Membership and Billing Rules — Central Membership & SSO Hub
1. Document Purpose
This document outlines all key business rules that must be implemented in the Central Membership & SSO Hub system.
This document serves as a guide for:
- product owner,
- programmer,
- UI/UX designer,
- tester,
- and operations team.
Programmers must not make assumptions about rules not defined herein.
2. General Principles
- A single member account can subscribe to multiple SaaS products simultaneously.
- Each product has independent packages and pricing.
- Licenses are only active after valid activation (free or confirmed payment).
- Member data is private and can only be accessed by the owning member and Super Admin for legitimate reasons.
- The payment process is atomic: a license must not be active if payment has not been confirmed.
- Member data is not permanently deleted due to a change in license status.
- All critical actions must be auditable.
3. Member Account Rules
3.1 Registration
- Email must be unique across the entire system.
- Email is normalized to lowercase and trimmed of spaces before storage.
- Passwords must not be stored in plain text (must be hashed).
- Accounts are
unverifieduntil the email is verified. unverifiedaccounts cannot activate licenses or log in to SaaS applications.- Email verification links have an expiration period (e.g., 24 hours).
- Members can request a resend of the verification link.
3.2 Login
- Login uses email and password.
- Email is normalized before the validation process.
- Repeated failed login attempts must be rate limited.
- Accounts with
suspendedstatus cannot log in. - Accounts with
unverifiedstatus cannot log in to SaaS applications via SSO.
3.3 Profile
- Members can only change their own profile data.
- Email changes require re-verification to the new email.
- Password changes terminate all other active sessions.
4. Product and Package Rules
- Each SaaS product is identified by a unique product code (e.g.,
NTO). - Each product defines its own packages independently.
- Package prices are stored in IDR currency.
- Free packages have no duration and will not expire.
- Paid packages have a duration in days.
- Super Admin can add, modify, or deactivate packages.
- Package price changes do not affect active subscriptions.
- Deactivated packages cannot be selected by new members, but existing subscriptions continue until completion.
5. License Rules
5.1 License Creation
- A single member may only have one active license per product at a time.
- The License-ID is created once when the product is first activated.
- Renewals do not change the License-ID.
- A License-ID is only regenerated if the previous license was
cancelled. - License-ID must be globally unique across the entire system.
5.2 License Activation
- Free package activation immediately results in an
activelicense. - Paid package activation only occurs after a successful payment confirmation webhook is received and verified.
- The system must not activate a paid license without valid payment confirmation.
5.3 License-ID Format
[PREFIX_PRODUK]-[XXXX]-[XXXX]-[XXXX]
- Prefix: 2–4 uppercase letters corresponding to the product code.
- Segment: 4 uppercase alphanumeric characters, randomly generated.
- Example:
NTO-A1B2-C3D4-E5F6
5.4 License Status
active: License is active.grace_period: Paid, expired, within the grace period.suspended: Grace Period ended, access blocked.cancelled: Canceled.
Status transitions:
active → grace_period (paid packages only, when expired_at is reached)
grace_period → active (if renewal is successful)
grace_period → suspended (if Grace Period ends)
suspended → active (if member pays again)
6. Payment Rules
6.1 Order
- Each checkout session creates one
orderwithpending_paymentstatus. - An Order has a unique
order_idused as a reference to the payment gateway. - Orders not completed within a certain time limit automatically expire.
6.2 Payment Confirmation via Webhook
- The system only activates a license after receiving a successful confirmation webhook from the payment gateway.
- The Webhook must be verified using the signature mechanism provided by the payment gateway.
- A single
order_idmust not trigger activation more than once (idempotency). - Webhooks from the payment gateway that cannot be verified must be ignored and logged.
6.3 Payment Failure
- Failed payments do not activate licenses.
- Members can attempt to checkout again for a new order.
6.4 Transaction History
- Each payment transaction is stored permanently.
- Invoices are available for download by members.
- Transaction history cannot be altered or deleted.
7. Grace Period Rules
- Grace Period only applies to paid packages.
- Grace Period length is configured per product (default: 7 days).
- Grace Period begins immediately after
expired_atis reached. - During Grace Period:
- members can still access the application,
- the system displays a warning banner on the member dashboard,
- and the system displays a warning banner within the SaaS application (via JWT that includes
grace_periodstatus).
- Email notifications are sent according to the defined schedule.
- After the Grace Period ends, the license changes to
suspendedstatus. - Renewals during Grace Period update
expired_atfrom the original expiration date.
8. SSO and Token Rules
- JWTs are issued only for members with active accounts and licenses with
active,active_free, orgrace_periodstatus. - JWTs are not issued for members with
unverified,suspendedstatus, orcancelledlicenses. - JWTs have a short validity period (e.g., 1 hour).
- Refresh Tokens have a longer validity period (e.g., 30 days).
- JWT contains information:
sub,name,email,product,license_id,tier,license_status,expires_at. - SaaS applications must verify JWTs using the Hub's public key.
- SaaS applications must not trust claims in a JWT without verifying its signature.
- When a license is
suspended, Refresh Tokens cannot be used to generate new Access Tokens.
9. Notification Rules
- Activation confirmation emails must be sent after a license is active.
- Invoice emails must be sent after successful payment.
- The schedule for expired and Grace Period reminder notifications must be followed.
- Email delivery failures must be logged.
- Members can manage notification preferences (enable/disable specific notification types).
10. Security Rules
- Passwords are stored using secure hashing algorithms (bcrypt or Argon2).
- Payment gateway API Keys must not be stored in the frontend or public repositories.
- Payment gateway Webhooks must be verified before processing.
- JWTs are signed using RS256 (asymmetric).
- The JWT private key is only stored on the Hub server.
- All communication uses HTTPS.
- Rate limiting is applied to login and registration endpoints.
- Sensitive data must not be written to logs in its entirety.
11. Audit Log Rules
The following activities must be logged:
- new account registration,
- successful and failed logins,
- email verification,
- license activation,
- successful payments,
- failed payments,
- Grace Period initiation,
- license suspension,
- license restoration,
- account status changes by Super Admin,
- JWT issuance,
- and sensitive administrative actions.
The audit log must minimally store:
- actor_id,
- actor_role,
- action,
- object_type,
- object_id,
- timestamp,
- ip_address,
- and result (success / failure).
12. New Product Addition Rules
When a new SaaS product joins the ecosystem:
- The product is registered in the system with a unique product code.
- Product packages are configured by the Super Admin.
client_idandclient_secretOAuth2 are issued for the product.- The License-ID prefix format is defined (e.g.,
APBfor Application B). - The product implements SSO integration according to the sso-auth-flow document.
13. Definition of Done
Implementation is considered complete if:
- members can register, verify email, and activate a free package in a single session,
- License-ID is generated, displayed, and sent to email,
- SSO issues JWTs that can be verified by SaaS applications,
- payments automatically activate licenses via webhook,
- Grace Period runs and notifications are sent according to schedule,
- licenses are
suspendedafter Grace Period ends, - member data is not lost even if the license is
suspended, - the same webhook does not trigger activation twice,
- all critical actions are recorded in the audit log,
- and all security rules are implemented.