span><span class="p">({</span> <span class="nx">prompt</span><span class="p">,</span> <span class="nx">maxTokens</span><span class="p">,</span> <span class="nx">metadata</span><span class="p">,</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">prompt</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">maxTokens</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">metadata</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">string</span><span class="o">&gt;</span><span class="p">;</span> <span class="p">})</span> <span class="p">{</span> <span class="c1">// Replace with your actual AI provider call</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Calling AI with strategy:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">metadata</span><span class="p">.</span><span class="nx">strategy</span><span class="p">);</span> <span class="k">return</span> <span class="dl">"</span><span class="s2">AI response placeholder</span><span class="dl">"</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>To run the A/B test: set <code>ai_prompt_strategy</code> to <code>"chain_of_thought"</code> for half your organizations in Kinde's org overrides. The other half inherits <code>"standard"</code>. Monitor which variant produces better outcomes in your analytics. When you have a winner, update the business default to the winning strategy and remove the overrides.</p> <h2> Step #7: Use Integer Flags for AI Token Limits </h2> <p>AI API costs are directly proportional to token consumption. Integer flags let you set per-user or per-plan token limits without redeploying when you need to adjust them.</p> <p>Create a flag called <code>ai_token_limit</code> of type <strong>Integer</strong> with a default value of <code>1000</code>. Enable all overrides.</p> <p>Use it in your AI route handler:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// In your AI route handler — enforce the token limit before calling the AI</span> <span class="kd">const</span> <span class="nx">maxTokens</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getIntegerFlag</span><span class="p">(</span><span class="dl">"</span><span class="s2">ai_token_limit</span><span class="dl">"</span><span class="p">,</span> <span class="mi">1000</span><span class="p">);</span> <span class="c1">// Validate the requested tokens against the user's limit</span> <span class="kd">const</span> <span class="nx">requestedTokens</span> <span class="o">=</span> <span class="nx">body</span><span class="p">.</span><span class="nx">max_tokens</span> <span class="o">??</span> <span class="mi">500</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">enforcedTokens</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">min</span><span class="p">(</span><span class="nx">requestedTokens</span><span class="p">,</span> <span class="nx">maxTokens</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">requestedTokens</span> <span class="o">&gt;</span> <span class="nx">maxTokens</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span> <span class="s2">`User requested </span><span class="p">${</span><span class="nx">requestedTokens</span><span class="p">}</span><span class="s2"> tokens, capped to </span><span class="p">${</span><span class="nx">maxTokens</span><span class="p">}</span><span class="s2">`</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Use enforcedTokens in your AI call</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">openai</span><span class="p">.</span><span class="nx">chat</span><span class="p">.</span><span class="nx">completions</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gpt-4o</span><span class="dl">"</span><span class="p">,</span> <span class="na">messages</span><span class="p">:</span> <span class="p">[{</span> <span class="na">role</span><span class="p">:</span> <span class="dl">"</span><span class="s2">user</span><span class="dl">"</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="nx">prompt</span> <span class="p">}],</span> <span class="na">max_tokens</span><span class="p">:</span> <span class="nx">enforcedTokens</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>Now adjust limits per organization without touching code:</p> <ul> <li>Free plan orgs: set <code>ai_token_limit</code> to <code>500</code> via org override</li> <li>Pro plan orgs: inherit the default of <code>1000</code> </li> <li>Enterprise orgs: set <code>ai_token_limit</code> to <code>5000</code> via org override</li> <li>Your own internal org: set <code>ai_token_limit</code> to <code>10000</code> for testing</li> </ul> <p>When your infrastructure changes and you need to globally reduce the default limit, change the business default in the Kinde dashboard. Every user's limit updates at their next token refresh — no deployment.</p> <h2> Step #8: Use JSON Flags for Complex AI Configurations </h2> <p>When multiple related configuration values need to change together, JSON flags keep them atomic. If you use separate flags for each value, you can end up in a state where some values have been updated and others have not, which can cause subtle bugs.</p> <p>Create a flag called <code>ai_model_config</code> of type <strong>JSON</strong> with a default value:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"model"</span><span class="p">:</span><span class="w"> </span><span class="s2">"gpt-4o"</span><span class="p">,</span><span class="w"> </span><span class="nl">"temperature"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.7</span><span class="p">,</span><span class="w"> </span><span class="nl">"max_tokens"</span><span class="p">:</span><span class="w"> </span><span class="mi">500</span><span class="p">,</span><span class="w"> </span><span class="nl">"system_prompt"</span><span class="p">:</span><span class="w"> </span><span class="s2">"You are a helpful AI assistant."</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Enable environment and organization overrides. Now use it in your application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/ai/generate/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextRequest</span><span class="p">,</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">AIModelConfig</span> <span class="p">{</span> <span class="nl">model</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">temperature</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">max_tokens</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">system_prompt</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">DEFAULT_CONFIG</span><span class="p">:</span> <span class="nx">AIModelConfig</span> <span class="o">=</span> <span class="p">{</span> <span class="na">model</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gpt-4o</span><span class="dl">"</span><span class="p">,</span> <span class="na">temperature</span><span class="p">:</span> <span class="mf">0.7</span><span class="p">,</span> <span class="na">max_tokens</span><span class="p">:</span> <span class="mi">500</span><span class="p">,</span> <span class="na">system_prompt</span><span class="p">:</span> <span class="dl">"</span><span class="s2">You are a helpful AI assistant.</span><span class="dl">"</span><span class="p">,</span> <span class="p">};</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">getFlag</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Unauthenticated</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Read the JSON flag — use getFlag with type "j" for JSON</span> <span class="kd">const</span> <span class="nx">configFlag</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getFlag</span><span class="p">(</span> <span class="dl">"</span><span class="s2">ai_model_config</span><span class="dl">"</span><span class="p">,</span> <span class="nx">DEFAULT_CONFIG</span><span class="p">,</span> <span class="dl">"</span><span class="s2">j</span><span class="dl">"</span> <span class="c1">// "j" = JSON type</span> <span class="p">);</span> <span class="c1">// configFlag.value contains the parsed JSON object</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">(</span><span class="nx">configFlag</span><span class="p">?.</span><span class="nx">value</span> <span class="k">as</span> <span class="nx">AIModelConfig</span><span class="p">)</span> <span class="o">??</span> <span class="nx">DEFAULT_CONFIG</span><span class="p">;</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">message</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">request</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="c1">// Use the full config from the flag — one atomic update in Kinde</span> <span class="c1">// changes model, temperature, max_tokens, and system_prompt together</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">callAI</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">model</span><span class="p">,</span> <span class="na">temperature</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">temperature</span><span class="p">,</span> <span class="na">maxTokens</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">max_tokens</span><span class="p">,</span> <span class="na">systemPrompt</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">system_prompt</span><span class="p">,</span> <span class="na">userMessage</span><span class="p">:</span> <span class="nx">message</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">response</span> <span class="p">});</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">callAI</span><span class="p">({</span> <span class="nx">model</span><span class="p">,</span> <span class="nx">temperature</span><span class="p">,</span> <span class="nx">maxTokens</span><span class="p">,</span> <span class="nx">systemPrompt</span><span class="p">,</span> <span class="nx">userMessage</span><span class="p">,</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">model</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">temperature</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">maxTokens</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">systemPrompt</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">userMessage</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">})</span> <span class="p">{</span> <span class="c1">// Your AI provider call using the flag-configured values</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Using model: </span><span class="p">${</span><span class="nx">model</span><span class="p">}</span><span class="s2">, temp: </span><span class="p">${</span><span class="nx">temperature</span><span class="p">}</span><span class="s2">, max_tokens: </span><span class="p">${</span><span class="nx">maxTokens</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">return</span> <span class="dl">"</span><span class="s2">AI response placeholder</span><span class="dl">"</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>When you want to test a newer model with different parameters, update the JSON flag value for your staging environment. If it works well, update the production environment override. If there is a problem, revert the JSON flag — all four values revert atomically.</p> <h2> Putting It All Together </h2> <p>Here is a complete rollout lifecycle for a major AI feature using flags:</p> <p><strong>Phase 1 — Development (flag default: <code>false</code>):</strong><br> Code is deployed behind the flag. Nothing changes for users. Your team iterates freely.</p> <p><strong>Phase 2 — Internal testing (environment override: staging <code>true</code>):</strong><br> The feature is live in staging. Your team tests it thoroughly against real data. Production users are unaffected.</p> <p><strong>Phase 3 — Beta access (user overrides: specific users <code>true</code>):</strong><br> You enable the flag for 5 power users and your own account. Collect feedback. Fix issues without touching code.</p> <p><strong>Phase 4 — Gradual rollout (org overrides: pilot orgs <code>true</code>):</strong><br> Enable for 3 design partner organizations. Monitor AI token consumption, error rates, user satisfaction. Expand to 20% of orgs if metrics look good.</p> <p><strong>Phase 5 — Full release (business default: <code>true</code>):</strong><br> Update the global default to <code>true</code>. All remaining users see the feature. Remove org-level overrides — they are no longer needed.</p> <p><strong>Phase 6 — Cleanup (delete the flag):</strong><br> Once the feature is stable and you are confident you will not need to roll back, remove the flag from your code and delete it from Kinde. Temporary flags are technical debt. A flag that controls a permanent feature state can stay; a flag that was used to control a release should go.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbuosy1lopjug4mfb6efw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbuosy1lopjug4mfb6efw.png" alt="Six-phase rollout timeline as a horizontal flow: Dev (flag off, code deployed) → Internal Testing (staging override on) → Beta Users (user overrides on) → Gradual Rollout (org overrides expanding) → Full Release (global default on) → Cleanup (flag deleted). Each phase is a labeled box with the flag configuration state shown below it. Arrows connect each phase. This is the canonical feature flag lifecycle readers should internalize" width="800" height="74"></a></p> <h2> Flag Naming Conventions </h2> <p>A flag library grows fast. Without conventions it becomes unmanageable. Use these patterns from the start:</p> <p><strong>Prefix by category:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">ai_* AI feature flags (ai_new_model, ai_token_limit, ai_prompt_strategy)</span> <span class="s">ui_* UI and design flags (ui_dark_mode, ui_new_nav)</span> <span class="s">billing_* Billing and plan flags (billing_annual_discount)</span> <span class="s">beta_* Beta features (beta_voice_input, beta_export_pdf)</span> </code></pre> </div> <p><strong>Use positive names for booleans:</strong> <code>show_new_dashboard</code> not <code>hide_old_dashboard</code>. Double negatives in code (<code>if (!hideOldDashboard)</code>) cause bugs.</p> <p><strong>Use descriptive names for strings and integers:</strong> <code>ai_model_name</code> not <code>model</code>, <code>ai_max_tokens_per_request</code> not <code>limit</code>.</p> <p><strong>Document the flag purpose in the description field.</strong> Kinde lets you add a description when creating the flag. Write what the flag does, what the rollout plan is, and when it should be deleted. Future you will appreciate it.</p> <h2> Conclusion </h2> <p>In this article, you learned how to use Kinde feature flags to safely roll out features in production — using all four flag types, managing overrides at the environment, organization, and user levels, and running a phased rollout from internal testing to full release without a single redeployment.</p> <p>The key insight that makes Kinde's approach different: flags are delivered in the auth token, not fetched separately. The same token that authenticates your user also carries their flag values, their permissions, and their organization context. One integration. One token. Everything your application needs to make runtime decisions.</p> <p>Kinde is free for up to 10,500 monthly active users, no credit card required. Feature flags are available on every plan. Create your account at <a href="https://kinde.com" rel="noopener noreferrer">kinde.com</a> and start shipping code with confidence.</p> webdev kinde featureflags programming Shola Jegede Tue, 14 Apr 2026 12:47:33 +0000 https://forem.com/sholajegede/how-to-add-enterprise-sso-to-your-ai-app-with-kinde-saml-oidc-and-beyond-438a https://forem.com/sholajegede/how-to-add-enterprise-sso-to-your-ai-app-with-kinde-saml-oidc-and-beyond-438a <p><em>Enterprise buyers will not deploy your AI app without SSO. Here is everything you need to know to pass that security review.</em></p> <p>In this article, you will learn:</p> <ul> <li>Why enterprise SSO is now non-negotiable for AI apps that sell to businesses</li> <li>The difference between SAML and OIDC — and which one to use when</li> <li>How Kinde models enterprise connections with organizations</li> <li>How to configure a custom SAML connection in Kinde step by step</li> <li>How to configure a Microsoft Entra ID (Azure AD) SAML connection</li> <li>What home realm discovery is and why it makes the login experience seamless</li> <li>How JIT (just-in-time) provisioning works in Kinde</li> <li>How IdP-initiated SSO works (Kinde shipped this in February 2026)</li> <li>How to let enterprise customers configure their own SSO via the self-serve portal</li> <li>How to use Kinde's suspend organization feature when a customer churns or has a security incident</li> </ul> <p>Let's dive in!</p> <h2> Why Enterprise SSO Is No Longer Optional for AI Apps </h2> <p>There is a question every AI founder building for enterprise customers will hear sooner or later, usually from IT security during a procurement review: "Do you support SSO?"</p> <p>The wrong answer ends the deal. Not "we're working on it." Not "we have Google login." SSO — specifically SAML 2.0 or enterprise OIDC federated to the company's identity provider — is a hard requirement for any AI app that wants to handle company data at scale.</p> <p>The reason is not bureaucracy. It is a genuine security need that AI tools make more acute than most SaaS products. When a 30-person team at a financial services firm deploys your AI app to analyze internal documents, every one of those 30 users needs to be automatically deprovisioned the moment they leave the company. With SSO, that happens instantly — their IdP account is deactivated and they cannot access your app, your AI's context, or your data. Without SSO, some offboarding ticket eventually gets filed and one of those users might still have access six weeks after their last day.</p> <p>Enterprise IT teams also need your AI app to be visible in their identity governance stack. If your app lives outside their IdP's audit trail, it will not pass a SOC 2 or ISO 27001 review. SSO is what makes your app governable.</p> <p>The good news: adding enterprise SSO no longer requires weeks of work. Kinde handles the SAML/OIDC infrastructure — you configure connections in a dashboard, your app code stays exactly as it is, and enterprise customers connect their Okta, Entra ID, or other IdP the same day they ask for it.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqsdbkcat7v5i2qejkyiw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqsdbkcat7v5i2qejkyiw.png" alt="Two columns showing " width="800" height="913"></a></p> <h2> SAML vs OIDC: Choosing the Right Protocol </h2> <p>Before touching any configuration, understand which protocol your customer needs. Getting this wrong means starting over.</p> <p><strong>SAML 2.0</strong> is the enterprise legacy standard. XML-based, widely supported by every major enterprise IdP including Okta, Microsoft Entra ID (Azure AD), Google Workspace, and Ping Identity. If your customer has been in business for more than 10 years or works in financial services, healthcare, or government, they almost certainly have SAML infrastructure. This is the protocol you will encounter most often in enterprise procurement reviews.</p> <p><strong>OIDC (OpenID Connect)</strong> is the modern standard, built on OAuth 2.0. JSON-based, simpler to implement, better suited for mobile and API-driven authentication. Increasingly preferred by newer enterprises and tech companies. If your customer uses Okta with OIDC configured, or runs a modern identity stack, OIDC is the cleaner choice.</p> <p>Both are fully supported by Kinde. Here is a practical decision guide:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scenario</th> <th>Recommended protocol</th> </tr> </thead> <tbody> <tr> <td>Customer uses Okta, Ping, or ADFS</td> <td>SAML 2.0</td> </tr> <tr> <td>Customer uses Microsoft Entra ID (Azure AD)</td> <td>SAML or Entra ID OIDC — both work</td> </tr> <tr> <td>Customer is a modern tech company with Google Workspace</td> <td>SAML (Google Workspace SAML)</td> </tr> <tr> <td>Customer uses a modern cloud-native IdP</td> <td>OIDC</td> </tr> <tr> <td>Customer has no strong preference</td> <td>OIDC — simpler to configure</td> </tr> <tr> <td>Customer's IT team sends you XML metadata</td> <td>SAML — that is their preference</td> </tr> </tbody> </table></div> <p>Note: If a customer sends you an XML metadata URL, they are using SAML. If they send you a discovery endpoint URL ending in <code>.well-known/openid-configuration</code>, they are using OIDC. The format of what they provide tells you the protocol.</p> <h2> How Kinde Models Enterprise SSO </h2> <p>Kinde's SSO model is built around two concepts you need to understand before configuring anything.</p> <p><strong>Kinde acts as the Service Provider (SP).</strong> Your enterprise customer acts as (or connects to) the Identity Provider (IdP). This means the IdP owns the user identities — their Okta, Entra ID, or Google Workspace is the source of truth. Kinde receives the authentication assertion from the IdP and issues its own session token to your app. Your application code always talks to Kinde — never directly to the customer's IdP.</p> <p><strong>Enterprise connections live on organizations.</strong> In Kinde, each enterprise customer is a Kinde organization. Their SSO connection is attached to that organization. This is the right model for multi-tenant AI apps: one connection per customer, each isolated, each independently configurable. Acme Corp's Okta SAML setup has no effect on Globex Inc's Entra ID configuration.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjimafznoxsh3xp3ftktq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjimafznoxsh3xp3ftktq.png" alt="Architecture showing Your AI App → Kinde (SP) → multiple IdPs (Okta, Entra ID, Google Workspace). Each IdP connection maps to a specific Kinde Organization (Acme Corp → Okta, Globex Inc → Entra ID, Startup LLC → Google SAML). Kinde issues tokens to your app after validating the SAML/OIDC assertion. Your app code is unchanged — it always calls Kinde, never the individual IdPs" width="800" height="296"></a></p> <h2> Step #1: Create an Organization for Your Enterprise Customer </h2> <p>Each enterprise customer gets their own Kinde organization. If you already have organizations set up, skip to Step #2.</p> <p>Navigate to <strong>Organizations</strong> in your Kinde dashboard and select <strong>Create organization</strong>. Give it the name of the enterprise customer — this is internal to your Kinde account, not visible to end users. Note the org code assigned; you will use it when scoping the connection.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft723o2hcrtg6xa0ekmye.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft723o2hcrtg6xa0ekmye.png" alt="Kinde Organizations page showing the " width="800" height="502"></a></p> <p>For multi-tenant AI apps, each customer organization is also where you will attach billing, custom roles, and per-org MFA requirements. The enterprise connection is just one of many things scoped per organization.</p> <h2> Step #2: Configure a Custom SAML Connection </h2> <p>This is the generic SAML path that works with any SAML 2.0-compliant IdP. Go through this if your customer uses an IdP not covered by Kinde's named integrations (Okta, Entra ID, Google Workspace, Cloudflare, LastPass).</p> <p>In your Kinde dashboard, navigate to <strong>Settings</strong> → <strong>Environment</strong> → <strong>Authentication</strong> and scroll to the <strong>Enterprise connection</strong> section. Select <strong>Add connection</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs4nfli89cqkcj3vj27hn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs4nfli89cqkcj3vj27hn.png" alt="Kinde Settings &gt; Authentication page showing the Enterprise connections section with an " width="800" height="504"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fofzz5jajxvwsmxd88rfs.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fofzz5jajxvwsmxd88rfs.png" alt="The list of available connection types is visible: Custom SAML, Microsoft Entra ID (SAML), Okta (SAML), Google Workspace (SAML), and others" width="800" height="502"></a></p> <p>Select <strong>Custom SAML</strong> and click <strong>Next</strong>. You will now configure the connection:</p> <p><strong>Step 2a: Connection name.</strong> Enter a descriptive name like <code>Acme Corp Okta SAML</code>. This is internal — use whatever helps you identify it.</p> <p><strong>Step 2b: Entity ID.</strong> Generate a random alphanumeric string, for example <code>hEb876ZZlkg99Dwat64Mnbvyh129</code>. Copy it — you will add this to your customer's IdP configuration as the SP Entity ID (also called Audience URI in some IdPs).</p> <p><strong>Step 2c: ACS URL.</strong> Kinde generates this for you. It is the URL where the IdP will send the SAML response after authentication. It looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Without custom domain https://your-subdomain.kinde.com/login/saml/callback # With custom domain https://auth.yourdomain.com/login/saml/callback </code></pre> </div> <p>Copy the ACS URL — your customer's IT team needs this to configure their IdP.</p> <p><strong>Step 2d: IdP metadata URL.</strong> Your customer's IT team provides this. It is a URL that Kinde fetches to get the IdP's public certificate and endpoints. In Okta it is typically <code>https://your-okta-domain.okta.com/app/your-app-id/sso/saml/metadata</code>. In other IdPs it may be called the Federation Metadata URL.</p> <p><strong>Step 2e: Email attribute.</strong> This tells Kinde which SAML attribute contains the user's email address. The standard value is <code>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</code> for Entra ID or simply <code>email</code> for most others. If left blank, Kinde defaults to <code>email</code>.</p> <p><strong>Step 2f: Home realm domains.</strong> Enter the email domains that route to this connection, for example <code>acmecorp.com</code>. When a user enters their email during login and it matches this domain, Kinde silently routes them to the Acme Corp SAML IdP without showing an SSO button. This is home realm discovery — users experience seamless, invisible SSO.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fywyt50yds2lvx2fmcpos.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fywyt50yds2lvx2fmcpos.png" alt="Kinde SAML connection configuration form showing the fields: Connection name (filled: " id="" width="800" height="502"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa2f4ib0hr2stsrm88cbs.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa2f4ib0hr2stsrm88cbs.png" alt="ACS URL (shown, greyed out — generated by Kinde), Email attribute, Home realm domains (filled: " width="800" height="502"></a></p> <p><strong>Step 2g: JIT provisioning.</strong> Enable <strong>Create a user record in Kinde</strong> if you want users to be automatically created in Kinde on their first SSO login. This is almost always the right choice for enterprise customers — it means you do not have to pre-provision users manually. They sign in through their IdP and Kinde creates their account automatically.</p> <p><strong>Step 2h: Trust email addresses.</strong> Enable this if you want Kinde to match SSO users to existing Kinde users by email. For example, if a user already has an account in Kinde via email/password, enabling this merges them with the incoming SSO identity. If disabled, a new separate identity is created regardless.</p> <p>Select <strong>Save</strong>. The connection is created. Now give your customer's IT team the following information:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="err">SP</span> <span class="err">Entity</span> <span class="err">ID</span> <span class="err">(Audience</span> <span class="err">URI):</span> <span class="err">[your</span> <span class="err">Entity</span> <span class="err">ID</span> <span class="err">string]</span> <span class="err">ACS</span> <span class="err">URL</span> <span class="err">(Reply</span> <span class="err">URL):</span> <span class="py">https</span><span class="p">:</span><span class="s">//your-subdomain.kinde.com/login/saml/callback</span> <span class="err">Name</span> <span class="err">ID</span> <span class="py">format</span><span class="p">:</span> <span class="s">Email address (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)</span> </code></pre> </div> <p>That is all the IT team needs to configure their IdP. Once they complete setup and activate the connection on their side, test by having a user from their domain attempt to log in to your app.</p> <p>A working SAML connection in about 10 minutes of configuration on each side.</p> <h2> Step #3: Configure Microsoft Entra ID (Azure AD) SAML </h2> <p>Microsoft Entra ID is the most common enterprise IdP for AI apps selling into corporate accounts. Kinde has a dedicated Entra ID connection type that handles Entra-specific quirks — including a note that older Entra tenants require the Entity ID to have a <code>spn:</code> prefix.</p> <p>Navigate to <strong>Settings</strong> → <strong>Authentication</strong> → <strong>Add connection</strong> → <strong>Microsoft Entra ID (SAML)</strong>.</p> <p>The configuration is similar to custom SAML with a few Entra-specific fields:</p> <p><strong>Step 3a: Connection name.</strong> For example <code>Acme Corp Entra ID</code>.</p> <p><strong>Step 3b: Entity ID.</strong> Generate a random string as before. If your connection fails after setup, try prefixing it with <code>spn:</code> — this is an older Entra ID requirement some tenants still have.</p> <p><strong>Step 3c: IdP metadata URL.</strong> From the Microsoft Entra admin center, navigate to <strong>Enterprise applications</strong> → your app → <strong>Single sign-on</strong> → <strong>SAML</strong> → <strong>App Federation Metadata URL</strong>. Copy this URL and paste it into Kinde.</p> <p><strong>Step 3d: Email attribute.</strong> For Entra ID SAML, the email attribute is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress </code></pre> </div> <p>Enter this value exactly. Getting this wrong is the most common cause of Entra ID SAML failures — Kinde receives the SAML assertion but cannot find the email claim.</p> <p><strong>Step 3e: Home realm domains.</strong> Enter the corporate domain(s), for example <code>acmecorp.com</code>, <code>acmecorp.onmicrosoft.com</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2n72d249gd97obq5vl8u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2n72d249gd97obq5vl8u.png" alt="Kinde Entra ID SAML connection form showing the Email attribute field filled with the Entra ID schema URL. The ACS URL is highlighted — this is what the Entra IT admin needs to enter as the Reply URL in the Azure portal" width="800" height="502"></a></p> <p>On the Entra ID side, your customer's IT admin needs to create an Enterprise Application in the Azure portal with:</p> <ul> <li> <strong>Reply URL (ACS URL):</strong> The ACS URL from Kinde</li> <li> <strong>Identifier (Entity ID):</strong> The Entity ID string you created in Kinde</li> <li> <strong>Sign on URL:</strong> Your app's login URL (optional)</li> <li> <strong>Attributes &amp; Claims:</strong> Ensure the email claim is mapped to the user's email attribute</li> </ul> <p>Note: If you need additional Entra ID attributes in Kinde (like department, phone number, or group membership), you can sync them using a Kinde post-authentication workflow. The workflow reads the SAML assertion attributes and writes them to Kinde custom user properties.</p> <h2> Step #4: Enable IdP-Initiated SSO </h2> <p>Standard SAML flow is SP-initiated: the user starts at your app, clicks login, gets redirected to the IdP, authenticates, and comes back. This is the most common setup.</p> <p>Kinde shipped <strong>IdP-initiated SSO</strong> in February 2026. With IdP-initiated flow, users start the login from their IdP portal — for example, clicking your app's tile in Okta or the Microsoft MyApps dashboard. They are authenticated at the IdP first, and Kinde handles the unsolicited SAML response when it arrives.</p> <p>To enable IdP-initiated SSO for a connection, navigate to the connection in Kinde and toggle on <strong>Allow IdP-initiated SSO</strong>. When this is enabled, Kinde also uses the email from the SAML response to pre-fill the login screen if the user ends up being redirected back to an SP-initiated flow, reducing friction.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3us99pghbmi3wshuefmf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3us99pghbmi3wshuefmf.png" alt="Kinde enterprise connection detail page showing the " width="800" height="502"></a></p> <p>Enterprise customers who use a company intranet or application portal (like Okta's dashboard or Microsoft MyApps) often require IdP-initiated flow. Without it, they cannot tile your app in their portal — and tiling apps is how IT controls visibility and access across the company. Enabling this expands your deployment options inside enterprise accounts significantly.</p> <h2> Step #5: Set Up Home Realm Discovery for Seamless Login </h2> <p>Home realm discovery is what makes enterprise SSO feel invisible to end users. Instead of showing a generic "Sign in with SSO" button that users may not understand, Kinde detects the user's email domain and automatically routes them to the correct IdP.</p> <p>You already set home realm domains in Step #2. Here is how the experience works once configured:</p> <ol> <li>User navigates to your AI app and reaches the Kinde login page</li> <li>User enters their email address: <code>alice@acmecorp.com</code> </li> <li>Kinde matches the <code>acmecorp.com</code> domain to the Acme Corp SAML connection</li> <li>Kinde silently redirects Alice to Acme Corp's Okta for authentication</li> <li>Alice authenticates with Okta (likely already SSO'd from her device)</li> <li>Okta sends the SAML assertion back to Kinde</li> <li>Kinde issues a session token and Alice lands in your app</li> </ol> <p>Steps 3 through 6 happen in under a second. From Alice's perspective, she typed her email and landed in the app. No separate SSO button. No understanding of SAML required.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3rnbhg17uhfl1inglgjv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3rnbhg17uhfl1inglgjv.png" alt="Home realm discovery flow — User types email (alice@acmecorp.com) → Kinde checks home realm domains → Matches " width="800" height="1071"></a></p> <p>Note: Home realm domains must be unique across all connections in your Kinde environment. If you add <code>acmecorp.com</code> to one connection, no other connection can also claim it.</p> <h2> Step #6: Let Enterprise Customers Configure Their Own SSO </h2> <p>For AI apps with many enterprise customers, having your team configure each SAML connection manually does not scale. Kinde supports <strong>self-serve SSO configuration</strong> (available on Scale plans) — enterprise customers can configure their own SSO connection through the Kinde self-serve portal.</p> <p>When self-serve SSO is enabled for an organization, the customer's admin (a user with the appropriate role in your app) can visit the self-serve portal, navigate to <strong>Security</strong> or <strong>Connections</strong>, and configure their SAML or OIDC connection themselves.</p> <p>They enter their IdP metadata URL, set their attribute mappings, and submit. Kinde validates the configuration and creates the connection. Your team gets notified but does not need to be involved in the data entry.</p> <p>To enable this, navigate to <strong>Settings</strong> → <strong>Self-serve portal</strong> → and enable SSO self-management for the relevant organizations. You can control which organizations have this capability — you might enable it only for enterprise-tier customers.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2f039c2r8lu78s8x74ft.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2f039c2r8lu78s8x74ft.png" alt="Kinde Settings &gt; Self-serve portal showing the SSO configuration option with a toggle to enable customers to manage their own enterprise connections. The description text explains what customers can configure" width="800" height="502"></a></p> <p>This is the SSO motion that scales. Your enterprise sales team closes the deal and mentions SSO as a feature the customer can configure themselves on day one. No engineering ticket. No back-and-forth over Entity IDs. The customer's IT admin does the setup in your self-serve portal in 20 minutes.</p> <h2> Step #7: Read Enterprise Identity in Your App </h2> <p>Once enterprise SSO is configured, the user's Kinde session looks exactly the same as any other authenticated session. Your application code does not need to know or care whether the user authenticated via email OTP, Google login, or enterprise SAML. The same Kinde SDK methods work for all of them.</p> <p>In a Next.js application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/dashboard/page.tsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">redirect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/navigation</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">DashboardPage</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">getUser</span><span class="p">,</span> <span class="nx">getOrganization</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="p">{</span> <span class="nf">redirect</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/auth/login</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getUser</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">org</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getOrganization</span><span class="p">();</span> <span class="c1">// user.email comes from the SAML assertion for SSO users</span> <span class="c1">// org.orgCode identifies which enterprise customer this is</span> <span class="c1">// No special handling needed for SSO vs non-SSO users</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">main</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">p-8</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h1</span><span class="o">&gt;</span><span class="nx">Welcome</span><span class="p">,</span> <span class="p">{</span><span class="nx">user</span><span class="p">?.</span><span class="nx">given_name</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/h1</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-gray-500</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">Signed</span> <span class="k">in</span> <span class="nx">via</span> <span class="p">{</span><span class="nx">org</span><span class="p">?.</span><span class="nx">name</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">your organization</span><span class="dl">"</span><span class="p">}</span> <span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/main</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>If you want to know which authentication method the user used (useful for audit logs or analytics), you can check the <code>identities</code> from the Kinde Management API. But for most application logic, you simply use <code>getUser()</code> and <code>getOrganization()</code> without worrying about the underlying auth method.</p> <p>For AI apps that need to enforce that specific customers must use SSO and cannot fall back to email/password, configure an <strong>org-level access policy</strong> in Kinde. Navigate to <strong>Organizations</strong> → select the org → <strong>Access policies</strong> → enable <strong>Require enterprise connection</strong>. Users who try to log in to this organization via email/password will be blocked and prompted to use SSO instead.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Verify the user is authenticated via enterprise SSO for sensitive AI operations</span> <span class="c1">// This is an optional extra layer — Kinde's access policies handle the enforcement,</span> <span class="c1">// but you can also check in your API routes for audit purposes</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextRequest</span><span class="p">,</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">getOrganization</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Unauthenticated</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">org</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getOrganization</span><span class="p">();</span> <span class="c1">// Log the org for audit trail — critical for enterprise AI compliance</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`AI request from org: </span><span class="p">${</span><span class="nx">org</span><span class="p">?.</span><span class="nx">orgCode</span><span class="p">}</span><span class="s2">, user: </span><span class="p">${(</span><span class="k">await</span> <span class="nf">getKindeServerSession</span><span class="p">().</span><span class="nf">getUser</span><span class="p">())?.</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="c1">// Execute AI operation</span> <span class="c1">// ...</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">result</span><span class="p">:</span> <span class="dl">"</span><span class="s2">...</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h2> Step #8: Suspend an Organization Instantly </h2> <p>Enterprise contracts end. Security incidents happen. When either occurs, you need to cut off an entire organization's access immediately — not one user at a time.</p> <p>Kinde added <strong>organization suspension</strong> in February 2026. When you suspend an org, every active token is revoked and every session is invalidated instantly. No user from that organization can log in to your app, regardless of how they authenticated.</p> <p>Navigate to <strong>Organizations</strong> → select the org → <strong>Settings</strong> → <strong>Suspend organization</strong>. Select <strong>Suspend</strong>. Done.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpde6ri1b7f5ztsxmjxcu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpde6ri1b7f5ztsxmjxcu.png" alt="Kinde Organization settings page showing the " width="800" height="502"></a></p> <p>Unsuspending restores access just as quickly — toggle the same setting off and all users can log back in at their next login attempt.</p> <p>This feature is essential for enterprise AI apps for two reasons. First, when a customer churns or does not renew, you need access revocation to happen immediately, not when individual users try to log in and find their tokens expired. Second, if a customer reports a security incident (a compromised account, suspicious AI queries, a potential data breach), suspension gives you a one-click kill switch while you investigate.</p> <h2> Putting It All Together </h2> <p>Here is the full enterprise SSO setup checklist for your AI app:</p> <p><strong>In Kinde dashboard:</strong></p> <ul> <li>Organization created for each enterprise customer</li> <li>SAML or OIDC connection configured and saved</li> <li>Home realm domain(s) set for seamless routing</li> <li>JIT provisioning enabled for automatic user creation</li> <li>IdP-initiated SSO enabled (if customer uses an app portal)</li> <li>Org-level access policy set to require enterprise connection (optional but recommended for security-sensitive customers)</li> <li>Self-serve SSO enabled for enterprise-tier orgs (Scale plan)</li> </ul> <p><strong>What you give the customer's IT team:</strong></p> <ul> <li>SP Entity ID (Audience URI)</li> <li>ACS URL (Reply URL)</li> <li>Name ID format: <code>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</code> </li> </ul> <p><strong>What the customer's IT team gives you:</strong></p> <ul> <li>IdP metadata URL (or the XML metadata itself)</li> <li>Email attribute name (if non-standard)</li> <li>Home realm domains to register</li> </ul> <p><strong>In your application code:</strong></p> <ul> <li>No changes required to authentication logic</li> <li>Use <code>getUser()</code> and <code>getOrganization()</code> as normal</li> <li>Add org-level access policy enforcement in API routes if needed</li> <li>Log <code>orgCode</code> in audit trails for all AI operations</li> </ul> <h2> SAML Troubleshooting Reference </h2> <p>These are the most common SAML configuration problems and how to fix them in Kinde:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Symptom</th> <th>Likely cause</th> <th>Fix</th> </tr> </thead> <tbody> <tr> <td>"Invalid assertion" error</td> <td>Certificate mismatch or expired IdP cert</td> <td>Re-fetch the IdP metadata URL in Kinde to refresh the certificate</td> </tr> <tr> <td>User authenticated but no email</td> <td>Wrong email attribute name</td> <td>Check the Entra/Okta attribute configuration and update the email attribute field in Kinde</td> </tr> <tr> <td>Loop between app and IdP</td> <td>ACS URL misconfigured</td> <td>Verify the ACS URL in the IdP exactly matches what Kinde shows (including protocol and path)</td> </tr> <tr> <td>"Entity ID not found"</td> <td>SP Entity ID mismatch</td> <td>Confirm the Entity ID in your IdP matches the string you set in Kinde exactly</td> </tr> <tr> <td>Users get separate accounts</td> <td>Trust email not enabled</td> <td>Enable "Trust email addresses" in the connection settings to merge existing users</td> </tr> <tr> <td>Old Entra ID tenant fails</td> <td>Entity ID format</td> <td>Prefix the Entity ID with <code>spn:</code> — required by some older Entra tenants</td> </tr> <tr> <td>SSO button shows for home realm users</td> <td>Home realm domain not set</td> <td>Add the email domain to the connection's home realm domains</td> </tr> </tbody> </table></div> <p>Navigate to <strong>Settings</strong> → <strong>Logs</strong> → <strong>Authentication logs</strong> in Kinde to see detailed SAML assertion logs for failed authentication attempts. This is the fastest way to identify configuration issues.</p> <h2> Conclusion </h2> <p>In this article, you configured enterprise SSO for your AI app — custom SAML, Microsoft Entra ID SAML, home realm discovery, JIT provisioning, IdP-initiated flow, customer self-serve setup, and organization suspension. Your AI app can now pass enterprise security reviews, integrate with any major corporate identity provider, and automatically revoke access when users leave a customer's organization.</p> <p>The entire configuration lives in Kinde. Your application code is completely unchanged — the same <code>getUser()</code> and <code>getOrganization()</code> calls that work for email login work for enterprise SAML. Kinde normalizes all authentication methods into the same session model.</p> <p>Enterprise SSO used to be the feature that required a dedicated engineering sprint and an enterprise-tier contract with your auth provider. With Kinde, it is a configuration that takes an afternoon and is available on all paid plans.</p> <p>Create a free Kinde account at <a href="https://kinde.com" rel="noopener noreferrer">kinde.com</a> — 10,500 monthly active users, no credit card required — and have your first enterprise connection configured before your next security review.</p> webdev kinde ai development Shola Jegede Tue, 14 Apr 2026 10:35:04 +0000 https://forem.com/sholajegede/how-to-implement-rbac-in-a-nextjs-16-app-with-kinde-a-step-by-step-guide-1ic1 https://forem.com/sholajegede/how-to-implement-rbac-in-a-nextjs-16-app-with-kinde-a-step-by-step-guide-1ic1 <p><em>Next.js 16 ships with <code>proxy.ts</code>, React Compiler, and React 19.2. Your access control should be as modern as your stack.</em></p> <p>In this article, you will learn:</p> <ul> <li>What RBAC is and why it belongs in your auth layer, not your database</li> <li>How Kinde models roles and permissions and why that maps cleanly to Next.js 16</li> <li>How to set up the Kinde Next.js SDK in a Next.js 16.2 project</li> <li>How to configure the auth handler and environment variables</li> <li>How to protect routes using <code>proxy.ts</code> — the new Next.js 16 network boundary file</li> <li>How to define roles and permissions in the Kinde dashboard</li> <li>How to enforce permissions in React Server Components</li> <li>How to enforce permissions in Route Handlers (API routes)</li> <li>How to render conditional UI based on a user's role</li> <li>How to handle the <code>use cache</code> directive safely alongside permission checks</li> </ul> <p>Let's dive in!</p> <h2> Prerequisites </h2> <p>Before starting this tutorial, make sure you have:</p> <ul> <li>Node.js 18.18 or later installed</li> <li>A Kinde account — free at <a href="https://kinde.com" rel="noopener noreferrer">kinde.com</a>, no credit card required</li> <li>Familiarity with Next.js App Router fundamentals</li> <li>Basic knowledge of TypeScript</li> </ul> <h2> What Is RBAC and Why Does It Belong in Auth? </h2> <p>Role-Based Access Control (RBAC) is the mechanism that decides what authenticated users are allowed to do. Authentication answers "who are you?" — RBAC answers "what can you do?"</p> <p>The wrong place to implement RBAC is your database. Many teams check a <code>role</code> column on the user record mid-request, which means a round-trip to the database every time your application needs to make an access decision. That is slow, adds complexity, and couples your permission logic to your data layer.</p> <p>The right place is your auth token. When a user logs in, Kinde issues a JWT that includes their roles and the exact permissions those roles grant. Your application reads from the token. No extra database query. No round-trip. The permission answer is cryptographically included at the start of every authenticated request.</p> <p>This is what makes Kinde's RBAC model a natural fit for Next.js 16's Server Components architecture — every Server Component can check permissions synchronously from the session without adding a waterfall of database queries.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcg3stcjj0uid1kmys719.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcg3stcjj0uid1kmys719.png" alt="Two paths side by side. LEFT " width="800" height="496"></a></p> <h2> How Kinde's RBAC Model Works </h2> <p>Kinde structures access control in three layers that are worth understanding before you write any code:</p> <p><strong>Permissions</strong> are the granular capabilities your application checks: <code>posts:create</code>, <code>posts:delete</code>, <code>users:manage</code>, <code>billing:view</code>. You define these in the Kinde dashboard. They are the atoms of your access system — every access decision in your code should reference a permission key, not a role name.</p> <p><strong>Roles</strong> are named bundles of permissions. <code>admin</code>, <code>editor</code>, <code>viewer</code> are roles. You define roles and attach permissions to them in Kinde. Roles exist so you can assign a coherent set of capabilities to a user in one operation.</p> <p><strong>Users</strong> are assigned roles. When a user logs in, their JWT token contains both their roles and the expanded set of permissions those roles grant. Your code checks permissions — the role is just the management abstraction that groups them.</p> <p>The access check in your Next.js components is always <code>getPermission("posts:create")</code>, never <code>getRole() === "admin"</code>. This decoupling means you can restructure your roles in the Kinde dashboard without touching a line of application code.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvae7n634f6b33pssc4ja.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvae7n634f6b33pssc4ja.png" alt="Three-layer pyramid — Permissions (base, many small blocks: posts:create, posts:delete, users:manage, billing:view), Roles (middle: admin has all permissions, editor has posts:create + posts:delete, viewer has none), Users (top: Alice assigned admin, Bob assigned editor). Arrow from " width="800" height="533"></a></p> <h2> What's New in Next.js 16 That Affects This Tutorial </h2> <p>Next.js 16 introduced <code>proxy.ts</code> as the new file for handling network boundary logic, replacing <code>middleware.ts</code> for most use cases. The <code>middleware.ts</code> file is deprecated in 16 and will be removed in a future version.</p> <p>For RBAC, this matters in one specific way: <code>proxy.ts</code> runs before any route in your application and is where you redirect unauthenticated users. The Kinde <code>withAuth</code> helper plugs into this file just as cleanly as it did into <code>middleware.ts</code>.</p> <p>Next.js 16 also stabilised the React Compiler, which automatically memoises components. You do not need to manually wrap permission-checking components in <code>useMemo</code> or <code>memo</code> — the compiler handles it.</p> <p>One important note about <code>use cache</code> in Next.js 16: do not cache pages or components that render based on user-specific permission data. Cached outputs are shared across users. The code in this tutorial keeps permission-sensitive components outside of <code>use cache</code> boundaries.</p> <h2> Step #1: Create a Next.js 16 Project </h2> <p>Start a fresh Next.js 16.2 project with the App Router and TypeScript:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx create-next-app@latest my-rbac-app <span class="se">\</span> <span class="nt">--typescript</span> <span class="se">\</span> <span class="nt">--app</span> <span class="se">\</span> <span class="nt">--tailwind</span> <span class="se">\</span> <span class="nt">--src-dir</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3cqwkdwhrezz254cffgv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3cqwkdwhrezz254cffgv.png" alt="Terminal output of raw `create-next-app` endraw completing successfully, showing the project structure being created" width="800" height="605"></a></p> <p>Navigate into the project directory and install the Kinde Next.js SDK:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>my-rbac-app npm <span class="nb">install</span> @kinde-oss/kinde-auth-nextjs </code></pre> </div> <h2> Step #2: Configure Kinde and Set Environment Variables </h2> <p>In your Kinde dashboard, navigate to <strong>Settings</strong> → <strong>Applications</strong> → <strong>Add application</strong> and select <strong>Back-end web</strong>. Give it a name like <code>My Next.js 16 App</code>. Once created, open the application details and copy the following values:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiatwuyykg0f3ex61wdi2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiatwuyykg0f3ex61wdi2.png" alt="Kinde dashboard Settings &gt; Applications showing an application with " width="800" height="502"></a></p> <p>Create a <code>.env.local</code> file in the root of your project:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Kinde application credentials</span> <span class="nv">KINDE_CLIENT_ID</span><span class="o">=</span>your_kinde_client_id <span class="nv">KINDE_CLIENT_SECRET</span><span class="o">=</span>your_kinde_client_secret <span class="nv">KINDE_ISSUER_URL</span><span class="o">=</span>https://your-subdomain.kinde.com <span class="c"># Application URLs</span> <span class="nv">KINDE_SITE_URL</span><span class="o">=</span>http://localhost:3000 <span class="nv">KINDE_POST_LOGOUT_REDIRECT_URL</span><span class="o">=</span>http://localhost:3000 <span class="nv">KINDE_POST_LOGIN_REDIRECT_URL</span><span class="o">=</span>http://localhost:3000/dashboard </code></pre> </div> <p>Replace <code>your_kinde_client_id</code>, <code>your_kinde_client_secret</code>, and <code>your-subdomain</code> with the values from your Kinde dashboard. The <code>KINDE_ISSUER_URL</code> is your Kinde domain, typically <code>https://yourappname.kinde.com</code>.</p> <p>Next, add the callback URLs in Kinde. Still in your application's settings, find the <strong>Callback URLs</strong> section and add:</p> <ul> <li> <strong>Allowed callback URLs</strong>: <code>http://localhost:3000/api/auth/kinde_callback</code> </li> <li> <strong>Allowed logout redirect URLs</strong>: <code>http://localhost:3000</code> </li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw6xqt5pmw5dofytf2s3h.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw6xqt5pmw5dofytf2s3h.png" alt="Kinde application settings showing the Callback URLs section with the localhost callback URL and logout redirect URL filled in" width="800" height="502"></a></p> <h2> Step #3: Set Up the Auth Route Handler </h2> <p>Create the Kinde auth handler at <code>app/api/auth/[kindeAuth]/route.ts</code>. This single file handles all of Kinde's auth endpoints — login, logout, register, and the callback:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/auth/[kindeAuth]/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">handleAuth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">GET</span> <span class="o">=</span> <span class="nf">handleAuth</span><span class="p">();</span> </code></pre> </div> <p>That is the entire auth route. Kinde handles the OAuth flow, token exchange, session management, and redirect logic. Your application does not need to implement any of this.</p> <h2> Step #4: Wrap the Root Layout with KindeProvider </h2> <p>Open <code>app/layout.tsx</code> and wrap the children with <code>KindeProvider</code>. This is a server component — import from the server path, not the client path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// layout.ts</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">Metadata</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Geist</span><span class="p">,</span> <span class="nx">Geist_Mono</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/font/google</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="dl">"</span><span class="s2">./globals.css</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">geistSans</span> <span class="o">=</span> <span class="nc">Geist</span><span class="p">({</span> <span class="na">variable</span><span class="p">:</span> <span class="dl">"</span><span class="s2">--font-geist-sans</span><span class="dl">"</span><span class="p">,</span> <span class="na">subsets</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">latin</span><span class="dl">"</span><span class="p">],</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">geistMono</span> <span class="o">=</span> <span class="nc">Geist_Mono</span><span class="p">({</span> <span class="na">variable</span><span class="p">:</span> <span class="dl">"</span><span class="s2">--font-geist-mono</span><span class="dl">"</span><span class="p">,</span> <span class="na">subsets</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">latin</span><span class="dl">"</span><span class="p">],</span> <span class="p">});</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">metadata</span><span class="p">:</span> <span class="nx">Metadata</span> <span class="o">=</span> <span class="p">{</span> <span class="na">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">My RBAC App</span><span class="dl">"</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Built with Next.js 16 and Kinde</span><span class="dl">"</span><span class="p">,</span> <span class="p">};</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">RootLayout</span><span class="p">({</span> <span class="nx">children</span><span class="p">,</span> <span class="p">}:</span> <span class="nb">Readonly</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">children</span><span class="p">:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">ReactNode</span><span class="p">;</span> <span class="p">}</span><span class="o">&gt;</span><span class="p">)</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">html</span> <span class="nx">lang</span><span class="o">=</span><span class="dl">"</span><span class="s2">en</span><span class="dl">"</span> <span class="nx">className</span><span class="o">=</span><span class="p">{</span><span class="s2">`</span><span class="p">${</span><span class="nx">geistSans</span><span class="p">.</span><span class="nx">variable</span><span class="p">}</span><span class="s2"> </span><span class="p">${</span><span class="nx">geistMono</span><span class="p">.</span><span class="nx">variable</span><span class="p">}</span><span class="s2"> h-full antialiased`</span><span class="p">}</span> <span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">body</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">min-h-full flex flex-col</span><span class="dl">"</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">children</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/body</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/html</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> Step #5: Protect Routes Using proxy.ts </h2> <p>In Next.js 16, <code>proxy.ts</code> is the new file for network boundary logic. The <code>middleware.ts</code> file is deprecated — use <code>proxy.ts</code> instead for new projects.</p> <p>Create <code>proxy.ts</code> in your project root (at the same level as <code>app</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// proxy.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">withAuth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/middleware</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">NextRequest</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">withAuth</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">/dashboard/:path*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">/admin/:path*</span><span class="dl">"</span><span class="p">],</span> <span class="p">};</span> </code></pre> </div> <p>Note: If you have an existing project using <code>middleware.ts</code>, it continues to work in Next.js 16 for Edge runtime use cases. But for new projects, <code>proxy.ts</code> is the correct file. The <code>withAuth</code> import path and usage are identical between the two.</p> <p>Any unauthenticated user who tries to reach a matched route is automatically redirected to Kinde's login page. Once they authenticate, Kinde redirects them back to the page they originally requested.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fumzoemusc6szkzzf34md.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fumzoemusc6szkzzf34md.png" alt="Browser showing an unauthenticated user being redirected to the Kinde login page when they try to access /dashboard directly. The Kinde login UI is visible with the email OTP input field" width="800" height="483"></a></p> <h2> Step #6: Define Roles and Permissions in Kinde </h2> <p>Before writing any permission-checking code, set up your roles and permissions in the Kinde dashboard.</p> <p>Navigate to <strong>Roles &amp; Permissions</strong> → <strong>Permissions</strong> → <strong>Add permission</strong>. Create each permission with a <code>resource:action</code> naming convention:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3jn97y4avimzalezx18n.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3jn97y4avimzalezx18n.png" alt="Kinde Roles &amp; Permissions &gt; Permissions page showing a list of permissions: posts:create, posts:update, posts:delete, posts:publish, users:view, users:manage. Each has its key visible" width="800" height="502"></a></p> <p>For this tutorial, create these permissions:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Key</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>posts:create</code></td> <td>Create new posts</td> </tr> <tr> <td><code>posts:update</code></td> <td>Edit existing posts</td> </tr> <tr> <td><code>posts:delete</code></td> <td>Delete posts permanently</td> </tr> <tr> <td><code>posts:publish</code></td> <td>Publish or unpublish posts</td> </tr> <tr> <td><code>users:view</code></td> <td>View the user list</td> </tr> <tr> <td><code>users:manage</code></td> <td>Edit user details and roles</td> </tr> </tbody> </table></div> <p>Now navigate to <strong>Roles &amp; Permissions</strong> → <strong>Roles</strong> → <strong>Add role</strong> and create three roles:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvrvyka49l33v87kqp5do.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvrvyka49l33v87kqp5do.png" alt="Kinde Roles &amp; Permissions &gt; Roles page showing three roles: Admin (key: admin), Editor (key: editor), Viewer (key: viewer" width="800" height="502"></a></p> <p>Assign permissions to each role:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Permission</th> <th>Admin</th> <th>Editor</th> <th>Viewer</th> </tr> </thead> <tbody> <tr> <td><code>posts:create</code></td> <td>✓</td> <td>✓</td> <td></td> </tr> <tr> <td><code>posts:update</code></td> <td>✓</td> <td>✓</td> <td></td> </tr> <tr> <td><code>posts:delete</code></td> <td>✓</td> <td></td> <td></td> </tr> <tr> <td><code>posts:publish</code></td> <td>✓</td> <td>✓</td> <td></td> </tr> <tr> <td><code>users:view</code></td> <td>✓</td> <td></td> <td></td> </tr> <tr> <td><code>users:manage</code></td> <td>✓</td> <td></td> <td></td> </tr> </tbody> </table></div> <p>Assign a role to your own user for testing. Navigate to <strong>Users</strong> → select your user → <strong>Roles</strong> → assign <code>admin</code>. You will test the other roles by reassigning later.</p> <p>Terrific! The permission model is ready. Time to use it in code.</p> <h2> Step #7: Check Permissions in Server Components </h2> <p><code>getKindeServerSession()</code> is the main SDK helper for checking authentication state and accessing user data in Server Components. It reads directly from the server-side session — no network request, no database query.</p> <p>Create a protected dashboard page at <code>app/dashboard/page.tsx</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/dashboard/page.tsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">redirect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/navigation</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PermissionGate</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/components/PermissionGate</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">DashboardPage</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">getUser</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="nf">redirect</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/auth/login</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getUser</span><span class="p">();</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">main</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">p-8</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h1</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-2xl font-bold mb-1</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">Dashboard</span><span class="o">&lt;</span><span class="sr">/h1</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-gray-500 mb-8</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">Welcome</span> <span class="nx">back</span><span class="p">,</span> <span class="p">{</span><span class="nx">user</span><span class="p">?.</span><span class="nx">given_name</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">User</span><span class="dl">"</span><span class="p">}</span> <span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">grid grid-cols-1 gap-4 md:grid-cols-3</span><span class="dl">"</span><span class="o">&gt;</span> <span class="p">{</span><span class="cm">/* Visible to all authenticated users */</span><span class="p">}</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">rounded-lg border p-6</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h2</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">font-semibold mb-2</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">Posts</span><span class="o">&lt;</span><span class="sr">/h2</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-sm text-gray-500 mb-4</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">Manage</span> <span class="nx">your</span> <span class="nx">content</span><span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">PermissionGate</span> <span class="nx">permission</span><span class="o">=</span><span class="dl">"</span><span class="s2">posts:create</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">a</span> <span class="nx">href</span><span class="o">=</span><span class="dl">"</span><span class="s2">/dashboard/posts/new</span><span class="dl">"</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-sm font-medium text-blue-600 hover:underline</span><span class="dl">"</span> <span class="o">&gt;</span> <span class="o">+</span> <span class="nx">New</span> <span class="nx">post</span> <span class="o">&lt;</span><span class="sr">/a</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/PermissionGate</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">{</span><span class="cm">/* Only users with users:manage see this card */</span><span class="p">}</span> <span class="o">&lt;</span><span class="nx">PermissionGate</span> <span class="nx">permission</span><span class="o">=</span><span class="dl">"</span><span class="s2">users:manage</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">rounded-lg border p-6 bg-amber-50</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h2</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">font-semibold mb-2</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">Users</span><span class="o">&lt;</span><span class="sr">/h2</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-sm text-gray-500 mb-4</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">Manage</span> <span class="nx">team</span> <span class="nx">members</span> <span class="nx">and</span> <span class="nx">access</span> <span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">a</span> <span class="nx">href</span><span class="o">=</span><span class="dl">"</span><span class="s2">/admin/users</span><span class="dl">"</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-sm font-medium text-amber-700 hover:underline</span><span class="dl">"</span> <span class="o">&gt;</span> <span class="nx">View</span> <span class="nx">all</span> <span class="nx">users</span> <span class="o">&lt;</span><span class="sr">/a</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/PermissionGate</span><span class="err">&gt; </span> <span class="p">{</span><span class="cm">/* Only users with posts:delete see this card */</span><span class="p">}</span> <span class="o">&lt;</span><span class="nx">PermissionGate</span> <span class="nx">permission</span><span class="o">=</span><span class="dl">"</span><span class="s2">posts:delete</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">rounded-lg border border-red-200 p-6 bg-red-50</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h2</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">font-semibold text-red-800 mb-2</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">Content</span> <span class="nx">Management</span> <span class="o">&lt;</span><span class="sr">/h2</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-sm text-red-600 mb-4</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">Delete</span> <span class="nx">and</span> <span class="nx">bulk</span><span class="o">-</span><span class="nx">manage</span> <span class="nx">content</span> <span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">a</span> <span class="nx">href</span><span class="o">=</span><span class="dl">"</span><span class="s2">/admin/content</span><span class="dl">"</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-sm font-medium text-red-700 hover:underline</span><span class="dl">"</span> <span class="o">&gt;</span> <span class="nx">Manage</span> <span class="nx">content</span> <span class="o">&lt;</span><span class="sr">/a</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/PermissionGate</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/main</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Note: The <code>isGranted</code> property is what you check — not just whether <code>canCreatePosts</code> is truthy. <code>getPermission()</code> always returns an object; <code>isGranted</code> is <code>false</code> when the user does not have the permission rather than returning <code>null</code>. This makes the check explicit and safe.</p> <h2> Step #8: Enforce Permissions in Route Handlers </h2> <p>Client-side permission checks are for UX — they hide controls that would fail. Server-side checks in API routes are the real security gate. You need both.</p> <p>Create a protected API route at <code>app/api/protected/posts/route.ts</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/protected/posts/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextRequest</span><span class="p">,</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">getPermission</span><span class="p">,</span> <span class="nx">getUser</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="c1">// Step 1: Check authentication</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Unauthenticated. Please sign in.</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Step 2: Check the specific permission required for this action</span> <span class="kd">const</span> <span class="nx">canCreatePosts</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getPermission</span><span class="p">(</span><span class="dl">"</span><span class="s2">posts:create</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">canCreatePosts</span><span class="p">?.</span><span class="nx">isGranted</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Forbidden</span><span class="dl">"</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">You do not have permission to create posts.</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">403</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Step 3: Parse the request</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">request</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">title</span><span class="p">,</span> <span class="nx">content</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">body</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">title</span> <span class="o">||</span> <span class="o">!</span><span class="nx">content</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Title and content are required.</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">400</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Step 4: Execute the action — safe to proceed</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getUser</span><span class="p">();</span> <span class="c1">// Replace this with your actual database logic</span> <span class="kd">const</span> <span class="nx">post</span> <span class="o">=</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomUUID</span><span class="p">(),</span> <span class="nx">title</span><span class="p">,</span> <span class="nx">content</span><span class="p">,</span> <span class="na">authorId</span><span class="p">:</span> <span class="nx">user</span><span class="p">?.</span><span class="nx">id</span><span class="p">,</span> <span class="na">createdAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="p">};</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">post</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">201</span> <span class="p">});</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">DELETE</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">getPermission</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Unauthenticated.</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Delete requires a more privileged permission than create</span> <span class="kd">const</span> <span class="nx">canDeletePosts</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getPermission</span><span class="p">(</span><span class="dl">"</span><span class="s2">posts:delete</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">canDeletePosts</span><span class="p">?.</span><span class="nx">isGranted</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Forbidden</span><span class="dl">"</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">You do not have permission to delete posts.</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">403</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">searchParams</span> <span class="p">}</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">postId</span> <span class="o">=</span> <span class="nx">searchParams</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">id</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">postId</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Post ID is required.</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">400</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Your delete logic here</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">deleted</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="nx">postId</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h2> Step #9: Build a Reusable Permission Guard Component </h2> <p>Checking permissions inline in every component gets repetitive. A <code>PermissionGate</code> component keeps the pattern clean and consistent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// components/PermissionGate.tsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">PermissionGateProps</span> <span class="p">{</span> <span class="nl">permission</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">children</span><span class="p">:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">ReactNode</span><span class="p">;</span> <span class="c1">// Optional: what to show if the user lacks the permission</span> <span class="nl">fallback</span><span class="p">?:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">ReactNode</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">PermissionGate</span><span class="p">({</span> <span class="nx">permission</span><span class="p">,</span> <span class="nx">children</span><span class="p">,</span> <span class="nx">fallback</span> <span class="o">=</span> <span class="kc">null</span><span class="p">,</span> <span class="p">}:</span> <span class="nx">PermissionGateProps</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">getPermission</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getPermission</span><span class="p">(</span><span class="nx">permission</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">result</span><span class="p">?.</span><span class="nx">isGranted</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="o">&lt;&gt;</span><span class="p">{</span><span class="nx">fallback</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/&gt;</span><span class="err">; </span> <span class="p">}</span> <span class="k">return</span> <span class="o">&lt;&gt;</span><span class="p">{</span><span class="nx">children</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/&gt;</span><span class="err">; </span><span class="p">}</span> </code></pre> </div> <p>Now any Server Component in your app can use it cleanly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/dashboard/posts/page.tsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">redirect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/navigation</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PermissionGate</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/components/PermissionGate</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">PostsPage</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="p">{</span> <span class="nf">redirect</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/auth/login</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">main</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">p-8</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">flex items-center justify-between mb-8</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h1</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-2xl font-bold</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">Posts</span><span class="o">&lt;</span><span class="sr">/h1</span><span class="err">&gt; </span> <span class="p">{</span><span class="cm">/* Only users with posts:create see this button */</span><span class="p">}</span> <span class="o">&lt;</span><span class="nx">PermissionGate</span> <span class="nx">permission</span><span class="o">=</span><span class="dl">"</span><span class="s2">posts:create</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">a</span> <span class="nx">href</span><span class="o">=</span><span class="dl">"</span><span class="s2">/dashboard/posts/new</span><span class="dl">"</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">rounded-md bg-blue-600 px-4 py-2 text-sm font-medium text-white hover:bg-blue-700</span><span class="dl">"</span> <span class="o">&gt;</span> <span class="nx">New</span> <span class="nx">post</span> <span class="o">&lt;</span><span class="sr">/a</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/PermissionGate</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">{</span><span class="cm">/* Post list visible to everyone */</span><span class="p">}</span> <span class="o">&lt;</span><span class="nx">PostList</span> <span class="o">/&gt;</span> <span class="p">{</span><span class="cm">/* Bulk delete only for users with posts:delete */</span><span class="p">}</span> <span class="o">&lt;</span><span class="nx">PermissionGate</span> <span class="nx">permission</span><span class="o">=</span><span class="dl">"</span><span class="s2">posts:delete</span><span class="dl">"</span> <span class="nx">fallback</span><span class="o">=</span><span class="p">{</span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">mt-8 text-sm text-gray-400</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">You</span> <span class="nx">have</span> <span class="nx">view</span><span class="o">-</span><span class="nx">only</span> <span class="nx">access</span> <span class="nx">to</span> <span class="k">this</span> <span class="nx">section</span><span class="p">.</span> <span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="p">}</span> <span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">BulkDeleteControls</span> <span class="o">/&gt;</span> <span class="o">&lt;</span><span class="sr">/PermissionGate</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/main</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Placeholder components — replace with your real implementations</span> <span class="kd">function</span> <span class="nf">PostList</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">space-y-4</span><span class="dl">"</span><span class="o">&gt;</span><span class="p">{</span><span class="cm">/* Post items */</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/div&gt;</span><span class="err">; </span><span class="p">}</span> <span class="kd">function</span> <span class="nf">BulkDeleteControls</span><span class="p">()</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">mt-8 rounded-lg border border-red-200 p-4</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-sm font-medium text-red-700</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">Bulk</span> <span class="nx">actions</span><span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Wonderful! <code>PermissionGate</code> works as a clean wrapper everywhere. No repeated <code>getPermission</code> calls spread across components — just one consistent primitive.</p> <h2> Step #10: Add Sign In and Sign Out </h2> <p>With protection and permissions in place, add the authentication links. Kinde provides <code>LoginLink</code>, <code>RegisterLink</code>, and <code>LogoutLink</code> components that generate the correct Kinde auth URLs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/page.tsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">LoginLink</span><span class="p">,</span> <span class="nx">RegisterLink</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/components</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">redirect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/navigation</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">Home</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="c1">// If already authenticated, send to dashboard</span> <span class="k">if </span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">())</span> <span class="p">{</span> <span class="nf">redirect</span><span class="p">(</span><span class="dl">"</span><span class="s2">/dashboard</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">main</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">flex min-h-screen flex-col items-center justify-center p-24</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h1</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-4xl font-bold mb-4</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">My</span> <span class="nx">RBAC</span> <span class="nx">App</span><span class="o">&lt;</span><span class="sr">/h1</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-gray-500 mb-8 text-center max-w-md</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">Sign</span> <span class="k">in</span> <span class="nx">to</span> <span class="nx">access</span> <span class="nx">your</span> <span class="nx">dashboard</span><span class="p">.</span> <span class="nx">Your</span> <span class="nx">permissions</span> <span class="nx">are</span> <span class="nx">automatically</span> <span class="nx">loaded</span> <span class="k">from</span> <span class="nx">your</span> <span class="nx">role</span><span class="p">.</span> <span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">flex gap-4</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">LoginLink</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">rounded-md bg-blue-600 px-6 py-2 text-sm font-medium text-white hover:bg-blue-700</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">Sign</span> <span class="k">in</span> <span class="o">&lt;</span><span class="sr">/LoginLink</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">RegisterLink</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">rounded-md border border-gray-300 px-6 py-2 text-sm font-medium hover:bg-gray-50</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">Create</span> <span class="nx">account</span> <span class="o">&lt;</span><span class="sr">/RegisterLink</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/main</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>For sign out, create a simple server action or use the <code>LogoutLink</code> component anywhere in your authenticated layout:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/dashboard/layout.tsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">LogoutLink</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/components</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">redirect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/navigation</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">DashboardLayout</span><span class="p">({</span> <span class="nx">children</span><span class="p">,</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">children</span><span class="p">:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">ReactNode</span><span class="p">;</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">getUser</span><span class="p">,</span> <span class="nx">getRoles</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="p">{</span> <span class="nf">redirect</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/auth/login</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getUser</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">roles</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getRoles</span><span class="p">();</span> <span class="c1">// Show the first role for display purposes</span> <span class="c1">// Your app might show this differently</span> <span class="kd">const</span> <span class="nx">displayRole</span> <span class="o">=</span> <span class="nx">roles</span><span class="p">?.[</span><span class="mi">0</span><span class="p">]?.</span><span class="nx">name</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">User</span><span class="dl">"</span><span class="p">;</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">min-h-screen bg-gray-50</span><span class="dl">"</span><span class="o">&gt;</span> <span class="p">{</span><span class="cm">/* Navigation bar */</span><span class="p">}</span> <span class="o">&lt;</span><span class="nx">nav</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">border-b bg-white px-6 py-4</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">flex items-center justify-between</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">span</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">font-semibold</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">My</span> <span class="nx">RBAC</span> <span class="nx">App</span><span class="o">&lt;</span><span class="sr">/span</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">flex items-center gap-4</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">span</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-sm text-gray-600</span><span class="dl">"</span><span class="o">&gt;</span> <span class="p">{</span><span class="nx">user</span><span class="p">?.</span><span class="nx">email</span><span class="p">}</span> <span class="o">&lt;</span><span class="sr">/span</span><span class="err">&gt; </span> <span class="p">{</span><span class="cm">/* Role badge — for display only, never for access control */</span><span class="p">}</span> <span class="o">&lt;</span><span class="nx">span</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">rounded-full bg-blue-100 px-3 py-1 text-xs font-medium text-blue-800</span><span class="dl">"</span><span class="o">&gt;</span> <span class="p">{</span><span class="nx">displayRole</span><span class="p">}</span> <span class="o">&lt;</span><span class="sr">/span</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">LogoutLink</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-sm text-gray-600 hover:text-gray-900</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">Sign</span> <span class="nx">out</span> <span class="o">&lt;</span><span class="sr">/LogoutLink</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/nav</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">main</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">children</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/main</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Note: The role badge in the nav is display-only. It tells the user what their role is, which is good UX. But your access decisions in code never read this display value — they always call <code>getPermission("permission:key")</code>.</p> <h2> Putting It All Together </h2> <p>Here is the complete file structure for the RBAC setup you have just built:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>my-rbac-app/ ├── app/ │ ├── api/ │ │ └── auth/ │ │ └── [kindeAuth]/ │ │ └── route.ts ← Kinde auth handler │ │ └── protected/ │ │ └── posts/ │ │ └── route.ts ← Permission-checked API route │ ├── dashboard/ │ │ ├── layout.tsx ← Nav with user/role display │ │ ├── page.tsx ← Permission-based UI │ │ └── posts/ │ │ └── page.tsx ← Uses PermissionGate │ ├── admin/ │ │ └── users/ │ │ └── page.tsx ← Admin-only page │ ├── layout.tsx ← KindeProvider wrapper │ └── page.tsx ← Login / register landing ├── components/ │ └── PermissionGate.tsx ← Reusable permission guard ├── proxy.ts ← Next.js 16 route protection └── .env.local ← Kinde credentials </code></pre> </div> <p>The flow for every protected request:</p> <p><strong>Step 1:</strong> <code>proxy.ts</code> intercepts the request. If the route matches the matcher and the user is unauthenticated, Kinde redirects to login. Authenticated users pass through.</p> <p><strong>Step 2:</strong> The Server Component or Route Handler calls <code>getKindeServerSession()</code> and reads permissions from the token. No database query.</p> <p><strong>Step 3:</strong> <code>getPermission("permission:key")</code> returns <code>{ isGranted: boolean }</code>. If <code>false</code>, the component renders the fallback or the route handler returns 403.</p> <p><strong>Step 4:</strong> The user sees exactly what their role allows them to see. The role definition lives in Kinde — change a role's permissions in the dashboard and every user with that role sees the updated access on their next session.</p> <h2> A Note on <code>use cache</code> in Next.js 16 </h2> <p>Next.js 16 introduces <code>use cache</code> as a new opt-in caching primitive. You can add it to pages, components, and functions to cache their output.</p> <p>Do not add <code>use cache</code> to any page or component that renders based on the authenticated user's permissions. Cached outputs are stored and reused across requests — if you cache a dashboard page that shows admin controls for one user, the next user to hit that route may see the cached admin UI regardless of their actual permissions.</p> <p>Keep permission-checked components and pages entirely outside <code>use cache</code> boundaries. If you need to cache parts of a permission-protected page, use React's <code>Suspense</code> to split the cacheable sections from the permission-gated sections:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ✓ Correct: cache the public section, NOT the permission-gated section</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">PostsPage</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="nf">redirect</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/auth/login</span><span class="dl">"</span><span class="p">);</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">main</span><span class="o">&gt;</span> <span class="p">{</span><span class="cm">/* This section is the same for all authenticated users — safe to cache */</span><span class="p">}</span> <span class="o">&lt;</span><span class="nx">Suspense</span> <span class="nx">fallback</span><span class="o">=</span><span class="p">{</span><span class="o">&lt;</span><span class="nx">p</span><span class="o">&gt;</span><span class="nx">Loading</span> <span class="nx">posts</span><span class="p">...</span><span class="o">&lt;</span><span class="sr">/p&gt;}</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">PublicPostList</span> <span class="o">/&gt;</span> <span class="p">{</span><span class="cm">/* Has "use cache" inside */</span><span class="p">}</span> <span class="o">&lt;</span><span class="sr">/Suspense</span><span class="err">&gt; </span> <span class="p">{</span><span class="cm">/* This section is specific to the user's permissions — never cache */</span><span class="p">}</span> <span class="o">&lt;</span><span class="nx">PermissionGate</span> <span class="nx">permission</span><span class="o">=</span><span class="dl">"</span><span class="s2">posts:delete</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">BulkDeleteControls</span> <span class="o">/&gt;</span> <span class="o">&lt;</span><span class="sr">/PermissionGate</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/main</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> Testing Your RBAC Implementation </h2> <p>Verify your setup by testing these scenarios:</p> <p><strong>Test 1 — Unauthenticated access.</strong> Open an incognito window and navigate to <code>/dashboard</code>. You should be redirected to the Kinde login page.</p> <p><strong>Test 2 — Role-based UI.</strong> Log in as your admin user. Confirm the Users card and bulk delete controls are visible. Navigate to <strong>Users</strong> in Kinde, change your role to <code>editor</code>, and refresh. The Users card and delete controls should disappear.</p> <p><strong>Test 3 — API enforcement.</strong> Using a REST client like Postman or curl, send a <code>DELETE</code> request to <code>/api/protected/posts?id=123</code> without an authenticated session. You should receive a 401. Log in with an editor-role user and try again — you should receive a 403, because editors have <code>posts:create</code> and <code>posts:update</code> but not <code>posts:delete</code>.</p> <p><strong>Test 4 — Permission updates.</strong> In Kinde, add the <code>users:view</code> permission to the <code>editor</code> role. Refresh the page while logged in as an editor — the Users section should now appear, with no code change on your part.</p> <h2> Conclusion </h2> <p>In this article, you built a complete RBAC system for a Next.js 16.2 application using Kinde. You used <code>proxy.ts</code> — the new Next.js 16 network boundary file — for route protection, <code>getKindeServerSession()</code> for server-side permission reads, <code>getPermission()</code> for granular access checks, and a reusable <code>PermissionGate</code> component for clean conditional rendering.</p> <p>The most important thing you built is not the code — it is the separation. Roles and permissions live in Kinde. Code checks permissions. The two halves are cleanly decoupled. When your product evolves and you need to add a new role or change what an editor can do, you change a configuration in the Kinde dashboard. Your Next.js application does not need to be redeployed.</p> <p>Kinde is free for up to 10,500 monthly active users, no credit card required. Get started at <a href="https://kinde.com" rel="noopener noreferrer">kinde.com</a>.</p> kinde webdev programming tutorial Shola Jegede Sun, 22 Mar 2026 00:42:57 +0000 https://forem.com/sholajegede/how-to-scope-permissions-per-tenant-in-a-multi-tenant-app-27dj https://forem.com/sholajegede/how-to-scope-permissions-per-tenant-in-a-multi-tenant-app-27dj <p><em>The same user, Sarah, is an admin at Acme Corp and a read-only viewer at Startup Inc. She should see completely different things in the same product depending on which tenant she is operating in. Here is how to build that correctly.</em></p> <p>In this article, you will learn:</p> <ul> <li>What "per-tenant permissions" actually means and why it is different from global RBAC</li> <li>How Kinde models multi-tenancy with organizations, and how tenant context flows into every token</li> <li>How to define roles and permissions in Kinde that scope per organization</li> <li>How to read tenant-scoped permissions from the Kinde token in a Next.js API route</li> <li>How to build a reusable permission guard that you can drop into any route</li> <li>How to gate UI components in React based on the current tenant's permissions</li> <li>How to isolate data at the database query level using the org code from the token</li> <li>How to handle the user-switching-tenants scenario correctly</li> <li>The two most common multi-tenant permission bugs and how to avoid them</li> </ul> <p>Let's dive in!</p> <h2> The Problem With Global Permissions </h2> <p>Most developers reach for a simple RBAC model first: define some roles globally, assign users to roles, check roles in your code. Admin can do everything, member can do some things, viewer can only read.</p> <p>This works fine for single-tenant apps. It falls apart the moment one user belongs to more than one tenant.</p> <p>Consider Sarah. She joined Acme Corp as an admin — she manages billing, invites colleagues, and deletes stale projects. She was also invited to Startup Inc as an outside consultant — read-only access, she can view reports but touch nothing.</p> <p>In a global RBAC model, you cannot express this. Sarah has one set of roles in your system. If she is an admin, she is an admin everywhere. If you restrict her globally to viewer, she loses the ability to manage Acme Corp.</p> <p>The correct model is tenant-scoped permissions: Sarah's role and permissions are defined per organization. When she logs into Acme Corp, her token says admin with full permissions. When she logs into Startup Inc, the same user's token says viewer with read-only permissions. Same user identity, completely different permission set, determined by which tenant context she authenticated into.</p> <p>This is exactly how Kinde handles multi-tenancy, and it is the right mental model for any B2B SaaS product.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjzisxw6yxvrwtjmq7var.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjzisxw6yxvrwtjmq7var.png" alt="User " width="793" height="1004"></a></p> <h2> How Kinde Models This </h2> <p>In <a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=10&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde</a>, every customer of your SaaS product is an <strong>organization</strong>. Acme Corp is one org. Startup Inc is another. Each has its own isolated context — its own members, its own roles assigned to those members, its own feature flags, and optionally its own auth settings.</p> <p>When a user logs in, they authenticate within an organization context. Kinde issues a JWT access token that includes the <code>org_code</code> — the unique identifier for the tenant they are currently operating in. Every permission, every role, every feature flag in that token is scoped to that specific organization.</p> <p>The token for Sarah logged into Acme Corp looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"kp_123abc"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sarah@example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"org_code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"org_acme_corp"</span><span class="p">,</span><span class="w"> </span><span class="nl">"roles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"rol_001"</span><span class="p">,</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Admin"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"permissions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"projects:create"</span><span class="p">,</span><span class="w"> </span><span class="s2">"projects:read"</span><span class="p">,</span><span class="w"> </span><span class="s2">"projects:delete"</span><span class="p">,</span><span class="w"> </span><span class="s2">"billing:manage"</span><span class="p">,</span><span class="w"> </span><span class="s2">"members:invite"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://yourapp.kinde.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1740000000</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The same Sarah logged into Startup Inc gets a new token:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"kp_123abc"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sarah@example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"org_code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"org_startup_inc"</span><span class="p">,</span><span class="w"> </span><span class="nl">"roles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"rol_003"</span><span class="p">,</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"viewer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Viewer"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"permissions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"projects:read"</span><span class="p">,</span><span class="w"> </span><span class="s2">"reports:read"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://yourapp.kinde.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1740000000</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Same <code>sub</code>. Different <code>org_code</code>, <code>roles</code>, and <code>permissions</code>. Your application reads these claims and enforces them. Kinde's job is to put the right claims into each token based on what role the user holds in each specific org.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9j2mxbv233scr7ttenc5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9j2mxbv233scr7ttenc5.png" alt="Two JWTs side by side, both showing " width="800" height="472"></a></p> <h2> Step #1: Define Roles and Permissions in Kinde </h2> <p>Before writing a single line of application code, configure the roles and permissions that express your access model in the Kinde dashboard.</p> <h3> Defining permissions </h3> <p>Navigate to <strong>Roles &amp; Permissions</strong> → <strong>Permissions</strong> → <strong>Add permission</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8iaivk2zosgybepundn4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8iaivk2zosgybepundn4.png" alt="Kinde dashboard Roles &amp; Permissions &gt; Permissions page showing a list of defined permissions with columns for key and description." width="800" height="501"></a></p> <p>Create one permission per discrete action in your product. The <code>resource:action</code> naming pattern keeps permissions readable as your product grows:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Permission key</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>projects:create</code></td> <td>Create new projects</td> </tr> <tr> <td><code>projects:read</code></td> <td>View projects and details</td> </tr> <tr> <td><code>projects:delete</code></td> <td>Permanently delete projects</td> </tr> <tr> <td><code>members:invite</code></td> <td>Invite new members to the organization</td> </tr> <tr> <td><code>members:remove</code></td> <td>Remove members from the organization</td> </tr> <tr> <td><code>billing:manage</code></td> <td>Manage subscription and billing</td> </tr> <tr> <td><code>reports:read</code></td> <td>View analytics and reports</td> </tr> <tr> <td><code>reports:export</code></td> <td>Export report data</td> </tr> </tbody> </table></div> <p>Note: Permission keys must be defined centrally in Kinde before they can appear in any token. A permission that is not defined will never show up in the <code>permissions</code> array, regardless of what roles you assign.</p> <h3> Defining roles </h3> <p>Navigate to <strong>Roles &amp; Permissions</strong> → <strong>Roles</strong> → <strong>Add role</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbrlg272n95yvrk9e2j71.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbrlg272n95yvrk9e2j71.png" alt="Kinde dashboard Roles page showing three roles: Admin (description: " width="800" height="501"></a></p> <p>For the project management example, three roles cover most B2B SaaS access models:</p> <p><strong>Admin:</strong> <code>projects:create</code>, <code>projects:read</code>, <code>projects:delete</code>, <code>members:invite</code>, <code>members:remove</code>, <code>billing:manage</code>, <code>reports:read</code>, <code>reports:export</code></p> <p><strong>Member:</strong> <code>projects:create</code>, <code>projects:read</code>, <code>reports:read</code></p> <p><strong>Viewer:</strong> <code>projects:read</code>, <code>reports:read</code></p> <p>These role-to-permission mappings are what Kinde resolves when building the <code>permissions</code> array in the user's token. Assign a user the <code>admin</code> role within a specific org, and every permission attached to that role flows into their token for that org.</p> <h3> Assigning roles per organization </h3> <p>When a user joins an organization, they are assigned a role for that organization specifically. Navigate to an organization in Kinde → <strong>Members</strong> → select a member → assign their role.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fip7atcktmve98zkf0sjt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fip7atcktmve98zkf0sjt.png" alt="Kinde dashboard showing an organization's member list with three members: Alice (Admin badge), Bob (Member badge), Sarah (Viewer badge)." width="800" height="501"></a></p> <p>This is the per-tenant scoping in action. Sarah's role in this specific organization is Viewer. Navigate to a different organization, find Sarah there, and she might have a completely different role assignment.</p> <p>Terrific! Kinde is configured. Time to use these permissions in the application.</p> <h2> Step #2: Read Tenant-Scoped Permissions in a Next.js API Route </h2> <p>With the Kinde Next.js SDK installed and configured, reading tenant-scoped permissions server-side requires one import.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/projects/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">GET</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">getOrganization</span><span class="p">,</span> <span class="nx">getPermissions</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="c1">// Step 1: Confirm the user is authenticated</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Unauthorized</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Step 2: Get the current tenant context from the token</span> <span class="c1">// org_code is the tenant identifier — comes from the signed JWT, not the request</span> <span class="kd">const</span> <span class="nx">org</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getOrganization</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">org</span><span class="p">?.</span><span class="nx">orgCode</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">No organization context</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">403</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Step 3: Get this user's permissions for this specific org</span> <span class="c1">// getPermissions() returns { permissions: string[], orgCode: string }</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">permissions</span><span class="p">,</span> <span class="nx">orgCode</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getPermissions</span><span class="p">();</span> <span class="c1">// Step 4: Check the required permission</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">permissions</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">"</span><span class="s2">projects:read</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">You do not have permission to view projects</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">403</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Step 5: Fetch data scoped to this tenant</span> <span class="c1">// ALWAYS use org.orgCode from the token — never a client-supplied tenant ID</span> <span class="kd">const</span> <span class="nx">projects</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">projects</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">orgCode</span><span class="p">:</span> <span class="nx">org</span><span class="p">.</span><span class="nx">orgCode</span> <span class="p">},</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">projects</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>Two things to pay attention to here.</p> <p><code>getPermissions()</code> returns both the <code>permissions</code> array and the <code>orgCode</code> — confirming which org these permissions apply to. This is useful for logging and debugging: if a permission check fails unexpectedly, you can verify the org context is what you expected.</p> <p>The database query filters by <code>org.orgCode</code> from the token, not a tenant ID from the request body or query string. The org code in the JWT is cryptographically signed — a client-supplied value is not. This is the fundamental data isolation guarantee of the multi-tenant model.</p> <h2> Step #3: Build a Reusable Permission Guard </h2> <p>Repeating the same auth and permission check logic in every route is tedious and error-prone. Extract it into a single reusable guard function.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/permissions.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getKindeServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// Enumerate all permissions in one place — catches typos at compile time</span> <span class="kd">type</span> <span class="nx">Permission</span> <span class="o">=</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">projects:create</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">projects:read</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">projects:delete</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">members:invite</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">members:remove</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">billing:manage</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">reports:read</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">reports:export</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// What a successful auth context looks like</span> <span class="kr">interface</span> <span class="nx">AuthContext</span> <span class="p">{</span> <span class="nl">userId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">orgCode</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">permissions</span><span class="p">:</span> <span class="nx">Permission</span><span class="p">[];</span> <span class="p">}</span> <span class="cm">/** * Checks authentication, org context, and required permissions. * Returns AuthContext on success, NextResponse error on failure. * * Usage: * const auth = await requirePermission("projects:read"); * if (auth instanceof NextResponse) return auth; * // auth.orgCode and auth.permissions are now available */</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">requirePermission</span><span class="p">(</span> <span class="p">...</span><span class="nx">required</span><span class="p">:</span> <span class="nx">Permission</span><span class="p">[]</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">AuthContext</span> <span class="o">|</span> <span class="nx">NextResponse</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">getOrganization</span><span class="p">,</span> <span class="nx">getPermissions</span><span class="p">,</span> <span class="nx">getUser</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">getKindeServerSession</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nf">isAuthenticated</span><span class="p">()))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Unauthorized</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">user</span><span class="p">,</span> <span class="nx">org</span><span class="p">,</span> <span class="p">{</span> <span class="nx">permissions</span> <span class="p">}]</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">([</span> <span class="nf">getUser</span><span class="p">(),</span> <span class="nf">getOrganization</span><span class="p">(),</span> <span class="nf">getPermissions</span><span class="p">(),</span> <span class="p">]);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">org</span><span class="p">?.</span><span class="nx">orgCode</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">No organization context — authenticate within an organization</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">403</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">hasPermission</span> <span class="o">=</span> <span class="nx">required</span><span class="p">.</span><span class="nf">some</span><span class="p">((</span><span class="nx">perm</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">(</span><span class="nx">permissions</span> <span class="k">as</span> <span class="kr">string</span><span class="p">[]).</span><span class="nf">includes</span><span class="p">(</span><span class="nx">perm</span><span class="p">)</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">hasPermission</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Insufficient permissions</span><span class="dl">"</span><span class="p">,</span> <span class="nx">required</span><span class="p">,</span> <span class="na">granted</span><span class="p">:</span> <span class="nx">permissions</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">403</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">?.</span><span class="nx">id</span> <span class="o">??</span> <span class="dl">""</span><span class="p">,</span> <span class="na">orgCode</span><span class="p">:</span> <span class="nx">org</span><span class="p">.</span><span class="nx">orgCode</span><span class="p">,</span> <span class="na">permissions</span><span class="p">:</span> <span class="nx">permissions</span> <span class="k">as</span> <span class="nx">Permission</span><span class="p">[],</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>Every protected API route now becomes a clean two-step: check permissions, run logic.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/projects/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">requirePermission</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/lib/permissions</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// GET — requires projects:read</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">GET</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">auth</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">requirePermission</span><span class="p">(</span><span class="dl">"</span><span class="s2">projects:read</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">auth</span> <span class="k">instanceof</span> <span class="nx">NextResponse</span><span class="p">)</span> <span class="k">return</span> <span class="nx">auth</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">projects</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">projects</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">orgCode</span><span class="p">:</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">orgCode</span> <span class="p">},</span> <span class="c1">// tenant-scoped</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">projects</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// POST — requires projects:create</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">Request</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">auth</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">requirePermission</span><span class="p">(</span><span class="dl">"</span><span class="s2">projects:create</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">auth</span> <span class="k">instanceof</span> <span class="nx">NextResponse</span><span class="p">)</span> <span class="k">return</span> <span class="nx">auth</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">request</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">project</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">projects</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">body</span><span class="p">,</span> <span class="na">orgCode</span><span class="p">:</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">orgCode</span><span class="p">,</span> <span class="c1">// stamp the tenant from the token</span> <span class="na">createdBy</span><span class="p">:</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">userId</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">project</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">201</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// DELETE — requires projects:delete</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">DELETE</span><span class="p">(</span> <span class="nx">_request</span><span class="p">:</span> <span class="nx">Request</span><span class="p">,</span> <span class="p">{</span> <span class="nx">params</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">params</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}</span> <span class="p">}</span> <span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">auth</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">requirePermission</span><span class="p">(</span><span class="dl">"</span><span class="s2">projects:delete</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">auth</span> <span class="k">instanceof</span> <span class="nx">NextResponse</span><span class="p">)</span> <span class="k">return</span> <span class="nx">auth</span><span class="p">;</span> <span class="c1">// orgCode in the where clause prevents cross-tenant deletion</span> <span class="c1">// Even if a wrong ID is passed, this query will not find it</span> <span class="c1">// unless it belongs to the current user's tenant</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">projects</span><span class="p">.</span><span class="k">delete</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">orgCode</span><span class="p">:</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">orgCode</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">deleted</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>The <code>orgCode</code> filter on every write and delete is the data isolation layer. It is the database-level defense that ensures even a logic bug cannot cause cross-tenant data leakage.</p> <p>Amazing!</p> <h2> Step #4: Gate UI Components by Permission </h2> <p>The API layer is the security boundary — it rejects unauthorized requests. The UI layer is the experience boundary — it hides controls the user cannot use, preventing confusion without exposing a wall of 403 errors.</p> <p>Create a client-side permission hook:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// hooks/usePermissions.ts</span> <span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useKindeBrowserClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs</span><span class="dl">"</span><span class="p">;</span> <span class="kd">type</span> <span class="nx">Permission</span> <span class="o">=</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">projects:create</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">projects:read</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">projects:delete</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">members:invite</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">members:remove</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">billing:manage</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">reports:read</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">reports:export</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">usePermissions</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">getPermission</span><span class="p">,</span> <span class="nx">getOrganization</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useKindeBrowserClient</span><span class="p">();</span> <span class="c1">// getPermission returns { isGranted: boolean, orgCode: string }</span> <span class="c1">// isGranted is org-scoped — it reflects permissions for the current org context</span> <span class="kd">const</span> <span class="nx">can</span> <span class="o">=</span> <span class="p">(</span><span class="nx">permission</span><span class="p">:</span> <span class="nx">Permission</span><span class="p">):</span> <span class="nx">boolean</span> <span class="o">=&gt;</span> <span class="nf">getPermission</span><span class="p">(</span><span class="nx">permission</span><span class="p">)?.</span><span class="nx">isGranted</span> <span class="o">??</span> <span class="kc">false</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">org</span> <span class="o">=</span> <span class="nf">getOrganization</span><span class="p">();</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">can</span><span class="p">,</span> <span class="na">orgCode</span><span class="p">:</span> <span class="nx">org</span><span class="p">?.</span><span class="nx">orgCode</span> <span class="o">??</span> <span class="kc">null</span><span class="p">,</span> <span class="na">orgName</span><span class="p">:</span> <span class="nx">org</span><span class="p">?.</span><span class="nx">name</span> <span class="o">??</span> <span class="kc">null</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>Use the hook in your components for conditional rendering:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// components/ProjectCard.tsx</span> <span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">usePermissions</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/hooks/usePermissions</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">ProjectCard</span><span class="p">({</span> <span class="nx">project</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">project</span><span class="p">:</span> <span class="nx">Project</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">can</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">usePermissions</span><span class="p">();</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"project-card"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">h3</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">project</span><span class="p">.</span><span class="nx">name</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">h3</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"project-actions"</span><span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* Members and admins can edit */</span><span class="si">}</span> <span class="si">{</span><span class="nf">can</span><span class="p">(</span><span class="dl">"</span><span class="s2">projects:create</span><span class="dl">"</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">editProject</span><span class="p">(</span><span class="nx">project</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span><span class="si">}</span><span class="p">&gt;</span>Edit<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">)</span><span class="si">}</span> <span class="si">{</span><span class="cm">/* Only admins can delete — not rendered at all for members/viewers */</span><span class="si">}</span> <span class="si">{</span><span class="nf">can</span><span class="p">(</span><span class="dl">"</span><span class="s2">projects:delete</span><span class="dl">"</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">deleteProject</span><span class="p">(</span><span class="nx">project</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span><span class="si">}</span> <span class="na">className</span><span class="p">=</span><span class="s">"destructive"</span> <span class="p">&gt;</span> Delete <span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">)</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// components/Sidebar.tsx</span> <span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">usePermissions</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/hooks/usePermissions</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">Link</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/link</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">Sidebar</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">can</span><span class="p">,</span> <span class="nx">orgName</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">usePermissions</span><span class="p">();</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">nav</span> <span class="na">className</span><span class="p">=</span><span class="s">"sidebar"</span><span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* Show current org context at the top */</span><span class="si">}</span> <span class="si">{</span><span class="nx">orgName</span> <span class="o">&amp;&amp;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"workspace-name"</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">orgName</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span><span class="si">}</span> <span class="si">{</span><span class="cm">/* Always visible to authenticated org members */</span><span class="si">}</span> <span class="p">&lt;</span><span class="nc">Link</span> <span class="na">href</span><span class="p">=</span><span class="s">"/projects"</span><span class="p">&gt;</span>Projects<span class="p">&lt;/</span><span class="nc">Link</span><span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* Only visible if user has reports:read */</span><span class="si">}</span> <span class="si">{</span><span class="nf">can</span><span class="p">(</span><span class="dl">"</span><span class="s2">reports:read</span><span class="dl">"</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="p">&lt;</span><span class="nc">Link</span> <span class="na">href</span><span class="p">=</span><span class="s">"/reports"</span><span class="p">&gt;</span>Reports<span class="p">&lt;/</span><span class="nc">Link</span><span class="p">&gt;</span><span class="si">}</span> <span class="si">{</span><span class="cm">/* Only visible if user can invite members (admin) */</span><span class="si">}</span> <span class="si">{</span><span class="nf">can</span><span class="p">(</span><span class="dl">"</span><span class="s2">members:invite</span><span class="dl">"</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="p">&lt;</span><span class="nc">Link</span> <span class="na">href</span><span class="p">=</span><span class="s">"/members"</span><span class="p">&gt;</span>Team Members<span class="p">&lt;/</span><span class="nc">Link</span><span class="p">&gt;</span><span class="si">}</span> <span class="si">{</span><span class="cm">/* Only visible if user can manage billing (admin) */</span><span class="si">}</span> <span class="si">{</span><span class="nf">can</span><span class="p">(</span><span class="dl">"</span><span class="s2">billing:manage</span><span class="dl">"</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nc">Link</span> <span class="na">href</span><span class="p">=</span><span class="s">"/settings/billing"</span><span class="p">&gt;</span>Billing<span class="p">&lt;/</span><span class="nc">Link</span><span class="p">&gt;</span> <span class="p">)</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">nav</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The same component file produces three completely different outputs<br> depending on who is logged in:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu3deocq7moytx7cvrxcy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu3deocq7moytx7cvrxcy.png" alt="Admin view — full sidebar with Projects, Reports, Team Members,&lt;br&gt; and Billing. Cards show both Edit and Delete buttons.&lt;br&gt; Badge shows Admin · Sarah Chen" width="800" height="501"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4xwvjye0hfu6m9qeuncx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4xwvjye0hfu6m9qeuncx.png" alt="Member view — sidebar shows Projects and Reports only.&lt;br&gt; Cards show Edit button only, no Delete.&lt;br&gt; Badge shows Member · Sarah Chen" width="800" height="501"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F51bzevuawixfug14u15m.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F51bzevuawixfug14u15m.png" alt="Viewer view — sidebar shows Projects only.&lt;br&gt; Cards show No actions available — no buttons at all.&lt;br&gt; Badge shows Viewer · Sarah Chen" width="800" height="501"></a></p> <p>Note: Conditional rendering hides controls but does not enforce access. A user can still call API routes directly with tools like curl. The <code>requirePermission</code> guard in the API layer is what enforces authorization — the UI gate is for experience, not security.</p> <h2> Step #5: Handle Tenant Switching Correctly </h2> <p>When Sarah switches from Acme Corp to Startup Inc, she needs a new token scoped to the new organization. The existing token's <code>org_code</code> is <code>org_acme_corp</code> — you cannot change a signed JWT's claims without issuing a new one.</p> <p>The correct approach is to redirect the user through Kinde's authentication with the target org specified:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// components/OrgSwitcher.tsx</span> <span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useKindeBrowserClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">LoginLink</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kinde-oss/kinde-auth-nextjs/components</span><span class="dl">"</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">Org</span> <span class="p">{</span> <span class="nl">code</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">OrgSwitcher</span><span class="p">({</span> <span class="nx">orgs</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">orgs</span><span class="p">:</span> <span class="nx">Org</span><span class="p">[]</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">getOrganization</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useKindeBrowserClient</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">currentOrg</span> <span class="o">=</span> <span class="nf">getOrganization</span><span class="p">();</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"org-switcher"</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">orgs</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">org</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">org</span><span class="p">.</span><span class="nx">code</span> <span class="o">===</span> <span class="nx">currentOrg</span><span class="p">?.</span><span class="nx">orgCode</span> <span class="p">?</span> <span class="p">(</span> <span class="c1">// Already in this org — highlight it as current</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">key</span><span class="p">=</span><span class="si">{</span><span class="nx">org</span><span class="p">.</span><span class="nx">code</span><span class="si">}</span> <span class="na">className</span><span class="p">=</span><span class="s">"org-item current"</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">org</span><span class="p">.</span><span class="nx">name</span><span class="si">}</span> <span class="p">&lt;</span><span class="nt">span</span> <span class="na">className</span><span class="p">=</span><span class="s">"badge"</span><span class="p">&gt;</span>Current<span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">)</span> <span class="p">:</span> <span class="p">(</span> <span class="c1">// Switch to this org — triggers a new Kinde token for org.code</span> <span class="p">&lt;</span><span class="nc">LoginLink</span> <span class="na">key</span><span class="p">=</span><span class="si">{</span><span class="nx">org</span><span class="p">.</span><span class="nx">code</span><span class="si">}</span> <span class="na">authUrlParams</span><span class="p">=</span><span class="si">{</span><span class="p">{</span> <span class="na">org_code</span><span class="p">:</span> <span class="nx">org</span><span class="p">.</span><span class="nx">code</span> <span class="p">}</span><span class="si">}</span> <span class="na">className</span><span class="p">=</span><span class="s">"org-item"</span> <span class="p">&gt;</span> <span class="si">{</span><span class="nx">org</span><span class="p">.</span><span class="nx">name</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nc">LoginLink</span><span class="p">&gt;</span> <span class="p">)</span> <span class="p">)</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The <code>org_code</code> parameter in <code>authUrlParams</code> tells Kinde which organization to issue the token for. After the brief authentication redirect, the user's token contains the <code>org_code</code>, <code>roles</code>, and <code>permissions</code> for the switched-to org. Every permission check in both the API and the UI immediately reflects the new tenant context.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F41y3hw4hwwz0uycbm92n.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F41y3hw4hwwz0uycbm92n.png" alt="Org switching flow — " width="800" height="307"></a></p> <h2> Putting It All Together </h2> <p>Here is the complete per-tenant permission system mapped across all layers:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>What it does</th> <th>Where it lives</th> </tr> </thead> <tbody> <tr> <td><strong>Kinde (config)</strong></td> <td>Defines permissions globally, bundles them into roles, assigns roles per org</td> <td>Kinde dashboard</td> </tr> <tr> <td><strong>JWT token</strong></td> <td>Carries <code>org_code</code> + <code>permissions</code> for the current org context</td> <td>Issued by Kinde, verified by SDK</td> </tr> <tr> <td><strong><code>requirePermission()</code> (API)</strong></td> <td>Rejects requests missing auth, org context, or required permissions</td> <td><code>lib/permissions.ts</code></td> </tr> <tr> <td><strong>DB queries</strong></td> <td>Filter every read/write/delete by <code>auth.orgCode</code> from the token</td> <td>All API route handlers</td> </tr> <tr> <td><strong><code>usePermissions()</code> hook (UI)</strong></td> <td>Conditionally renders controls based on <code>getPermission(key).isGranted</code> </td> <td>React components</td> </tr> <tr> <td><strong><code>OrgSwitcher</code> (UI)</strong></td> <td>Issues a new token for the selected org via <code>LoginLink</code> + <code>org_code</code> </td> <td> <code>OrgSwitcher</code> component</td> </tr> </tbody> </table></div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvohduygmjntuqf34g21z.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvohduygmjntuqf34g21z.png" alt="Full architecture — Kinde (left box: permissions → roles → orgs with role assignments) issues a signed JWT → the JWT flows to both the API Layer (center box: requirePermission guard → DB queries filtered by orgCode) and the React Layer (right box: usePermissions hook → conditional rendering)." width="800" height="277"></a></p> <h2> The Two Most Common Multi-Tenant Permission Bugs </h2> <p><strong>Bug #1: Trusting the client-supplied tenant ID</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ Wrong — org code from the request body is attacker-controlled</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">GET</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">Request</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">orgCode</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">request</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">projects</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">projects</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="nx">orgCode</span> <span class="p">},</span> <span class="c1">// a user can pass any org's code here</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// ✅ Correct — org code from the signed JWT cannot be forged</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">GET</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">auth</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">requirePermission</span><span class="p">(</span><span class="dl">"</span><span class="s2">projects:read</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">auth</span> <span class="k">instanceof</span> <span class="nx">NextResponse</span><span class="p">)</span> <span class="k">return</span> <span class="nx">auth</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">projects</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">projects</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">orgCode</span><span class="p">:</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">orgCode</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>A user controls what goes in a request body. They cannot forge a claim in a signed JWT. Always read the tenant context from the token.</p> <p><strong>Bug #2: Checking role names instead of permissions</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ Wrong — brittle, breaks when roles are renamed or restructured</span> <span class="kd">const</span> <span class="nx">roles</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getRoles</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">isAdmin</span> <span class="o">=</span> <span class="nx">roles</span><span class="p">?.</span><span class="nf">some</span><span class="p">(</span><span class="nx">r</span> <span class="o">=&gt;</span> <span class="nx">r</span><span class="p">.</span><span class="nx">key</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">admin</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isAdmin</span><span class="p">)</span> <span class="k">return</span> <span class="nf">forbidden</span><span class="p">();</span> <span class="c1">// ✅ Correct — checks the specific action, decoupled from role names</span> <span class="kd">const</span> <span class="nx">auth</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">requirePermission</span><span class="p">(</span><span class="dl">"</span><span class="s2">projects:delete</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">auth</span> <span class="k">instanceof</span> <span class="nx">NextResponse</span><span class="p">)</span> <span class="k">return</span> <span class="nx">auth</span><span class="p">;</span> </code></pre> </div> <p>Role names can change. New roles can be created. A "super_admin" or "owner" role might need delete access too. When you check role names, you have to update every check site when your role structure evolves. When you check permissions, the mapping from roles to permissions is managed in Kinde's configuration and your code stays unchanged.</p> <h2> Conclusion </h2> <p>In this article, you built a complete per-tenant permission system for a multi-tenant Next.js app using Kinde organizations. The same user now has completely different permissions depending on which org they are operating in — because those permissions come from the org-scoped token claims, not from a global role attached to the user.</p> <p>The model is clear: Kinde puts the right claims in the token for each org context (trust layer). Your API guard enforces permissions before any logic runs (security layer). Your UI hook hides controls the user cannot use (experience layer). Your database queries filter by the org code from the token (isolation layer).</p> <p>Four layers, one source of truth: the token.</p> <p>Kinde is free for up to 10,500 monthly active users, no credit card required. Create your account at <a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=10&amp;device=&amp;adposition=" rel="noopener noreferrer">kinde.com</a> and have multi-tenant permissions running today.</p> kinde webdev programming tutorial Shola Jegede Sun, 22 Mar 2026 00:27:29 +0000 https://forem.com/sholajegede/your-free-trial-isnt-converting-because-your-upgrade-flow-has-too-much-friction-1e9j https://forem.com/sholajegede/your-free-trial-isnt-converting-because-your-upgrade-flow-has-too-much-friction-1e9j <p><em>A technical founder asked me why only 8% of their trial users were upgrading. We spent an hour going through their funnel. The product was good. The problem was everything around it.</em></p> <p>In this article, you will learn:</p> <ul> <li>Why most free trial conversion problems are not actually product problems</li> <li>What the data says about where trial users actually drop off</li> <li>The five friction points that kill conversion — and which ones founders keep building themselves</li> <li>Why auth and upgrade flows are the worst place to build from scratch</li> <li>How Kinde handles the login, onboarding, upgrade, and access layers so you do not have to</li> <li>What your team should be spending its friction-reduction energy on instead</li> <li>How to audit your own funnel in 30 minutes and find the leaks</li> </ul> <p>Let's dive in!</p> <h2> The Conversation That Prompted This Article </h2> <p>A technical founder — building a SaaS tool for operations teams — reached out with a familiar problem. Their trial-to-paid conversion was hovering around 8%. They had good traffic, decent trial signups, and they knew from user interviews that people liked the product. But when the trial ended, most users just did not upgrade.</p> <p>They had already done the obvious things. They had shortened the trial from 30 days to 14. They had added in-app upgrade prompts. They had set up reminder emails. The conversion number barely moved.</p> <p>When we walked through their full funnel together, the product was not the problem. The product did what it promised. But surrounding it was a web of friction that accumulated across every touchpoint — friction that the founding team had built themselves, piece by piece, never stepping back to look at the whole thing from a new user's perspective.</p> <p>The login flow asked for email, password, first name, last name, company name, and team size before the user saw a single feature. The upgrade page required re-entering credit card information even if the user had already paid for something. The "upgrade to Pro" button existed in exactly one place in the entire product. Inviting a team member required the admin to first create the team member's role, then generate an invite link, then email it externally, then wait for the user to set up their own password. None of these problems were product problems. They were infrastructure problems. And the founding team had built every one of them.</p> <p>This article is about that category of friction: the stuff around your product that you probably built yourself and never had to build at all.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxdg30r0zjgzk832pz9eo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxdg30r0zjgzk832pz9eo.png" alt="A funnel showing a typical SaaS trial journey with friction points marked at each stage — Signup (form fields), First login (email verification delay), Onboarding (required setup before seeing value), Upgrade prompt (single location, one path), Payment (re-entry, redirect), Invite teammate (multi-step manual flow)." width="560" height="2480"></a></p> <h2> What the Data Actually Says </h2> <p>Before diagnosing where friction hides, it is worth grounding this in numbers.</p> <p>Opt-in free trials — the model where users sign up without a credit card — convert to paid at around 18 to 25% on average. Freemium products, where users stay on a free tier indefinitely, convert around 2.6 to 5%. If your product is genuinely solving a real problem and your conversion rate is sitting well below these benchmarks, you almost certainly have a friction problem, not a product problem.</p> <p>A few statistics that should make every technical founder uncomfortable:</p> <p>Each additional field in a signup form reduces completion by an average of 5 to 7%. When one company dropped the credit card requirement from their signup, they immediately saw a 71% increase in users willing to start a trial. Removing just three form fields from a payment page lifted conversion by 8%. Users who experience core product value within the first 15 minutes are three times more likely to retain than those who wait 30 minutes or longer. Users who complete an onboarding flow are five times more likely to convert than those who do not.</p> <p>The pattern is consistent: every second between a user's decision to try your product and the moment they experience its value is a second where they can change their mind. And the irony is that the friction accumulates most heavily in the parts of the product that have nothing to do with what makes your product valuable.</p> <p>Nobody's aha moment is "I successfully created an account." Nobody upgrades to Pro because "the payment page was really elegant." But a bad login experience, a broken invite flow, or an upgrade page that sends the user off-site and back can absolutely stop a conversion that was about to happen.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Furul1zcb2b8jptrehvlz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Furul1zcb2b8jptrehvlz.png" alt="A simple comparison card with two columns — " width="800" height="792"></a></p> <h2> The Five Friction Points That Kill Free Trial Conversion </h2> <p>These are the five places where trial conversion typically bleeds out. Two of them are product problems you genuinely need to solve. Three of them are infrastructure problems you should never have had to build.</p> <h3> Friction Point #1: The Signup Wall (Infrastructure) </h3> <p>The most common version of this: a new user lands on your product, decides they want to try it, and is immediately presented with a form. Email. Password. Confirm password. First name. Last name. Company. Team size. Job title. Use case. Newsletter opt-in. Terms checkbox.</p> <p>This is not onboarding. This is interrogation. And it happens at exactly the wrong moment — before the user has experienced a single second of your product's value.</p> <p>The right version of signup asks for as little as possible. An email address and a way to verify it is enough. Better yet, a single "Sign in with Google" button is one click. Users who have already experienced your product and then are asked for their email to save their work convert significantly better than users asked to commit before they have seen anything.</p> <p>This is a pure infrastructure problem. It is not about your product. It is about how you authenticate users. And it is completely solved by not building your own auth system.</p> <h3> Friction Point #2: Email Verification Delay (Infrastructure) </h3> <p>The single most underestimated conversion killer in SaaS. User signs up, checks email, verification email is in spam or takes 90 seconds, user moves on and never comes back.</p> <p>Email verifications that go to spam folders, that arrive late, or that require the user to leave the product and return to it introduce a break in momentum that most users never recover from. The user was ready to try your product. Now they are checking their spam folder.</p> <p>The fix is passwordless authentication with email OTPs — users enter their email, get a short code, enter it, and they are in. No password to create, no verification link to chase, no spam filter to defeat. Kinde's default authentication is email + code, not a magic link. A six-digit OTP that the user enters manually. The user stays in the flow the entire time. No tab-switching.</p> <h3> Friction Point #3: The First-Run Empty State (Product) </h3> <p>This is a genuine product problem — and arguably the most important one to solve, because it sits right after the authentication friction that you have just removed.</p> <p>A new user logs in for the first time and sees a completely blank dashboard. No data, no examples, no clear next action. The product looks empty because it is empty. This is the "blank canvas problem" and it is responsible for an enormous share of early churn.</p> <p>The fix is not complex: pre-populate the user's account with example data, a sample project, or a guided first action that gets them to their aha moment within the first five minutes. Trello puts users directly into a pre-configured board. Figma opens a default file. Notion creates a sample workspace. None of them leave the user staring at an empty screen wondering what to do.</p> <p>This is the friction point that is worth spending your engineering team's time on. It is specific to your product's value proposition and cannot be handled by any external tool.</p> <h3> Friction Point #4: The Upgrade Moment (Infrastructure) </h3> <p>This is where the founder I talked to lost most of their conversions. The user has been using the product for a week. They have hit a feature limit or they have decided the product is worth paying for. They look for the upgrade button.</p> <p>It is not in the navigation. It is not in the settings. It is not in the feature they just hit the limit on. It is on a pricing page linked from the marketing site footer.</p> <p>Even when users find the upgrade path, the friction continues: they are redirected to a separate page, asked to choose a plan, asked to enter payment details, redirected to a third-party checkout, and then redirected back to the product. At each hop, some percentage of users drop off.</p> <p>The right upgrade flow is in-context: the upgrade prompt appears exactly where the user hits the limit, the payment is handled without leaving the product, and the new feature is unlocked immediately after payment with zero additional steps required.</p> <p>This is almost entirely an infrastructure problem. Wiring together your auth system, your plan state, your billing provider, and your feature flags in a way that makes this experience seamless is weeks of engineering work. Or it is a Kinde configuration that takes an afternoon.</p> <h3> Friction Point #5: The Team Invite Friction (Infrastructure and Product) </h3> <p>Many SaaS products live or die on team adoption. A single user converts to paid, but the product is much stickier once teammates are inside it too. This is the expansion motion that drives net revenue retention above 100%.</p> <p>But the invite flow in most early-stage products is brutal. Admin has to set up roles. Generate an invite link. Copy it. Email it manually. The invitee signs up, creates a password, and waits for an admin to approve. The teammate who signed up on Tuesday shows up in the admin's queue on Thursday. The admin gets an email notification, clicks through, approves, and the new user can finally access the product.</p> <p>Three days of friction for what should be a one-minute experience.</p> <p>The right invite flow sends an invitation email with a single link. The invitee clicks the link, authenticates in one step (social login or OTP), and is inside the product with the correct role already assigned. No manual queue. No password creation. No admin approval step for standard roles.</p> <p>Again: this is infrastructure. The invitation, authentication, role assignment, and access provisioning are not features of your product. They are plumbing that most teams spend weeks building.</p> <h2> The Category of Friction You Should Stop Building </h2> <p>Notice the pattern across friction points #1, #2, #4, and #5. They are all infrastructure. They are all part of the login and access layer. And they are all things that the founding team of the product I described above had built themselves, from scratch, because that seemed like the right call at the time.</p> <p>It was not the right call. Here is why.</p> <p>When you build your own auth system, you are making a bet that your implementation of signup flows, email verification, social login, OTP delivery, password reset, session management, multi-tenant org logic, role assignment, invite flows, plan gating, and upgrade checkout will be good enough not to cost you conversions. That bet almost always loses, for a simple reason: none of these things are your product. You are not optimizing them. You are not testing them. You are not studying the best practices the way Stripe studied payment UX or the way Kinde has studied auth UX.</p> <p>Every hour your team spends debugging email deliverability or adding a Google login button or wiring up a Stripe webhook to update a user's plan state in your database is an hour not spent on friction point #3 — the blank canvas problem, which is the one that is genuinely specific to your product and genuinely worth your team's engineering attention.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F68fudatz734py871aj5a.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F68fudatz734py871aj5a.png" alt="A simple " value="" width="800" height="535"></a></p> <h2> What Kinde Gets Right Out of the Box </h2> <p><a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=11&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde</a> is auth, user management, and billing in one platform. The reason this matters for free trial conversion is not because Kinde does those things — it is that Kinde does those things well, so you do not have to.</p> <p>Here is what you get without writing any infrastructure code:</p> <p><strong>Passwordless authentication by default.</strong> Kinde's default auth method is email + OTP, not a password. Users enter their email and a six-digit code. No password to create, no verification link to follow, no confirmation email that might land in spam. Users stay in your product from the moment they decide to sign up.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjfuukp5zkqzo238sfz3n.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjfuukp5zkqzo238sfz3n.png" alt="Kinde's default login/signup page showing the email field and OTP code entry — clean, minimal, no password field." width="800" height="501"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjl6otjk3ddnejib1oz05.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjl6otjk3ddnejib1oz05.png" alt="This is what users see when they first encounter your product's auth layer." width="800" height="501"></a></p> <p><strong>Social login out of the box.</strong> Google, GitHub, Microsoft, Apple, and others can be enabled in the Kinde dashboard in under two minutes. One-click signup removes all the form-field friction from new user acquisition. Users who already have a Google account can be inside your product in a single click.</p> <p><strong>No credit card required for Kinde itself.</strong> Kinde's free plan supports up to 10,500 monthly active users — no credit card required to get started. This is important because it means you can mirror the same no-credit-card opt-in model for your own users that the data shows converts best, without paying anything for the auth infrastructure that enables it.</p> <p><strong>Upgrade flows that stay in-product.</strong> Kinde's billing integration puts the pricing table, plan selection, and Stripe checkout inside your product. When a user hits a feature limit and sees an upgrade prompt, they complete the upgrade without leaving the product. The new plan is active immediately. Feature flags tied to that plan update in the same request.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw0nwv1c981grmwd0kz71.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw0nwv1c981grmwd0kz71.png" alt="Kinde's plan selection UI — Free and Pro cards with " width="800" height="634"></a></p> <p><strong>Feature flags tied to plan state.</strong> The moment a user upgrades, the feature flags attached to that plan activate without any webhook handling or database updates from your team. The user does not have to log out and back in. The feature is simply available. This is what makes in-context upgrade prompts work: "You've hit the limit on the free plan. Upgrade to Pro to unlock this." The user clicks, pays, and the feature unlocks in that same session.</p> <p><strong>Organization-based team management.</strong> For B2B products, Kinde organizations give every customer their own isolated workspace, with their own members, roles, and plan state. The invite flow sends a Kinde-powered email with a join link. The invitee authenticates (social login or OTP), and their role in the organization is already assigned. No admin queue, no password creation ceremony, no manual step for the inviting user after they send the invitation.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faan4s0ug775m96n16jqy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faan4s0ug775m96n16jqy.png" alt="Kinde dashboard showing the Organization view — expanded to show member list with roles (Admin, Member, Viewer) and an " width="800" height="501"></a></p> <p><strong>Roles and permissions that express in your product's UI.</strong> Using <code>getPermissions()</code> or feature flag checks from the Kinde SDK, your product can conditionally show or hide features based on a user's role and plan state. An admin on the Pro plan sees everything. A member on the free plan sees what they should see. This all comes from the Kinde token — no database query required to determine what a user can see.</p> <h2> Applying This to Your Own Funnel </h2> <p>The founder I described at the start ended up migrating to Kinde and rebuilding their auth and upgrade layer on top of it. The signup form went from six fields to one. Social login accounted for 60% of new signups within the first two weeks. The upgrade flow moved inside the product. The invite flow dropped from a five-step manual process to a single email.</p> <p>Their trial-to-paid conversion went from 8% to 21% over the following 90 days.</p> <p>That is not a product change. The product did not change. The friction around the product changed.</p> <p>If you want to audit your own funnel, here is a 30-minute process:</p> <p><strong>Step 1 (5 min): Walk the signup flow yourself.</strong> Open an incognito window and sign up for your own product. Count every field, every click, every page navigation, every email you have to check. Every step is potential churn.</p> <p><strong>Step 2 (5 min): Measure time to first value.</strong> From the moment you complete signup to the moment you see something genuinely useful in the product — how long does that take? If it is more than five minutes, you have a problem.</p> <p><strong>Step 3 (5 min): Find the upgrade path.</strong> Without knowing where it is, try to find the upgrade button. Time yourself. If it takes more than 30 seconds, most users will not find it at the moment they are ready to pay.</p> <p><strong>Step 4 (5 min): Walk the invite flow.</strong> Go through the process of inviting a team member. Count every step the inviting user has to take. Then count every step the invited user has to take. Multiply both by the cognitive overhead of switching contexts and waiting for emails. That is your expansion friction.</p> <p><strong>Step 5 (10 min): Look at your drop-off data.</strong> Where in the funnel are users leaving? If the biggest drop is between signup and first meaningful action, you have an onboarding problem. If the biggest drop is at the end of the trial, you likely have an upgrade friction problem. If users activate but do not invite teammates, you have an expansion friction problem.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzxr6m9t7ejgrwnyndhnv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzxr6m9t7ejgrwnyndhnv.png" alt="A funnel audit template — five numbered rows (Signup Flow, Time to First Value, Upgrade Path, Invite Flow, Drop-off Data) with columns for " width="700" height="3460"></a></p> <h2> The Division of Labor That Works </h2> <p>The founders who convert at 20%+ typically have an implicit understanding of this division:</p> <p><strong>Kinde's job:</strong> Handle every interaction a user has with authentication, access, plan state, and team membership. Make these interactions fast, polished, and invisible. No friction that the user notices, no engineering hours that the team notices.</p> <p><strong>Your team's job:</strong> Handle every interaction a user has with your actual product. Make the first-run experience genuinely delightful. Get users to their aha moment in under five minutes. Build the features that make people want to upgrade because the product is worth it — not because the upgrade flow tricked them into it.</p> <p>This is the right division. The user's experience of your auth layer is not a differentiator. Nobody upgrades to Pro because your login page was beautiful. But users will not upgrade at all if the upgrade path is hard to find, the payment flow is clunky, or the new features do not unlock immediately after payment.</p> <p><a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=11&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde</a> handles the layer that should be invisible and frictionless. Your team handles the layer that should be delightful and differentiated.</p> <h2> Conclusion </h2> <p>In this article, you audited the five friction points that kill free trial conversion, identified which ones are infrastructure problems you should stop building from scratch, and saw how Kinde handles the login, onboarding, upgrade, and team access layers so that your engineering team can focus on what actually makes your product worth paying for.</p> <p>The founder's 8% conversion rate was not a product failure. It was a resource allocation failure. Every hour spent debugging email verification or building invite flows is an hour taken from the blank canvas problem — the one genuine product problem that only your team can solve.</p> <p>Free up those hours. Let Kinde handle the plumbing. Spend your engineering attention on the aha moment.</p> <p>Kinde is free for up to 10,500 monthly active users, no credit card required. Create your account at <a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=11&amp;device=&amp;adposition=" rel="noopener noreferrer">kinde.com</a> and have authentication running before lunch.</p> webdev kinde architecture development Shola Jegede Sun, 22 Mar 2026 00:15:55 +0000 https://forem.com/sholajegede/how-to-build-a-secure-mcp-server-for-ai-agents-551g https://forem.com/sholajegede/how-to-build-a-secure-mcp-server-for-ai-agents-551g <p><em>OpenClaw proved that millions of developers will build with MCP first and think about security second. Here is how to not be that developer.</em></p> <p>In this article, you will learn:</p> <ul> <li>What OpenClaw and Moltbook revealed about the state of agentic AI security</li> <li>Why most MCP servers are architecturally insecure by default</li> <li>What "tool-level auth" means and why it is the right mental model for MCP security</li> <li>How Kinde's own MCP server (shipped January 2026) handles scoped access as a real-world reference</li> <li>How to set up a Kinde M2M application as the authorization layer for your MCP server</li> <li>How to issue and validate scoped JWT tokens per tool category</li> <li>How to write a Node.js MCP server that enforces permissions at the tool boundary</li> <li>How to test that your auth layer actually holds under adversarial conditions</li> </ul> <p>Let's dive in!</p> <h2> OpenClaw, Moltbook, and the Security Wake-Up Call </h2> <p>In late January 2026, two things happened simultaneously that changed how the developer community thinks about agentic AI security.</p> <p><strong>OpenClaw</strong> — an open-source self-hosted AI agent formerly called Clawdbot and briefly Moltbot — crossed 180,000 GitHub stars in a week. It turned any messaging app (WhatsApp, Telegram, Discord, Signal) into an AI agent interface, extended by a Skills system built entirely on MCP servers. Security researchers scanning the internet found over 1,800 exposed OpenClaw instances leaking API keys, chat histories, and account credentials. Cisco's AI security team tested a third-party OpenClaw skill from the ClawHub marketplace and found it performed data exfiltration and prompt injection without user awareness. One of OpenClaw's own maintainers, known as Shadow, warned on Discord that the project was "far too dangerous" for anyone who could not understand command-line basics.</p> <p><strong>Moltbook</strong> — a Reddit-style social network built by Matt Schlicht exclusively for AI agents — launched on January 28 and hit 1.6 million registered agents by February. It was built via vibe coding and contained a misconfigured Supabase database that granted full read and write access to its data — exposing 1.5 million agents belonging to only 17,000 registered humans. Cybersecurity researchers at Vectra AI and PointGuard AI identified Moltbook as a vector for indirect prompt injection: a malicious post on Moltbook could cascade into every MCP tool an agent had access to. Moltbook was acquired by Meta on March 10, 2026.</p> <p>The pattern that connected both incidents was the same: agents were granted sweeping, unscoped access to tools. No authentication. No per-tool permissions. No way to answer the question "which agent did this and what were they authorized to do?" A static API key — if there was one at all — gave full access to everything.</p> <p>Security researcher Itamar Golan (founder of Prompt Security, now part of SentinelOne) put it plainly in a VentureBeat interview: treat agents as production infrastructure, not a productivity app — least privilege, scoped tokens, allowlisted actions, strong authentication on every integration, and auditability end-to-end.</p> <p>This article is about building exactly that.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhlo3q1atq8ylnh9wge9v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhlo3q1atq8ylnh9wge9v.png" alt="Timeline showing OpenClaw going viral (Jan 2026) → Moltbook launching (Jan 28) → 1,800+ exposed OpenClaw instances found → Moltbook Supabase breach → Meta acquires Moltbook (Mar 10)." width="639" height="311"></a></p> <h2> Why Most MCP Servers Are Architecturally Insecure </h2> <p>The MCP spec (finalized in late 2024, updated through 2025) mandates OAuth 2.1 with PKCE for public remote servers. But the ecosystem reality is starkly different. A 2026 survey of production MCP servers found that 53% rely on static API keys and only 8.5% use OAuth. The rest have no authentication at all.</p> <p>This is not because developers are careless. It is because the default path is the insecure path. The most commonly copied MCP server examples use static bearer tokens or no auth. The "get something working" version of MCP has no concept of which agent is calling or what it is allowed to do. And when 180,000 developers adopt OpenClaw and start wiring up Skills, they inherit those insecure defaults at scale.</p> <p>The specific problems with unscoped MCP access are worth naming precisely, because they map directly to what happened with OpenClaw and Moltbook:</p> <p><strong>No tool-level permissions.</strong> A token that grants access to your MCP server grants access to every tool on it. An agent authorized to read files can also delete them. An agent authorized to query a database can also drop tables. There is no granularity.</p> <p><strong>No agent identity.</strong> When five different OpenClaw instances connect to your MCP server, can you tell them apart? Can you see which user delegated authority to each one? With a static API key, the answer is no. All you know is that something with the key made a request.</p> <p><strong>Prompt injection cascades.</strong> Because agents are granted broad tool access, a successful prompt injection attack has a large blast radius. The Moltbook incident demonstrated this: a malicious post in an agent's context could instruct the agent to call tools it had no business calling — and because tools were unscoped, the agent could comply.</p> <p><strong>No revocation granularity.</strong> If you need to cut off one agent's access, you have to rotate the key for everyone.</p> <p>What you need instead is a model where each agent has a cryptographically verified identity, each token carries specific scopes that enumerate exactly which tools the agent can call, and every tool call is validated against those scopes before execution. That is what Kinde's own MCP server — shipped in January 2026 — demonstrates in production.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkwed0y5nvy4crdpwx0kh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkwed0y5nvy4crdpwx0kh.png" alt="Two architecture diagrams side by side. LEFT: " width="800" height="274"></a></p> <h2> The Kinde MCP Server as a Reference Model </h2> <p><a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=9&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde</a> shipped its own MCP server in January 2026. It lets AI assistants like Claude Code connect to your Kinde business and manage users, organizations, roles, and permissions through natural language — things like "create a new organization for Acme Corp" or "list all users with the admin role."</p> <p>The security model it uses is the right reference for anyone building their own MCP server:</p> <p><strong>M2M (Machine-to-Machine) applications</strong> are the identity primitive for agents. Not user accounts. Not API keys. Dedicated M2M applications that have their own client ID and secret, exist as first-class entities in Kinde, and can be granted or revoked access independently of human users.</p> <p><strong>Scopes enumerate exact permissions.</strong> The Kinde MCP server defines specific scopes for each category of operation — scopes for reading users, different scopes for writing users, separate scopes for managing organizations. An M2M application that has not been granted a scope cannot call the tools that require it. The authorization decision happens at the token issuance level, not at runtime guesswork.</p> <p><strong>JWT validation on every request.</strong> Tokens are short-lived (one hour by default for M2M), signed with Kinde's private key, and verified against Kinde's public JWKS endpoint on every inbound request. A token cannot be forged, replayed beyond its expiry, or accepted by a different server than the one it was issued for.</p> <p><strong>Revocability.</strong> To cut off an agent's access, you revoke or remove the M2M application in Kinde. It stops working immediately. No key rotation, no impact on other agents.</p> <p>This is the pattern you should apply to your own MCP server. The steps below show you exactly how to implement it.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhhfk6dtgrn5917f2hq35.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhhfk6dtgrn5917f2hq35.png" alt="Kinde dashboard MCP Server section — showing the setup page or the operations/scopes list that Kinde's own MCP server exposes (e.g., list_users scope, create_organization scope, manage_roles scope)." width="800" height="502"></a></p> <h2> Step #1: Create a Kinde M2M Application for Your MCP Server </h2> <p>Before writing any server code, set up the authorization layer in Kinde. This takes about three minutes.</p> <p>Create a free Kinde account at <a href="https://kinde.com" rel="noopener noreferrer">kinde.com</a> if you do not have one. Then navigate to <strong>Settings</strong> → <strong>Applications</strong> → <strong>Add application</strong> and select <strong>Machine to machine</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnpep5iw6cko1ozjgob57.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnpep5iw6cko1ozjgob57.png" alt="Kinde Settings &gt; Applications page showing the " width="800" height="502"></a></p> <p>Give it a descriptive name like <code>My MCP Server Agent</code>. Once created, open the application details and note down:</p> <ul> <li> <strong>Client ID</strong> — the agent's unique identity</li> <li> <strong>Client Secret</strong> — the credential used to obtain tokens (treat this like a password)</li> <li> <strong>Token endpoint</strong> — <code>https://YOUR_DOMAIN.kinde.com/oauth2/token</code> </li> <li> <strong>JWKS endpoint</strong> — <code>https://YOUR_DOMAIN.kinde.com/.well-known/jwks.json</code> </li> </ul> <p>Now register your MCP server as an API in Kinde. Navigate to <strong>APIs</strong> → <strong>Add API</strong>. Give it a name (e.g. <code>My MCP Server</code>) and an audience identifier (e.g. <code>https://mcp.yourapp.com</code>). This audience value will be embedded in every token issued for your server — your server checks it on every request to ensure the token was meant for it specifically, preventing token passthrough attacks.</p> <h2> Step #2: Define Scopes for Tool-Level Permissions </h2> <p>This is the step most MCP servers skip entirely, and it is the most important one.</p> <p>In your Kinde API definition (under <strong>APIs</strong> → select your API → <strong>Scopes</strong>), define one scope per logical group of tools. Do not define one global scope — that defeats the purpose. Think about the categories of capability your MCP server exposes and create a scope for each.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnepm7ysulx301gn4gsiw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnepm7ysulx301gn4gsiw.png" alt="Kinde API scopes page showing several scopes defined for the MCP server, e.g., tools:read, tools:write, admin:users, admin:orgs. Each scope has a name and description visible" width="800" height="502"></a></p> <p>For a hypothetical MCP server that manages a SaaS product's users and data, the scopes might look like this:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scope</th> <th>Tools it authorizes</th> <th>Who gets it</th> </tr> </thead> <tbody> <tr> <td><code>users:read</code></td> <td> <code>get_user</code>, <code>list_users</code>, <code>search_users</code> </td> <td>Read-only agents, analytics pipelines</td> </tr> <tr> <td><code>users:write</code></td> <td> <code>create_user</code>, <code>update_user</code>, <code>invite_user</code> </td> <td>CRM agents, onboarding automations</td> </tr> <tr> <td><code>users:delete</code></td> <td> <code>delete_user</code>, <code>suspend_user</code> </td> <td>Admin agents only</td> </tr> <tr> <td><code>data:read</code></td> <td> <code>query_records</code>, <code>export_data</code> </td> <td>Reporting agents</td> </tr> <tr> <td><code>data:write</code></td> <td> <code>create_record</code>, <code>update_record</code> </td> <td>Integration agents</td> </tr> <tr> <td><code>admin</code></td> <td>All tools</td> <td>Trusted internal agents only</td> </tr> </tbody> </table></div> <p>Now grant your M2M application the scopes it actually needs. Navigate to your M2M application → <strong>APIs</strong> → select your API → check only the scopes this specific agent should have. An agent that only needs to read users gets <code>users:read</code>. It cannot request a token with <code>users:delete</code> even if it tries — Kinde will not issue it.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4hmhlv5e9pu29y9jhoua.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4hmhlv5e9pu29y9jhoua.png" alt="Kinde M2M application details showing the API scopes section with some scopes checked (users:read, data:read) and others unchecked (users:delete, admin" width="800" height="502"></a></p> <p>The authorization policy is now defined. Time to build the server.</p> <h2> Step #3: Build the MCP Server with Token Validation </h2> <p>Now write the MCP server itself. This is a Node.js server using the <code>@modelcontextprotocol/sdk</code> package. The key additions over a basic MCP server are the JWT validation middleware and the per-tool scope enforcement.</p> <p>First, install the dependencies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm init <span class="nt">-y</span> npm <span class="nb">install</span> @modelcontextprotocol/sdk jwks-rsa jsonwebtoken express </code></pre> </div> <p>Create the server file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// server.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">McpServer</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@modelcontextprotocol/sdk/server/mcp.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">StreamableHTTPServerTransport</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@modelcontextprotocol/sdk/server/streamableHttp.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">express</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">Response</span><span class="p">,</span> <span class="nx">NextFunction</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">jwt</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">jsonwebtoken</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">jwksClient</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">jwks-rsa</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">z</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">zod</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// ─── Configuration ──────────────────────────────────────────────────────────</span> <span class="kd">const</span> <span class="nx">KINDE_DOMAIN</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">KINDE_DOMAIN</span><span class="o">!</span><span class="p">;</span> <span class="c1">// e.g. "yourapp.kinde.com"</span> <span class="kd">const</span> <span class="nx">MCP_AUDIENCE</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">MCP_AUDIENCE</span><span class="o">!</span><span class="p">;</span> <span class="c1">// e.g. "https://mcp.yourapp.com"</span> <span class="c1">// JWKS client — fetches Kinde's public signing keys</span> <span class="c1">// Used to verify that incoming tokens were genuinely signed by Kinde</span> <span class="kd">const</span> <span class="nx">jwks</span> <span class="o">=</span> <span class="nf">jwksClient</span><span class="p">({</span> <span class="na">jwksUri</span><span class="p">:</span> <span class="s2">`https://</span><span class="p">${</span><span class="nx">KINDE_DOMAIN</span><span class="p">}</span><span class="s2">/.well-known/jwks.json`</span><span class="p">,</span> <span class="na">cache</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">cacheMaxEntries</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="na">cacheMaxAge</span><span class="p">:</span> <span class="mi">600</span><span class="nx">_000</span><span class="p">,</span> <span class="c1">// 10 minutes</span> <span class="p">});</span> <span class="c1">// ─── JWT Validation ──────────────────────────────────────────────────────────</span> <span class="kr">interface</span> <span class="nx">TokenPayload</span> <span class="p">{</span> <span class="nl">sub</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// agent identity (M2M app client ID)</span> <span class="nl">scp</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// space-separated scopes</span> <span class="nl">permissions</span><span class="p">?:</span> <span class="kr">string</span><span class="p">[];</span> <span class="c1">// Kinde also surfaces permissions here</span> <span class="nl">aud</span><span class="p">:</span> <span class="kr">string</span> <span class="o">|</span> <span class="kr">string</span><span class="p">[];</span> <span class="nl">iss</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">exp</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">validateToken</span><span class="p">(</span><span class="nx">authHeader</span><span class="p">:</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">undefined</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">TokenPayload</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">authHeader</span><span class="p">?.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">Bearer </span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Missing or malformed Authorization header</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">authHeader</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">7</span><span class="p">);</span> <span class="c1">// Decode the header to find the key ID (kid)</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="p">{</span> <span class="na">complete</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">decoded</span> <span class="o">||</span> <span class="k">typeof</span> <span class="nx">decoded</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">string</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Invalid token format</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">kid</span> <span class="o">=</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">header</span><span class="p">.</span><span class="nx">kid</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">kid</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Token missing key ID (kid)</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Fetch the public key from Kinde's JWKS endpoint</span> <span class="kd">const</span> <span class="nx">signingKey</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">jwks</span><span class="p">.</span><span class="nf">getSigningKey</span><span class="p">(</span><span class="nx">kid</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">publicKey</span> <span class="o">=</span> <span class="nx">signingKey</span><span class="p">.</span><span class="nf">getPublicKey</span><span class="p">();</span> <span class="c1">// Verify the token — this checks signature, expiry, issuer, and audience</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">publicKey</span><span class="p">,</span> <span class="p">{</span> <span class="na">algorithms</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">RS256</span><span class="dl">"</span><span class="p">],</span> <span class="na">issuer</span><span class="p">:</span> <span class="s2">`https://</span><span class="p">${</span><span class="nx">KINDE_DOMAIN</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">audience</span><span class="p">:</span> <span class="nx">MCP_AUDIENCE</span><span class="p">,</span> <span class="c1">// prevents token passthrough attacks</span> <span class="p">})</span> <span class="k">as</span> <span class="nx">TokenPayload</span><span class="p">;</span> <span class="k">return</span> <span class="nx">payload</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// ─── Scope Enforcement ───────────────────────────────────────────────────────</span> <span class="kd">function</span> <span class="nf">requireScope</span><span class="p">(</span><span class="nx">requiredScope</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span><span class="nx">payload</span><span class="p">:</span> <span class="nx">TokenPayload</span><span class="p">):</span> <span class="k">void</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Kinde puts scopes in the `scp` claim as a space-separated string</span> <span class="kd">const</span> <span class="nx">tokenScopes</span> <span class="o">=</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">scp</span><span class="p">?.</span><span class="nf">split</span><span class="p">(</span><span class="dl">"</span><span class="s2"> </span><span class="dl">"</span><span class="p">)</span> <span class="o">??</span> <span class="p">[];</span> <span class="c1">// Also check the `permissions` array (Kinde's permission system)</span> <span class="kd">const</span> <span class="nx">permissions</span> <span class="o">=</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">permissions</span> <span class="o">??</span> <span class="p">[];</span> <span class="kd">const</span> <span class="nx">hasScope</span> <span class="o">=</span> <span class="nx">tokenScopes</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">requiredScope</span><span class="p">)</span> <span class="o">||</span> <span class="nx">tokenScopes</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">"</span><span class="s2">admin</span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="nx">permissions</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">requiredScope</span><span class="p">)</span> <span class="o">||</span> <span class="nx">permissions</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">"</span><span class="s2">admin</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">hasScope</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span> <span class="s2">`Insufficient permissions. Required: </span><span class="p">${</span><span class="nx">requiredScope</span><span class="p">}</span><span class="s2">. `</span> <span class="o">+</span> <span class="s2">`Token has: </span><span class="p">${</span><span class="nx">tokenScopes</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">"</span><span class="s2">, </span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">none</span><span class="dl">"</span><span class="p">}</span><span class="s2">`</span> <span class="p">);</span> <span class="p">}</span> <span class="p">};</span> <span class="p">}</span> <span class="c1">// ─── Auth Middleware ──────────────────────────────────────────────────────────</span> <span class="c1">// Store the validated token payload on the request object</span> <span class="c1">// so tool handlers can access it without re-validating</span> <span class="kr">declare</span> <span class="nb">global</span> <span class="p">{</span> <span class="k">namespace</span> <span class="nx">Express</span> <span class="p">{</span> <span class="kr">interface</span> <span class="nx">Request</span> <span class="p">{</span> <span class="nl">agentToken</span><span class="p">?:</span> <span class="nx">TokenPayload</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">authMiddleware</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">Response</span><span class="p">,</span> <span class="nx">next</span><span class="p">:</span> <span class="nx">NextFunction</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">validateToken</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">authorization</span><span class="p">);</span> <span class="nx">req</span><span class="p">.</span><span class="nx">agentToken</span> <span class="o">=</span> <span class="nx">payload</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Agent authenticated: </span><span class="p">${</span><span class="nx">payload</span><span class="p">.</span><span class="nx">sub</span><span class="p">}</span><span class="s2"> with scopes: </span><span class="p">${</span><span class="nx">payload</span><span class="p">.</span><span class="nx">scp</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="s2">`Auth failed: </span><span class="p">${(</span><span class="nx">err</span> <span class="k">as</span> <span class="nb">Error</span><span class="p">).</span><span class="nx">message</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">unauthorized</span><span class="dl">"</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="p">(</span><span class="nx">err</span> <span class="k">as</span> <span class="nb">Error</span><span class="p">).</span><span class="nx">message</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// ─── MCP Server Definition ────────────────────────────────────────────────────</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">McpServer</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">secure-mcp-server</span><span class="dl">"</span><span class="p">,</span> <span class="na">version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1.0.0</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Tool #1: get_user — requires users:read scope</span> <span class="nx">server</span><span class="p">.</span><span class="nf">tool</span><span class="p">(</span> <span class="dl">"</span><span class="s2">get_user</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Retrieve a user by their ID</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">user_id</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">describe</span><span class="p">(</span><span class="dl">"</span><span class="s2">The unique identifier of the user to retrieve</span><span class="dl">"</span><span class="p">),</span> <span class="p">},</span> <span class="k">async </span><span class="p">({</span> <span class="nx">user_id</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">_meta</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Access the validated token from the request context</span> <span class="c1">// The token was validated and attached by authMiddleware before this handler runs</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="p">(</span><span class="nx">_meta</span> <span class="k">as</span> <span class="kr">any</span><span class="p">)?.</span><span class="nx">agentToken</span> <span class="k">as</span> <span class="nx">TokenPayload</span><span class="p">;</span> <span class="nf">requireScope</span><span class="p">(</span><span class="dl">"</span><span class="s2">users:read</span><span class="dl">"</span><span class="p">)(</span><span class="nx">token</span><span class="p">);</span> <span class="c1">// Your actual business logic here</span> <span class="c1">// This is a placeholder — replace with real data fetching</span> <span class="k">return</span> <span class="p">{</span> <span class="na">content</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text</span><span class="dl">"</span> <span class="k">as</span> <span class="kd">const</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="nx">user_id</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">"</span><span class="s2">user@example.com</span><span class="dl">"</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Jane Smith</span><span class="dl">"</span><span class="p">,</span> <span class="na">created_at</span><span class="p">:</span> <span class="dl">"</span><span class="s2">2025-01-15T10:30:00Z</span><span class="dl">"</span><span class="p">,</span> <span class="p">}),</span> <span class="p">},</span> <span class="p">],</span> <span class="p">};</span> <span class="p">}</span> <span class="p">);</span> <span class="c1">// Tool #2: create_user — requires users:write scope</span> <span class="nx">server</span><span class="p">.</span><span class="nf">tool</span><span class="p">(</span> <span class="dl">"</span><span class="s2">create_user</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Create a new user account</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">email</span><span class="p">().</span><span class="nf">describe</span><span class="p">(</span><span class="dl">"</span><span class="s2">Email address for the new user</span><span class="dl">"</span><span class="p">),</span> <span class="na">name</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">describe</span><span class="p">(</span><span class="dl">"</span><span class="s2">Full name of the user</span><span class="dl">"</span><span class="p">),</span> <span class="na">role</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">enum</span><span class="p">([</span><span class="dl">"</span><span class="s2">admin</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">member</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">viewer</span><span class="dl">"</span><span class="p">]).</span><span class="k">default</span><span class="p">(</span><span class="dl">"</span><span class="s2">member</span><span class="dl">"</span><span class="p">),</span> <span class="p">},</span> <span class="k">async </span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">role</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">_meta</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="p">(</span><span class="nx">_meta</span> <span class="k">as</span> <span class="kr">any</span><span class="p">)?.</span><span class="nx">agentToken</span> <span class="k">as</span> <span class="nx">TokenPayload</span><span class="p">;</span> <span class="nf">requireScope</span><span class="p">(</span><span class="dl">"</span><span class="s2">users:write</span><span class="dl">"</span><span class="p">)(</span><span class="nx">token</span><span class="p">);</span> <span class="c1">// Log who created the user for audit purposes</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`User creation requested by agent: </span><span class="p">${</span><span class="nx">token</span><span class="p">.</span><span class="nx">sub</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="c1">// Your actual user creation logic here</span> <span class="k">return</span> <span class="p">{</span> <span class="na">content</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text</span><span class="dl">"</span> <span class="k">as</span> <span class="kd">const</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="s2">`usr_</span><span class="p">${</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()}</span><span class="s2">`</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">role</span><span class="p">,</span> <span class="na">created_by_agent</span><span class="p">:</span> <span class="nx">token</span><span class="p">.</span><span class="nx">sub</span><span class="p">,</span> <span class="na">created_at</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="p">}),</span> <span class="p">},</span> <span class="p">],</span> <span class="p">};</span> <span class="p">}</span> <span class="p">);</span> <span class="c1">// Tool #3: delete_user — requires users:delete scope (most restrictive)</span> <span class="nx">server</span><span class="p">.</span><span class="nf">tool</span><span class="p">(</span> <span class="dl">"</span><span class="s2">delete_user</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Permanently delete a user account</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">user_id</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">describe</span><span class="p">(</span><span class="dl">"</span><span class="s2">ID of the user to delete</span><span class="dl">"</span><span class="p">),</span> <span class="na">reason</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">describe</span><span class="p">(</span><span class="dl">"</span><span class="s2">Reason for deletion (required for audit trail)</span><span class="dl">"</span><span class="p">),</span> <span class="p">},</span> <span class="k">async </span><span class="p">({</span> <span class="nx">user_id</span><span class="p">,</span> <span class="nx">reason</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">_meta</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="p">(</span><span class="nx">_meta</span> <span class="k">as</span> <span class="kr">any</span><span class="p">)?.</span><span class="nx">agentToken</span> <span class="k">as</span> <span class="nx">TokenPayload</span><span class="p">;</span> <span class="c1">// This scope is only granted to trusted admin agents</span> <span class="c1">// Read-only agents cannot call this tool even if they know it exists</span> <span class="nf">requireScope</span><span class="p">(</span><span class="dl">"</span><span class="s2">users:delete</span><span class="dl">"</span><span class="p">)(</span><span class="nx">token</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span> <span class="s2">`AUDIT: User </span><span class="p">${</span><span class="nx">user_id</span><span class="p">}</span><span class="s2"> deleted by agent </span><span class="p">${</span><span class="nx">token</span><span class="p">.</span><span class="nx">sub</span><span class="p">}</span><span class="s2">. Reason: </span><span class="p">${</span><span class="nx">reason</span><span class="p">}</span><span class="s2">`</span> <span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">content</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text</span><span class="dl">"</span> <span class="k">as</span> <span class="kd">const</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">deleted</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="nx">user_id</span><span class="p">,</span> <span class="na">deleted_by</span><span class="p">:</span> <span class="nx">token</span><span class="p">.</span><span class="nx">sub</span><span class="p">,</span> <span class="nx">reason</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="p">}),</span> <span class="p">},</span> <span class="p">],</span> <span class="p">};</span> <span class="p">}</span> <span class="p">);</span> <span class="c1">// ─── HTTP Server ──────────────────────────────────────────────────────────────</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="c1">// The auth middleware runs on every MCP request before the tool handlers</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/mcp</span><span class="dl">"</span><span class="p">,</span> <span class="nx">authMiddleware</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">transport</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">StreamableHTTPServerTransport</span><span class="p">({</span> <span class="na">sessionIdGenerator</span><span class="p">:</span> <span class="kc">undefined</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Pass the validated token into the MCP request context</span> <span class="c1">// so tool handlers can access it via _meta.agentToken</span> <span class="p">(</span><span class="nx">req</span> <span class="k">as</span> <span class="kr">any</span><span class="p">).</span><span class="nx">agentToken</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">agentToken</span><span class="p">;</span> <span class="k">await</span> <span class="nx">server</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="nx">transport</span><span class="p">);</span> <span class="k">await</span> <span class="nx">transport</span><span class="p">.</span><span class="nf">handleRequest</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="p">});</span> <span class="c1">// Protected resource metadata endpoint — required for OAuth 2.1 discovery</span> <span class="c1">// MCP clients fetch this to learn where to get tokens</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/.well-known/oauth-protected-resource</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">_req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">resource</span><span class="p">:</span> <span class="nx">MCP_AUDIENCE</span><span class="p">,</span> <span class="na">authorization_servers</span><span class="p">:</span> <span class="p">[</span><span class="s2">`https://</span><span class="p">${</span><span class="nx">KINDE_DOMAIN</span><span class="p">}</span><span class="s2">`</span><span class="p">],</span> <span class="na">scopes_supported</span><span class="p">:</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">users:read</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">users:write</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">users:delete</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">data:read</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">data:write</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">admin</span><span class="dl">"</span><span class="p">,</span> <span class="p">],</span> <span class="na">bearer_methods_supported</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">header</span><span class="dl">"</span><span class="p">],</span> <span class="p">});</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">PORT</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">PORT</span> <span class="o">??</span> <span class="mi">3000</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="nx">PORT</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Secure MCP Server running on port </span><span class="p">${</span><span class="nx">PORT</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Protected resource metadata: http://localhost:</span><span class="p">${</span><span class="nx">PORT</span><span class="p">}</span><span class="s2">/.well-known/oauth-protected-resource`</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvw1yk6dwfxqlumsu0l9x.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvw1yk6dwfxqlumsu0l9x.png" alt="Terminal showing the MCP server running, with log output like " width="800" height="269"></a></p> <h2> Step #4: How Agents Obtain Tokens </h2> <p>Your MCP server is now a protected resource. To call it, an agent needs a token. Here is how an OpenClaw-style agent — or any MCP client — would obtain one using Kinde's client credentials flow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// agent-token.ts</span> <span class="c1">// This code runs in the AGENT (the MCP client), not in the MCP server</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getAgentToken</span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">tokenResponse</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span> <span class="s2">`https://</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">KINDE_DOMAIN</span><span class="p">}</span><span class="s2">/oauth2/token`</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/x-www-form-urlencoded</span><span class="dl">"</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">({</span> <span class="na">grant_type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">client_credentials</span><span class="dl">"</span><span class="p">,</span> <span class="na">client_id</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">KINDE_M2M_CLIENT_ID</span><span class="o">!</span><span class="p">,</span> <span class="na">client_secret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">KINDE_M2M_CLIENT_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="na">audience</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">MCP_AUDIENCE</span><span class="o">!</span><span class="p">,</span> <span class="c1">// your MCP server's audience</span> <span class="na">scope</span><span class="p">:</span> <span class="dl">"</span><span class="s2">users:read data:read</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// only request what this agent needs</span> <span class="p">}),</span> <span class="p">}</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">tokenResponse</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">error</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">tokenResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Token request failed: </span><span class="p">${</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">error</span><span class="p">)}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">access_token</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">tokenResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">return</span> <span class="nx">access_token</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Then use the token in every MCP request</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">callMcpTool</span><span class="p">(</span><span class="nx">tool</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">params</span><span class="p">:</span> <span class="nx">object</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getAgentToken</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">https://mcp.yourapp.com/mcp</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Authorization</span><span class="dl">"</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="c1">// Kinde-issued JWT</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">jsonrpc</span><span class="p">:</span> <span class="dl">"</span><span class="s2">2.0</span><span class="dl">"</span><span class="p">,</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">tools/call</span><span class="dl">"</span><span class="p">,</span> <span class="na">params</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="nx">tool</span><span class="p">,</span> <span class="na">arguments</span><span class="p">:</span> <span class="nx">params</span> <span class="p">},</span> <span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="p">}),</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <p>Note: Tokens issued via client credentials are valid for one hour by default in Kinde. Agents should cache the token and only request a new one when it is close to expiry — not on every tool call. Check the <code>expires_in</code> field in the token response and refresh when there are 60 seconds or fewer remaining.</p> <h2> Step #5: Configure an OpenClaw Skill With Proper Auth </h2> <p>To connect a properly authenticated MCP server to an OpenClaw agent, you configure the skill in <code>openclaw.json</code> with the token endpoint details. Here is what a secure skill configuration looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"plugins"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"entries"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"my-secure-tool"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mcp"</span><span class="p">,</span><span class="w"> </span><span class="nl">"transport"</span><span class="p">:</span><span class="w"> </span><span class="s2">"streamable-http"</span><span class="p">,</span><span class="w"> </span><span class="nl">"url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://mcp.yourapp.com/mcp"</span><span class="p">,</span><span class="w"> </span><span class="nl">"auth"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"oauth2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"flow"</span><span class="p">:</span><span class="w"> </span><span class="s2">"client_credentials"</span><span class="p">,</span><span class="w"> </span><span class="nl">"token_endpoint"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://YOUR_DOMAIN.kinde.com/oauth2/token"</span><span class="p">,</span><span class="w"> </span><span class="nl">"client_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"your_m2m_client_id"</span><span class="p">,</span><span class="w"> </span><span class="nl">"client_secret_env"</span><span class="p">:</span><span class="w"> </span><span class="s2">"MY_TOOL_CLIENT_SECRET"</span><span class="p">,</span><span class="w"> </span><span class="nl">"audience"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://mcp.yourapp.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"scopes"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"users:read"</span><span class="p">,</span><span class="w"> </span><span class="s2">"data:read"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Note: <code>client_secret_env</code> points to an environment variable rather than embedding the secret inline — critical for anyone publishing skill configurations or committing them to version control. The secret itself lives in the environment, not in the config file.</p> <p>This configuration gives your agent the specific scopes it needs and nothing more. If someone performs a prompt injection attack via Moltbook and tries to get this agent to call <code>delete_user</code>, the token does not have the <code>users:delete</code> scope — the MCP server rejects the call before it can execute.</p> <h2> Putting It All Together </h2> <p>Here is the complete security architecture you have built:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────┐ │ Kinde │ │ │ │ M2M Application (Agent Identity) │ │ ├── Client ID: m2m_abc123 │ │ ├── Granted scopes: users:read, data:read │ │ └── NOT granted: users:write, users:delete, admin │ │ │ │ JWKS Endpoint: /well-known/jwks.json (public key verification) │ │ Token Endpoint: /oauth2/token (client credentials flow) │ └───────────────────────────────┬─────────────────────────────────┘ │ issues signed JWT (1hr TTL) │ with scopes: users:read data:read ▼ ┌─────────────────────────────────────────────────────────────────┐ │ Agent (OpenClaw) │ │ │ │ Holds JWT in memory (never stored on disk) │ │ Sends: Authorization: Bearer &lt;JWT&gt; on every MCP request │ └───────────────────────────────┬─────────────────────────────────┘ │ HTTPS POST /mcp │ Authorization: Bearer &lt;JWT&gt; ▼ ┌─────────────────────────────────────────────────────────────────┐ │ Secure MCP Server │ │ │ │ 1. authMiddleware: validates JWT signature via JWKS │ │ → checks issuer, audience, expiry │ │ │ │ 2. Per-tool scope check: requireScope("users:read") │ │ → tools/get_user ✓ (scope present) │ │ → tools/delete_user ✗ (scope missing → 401) │ │ │ │ 3. Audit log: agent ID, tool called, timestamp │ └─────────────────────────────────────────────────────────────────┘ </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fus3n8mdjusy3hbcep5xw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fus3n8mdjusy3hbcep5xw.png" alt="Clean visual version of the ASCII architecture above — showing Kinde (auth layer) on the left, Agent (OpenClaw) in the middle, Secure MCP Server on the right. Arrows show the token flow. The scope check at the tool boundary is highlighted." width="800" height="274"></a></p> <p>The security properties you now have that OpenClaw's default Skills did not:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Property</th> <th>Insecure MCP (OpenClaw default)</th> <th>Secure MCP (with Kinde)</th> </tr> </thead> <tbody> <tr> <td><strong>Agent identity</strong></td> <td>Anonymous / shared API key</td> <td>Cryptographic JWT (<code>sub</code> claim = M2M app ID)</td> </tr> <tr> <td><strong>Token forgability</strong></td> <td>API key can be shared/leaked</td> <td>RS256 JWT signed by Kinde — cannot be forged</td> </tr> <tr> <td><strong>Tool-level permissions</strong></td> <td>All tools accessible to all callers</td> <td>Per-tool scope enforcement</td> </tr> <tr> <td><strong>Prompt injection blast radius</strong></td> <td>Agent can call any tool if injected</td> <td>Injected instruction can only call scoped tools</td> </tr> <tr> <td><strong>Token expiry</strong></td> <td>API keys never expire</td> <td>1-hour TTL — breach window is bounded</td> </tr> <tr> <td><strong>Revocation</strong></td> <td>Must rotate key for all agents</td> <td>Revoke one M2M app, others unaffected</td> </tr> <tr> <td><strong>Audit trail</strong></td> <td>None</td> <td>Agent ID + scope logged on every tool call</td> </tr> </tbody> </table></div> <h2> Testing Your Security Layer </h2> <p>Before deploying, verify these four scenarios:</p> <p><strong>Test 1 — Valid token, allowed scope.</strong> Call <code>get_user</code> with a token that has <code>users:read</code>. You should receive the user data. This confirms the happy path works.</p> <p><strong>Test 2 — Valid token, insufficient scope.</strong> Call <code>delete_user</code> with a token that only has <code>users:read</code>. You should receive a 401 with a message like "Insufficient permissions. Required: users:delete." This confirms scope enforcement works.</p> <p><strong>Test 3 — Expired token.</strong> Manually modify the <code>exp</code> claim of a token or wait for it to expire, then attempt a call. You should receive a 401 with a JWT expiry error. This confirms token lifecycle enforcement works.</p> <p><strong>Test 4 — Wrong audience.</strong> Use a token issued for a different API (different <code>aud</code> claim) and attempt a call to your MCP server. You should receive a 401 with an audience mismatch error. This confirms that token passthrough attacks are blocked.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test 2 example — calling a tool without the required scope</span> curl <span class="nt">-X</span> POST https://your-mcp-server.com/mcp <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$READ_ONLY_TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{ "jsonrpc": "2.0", "method": "tools/call", "params": { "name": "delete_user", "arguments": { "user_id": "usr_123", "reason": "Test deletion attempt" } }, "id": 1 }'</span> <span class="c"># Expected response:</span> <span class="c"># HTTP 401 Unauthorized</span> <span class="c"># { "error": "unauthorized", "message": "Insufficient permissions. Required: users:delete. Token has: users:read" }</span> </code></pre> </div> <p>Amazing! Your MCP server is now hardened against the attack patterns that took down OpenClaw deployments and turned Moltbook into a security incident.</p> <h2> Conclusion </h2> <p>In this article, you built a secure MCP server with scoped, tool-level authentication — the approach that the OpenClaw and Moltbook incidents showed was critically missing from most agentic AI deployments. Your server now knows who every connecting agent is, what they are allowed to do, and rejects anything outside those boundaries at the tool boundary before execution.</p> <p>The key insight from Kinde's own MCP server — shipped in January 2026 as a working reference implementation — is that security for AI agents is not fundamentally different from security for any other kind of software. M2M identities, scoped tokens, short TTLs, and JWT validation are not new concepts. What is new is applying them consistently to MCP servers, which the ecosystem has been slow to do.</p> <p>Agentic AI is not going away. OpenClaw proved that. The question is whether the infrastructure it runs on is built securely. That starts with the MCP server you control.</p> <p><a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=9&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde is free</a> for up to 10,500 monthly active users, no credit card required. Create your account at <a href="https://kinde.com" rel="noopener noreferrer">kinde.com</a> and start treating your agents as the production infrastructure they are.</p> kinde ai mcp agents Shola Jegede Sat, 21 Mar 2026 23:40:03 +0000 https://forem.com/sholajegede/stop-treating-ai-agents-like-users-why-your-auth-model-needs-a-new-layer-for-non-human-identities-57ni https://forem.com/sholajegede/stop-treating-ai-agents-like-users-why-your-auth-model-needs-a-new-layer-for-non-human-identities-57ni <p><em>Your auth system was built for humans. AI agents are not humans. Something has to give.</em></p> <p>In this article, you will learn:</p> <ul> <li>Why the traditional user auth model breaks down for AI agents</li> <li>What non-human identities are and why they need their own auth layer</li> <li>The difference between global and org-scoped machine identity</li> <li>How the OAuth 2.0 client credentials flow works for non-human callers</li> <li>How to use Kinde M2M applications to authenticate AI agents properly</li> <li>How to scope agent access to a specific tenant using org-scoped M2M apps</li> <li>The biggest security mistakes developers make when adding agent auth and how to avoid them</li> </ul> <p>Let's dive in!</p> <h2> The Problem Nobody Warned You About </h2> <p>You shipped auth. Users can sign up, sign in, and get sessions. You followed the OAuth flow, you set up JWTs, you protected your routes. Everything works.</p> <p>Then someone on your team says: "We're adding an AI agent that acts on behalf of users."</p> <p>And suddenly you have a question your auth system was never designed to answer: how do you authenticate something that has no browser, no session, no email address, and no ability to type in a password?</p> <p>The lazy answer is to create a fake user account for the agent. Give it an email like <code>agent@yourapp.com</code>, hand it a password, and call it done. It works — until it becomes a security nightmare. You have an account with full user-level access, no MFA, credentials that never rotate, and no audit trail that distinguishes what the agent did from what a real user did. That is not an auth model. That is a ticking clock.</p> <p>The real answer is that AI agents are not users. They are non-human identities. They need their own authentication layer, their own token type, their own scopes, and their own access boundaries. And in 2026, with AI agents becoming a core part of SaaS products, getting this right is no longer optional.</p> <p>Here is what that looks like in practice, and how <a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=8&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde's M2M</a> application system handles it properly.</p> <h2> What Is a Non-Human Identity? </h2> <p>A non-human identity (NHI) is any software principal that needs to authenticate and call APIs without a human being directly involved in the auth flow. In the context of modern SaaS products, non-human identities include things like backend services, CI/CD pipelines, scheduled jobs, microservices, and — increasingly — AI agents.</p> <p>What all of these have in common is that they cannot participate in an interactive auth flow. There is no redirect. There is no browser. There is no one sitting at a keyboard to enter a verification code. A human auth flow is fundamentally the wrong tool for the job.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flmyuynfucw7qvduzu2pm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flmyuynfucw7qvduzu2pm.png" alt="Side-by-side comparison — Human auth flow (Browser → Login page → Redirect → Token) vs Non-human auth flow (Service → Token endpoint → Token)." width="800" height="622"></a></p> <p>The problem is that most auth systems — and most developer mental models — were built around human identities first. Non-human auth was bolted on later, often improperly, as an afterthought.</p> <h2> Why the Fake User Approach Fails </h2> <p>Before getting into the right solution, it is worth being specific about why the fake user workaround is dangerous. These are not theoretical risks.</p> <p><strong>Over-permissioned by default.</strong> A user account typically has all the permissions of a regular user. For an AI agent that only needs to read data from one endpoint and write to another, that is massive over-permission. Least-privilege is the foundational principle of access control, and fake user accounts violate it immediately.</p> <p><strong>No credential rotation.</strong> User passwords are designed to be long-lived and human-memorable. They are not designed to be rotated on a schedule the way service credentials should be. In practice, the fake user's password never changes, which means a leaked credential is a permanent breach.</p> <p><strong>No audit trail separation.</strong> When an agent operating as <code>agent@yourapp.com</code> makes a write operation, your logs show a user action. You cannot distinguish agent activity from human activity. Debugging becomes a nightmare, compliance becomes impossible, and incident response becomes guesswork.</p> <p><strong>Sessions and cookies do not make sense.</strong> User auth produces sessions tied to browsers. Agents do not have browsers. They do not maintain state across requests the same way users do. Forcing them through a session-based flow creates fragile plumbing that breaks under load or on token expiry.</p> <p><strong>MFA breaks the whole thing.</strong> If you ever enforce MFA for user accounts — and you should — your fake agent account will be locked out the moment MFA is required. Either you exempt it, which creates a security hole, or you break your automation.</p> <h2> The Right Mental Model: Machine-to-Machine Authentication </h2> <p>The correct solution has existed in the OAuth 2.0 specification for years. It is called the client credentials flow, and it is specifically designed for non-human identities authenticating without user involvement.</p> <p>Instead of a user logging in with credentials, a machine authenticates using a <code>client_id</code> and <code>client_secret</code>. It sends those credentials directly to the token endpoint and receives an access token in return. No redirects. No browser. No session. Just a token that the machine can use to call APIs on its own behalf.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff75bm6e0z1f9zgqnluda.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff75bm6e0z1f9zgqnluda.png" alt="Client credentials flow — Machine sends client_id + client_secret to Token endpoint → receives Access Token → calls API with Bearer token." width="800" height="293"></a></p> <p>The access token issued through the client credentials flow is structurally different from a user token. It does not have a <code>sub</code> claim representing a user. It does not expire into a refresh token cycle the way user sessions do. It is scoped to the capabilities of the machine application, not the permissions of a specific person. This distinction is crucial.</p> <p>In Kinde, this pattern is implemented through <strong>M2M applications</strong> — Machine-to-Machine applications. An M2M application is a registered identity in Kinde with its own <code>client_id</code> and <code>client_secret</code>, its own set of API scopes, and its own token. It is the right primitive for any non-human caller: a CI/CD pipeline, a backend service, an automation script, or an AI agent.</p> <h2> Two Types of Machine Identity in Kinde </h2> <p><a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=8&amp;device=&amp;adposition=" rel="noopener noreferrer">Kinde</a> supports two types of M2M applications, and understanding the difference is important for building the right auth model for your product.</p> <h3> Global M2M Applications </h3> <p>A global M2M application is not tied to any specific organization in your Kinde setup. It operates across your entire tenant space. This makes it suitable for internal tooling, admin automation, infrastructure scripts, and anything that needs to operate at the system level rather than within a specific customer's context.</p> <p>A typical use case is a CI/CD pipeline that needs to call the Kinde Management API to create users, update flags, or deploy configuration changes across all of your organizations. It does not need to be scoped to one tenant — it needs cross-tenant access, and a global M2M app provides exactly that.</p> <h3> Org-Scoped M2M Applications </h3> <p>An org-scoped M2M application is tied to a specific organization — a specific tenant — in your Kinde setup. Tokens issued to this app automatically include the <code>org_code</code> claim, which enforces that all API calls made by this machine identity are restricted to that organization's context.</p> <p>This is the right pattern for AI agents acting on behalf of a specific customer. If Acme Corp has an AI agent that reads their data, writes to their workspace, and takes actions in their context, that agent should not have any access to the data or context of Beta Inc. Org-scoped M2M applications enforce this boundary at the token level — before your API even has to think about it.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhnmksyvij8wb7mb2tw0c.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhnmksyvij8wb7mb2tw0c.png" alt="Two-column comparison — Global M2M (one key, access to all orgs, used for admin/infra) vs Org-scoped M2M (one key per org, access locked to org_code, used for per-tenant agents)." width="800" height="633"></a></p> <p>Note: Org-scoped M2M applications are available on the Kinde Plus and Kinde Scale plans.</p> <h2> Global vs Org-Scoped M2M: At a Glance </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Global M2M App</th> <th>Org-Scoped M2M App</th> </tr> </thead> <tbody> <tr> <td>Org context in token</td> <td>No</td> <td>Yes (<code>org_code</code> claim)</td> </tr> <tr> <td>Tenant data isolation</td> <td>Manual (your API must enforce it)</td> <td>Enforced at token issuance</td> </tr> <tr> <td>Best for</td> <td>Admin scripts, internal automation, infra</td> <td>Per-tenant AI agents, scoped APIs</td> </tr> <tr> <td>Token restrictions</td> <td>None</td> <td>Scoped to one organization</td> </tr> <tr> <td>Credential rotation</td> <td>Manual, in Kinde dashboard</td> <td>Manual, in Kinde dashboard</td> </tr> <tr> <td>Available on</td> <td>All plans</td> <td>Kinde Plus and Scale</td> </tr> </tbody> </table></div> <h2> How the Client Credentials Flow Works in Kinde </h2> <p>When an M2M application needs to call an API, it follows the OAuth 2.0 client credentials flow. Here is exactly what that looks like in code.</p> <h3> Step #1: Request a Token </h3> <p>The machine application sends a <code>POST</code> request to your Kinde domain's token endpoint. It authenticates with its <code>client_id</code> and <code>client_secret</code> and requests the scopes it needs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">--request</span> POST <span class="se">\</span> <span class="nt">--url</span> https://YOUR_KINDE_DOMAIN.kinde.com/oauth2/token <span class="se">\</span> <span class="nt">--header</span> <span class="s1">'Content-Type: application/x-www-form-urlencoded'</span> <span class="se">\</span> <span class="nt">--data</span> <span class="nv">grant_type</span><span class="o">=</span>client_credentials <span class="se">\</span> <span class="nt">--data</span> <span class="nv">client_id</span><span class="o">=</span>YOUR_M2M_CLIENT_ID <span class="se">\</span> <span class="nt">--data</span> <span class="nv">client_secret</span><span class="o">=</span>YOUR_M2M_CLIENT_SECRET <span class="se">\</span> <span class="nt">--data</span> <span class="nv">audience</span><span class="o">=</span>https://YOUR_KINDE_DOMAIN.kinde.com/api <span class="se">\</span> <span class="nt">--data</span> <span class="nv">scope</span><span class="o">=</span><span class="nb">read</span>:users write:flags </code></pre> </div> <p>Note: Replace <code>YOUR_KINDE_DOMAIN</code>, <code>YOUR_M2M_CLIENT_ID</code>, and <code>YOUR_M2M_CLIENT_SECRET</code> with the values from your Kinde dashboard.</p> <h3> Step #2: Receive the Access Token </h3> <p>Kinde responds with an access token:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"access_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"token_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"bearer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"expires_in"</span><span class="p">:</span><span class="w"> </span><span class="mi">86400</span><span class="p">,</span><span class="w"> </span><span class="nl">"scope"</span><span class="p">:</span><span class="w"> </span><span class="s2">"read:users write:flags"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>For an org-scoped M2M app, the decoded token payload will also include the <code>org_code</code> claim:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://YOUR_KINDE_DOMAIN.kinde.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"YOUR_M2M_CLIENT_ID"</span><span class="p">,</span><span class="w"> </span><span class="nl">"aud"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"https://YOUR_KINDE_DOMAIN.kinde.com/api"</span><span class="p">],</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1234567890</span><span class="p">,</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">1234567890</span><span class="p">,</span><span class="w"> </span><span class="nl">"scope"</span><span class="p">:</span><span class="w"> </span><span class="s2">"read:users write:flags"</span><span class="p">,</span><span class="w"> </span><span class="nl">"org_code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"org_abc123"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The <code>org_code</code> claim is embedded at token issuance time and cannot be modified. Your API can trust it completely.</p> <h3> Step #3: Call Your API with the Token </h3> <p>The agent uses the access token as a Bearer token in subsequent API calls:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Node.js example — calling your API as an M2M client</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">https://api.yourapp.com/v1/users</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">GET</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="c1">// pass the M2M token as a Bearer token</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">accessToken</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> </code></pre> </div> <h3> Step #4: Verify the Token on Your API </h3> <p>Your API receives the token and verifies it. For an org-scoped M2M app, you can trust the <code>org_code</code> claim directly from the verified token to enforce tenant isolation without any additional lookup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Express.js middleware — verifying and using the org_code from an M2M token</span> <span class="k">import</span> <span class="nx">jwt</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">jsonwebtoken</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">jwksClient</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">jwks-rsa</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="nf">jwksClient</span><span class="p">({</span> <span class="na">jwksUri</span><span class="p">:</span> <span class="s2">`https://YOUR_KINDE_DOMAIN.kinde.com/.well-known/jwks.json`</span><span class="p">,</span> <span class="p">});</span> <span class="kd">function</span> <span class="nf">getKey</span><span class="p">(</span><span class="nx">header</span><span class="p">,</span> <span class="nx">callback</span><span class="p">)</span> <span class="p">{</span> <span class="nx">client</span><span class="p">.</span><span class="nf">getSigningKey</span><span class="p">(</span><span class="nx">header</span><span class="p">.</span><span class="nx">kid</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">key</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">signingKey</span> <span class="o">=</span> <span class="nx">key</span><span class="p">.</span><span class="nf">getPublicKey</span><span class="p">();</span> <span class="nf">callback</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="nx">signingKey</span><span class="p">);</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">verifyM2MToken</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">authHeader</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">"</span><span class="s2">authorization</span><span class="dl">"</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">authHeader</span> <span class="o">&amp;&amp;</span> <span class="nx">authHeader</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">"</span><span class="s2"> </span><span class="dl">"</span><span class="p">)[</span><span class="mi">1</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">No token provided</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span> <span class="nx">token</span><span class="p">,</span> <span class="nx">getKey</span><span class="p">,</span> <span class="p">{</span> <span class="na">audience</span><span class="p">:</span> <span class="dl">"</span><span class="s2">https://YOUR_KINDE_DOMAIN.kinde.com/api</span><span class="dl">"</span><span class="p">,</span> <span class="na">issuer</span><span class="p">:</span> <span class="dl">"</span><span class="s2">https://YOUR_KINDE_DOMAIN.kinde.com</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">decoded</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid token</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// org_code is now trusted and available — no additional lookup needed</span> <span class="nx">req</span><span class="p">.</span><span class="nx">orgCode</span> <span class="o">=</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">org_code</span><span class="p">;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">scopes</span> <span class="o">=</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">scope</span> <span class="p">?</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">scope</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">"</span><span class="s2"> </span><span class="dl">"</span><span class="p">)</span> <span class="p">:</span> <span class="p">[];</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Use in a route to enforce org isolation</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/v1/users</span><span class="dl">"</span><span class="p">,</span> <span class="nx">verifyM2MToken</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// All queries are automatically scoped to this organization</span> <span class="kd">const</span> <span class="nx">users</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">users</span><span class="p">.</span><span class="nf">findAll</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">org_code</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">orgCode</span> <span class="p">},</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">users</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>Wonderful! Your API now enforces tenant isolation based entirely on what is in the verified token — no additional queries, no custom middleware logic, no trust-but-verify gymnastics.</p> <h2> Setting Up an M2M Application in Kinde </h2> <h3> Creating a Global M2M Application </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuu3p7j0eqodelb82nzpy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuu3p7j0eqodelb82nzpy.png" alt="Kinde dashboard — Settings &gt; Applications &gt; Add application, with " width="800" height="502"></a></p> <ol> <li>In your Kinde dashboard, navigate to <strong>Settings</strong> → <strong>Applications</strong>.</li> <li>Select <strong>Add application</strong>.</li> <li>Give your application a name — something descriptive like <code>"Reporting Pipeline"</code> or <code>"Internal Automation Agent"</code>.</li> <li>Select <strong>Machine to machine</strong> as the application type.</li> <li>Select <strong>Save</strong>.</li> </ol> <p>Kinde generates a <code>client_id</code> and <code>client_secret</code> for your new application. Save the secret immediately — it is only shown once.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F25bv0wpxpouym3w9geh1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F25bv0wpxpouym3w9geh1.png" alt="The newly created M2M application's detail page in Kinde, showing the client_id and client_secret fields with the " width="800" height="502"></a></p> <h3> Assigning Scopes to the M2M Application </h3> <p>Before your M2M application can call any API, you need to assign the scopes it is permitted to request. Scopes define the boundaries of what the token can do.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffjn8nbg9vltkvny6xgv0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffjn8nbg9vltkvny6xgv0.png" alt="M2M application detail page — the " width="800" height="502"></a></p> <p>Navigate to the <strong>APIs</strong> section of your M2M application and select the APIs the application needs access to. For each API, choose only the scopes genuinely required by the agent. A reporting agent that only reads data should have <code>read:reports</code>, not <code>write:reports</code> or <code>delete:reports</code>. Least privilege applies here just as much as it does for users.</p> <h3> Creating an Org-Scoped M2M Application </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F186czcebzvmcjsotba3p.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F186czcebzvmcjsotba3p.png" alt="Kinde dashboard — Organizations &gt; [specific org] &gt; M2M apps tab, showing the " width="800" height="502"></a></p> <ol> <li>In your Kinde dashboard, navigate to <strong>Organizations</strong>.</li> <li>Select the organization you want to scope the M2M app to.</li> <li>Select the <strong>M2M apps</strong> tab.</li> <li>Enter a name for the application — for example, <code>"Acme Corp AI Agent"</code>.</li> <li>Select <strong>M2M application</strong> as the type.</li> <li>Select <strong>Save</strong>.</li> </ol> <p>Kinde generates a <code>client_id</code> and <code>client_secret</code> tied specifically to that organization. Tokens issued with these credentials will automatically include the <code>org_code</code> claim set to that organization's code.</p> <h2> A Real-World Scenario: Per-Tenant AI Agent </h2> <p>Here is a concrete scenario to make this tangible. You are building a B2B SaaS product with an AI feature that automatically summarizes activity for each customer's workspace. The agent needs to read data from your API, process it, and write a summary back.</p> <p>Without org-scoped M2M, your agent either has global access (dangerous) or you build custom tenant-checking middleware on every endpoint (fragile). With org-scoped M2M in Kinde, each customer's agent gets its own set of credentials that are cryptographically tied to their organization. The token tells your API exactly which tenant it belongs to, and your API can trust that claim without any additional work.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsu20mz2qcim9by2z2g28.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsu20mz2qcim9by2z2g28.png" alt="Multi-tenant agent architecture — three organization boxes (Acme Corp, Beta Inc, Gamma Ltd), each with their own M2M credentials, each token carrying org_code, all hitting the same API endpoint which enforces isolation based on org_code from the token. No cross-org access possible" width="800" height="332"></a></p> <p>The full flow for this scenario looks like:</p> <ol> <li>On onboarding, create an org-scoped M2M application for the new customer's organization in Kinde.</li> <li>Store the <code>client_id</code> and <code>client_secret</code> securely (environment variables, secrets manager, etc.).</li> <li>When the agent needs to act, it requests a token using the client credentials flow.</li> <li>It calls your API with the token as a Bearer header.</li> <li>Your API verifies the token, extracts <code>org_code</code>, and scopes all database queries to that organization.</li> <li>The agent can never access another tenant's data, even if its credentials were somehow leaked — because the token itself is bound to one org.</li> </ol> <h2> What About Kinde's MCP Server? </h2> <p>In January 2026, Kinde shipped an MCP (Model Context Protocol) server. This lets AI agents and AI tools connect to Kinde directly using the MCP protocol — which is rapidly becoming the standard interface for AI-to-tool communication.</p> <p>What this means in practice is that AI agents using MCP-compatible frameworks (like Claude Code, Cursor, or any agent built on an MCP client library) can interact with Kinde's management capabilities — creating users, managing organizations, checking permissions, and more — through a standardized tool interface rather than raw API calls.</p> <p>For teams building AI-native products, this is a big deal. Instead of writing custom integration code to give your agent access to Kinde's capabilities, you can connect it via the MCP server and let it use those capabilities as native tools.</p> <p>The MCP server and M2M applications complement each other. M2M handles the authentication layer — proving the agent's identity and authorizing its access. The MCP server handles the interface layer — giving the agent a structured way to use Kinde's functionality once it is authenticated.</p> <h2> Security Best Practices for M2M Auth </h2> <p>There are a few principles that are non-negotiable when running machine identities in production.</p> <p><strong>One M2M application per service.</strong> Do not share credentials across multiple agents or services. If one service is compromised, its credentials can be revoked without affecting anything else. Shared credentials mean shared blast radius.</p> <p><strong>Minimum necessary scopes.</strong> Every M2M application should be granted only the scopes it genuinely needs to do its job. An agent that reads data should not have write access. An agent that writes to one resource should not have write access to all resources. Define your API scopes granularly and assign them carefully.</p> <p><strong>Rotate client secrets on a schedule.</strong> Client secrets are long-lived credentials and they should be rotated periodically. Kinde provides secret rotation directly in the dashboard. Build secret rotation into your operational runbook and do not treat it as optional.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffda8ldjtvt3wnvj9isky.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffda8ldjtvt3wnvj9isky.png" alt="Kinde dashboard — Application details page showing the " width="800" height="502"></a></p> <p><strong>Never put client secrets in client-side code.</strong> M2M credentials authenticate a service, not a user. They must live server-side — in environment variables, in a secrets manager, in a secure deployment config. Putting them anywhere that gets shipped to a browser is an immediate credential leak.</p> <p><strong>Track <code>client_id</code> and <code>org_code</code> in your logs.</strong> When an M2M token is used to call your API, log the <code>client_id</code> alongside the <code>org_code</code>. This gives you a clean audit trail that distinguishes what each agent did, in which tenant's context, at what time. When something goes wrong — and eventually something will — this makes debugging and incident response dramatically faster.</p> <p><strong>Token expiry is your friend.</strong> M2M tokens expire. Do not try to cache them indefinitely. Let them expire and re-request as needed. Short expiry windows limit the blast radius of a leaked token significantly. Kinde issues M2M tokens with configurable expiry — keep it as short as your use case allows.</p> <h2> Conclusion </h2> <p>In this article, you learned why the traditional user auth model breaks down for AI agents, what non-human identities are and why they need their own auth layer, and how the OAuth 2.0 client credentials flow provides the right foundation for machine authentication. You also saw how Kinde's M2M applications implement this properly — with global apps for internal tooling and org-scoped apps for per-tenant AI agents that enforce isolation at the token level.</p> <p>The shift to AI-native products is not slowing down. Every SaaS product built in 2026 is adding or planning to add agent capabilities. The teams that get non-human identity right from the beginning are the ones that avoid the security incidents, the audit nightmares, and the architectural rewrites that come from bolting fake user accounts onto a system that was never designed for them.</p> <p>Kinde gives you the primitives to do this properly from day one. <a href="https://kinde.com?utm_source=devto&amp;utm_medium=content&amp;utm_campaign=shola&amp;campaignid=chatgptapp&amp;network=&amp;adgroup=&amp;keyword=&amp;matchtype=&amp;creative=8&amp;device=&amp;adposition=" rel="noopener noreferrer">Create a free Kinde account</a> and start building your M2M auth layer today.</p> webdev kinde ai auth