
Case study

Live

ArbFlow

Multi-tenant GA4 analytics SaaS for agencies — secure per-client workspaces, per-tenant data isolation, and a dashboard that unifies GA4, Meta and LinkedIn and tells you what actually changed. Deployed and running in production.

Next.js · FastAPI · PostgreSQL · JWT · Vercel

ROLE: Solo — design, frontend, backend, infra
STACK: Next.js · FastAPI · PostgreSQL · Vercel
FOR: Marketing agencies managing many clients
STATUS: Live in production

The problem

Agencies juggle every client's analytics across GA4, Meta and LinkedIn — separate logins, exported CSVs, and still no clear answer to the only question that matters before a client call: what actually changed this week, and why? There was no single, secure place to see per-client performance and have the notable shifts surfaced for you.

What it does

ArbFlow gives an agency one isolated workspace per client. Connect a client's GA4, Meta and LinkedIn in a few clicks and ArbFlow unifies the data into a clean dashboard — then surfaces what moved: traffic shifts, funnel spikes, pages worth a look. You walk into the client call already knowing the story.

Architecture

A Next.js dashboard on Vercel talks to a FastAPI backend, which owns auth, the OAuth connectors, and aggregation over a tenant-scoped PostgreSQL database.

DASHBOARD: Next.js on Vercel (App Router) — the agency-facing UI and per-client views.
API: FastAPI service — authentication, the GA4 / Meta / LinkedIn OAuth connectors, and metric aggregation.
DATA: PostgreSQL — every row tagged by tenant; reads and writes are tenant-scoped.
CONNECTORS: GA4, Meta and LinkedIn pulled via OAuth on a schedule, then normalised.

browser → Next.js (Vercel) → FastAPI → PostgreSQL · connectors pull GA4 / Meta / LinkedIn on a schedule

Security & multi-tenancy

Multi-tenancy is the whole product, so isolation is a first-class concern rather than an afterthought. The decisions that mattered:

  • Per-tenant data isolation: every record is tied to a tenant and every query is scoped to the caller's tenant, so one workspace can never read another's data.
  • Scoped workspaces with role-based access — members only ever see the clients they're granted.
  • Third-party OAuth tokens are held server-side and never exposed to the browser.
  • Least-privilege OAuth scopes against GA4 / Meta / LinkedIn.
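
A sketch of the first two decisions above, tenant-scoped queries and per-member client grants, added here as an illustration; it is not ArbFlow's code. The schema, the Caller and TenantScopedStore names and the sample rows are assumptions, and in-memory SQLite stands in for PostgreSQL so the block runs offline.

```python
import sqlite3
from dataclasses import dataclass

@dataclass(frozen=True)
class Caller:
    """Identity from the verified session, never from request parameters."""
    tenant_id: int
    user_id: int

class TenantScopedStore:
    """Hypothetical data-access layer: it has no query that omits tenant_id."""
    def __init__(self, db, caller):
        self.db, self.caller = db, caller

    def list_clients(self):
        # Tenant filter plus grant join: members see only clients granted to them.
        return self.db.execute(
            "SELECT c.id, c.name FROM clients c JOIN grants g "
            "ON g.client_id = c.id AND g.tenant_id = c.tenant_id "
            "WHERE c.tenant_id = ? AND g.user_id = ? ORDER BY c.id",
            (self.caller.tenant_id, self.caller.user_id)).fetchall()

    def get_metrics(self, client_id):
        # A client id from another tenant, or one not granted, matches no rows.
        return self.db.execute(
            "SELECT m.metric, m.value FROM metrics m JOIN grants g "
            "ON g.client_id = m.client_id AND g.tenant_id = m.tenant_id "
            "WHERE m.tenant_id = ? AND g.user_id = ? AND m.client_id = ?",
            (self.caller.tenant_id, self.caller.user_id, client_id)).fetchall()

def build_sample_db():
    """Constructed sample data: two agencies (tenants 1 and 2)."""
    db = sqlite3.connect(":memory:")  # SQLite stands in for PostgreSQL here
    db.executescript("""
        CREATE TABLE clients (id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL, name TEXT);
        CREATE TABLE grants  (tenant_id INTEGER NOT NULL, user_id INTEGER, client_id INTEGER);
        CREATE TABLE metrics (tenant_id INTEGER NOT NULL, client_id INTEGER,
                              metric TEXT, value INTEGER);
        INSERT INTO clients VALUES (10, 1, 'Acme'), (11, 1, 'Globex'), (20, 2, 'Initech');
        INSERT INTO grants  VALUES (1, 100, 10), (2, 200, 20);
        INSERT INTO metrics VALUES (1, 10, 'sessions', 1200), (1, 11, 'sessions', 300),
                                   (2, 20, 'sessions', 9000);
    """)
    return db
```

Because the tenant id is bound from the Caller object and never from a request field, changing the client id in a URL cannot widen what a query returns.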

Status

Live in production on Vercel. Try the connect flow and dashboard yourself, or ask me about any of the decisions above.