A modern SaaS platform where production posture is the architecture — not a launch-day scramble.
Most early-stage SaaS products bolt on auth, billing, and observability the week before launch and pay for it for years. This reference implementation inverts the order: a multi-tier subscription product with Stripe-webhook-driven state, RS256 JWT, real-time SSE streaming, and tier-gated feature flags built into the request layer — so the production posture ships on day one. The live showcase is ElderAgent, a multi-tier AI product running this stack at elder-agent.com.
Generic platforms slow you down. Hand-rolled stacks ship without guardrails.
Fast to a prototype, expensive to escape
Auth, database, and storage in one console get you to a demo in a weekend. By the time you need a per-tier feature flag in the request layer, a webhook-driven subscription state machine, or a row-level-security policy that actually composes with your queries, you are either paying enterprise pricing or rebuilding the platform's primitives inside their walled garden.
Auth, billing, and observability rebuilt from scratch every time
Day-one auth is a 50-line JWT helper. By the time you ship the second tier, the third webhook event, and the fourth rate-limit edge case, the surface area has outgrown its hand-rolled foundation. Most teams discover this in production, after a refund storm or a billing reconciliation incident that nobody designed for.
The production posture is the architecture, not a launch-week sprint. Multi-tier billing is wired to a webhook-driven subscription state machine. Auth is RS256 JWT with refresh rotation and bcrypt cost-12 from day one. Tier-gated feature flags live in the request layer, not in UI conditionals. The platform ships ready for paying customers — not ready for a demo.
A subscription request runs through a tier-aware pipeline. Then the feature responds.
A signed-in user hits a tier-gated endpoint. Three things happen before any business logic runs — and the same pipeline runs for every paying tier, every feature, every request.
Signed, refreshed, rate-limited
An RS256 JWT (15-minute access, rotating refresh) is verified against the signing key, the user's tier is read from PostgreSQL, and a per-tier rate-limit window is checked in Redis. bcrypt cost-12 protects the password store; every refresh token is single-use, so each refresh issues a new token and invalidates the one just presented.
Tier-gated, billing-aware
The user's current subscription state is the source of truth for which features the request can reach. Stripe-signed webhooks have already written the latest active / past_due / canceled status to PostgreSQL; no card data ever touches the app. Tier-gated feature flags live in the request layer, not in UI conditionals — a downgraded user cannot reach a Pro endpoint by curl.
Streamed, cited, observable
Long-running operations stream back over SSE — research results, generated content, calculation progress — with metadata (citations, events, follow-up suggestions) arriving as separate events the client can render incrementally. Structured logs and per-tier metrics make the request fully observable from JWT verify to final byte.
SSE in under two seconds. Tertullian's On Baptism on the washing from sin[1], Cyprian on grace given in full measure regardless of age[2], and Augustine tying the practice to original sin[3] — every result a real citation, every event a separate SSE frame. The same pipeline gates a Free-tier request to the lighter depth mode without a single UI conditional. Production posture is structural, not bolted on.
A competitor can stand up auth, billing, and a streaming endpoint in a weekend. Composing them so a downgraded user cannot reach a Pro feature, refund storms reconcile themselves, and cost-per-conversation stays predictable as tiers scale is a different exercise — and it is the entire bet.
Multi-tier billing wired to webhook state
Stripe Customer Portal handles upgrade, downgrade, cancel, and dunning. Stripe-signed webhooks drive subscription state into PostgreSQL. No card data ever touches the app — a clean PCI boundary by structure, not by checklist.
Auth hardened on day one
RS256 JWT with rotating refresh tokens, bcrypt cost-12 on the password store, per-tier rate limiting in Redis, and PostgreSQL Row-Level Security for multi-tenant data isolation — wired before the first paying customer, not after the first incident.
Tier-gated feature flags in the request layer
Feature gating lives in middleware against the user's current tier, not in UI conditionals. A downgraded user cannot reach a Pro endpoint by curl. The same flag drives the upsell prompt in the UI and the 402 in the API — single source of truth.
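The request-layer gate described above, as an added example that is not ElderAgent's or the project's code: entitlement is computed from the subscription row the webhook handler last wrote, then the per-tier window is checked. It assumes a subscription row shape, a constructed feature-gate matrix and rate-limit numbers, and an in-memory Map standing in for the Redis window counter.

```typescript
// Added example, not ElderAgent's code: a framework-agnostic tier gate for
// the request layer, driven by the webhook-written subscription row only.
type Tier = "free" | "pro" | "enterprise";
type Status = "active" | "past_due" | "canceled";
export interface Subscription { userId: string; tier: Tier; status: Status }
export interface Decision { allow: boolean; httpStatus: 200 | 402 | 429; reason: string }
// Feature-gate matrix (constructed sample): which tiers may reach each feature.
const FEATURE_TIERS: Record<string, Tier[]> = {
  "research:light": ["free", "pro", "enterprise"],
  "research:deep": ["pro", "enterprise"],
  "export:bulk": ["enterprise"],
};
// Per-tier fixed-window limits (constructed sample values).
const RATE_LIMIT: Record<Tier, { limit: number; windowMs: number }> = {
  free: { limit: 20, windowMs: 60000 },
  pro: { limit: 200, windowMs: 60000 },
  enterprise: { limit: 2000, windowMs: 60000 },
};

// Assumption: only an active subscription grants its tier; past_due and
// canceled fall back to free entitlements, so a downgraded Pro cannot reach
// a Pro endpoint by curl even if the UI has not refreshed yet.
export function effectiveTier(sub: Subscription): Tier {
  return sub.status === "active" ? sub.tier : "free";
}

// In-memory stand-in for the Redis INCR+EXPIRE counter keyed by user and window.
const counters = new Map<string, number>();

export function rateLimited(sub: Subscription, now: number): boolean {
  const tier = effectiveTier(sub);
  const { limit, windowMs } = RATE_LIMIT[tier];
  const key = `${sub.userId}:${tier}:${Math.floor(now / windowMs)}`;
  const count = (counters.get(key) ?? 0) + 1;
  counters.set(key, count);
  return count > limit;
}

// Runs before any business logic on a tier-gated endpoint; deny by default.
export function gate(feature: string, sub: Subscription, now: number = Date.now()): Decision {
  const allowed = FEATURE_TIERS[feature];
  const tier = effectiveTier(sub);
  if (!allowed) return { allow: false, httpStatus: 402, reason: `unknown feature ${feature}` };
  if (!allowed.includes(tier)) {
    return { allow: false, httpStatus: 402, reason: `${feature} requires ${allowed.join("/")}` };
  }
  if (rateLimited(sub, now)) return { allow: false, httpStatus: 429, reason: `${tier} rate limit exceeded` };
  return { allow: true, httpStatus: 200, reason: "ok" };
}
```

The same `Decision` object can drive the 402 in the API and the upsell prompt in the UI, which is what keeps the flag a single source of truth.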
Real-time SSE streaming for any long operation
Research, generation, calculation, progress — anything that takes longer than a snappy round-trip streams back over SSE with metadata events (citations, follow-ups, status) arriving as separate frames. The UX is instant; the cost is bounded.
Stateless API + Redis-shared session state
Horizontally scalable when you need it, cheap until then. Single-host Docker behind nginx on day one; the same image scales out to N replicas behind a load balancer when MRR justifies it — no rewrite, no replatform.
Per-message LLM cost, not per-agent-loop
Cost-per-conversation stays predictable because the model is called per user message, not in an open-ended agent loop. Tier-gated model selection (smaller model for free, larger for paid) keeps unit economics legible at every step of the pricing ladder.
Three engagement tiers — from a one-week scope to an ongoing build.
Every engagement is fixed-price against a written scope. We start small on purpose: a Discovery week usually pays for itself in scope clarity before a line of platform code is written.
- 1–2 weeks of joint work with you and your product lead
- Tier model and feature-gate matrix (Free / Pro / Enterprise or equivalent)
- Billing event catalogue — webhooks, state transitions, edge cases
- Written architecture brief and price quote for the build

- 6–10 week build against the Discovery spec
- Auth (RS256 JWT + refresh rotation + bcrypt cost-12) and Postgres data model
- Stripe Customer Portal + webhook-driven subscription state
- Tier-gated request layer with per-tier rate limiting
- Single-host Docker deployment behind nginx
- SSE streaming layer for long-running operations
- Postgres Row-Level Security for multi-tenant data isolation
- Per-tier feature flags wired into both the API and the UI from one source
- Observability — structured logs, per-tier metrics, billing reconciliation
- Horizontally-scalable architecture (stateless API + Redis-shared session state)

- New tier and feature-gate development as the product grows
- Billing-pipeline evolution — new plans, promo codes, dunning policy
- Observability, performance, and reliability work
- On-call response window for production incidents
The canonical stack we ship — proven in the reference implementation.
- @swc-node/register (no prod build step). Tier-aware request pipeline, SSE streaming endpoints, structured logging.
- Single-host Docker deployment behind nginx on day one; the same image that ships locally runs in production and scales out to N replicas behind a load balancer when MRR justifies it.
- Stateless API plus Redis-shared session state, so horizontal scaling is a config change, not a rewrite.
- Stripe Customer Portal with webhook-driven subscription state; no card data ever touches the app (clean PCI boundary).
- Tier-gated feature flags baked into the request layer, not the UI.
Three fixed phases from a scoping call to a production handoff.
Every build runs through the same gates. The Discovery week de-risks the phases that follow, and the handoff is non-negotiable — you leave with the repo, the billing pipeline, the auth stack, and the deploy story.
Joint scoping with your product lead. We leave Discovery with a tier model, a feature-gate matrix, a billing event catalogue, and a fixed quote for the build.
Auth (RS256 JWT + refresh rotation + bcrypt cost-12), Postgres data model with Row-Level Security, Stripe Customer Portal + webhook state machine, tier-gated request layer, SSE streaming, single-host Docker deploy. The reference implementation reached production through this loop and runs live at elder-agent.com.
Repository transfer, deployment runbook, billing-reconciliation runbook, auth and webhook documentation, and an architecture walkthrough with your engineers. You own the codebase; optional retainer for ongoing tier and feature-gate evolution.
Anywhere a multi-tier SaaS needs production posture from day one.
ElderAgent is one instance of a generalisable pattern. The same architecture — webhook-driven billing, hardened auth, tier-gated request layer, SSE streaming, stateless API — applies wherever a small team has to ship a paid product without a year of platform engineering first.
Need a SaaS platform where the production posture ships on day one?
We build multi-tier SaaS reference implementations for founders and teams who need auth, billing, streaming, and tier-gated features wired as architecture — fixed price, fixed timeline, source-code handoff. Start with a Discovery week; leave with a tier model, a billing event catalogue, and a quote. If you build, you own the repo.