Kitlore
Multi-tenant AI-powered headless CMS — generates SEO blog posts via LLM, auto-posts to LinkedIn, delivers via webhook to any site
The content treadmill
Every developer knows they should blog for SEO. Almost none do — writing takes 3–4 hours per post, editing takes another hour, and multi-channel publishing is yet another task. Kitlore inverts this: one API call triggers generation, review, and publishing. The harder engineering problem was multi-tenancy at scale — every customer's data must be strictly isolated, API keys must be as secure as passwords, and webhook delivery must be reliable even when the recipient server is slow.
Context
- Multi-tenant: strict data isolation required between customers
- API keys must be hashed — never stored in plaintext
- AI generation is slow (3–8s) — can't block the HTTP response
- LinkedIn OAuth tokens require encryption at rest
Our approach
Key decisions
Go + Gin for concurrent generation
Go's goroutines handle concurrent AI generation jobs without blocking. Compile-time type safety prevents entire classes of async bugs that Node or Python can hit under load.
Asynq for async job delivery
AI generation is slow. Asynq (Redis-backed job queue) accepts the request, returns 202 Accepted in <50ms, and delivers the generated content via signed webhook when ready.
Row-level tenant isolation
Every database query is scoped to tenant_id at the repository layer. Cross-tenant data leakage is impossible by design — not prevented by middleware, eliminated at the query.
SHA-256 + AES-256-GCM security
API keys are SHA-256 hashed before storage. LinkedIn OAuth tokens are AES-256-GCM encrypted at rest. Webhook payloads are HMAC-SHA256 signed so recipients can verify delivery.
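A recipient-side check for the HMAC-SHA256 webhook signature described above, as an added example that is not Kitlore's own code. The hex encoding, the timestamp bound into the MAC, the five-minute replay window and the names `Sign` and `Verify` are assumptions; the page does not specify the wire format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// maxSkew bounds how old a signed delivery may be (assumed replay window).
const maxSkew = 5 * time.Minute

// Sign returns hex(HMAC-SHA256(secret, "<unix-ts>.<body>")); this layout is assumed.
func Sign(secret, body []byte, ts time.Time) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(strconv.FormatInt(ts.Unix(), 10)))
	mac.Write([]byte{'.'})
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// Verify recomputes the MAC over the raw body bytes and compares in constant time.
func Verify(secret, body []byte, ts time.Time, sigHex string, now time.Time) error {
	if d := now.Sub(ts); d > maxSkew || d < -maxSkew {
		return errors.New("timestamp outside replay window")
	}
	got, err := hex.DecodeString(sigHex)
	if err != nil {
		return errors.New("signature is not valid hex")
	}
	want, _ := hex.DecodeString(Sign(secret, body, ts))
	if !hmac.Equal(got, want) {
		return errors.New("signature mismatch")
	}
	return nil
}

func main() {
	// Constructed sample secret and payload, not real Kitlore values.
	secret := []byte("constructed-demo-secret")
	body := []byte(`{"tenant_id":"t_demo","title":"Hello"}`)
	now := time.Unix(1700000000, 0)
	sig := Sign(secret, body, now)
	fmt.Println("valid:", Verify(secret, body, now, sig, now) == nil)
	fmt.Println("tampered:", Verify(secret, append(body, ' '), now, sig, now))
}
```

Verify against the exact bytes received on the wire, before any JSON parsing or re-serialisation, since re-encoding changes the bytes and breaks the MAC.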
Results
What we achieved
Acknowledged response time
GCM encrypted OAuth tokens
Hashed API keys
Tenant isolation at DB layer
Stack used