We’ve built an ERP using Xano as the backend and WeWeb as the frontend. We’re now adding a client portal (around 100 users). What is the best approach in terms of infrastructure and security?
We’re considering three architecture options:
Option A
Separate backend + separate frontend for the client portal, with shared data via APIs.
Option B
Same backend, but a separate frontend for the portal.
Option C
Same backend and same frontend (managed through user roles, page access rules, etc.).
Questions:
What are the pros and cons of each approach in terms of security, scalability, maintenance, and performance?
Does combining everything into one backend (and possibly one frontend) significantly increase the security risks, given the extra user roles, routing logic, and access control?
Are there any best practices or recommended patterns for this kind of setup in Xano + WeWeb?
Any guidance or shared experience would be very helpful. Thanks!
You’re asking an important question that touches on both architecture and security, so it’s helpful to zoom out a bit before deciding on a specific setup. In practice, all three options you listed can work with a WeWeb + Xano stack; the “right” choice depends more on how you want to balance separation of concerns, maintenance overhead, and how fast your app is evolving.
For an overview of those trade‑offs, this article on monolithic vs decoupled architectures explains how combining everything in one system compares to splitting things into separate apps, especially around security boundaries, scalability, and long‑term maintenance. It’s written from a no‑code perspective and maps well to your “one backend vs multiple backends/frontends” question.
Security and architecture mindset
Rather than thinking of “more frontends/backends = more secure,” it’s usually more useful to think in terms of:
Clear roles and permissions defined in your backend (for example, Xano auth + role‑based access control).
Adding more user roles, routes, or pages in a single app does not automatically make things “less secure” if the backend is enforcing access correctly; it mostly makes your configuration more complex, not inherently more dangerous. If you’re comfortable sharing a bit more about what worries you (for example: “can portal users see ERP data?”, “how do I separate admin vs client data?”), it becomes much easier to point you to concrete patterns.
Recommended learning resources
Because you’re essentially designing a small multi‑tenant system, taking a bit of time to go through Level 2 of the WeWeb Academy is one of the best investments you can make. In particular:
These lessons, plus the monolithic vs decoupled article above, will give you the mental model you need to choose between “one app with roles” vs “separate apps that share a backend,” and whichever option you pick can then be implemented cleanly in Xano + WeWeb.
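To make the point in the answer concrete (the backend, not the frontend, is what enforces who sees which data, so adding portal roles to a shared Xano backend is a configuration question rather than an inherent risk), here is an added example in plain JavaScript. It is not code from the original post or from Xano/WeWeb; the roles (`admin`, `erp_staff`, `client`), the `client_id` tenant field, the record types and the sample rows are all assumptions made for illustration, standing in for what a Xano function stack would do with its own auth token and query filters. It contrasts a weak handler that trusts a tenant id sent by the caller with a hardened one that derives the tenant scope from the authenticated user, which is the failure mode the "can portal users see ERP data?" worry is about.

```javascript
// Added example, not part of the original post. Models a backend authorization
// check for a shared-backend setup (options B/C in the question). All names and
// data are constructed for illustration.

// Constructed sample data: two clients' invoices plus an internal ERP record.
const RECORDS = [
  { id: 1, type: "invoice", client_id: 10, amount: 120 },
  { id: 2, type: "invoice", client_id: 11, amount: 80 },
  { id: 3, type: "purchase_order", client_id: null, amount: 5000 }, // internal only
];

// Record types each role may read. Anything not listed is denied by default.
const ROLE_READ_TYPES = {
  admin: new Set(["invoice", "purchase_order"]),
  erp_staff: new Set(["invoice", "purchase_order"]),
  client: new Set(["invoice"]),
};

// Weak version: trusts a client_id supplied in the request. A portal user who
// edits the request body can read another tenant's invoices no matter which
// pages the WeWeb frontend hides from them, because page access rules are UI,
// not authorization.
function listRecordsWeak(requestedClientId) {
  return RECORDS.filter((r) => r.client_id === requestedClientId);
}

// Hardened version: the tenant scope comes from the authenticated user (what
// the backend derives from the auth token), never from request parameters, and
// the record type must be permitted for the user's role.
function listRecords(user) {
  if (!Object.prototype.hasOwnProperty.call(ROLE_READ_TYPES, user.role)) {
    throw new Error(`unknown role: ${user.role}`);
  }
  const allowed = ROLE_READ_TYPES[user.role];
  return RECORDS.filter((r) => {
    if (!allowed.has(r.type)) return false;
    // Client users are always pinned to their own tenant; internal records
    // (client_id null) never match a client.
    if (user.role === "client") return r.client_id === user.client_id;
    return true; // staff and admins see every tenant
  });
}

// Single-record read built on the same scoped query, so there is one place
// where the rule lives. Returns 404 rather than 403 for out-of-scope ids so a
// client cannot use the status code to enumerate other tenants' record ids.
function getRecord(user, id) {
  const rec = listRecords(user).find((r) => r.id === id);
  return rec ? { status: 200, body: rec } : { status: 404, body: null };
}

// Usage: a portal user from tenant 10 trying to reach tenant 11's data.
const portalUser = { id: 42, role: "client", client_id: 10 };
console.log(listRecordsWeak(11));      // leaks tenant 11's invoice
console.log(listRecords(portalUser));  // only tenant 10's invoice
console.log(getRecord(portalUser, 2)); // { status: 404, body: null }
```

The design choice worth copying into Xano is that every endpoint the portal can call reads `client_id` from the authenticated user record and applies the role's allow-list on the server side; whether the portal is a separate WeWeb app or a set of role-gated pages in the same app then only changes maintenance and UX, not the security boundary.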