Today I am introducing the Feature Policy API, a declarative policy system that gives our SaaS starter kit a plug-and-play way to express business rules.
It launches with team invitations. More features will be migrated to it in the future.
Why Declarative Policies Matter
SaaS teams rarely share the same rulebook. Enterprise customers want domain restrictions, startups want viral invites, and regulated teams need audit trails.
Hardcoding these paths inside controllers forces you to branch or fork the codebase. Makerkit optimizes for extensibility - teams should layer new logic without rewriting internals unless a special case demands it.
The Feature Policy API keeps everything orchestrated in a central registry so you can:
- Swap policies without rewriting the core flow
- Stage rules for different steps in a journey (preliminary vs submission)
- Test policies in isolation
- Let customers layer their own requirements without losing upgradeability
FeaturePolicy complements (and never replaces) your database guarantees. Keep enforcing core invariants with Postgres constraints, Supabase policies, and transactional checks—FeaturePolicy orchestrates the API/front-end logic that sits on top of them.
Team Invitations: the first feature to use Feature Policy
We started with the most common multi-tenant pain point: invitations.
Different teams have different rules for invitations:
- Some want to restrict the number of invitations per team
- Some want to restrict the number of invitations per subscription status or plan
- Others want to validate the email domain
- etc.
A SaaS Starter Kit such as Makerkit cannot assume what rules you want to apply to invitations.
Therefore, we have created a declarative policy system that lets you customize invitations without rewriting internals, such as editing the hot paths in the codebase to change this behavior.
- Registry: packages/features/team-accounts/src/server/policies/invitation-policies.ts
- Server usage: Every invitation call now runs through createInvitationsPolicyEvaluator()
- DX: Policies return structured allow()/deny() results so you can surface actionable messages in product and logs
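A minimal sketch of the pattern described above, added here as an illustration and not Makerkit's code: a registry of invitation policies evaluated per stage, returning structured results and failing closed when a policy throws. All types, policy ids, error codes and the evaluateInvitation function are assumptions, and allow/deny are local stand-ins whose signatures are assumed rather than taken from the Makerkit API.

```typescript
// Added illustration: all names here are hypothetical, not Makerkit's API.
type Stage = "preliminary" | "submission";
type Result = { allowed: true } | { allowed: false; code: string; message: string };
interface InviteContext {
  teamDomain: string; // assumed: the only e-mail domain the team accepts
  pendingInvites: number; // assumed: invitations already outstanding
  maxInvites: number; // assumed: limit from the team's plan
  emails: string[]; // invitees; empty until the form is submitted
}
interface Policy { id: string; stages: Stage[]; evaluate(ctx: InviteContext): Result }
const allow = (): Result => ({ allowed: true });
const deny = (code: string, message: string): Result => ({ allowed: false, code, message });
const registry: Policy[] = [
  {
    id: "invite-limit", stages: ["preliminary", "submission"],
    evaluate: (ctx) =>
      ctx.pendingInvites + ctx.emails.length > ctx.maxInvites
        ? deny("LIMIT_REACHED", `Plan allows ${ctx.maxInvites} pending invitations`)
        : allow(),
  },
  {
    id: "email-domain", stages: ["submission"],
    evaluate: (ctx) => {
      for (const email of ctx.emails) {
        // Exact, case-insensitive match on the part after the last "@".
        const at = email.lastIndexOf("@");
        if (at < 1 || email.slice(at + 1).toLowerCase() !== ctx.teamDomain.toLowerCase()) {
          return deny("DOMAIN_MISMATCH", `${email} is outside ${ctx.teamDomain}`);
        }
      }
      return allow();
    },
  },
];

// Runs each policy registered for the stage. The first denial wins, and a
// policy that throws counts as a denial, so a buggy rule fails closed.
function evaluateInvitation(stage: Stage, ctx: InviteContext, policies: Policy[] = registry): Result {
  for (const policy of policies) {
    if (policy.stages.indexOf(stage) === -1) continue;
    try {
      const result = policy.evaluate(ctx);
      if (!result.allowed) return result;
    } catch {
      return deny("POLICY_ERROR", `Policy ${policy.id} failed to evaluate`);
    }
  }
  return allow();
}
```

The denial codes are what the UI and logs would surface; the database constraints mentioned earlier still have to hold independently of these checks.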
API documentation
You can read the full API guide in our documentation.
Roadmap: More Features Using Feature Policy
Invitations are just the start. We are actively staging the same declarative approach for more features.
If there is a flow you want using the new Feature Policy API next, please let me know.
Happy building!