| Responsibility | Rationale |
|---|---|
| User identity (user/account/session) | Single source of truth across all products |
| OAuth Server (token issuance) | Per-application audience isolation requires central signing |
| SSO Group management | Controls which applications share login sessions |
| Organization model (B2B) | Cross-product org structure |
| Product catalog (product/price) | Commercial fact, scoped by app_id |
| Subscription/order records | Commercial fact, isolated by app_id |
| Payment gateway integration | Gateway vocabulary normalization |
| Outbound events (webhook to SaaS) | Commercial fact change notification |

| Responsibility | Rationale |
|---|---|
| SKU-to-entitlement mapping | Product rules are heterogeneous (P6) |
| Usage metering / credit balances | High-frequency writes, per-product autonomy (P1) |
| Business data (tasks, files, AI calls) | Pure business logic |
| Push tokens / device registration | Runtime session data, not shared across products |
| JWT signature verification | Each application verifies locally with saas-core JWKS |
saas-core answers “who (user/org) bought what (SKU) in which application,
whether it is currently valid, and when it expires.” It never answers
“what capabilities this SKU grants” or “how much quota this user has left.”