Open source · MIT · Self-hosted

The Enterprise SaaS Shell You Own Outright.

Secure by design. Open source by choice. Yours outright.

The DevResponseKit administrator console.
  • 958 automated tests
  • $0 marginal auth cost
  • 80+ admin console pages
  • 3-tier access control
  • 4 languages

Everything a B2B platform needs

The production layer indie kits never build.

Fork it, own it, ship it. DevResponseKit assembles the multi-tenant foundation most teams spend weeks building — already tested and documented.

Administrator console

More than 80 pages for users, roles, a 30-key permission catalog, organizations, memberships, enterprise apps, email, and audit — with server-side search, filtering, bulk actions, and CSV export.

Three-tier access control

Superadmin, org-admin, and user tiers built on single source-of-truth scope primitives. Out-of-scope lookups return 404, so one tenant can never learn another exists.

Scoped machine API

A versioned /api/v1 with SHA-256-hashed API keys and Ed25519 JWTs verified against a published JWKS. A credential can never exceed its owner's permissions.

Cross-subdomain SSO

Single-use, 60-second nonce JWTs let users move between your apps without signing in again — backed by a registrable-origin allow-list.

Outbox-first email

Every message is recorded in an inspectable, org-scoped outbox before delivery, with pluggable Resend and Mailgun providers and editable per-locale templates.

Localized by default

next-intl with four locales and a persisted per-user preference — every route, message, and email template respects the visitor's language.

Embedded docs viewer

Markdown, Mermaid, and Shiki rendered through an XSS-hardened, sanitize-first pipeline — your documentation ships inside the app.

Security, shipped not described

HTTP security headers, PII-scrubbed observability, timing-safe secret comparison, and a CI test that fails the build if any route skips tenant scoping.

Why DevResponseKit

Clerk- and WorkOS-class identity, self-hosted at zero marginal cost.

Organizations, three-tier RBAC, SSO, API keys, and audit are all built on open-source Better Auth — with no per-user, per-organization, or per-SSO-connection bill to compound as you grow.

Verifiable multi-tenant isolation

Tenancy is enforced at the build gate: a CI test scans every admin route and fails if one touches data without a scope primitive. Isolation becomes a guarantee you can read and run, not take on faith.

Own the code, own the data

Copy-forward source you fork and ship — no framework lock-in and no per-seat runtime fees. Self-hosted on a PostgreSQL database you control.

Tested and documented

744 tests across unit, component, integration, security, end-to-end, and accessibility suites, plus architecture decision records and an embedded documentation site.

Built on a stack your team already runs

Modern, type-safe, no abstraction overhead.

  • Next.js 16
  • React 19
  • TypeScript 5.9
  • PostgreSQL + Kysely
  • Better Auth
  • next-intl
  • Tailwind CSS 4
  • Vitest · Playwright · axe

Fork it. Own it. Ship it.

DevResponseKit is free and open source. Clone the repository and have a secure, multi-tenant, localized B2B platform running in minutes.

github.com/devresponse/devresponsekit

Free and open source under the MIT license.
