Self-hosted Node.js gateway that handles customer onboarding, authentication, entitlement gating, and usage metering for your SaaS listing. Source included. Runs in your VPC.
The gateway sits between AWS Marketplace and your application, handling auth, entitlements, and metering. Your upstream only sees identity headers.
X-User-* headers: X-User-Email, X-User-AcctId, X-User-Tier
Validating marketplace tokens, creating tenants, handling the redirect flow, dealing with race conditions between SQS events and registration.
JWT auth, multi-tenant user accounts, invitation flows, password resets, admin panels. Every SaaS needs it, nobody wants to build it again.
Checking active subscriptions, enforcing tier quotas, caching entitlements, handling contract vs PAYG models. Get this wrong and you give away your product.
BatchMeterUsage with hourly semantics, zero-usage heartbeats, aggregation, deduplication, audit trails. Get this wrong and you lose revenue.
Handles the AWS Marketplace POST redirect, validates tokens, creates tenant records, manages registration sessions. Handles the SQS race condition out of the box.
httpOnly cookie auth, multi-tenant user management, email invitations with expiry, password resets, role-based access control (admin/user).
Contract tier enforcement with configurable thresholds (monthly/lifetime). Entitlement checks cached as signed JWTs. One boolean toggle switches to PAYG mode.
Usage ingestion API, hourly BatchMeterUsage with auto-aggregation, zero-usage heartbeats for compliance, dimension auto-discovery, full audit trail with AWS MeteringRecordIds.
Transparent reverse proxy to your upstream. Injects X-User-Email, X-User-AcctId, X-User-Tier, X-User-CurrentUsage. Configurable public path whitelist for webhooks.
SvelteKit 2 + Material UI frontend. Admin dashboard, user login/signup, profile management, password reset, contact form. Production-ready out of the box.
A single environment variable switches the entire billing and enforcement strategy. No code changes.
Auth tokens are never accessible to client-side JavaScript. SameSite=Strict by default.
Sessions are consumed on first use, which prevents replay attacks on the AWS Marketplace fulfillment flow.
All passwords hashed with bcrypt. Cost factor is configurable for your security/performance tradeoff.
Server refuses to start with missing or invalid configuration. No silent failures in production.
The reverse proxy layer blocks WebDAV methods, dotfiles, database files, and config file extensions.
Login events, subscription lifecycle events, and metering submissions all recorded with timestamps.
Don't spend weeks rebuilding fulfillment, auth, and metering. Start with production-tested code and focus on your product.
Reusable foundation for every Marketplace listing. Deploy the gateway, point it at your upstream, and you're live.
Production-grade Marketplace integration without the overhead. One Node.js server, one SQLite file, no database server to manage.
Save weeks of engineering time. The kit pays for itself before your first customer subscribes.
The same auth + metering code behind 4 production AWS Marketplace SaaS products. Now yours.