Authentication
Email + password sign-up and sign-in [Already]
With email verification and a secure password reset flow.
OAuth (Google, GitHub, or equivalent) [Already]
Social login reduces friction. Add at least one provider.
Magic link / passwordless email [Already]
One-click login for users who forget passwords.
TOTP 2FA (authenticator app) [Already]
Required for any B2B product. Users expect it.
Passkeys (WebAuthn) [Already]
Phishing-resistant and passwordless. Increasingly standard.
Email enumeration protection [Already]
Sign-in errors should not reveal whether an email exists.
Rate limiting on auth endpoints [Already]
Block brute-force and credential stuffing attempts.
Auth event audit log [Already]
Log every sign-in with timestamp, IP, and device. Needed for compliance.
Billing & Payments
Payment processor integration (Stripe) [Already]
Subscriptions, one-time payments, or both, wired end-to-end.
Idempotent webhook handler [Already]
Stripe retries failed webhooks, so processing the same event twice must be safe.
Dead-letter queue for failed webhook events [Already]
Silently dropped events are silent revenue bugs. Persist failures and alert on them.
Plan-based feature gating [Already]
Limit features by plan tier. Check on every request, not just at sign-in.
Customer billing portal [Already]
Let customers update payment methods and cancel without contacting support.
Trial period + grace period [Already]
A grace period prevents instant churn on a failed payment and gives users time to update their card.
Billing notifications / dunning emails [Already]
Warn users before the trial ends, when a payment fails, and when the subscription renews.
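As an added example (not code from the Already kit), the two items above combined: an idempotent handler that marks an event processed only after its side effects succeed, and dead-letters every failure instead of dropping it. A Set, a Map and an array stand in for the database tables, and the event is a constructed Stripe-style subset; in a real deployment the event id is inserted under a unique constraint in the same transaction as the side effects.

```typescript
// Added example, not the Already kit's code. In-memory stand-ins for DB tables.
type WebhookEvent = {
  id: string;
  type: string;
  data: { object: Record<string, unknown> };
};
type Outcome = "processed" | "duplicate" | "failed";

const processedEventIds = new Set<string>();      // stand-in: processed_events table (unique on id)
const attemptCounts = new Map<string, number>();  // stand-in: per-event retry counter
const deadLetterQueue: { eventId: string; error: string; attempt: number }[] = [];

// Business side effect for one event type; throws to simulate a failure mid-processing.
function applyEvent(event: WebhookEvent, activeCustomers: Set<string>): void {
  if (event.type !== "customer.subscription.created") return; // unhandled types are a no-op
  const customer = event.data.object["customer"];
  if (typeof customer !== "string") throw new Error(`event ${event.id}: missing customer id`);
  activeCustomers.add(customer);
}

// Returns the outcome; responseStatus maps it to the HTTP status Stripe sees.
function handleWebhook(event: WebhookEvent, activeCustomers: Set<string>): Outcome {
  // 1. Replay check: Stripe may redeliver an event it already delivered.
  if (processedEventIds.has(event.id)) return "duplicate";
  const attempt = (attemptCounts.get(event.id) ?? 0) + 1;
  attemptCounts.set(event.id, attempt);
  try {
    applyEvent(event, activeCustomers);
    // 2. Mark as processed only after the side effects succeeded, so a crash
    //    before this point leaves the event eligible for retry.
    processedEventIds.add(event.id);
    return "processed";
  } catch (err) {
    // 3. Never drop a failure silently: persist it for alerting and replay.
    deadLetterQueue.push({ eventId: event.id, error: String(err), attempt });
    return "failed";
  }
}

// A 2xx tells Stripe to stop retrying; a 5xx asks it to retry later.
function responseStatus(outcome: Outcome): number {
  return outcome === "failed" ? 500 : 200;
}
```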
Multi-tenancy & Orgs
Organisation / workspace model [Already]
All resources belong to an org. Users can be members of multiple orgs.
Role-based access control (RBAC) [Already]
At minimum: owner, admin, member. Enforced at both the route and query layers.
Member invitations by email [Already]
Invite flow with token expiry and role assignment on accept.
Row-level security at the database layer [Already]
Postgres RLS policies ensure tenants can't read each other's data even if the query logic has a bug.
Query-layer tenant scoping [Already]
Every query automatically filters by org_id. Don't rely on developers remembering to add it.
Admin dashboard with impersonation [Already]
See what any user sees without knowing their password. Essential for support.
Security
Content Security Policy (CSP) with nonces [Already]
Mitigates XSS. Nonce-based CSP avoids unsafe-inline and works with SSR.
HSTS + secure transport headers [Already]
Strict-Transport-Security, X-Frame-Options, Referrer-Policy, X-Content-Type-Options.
API rate limiting [Already]
Per-user and per-IP limits. Prevent abuse of expensive or sensitive endpoints.
Bot and scraper detection [Already]
Block bots on sign-up and sensitive actions. Separate from rate limiting.
File upload validation + MIME type checks [Already]
Validate the file type server-side. Never trust the Content-Type header alone.
Suspicious activity detection [Already]
Geo anomalies, new-device flags, login velocity. Alert users on unusual activity.
Secrets not committed to source control [Already]
.env in .gitignore, no real keys in .env.example. Use a secrets manager or Keychain injection.
Dependency vulnerability scanning in CI [Already]
npm audit, Dependabot, or Snyk. Automate what you won't check manually.
API keys for external access (hashed at rest) [Already]
Store only the hash. Show the key once, on creation. Scope each key by capability.
Input sanitization on AI / user-generated content [build]
Prompt injection and malicious input are real attack vectors for AI-powered SaaS.
Performance
LCP < 2.5s and INP < 200ms [Already]
Google's Core Web Vitals thresholds. Measure with field data, not just lab data.
CLS < 0.1 (no layout shift on load) [Already]
Specify image dimensions. Avoid inserting content above the fold after load.
Bundle size budget enforced in CI [Already]
Track JS bundle size. Alert when a dependency adds unexpected weight.
Database connection pooling [Already]
Serverless functions open new connections on every invocation. Pool via PgBouncer or the Supabase pooler.
Indexes on all foreign keys and filter columns [Already]
Missing indexes are the most common cause of slow queries in production.
Static generation or Partial Prerendering where possible [Already]
Marketing pages should be static. PPR (Next.js 15) enables hybrid rendering per page.
Observability
Error monitoring with source maps (Sentry) [Already]
Catch exceptions before users report them. Source maps show the real line number.
Real-user performance monitoring [Already]
Lab tests don't catch field issues. PostHog, Vercel Analytics, or Datadog RUM.
Health check endpoint [Already]
/api/health returns DB status and app version. Required for uptime monitors.
Background job failure tracking [Already]
Failed cron jobs and queue workers fail silently unless you alert on them explicitly.
Structured logging (JSON format) [build]
Parseable logs make it possible to search, alert, and correlate issues in production.
External uptime monitoring [build]
Checkly, Better Uptime, or equivalent. Alerts when your health endpoint stops responding.
Developer Experience
One-command local dev setup [Already]
New devs should be running locally in under 10 minutes. If they aren't, fix it.
Type-safe environment variable validation [Already]
Fail at startup if a required env var is missing. Run Zod on process.env at boot time.
Database migration tooling [Already]
Track schema changes in version control. Run migrations in CI before deploying.
Seed script for local development [Already]
Deterministic test data makes onboarding and debugging much faster.
Lint + format check in CI [Already]
Code style debates belong in config, not code review. ESLint + Prettier on every PR.
TypeScript strict mode check in CI [Already]
tsc --noEmit on every PR. Catches type errors before they reach production.
Unit and integration tests (Vitest) [Already]
Cover business logic, billing edge cases, and auth flows at minimum.
End-to-end tests (Playwright) [Already]
Sign-up, onboarding, and billing flows. Catch regressions before users do.
Component library / Storybook [Already]
Document and visually test UI components in isolation.
AI Integration
Multi-provider AI (Anthropic, OpenAI, Google) [Already]
Abstract the provider. Swap models without changing your application code.
Per-user AI credits ledger [Already]
Track and limit AI spend per user or org. Needed before you go to production.
Streaming AI responses [Already]
Stream tokens to the client. Non-streamed AI feels broken for anything over 2 seconds.
AI-native developer context (CLAUDE.md / Cursor rules) [Already]
Configure your AI coding assistant with codebase context. Drastically improves output quality.
Prompt injection protection [build]
Validate and sanitize user content before inserting it into prompts. Document your trust boundaries.

Skip the checklist. Already ships 57 of 62.

Auth, billing, multi-tenancy, security, observability, AI integration, and GDPR compliance — all wired together in a single Next.js starter kit. Buy once, own the code.

Get Already — $199 →

Solo $199 · Team $399 · early-bird until June 24