Writing · · 3 min read

The white-label SaaS backend agencies rebuild on every client

If your agency has rebuilt passwordless login for the fourth time this quarter — different client, same auth, same Stripe webhooks, same audit trail — this is the post that ends that.

AI gets each client's SaaS 70% done in an afternoon. Claude Code or Cursor scaffolds the screens, the models, the happy path, the demo that closes the deal. Then the other 30% is the same dangerous code every time: auth boundaries, idempotent webhooks, multi-tenant isolation, audit logging. It doesn't demo. It eats your margin. And it's exactly where AI codegen is least trustworthy.

Cloudflare is the right place to run client SaaS — cheap, fast, global, no servers to babysit. But Cloudflare on its own still leaves you hand-rolling that production 30% on every engagement.

The 70/30 problem is an agency-margin problem

For a product company, building the backend once is a cost. For an agency it's a tax you pay per client:

  • Auth + RBAC — rebuilt under deadline, edge cases missed.
  • Payments — Stripe intents and webhooks that have to survive retries.
  • Audit — append-only, or it's useless when the client's compliance team asks “who changed this?”
  • Multi-tenant isolation — the one bug that becomes an incident.

Here's the concrete one that bites: a client's Stripe webhook fires twice (Stripe will retry). Your AI-generated handler has no idempotency key, so it provisions the subscription — and charges — twice. You find out from the client. That's the 30%.

Compose it. Don't regenerate it.

microservices.sh ships that 30% as verified, source-visible modules your agent reads before it composes — auth, org-team-rbac, payment, billing-subscriptions, webhook-delivery, idempotency, audit-log, jobs-workflows, and more. Each is contract-verified (every module ships a contract spec the CLI checks), runs Cloudflare-native, and lands as code the client owns — not a black box you rent on their behalf.

pnpm create microservices-app@latest acme-portal --template saas-starter-sveltekit

You still build the 70% that makes each client different. You stop rebuilding — and re-debugging — the 30% that's identical, and identically risky, every time.

Why “white-label” means source-visible + owned

Two things a closed backend can't give an agency:

  • The client owns the code. No “you locked us into your platform” conversation at handoff — their repo, their Cloudflare account. That's what makes it genuinely white-label: you ship it under their brand, on their infra, with nothing to unwind.
  • You inspect before you ship. Your agent reads each module's contract — its RPC, events, hooks, permissions — so you know exactly what auth and audit do before the client's security review.

That's the gap between “the AI wrote some auth” and “auth you can put your name on.” See how modules connect by contract on the contracts page.

On the next engagement

It runs locally first — no login, no Cloudflare for the first app. Point your agent at the module catalog, compose, and deploy to the client's own Cloudflare when it's ready. Built for exactly this: microservices.sh for agencies.

pnpm create microservices-app@latest
Run the quickstart How module contracts work →