Authentication, roles and multi-tenancy
How Blanca's Builder structures authentication, user roles and organizations for SaaS projects.
Authentication in Blanca's Builder is opinionated for a reason: it is the foundation that the rest of the SaaS sits on.
Last updated: 2026-06-28
Supabase Auth
Projects use Supabase Auth with email and password sign-in and OAuth providers. Passwords are bcrypt-hashed by Supabase; Blanca's Builder never sees the plaintext.
Roles in a separate table
Roles are stored in a dedicated `user_roles` table and checked via a security-definer function. Storing roles on the profile row is a known privilege-escalation pattern, because users can usually edit their own profile row, and Blanca's Builder forbids it.
Organizations
Multi-tenant projects use an `organizations` table plus an `organization_members` join table. RLS policies scope every row to the active organization.
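The role check and tenant scoping described in the two sections above, sketched as Postgres SQL for a Supabase project. This is an added example, not Blanca's Builder's own schema: only the three table names come from the page, and every other name is an assumption. It treats membership in an organization as the scoping rule, because the page does not say how the active organization is selected.

```sql
-- Added example. Only user_roles, organizations and organization_members are named on
-- the page; every column, type, function and policy name here is an assumption.
create type public.app_role as enum ('admin', 'member');
create table public.user_roles (
  user_id uuid not null references auth.users (id) on delete cascade,
  role    public.app_role not null,
  primary key (user_id, role)
);
alter table public.user_roles enable row level security;
-- SECURITY DEFINER runs as the function owner, so policies can call it without
-- recursing into RLS on user_roles. The empty search_path forces qualified names.
create function public.has_role(_user_id uuid, _role public.app_role)
returns boolean language sql stable security definer set search_path = ''
as $$
  select exists (select 1 from public.user_roles
                 where user_id = _user_id and role = _role);
$$;
-- Select only: with no insert/update/delete policy, a signed-in user cannot grant
-- themselves a role, which is the risk when the role sits on an editable profile row.
create policy "read own roles or admin" on public.user_roles for select to authenticated
  using (user_id = auth.uid() or public.has_role(auth.uid(), 'admin'));

create table public.organizations (
  id uuid primary key default gen_random_uuid(), name text not null
);
create table public.organization_members (
  organization_id uuid not null references public.organizations (id) on delete cascade,
  user_id uuid not null references auth.users (id) on delete cascade,
  primary key (organization_id, user_id)
);
alter table public.organizations enable row level security;
alter table public.organization_members enable row level security;
create function public.is_org_member(_org_id uuid)
returns boolean language sql stable security definer set search_path = ''
as $$
  select exists (select 1 from public.organization_members
                 where organization_id = _org_id and user_id = auth.uid());
$$;
-- Hypothetical tenant-owned table: each row carries its organization_id.
create table public.invoices (
  id uuid primary key default gen_random_uuid(),
  organization_id uuid not null references public.organizations (id),
  amount_cents bigint not null
);
alter table public.invoices enable row level security;
create policy "tenant isolation" on public.invoices for all to authenticated
  using (public.is_org_member(organization_id))
  with check (public.is_org_member(organization_id));
```

The `with check` clause matters as much as `using`: without it, a member of one organization could insert or move a row into another organization's `organization_id`.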
Staff is separate
Internal staff accounts are completely separated from customer accounts and never appear in business metrics.
Canonical: https://blancasbuilder.com/knowledge/saas-projects/auth-and-roles · Blanca's Builder