
Billing & auth

Billing, auth and payment flows

We set up billing and auth on proven patterns: Stripe with subscriptions, trials and self-service; Auth.js, Clerk or WorkOS with organisations, SSO and roles. Done in weeks, not months.


Built on proven patterns

What we don't build from scratch

  • Stripe: subscription lifecycle and Customer Portal
  • Idempotent: webhooks that never create duplicates
  • SAML/SSO: WorkOS, Clerk Enterprise or Auth.js
  • MFA: TOTP or passkeys where it makes sense

How we think about billing & auth

The kind of thing you only build wrong once.

Billing and auth are the kind of thing you only build wrong once before learning to use existing patterns. Stripe has spent 12 years building the solution for subscriptions, trials, billing and self-service; Auth.js, Clerk and WorkOS have built the solution for organisations, roles and SSO. Our job is to wire them correctly into your product, not to reinvent them.

We build the full billing stack: product catalogue in Stripe, subscription lifecycle, trials, upgrades and downgrades, billing with self-service via the Customer Portal, and webhook handling with idempotency so you never charge twice. On the auth side: organisations, roles, invitations, SSO via Microsoft, Google or Okta, and MFA where it makes sense.

We've set this up for SaaS startups that just needed their first paying customers, and for larger teams that had auth in chaos from day one and needed to clean it up without losing existing users. The pattern is the same: short iterations, close dialogue, and a migration that doesn't wake anyone up at 3am.

What we deliver

Full billing and auth stack on proven patterns.

Subscriptions, Customer Portal, organisations, roles and SSO — built in weeks, not months.

  • Stripe subscriptions and trials

    Product catalogue in Stripe, monthly and yearly billing, free trials with or without a card required, automatic upgrades and downgrades, and pro-rated billing that just works.

  • Webhook handling with idempotency

    We receive Stripe webhooks and process them idempotently — so re-deliveries don't create double charges. With audit logs on every event and dead-letter handling if something fails three times.

  • Customer Portal and self-service

    Stripe Customer Portal embedded in your product so customers can update cards, download invoices, change plans or cancel — without contacting support.

  • Organisations, roles and invitations

    Multi-user SaaS with organisations (workspaces, teams), email-based invitation flow, granular roles (admin, member, billing) and audit logging on sensitive actions.

  • SSO via Microsoft, Google or Okta

    Enterprise SSO via SAML or OIDC built on WorkOS, Clerk Enterprise or your own setup with Auth.js. With just-in-time provisioning and role mapping from IdP groups.

  • MFA, password policies and security

    TOTP or WebAuthn (passkeys) as second factor, password policies that follow NIST 2017+ (not 2003), brute-force protection, and audit logs on login attempts.
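
The webhook handling described in the list above (idempotent processing, an audit entry per event, dead-lettering after three failures) can be sketched as follows. This is an added example, not our production code: `createWebhookProcessor`, `applyEvent`, `demo` and the event ids are hypothetical, the stores are in-memory stand-ins, and it assumes the `Stripe-Signature` header was already verified before `handle` is called.

```javascript
// Added example. In-memory Map/arrays stand in for a database table with a
// unique key on the event id, an audit log and a dead-letter queue.
const MAX_ATTEMPTS = 3; // the "fails three times" threshold from the text
function createWebhookProcessor(applyEvent) {
  const seen = new Map();  // event id -> { status, attempts }
  const auditLog = [];     // one entry per delivery, including duplicates
  const deadLetters = [];  // events parked for manual review
  const audit = (id, outcome, attempt) => auditLog.push({ id, outcome, attempt });

  function handle(event) {
    let rec = seen.get(event.id);
    if (!rec) seen.set(event.id, (rec = { status: "pending", attempts: 0 }));
    // Already settled: acknowledge the re-delivery without repeating side effects.
    if (rec.status !== "pending") {
      audit(event.id, "duplicate", rec.attempts);
      return { httpStatus: 200, outcome: "duplicate" };
    }
    rec.attempts += 1;
    try {
      applyEvent(event); // must be atomic (one transaction) in a real system
      rec.status = "processed";
      audit(event.id, "processed", rec.attempts);
      return { httpStatus: 200, outcome: "processed" };
    } catch (err) {
      if (rec.attempts >= MAX_ATTEMPTS) {
        rec.status = "dead";
        deadLetters.push({ event, error: err.message });
        audit(event.id, "dead-lettered", rec.attempts);
        return { httpStatus: 200, outcome: "dead-lettered" }; // stop sender retries
      }
      audit(event.id, "failed", rec.attempts);
      return { httpStatus: 500, outcome: "retry" }; // non-2xx asks for re-delivery
    }
  }
  return { handle, auditLog, deadLetters };
}

// Constructed sample events; ids are made up.
function demo() {
  const applied = [];
  const p = createWebhookProcessor((e) => {
    if (e.type === "customer.subscription.updated") throw new Error("downstream unavailable");
    applied.push(e.id);
  });
  const paid = { id: "evt_constructed_1", type: "invoice.paid" };
  const bad = { id: "evt_constructed_2", type: "customer.subscription.updated" };
  const outcomes = [paid, paid, bad, bad, bad, bad].map((e) => p.handle(e).outcome);
  return { outcomes, applied, deadLetters: p.deadLetters, auditLog: p.auditLog };
}
```

In a real deployment the duplicate check and the side effect belong in one database transaction keyed on the event id, so two concurrent deliveries of the same event cannot both pass the check.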

Engagement

Two packages — find the one that matches.

We always discuss scope and price privately in discovery — never on a website. These are typical ranges.

  • Our recommendation

    Standard

    3–5 weeks

    Stripe billing with subscriptions, trials and Customer Portal + auth with organisations and roles. For most B2B SaaS.

    • Stripe products and subscription lifecycle
    • Customer Portal embedded in your app
    • Auth with organisations and invitations
    • Roles (admin, member, billing)
    • Webhook handling with idempotency
    • MFA via TOTP or passkeys
  • Enterprise

    5–8 weeks

    The Standard package plus SAML SSO, SCIM, audit logs and custom roles. For SaaS selling to large organisations.

    • Everything in Standard
    • SAML SSO via WorkOS or Clerk Enterprise
    • SCIM provisioning from IdP
    • Just-in-time role mapping
    • Audit logs that are auditable
    • Custom roles and access control

Both packages cover discovery, build, ops setup and 4 weeks of stabilisation after go-live. Operations and ongoing development are agreed separately.

Before you commit

What you should consider first.

  • Auth provider: Auth.js, Clerk or WorkOS

    Auth.js (NextAuth) is free and flexible — good for teams that want to own the code and pay in complexity. Clerk is fast to get started and covers B2C well. WorkOS is built for B2B SaaS and delivers enterprise features (SAML SSO, SCIM, audit logs) without you having to build them. We choose based on where you're going in two years, not what's fastest today.

  • The pricing model is an architecture decision

    Per-seat, per-usage or flat-rate isn't just a marketing decision — it shapes the code. We set up Stripe so the pricing model can be changed in days, not weeks. It matters more to be able to experiment after a month in market than to nail it perfectly on day one.

  • PCI compliance and card data

    Stripe Elements or Checkout ensures you never handle card numbers directly — card data never passes through your servers. That dramatically reduces PCI scope. We design the flow so it stays that way, also when you add custom checkout steps.

  • Data residency for EU customers

    Stripe has EU data residency options for most products. Auth providers vary: Clerk and WorkOS have EU regions, Auth.js can be hosted wherever. We design for EU residency if you have strict requirements, and document the data flow.

FAQ

What people usually ask.

  • How long does it take to set up billing and auth?

    A focused billing and auth setup for a SaaS MVP typically takes 3–5 weeks: Stripe products, subscription lifecycle, Customer Portal, auth with organisations, invitations and roles. If you need enterprise features (SAML SSO, SCIM, custom roles), add 2–4 weeks.

  • Can you add billing to our existing SaaS?

    Yes. We've done it for SaaS products that started with flat-rate or free-only and needed subscriptions added. We design the migration so existing users aren't suddenly charged — typically via grandfathered plans, a communications plan, and a tested rollback. Takes 4–8 weeks depending on how many users and how big the pricing change is.

  • We need SAML SSO for enterprise customers. Can you build it?

    Yes. We typically build it on WorkOS or Clerk Enterprise — it's faster and more robust than building SAML from scratch. If you're already on Auth.js, we can add a SAML strategy via a provider module. Includes just-in-time provisioning, role mapping from IdP groups and audit logging.

  • What happens if Stripe has an incident?

    Stripe itself has high availability, but incidents happen. We design the billing flow so temporary failures don't lock users out (subscription status is cached locally, payment can be retried), webhook handling is idempotent (re-deliveries don't create double charges), and your team can see Stripe-event status in your own monitoring.

  • Can we move from Stripe to another payment provider later?

    It's possible but not trivial — Stripe-specific concepts (Customer Portal, Connect, Tax) don't necessarily exist in other platforms. We design the abstraction so core billing logic is separated from Stripe-specific calls — so in the worst case you can migrate later. But in practice Stripe is the right choice for the vast majority of B2B SaaS in Europe.

Ready to get started?

Let's have a no-pressure conversation.

We'll get back within one business day with concrete input — not a stock proposal.