The modular SaaS engine for Laravel
Multi-tenancy, OAuth, permissions, and more - battle-tested through a production CRM-ERP. So you never rebuild the same SaaS foundation again.
# Install LaraFoundry
$ composer require larafoundry/core
# Scaffold your SaaS
$ php artisan foundry:install
✓ Multi-tenancy configured
✓ Authentication scaffolded
✓ Permissions seeded
✓ Admin panel ready
Your SaaS foundation is ready.
What is LaraFoundry?
LaraFoundry is a modular SaaS engine built with Laravel 12, designed to give developers a head start when building multi-tenant SaaS applications.
Instead of rebuilding the same features for every project, LaraFoundry provides a battle-tested foundation that handles the complex parts - so you can focus on building what makes your product unique.
LaraFoundry is being actively developed and battle-tested through Kohana, a production SaaS CRM-ERP system. The core will be extracted and released as an open-source package once fully validated.
Everything you need to ship faster
Multi-Tenancy
Complete tenant isolation with company-scoped models and database-level separation.
Authentication
OAuth integration, 2FA, QR code login, and comprehensive session management.
Permissions
Flexible role-based access control with a granular permission system.
Modern Stack
Laravel 12, Vue 3, Inertia.js v2, Vite Build Tool and Custom SCSS.
Testing
Comprehensive test coverage with Pest PHP for reliable deployments.
Admin Panel
Full-featured admin interface with user management and activity logging.
User Management
Manage users across tenants, with the ability to step into any user account for impersonation and support.
Logging & Monitoring
Comprehensive activity logging for users and system-wide events with a convenient audit trail UI.
Feature Requests & Voting
Built-in feedback board where users can submit feature requests, upvote ideas, and track implementation status.
Support Ticketing
Integrated helpdesk module with ticket creation, assignment, priority levels, and status tracking.
Payments
Flexible billing module supporting subscriptions, one-time payments, and invoice management.
Affiliate Program
Built-in referral and partner tracking with commission management and payout reporting.
Multi-Language
Full i18n support with per-tenant locale settings, translation management, and RTL-ready layouts.
Security & Access Control
OAuth2, 2FA, rate limiting, IP allowlists, and automatic logging of unauthorised access attempts.
Notification System
Transactional and user-triggered notifications via email, in-app, and webhook channels with template management.
Custom Documentation
Embeddable docs module that lets tenants create and publish their own knowledge base or product documentation.
Free to Use, Fair to Build
LaraFoundry is open source and free for personal projects, learning, and non-commercial use. If you're using it to power a commercial product or service, a commercial license is required.
Personal Use
Free
- Side projects & experiments
- Learning & education
- Open-source projects
- Non-commercial apps
Commercial Use
License required
- SaaS products & startups
- Client projects
- Internal business tools
- Any revenue-generating use
Latest Updates
Registration Module - Ready
The first LaraFoundry module is complete. A production-grade registration system with:
- Multi-provider auth - Email/password + OAuth2 (Google, Facebook, Twitter)
- Smart avatars - Automatic Gravatar detection with initials fallback
- Session tracking - Full device fingerprinting (browser, OS, geo)
- Auth logging - 7 auth events via Spatie Activity Log
- Team onboarding - Invitation-based registration with auto role assignment
Authentication Module - Ready
Production-grade, multi-method authentication system with 6 login methods and 3 admin security layers.
- Email/Password - Rate-limited login with session tracking and device fingerprinting
- OAuth - Google, Facebook, Twitter via Laravel Socialite v5
- QR Code Login - WhatsApp-style cross-device authentication with encrypted tokens
- PIN Code Lock - 4-digit screen lock for shared workstations with inactivity timeout
- Admin 2FA - Google Authenticator (TOTP) enforced on all admin routes
- Admin Alerts - Real-time Email + Telegram notifications on failed login attempts
- IP Whitelisting - Admin access restricted to configured IPs
- Session Management - Full device tracking with "clear other sessions" support
Multi-Tenancy & Authorization Module - Ready
Complete multi-tenancy system with automatic data isolation, config-driven permissions, and a 5-level authorization hierarchy for multi-company SaaS.
- BelongsToCompany Trait - Automatic Eloquent query filtering by active company, zero chance of cross-tenant data leaks
- 100+ Permissions - Config-driven, auto-registered as Gates across 20+ modules
- 8 Gate Classes - Dedicated authorization logic per module (Company, Employee, Role, Contragent, Warehouse, Production...)
- 5-Level Hierarchy - Super admin > Owner > Revoked > Individual grant > Role-based permissions
- Role Templates - 5 pre-built roles (Manager, Accountant, Storekeeper, Logistician, Worker) auto-cloned to every company
- Custom Roles - Company owners create, edit, and manage roles from the UI
- Permission Overrides - Grant or revoke individual permissions per user, overriding role defaults
- Middleware Stack - SetActiveCompany + CheckAccess + CheckCompanyAccess for full tenant lifecycle
- Permission-Aware Menu - Navigation items filtered by user permissions in real time
- First Allowed Route - Smart redirects instead of 403 pages
- 19 Test Files - Full coverage with Pest PHP
Activity Logging & Monitoring Module - Ready
Production-grade event-driven logging system. 60+ events automatically captured with device fingerprinting, async geolocation, and multi-channel admin alerts.
- Event-driven architecture - zero manual log calls across 60+ event types
- Full device context: browser, OS, device type via jenssegers/agent
- Async IP geolocation with queued jobs and 24h caching
- Extended Spatie ActivityLog model with 20+ queryable fields
- Multi-channel notifications (Email + Telegram) for critical events
- Three-layer observability: activity logs, Telescope (dev), Log Viewer
- Monolog split channels: daily (14 days) + critical errors (30 days)
- Admin UI with time-range filtering built with Vue 3 + Inertia v2
- Comprehensive test coverage with Pest PHP
Multilanguage Module - Ready
Full internationalization system with automatic language detection and seamless Laravel-to-Vue translation pipeline.
- Auto locale detection - 5-step fallback: user pref, session, browser, IP geolocation, default
- 4 languages - English, Ukrainian, Polish, German with 1700+ translation strings
- Zero-config frontend - Translations via Inertia props + global t() in Vue
- Content translation API - Pluggable DeepL + Google Translate layer
- Smart persistence - DB for auth users, long-lived cookies for guests
Navigation & Menu System - Ready
Dynamic, permission-aware navigation that builds menus per request based on user type and granted permissions.
- Dynamic menu building - LayoutDataService constructs 4 navigation contexts per request
- Permission filtering - Module-level and sub-page-level checks for admin, owner, and employee
- Zero 403 pages - First Allowed Route pattern redirects users to their first accessible page
- Responsive layouts - Desktop two-tier header + mobile hamburger with collapsible sections
- Configurable defaults - Users set preferred landing page per company
Vue Frontend (Inertia v2 + Vue 3) - Ready
- LayoutSwitcher - 5 layouts (Guest, Auth, Admin, Blocked, Deleted) selected by server-sent visitor_status
- Overlay system - 7 pullout panels with double-layer stacking and ESC dismissal
- Pagination + Filters - Auto-rendering paginator with smart page range and filter auto-discovery pattern
- Modal system - Custom modals (useForm, async axios, tabs) + SweetAlert2 confirmations
- Zero state library - Reactive refs + provide/inject for all UI state management
Traits & Middlewares - Ready
The invisible backbone of a multi-tenant SaaS: 11 middlewares in strict execution order and 6 custom traits for reusable business logic.
- Middleware stack - 11 middlewares with explicit order: company context, locale detection, PIN lock, access control, session validation
- PIN lock - Database-backed inactivity screen lock (30min timeout, HTTP 423 for APIs)
- 3-level access control - User ban, company owner ban, payment status with route whitelists
- Filter auto-discovery - Request params auto-map to filter methods via method_exists()
- HasPagination + NotificationDataHandler - Consistent data contracts across all controllers
Admin Users
The command center for managing users in a multi-tenant SaaS: CRUD, banning with cascade, impersonation, activity logging, and auto-discovery filters.
Coming Soon