94 Features, 1 Platform
PUGUH provides the complete infrastructure every SaaS product needs. From auth to compliance — integrate via SDK, focus on your domain.
Authentication & OAuth2
PUGUH provides complete JWT RS256 (asymmetric) authentication. Your product verifies tokens locally using the public key from the JWKS endpoint, with no round trip to PUGUH on every request.
- JWT RS256 asymmetric signing (private key at PUGUH, public key at your product)
- OAuth2 social login (Google, GitHub) + Magic Link login
- MFA / 2FA with TOTP (RFC 6238) + backup codes
- Passkeys / WebAuthn for passwordless login
- Token refresh, session management, and active session list
- Local token verification (< 1 ms, no network call)
IAM & RBAC
Identity and Access Management with role-based access control. Each user has roles at the organization level, and permissions can be configured per resource.
- 4 built-in roles + custom roles (user-defined)
- Fine-grained permissions: {module}.{resource}.{action}
- API Key management (generate, revoke, rotate)
- Service account support for machine-to-machine auth
- User invitation and onboarding flow
- Admin impersonation with full audit trail
Organization & Multi-tenancy
Each organization has an isolated data boundary. Row-Level Security at the database level ensures data never leaks across organizations. Organization policies provide enterprise-grade security controls.
- Row-Level Security (RLS) at database level
- Organization policies: password, session timeout, MFA enforcement
- IP allowlist + email domain restriction per organization
- White-label branding (logo, colors, custom login page)
- Enterprise SSO (SAML 2.0 / OIDC) per organization
- Directory Sync (SCIM 2.0) for auto-provisioning
Storage & Background Jobs
File storage is automatically isolated per organization and protected by auth. A background job queue handles async processing with retry, scheduling, and a dead letter queue.
- File upload/download with auth and org isolation
- Presigned URLs for temporary access to private files
- Server-side image processing (resize, thumbnail)
- Async job queue with exponential backoff retry
- Cron scheduling (POSIX cron) + priority queues
- Dead Letter Queue for failed job inspection and retry
Billing & Subscription
Billing system integrated with a local payment gateway (Midtrans). Subscription management, invoice generation, usage metering, and payment method management are all built in.
- Midtrans payment gateway integration
- Subscription plans with usage-based billing
- Automatic invoice generation
- Payment method management (CRUD)
- Usage metering (API calls, storage, members)
- Quota enforcement (soft warning + hard block)
Webhooks & Event Bus
Reliable webhook system with retry, HMAC signing, and delivery logs. Internal event bus for routing events to webhook endpoints and streaming destinations.
- Webhook endpoint registration with event filtering
- HMAC-SHA256 payload signing (GitHub/Stripe-style)
- Reliable delivery with retry + exponential backoff
- Delivery logs and status tracking
- Event streaming to external SIEM (Splunk, Datadog, ELK)
- Internal event bus with dead letter queue
Audit & Compliance
Immutable audit trail with complete GDPR tools. Data export, consent management, account deletion with PII anonymization — compliance is not an afterthought.
- Append-only audit log (DB triggers prevent edit/delete)
- Full data export (users, orgs, apps, RBAC, audit, files)
- Account deletion with PII anonymization (GDPR Art. 17)
- Consent management API (record + track consent)
- Configurable retention policies per organization
- Audit streaming to external SIEM