Case study
LiveArbFlow
Multi-tenant GA4 analytics SaaS for agencies — secure per-client workspaces, per-tenant data isolation, and a dashboard that unifies GA4, Meta and LinkedIn and tells you what actually changed. Deployed and running in production.
- ROLE
- Solo — design, frontend, backend, infra
- STACK
- Next.js · FastAPI · PostgreSQL · Vercel
- FOR
- Marketing agencies managing many clients
- STATUS
- Live in production
The problem
Agencies juggle every client's analytics across GA4, Meta and LinkedIn — separate logins, exported CSVs, and still no clear answer to the only question that matters before a client call: what actually changed this week, and why? There was no single, secure place to see per-client performance and have the notable shifts surfaced for you.
What it does
ArbFlow gives an agency one isolated workspace per client. Connect a client's GA4, Meta and LinkedIn in a few clicks and ArbFlow unifies the data into a clean dashboard — then surfaces what moved: traffic shifts, funnel spikes, pages worth a look. You walk into the client call already knowing the story.
Architecture
A Next.js dashboard on Vercel talks to a FastAPI backend, which owns auth, the OAuth connectors, and aggregation over a tenant-scoped PostgreSQL database.
- DASHBOARD
- Next.js on Vercel (App Router) — the agency-facing UI and per-client views.
- API
- FastAPI service — authentication, the GA4 / Meta / LinkedIn OAuth connectors, and metric aggregation.
- DATA
- PostgreSQL — every row tagged by tenant; reads and writes are tenant-scoped.
- CONNECTORS
- GA4, Meta and LinkedIn pulled via OAuth on a schedule, then normalised.
browser → Next.js (Vercel) → FastAPI → PostgreSQL · connectors pull GA4 / Meta / LinkedIn on a schedule
Security & multi-tenancy
Multi-tenancy is the whole product, so isolation is a first-class concern rather than an afterthought. The decisions that mattered:
- Per-tenant data isolation: every record is tied to a tenant and every query is scoped to the caller's tenant, so one workspace can never read another's data.
- Scoped workspaces with role-based access — members only ever see the clients they're granted.
- Third-party OAuth tokens are held server-side and never exposed to the browser.
- Least-privilege OAuth scopes against GA4 / Meta / LinkedIn.
Status
Live in production on Vercel. Try the connect flow and dashboard yourself, or ask me about any of the decisions above.