1
Your Idea
2
Tech Stack
3
Setup
4
Structure
5
Database
6
Features
7
Test
8
Launch
⚡ Full-Stack SaaS Tech Stack
Every layer you need to ship a production SaaS — all free to start. Upgrade when you have paying users.
| Layer | Technology | Free Tier | What It Does | When to Upgrade |
|---|---|---|---|---|
| Frontend | Next.js 15 (App Router) | FREE | React framework with server-side rendering, routing, and API routes. The one framework that does everything. | Never — it scales to millions of users. |
| Language | TypeScript | FREE | Type-safe JavaScript. Catches errors at compile time, not in production. Required for maintainable SaaS. | Never. |
| Styling | Tailwind CSS | FREE | Utility-first CSS framework. Write styles as class names directly in JSX. No context switching. | Never — pairs with shadcn/ui for components. |
| Database + Auth | Supabase | FREE 500MB · 50K users | PostgreSQL database with built-in auth, Row Level Security, real-time subscriptions, storage, and edge functions. | $25/mo at ~50K active users or 8GB. |
| AI Provider | Groq AI | FREE 14,400 req/day | Fastest inference available. Runs LLaMA 3.3 70B. OpenAI-compatible API — swap providers by changing one URL. | $0.59/M tokens input — only when you have usage. |
| Deployment | Vercel | FREE Hobby plan | Zero-config deployment for Next.js. Push to GitHub → live in 45 seconds. Automatic preview URLs per branch. | $20/mo Pro for custom domains + team. |
| Version Control | GitHub | FREE | Store code, trigger Vercel deployments, manage issues and pull requests. The source of truth for your project. | Never for solo projects. |
| ORM / Query | Supabase JS SDK | FREE | Type-safe client for Supabase queries. Works on both server and client. No raw SQL needed for common operations. | Never — use SQL for complex queries. |
| UI Components | shadcn/ui | FREE | Copy-paste component library built on Radix UI + Tailwind. You own the code — no black box dependency. | Never — add Tremor for data viz if needed. |
| Icons | Lucide React | FREE | 600+ crisp SVG icons as React components. Tree-shakeable — only bundle what you use. | Never. |
💰 Monthly Cost by Growth Stage
💡 Idea Stage
$0
/month
• Next.js — free
• Supabase Free tier
• Groq AI free tier
• Vercel Hobby
• GitHub Free
• Supabase Free tier
• Groq AI free tier
• Vercel Hobby
• GitHub Free
🚀 Early Traction
$25
/month
• Supabase Pro ($25)
• Groq AI (~$5 usage)
• Vercel Hobby still fine
• Domain ($10/yr)
• Groq AI (~$5 usage)
• Vercel Hobby still fine
• Domain ($10/yr)
📈 Growing
$70
/month
• Supabase Pro ($25)
• Vercel Pro ($20)
• Groq AI (~$20 usage)
• Resend email ($5+)
• Vercel Pro ($20)
• Groq AI (~$20 usage)
• Resend email ($5+)
🏢 Scaling
$200+
/month
• Supabase Team ($599)
• Or self-hosted PG
• Multiple AI providers
• CDN, monitoring
• Or self-hosted PG
• Multiple AI providers
• CDN, monitoring
✅ SaaS Pre-Launch Checklist
🔐 Auth & Security
All protected routes redirect unauthenticated users to /login
Row Level Security enabled on ALL database tables
GROQ_API_KEY has no NEXT_PUBLIC_ prefix (server-only)
.env.local is in .gitignore — never committed
AI routes use server-side only (route.ts, not client)
🗄️ Database
Supabase project created in correct region
All tables have RLS policies (not just enabled)
user_id columns reference auth.users(id)
Indexes on user_id and created_at for performance
Schema tested with a real account before launch
🤖 AI Integration
System prompt clearly defines AI's role and constraints
User inputs sanitized before adding to prompts
Error handling if AI provider is down (try/catch)
AI responses validated before saving to DB
Rate limiting considered for API route
🚀 Deployment
All env vars set in Vercel project settings
Supabase URL in CORS allowed origins
Auth redirect URLs set in Supabase Dashboard
Production deployment tested end-to-end
Custom domain configured (or Vercel subdomain noted)
🧪 Functional Testing
New user registration → email confirmation → login works
Logged-in user can create, read, update, delete their data
AI feature generates output end-to-end in production
User A cannot see or edit User B's data
Mobile layout tested on actual device
📣 Marketing Ready
Landing page clearly states what the product does
Call-to-action above the fold ("Sign up free")
LinkedIn/Twitter launch post drafted and ready
Target communities identified (Reddit, Slack, Discord)
Feedback form or email configured for early users
⚖️ 10 Commandments of AI SaaS
Never expose API keys to the browser
Any key with NEXT_PUBLIC_ is in your client bundle. Any user can steal it. AI keys go in server-only code (route handlers, server actions) — never in components.
Enable Row Level Security on every table
RLS is not optional. Without it, any authenticated user can read every row in every table via the Supabase JS SDK. Enable RLS + write policies before inserting any real data.
Stay provider-agnostic by default
Use an AI provider with an OpenAI-compatible API (Groq, Together, OpenRouter). That way you switch providers by changing one URL — not your entire codebase.
Always wrap AI calls in try/catch
AI providers go down. Rate limits happen. Network timeouts are real. Unhandled promise rejections in production = white screens and angry users. Catch everything, return graceful errors.
Free tier first — validate before paid
Run on $0/month until you have users who pay. Supabase free (500MB), Groq free (14K req/day), Vercel Hobby — enough to validate any SaaS idea. Add cost only when you add revenue.
Sanitize all user input before prompts
Prompt injection is the AI equivalent of SQL injection. A user can type "Ignore all previous instructions…" and hijack your AI's behavior. Trim, validate, and constrain user inputs before inserting into system or user prompts.
Engineer your system prompt, not your UI
The system prompt is where AI product quality lives. 90% of your AI behavior is determined by a well-crafted system prompt. Spend more time on prompt engineering than on UI components.
Commit .env.local to .gitignore immediately
The #1 security mistake by beginners. Create .gitignore before your first commit. Once a secret is in git history, it's compromised — even after deletion.
Test the auth flow on every deployment
Auth is the most common source of production bugs. After every deployment, manually: (1) register new user, (2) confirm email, (3) log in, (4) log out, (5) access a protected page unauthenticated.
Ship ugly first, polish later
No one has ever failed because their MVP was too ugly. They fail because they spent 3 months perfecting a UI no one wants. Get to "working + deployed" in days, not months. Real users give better feedback than imagined ones.
🔑 Common Errors & Fixes
| Error | Cause | Fix |
|---|---|---|
| AuthSessionMissingError | No active session — user not logged in or session expired | Check auth.getUser() before accessing protected routes. Middleware re-auth. |
| new row violates RLS policy | INSERT denied because user_id doesn't match auth.uid() | Make sure you're passing user_id: user.id in insert. RLS policy must match auth.uid(). |
| GROQ_API_KEY not defined | Environment variable missing in deployment | Add GROQ_API_KEY in Vercel → Project → Settings → Environment Variables. Redeploy. |
| NEXT_REDIRECT error in try/catch | redirect() throws internally in Next.js 15 — caught by your try/catch | Never wrap redirect() in try/catch. Call it outside the catch block. |
| fetch failed (ERR_CERT_*) | Invalid SUPABASE_URL — missing https:// or wrong project ref | Copy URL from Supabase Dashboard → Project Settings → API. Include full URL with https://. |
| AuthApiError: invalid API key | Wrong anon key or key copied with whitespace | Copy anon key from Supabase Dashboard → Project Settings → API → anon public. |
| Module not found '@/lib/supabase' | Import path wrong or file not created | Create lib/supabase/client.ts and lib/supabase/server.ts. Check tsconfig paths. |