SaaS on Next.js 16 (App Router) + Postgres (Neon) + Better Auth

Type-checked against the real SDKs, migration applied to a live Postgres, pooling tested — then tracked for upstream drift and re-verified when it moves. How we verify →

What you're getting

• Next.js 16 App Router — file-based routing, server components, and the Edge proxy (Next 16's renamed middleware).
• Postgres on Neon via Drizzle ORM and the postgres-js driver.
• Better Auth — self-hosted auth running inside your app against your Postgres (Drizzle adapter).
• Multi-tenant SaaS — organizations, role-based memberships, plans/subscriptions, and credit metering.

Setup

bun add next react react-dom drizzle-orm postgres better-auth

Environment variables:

• DATABASE_URL — Neon pooled (-pooler) connection string
• BETTER_AUTH_SECRET — generate with `openssl rand -base64 32`
• BETTER_AUTH_URL — your app's base URL

Apply the schema: bunx drizzle-kit push

Initialization

import { drizzle } from "drizzle-orm/postgres-js";
import postgres from "postgres";

// Neon pooled endpoint = PgBouncer transaction mode → prepared statements off.
// ponytail: single module-level client; the serverless runtime + PgBouncer do
// the pooling, so no custom pool/globalThis singleton dance needed.
const client = postgres(process.env.DATABASE_URL!, { prepare: false });

export const db = drizzle({ client });

// Better Auth instance (self-hosted, Next.js 16 (App Router)).
import { betterAuth } from "better-auth";
import { drizzleAdapter } from "better-auth/adapters/drizzle";
// Reuse the SAME postgres-js/Drizzle client the db slice exported in
// src/lib/db.ts — Better Auth shares the pooled `DATABASE_URL` connection.
import { db } from "./db";

export const auth = betterAuth({
  // Drizzle adapter over the shared client; provider "pg" => Postgres DDL
  // for Better Auth's own user/session/account/verification tables.
  database: drizzleAdapter(db, { provider: "pg" }),
  // ponytail: email+password is the shortest real auth that works out of
  // the box — add socialProviders / plugins here when the app needs them.
  emailAndPassword: { enabled: true },
  secret: process.env.BETTER_AUTH_SECRET,
  baseURL: process.env.BETTER_AUTH_URL,
});

export type Session = typeof auth.$Infer.Session;

// Mount Better Auth on Next's route layer.
import { toNextJsHandler } from "better-auth/next-js";
import { auth } from "@/lib/auth";

export const { GET, POST } = toNextJsHandler(auth);

// Session-protection proxy for Next.js 16 (App Router) (Next 16 renamed middleware.ts → proxy.ts).
// ponytail: getSessionCookie only checks the cookie EXISTS (no DB hit at
// the Edge runtime) — do the real auth.api.getSession() check inside
// protected Server Components / route handlers. This just bounces
// logged-out users before render.
import { NextResponse, type NextRequest } from "next/server";
import { getSessionCookie } from "better-auth/cookies";

export function proxy(request: NextRequest) {
  const sessionCookie = getSessionCookie(request);
  if (!sessionCookie) {
    return NextResponse.redirect(new URL("/sign-in", request.url));
  }
  return NextResponse.next();
}

export const config = {
  // ponytail: guard the SaaS app surface; widen the matcher per app-type.
  matcher: ["/dashboard/:path*", "/settings/:path*"],
};

Multi-tenant SaaS schema: organizations, billing & usage metering

• Organizations & multi-tenancy — the tenant boundary every billable and metered row hangs off
• Memberships & role-based access — org↔user join carrying owner/admin/member roles, unique per pair
• Plans & subscription billing tables — the billable plan catalog and each org's current subscription state
• API usage & credit/token metering — append-only usage rows that drive quota checks and usage billing

import { relations, sql } from "drizzle-orm";
import {
  bigint,
  check,
  index,
  integer,
  pgTable,
  text,
  timestamp,
  unique,
  uuid,
} from "drizzle-orm/pg-core";
// Better Auth owns identity; we only reference its `user` table by id.
import { user } from "./auth-schema";

export type MemberRole = "owner" | "admin" | "member";
export type SubscriptionStatus =
  | "trialing"
  | "active"
  | "past_due"
  | "canceled";

/** Tenant boundary: every billable/metered row hangs off an organization. */
export const organizations = pgTable(
  "organizations",
  {
    id: uuid("id").primaryKey().defaultRandom(),
    slug: text("slug").notNull().unique(),
    name: text("name").notNull(),
    createdAt: timestamp("created_at", { withTimezone: true })
      .notNull()
      .defaultNow(),
  },
  (t) => [index("idx_org_slug").on(t.slug)],
);

/** org <-> user join with role. The composite unique is the membership identity. */
export const memberships = pgTable(
  "memberships",
  {
    id: uuid("id").primaryKey().defaultRandom(),
    organizationId: uuid("organization_id")
      .notNull()
      .references(() => organizations.id, { onDelete: "cascade" }),
    // Better Auth's user.id is text — match it, don't recast.
    userId: text("user_id")
      .notNull()
      .references(() => user.id, { onDelete: "cascade" }),
    role: text("role").$type<MemberRole>().notNull().default("member"),
    createdAt: timestamp("created_at", { withTimezone: true })
      .notNull()
      .defaultNow(),
  },
  (t) => [
    unique("memberships_org_user_unique").on(t.organizationId, t.userId),
    index("idx_membership_user").on(t.userId),
    check(
      "memberships_role_check",
      sql`${t.role} in ('owner','admin','member')`,
    ),
  ],
);

/** Catalog of billable plans (seed-managed). priceCents keeps money integer. */
export const plans = pgTable("plans", {
  id: uuid("id").primaryKey().defaultRandom(),
  slug: text("slug").notNull().unique(), // free | pro | scale
  name: text("name").notNull(),
  priceCents: integer("price_cents").notNull().default(0),
  // Monthly included credits; metering checks usage against this.
  monthlyCredits: bigint("monthly_credits", { mode: "number" })
    .notNull()
    .default(0),
});

/** One active subscription per org. Mirrors the billing provider's state. */
export const subscriptions = pgTable(
  "subscriptions",
  {
    id: uuid("id").primaryKey().defaultRandom(),
    organizationId: uuid("organization_id")
      .notNull()
      .references(() => organizations.id, { onDelete: "cascade" }),
    planId: uuid("plan_id")
      .notNull()
      .references(() => plans.id),
    status: text("status")
      .$type<SubscriptionStatus>()
      .notNull()
      .default("trialing"),
    // ponytail: opaque provider id (Stripe/LemonSqueezy) — no provider FK needed.
    providerSubId: text("provider_sub_id"),
    currentPeriodEnd: timestamp("current_period_end", { withTimezone: true }),
    createdAt: timestamp("created_at", { withTimezone: true })
      .notNull()
      .defaultNow(),
  },
  (t) => [
    // One live subscription per org (the metering layer reads exactly one).
    unique("subscriptions_org_unique").on(t.organizationId),
    index("idx_sub_status").on(t.status),
    check(
      "subscriptions_status_check",
      sql`${t.status} in ('trialing','active','past_due','canceled')`,
    ),
  ],
);

/** Append-only credit/token meter. Roll up by org+window for quota + billing. */
export const apiUsage = pgTable(
  "api_usage",
  {
    id: uuid("id").primaryKey().defaultRandom(),
    organizationId: uuid("organization_id")
      .notNull()
      .references(() => organizations.id, { onDelete: "cascade" }),
    // Who/what spent — opaque key id, nullable for org-level system calls.
    apiKeyId: text("api_key_id"),
    creditsUsed: bigint("credits_used", { mode: "number" }).notNull(),
    createdAt: timestamp("created_at", { withTimezone: true })
      .notNull()
      .defaultNow(),
  },
  (t) => [
    // Drives the "credits used this period" rollup query.
    index("idx_usage_org_time").on(t.organizationId, t.createdAt),
  ],
);

export const organizationsRelations = relations(organizations, ({ many }) => ({
  memberships: many(memberships),
  subscriptions: many(subscriptions),
  usage: many(apiUsage),
}));

export const membershipsRelations = relations(memberships, ({ one }) => ({
  organization: one(organizations, {
    fields: [memberships.organizationId],
    references: [organizations.id],
  }),
  user: one(user, { fields: [memberships.userId], references: [user.id] }),
}));

export const subscriptionsRelations = relations(subscriptions, ({ one }) => ({
  organization: one(organizations, {
    fields: [subscriptions.organizationId],
    references: [organizations.id],
  }),
  plan: one(plans, {
    fields: [subscriptions.planId],
    references: [plans.id],
  }),
}));

export const apiUsageRelations = relations(apiUsage, ({ one }) => ({
  organization: one(organizations, {
    fields: [apiUsage.organizationId],
    references: [organizations.id],
  }),
}));

Connection & security

## Next.js 16 ↔ Postgres pooling (Neon pooled endpoint, PgBouncer transaction mode)

Connect through Neon's **pooled** endpoint (`-pooler` host) via `DATABASE_URL`. Serverless
functions are short-lived and concurrent, so PgBouncer in **transaction mode** is what keeps
Postgres' connection ceiling from being blown.

### `prepare: false` is mandatory
Transaction-mode PgBouncer hands each transaction a different backend, so server-side prepared
statements (postgres-js' default) silently break across the pool. Disable them on the client:
`postgres(url, { prepare: false })`. This is also why **Drizzle, not Prisma**, is paired here —
Prisma's prepared-statement reliance is a blocked intersection on this endpoint.

### Connection reuse
- Construct the postgres-js client at **module scope** (`src/lib/db.ts`) so warm function
  instances reuse one socket instead of opening one per request.
- Cap the driver pool small — `max: 1` per instance. The shared pool lives in PgBouncer, not in
  your function; a large per-instance `max` just multiplies idle connections across instances.
- Keep `idle_timeout` ~20s and `connect_timeout` ~10s so frozen instances release backends fast.

### No session-level features
Transaction mode forbids anything that spans transactions on one backend: `LISTEN/NOTIFY`,
session-scoped `SET`, advisory-lock sessions, server-side cursors, and `WITH HOLD`. Need any of
those? Use Neon's **direct** (non-pooled) endpoint for that path only.

### Thresholds
- Drizzle/postgres-js: `prepare: false`, `max: 1`, `idle_timeout: 20`, `connect_timeout: 10`.
- Neon Free pooled budget is ~10k client connections; keep concurrency well under the project's
  `max_connections` (often 100–900 by plan) by leaning on PgBouncer, never on driver pooling.

Verified billing (Polar)

✓ Idempotency proven — a duplicate webhook delivery yields one subscription, not two; a stale, out-of-order event can't overwrite newer state. Replayed against a live database, not just type-checked.

Subscription sync schema

import { sql } from "drizzle-orm";
import { check, index, pgTable, text, timestamp, uuid } from "drizzle-orm/pg-core";

export const organizations = pgTable("organizations", {
  id: uuid("id").primaryKey().defaultRandom(),
  slug: text("slug").notNull().unique(),
});

export const plans = pgTable("plans", {
  id: uuid("id").primaryKey().defaultRandom(),
  slug: text("slug").notNull().unique(),
  polarProductId: text("polar_product_id").unique(),
});

export type SubscriptionStatus = "trialing" | "active" | "past_due" | "canceled";

export const subscriptions = pgTable(
  "subscriptions",
  {
    id: uuid("id").primaryKey().defaultRandom(),
    organizationId: uuid("organization_id")
      .notNull()
      .references(() => organizations.id, { onDelete: "cascade" }),
    planId: uuid("plan_id")
      .notNull()
      .references(() => plans.id),
    status: text("status").$type<SubscriptionStatus>().notNull().default("trialing"),
    currentPeriodEnd: timestamp("current_period_end", { withTimezone: true }),
    // Billing-sync: the idempotency key (UNIQUE) + the staleness guard timestamp.
    polarSubscriptionId: text("polar_subscription_id").unique(),
    polarEventAt: timestamp("polar_event_at", { withTimezone: true }),
  },
  (t) => [
    index("idx_sub_org").on(t.organizationId),
    check(
      "subscriptions_status_check",
      sql`${t.status} in ('trialing','active','past_due','canceled')`,
    ),
  ],
);

import { and, eq, isNull, lt, or } from "drizzle-orm";
import { subscriptions } from "./schema";

export type PolarSubscriptionEvent = {
  type: string;
  data: {
    id: string;
    status: string;
    currentPeriodEnd: string | null;
    modifiedAt: string;
    metadata: { organizationId: string; planId: string };
  };
};

const STATUS_MAP: Record<string, "trialing" | "active" | "past_due" | "canceled"> = {
  trialing: "trialing",
  active: "active",
  past_due: "past_due",
  unpaid: "past_due",
  canceled: "canceled",
  revoked: "canceled",
};

// Idempotent + CONCURRENCY-safe sync of a Polar subscription. The staleness guard
// lives in the UPDATE's WHERE clause, so Postgres' row lock serializes concurrent
// retries (a stale/older event matches no row); brand-new rows insert with
// onConflictDoNothing (race-safe). Returns changed=true only on a real advance, so
// callers can guard side effects (emails) against Polar's duplicate deliveries.
export async function recordPolarEvent(
  // ponytail: loosely typed Drizzle client so the emitted core stays portable
  // across the app's exact client type.
  db: any,
  event: PolarSubscriptionEvent,
): Promise<{ changed: boolean }> {
  const sub = event.data;
  const status = STATUS_MAP[sub.status];
  if (!status) return { changed: false }; // unknown status — ignore, don't default
  const eventAt = new Date(sub.modifiedAt);
  const currentPeriodEnd = sub.currentPeriodEnd ? new Date(sub.currentPeriodEnd) : null;

  // Guarded UPDATE: applies only when our event is strictly newer than what's stored.
  // No TOCTOU — the comparison is in the WHERE, evaluated under the row lock.
  const updated = await db
    .update(subscriptions)
    .set({ status, currentPeriodEnd, polarEventAt: eventAt })
    .where(
      and(
        eq(subscriptions.polarSubscriptionId, sub.id),
        or(isNull(subscriptions.polarEventAt), lt(subscriptions.polarEventAt, eventAt)),
      ),
    )
    .returning({ id: subscriptions.id });
  if (updated.length > 0) return { changed: true };

  // No row updated: the row exists but our event is stale (guard rejected it), or it
  // doesn't exist yet. If it exists, this is a stale/duplicate delivery — ignore.
  const [existing] = await db
    .select({ id: subscriptions.id })
    .from(subscriptions)
    .where(eq(subscriptions.polarSubscriptionId, sub.id))
    .limit(1);
  if (existing) return { changed: false };

  const inserted = await db
    .insert(subscriptions)
    .values({
      organizationId: sub.metadata.organizationId,
      planId: sub.metadata.planId,
      status,
      currentPeriodEnd,
      polarSubscriptionId: sub.id,
      polarEventAt: eventAt,
    })
    .onConflictDoNothing({ target: subscriptions.polarSubscriptionId })
    .returning({ id: subscriptions.id });

  return { changed: inserted.length > 0 };
}

// Polar webhook for Next.js 16 (App Router). Verifies the HMAC signature, then hands the
// event to the idempotent recordPolarEvent. Returns 200 even if non-critical work
// fails; only a signature failure is rejected.
import { validateEvent, WebhookVerificationError } from "@polar-sh/sdk/webhooks";
import { db } from "@/lib/db";
import { recordPolarEvent, type PolarSubscriptionEvent } from "@/lib/billing/record";

const SUBSCRIPTION_EVENTS = new Set([
  "subscription.created",
  "subscription.active",
  "subscription.updated",
  "subscription.canceled",
  "subscription.revoked",
  "subscription.uncanceled",
]);

export async function POST(request: Request): Promise<Response> {
  const secret = process.env.POLAR_WEBHOOK_SECRET;
  if (!secret) return Response.json({ error: "Server misconfigured" }, { status: 500 });

  const raw = await request.text();
  const headers = Object.fromEntries(request.headers.entries());

  let event: { type: string; data: unknown };
  try {
    event = validateEvent(raw, headers, secret);
  } catch (error) {
    if (error instanceof WebhookVerificationError) {
      return Response.json({ error: "Invalid signature" }, { status: 403 });
    }
    throw error;
  }

  if (SUBSCRIPTION_EVENTS.has(event.type)) {
    await recordPolarEvent(db, event as PolarSubscriptionEvent);
  }
  return Response.json({ ok: true });
}

Decisions & compatibility

• Auth runs in proxy.ts (Next 16's renamed middleware) on the Edge runtime: it gates on the session cookie's presence only — full session validation happens in Server Components and route handlers, not in the proxy.
• prepare: false is mandatory — Neon's pooled endpoint is PgBouncer in transaction mode, where server-side prepared statements break across the pool.
• Drizzle is paired here (not Prisma): Prisma's prepared-statement reliance is incompatible with transaction-mode pooling.
• Self-hosted: Better Auth creates and owns the user/session/account tables in your database, so app-type schemas can foreign-key to `user` directly.
• One active subscription per organization (unique on organization_id) — the metering layer reads exactly one.
• Usage is an append-only meter (api_usage): roll up by organization + time window for quota and billing rather than mutating a running total.

Related stacks

• Same stack, built for AI Wrapper
• Same stack, built for E-commerce store
• Same stack, built for Marketplace
• Same stack, built for Blog / CMS
• Same stack, built for CRM
• Same stack, built for LMS (learning platform)
• Same stack, built for Project management
• Same stack, built for Helpdesk / support
• Same stack, built for Booking / scheduling
• Same stack, with Clerk instead of Better Auth
• Same stack, built for Social network
• Same stack, built for Forum / community
• Same stack, built for Newsletter platform
• Same stack, built for Job board
• Same stack, built for Fintech ledger
• Same stack, built for Notes / knowledge base
• Same stack, built for Video platform
• Same stack, built for Product analytics
• Same stack, built for Fitness tracker
• Same stack, built for IoT telemetry