Server-First SaaS Checklist
A practical checklist for building a B2B SaaS product with server-enforced auth, RBAC, and feature limits.
Use this checklist before you start adding product features.
Authentication on the server
Resolve sessions in server components, route handlers, and server actions. The client can reflect auth state for UX, but it should not decide access.
Role checks in one place
Centralize role checks in shared utilities and enforce them with route-level guards:
- requireAuth()
- requireRole(...)
- requireAdmin()
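One way to implement the three guards above, as an added example that is not the page's own code: the Session shape, the role names and the AuthError class are assumptions, and the guards take an already-resolved session so the logic is testable outside a framework (in a real app the session would be loaded on the server, in the route handler or server action, right before calling the guard).

```typescript
// Added example (not the project's code). Session, Role and AuthError
// are assumed shapes for illustration.
export type Role = "owner" | "admin" | "member";

export interface Session {
  userId: string;
  orgId: string;
  role: Role;
}

export class AuthError extends Error {
  readonly status: 401 | 403;
  constructor(status: 401 | 403, message: string) {
    super(message);
    this.status = status;
  }
}

// A missing session is a 401, never a "guest" role.
export function requireAuth(session: Session | null | undefined): Session {
  if (!session) throw new AuthError(401, "authentication required");
  return session;
}

// Explicit allow-list of roles. An empty allow-list fails closed
// so a mis-configured call site never grants access by accident.
export function requireRole(
  session: Session | null | undefined,
  ...allowed: Role[]
): Session {
  const s = requireAuth(session);
  if (allowed.length === 0 || !allowed.includes(s.role)) {
    throw new AuthError(403, `one of [${allowed.join(", ")}] required`);
  }
  return s;
}

export function requireAdmin(session: Session | null | undefined): Session {
  return requireRole(session, "owner", "admin");
}

// Usage inside a server-side mutation: the guard runs before any write,
// and the returned session scopes the write to the caller's org.
export function deleteProject(
  session: Session | null | undefined,
  projectId: string
): { deleted: string; orgId: string; by: string } {
  const s = requireAdmin(session);
  // ... perform the delete WHERE org_id = s.orgId ...
  return { deleted: projectId, orgId: s.orgId, by: s.userId };
}
```

Keeping the role set as a closed string union means a typo in a call site (`requireRole(s, "admn")`) is a compile error rather than a silent 403 in production.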
RLS as the data safety net
Server checks and RLS solve different problems:
- server checks control who can execute a flow
- RLS controls which rows can be read or changed
You need both in production.
Billing gates before mutations
Subscription state should be resolved on the server and checked before writes. Read-only mode is a product requirement, not just a UI badge.
Feature limits
Treat feature limits as server-side policy. Track usage in the database, resolve plan limits by plan slug, and fail closed when configuration is missing.
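The billing gate and the feature limit from the last two items, combined in one server-side check that runs before the write. This is an added example, not the page's own code: the plan slugs, the subscription statuses, the limit table and the in-memory usage counter are constructed stand-ins for the database rows a real deployment would read.

```typescript
// Added example (not the project's code). PlanSlug, Subscription,
// PLAN_LIMITS and UsageStore are constructed for illustration.
export type PlanSlug = "free" | "pro";
export type SubscriptionStatus = "active" | "trialing" | "past_due" | "canceled";

export interface Subscription {
  planSlug: string; // string, not PlanSlug: the stored value may be stale or unknown
  status: SubscriptionStatus;
}

// Plan limits keyed by plan slug. Slugs not listed here are unknown.
const PLAN_LIMITS: Record<PlanSlug, { projects: number }> = {
  free: { projects: 3 },
  pro: { projects: 50 },
};

export class GateError extends Error {
  readonly code: "read_only" | "limit_reached" | "unknown_plan";
  constructor(code: "read_only" | "limit_reached" | "unknown_plan", message: string) {
    super(message);
    this.code = code;
  }
}

// Read-only mode: only an active or trialing subscription may write.
// The assertion signature narrows `sub` for the caller on success.
export function assertCanWrite(sub: Subscription | null): asserts sub is Subscription {
  if (!sub || (sub.status !== "active" && sub.status !== "trialing")) {
    throw new GateError("read_only", "workspace is read-only");
  }
}

// Resolve a limit by plan slug. Missing configuration throws instead of
// silently meaning "unlimited" (fail closed).
export function limitFor(planSlug: string, feature: "projects"): number {
  const table = PLAN_LIMITS as Record<string, { projects: number } | undefined>;
  const limits = table[planSlug];
  if (!limits || typeof limits[feature] !== "number") {
    throw new GateError("unknown_plan", `no limit configured for plan "${planSlug}"`);
  }
  return limits[feature];
}

// Per-org usage counter, standing in for a usage table in the database.
export type UsageStore = Map<string, number>;

// Returns the new usage count after a successful create.
export function createProject(sub: Subscription | null, orgId: string, usage: UsageStore): number {
  assertCanWrite(sub);
  const limit = limitFor(sub.planSlug, "projects");
  const current = usage.get(orgId) ?? 0;
  if (current >= limit) {
    throw new GateError("limit_reached", `plan "${sub.planSlug}" allows ${limit} projects`);
  }
  // In a real implementation the counter update and the insert happen in
  // one transaction (or the count comes from the rows themselves) so two
  // concurrent requests cannot both pass the check at the limit.
  usage.set(orgId, current + 1);
  return current + 1;
}
```

The order matters: the subscription check runs first, so a canceled workspace gets the read-only error rather than a confusing "limit reached", and the plan lookup never runs against a subscription that should not be writing at all.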