Source: github.com/boxyhq/saas-starter-kit | License: MIT | Stars: 3k+ Core features: Next.js 14 + TypeScript + Prisma + PostgreSQL Auth: NextAuth + SAML SSO via BoxyHQ Directory Sync (SCIM) for enterprise user provisioning Stripe subscriptions Email: Nodemailer UI: Tailwind + daisyUI Teams with invitation flow and role management API token management Audit logs

SaaS Starter Kit Review 2026: Enterprise Auth for Free

TL;DR

BoxyHQ's SaaS Starter Kit is the only free boilerplate with enterprise security features built in — SAML SSO, directory sync (SCIM), API token management, and audit logs. Most boilerplates charge $300-1500 for these features (WorkOS pricing starts at $125/month). The code quality is excellent. The UI is less polished than shadcn/ui alternatives. Best for security-conscious B2B SaaS developers targeting enterprise customers.

Rating: 3.5/5

What You Get (Free)

Source: github.com/boxyhq/saas-starter-kit | License: MIT | Stars: 3k+

Core features:

Next.js 14 + TypeScript + Prisma + PostgreSQL
Auth: NextAuth + SAML SSO via BoxyHQ
Directory Sync (SCIM) for enterprise user provisioning
Stripe subscriptions
Email: Nodemailer
UI: Tailwind + daisyUI
Teams with invitation flow and role management
API token management
Audit logs

The Security Focus: What Makes It Unique

SAML SSO

SAML SSO lets enterprise customers authenticate with their identity provider (Okta, Azure AD, Google Workspace) instead of creating new credentials. This is a hard requirement for most enterprise sales.

// SAML SSO configuration via BoxyHQ SAML Jackson
import jackson from '@boxyhq/saml-jackson';

const { apiController, oauthController } = await jackson({
  externalUrl: process.env.NEXTAUTH_URL!,
  samlAudience: 'https://saml.boxyhq.com',
  samlPath: '/api/oauth/saml',
  db: {
    engine: 'sql',
    type: 'postgres',
    url: process.env.DATABASE_URL!,
  },
});

// Configure SAML for a team (admin action)
await apiController.config({
  encodedRawMetadata: samlXMLMetadata,  // From customer's IdP
  defaultRedirectUrl: `${baseUrl}/auth/saml`,
  redirectUrl: `${baseUrl}/auth/saml`,
  tenant: teamId,
  product: 'my-saas',
});

BoxyHQ's SAML Jackson handles the complex SAML protocol implementation. You configure it with your customer's SAML metadata XML from their identity provider, and it handles the full SAML flow — including metadata validation, XML parsing, and assertion verification.

Alternative cost: WorkOS SAML SSO starts at $125/month. Auth0 SAML is enterprise tier. BoxyHQ self-hosted is free.

Directory Sync (SCIM)

SCIM (System for Cross-domain Identity Management) lets enterprise customers automatically provision and deprovision users from their identity provider:

When a customer's IT admin adds a new employee in Okta → they're automatically added to your SaaS
When an employee leaves and is deactivated in Azure AD → they're automatically removed from your SaaS

// Handle SCIM user provisioning event
export async function POST(req: Request) {
  const body = await req.json();

  if (body.op === 'add') {
    // User being provisioned from IdP
    await createUserFromSCIM({
      email: body.value.emails[0].value,
      name: body.value.displayName,
      teamId: extractTeamFromSCIMRequest(req),
    });
  }

  if (body.op === 'remove') {
    // User being deprovisioned
    await deactivateUser(body.value);
  }
}

This is enterprise procurement table-stakes. Without it, enterprise customers must manually manage user access — a security and compliance risk they won't accept.

Core Features in Detail

Team Management

// Invite member to team
export const inviteMember = async (
  invitedBy: User,
  team: Team,
  params: { email: string; role: Role }
) => {
  const invitation = await prisma.invitation.create({
    data: {
      email: params.email,
      role: params.role,
      teamId: team.id,
      invitedById: invitedBy.id,
      token: crypto.randomUUID(),
      expiresAt: addDays(new Date(), 7),
    },
  });

  await sendTeamInvitation({ invitedBy, team, invitation });
  return invitation;
};

// Accept invitation
export const acceptInvitation = async (token: string, user: User) => {
  const invitation = await prisma.invitation.findFirst({
    where: { token, expiresAt: { gt: new Date() } },
    include: { team: true },
  });

  if (!invitation) throw new Error('Invitation expired or invalid');

  await prisma.teamMember.create({
    data: {
      teamId: invitation.teamId,
      userId: user.id,
      role: invitation.role,
    },
  });

  await prisma.invitation.delete({ where: { id: invitation.id } });
};

Invitation tokens expire after 7 days, preventing stale access. The role model supports OWNER, ADMIN, MEMBER tiers.

API Token Management

// Create API token for team
export async function POST(req: Request, { params }) {
  const session = await getServerSession(authOptions);
  const team = await getTeam(params.teamSlug);

  // Verify user is team admin+
  await requireTeamRole(session.user, team, 'ADMIN');

  const rawToken = `sk_${crypto.randomUUID()}`;
  const hashedToken = await bcrypt.hash(rawToken, 10);

  const apiKey = await prisma.apiKey.create({
    data: {
      name: (await req.json()).name,
      teamId: team.id,
      hashedKey: hashedToken,
      expiresAt: addDays(new Date(), 365),
      createdById: session.user.id,
    },
  });

  // Only return raw token once on creation — never stored in plaintext
  return Response.json({ ...apiKey, key: rawToken });
}

The API key is hashed (bcrypt) before storage — never stored in plaintext. The raw token is returned only once on creation, matching how GitHub, Stripe, and other developer APIs handle keys.

Audit Logs

// Log significant actions for compliance
await prisma.auditLog.create({
  data: {
    teamId,
    userId: session.user.id,
    action: 'member.invitation.sent',
    target: invitedEmail,
    metadata: {
      role,
      invitedBy: session.user.name,
      timestamp: new Date().toISOString(),
    },
  },
});

// Query audit trail for compliance review
const logs = await prisma.auditLog.findMany({
  where: { teamId },
  orderBy: { createdAt: 'desc' },
  include: { user: { select: { name: true, email: true } } },
  take: 100,
});

Audit logs capture: member invitations, role changes, API key creation/revocation, billing changes, and authentication events. Enterprise compliance teams require this for SOC 2 certification.

Getting Started

git clone https://github.com/boxyhq/saas-starter-kit
cd saas-starter-kit

# Install dependencies
npm install

# Configure environment
cp .env.example .env

# Required environment variables:
# DATABASE_URL=postgresql://...
# NEXTAUTH_URL=http://localhost:3000
# NEXTAUTH_SECRET=...
# STRIPE_SECRET_KEY=...
# STRIPE_WEBHOOK_SECRET=...
# SMTP_HOST=...
# JACKSON_API_KEYS=...  # BoxyHQ SAML Jackson

# Initialize database
npx prisma db push

# Start development
npm run dev

SOC 2 Compliance Acceleration

BoxyHQ's SaaS Starter Kit directly accelerates SOC 2 Type II certification — the security audit most enterprise procurement teams require before signing contracts. SOC 2 auditors evaluate controls across five trust service criteria; SaaS Starter Kit addresses several out of the box.

Access controls (CC6.3): The RBAC model with OWNER, ADMIN, and MEMBER tiers, combined with invitation token expiry (7-day window), satisfies logical access requirements without additional implementation. Role-scoped permissions prevent privilege escalation at the database layer via Prisma middleware.

Audit logging (CC7.2): The audit log implementation captures actor, action, target, and metadata fields with ISO 8601 timestamps. This satisfies SOC 2 monitoring activity requirements and gives compliance reviewers an exportable activity trail. Most boilerplates treat audit logging as an optional add-on; here it's a first-class feature.

Credential security (CC6.1): Hashed API keys with expiry dates are precisely what auditors check under the "logical access controls" criterion. Storing credentials in plaintext is a common finding in SOC 2 readiness assessments — SaaS Starter Kit avoids it by design.

Gaps you'll still need to address: Data encryption at rest (add via database-level encryption or Supabase Vault), data retention policies (scheduled Prisma jobs to archive or prune old audit records), and penetration test documentation (requires an external engagement). Starting from SaaS Starter Kit with these controls pre-implemented typically saves 2-4 weeks of custom development before a SOC 2 auditor begins assessment.

Limitations

UI: daisyUI instead of shadcn/ui The component library is daisyUI (Tailwind CSS component utilities). Less polished than shadcn/ui by most standards — components feel slightly dated. Not a functional blocker, but the initial design is not as impressive.

Nodemailer for email Requires configuring your own SMTP server. No pre-built Resend or Postmark integration. Budget 2-4 hours to upgrade to a modern email API.

BoxyHQ Jackson deployment Running SAML SSO in production requires running SAML Jackson separately (or using BoxyHQ's managed service). Additional infrastructure to manage.

Less active community GitHub Issues are answered and PRs are reviewed, but the community is much smaller than ShipFast or T3 Stack. Fewer tutorials, fewer answers online.

Who Should Use SaaS Starter Kit

Good fit:

B2B SaaS targeting enterprise customers that require SSO and SCIM
Developers who can't afford WorkOS ($125+/month) or Auth0 Enterprise
Security-conscious products needing audit logs and API token management
Open-source-first teams on MIT license requirements

Bad fit:

Consumer SaaS where enterprise auth is overkill
Developers who want the most polished shadcn/ui UI
Products where large community support is important
Early-stage startups without enterprise sales pipeline

Feature Comparison vs Alternatives

Feature	SaaS Starter Kit	ShipFast	Supastarter
Price	Free	$169	$299
SAML SSO	✅ (BoxyHQ)	❌	❌
SCIM	✅ (BoxyHQ)	❌	❌
Audit Logs	✅	❌	❌
API Tokens	✅	❌	❌
Teams	✅	❌	✅
Billing	Stripe	Stripe	Stripe
UI quality	⭐⭐⭐	⭐⭐⭐⭐	⭐⭐⭐⭐⭐

Final Verdict

Rating: 3.5/5

SaaS Starter Kit fills a specific niche: enterprise authentication and compliance features at $0. SAML SSO, SCIM, audit logs, and API tokens together represent $300+/month in third-party services or weeks of custom implementation. Getting them free and pre-integrated is exceptional value for B2B SaaS developers targeting enterprise customers.

The UI polish gap and smaller community are real trade-offs. If you don't need the enterprise features, ShipFast or Next SaaS Starter will have you shipping faster.

Compare SaaS Starter Kit with other enterprise boilerplates in the StarterPick directory.

See our comparison of auth options for SaaS — SAML SSO is covered by WorkOS and Clerk Enterprise.

Browse all open-source SaaS boilerplates for more free alternatives.

Community and Long-Term Support Outlook

SaaS Starter Kit is maintained by BoxyHQ, a company whose core product is enterprise authentication infrastructure. This is meaningfully different from an individual developer maintaining a side project boilerplate — BoxyHQ has a business incentive to keep SaaS Starter Kit updated because it serves as a primary adoption channel for SAML Jackson and their other enterprise auth products.

The GitHub repository has consistent maintenance: issues are triaged, pull requests are reviewed, and major Next.js version updates are tracked. The commit frequency is lower than community-driven boilerplates like T3 Stack or Shipfast, which have larger contributor pools, but the maintenance is reliable rather than sporadic. For a boilerplate you plan to use as the foundation of a B2B product, predictable maintenance from a funded company is a meaningful stability signal.

The community size is the weakest point relative to competitors. The BoxyHQ Discord exists and is responsive, but the volume of pre-existing answers to common questions is much lower than the T3 Discord or the ShipFast community. When you encounter an integration problem — Stripe webhook handling in a specific Next.js version, or a SAML Jackson configuration edge case — you are often first to post the question. Experienced developers who can read source code and debug independently will find this acceptable. Developers who rely heavily on community patterns will find it limiting.

The enterprise auth features are themselves a form of long-term support insurance. SAML SSO and SCIM are standard protocols with stable specifications — the BoxyHQ Jackson implementation is unlikely to break due to upstream changes the way a custom auth solution might. If you build on SAML Jackson today, the enterprise auth you ship in year one should still work cleanly in year three without significant maintenance.

For the broader context of how SaaS Starter Kit compares to the full landscape of free and paid options, the best free open-source SaaS boilerplates guide provides the comparison. For teams that decide the enterprise features are not necessary and want a more community-supported free option, the best SaaS boilerplates guide covers the full range.

The boilerplate that works best is the one your team can productively extend. Documentation quality, community activity, and the clarity of the codebase architecture matter as much as the feature list when you're making the decision for a product you'll maintain for years.

The SaaS Starter Kit's plugin architecture and active community make it one of the more maintainable free options in the ecosystem — patterns you establish early tend to stay clean as the codebase grows.

Compare SaaS Starter Kit with other enterprise boilerplates in the StarterPick directory.

See the best free open-source SaaS boilerplates guide for more free alternatives.

Browse the best SaaS boilerplates guide for the full comparison across free and paid options.

The SaaS Boilerplate Matrix (Free PDF)