The latest articles on DEV Community by Aadesh Kumar (@aadesh-kumar). https://dev.to/aadesh-kumar https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3865005%2Fb57c0c89-8020-4b16-9fa9-cd7b88063b21.jpg https://dev.to/aadesh-kumar en Aadesh Kumar Mon, 27 Apr 2026 06:08:36 +0000 https://dev.to/aadesh-kumar/how-to-add-ai-features-to-your-saas-app-without-breaking-everything-4li4 https://dev.to/aadesh-kumar/how-to-add-ai-features-to-your-saas-app-without-breaking-everything-4li4 <h3> LLM integrations look simple in demos. In production, they fail in ways most tutorials never cover. </h3> <p><strong>What you will learn in this guide:</strong></p> <ul> <li>How to structure an LLM integration that does not block your API</li> <li>How to implement streaming responses for better user experience</li> <li>How to manage token costs before they become a budget problem</li> <li>How to version prompts without redeploying your application</li> <li>How to build graceful fallback when the AI call fails or times out</li> </ul> <h2> The Problem With Most AI Integration Tutorials </h2> <p>Most LLM integration guides stop at "call the API, log the response." That is enough to demo. It is not enough to ship.</p> <p>Production AI features fail in ways that do not appear in tutorials: the LLM API times out under load, a prompt that worked in testing generates hallucinated output with slightly different user input, token costs spike 10x when a user submits a longer-than-expected document, and the entire feature breaks every other feature when the AI call blocks the event loop.</p> <p>This guide covers the integration patterns that prevent those failures — in Node.js with Express, using the Anthropic and OpenAI APIs as the reference implementations. The patterns apply to any LLM provider.</p> <h2> Step 1: Structure the Integration to Not Block Your API </h2> <p>The single most common mistake in first-pass LLM integrations is making a synchronous API call to the LLM provider inside a request handler. LLM calls are slow — typically 1–15 seconds for a full response depending on output length. Blocking the request handler for that duration under concurrent load will saturate your server.</p> <p><strong>Wrong approach:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// DON'T do this — blocks the event loop under concurrent load</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/summarize</span><span class="dl">'</span><span class="p">,</span> <span class="nx">requireAuth</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">text</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="c1">// This can take 5-15 seconds — terrible under concurrent requests</span> <span class="kd">const</span> <span class="nx">completion</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">openai</span><span class="p">.</span><span class="nx">chat</span><span class="p">.</span><span class="nx">completions</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="dl">'</span><span class="s1">gpt-4o</span><span class="dl">'</span><span class="p">,</span> <span class="na">messages</span><span class="p">:</span> <span class="p">[{</span> <span class="na">role</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="s2">`Summarize: </span><span class="p">${</span><span class="nx">text</span><span class="p">}</span><span class="s2">`</span> <span class="p">}]</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">summary</span><span class="p">:</span> <span class="nx">completion</span><span class="p">.</span><span class="nx">choices</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">message</span><span class="p">.</span><span class="nx">content</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p><strong>Correct approach for long-running AI tasks — use a background job:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">Queue</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">bull</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">aiQueue</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Queue</span><span class="p">(</span><span class="dl">'</span><span class="s1">ai-tasks</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">redis</span><span class="p">:</span> <span class="p">{</span> <span class="na">url</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REDIS_URL</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// Route handler: enqueue the job, return immediately</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/summarize</span><span class="dl">'</span><span class="p">,</span> <span class="nx">requireAuth</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">text</span><span class="p">,</span> <span class="nx">documentId</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">job</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">aiQueue</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="dl">'</span><span class="s1">summarize</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">documentId</span><span class="p">,</span> <span class="nx">text</span> <span class="p">});</span> <span class="c1">// Return job ID immediately — client polls or receives result via websocket</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">202</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">jobId</span><span class="p">:</span> <span class="nx">job</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">processing</span><span class="dl">'</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Status endpoint — client polls this</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/summarize/:jobId</span><span class="dl">'</span><span class="p">,</span> <span class="nx">requireAuth</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">job</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">aiQueue</span><span class="p">.</span><span class="nf">getJob</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">jobId</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">job</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">404</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Job not found</span><span class="dl">'</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">state</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">job</span><span class="p">.</span><span class="nf">getState</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nx">job</span><span class="p">.</span><span class="nx">returnvalue</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">jobId</span><span class="p">:</span> <span class="nx">job</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="nx">state</span><span class="p">,</span> <span class="na">result</span><span class="p">:</span> <span class="nx">result</span> <span class="o">||</span> <span class="kc">null</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Worker processes the job outside the request lifecycle</span> <span class="nx">aiQueue</span><span class="p">.</span><span class="nf">process</span><span class="p">(</span><span class="dl">'</span><span class="s1">summarize</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">job</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">userId</span><span class="p">,</span> <span class="nx">documentId</span><span class="p">,</span> <span class="nx">text</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">job</span><span class="p">.</span><span class="nx">data</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">completion</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">openai</span><span class="p">.</span><span class="nx">chat</span><span class="p">.</span><span class="nx">completions</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="dl">'</span><span class="s1">gpt-4o</span><span class="dl">'</span><span class="p">,</span> <span class="na">messages</span><span class="p">:</span> <span class="p">[{</span> <span class="na">role</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="nf">buildSummaryPrompt</span><span class="p">(</span><span class="nx">text</span><span class="p">)</span> <span class="p">}],</span> <span class="na">max_tokens</span><span class="p">:</span> <span class="mi">500</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">summary</span> <span class="o">=</span> <span class="nx">completion</span><span class="p">.</span><span class="nx">choices</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">message</span><span class="p">.</span><span class="nx">content</span><span class="p">;</span> <span class="c1">// Persist the result</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">documents</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="nx">summary</span> <span class="p">},</span> <span class="p">{</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">documentId</span><span class="p">,</span> <span class="nx">userId</span> <span class="p">}</span> <span class="p">});</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">summary</span><span class="p">,</span> <span class="nx">documentId</span> <span class="p">};</span> <span class="p">});</span> </code></pre> </div> <p>For features where the user is waiting in the UI and needs a real-time response — a chat interface, an inline text suggestion — streaming is the correct approach instead of background jobs.</p> <h2> Step 2: Implement Streaming Responses </h2> <p>Streaming returns tokens to the client as they are generated rather than waiting for the full response. For the user, this is the difference between a blank screen for 8 seconds and text appearing incrementally within 500ms.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Streaming endpoint using Server-Sent Events (SSE)</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/chat/stream</span><span class="dl">'</span><span class="p">,</span> <span class="nx">requireAuth</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">message</span><span class="p">,</span> <span class="nx">conversationId</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">;</span> <span class="c1">// Set SSE headers</span> <span class="nx">res</span><span class="p">.</span><span class="nf">setHeader</span><span class="p">(</span><span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">text/event-stream</span><span class="dl">'</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">setHeader</span><span class="p">(</span><span class="dl">'</span><span class="s1">Cache-Control</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">no-cache</span><span class="dl">'</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">setHeader</span><span class="p">(</span><span class="dl">'</span><span class="s1">Connection</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">keep-alive</span><span class="dl">'</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">setHeader</span><span class="p">(</span><span class="dl">'</span><span class="s1">X-Accel-Buffering</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">no</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Disable Nginx buffering</span> <span class="nx">res</span><span class="p">.</span><span class="nf">flushHeaders</span><span class="p">();</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">stream</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">openai</span><span class="p">.</span><span class="nx">chat</span><span class="p">.</span><span class="nx">completions</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="dl">'</span><span class="s1">gpt-4o</span><span class="dl">'</span><span class="p">,</span> <span class="na">messages</span><span class="p">:</span> <span class="k">await</span> <span class="nf">buildConversationHistory</span><span class="p">(</span><span class="nx">conversationId</span><span class="p">,</span> <span class="nx">message</span><span class="p">),</span> <span class="na">max_tokens</span><span class="p">:</span> <span class="mi">1000</span><span class="p">,</span> <span class="na">stream</span><span class="p">:</span> <span class="kc">true</span> <span class="c1">// Enable streaming</span> <span class="p">});</span> <span class="kd">let</span> <span class="nx">fullContent</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="k">for</span> <span class="k">await </span><span class="p">(</span><span class="kd">const</span> <span class="nx">chunk</span> <span class="k">of</span> <span class="nx">stream</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">delta</span> <span class="o">=</span> <span class="nx">chunk</span><span class="p">.</span><span class="nx">choices</span><span class="p">[</span><span class="mi">0</span><span class="p">]?.</span><span class="nx">delta</span><span class="p">?.</span><span class="nx">content</span> <span class="o">||</span> <span class="dl">''</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">delta</span><span class="p">)</span> <span class="p">{</span> <span class="nx">fullContent</span> <span class="o">+=</span> <span class="nx">delta</span><span class="p">;</span> <span class="c1">// Send token to client</span> <span class="nx">res</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="s2">`data: </span><span class="p">${</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">token</span><span class="p">:</span> <span class="nx">delta</span> <span class="p">})}</span><span class="s2">\n\n`</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Detect end of stream</span> <span class="k">if </span><span class="p">(</span><span class="nx">chunk</span><span class="p">.</span><span class="nx">choices</span><span class="p">[</span><span class="mi">0</span><span class="p">]?.</span><span class="nx">finish_reason</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">stop</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Persist the full response</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">messages</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="nx">conversationId</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="dl">'</span><span class="s1">assistant</span><span class="dl">'</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="nx">fullContent</span> <span class="p">});</span> <span class="c1">// Signal completion to client</span> <span class="nx">res</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="s2">`data: </span><span class="p">${</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">done</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})}</span><span class="s2">\n\n`</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">end</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Send error event to client so the UI can respond gracefully</span> <span class="nx">res</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="s2">`data: </span><span class="p">${</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span> <span class="p">})}</span><span class="s2">\n\n`</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">end</span><span class="p">();</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p><strong>Client-side SSE consumption:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">streamAIResponse</span><span class="p">(</span><span class="nx">message</span><span class="p">,</span> <span class="nx">conversationId</span><span class="p">,</span> <span class="nx">onToken</span><span class="p">,</span> <span class="nx">onComplete</span><span class="p">,</span> <span class="nx">onError</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">({</span> <span class="nx">message</span><span class="p">,</span> <span class="nx">conversationId</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">eventSource</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">EventSource</span><span class="p">(</span><span class="s2">`/api/chat/stream?</span><span class="p">${</span><span class="nx">params</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">eventSource</span><span class="p">.</span><span class="nx">onmessage</span> <span class="o">=</span> <span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">data</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="nf">onToken</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">token</span><span class="p">);</span> <span class="c1">// Append token to UI</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">done</span><span class="p">)</span> <span class="p">{</span> <span class="nx">eventSource</span><span class="p">.</span><span class="nf">close</span><span class="p">();</span> <span class="nf">onComplete</span><span class="p">();</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">eventSource</span><span class="p">.</span><span class="nf">close</span><span class="p">();</span> <span class="nf">onError</span><span class="p">(</span><span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">error</span><span class="p">));</span> <span class="p">}</span> <span class="p">};</span> <span class="nx">eventSource</span><span class="p">.</span><span class="nx">onerror</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">eventSource</span><span class="p">.</span><span class="nf">close</span><span class="p">();</span> <span class="nf">onError</span><span class="p">(</span><span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Stream connection failed</span><span class="dl">'</span><span class="p">));</span> <span class="p">};</span> <span class="c1">// Return cleanup function</span> <span class="k">return </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">eventSource</span><span class="p">.</span><span class="nf">close</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Step 3: Manage Token Costs Before They Manage You </h2> <p>Token costs are invisible in development and punishing in production. A feature that costs $0.002 per call with a 500-token input becomes $2.00 per call when a user submits a 50,000-word document.</p> <p><strong>Enforce input length limits at the application layer:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">encode</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">gpt-tokenizer</span><span class="dl">'</span><span class="p">);</span> <span class="kd">function</span> <span class="nf">validateTokenBudget</span><span class="p">(</span><span class="nx">text</span><span class="p">,</span> <span class="nx">maxInputTokens</span> <span class="o">=</span> <span class="mi">4000</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">tokenCount</span> <span class="o">=</span> <span class="nf">encode</span><span class="p">(</span><span class="nx">text</span><span class="p">).</span><span class="nx">length</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">tokenCount</span> <span class="o">&gt;</span> <span class="nx">maxInputTokens</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span> <span class="s2">`Input too long: </span><span class="p">${</span><span class="nx">tokenCount</span><span class="p">}</span><span class="s2"> tokens (maximum: </span><span class="p">${</span><span class="nx">maxInputTokens</span><span class="p">}</span><span class="s2">). `</span> <span class="o">+</span> <span class="s2">`Please shorten your input by approximately </span><span class="p">${</span><span class="nx">tokenCount</span> <span class="o">-</span> <span class="nx">maxInputTokens</span><span class="p">}</span><span class="s2"> tokens.`</span> <span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">tokenCount</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Usage in route handler</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/summarize</span><span class="dl">'</span><span class="p">,</span> <span class="nx">requireAuth</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">inputTokens</span> <span class="o">=</span> <span class="nf">validateTokenBudget</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">text</span><span class="p">,</span> <span class="mi">4000</span><span class="p">);</span> <span class="c1">// Proceed with AI call</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">,</span> <span class="na">code</span><span class="p">:</span> <span class="dl">'</span><span class="s1">TOKEN_LIMIT_EXCEEDED</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p><strong>Track usage per user for cost attribution and abuse prevention:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">trackAIUsage</span><span class="p">(</span><span class="nx">userId</span><span class="p">,</span> <span class="nx">feature</span><span class="p">,</span> <span class="nx">inputTokens</span><span class="p">,</span> <span class="nx">outputTokens</span><span class="p">,</span> <span class="nx">model</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">costs</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">gpt-4o</span><span class="dl">'</span><span class="p">:</span> <span class="p">{</span> <span class="na">input</span><span class="p">:</span> <span class="mf">0.0000025</span><span class="p">,</span> <span class="na">output</span><span class="p">:</span> <span class="mf">0.00001</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">claude-sonnet-4-20250514</span><span class="dl">'</span><span class="p">:</span> <span class="p">{</span> <span class="na">input</span><span class="p">:</span> <span class="mf">0.000003</span><span class="p">,</span> <span class="na">output</span><span class="p">:</span> <span class="mf">0.000015</span> <span class="p">}</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">modelCosts</span> <span class="o">=</span> <span class="nx">costs</span><span class="p">[</span><span class="nx">model</span><span class="p">]</span> <span class="o">||</span> <span class="p">{</span> <span class="na">input</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="na">output</span><span class="p">:</span> <span class="mi">0</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">estimatedCost</span> <span class="o">=</span> <span class="p">(</span><span class="nx">inputTokens</span> <span class="o">*</span> <span class="nx">modelCosts</span><span class="p">.</span><span class="nx">input</span><span class="p">)</span> <span class="o">+</span> <span class="p">(</span><span class="nx">outputTokens</span> <span class="o">*</span> <span class="nx">modelCosts</span><span class="p">.</span><span class="nx">output</span><span class="p">);</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">aiUsage</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="nx">userId</span><span class="p">,</span> <span class="nx">feature</span><span class="p">,</span> <span class="nx">model</span><span class="p">,</span> <span class="nx">inputTokens</span><span class="p">,</span> <span class="nx">outputTokens</span><span class="p">,</span> <span class="na">estimatedCostUsd</span><span class="p">:</span> <span class="nx">estimatedCost</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">()</span> <span class="p">});</span> <span class="c1">// Check monthly spend limit per user</span> <span class="kd">const</span> <span class="nx">monthlySpend</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">aiUsage</span><span class="p">.</span><span class="nf">sum</span><span class="p">(</span><span class="dl">'</span><span class="s1">estimatedCostUsd</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="nx">userId</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="p">{</span> <span class="p">[</span><span class="nx">Op</span><span class="p">.</span><span class="nx">gte</span><span class="p">]:</span> <span class="nf">startOfMonth</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">monthlySpend</span> <span class="o">&gt;</span> <span class="nx">USER_MONTHLY_AI_LIMIT_USD</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Monthly AI usage limit reached</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Use caching for repeated identical requests:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">crypto</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span><span class="p">);</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">cachedCompletion</span><span class="p">(</span><span class="nx">prompt</span><span class="p">,</span> <span class="nx">options</span> <span class="o">=</span> <span class="p">{})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">cacheKey</span> <span class="o">=</span> <span class="s2">`ai:</span><span class="p">${</span><span class="nx">crypto</span><span class="p">.</span><span class="nf">createHash</span><span class="p">(</span><span class="dl">'</span><span class="s1">sha256</span><span class="dl">'</span><span class="p">).</span><span class="nf">update</span><span class="p">(</span><span class="nx">prompt</span><span class="p">).</span><span class="nf">digest</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">)}</span><span class="s2">`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">cached</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">cacheKey</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">cached</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">cached</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">openai</span><span class="p">.</span><span class="nx">chat</span><span class="p">.</span><span class="nx">completions</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="dl">'</span><span class="s1">gpt-4o</span><span class="dl">'</span><span class="p">,</span> <span class="na">messages</span><span class="p">:</span> <span class="p">[{</span> <span class="na">role</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="nx">prompt</span> <span class="p">}],</span> <span class="p">...</span><span class="nx">options</span> <span class="p">});</span> <span class="c1">// Cache for 1 hour — adjust based on how dynamic the content needs to be</span> <span class="k">await</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">cacheKey</span><span class="p">,</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">result</span><span class="p">),</span> <span class="p">{</span> <span class="na">EX</span><span class="p">:</span> <span class="mi">3600</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">result</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Caching is particularly effective for features like document classification, tag suggestion, and sentiment analysis — where the same input frequently reappears across users.</p> <h2> Step 4: Version Your Prompts Without Redeploying </h2> <p>Prompts are logic. When a prompt changes, behavior changes. Hardcoding prompts inside application code means every prompt iteration requires a code deployment — slowing iteration and making rollback difficult.</p> <p><strong>Store prompts in the database with versioning:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">prompt_templates</span> <span class="p">(</span> <span class="n">id</span> <span class="n">UUID</span> <span class="k">PRIMARY</span> <span class="k">KEY</span> <span class="k">DEFAULT</span> <span class="n">gen_random_uuid</span><span class="p">(),</span> <span class="n">feature</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="k">version</span> <span class="nb">INTEGER</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">is_active</span> <span class="nb">BOOLEAN</span> <span class="k">DEFAULT</span> <span class="k">FALSE</span><span class="p">,</span> <span class="k">template</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">created_at</span> <span class="nb">TIMESTAMP</span> <span class="k">DEFAULT</span> <span class="n">NOW</span><span class="p">(),</span> <span class="k">UNIQUE</span><span class="p">(</span><span class="n">feature</span><span class="p">,</span> <span class="k">version</span><span class="p">)</span> <span class="p">);</span> <span class="c1">-- Only one active version per feature</span> <span class="k">CREATE</span> <span class="k">UNIQUE</span> <span class="k">INDEX</span> <span class="n">idx_active_prompt</span> <span class="k">ON</span> <span class="n">prompt_templates</span> <span class="p">(</span><span class="n">feature</span><span class="p">)</span> <span class="k">WHERE</span> <span class="n">is_active</span> <span class="o">=</span> <span class="k">TRUE</span><span class="p">;</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Prompt management service</span> <span class="kd">class</span> <span class="nc">PromptService</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">()</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">cache</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Map</span><span class="p">();</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">getPrompt</span><span class="p">(</span><span class="nx">feature</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Cache in memory for 5 minutes to avoid DB hits on every request</span> <span class="k">if </span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">cache</span><span class="p">.</span><span class="nf">has</span><span class="p">(</span><span class="nx">feature</span><span class="p">))</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">prompt</span><span class="p">,</span> <span class="nx">cachedAt</span> <span class="p">}</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">cache</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">feature</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">-</span> <span class="nx">cachedAt</span> <span class="o">&lt;</span> <span class="mi">300000</span><span class="p">)</span> <span class="k">return</span> <span class="nx">prompt</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">template</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">promptTemplates</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="nx">feature</span><span class="p">,</span> <span class="na">isActive</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">template</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`No active prompt found for feature: </span><span class="p">${</span><span class="nx">feature</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">cache</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">feature</span><span class="p">,</span> <span class="p">{</span> <span class="na">prompt</span><span class="p">:</span> <span class="nx">template</span><span class="p">.</span><span class="nx">template</span><span class="p">,</span> <span class="na">cachedAt</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">template</span><span class="p">.</span><span class="nx">template</span><span class="p">;</span> <span class="p">}</span> <span class="nf">buildPrompt</span><span class="p">(</span><span class="nx">template</span><span class="p">,</span> <span class="nx">variables</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">template</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">\{\{(\w</span><span class="sr">+</span><span class="se">)\}\}</span><span class="sr">/g</span><span class="p">,</span> <span class="p">(</span><span class="nx">_</span><span class="p">,</span> <span class="nx">key</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="nx">key</span> <span class="k">in</span> <span class="nx">variables</span><span class="p">))</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Missing prompt variable: </span><span class="p">${</span><span class="nx">key</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">return</span> <span class="nx">variables</span><span class="p">[</span><span class="nx">key</span><span class="p">];</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">promptService</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PromptService</span><span class="p">();</span> <span class="c1">// Usage</span> <span class="kd">const</span> <span class="nx">template</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">promptService</span><span class="p">.</span><span class="nf">getPrompt</span><span class="p">(</span><span class="dl">'</span><span class="s1">document-summary</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">prompt</span> <span class="o">=</span> <span class="nx">promptService</span><span class="p">.</span><span class="nf">buildPrompt</span><span class="p">(</span><span class="nx">template</span><span class="p">,</span> <span class="p">{</span> <span class="na">documentText</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">text</span><span class="p">,</span> <span class="na">outputLanguage</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">preferredLanguage</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">English</span><span class="dl">'</span><span class="p">,</span> <span class="na">maxLength</span><span class="p">:</span> <span class="dl">'</span><span class="s1">3 sentences</span><span class="dl">'</span> <span class="p">});</span> </code></pre> </div> <p>This pattern lets non-engineering team members iterate on prompts through an admin interface without touching application code, and enables instant rollback by deactivating one version and activating the previous one.</p> <h2> Step 5: Build Graceful Fallback for AI Failures </h2> <p>LLM APIs have outages. They return 429 rate limit errors. They time out. An AI feature that makes the rest of your application unavailable when the LLM provider has an incident is a reliability problem waiting to happen.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">class</span> <span class="nc">AIService</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">()</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">timeout</span> <span class="o">=</span> <span class="mi">30000</span><span class="p">;</span> <span class="c1">// 30 second timeout</span> <span class="k">this</span><span class="p">.</span><span class="nx">retryAttempts</span> <span class="o">=</span> <span class="mi">2</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">retryDelay</span> <span class="o">=</span> <span class="mi">1000</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">complete</span><span class="p">(</span><span class="nx">prompt</span><span class="p">,</span> <span class="nx">options</span> <span class="o">=</span> <span class="p">{})</span> <span class="p">{</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">attempt</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">attempt</span> <span class="o">&lt;=</span> <span class="k">this</span><span class="p">.</span><span class="nx">retryAttempts</span><span class="p">;</span> <span class="nx">attempt</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">controller</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AbortController</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">timeoutId</span> <span class="o">=</span> <span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nx">controller</span><span class="p">.</span><span class="nf">abort</span><span class="p">(),</span> <span class="k">this</span><span class="p">.</span><span class="nx">timeout</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">openai</span><span class="p">.</span><span class="nx">chat</span><span class="p">.</span><span class="nx">completions</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span> <span class="p">{</span> <span class="na">model</span><span class="p">:</span> <span class="dl">'</span><span class="s1">gpt-4o</span><span class="dl">'</span><span class="p">,</span> <span class="na">messages</span><span class="p">:</span> <span class="p">[{</span> <span class="na">role</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="nx">prompt</span> <span class="p">}],</span> <span class="p">...</span><span class="nx">options</span> <span class="p">},</span> <span class="p">{</span> <span class="na">signal</span><span class="p">:</span> <span class="nx">controller</span><span class="p">.</span><span class="nx">signal</span> <span class="p">}</span> <span class="p">);</span> <span class="nf">clearTimeout</span><span class="p">(</span><span class="nx">timeoutId</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="nx">result</span><span class="p">.</span><span class="nx">choices</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">message</span><span class="p">.</span><span class="nx">content</span> <span class="p">};</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">isRetryable</span> <span class="o">=</span> <span class="nx">err</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="mi">429</span> <span class="o">||</span> <span class="nx">err</span><span class="p">.</span><span class="nx">status</span> <span class="o">&gt;=</span> <span class="mi">500</span> <span class="o">||</span> <span class="nx">err</span><span class="p">.</span><span class="nx">name</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">AbortError</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">isLastAttempt</span> <span class="o">=</span> <span class="nx">attempt</span> <span class="o">===</span> <span class="k">this</span><span class="p">.</span><span class="nx">retryAttempts</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isRetryable</span> <span class="o">||</span> <span class="nx">isLastAttempt</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">,</span> <span class="na">code</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">status</span> <span class="p">};</span> <span class="p">}</span> <span class="c1">// Exponential backoff between retries</span> <span class="k">await</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">(</span><span class="nx">r</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">r</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">retryDelay</span> <span class="o">*</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">pow</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="nx">attempt</span><span class="p">)));</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Route handler with graceful degradation</span> <span class="kd">const</span> <span class="nx">aiService</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AIService</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/documents/:id/suggest-tags</span><span class="dl">'</span><span class="p">,</span> <span class="nx">requireAuth</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nb">document</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">documents</span><span class="p">.</span><span class="nf">findByPk</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">prompt</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">buildTagSuggestionPrompt</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">content</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">aiService</span><span class="p">.</span><span class="nf">complete</span><span class="p">(</span><span class="nx">prompt</span><span class="p">,</span> <span class="p">{</span> <span class="na">max_tokens</span><span class="p">:</span> <span class="mi">100</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">result</span><span class="p">.</span><span class="nx">success</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Graceful fallback: return empty suggestions rather than an error</span> <span class="c1">// Log the failure for monitoring</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">AI tag suggestion failed:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">result</span><span class="p">.</span><span class="nx">error</span><span class="p">);</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">tags</span><span class="p">:</span> <span class="p">[],</span> <span class="na">source</span><span class="p">:</span> <span class="dl">'</span><span class="s1">fallback</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Automatic tag suggestions are temporarily unavailable</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">tags</span> <span class="o">=</span> <span class="nf">parseTagsFromCompletion</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">data</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">tags</span><span class="p">,</span> <span class="na">source</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ai</span><span class="dl">'</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>The key principle: an AI feature should degrade gracefully, not fail loudly. A tag suggestion that returns empty results is acceptable. A tag suggestion that throws an unhandled exception and crashes the document view is not.</p> <h2> AI Builders and LLM Integration in 2026 </h2> <p>A growing category of full-stack AI builders now generates LLM integration scaffolding as part of the application output — including streaming handlers, prompt storage patterns, and token tracking. For teams evaluating whether to build this infrastructure from scratch, platforms like <a href="https://app.imagine.bo" rel="noopener noreferrer">imagine.bo</a> include AI feature scaffolding in their generated backends, which can compress the initial integration work significantly.</p> <p>For teams reviewing generated LLM integration code or building their own, the patterns above represent the production baseline. Generated scaffolding is a starting point; understanding why each pattern exists is what allows you to extend and debug it.</p> <h2> Testing AI Integrations </h2> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Mock the LLM client in tests — never call the real API in unit tests</span> <span class="nx">jest</span><span class="p">.</span><span class="nf">mock</span><span class="p">(</span><span class="dl">'</span><span class="s1">openai</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">chat</span><span class="p">:</span> <span class="p">{</span> <span class="na">completions</span><span class="p">:</span> <span class="p">{</span> <span class="na">create</span><span class="p">:</span> <span class="nx">jest</span><span class="p">.</span><span class="nf">fn</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}));</span> <span class="nf">describe</span><span class="p">(</span><span class="dl">'</span><span class="s1">Document summarization</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">returns summary on successful AI call</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">openai</span><span class="p">.</span><span class="nx">chat</span><span class="p">.</span><span class="nx">completions</span><span class="p">.</span><span class="nx">create</span><span class="p">.</span><span class="nf">mockResolvedValue</span><span class="p">({</span> <span class="na">choices</span><span class="p">:</span> <span class="p">[{</span> <span class="na">message</span><span class="p">:</span> <span class="p">{</span> <span class="na">content</span><span class="p">:</span> <span class="dl">'</span><span class="s1">This is a test summary.</span><span class="dl">'</span> <span class="p">},</span> <span class="na">finish_reason</span><span class="p">:</span> <span class="dl">'</span><span class="s1">stop</span><span class="dl">'</span> <span class="p">}]</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">request</span><span class="p">(</span><span class="nx">app</span><span class="p">)</span> <span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/summarize</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Authorization</span><span class="dl">'</span><span class="p">,</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">testToken</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">.</span><span class="nf">send</span><span class="p">({</span> <span class="na">text</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Sample document text</span><span class="dl">'</span><span class="p">,</span> <span class="na">documentId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">doc-123</span><span class="dl">'</span> <span class="p">});</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">status</span><span class="p">).</span><span class="nf">toBe</span><span class="p">(</span><span class="mi">202</span><span class="p">);</span> <span class="c1">// Accepted for processing</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">jobId</span><span class="p">).</span><span class="nf">toBeDefined</span><span class="p">();</span> <span class="p">});</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">returns fallback response when AI call fails</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">openai</span><span class="p">.</span><span class="nx">chat</span><span class="p">.</span><span class="nx">completions</span><span class="p">.</span><span class="nx">create</span><span class="p">.</span><span class="nf">mockRejectedValue</span><span class="p">(</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">assign</span><span class="p">(</span><span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Service unavailable</span><span class="dl">'</span><span class="p">),</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">503</span> <span class="p">})</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">request</span><span class="p">(</span><span class="nx">app</span><span class="p">)</span> <span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/documents/doc-123/suggest-tags</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Authorization</span><span class="dl">'</span><span class="p">,</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">testToken</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">status</span><span class="p">).</span><span class="nf">toBe</span><span class="p">(</span><span class="mi">200</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">tags</span><span class="p">).</span><span class="nf">toEqual</span><span class="p">([]);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">source</span><span class="p">).</span><span class="nf">toBe</span><span class="p">(</span><span class="dl">'</span><span class="s1">fallback</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h2> Common Questions </h2> <p><strong>Which LLM provider should I use in 2026?</strong><br> The honest answer is: it depends on the task. OpenAI's GPT-4o and Anthropic's Claude models are the two most widely used in production SaaS integrations. For code generation tasks, Claude consistently performs well. For multimodal tasks involving images, GPT-4o has broader support. Running both behind an abstraction layer and switching based on task type is a pattern used by teams with high AI feature density.</p> <p><strong>How do I prevent users from abusing AI features?</strong><br> Rate limiting at the user level, monthly token budgets, and input length validation are the three primary controls. Implementing all three is appropriate for any AI feature with non-trivial per-call cost. Requiring a paid plan to access AI features is also a common and legitimate approach.</p> <p><strong>Should AI features be synchronous or asynchronous?</strong><br> It depends on the expected latency. Features where users expect an instant response — inline text suggestions, short completions — should use streaming. Features where users understand processing will take time — document analysis, report generation — should use background jobs with status polling or websocket updates.</p> <p><strong>How do I handle LLM hallucinations in production?</strong><br> For factual tasks, constrain the output format to structured JSON and validate the response against a schema before using it. For tasks where hallucination is particularly costly — financial data, medical context, legal summaries — add a human review step before surfacing AI output to end users. For general-purpose text generation, disclosing that content is AI-generated and providing an edit interface is the standard approach.</p> <h2> Further Reading </h2> <ul> <li> <a href="https://platform.openai.com/docs/api-reference/streaming" rel="noopener noreferrer">OpenAI API Reference — Streaming</a> — official streaming implementation docs</li> <li> <a href="https://docs.anthropic.com" rel="noopener noreferrer">Anthropic API Documentation</a> — Claude API reference including streaming and tool use</li> <li> <a href="https://github.com/OptimalBits/bull" rel="noopener noreferrer">Bull Queue Documentation</a> — background job processing for Node.js</li> <li> <a href="https://www.npmjs.com/package/gpt-tokenizer" rel="noopener noreferrer">gpt-tokenizer on npm</a> — client-side token counting before API calls</li> </ul> <p><em>Tags: webdev, ai, saas, javascript</em></p> webdev ai sass javascript Aadesh Kumar Sat, 25 Apr 2026 06:32:27 +0000 https://dev.to/aadesh-kumar/10-questions-every-non-technical-founder-should-ask-before-their-first-web-app-build-34g0 https://dev.to/aadesh-kumar/10-questions-every-non-technical-founder-should-ask-before-their-first-web-app-build-34g0 <blockquote> <p><strong>TL;DR:</strong> Most non-technical founders pick a build approach (no-code, freelancer, agency, AI tool, hybrid platform) before they've defined what "done" looks like. The result is rebuilds, rewrites, and bills nobody planned for. This post gives you ten questions to ask yourself — and any vendor — before you commit to a build path. Use it as a checklist on your next call.</p> </blockquote> <p>If you're a non-technical founder about to build your first web app, the riskiest moment isn't the code. It's the conversation you have <em>before</em> the code. The decisions you make in that conversation — scope, ownership, hosting, what happens when something breaks at 2am — quietly determine whether you're shipping a product or buying a future rewrite.</p> <p>You don't need to become a developer to make this decision well. You need a checklist. Here it is.</p> <h2> 1. Who owns the code, and where does it live? </h2> <p>The first question, always. If your answer is "I'm not sure" or "the platform owns it," stop and resolve that before anything else.</p> <p><strong>What to ask:</strong></p> <ul> <li>Will I get a Git repository I own? (Ideally on GitHub, GitLab, or Bitbucket under your account.)</li> <li>Can I export everything if I leave?</li> <li>Are there any platform-locked components I can't take with me?</li> </ul> <p>No-code platforms often own the runtime — meaning even if you can export "your data," you can't take the workflows, the UI, or the logic. That's a real choice with real trade-offs, but it has to be a choice you made consciously.</p> <h2> 2. What's the realistic timeline, broken into milestones? </h2> <p>"Six weeks" is not a timeline. "Auth and onboarding by week 2, Stripe integration by week 4, beta launch by week 6" is a timeline.</p> <p><strong>What to ask:</strong></p> <ul> <li>What are the weekly or bi-weekly milestones?</li> <li>What's the demo cadence? (You should see something working at least every two weeks.)</li> <li>What happens if a milestone slips — who flags it, and how early?</li> </ul> <p>If a vendor can't break the project into milestones with concrete deliverables, they haven't planned the project. They're estimating.</p> <h2> 3. How will payments and authentication actually work? </h2> <p>These are the two highest-risk parts of almost every web app. They're also where AI tools and inexperienced developers introduce subtle, expensive bugs.</p> <p><strong>What to ask:</strong></p> <ul> <li>Are we using <a href="https://stripe.com" rel="noopener noreferrer">Stripe</a> (or another battle-tested provider)? If something custom — why?</li> <li>How are we handling password resets, email verification, session timeouts, and account recovery?</li> <li>What happens if a Stripe webhook fails or fires twice? (The correct answer involves the word "idempotent.")</li> </ul> <p>If you don't get specific answers — or if the answer is "the AI handles it" — that's the warning sign.</p> <h2> 4. What's actually in scope, and what's "phase 2"? </h2> <p>The biggest source of project pain isn't the work that gets done. It's the work everyone <em>assumed</em> was included.</p> <p><strong>What to ask:</strong></p> <ul> <li>Can I see a written feature list with every screen, every user role, every integration?</li> <li>For each item, is it phase 1 (in scope, in budget) or phase 2 (later)?</li> <li>What's explicitly <em>out</em> of scope?</li> </ul> <p>A mature vendor or platform will have this list. If it's verbal, write it down yourself before you sign anything. The <a href="https://www.joelonsoftware.com/2000/08/09/the-joel-test-12-steps-to-better-code/" rel="noopener noreferrer">Joel Test</a> is from 2000 and still useful — its core idea, that having explicit specs matters, is even more true now.</p> <h2> 5. Where will the app run, and what does that cost monthly? </h2> <p>Hosting feels boring until it shows up as a $400/month surprise.</p> <p><strong>What to ask:</strong></p> <ul> <li>What hosting provider — Vercel, AWS, Render, Fly, something else?</li> <li>What's the expected monthly cost at launch, at 100 users, at 1,000 users?</li> <li>What database, and what's its monthly cost?</li> <li>Are there third-party services (email, file storage, search) with their own bills?</li> </ul> <p>A reasonable answer for a small SaaS in 2026 is something like: $0–$30/month at launch, $50–$200/month at 1,000 users. If you're hearing $500+/month before any users exist, ask why.</p> <h2> 6. How will I know when something breaks? </h2> <p>Apps break. The only question is whether you find out from your monitoring or from an angry customer email.</p> <p><strong>What to ask:</strong></p> <ul> <li>Is <a href="https://sentry.io" rel="noopener noreferrer">Sentry</a> (or equivalent error tracking) wired up from day one?</li> <li>Are there uptime checks? Where do alerts go?</li> <li>How are logs stored, and for how long?</li> <li>If a payment fails silently, how would I find out?</li> </ul> <p>"We'll add monitoring later" is the answer that costs you your first ten paying customers.</p> <h2> 7. Who fixes it when something breaks? </h2> <p>Related but different. Monitoring tells you something's wrong. Someone has to actually fix it.</p> <p><strong>What to ask:</strong></p> <ul> <li>After launch, who's on the hook for bug fixes?</li> <li>Is post-launch support included, hourly, or a separate retainer?</li> <li>What's the response time for a critical bug — hours, days, or "next sprint"?</li> <li>If my freelancer or agency disappears, what's my Plan B?</li> </ul> <p>Bus factor of one is a real risk. If your entire post-launch support is one person's part-time attention, your app's reliability is one family emergency away from a problem.</p> <h2> 8. Can the app evolve, or am I locked into the first version? </h2> <p>Every successful product looks different at month twelve than it did at launch. Your build approach has to support that.</p> <p><strong>What to ask:</strong></p> <ul> <li>If I want to add a feature in six months, what's the realistic cost and timeline?</li> <li>If I outgrow the platform/vendor, what's the migration path?</li> <li>Is there technical debt being accepted now that I'll pay for later? (A good answer names specific trade-offs. A bad answer denies the existence of trade-offs.)</li> <li>Are dependencies kept up to date, or am I getting a snapshot of "best practices" as of today?</li> </ul> <p>Approaches like a <a href="https://app.imagine.bo" rel="noopener noreferrer">hybrid AI + human app-building platform</a> are popular partly because they aim to give you a real codebase you can extend later — but the same principle applies whether you're hiring an agency, a freelancer, or using a no-code tool. Always ask: <em>what does month twelve look like?</em></p> <h2> 9. What does the day-to-day actually look like for me? </h2> <p>The non-technical founder's most expensive resource is their own time. If your build approach requires you to translate, manage, and re-explain constantly, the price isn't just the invoice.</p> <p><strong>What to ask:</strong></p> <ul> <li>How many hours per week do I need to spend on this?</li> <li>What's the communication channel — Slack, email, weekly calls?</li> <li>Do I get a project tracker I can see? (Linear, Jira, Notion, GitHub Projects.)</li> <li>If I'm busy for two weeks, does the project keep moving?</li> </ul> <p>Some build approaches assume you're a full-time PM. Others assume you're hands-off. Neither is wrong, but you need to know which one you're signing up for.</p> <h2> 10. What happens at the moment of first paying customer? </h2> <p>This is the question that surfaces gaps faster than any other. Walk through the actual sequence.</p> <p><strong>What to ask:</strong></p> <ul> <li>A customer arrives at the landing page. What loads, how fast?</li> <li>They sign up. What email do they get? What does the verify flow look like?</li> <li>They pay. Where does the receipt come from? What happens if the card declines?</li> <li>They run into a bug. Where does the report go? Who responds?</li> <li>They want a refund. What's the process, and who handles it?</li> </ul> <p>If your vendor or platform can't walk you through this end-to-end, the gaps in their answer are the gaps in your future product.</p> <h2> Common pitfalls </h2> <ul> <li> <strong>Skipping the questions because the vendor seems professional.</strong> Polished sales does not mean polished delivery. Ask anyway.</li> <li> <strong>Optimizing for the lowest quote.</strong> A $5K build that requires $20K of fixes is not a $5K build.</li> <li> <strong>Believing demos.</strong> Every tool's marketing video shows the happy path. Ask to see a production app built end-to-end on the platform — with a real user count.</li> <li> <strong>Assuming AI tools handle the boring parts.</strong> Authentication, billing, error handling, and security are the boring parts. They're also where AI-only builds tend to fail. Make sure a human owns them.</li> <li> <strong>Not writing answers down.</strong> Verbal commitments evaporate. If it matters, it's in writing.</li> </ul> <h2> Quick checklist: print this and bring it to the call </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>#</th> <th>Question</th> <th>What a good answer looks like</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>Who owns the code?</td> <td>"You do, in your own Git repo."</td> </tr> <tr> <td>2</td> <td>What's the milestone breakdown?</td> <td>A weekly or bi-weekly schedule with demos</td> </tr> <tr> <td>3</td> <td>How are auth and payments handled?</td> <td>Stripe + battle-tested auth, with idempotent webhooks</td> </tr> <tr> <td>4</td> <td>What's in scope vs. phase 2?</td> <td>A written, itemized list</td> </tr> <tr> <td>5</td> <td>What's monthly hosting cost?</td> <td>A specific dollar range at three usage tiers</td> </tr> <tr> <td>6</td> <td>How will I know when it breaks?</td> <td>Sentry + uptime monitoring + alert routing</td> </tr> <tr> <td>7</td> <td>Who fixes bugs post-launch?</td> <td>Named person or team, response-time SLA</td> </tr> <tr> <td>8</td> <td>What's the path to add features later?</td> <td>Real codebase, named migration paths</td> </tr> <tr> <td>9</td> <td>What's my time commitment?</td> <td>Specific hours/week + communication cadence</td> </tr> <tr> <td>10</td> <td>Walk me through first paying customer?</td> <td>End-to-end story with no gaps</td> </tr> </tbody> </table></div> <h2> FAQ </h2> <h3> Should I just hire an agency and let them handle this? </h3> <p>Agencies can be great if you have $50K+ and need a lot of hand-holding. They tend to be expensive for early-stage MVPs and can be slow to iterate post-launch. The questions in this post apply to agencies just as much as to any other approach — don't assume "agency" means "thorough."</p> <h3> Are AI coding tools good enough for a real product yet? </h3> <p>For prototypes and internal tools, yes. For customer-facing products with real money or sensitive data, AI tools alone usually need a human pass on the parts that matter most — auth, payments, security, deploys. The hybrid approaches that pair AI scaffolding with engineering review are increasingly common for exactly this reason.</p> <h3> What's the realistic budget for a year-one MVP today? </h3> <p>For a B2B SaaS or marketplace MVP with auth, billing, and a basic dashboard: roughly $10K–$25K with AI scaffolding plus targeted engineering, $30K–$80K with a traditional agency. Costs have come down significantly in the last 18 months as AI scaffolding has improved.</p> <h3> Do I need to learn to code to ask these questions well? </h3> <p>No. You need to be able to read the answers critically. If a vendor's response is vague, technical-sounding, or dodges the specifics, that's a signal regardless of your background. Trust your "this doesn't quite add up" instinct.</p> <h3> What if the vendor pushes back on these questions? </h3> <p>A good vendor will welcome them. A great vendor will have most of the answers ready before you ask. A vendor who pushes back — "we don't usually share that" or "trust the process" — is telling you something important about how the project will go.</p> <h2> Final thought </h2> <p>The non-technical founders who succeed on their first build aren't the ones who picked the perfect vendor or the perfect platform. They're the ones who walked into the conversation with a list and didn't sign anything until the answers were specific. None of these questions require technical knowledge. They require the discipline to keep asking until the answers are concrete.</p> <p>Bring this checklist to your next call. Ask the questions. Write down the answers. The vendor or platform that handles it well is the one worth your money.</p> beginners startup founder webdev Aadesh Kumar Thu, 23 Apr 2026 10:29:03 +0000 https://dev.to/aadesh-kumar/how-to-add-stripe-subscriptions-to-an-ai-generated-app-step-by-step-gea https://dev.to/aadesh-kumar/how-to-add-stripe-subscriptions-to-an-ai-generated-app-step-by-step-gea <h3> Most Stripe tutorials stop at the payment form. This one covers what comes after. </h3> <p><strong>What you will learn in this guide:</strong></p> <ul> <li>How to configure Stripe Billing products and price objects correctly from the start</li> <li>How to build the checkout session flow for subscription plans</li> <li>How to handle Stripe webhooks reliably — including the two events most tutorials omit</li> <li>How to manage subscription state in your database across plan changes, upgrades, and cancellations</li> <li>How to surface a working billing portal without building one from scratch</li> </ul> <h2> Why Stripe Subscriptions Are Harder Than They Look </h2> <p>Stripe's documentation is thorough. It is also large enough that developers routinely wire up payment forms, test a successful charge, and ship — without realizing that the critical parts of a subscription integration happen <em>after</em> the initial payment.</p> <p>Subscription management means handling renewals, failed payments, plan upgrades, downgrades, and cancellations — all asynchronously, via webhooks, with state that has to be reflected accurately in your own database.</p> <p>AI-generated apps frequently scaffold the checkout flow correctly but leave the post-payment state management incomplete. This guide fills that gap.</p> <p>The code examples use Node.js with Express, but the architectural patterns apply to any backend stack.</p> <h2> Step 1: Set Up Your Stripe Products and Prices </h2> <p>Before writing any code, the Stripe dashboard configuration determines how flexible and maintainable your billing logic will be.</p> <p><strong>Create a Product</strong> in the Stripe dashboard for each tier of your SaaS (e.g., Starter, Pro, Enterprise). Products are the high-level concept; Prices are the billing intervals and amounts attached to them.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Creating a product and price via Stripe API (can also be done in dashboard)</span> <span class="kd">const</span> <span class="nx">stripe</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">stripe</span><span class="dl">'</span><span class="p">)(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">STRIPE_SECRET_KEY</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">product</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">stripe</span><span class="p">.</span><span class="nx">products</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Pro Plan</span><span class="dl">'</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Full access to all features</span><span class="dl">'</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">price</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">stripe</span><span class="p">.</span><span class="nx">prices</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">unit_amount</span><span class="p">:</span> <span class="mi">4900</span><span class="p">,</span> <span class="c1">// $49.00 in cents</span> <span class="na">currency</span><span class="p">:</span> <span class="dl">'</span><span class="s1">usd</span><span class="dl">'</span><span class="p">,</span> <span class="na">recurring</span><span class="p">:</span> <span class="p">{</span> <span class="na">interval</span><span class="p">:</span> <span class="dl">'</span><span class="s1">month</span><span class="dl">'</span> <span class="p">},</span> <span class="na">product</span><span class="p">:</span> <span class="nx">product</span><span class="p">.</span><span class="nx">id</span> <span class="p">});</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Price ID:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">price</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="c1">// Store this Price ID — you will reference it in checkout sessions</span> </code></pre> </div> <p><strong>Key principle:</strong> Store your Price IDs in environment variables, not hardcoded in your application. When you add annual billing or change a plan's price, you update a variable rather than hunting through code.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># .env</span> <span class="nv">STRIPE_SECRET_KEY</span><span class="o">=</span>sk_live_xxxxxxxx <span class="nv">STRIPE_WEBHOOK_SECRET</span><span class="o">=</span>whsec_xxxxxxxx <span class="nv">STRIPE_PRO_MONTHLY_PRICE_ID</span><span class="o">=</span>price_xxxxxxxx <span class="nv">STRIPE_PRO_ANNUAL_PRICE_ID</span><span class="o">=</span>price_xxxxxxxx </code></pre> </div> <h2> Step 2: Build the Checkout Session </h2> <p>Stripe Checkout handles the payment form, card validation, and 3D Secure authentication. The correct approach is to create a server-side Checkout Session and redirect the user — never build a custom payment form for subscriptions unless you have a specific regulatory requirement.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// POST /api/billing/create-checkout-session</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/billing/create-checkout-session</span><span class="dl">'</span><span class="p">,</span> <span class="nx">requireAuth</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">priceId</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Retrieve or create a Stripe customer for this user</span> <span class="kd">let</span> <span class="nx">customerId</span> <span class="o">=</span> <span class="nx">user</span><span class="p">.</span><span class="nx">stripeCustomerId</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">customerId</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">customer</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">stripe</span><span class="p">.</span><span class="nx">customers</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">email</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">metadata</span><span class="p">:</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="c1">// Critical: links Stripe customer to your DB user</span> <span class="p">});</span> <span class="nx">customerId</span> <span class="o">=</span> <span class="nx">customer</span><span class="p">.</span><span class="nx">id</span><span class="p">;</span> <span class="c1">// Persist the customer ID immediately</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">users</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="na">stripeCustomerId</span><span class="p">:</span> <span class="nx">customerId</span> <span class="p">},</span> <span class="p">{</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">stripe</span><span class="p">.</span><span class="nx">checkout</span><span class="p">.</span><span class="nx">sessions</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">customer</span><span class="p">:</span> <span class="nx">customerId</span><span class="p">,</span> <span class="na">payment_method_types</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">card</span><span class="dl">'</span><span class="p">],</span> <span class="na">line_items</span><span class="p">:</span> <span class="p">[{</span> <span class="na">price</span><span class="p">:</span> <span class="nx">priceId</span><span class="p">,</span> <span class="na">quantity</span><span class="p">:</span> <span class="mi">1</span> <span class="p">}],</span> <span class="na">mode</span><span class="p">:</span> <span class="dl">'</span><span class="s1">subscription</span><span class="dl">'</span><span class="p">,</span> <span class="na">success_url</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">APP_URL</span><span class="p">}</span><span class="s2">/dashboard?billing=success`</span><span class="p">,</span> <span class="na">cancel_url</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">APP_URL</span><span class="p">}</span><span class="s2">/pricing`</span><span class="p">,</span> <span class="na">subscription_data</span><span class="p">:</span> <span class="p">{</span> <span class="na">metadata</span><span class="p">:</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="c1">// Attach user ID to the subscription too</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">url</span><span class="p">:</span> <span class="nx">session</span><span class="p">.</span><span class="nx">url</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Checkout session error:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">err</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Failed to create checkout session</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>The <code>metadata: { userId: user.id }</code> on both the customer and the subscription is the most commonly missed step in AI-generated integrations. Without it, webhook handlers cannot reliably map Stripe events back to users in your database.</p> <h2> Step 3: Handle Webhooks — The Part Most Tutorials Skip </h2> <p>Webhook handling is where subscription integrations succeed or fail. Stripe sends events for every billing lifecycle change. Your application needs to listen for and process these events to keep your database in sync.</p> <p><strong>First, set up webhook signature verification.</strong> This confirms the event came from Stripe and not a malicious request.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// POST /api/billing/webhook</span> <span class="c1">// IMPORTANT: This route must use raw body parsing, not JSON parsing</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/billing/webhook</span><span class="dl">'</span><span class="p">,</span> <span class="nx">express</span><span class="p">.</span><span class="nf">raw</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">}),</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">sig</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">stripe-signature</span><span class="dl">'</span><span class="p">];</span> <span class="kd">let</span> <span class="nx">event</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">event</span> <span class="o">=</span> <span class="nx">stripe</span><span class="p">.</span><span class="nx">webhooks</span><span class="p">.</span><span class="nf">constructEvent</span><span class="p">(</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">,</span> <span class="nx">sig</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">STRIPE_WEBHOOK_SECRET</span> <span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Webhook signature verification failed:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">);</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="s2">`Webhook Error: </span><span class="p">${</span><span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Process the event</span> <span class="k">await</span> <span class="nf">handleStripeEvent</span><span class="p">(</span><span class="nx">event</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">received</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">}</span> <span class="p">);</span> </code></pre> </div> <p><strong>The <code>express.raw()</code> middleware on the webhook route is non-negotiable.</strong> Stripe's signature verification requires the raw request body. If <code>express.json()</code> parses it first, verification will fail every time.</p> <p><strong>Now handle the events that actually matter:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">handleStripeEvent</span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">type</span><span class="p">,</span> <span class="nx">data</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">event</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">object</span> <span class="o">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">object</span><span class="p">;</span> <span class="k">switch </span><span class="p">(</span><span class="nx">type</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Subscription created (after successful first payment)</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">customer.subscription.created</span><span class="dl">'</span><span class="p">:</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">subscriptions</span><span class="p">.</span><span class="nf">upsert</span><span class="p">({</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">object</span><span class="p">.</span><span class="nx">metadata</span><span class="p">.</span><span class="nx">userId</span><span class="p">,</span> <span class="na">stripeSubscriptionId</span><span class="p">:</span> <span class="nx">object</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">stripePriceId</span><span class="p">:</span> <span class="nx">object</span><span class="p">.</span><span class="nx">items</span><span class="p">.</span><span class="nx">data</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">price</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="nx">object</span><span class="p">.</span><span class="nx">status</span><span class="p">,</span> <span class="na">currentPeriodEnd</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">object</span><span class="p">.</span><span class="nx">current_period_end</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">),</span> <span class="na">cancelAtPeriodEnd</span><span class="p">:</span> <span class="nx">object</span><span class="p">.</span><span class="nx">cancel_at_period_end</span> <span class="p">});</span> <span class="k">break</span><span class="p">;</span> <span class="c1">// Subscription updated (plan change, renewal, etc.)</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">customer.subscription.updated</span><span class="dl">'</span><span class="p">:</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">subscriptions</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="na">stripePriceId</span><span class="p">:</span> <span class="nx">object</span><span class="p">.</span><span class="nx">items</span><span class="p">.</span><span class="nx">data</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">price</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="nx">object</span><span class="p">.</span><span class="nx">status</span><span class="p">,</span> <span class="na">currentPeriodEnd</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">object</span><span class="p">.</span><span class="nx">current_period_end</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">),</span> <span class="na">cancelAtPeriodEnd</span><span class="p">:</span> <span class="nx">object</span><span class="p">.</span><span class="nx">cancel_at_period_end</span> <span class="p">},</span> <span class="p">{</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">stripeSubscriptionId</span><span class="p">:</span> <span class="nx">object</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">});</span> <span class="k">break</span><span class="p">;</span> <span class="c1">// Subscription cancelled or payment permanently failed</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">customer.subscription.deleted</span><span class="dl">'</span><span class="p">:</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">subscriptions</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">canceled</span><span class="dl">'</span> <span class="p">},</span> <span class="p">{</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">stripeSubscriptionId</span><span class="p">:</span> <span class="nx">object</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">});</span> <span class="k">break</span><span class="p">;</span> <span class="c1">// THIS IS THE EVENT MOST TUTORIALS MISS #1</span> <span class="c1">// Triggered on each successful renewal payment</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">invoice.payment_succeeded</span><span class="dl">'</span><span class="p">:</span> <span class="k">if </span><span class="p">(</span><span class="nx">object</span><span class="p">.</span><span class="nx">billing_reason</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">subscription_cycle</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">subscriptions</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">active</span><span class="dl">'</span><span class="p">,</span> <span class="na">currentPeriodEnd</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">object</span><span class="p">.</span><span class="nx">lines</span><span class="p">.</span><span class="nx">data</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">period</span><span class="p">.</span><span class="nx">end</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">)</span> <span class="p">},</span> <span class="p">{</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">stripeSubscriptionId</span><span class="p">:</span> <span class="nx">object</span><span class="p">.</span><span class="nx">subscription</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="k">break</span><span class="p">;</span> <span class="c1">// THIS IS THE EVENT MOST TUTORIALS MISS #2</span> <span class="c1">// Triggered when a renewal payment fails</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">invoice.payment_failed</span><span class="dl">'</span><span class="p">:</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">subscriptions</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">past_due</span><span class="dl">'</span> <span class="p">},</span> <span class="p">{</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">stripeSubscriptionId</span><span class="p">:</span> <span class="nx">object</span><span class="p">.</span><span class="nx">subscription</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// Optionally: trigger an email notification to the user</span> <span class="k">await</span> <span class="nf">sendPaymentFailedEmail</span><span class="p">(</span><span class="nx">object</span><span class="p">.</span><span class="nx">customer_email</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="nl">default</span><span class="p">:</span> <span class="c1">// Unhandled event type — log and continue</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Unhandled Stripe event: </span><span class="p">${</span><span class="nx">type</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><code>invoice.payment_succeeded</code> on <code>subscription_cycle</code> is how your database learns that a subscription has renewed for another month. Without this handler, your <code>currentPeriodEnd</code> date will expire and you will incorrectly restrict access to paying customers.</p> <p><code>invoice.payment_failed</code> is how you detect and respond to failed renewals before Stripe's dunning process results in cancellation. Applications that handle this event can surface in-app notices to users, trigger email nudges, and prevent unnecessary churn.</p> <h2> Step 4: Model Subscription State in Your Database </h2> <p>The webhook handlers above depend on a <code>subscriptions</code> table that reflects Stripe's state. A minimal schema:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">subscriptions</span> <span class="p">(</span> <span class="n">id</span> <span class="n">UUID</span> <span class="k">PRIMARY</span> <span class="k">KEY</span> <span class="k">DEFAULT</span> <span class="n">gen_random_uuid</span><span class="p">(),</span> <span class="n">user_id</span> <span class="n">UUID</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">REFERENCES</span> <span class="n">users</span><span class="p">(</span><span class="n">id</span><span class="p">),</span> <span class="n">stripe_subscription_id</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">255</span><span class="p">)</span> <span class="k">UNIQUE</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">stripe_price_id</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">255</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">status</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">50</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="c1">-- active, past_due, canceled, trialing</span> <span class="n">current_period_end</span> <span class="nb">TIMESTAMP</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">cancel_at_period_end</span> <span class="nb">BOOLEAN</span> <span class="k">DEFAULT</span> <span class="k">FALSE</span><span class="p">,</span> <span class="n">created_at</span> <span class="nb">TIMESTAMP</span> <span class="k">DEFAULT</span> <span class="n">NOW</span><span class="p">(),</span> <span class="n">updated_at</span> <span class="nb">TIMESTAMP</span> <span class="k">DEFAULT</span> <span class="n">NOW</span><span class="p">()</span> <span class="p">);</span> </code></pre> </div> <p>Gate feature access using the <code>status</code> and <code>current_period_end</code> columns — not just <code>status</code> alone. A subscription in <code>past_due</code> status may still have access until the period ends, depending on your product's grace period policy.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Middleware to check subscription access</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">requireActiveSubscription</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">subscription</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">subscriptions</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">isActive</span> <span class="o">=</span> <span class="nx">subscription</span> <span class="o">&amp;&amp;</span> <span class="p">[</span><span class="dl">'</span><span class="s1">active</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">trialing</span><span class="dl">'</span><span class="p">].</span><span class="nf">includes</span><span class="p">(</span><span class="nx">subscription</span><span class="p">.</span><span class="nx">status</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">subscription</span><span class="p">.</span><span class="nx">currentPeriodEnd</span><span class="p">)</span> <span class="o">&gt;</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isActive</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Active subscription required</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> 🔗 Step 5: Surface the Billing Portal </h2> <p>Stripe's Customer Portal handles plan changes, payment method updates, and cancellations — without you building any of that UI.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// POST /api/billing/portal</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/billing/portal</span><span class="dl">'</span><span class="p">,</span> <span class="nx">requireAuth</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">stripe</span><span class="p">.</span><span class="nx">billingPortal</span><span class="p">.</span><span class="nx">sessions</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">customer</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">stripeCustomerId</span><span class="p">,</span> <span class="na">return_url</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">APP_URL</span><span class="p">}</span><span class="s2">/dashboard`</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">url</span><span class="p">:</span> <span class="nx">session</span><span class="p">.</span><span class="nx">url</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Failed to open billing portal</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>Enable the portal in the Stripe dashboard under <strong>Settings &gt; Billing &gt; Customer Portal</strong> before testing. Configure which plans customers can switch between and whether they can cancel immediately or at period end.</p> <h2> Where AI-Generated Apps Fit Into This </h2> <p>Some full-stack AI builders scaffold portions of the Stripe integration as part of their generated output. The scaffold quality varies significantly — checkout session creation is commonly handled, but webhook infrastructure and subscription state management are frequently incomplete.</p> <p>Platforms like <a href="https://app.imagine.bo" rel="noopener noreferrer">this hybrid builder</a> include Stripe and PayPal scaffolding as part of the generated application, with webhook handlers and subscription state management included by default. For teams evaluating whether to build the billing layer from scratch or use pre-scaffolded output, the practical difference is several days of integration work and debugging — primarily in the webhook handling and state management layers covered in this guide.</p> <h2> Testing Your Integration End-to-End </h2> <p>Use Stripe's test mode and the Stripe CLI to simulate the full billing lifecycle before going live:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install Stripe CLI and listen for local webhooks</span> stripe listen <span class="nt">--forward-to</span> localhost:3000/api/billing/webhook <span class="c"># Simulate specific events</span> stripe trigger customer.subscription.created stripe trigger invoice.payment_failed stripe trigger customer.subscription.deleted </code></pre> </div> <p>Test cards for specific scenarios:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scenario</th> <th>Card Number</th> </tr> </thead> <tbody> <tr> <td>Successful payment</td> <td>4242 4242 4242 4242</td> </tr> <tr> <td>Payment requires authentication</td> <td>4000 0025 0000 3155</td> </tr> <tr> <td>Payment declined</td> <td>4000 0000 0000 9995</td> </tr> <tr> <td>Insufficient funds</td> <td>4000 0000 0000 9995</td> </tr> </tbody> </table></div> <p>Run through the full cycle: subscribe → renew → fail a payment → recover → cancel. Each transition should produce the correct status update in your database.</p> <h2> Common Questions </h2> <p><strong>Why does my webhook keep returning 400 errors?</strong><br><br> The most common cause is JSON body parsing running before the raw body parser on the webhook route. Ensure <code>express.raw()</code> is applied specifically to <code>/api/billing/webhook</code> and that <code>express.json()</code> is not globally applied before it.</p> <p><strong>Should I use Stripe Checkout or a custom payment form?</strong><br><br> Stripe Checkout handles 3D Secure, card validation, tax calculation, and localization automatically. Custom payment forms require explicit handling of all of these. For SaaS subscriptions, Checkout is the correct starting point for the large majority of use cases.</p> <p><strong>How do I handle the period between a failed payment and subscription cancellation?</strong><br><br> Stripe's dunning configuration (in dashboard settings) determines how many retry attempts are made and over what period. During this window, the subscription status is <code>past_due</code>. Surfacing an in-app banner to users in <code>past_due</code> status — directing them to the billing portal to update their payment method — reduces involuntary churn significantly.</p> <p><strong>Can I let users switch between monthly and annual plans?</strong><br><br> Yes, via the Stripe Customer Portal or by using <code>stripe.subscriptions.update()</code> with a new price ID and <code>proration_behavior: 'create_prorations'</code>. The billing portal handles this with no code required if configured correctly.</p> <h2> Further Reading </h2> <ul> <li> <a href="https://stripe.com/docs/billing/subscriptions/overview" rel="noopener noreferrer">Stripe Subscription Billing Docs</a> — the authoritative reference</li> <li> <a href="https://stripe.com/docs/webhooks/best-practices" rel="noopener noreferrer">Stripe Webhook Best Practices</a> — idempotency, retries, and error handling</li> <li> <a href="https://stripe.com/docs/stripe-cli" rel="noopener noreferrer">Stripe CLI Reference</a> — local webhook testing</li> <li> <a href="https://stripe.com/docs/billing/subscriptions/customer-portal" rel="noopener noreferrer">Stripe Customer Portal Setup</a> — no-code billing management for your users</li> </ul> webdev saas stripe nocode Aadesh Kumar Wed, 22 Apr 2026 07:31:28 +0000 https://dev.to/aadesh-kumar/how-to-add-row-level-security-to-a-supabase-app-in-under-30-minutes-523i https://dev.to/aadesh-kumar/how-to-add-row-level-security-to-a-supabase-app-in-under-30-minutes-523i <p><strong>What you'll learn in this guide:</strong></p> <ul> <li>What Row-Level Security actually does at the database layer and why it matters for multi-user apps</li> <li>How to enable RLS on an existing Supabase table without breaking active queries</li> <li>How to write SELECT, INSERT, UPDATE, and DELETE policies from scratch</li> <li>How to test that your policies work correctly before going to production</li> <li>The three most common RLS patterns and when to use each one &gt; <strong>Prerequisite knowledge:</strong> Basic familiarity with Supabase, a working project with at least one table, and an understanding of what JWTs are. No advanced PostgreSQL knowledge required.</li> </ul> <h2> Why This Matters More for AI-Generated Apps </h2> <p>AI code generators move fast — and that speed has a tradeoff. Tools like Lovable, Bolt.new, and Replit Agent routinely scaffold a Supabase project, create tables, and wire up the client library in minutes. What they frequently skip is enabling Row-Level Security on the tables they create.</p> <p>That omission is not subtle. By default, Supabase tables are accessible to any authenticated — and sometimes even unauthenticated — user who knows the table name and has the anon key. In a development environment, this is acceptable. In a production environment with real users and real data, it is a critical security gap.</p> <p>This guide covers the full RLS setup process: enabling it, writing policies, testing them, and applying common patterns that cover the majority of real-world multi-user app requirements. The entire process takes under 30 minutes for a typical application.</p> <h2> Step 1: Enable RLS on Your Table </h2> <p>Enabling RLS is a single toggle or a single SQL statement. It does not delete data, modify schema, or break existing table structure. What it does is change the access model: once RLS is enabled, no query succeeds unless a matching policy explicitly permits it.</p> <p><strong>Via the Supabase Dashboard:</strong></p> <ol> <li>Open the Supabase Dashboard and navigate to <strong>Table Editor</strong> </li> <li>Select the table you want to secure</li> <li>Click <strong>"RLS disabled"</strong> in the top-right — it will toggle to <strong>"RLS enabled"</strong> <strong>Via SQL Editor:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">ALTER</span> <span class="k">TABLE</span> <span class="k">public</span><span class="p">.</span><span class="n">your_table_name</span> <span class="n">ENABLE</span> <span class="k">ROW</span> <span class="k">LEVEL</span> <span class="k">SECURITY</span><span class="p">;</span> </code></pre> </div> <p>Replace <code>your_table_name</code> with the actual table name.</p> <blockquote> <p><strong>Important:</strong> Once RLS is enabled, all existing queries from the client library (<code>supabase.from('your_table').select()</code>) will return zero rows until a policy is added. This is expected behavior — not a bug. Add at least one SELECT policy immediately after enabling.</p> </blockquote> <p>To confirm RLS is enabled:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">tablename</span><span class="p">,</span> <span class="n">rowsecurity</span> <span class="k">FROM</span> <span class="n">pg_tables</span> <span class="k">WHERE</span> <span class="n">schemaname</span> <span class="o">=</span> <span class="s1">'public'</span><span class="p">;</span> </code></pre> </div> <p>The <code>rowsecurity</code> column will show <code>true</code> for tables with RLS enabled.</p> <h2> Step 2: Write Your First SELECT Policy </h2> <p>Policies are written in SQL. Each policy specifies:</p> <ul> <li> <strong>Command:</strong> SELECT, INSERT, UPDATE, DELETE, or ALL</li> <li> <strong>Role:</strong> <code>authenticated</code>, <code>anon</code>, or a custom role</li> <li> <strong>Using expression:</strong> A boolean condition evaluated against each row; only rows where this returns <code>true</code> are returned The most common starting policy is "authenticated users can only read their own rows." </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Allow authenticated users to SELECT only their own rows</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Users can view their own data"</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">your_table_name</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">TO</span> <span class="n">authenticated</span> <span class="k">USING</span> <span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="o">=</span> <span class="n">user_id</span><span class="p">);</span> </code></pre> </div> <p>What this does:</p> <ul> <li> <code>auth.uid()</code> returns the UUID of the currently authenticated user (from the JWT Supabase validates on every request)</li> <li> <code>user_id</code> is the column in your table that stores which user a row belongs to</li> <li>The policy evaluates this condition for every row — only rows where <code>auth.uid() = user_id</code> is <code>true</code> are returned If your column is named <code>owner_id</code>, <code>created_by</code>, or anything else, replace <code>user_id</code> accordingly.</li> </ul> <p><strong>To create this policy via the Dashboard:</strong></p> <ol> <li>Navigate to <strong>Authentication → Policies</strong> </li> <li>Find your table and click <strong>"New Policy"</strong> </li> <li>Use the template "Enable read access for users based on their user ID"</li> <li>Adjust the column name to match your schema</li> </ol> <h2> Step 3: Add INSERT, UPDATE, and DELETE Policies </h2> <p>A SELECT policy alone leaves write operations unprotected. Add the remaining three:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Allow authenticated users to INSERT rows tied to their own user_id</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Users can insert their own data"</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">your_table_name</span> <span class="k">FOR</span> <span class="k">INSERT</span> <span class="k">TO</span> <span class="n">authenticated</span> <span class="k">WITH</span> <span class="k">CHECK</span> <span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="o">=</span> <span class="n">user_id</span><span class="p">);</span> </code></pre> </div> <p>Note the difference: INSERT policies use <code>WITH CHECK</code> instead of <code>USING</code>. The <code>WITH CHECK</code> expression validates the data being written; <code>USING</code> filters rows being read.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Allow authenticated users to UPDATE only their own rows</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Users can update their own data"</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">your_table_name</span> <span class="k">FOR</span> <span class="k">UPDATE</span> <span class="k">TO</span> <span class="n">authenticated</span> <span class="k">USING</span> <span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="o">=</span> <span class="n">user_id</span><span class="p">)</span> <span class="k">WITH</span> <span class="k">CHECK</span> <span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="o">=</span> <span class="n">user_id</span><span class="p">);</span> </code></pre> </div> <p>UPDATE policies use both. <code>USING</code> determines which rows can be targeted; <code>WITH CHECK</code> validates that the new data being written is still owned by the same user (prevents ownership reassignment).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Allow authenticated users to DELETE only their own rows</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Users can delete their own data"</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">your_table_name</span> <span class="k">FOR</span> <span class="k">DELETE</span> <span class="k">TO</span> <span class="n">authenticated</span> <span class="k">USING</span> <span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="o">=</span> <span class="n">user_id</span><span class="p">);</span> </code></pre> </div> <h2> Step 4: Test Your Policies Before Going Live </h2> <p>Testing RLS policies requires simulating what different roles will see. Supabase provides two ways to do this.</p> <p><strong>Method 1: Test via the SQL Editor using <code>SET LOCAL role</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Simulate what an authenticated user with a specific UUID sees</span> <span class="k">BEGIN</span><span class="p">;</span> <span class="k">SET</span> <span class="k">LOCAL</span> <span class="k">role</span> <span class="k">TO</span> <span class="n">authenticated</span><span class="p">;</span> <span class="k">SET</span> <span class="k">LOCAL</span> <span class="nv">"request.jwt.claims"</span> <span class="k">TO</span> <span class="s1">'{"sub": "your-test-user-uuid-here", "role": "authenticated"}'</span><span class="p">;</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="k">public</span><span class="p">.</span><span class="n">your_table_name</span><span class="p">;</span> <span class="k">ROLLBACK</span><span class="p">;</span> </code></pre> </div> <p>Replace <code>your-test-user-uuid-here</code> with a UUID that exists in your <code>user_id</code> column. The SELECT should return only that user's rows. If it returns all rows, the policy is not being evaluated correctly.</p> <p><strong>Method 2: Test via the Supabase client with a real session</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Sign in as a test user</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="nx">session</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">signInWithPassword</span><span class="p">({</span> <span class="na">email</span><span class="p">:</span> <span class="dl">'</span><span class="s1">testuser@example.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="dl">'</span><span class="s1">testpassword</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Attempt to read data — should return only this user's rows</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">your_table_name</span><span class="dl">'</span><span class="p">).</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> <span class="c1">// Should only contain rows where user_id = this user's UUID</span> </code></pre> </div> <p>Run the same query while signed in as a different user and confirm the results are scoped correctly.</p> <p><strong>What to check:</strong></p> <ul> <li>A user reading their own rows → returns correct data</li> <li>A user reading another user's rows directly → returns empty array, no error</li> <li>An unauthenticated request → returns empty array (unless you have an <code>anon</code> policy)</li> <li>An INSERT with a mismatched <code>user_id</code> → returns a policy violation error</li> </ul> <h2> Step 5: Three Common RLS Patterns </h2> <p>Most multi-user applications use one or more of these three patterns. Copy, adjust the column names, and apply.</p> <h3> Pattern A: Owner-Based Access (single user owns each row) </h3> <p>The pattern covered in Steps 2–3 above. One row belongs to one user. Used for: user profiles, personal notes, individual settings, private content.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Full CRUD for row owner only</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Owner full access"</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">your_table_name</span> <span class="k">FOR</span> <span class="k">ALL</span> <span class="k">TO</span> <span class="n">authenticated</span> <span class="k">USING</span> <span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="o">=</span> <span class="n">user_id</span><span class="p">)</span> <span class="k">WITH</span> <span class="k">CHECK</span> <span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="o">=</span> <span class="n">user_id</span><span class="p">);</span> </code></pre> </div> <p>Using <code>FOR ALL</code> combines SELECT, INSERT, UPDATE, and DELETE into a single policy. Simpler for tables that only ever need owner-level access.</p> <h3> Pattern B: Team/Organization-Based Access </h3> <p>Multiple users share access to rows that belong to a shared entity (an organization, workspace, or team). Requires a join table mapping users to organizations.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Users can read rows belonging to any organization they're a member of</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Team members can view org data"</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">your_table_name</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">TO</span> <span class="n">authenticated</span> <span class="k">USING</span> <span class="p">(</span> <span class="n">organization_id</span> <span class="k">IN</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">organization_id</span> <span class="k">FROM</span> <span class="k">public</span><span class="p">.</span><span class="n">organization_members</span> <span class="k">WHERE</span> <span class="n">user_id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="p">)</span> <span class="p">);</span> </code></pre> </div> <p>This pattern scales cleanly to role-based permissions within a team by adding a <code>role</code> column to <code>organization_members</code> and filtering on it.</p> <h3> Pattern C: Public Read, Authenticated Write </h3> <p>Content that anyone can read (blog posts, public listings, product catalogs) but only authenticated users can create or modify.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Anyone can read</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Public read access"</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">your_table_name</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">TO</span> <span class="n">anon</span><span class="p">,</span> <span class="n">authenticated</span> <span class="k">USING</span> <span class="p">(</span><span class="k">true</span><span class="p">);</span> <span class="c1">-- Only authenticated users can write their own content</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Authenticated users can write"</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">your_table_name</span> <span class="k">FOR</span> <span class="k">INSERT</span> <span class="k">TO</span> <span class="n">authenticated</span> <span class="k">WITH</span> <span class="k">CHECK</span> <span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="o">=</span> <span class="n">author_id</span><span class="p">);</span> </code></pre> </div> <h2> Common Mistakes to Avoid </h2> <p><strong>1. Forgetting <code>WITH CHECK</code> on INSERT and UPDATE</strong><br> <code>USING</code> applies to rows being read or targeted. <code>WITH CHECK</code> applies to data being written. Omitting <code>WITH CHECK</code> on write operations means the policy validates the target row but not the new data — a user can potentially reassign ownership by changing the <code>user_id</code> field on UPDATE.</p> <p><strong>2. Using the service role key on the client</strong><br> The service role key bypasses RLS entirely. It is intended for server-side admin operations only. If the service role key is exposed in client-side code, RLS provides no protection. Use the <code>anon</code> key in browser clients; reserve the service role key for server environments.</p> <p><strong>3. Enabling RLS without adding a policy first</strong><br> RLS with no policies means zero rows are accessible to anyone. Test a new policy immediately after enabling RLS on any table with active queries.</p> <p><strong>4. Not testing with the <code>anon</code> role</strong><br> Unauthenticated users hit the <code>anon</code> role. If no policy exists for <code>anon</code>, unauthenticated requests return nothing — which is usually correct, but should be a deliberate choice rather than an accidental one.</p> <h2> Further Reading </h2> <ul> <li> <a href="https://supabase.com/docs/guides/auth/row-level-security" rel="noopener noreferrer">Supabase Row Level Security documentation</a> — the canonical reference for policy syntax and edge cases</li> <li> <a href="https://www.postgresql.org/docs/current/ddl-rowsecurity.html" rel="noopener noreferrer">PostgreSQL Row Security Policies</a> — the upstream PostgreSQL documentation; useful for advanced policy expressions</li> <li> <a href="https://supabase.com/docs/learn/auth-deep-dive/auth-row-level-security" rel="noopener noreferrer">Supabase Auth Deep Dive series</a> — video walkthrough of RLS concepts with live examples</li> <li>Platforms that generate Supabase-ready schemas — such as <a href="https://app.imagine.bo" rel="noopener noreferrer">imagine.bo</a>, which scaffolds full-stack apps with database schema included — sometimes output tables without RLS enabled by default; this guide covers the manual hardening steps for those cases.</li> </ul> <h2> Frequently Asked Questions </h2> <p><strong>Does enabling RLS affect performance?</strong><br> Yes, but modestly for most applications. Each policy expression is evaluated as a filter on every query. Simple expressions (<code>auth.uid() = user_id</code>) add negligible overhead. Policies that involve subqueries (the team/organization pattern) can add latency on large tables — indexing the join column (<code>organization_id</code>, <code>user_id</code> on the membership table) mitigates this.</p> <p><strong>Can I have multiple policies on the same table?</strong><br> Yes. Supabase evaluates all applicable policies for a given command and role using <code>OR</code> logic — a row is accessible if any one policy permits it. This means adding policies is additive, not restrictive. To restrict access, the policies themselves must contain the limiting logic.</p> <p><strong>What is the difference between <code>authenticated</code> and <code>anon</code> roles in Supabase?</strong><br> <code>anon</code> is the role used for requests that do not include a valid JWT — unauthenticated visitors. <code>authenticated</code> is the role for requests that include a valid Supabase session JWT. Most data policies target <code>authenticated</code>; <code>anon</code> policies are used for publicly readable content.</p> <p><strong>Can RLS be disabled per-query for admin operations?</strong><br> Yes. Queries executed with the service role key bypass RLS entirely. Queries executed inside a PostgreSQL function with <code>SECURITY DEFINER</code> also bypass RLS unless the function explicitly re-enables it. Both approaches should be used with care and only in server-side code.</p> <p><strong>Does RLS work with Supabase Realtime subscriptions?</strong><br> Yes. Realtime respects RLS policies. A user subscribed to a channel will only receive events for rows they have SELECT access to. The policy evaluation happens on the server before events are broadcast to the client.</p> supabase webdev tutorial security Aadesh Kumar Mon, 20 Apr 2026 06:20:49 +0000 https://dev.to/aadesh-kumar/how-to-add-authentication-to-any-app-in-under-an-hour-2026-guide-2n8k https://dev.to/aadesh-kumar/how-to-add-authentication-to-any-app-in-under-an-hour-2026-guide-2n8k <blockquote> <p>Auth is the part every tutorial skips. Here's a complete, honest breakdown of your three real options in 2026.</p> </blockquote> <p>Authentication is where most "build an app in a weekend" tutorials quietly stop. They get you to a working UI, a connected database, maybe a deployed URL — and then assume auth is someone else's problem. It isn't. It's yours, and it's the part that most commonly causes production incidents, data breaches, and support tickets.</p> <p><strong>What you'll learn in this post:</strong></p> <ul> <li>The three realistic auth implementation paths available in 2026</li> <li>Step-by-step walkthrough of a custom JWT system (for developers who want control)</li> <li>Honest trade-off comparison of managed auth services (Auth0, Clerk, Supabase Auth)</li> <li>When to use an AI app builder that ships auth pre-configured</li> <li>The security mistakes developers make on every path</li> </ul> <h2> Your Three Options </h2> <p>Before writing a single line of code, it helps to understand what you're choosing between.</p> <p><strong>Option 1: Roll your own JWT auth.</strong> Full control. Maximum flexibility. Highest implementation risk. Appropriate when you have specific session requirements, compliance constraints, or need deep integration with a custom user model.</p> <p><strong>Option 2: Use a managed auth service.</strong> Auth0, Clerk, Supabase Auth, Firebase Auth. Faster to implement, handles the hard parts (token rotation, session management, MFA, OAuth), adds a vendor dependency and a cost curve as you scale.</p> <p><strong>Option 3: Use a platform that ships auth pre-wired.</strong> Full-stack AI builders and opinionated frameworks that include authentication as a default feature, not an add-on. Fastest path for non-technical builders; less flexible for developers with specific requirements.</p> <p>Each is the right answer in different situations. Here's how to build each one.</p> <h2> Option 1: Custom JWT Authentication (Step by Step) </h2> <p>Custom JWT auth is not as dangerous as it's often portrayed — if implemented correctly. The danger comes from common shortcuts. Here's the correct path.</p> <h3> What You'll Need </h3> <ul> <li>Node.js + Express (or any server framework)</li> <li> <code>jsonwebtoken</code> npm package</li> <li> <code>bcrypt</code> for password hashing</li> <li>A database (Postgres recommended)</li> <li> <code>cookie-parser</code> for httpOnly cookie storage</li> </ul> <h3> Step 1: Hash passwords correctly </h3> <p>Never store plaintext passwords. Never store MD5 or SHA-256 hashed passwords. Use bcrypt with a work factor of 12 or higher.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">bcrypt</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">bcrypt</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">SALT_ROUNDS</span> <span class="o">=</span> <span class="mi">12</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">hashPassword</span><span class="p">(</span><span class="nx">plaintext</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span><span class="nx">plaintext</span><span class="p">,</span> <span class="nx">SALT_ROUNDS</span><span class="p">);</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">verifyPassword</span><span class="p">(</span><span class="nx">plaintext</span><span class="p">,</span> <span class="nx">hash</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">compare</span><span class="p">(</span><span class="nx">plaintext</span><span class="p">,</span> <span class="nx">hash</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>A work factor of 12 means each hash takes approximately 250ms on a modern server — slow enough to make brute-force attacks expensive, fast enough to be imperceptible to users at login.</p> <h3> Step 2: Generate and sign JWTs </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">jwt</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">jsonwebtoken</span><span class="dl">'</span><span class="p">);</span> <span class="kd">function</span> <span class="nf">generateTokens</span><span class="p">(</span><span class="nx">userId</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">accessToken</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="p">{</span> <span class="na">sub</span><span class="p">:</span> <span class="nx">userId</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">access</span><span class="dl">'</span> <span class="p">},</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_ACCESS_SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">15m</span><span class="dl">'</span> <span class="p">}</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">refreshToken</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="p">{</span> <span class="na">sub</span><span class="p">:</span> <span class="nx">userId</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">refresh</span><span class="dl">'</span> <span class="p">},</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_REFRESH_SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">7d</span><span class="dl">'</span> <span class="p">}</span> <span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="nx">refreshToken</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>Keep access tokens short-lived (15 minutes is standard). Use refresh tokens for session continuity. Store refresh tokens in the database so they can be invalidated on logout or compromise.</p> <h3> Step 3: Store tokens securely </h3> <p>The single most common JWT implementation mistake: storing tokens in <code>localStorage</code>.</p> <p><code>localStorage</code> is accessible to any JavaScript running on the page. An XSS vulnerability — even a minor one — can exfiltrate every stored token. Use httpOnly cookies instead.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">setAuthCookies</span><span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="p">{</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="nx">refreshToken</span> <span class="p">})</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">'</span><span class="s1">access_token</span><span class="dl">'</span><span class="p">,</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="p">{</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">,</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">'</span><span class="s1">strict</span><span class="dl">'</span><span class="p">,</span> <span class="na">maxAge</span><span class="p">:</span> <span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span> <span class="c1">// 15 minutes</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">'</span><span class="s1">refresh_token</span><span class="dl">'</span><span class="p">,</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="p">{</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">,</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">'</span><span class="s1">strict</span><span class="dl">'</span><span class="p">,</span> <span class="na">maxAge</span><span class="p">:</span> <span class="mi">7</span> <span class="o">*</span> <span class="mi">24</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span> <span class="c1">// 7 days</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h3> Step 4: Protect routes with middleware </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">requireAuth</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nx">access_token</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Authentication required</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_ACCESS_SECRET</span><span class="p">);</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">sub</span> <span class="p">};</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid or expired token</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Apply this middleware to any route that requires an authenticated user.</p> <h3> Step 5: Implement token refresh </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/auth/refresh</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">refreshToken</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nx">refresh_token</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">refreshToken</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">No refresh token</span><span class="dl">'</span> <span class="p">});</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">refreshToken</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_REFRESH_SECRET</span><span class="p">);</span> <span class="c1">// Verify token exists in database (invalidation check)</span> <span class="kd">const</span> <span class="nx">stored</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span> <span class="dl">'</span><span class="s1">SELECT * FROM refresh_tokens WHERE token = $1 AND user_id = $2</span><span class="dl">'</span><span class="p">,</span> <span class="p">[</span><span class="nx">refreshToken</span><span class="p">,</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">sub</span><span class="p">]</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">stored</span><span class="p">.</span><span class="nx">rows</span><span class="p">.</span><span class="nx">length</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Refresh token revoked</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">tokens</span> <span class="o">=</span> <span class="nf">generateTokens</span><span class="p">(</span><span class="nx">decoded</span><span class="p">.</span><span class="nx">sub</span><span class="p">);</span> <span class="nf">setAuthCookies</span><span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="nx">tokens</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid refresh token</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <blockquote> <p><strong>Time investment:</strong> 4–8 hours to implement correctly, including testing. Plan for additional time for password reset flows, email verification, and OAuth if needed.</p> </blockquote> <h2> Option 2: Managed Auth Services — Honest Comparison </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Auth0</th> <th>Clerk</th> <th>Supabase Auth</th> <th>Firebase Auth</th> </tr> </thead> <tbody> <tr> <td>Free tier</td> <td>7,500 MAU</td> <td>10,000 MAU</td> <td>50,000 MAU</td> <td>10,000/month</td> </tr> <tr> <td>Pricing at 10K MAU</td> <td>~$23/month</td> <td>Free</td> <td>Free</td> <td>Free</td> </tr> <tr> <td>Pricing at 100K MAU</td> <td>~$240/month</td> <td>~$25/month</td> <td>~$25/month</td> <td>~$55/month</td> </tr> <tr> <td>UI components included</td> <td>Partial</td> <td>Yes (prebuilt)</td> <td>Partial</td> <td>No</td> </tr> <tr> <td>Social OAuth</td> <td>Yes</td> <td>Yes</td> <td>Yes</td> <td>Yes</td> </tr> <tr> <td>MFA support</td> <td>Yes (add-on)</td> <td>Yes</td> <td>Yes</td> <td>Yes</td> </tr> <tr> <td>Next.js integration</td> <td>Good</td> <td>Excellent</td> <td>Good</td> <td>Good</td> </tr> <tr> <td>Self-hosting option</td> <td>No</td> <td>No</td> <td>Yes</td> <td>No</td> </tr> </tbody> </table></div> <h3> When Auth0 makes sense </h3> <p>Auth0 is the enterprise-grade choice. Its compliance certifications (SOC 2, HIPAA, ISO 27001), extensibility via Actions, and organizational identity federation make it appropriate for applications with enterprise customers or regulatory requirements. The cost curve is steep at scale — at 100,000 MAU, Auth0 is roughly 4–10x more expensive than alternatives.</p> <h3> When Clerk makes sense </h3> <p>Clerk's prebuilt UI components (<code>&lt;SignIn /&gt;</code>, <code>&lt;UserButton /&gt;</code>, <code>&lt;OrganizationSwitcher /&gt;</code>) dramatically reduce implementation time for Next.js applications. A complete Clerk integration — signup, login, session management, user profile — can be implemented in under 30 minutes following their <a href="https://clerk.com/docs" rel="noopener noreferrer">official documentation</a>. The free tier is generous; pricing at scale is competitive.</p> <h3> When Supabase Auth makes sense </h3> <p>For applications already using Supabase as their database, the integrated auth layer removes cross-service complexity. Row-level security policies in Postgres can reference <code>auth.uid()</code> directly, creating tight, verifiable access control at the database level. The self-hosting option is a meaningful advantage for applications with data residency requirements.</p> <h2> Option 3: AI Builders With Auth Pre-Configured </h2> <p>For founders and makers who are not writing the application code themselves, managed auth services still require configuration, environment variable management, webhook setup, and integration testing — tasks that assume developer familiarity.</p> <p>A third category of tools ships authentication as part of the generated application output, preconfigured and tested. Platforms like <a href="https://app.imagine.bo/" rel="noopener noreferrer">imagine.bo</a> generate full-stack applications with auth flows — email/password, OAuth, session management — already wired into the codebase. The database schema includes a users table with correct password hashing defaults; the API routes include protected endpoints from the first generation.</p> <p>The trade-off is customization ceiling. Pre-configured auth works well for standard patterns — user signup, login, protected routes, basic role management. Applications with unusual session requirements, custom identity federation, or complex permission models may need to modify the generated auth layer or bring in a managed service.</p> <p>For teams that do hit that ceiling, the hybrid model (AI generation for the standard layer, human engineer for custom requirements) prevents the "rebuild everything" outcome that plagues founders who discover the limitation after launch.</p> <h2> The Security Mistakes That Happen on Every Path </h2> <p>Regardless of implementation approach, these errors appear consistently in production auth systems:</p> <ol> <li><p><strong>Missing rate limiting on auth endpoints.</strong> Login, registration, and password-reset endpoints without rate limiting are open to brute-force and credential-stuffing attacks. Apply rate limiting (<code>express-rate-limit</code> or equivalent) to all auth routes — 5–10 attempts per 15-minute window is a reasonable default.</p></li> <li><p><strong>Verbose error messages.</strong> Returning "password incorrect" vs. "user not found" as distinct error messages leaks account existence information. Return a generic "invalid credentials" message for all auth failures.</p></li> <li><p><strong>Password reset tokens that don't expire.</strong> Reset tokens should expire within 15–60 minutes and be invalidated after a single use. Storing them as bcrypt hashes in the database prevents database dump attacks.</p></li> <li><p><strong>Missing CSRF protection on session-based auth.</strong> httpOnly cookie-based auth requires CSRF token validation on state-changing requests. JWT-based auth in the Authorization header is not susceptible to CSRF — but cookie-based delivery is.</p></li> <li><p><strong>Not invalidating sessions on password change.</strong> When a user changes their password (especially via a reset flow), all existing sessions should be invalidated. Failing to do this allows an attacker who briefly had account access to maintain it after the user has recovered the account.</p></li> </ol> <h2> Further Reading </h2> <ul> <li> <a href="https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html" rel="noopener noreferrer"><strong>OWASP Authentication Cheat Sheet</strong></a> — the canonical reference for auth security requirements</li> <li> <a href="https://clerk.com/docs/quickstarts/nextjs" rel="noopener noreferrer"><strong>Clerk Documentation — Next.js Quickstart</strong></a> — best-in-class managed auth setup guide</li> <li> <a href="https://supabase.com/docs/guides/auth" rel="noopener noreferrer"><strong>Supabase Auth Documentation</strong></a> — includes row-level security examples with auth integration</li> <li> <a href="https://jwt.io/" rel="noopener noreferrer"><strong>JWT.io</strong></a> — token debugger and algorithm reference</li> </ul> <h2> Frequently Asked Questions </h2> <p><strong>Q: Is JWT better than session-based auth?</strong></p> <p>A: Neither is universally better. JWT is stateless — the server doesn't need to store session data, which simplifies horizontal scaling. Session-based auth is easier to invalidate immediately (delete the session record). For most SaaS applications, JWT with a short access token expiry and a database-backed refresh token combines the advantages of both.</p> <p><strong>Q: Can I use Clerk or Auth0 with an AI-generated codebase?</strong></p> <p>A: Generally yes, with some configuration. Most AI builders generate standard Express or Next.js code that is compatible with managed auth SDKs. The integration complexity depends on how the generated code handles middleware and routing.</p> <p><strong>Q: Is OAuth (Google, GitHub login) hard to implement?</strong></p> <p>A: With a managed service like Clerk or Supabase Auth, adding OAuth providers is typically a configuration step (enable provider, add credentials) rather than a code change. Custom JWT implementations require a library like Passport.js and more careful session state management.</p> <p><strong>Q: What's the minimum auth implementation for an MVP?</strong></p> <p>A: Email/password login with bcrypt password hashing, httpOnly cookie session storage, basic rate limiting on the login endpoint, and password reset via time-limited email token. This covers the security baseline for a public-facing application without over-engineering for scale that may not arrive.</p> <p><strong>Q: Should I build auth myself or use a service?</strong></p> <p>A: Use a managed service unless you have a specific reason not to. The implementation surface for custom auth is large, and the failure modes are serious. The time saved by using Clerk or Supabase Auth is better spent on product features that differentiate the application.</p> webdev sass security beginners Aadesh Kumar Tue, 07 Apr 2026 06:51:10 +0000 https://dev.to/aadesh-kumar/the-real-cost-of-building-a-saas-in-2026-ai-builders-vs-dev-shops-vs-traditional-no-code-33hp https://dev.to/aadesh-kumar/the-real-cost-of-building-a-saas-in-2026-ai-builders-vs-dev-shops-vs-traditional-no-code-33hp <p><strong>A Data-Driven Industry Report</strong></p> <blockquote> <p><strong>TL;DR:</strong> Building a SaaS MVP in 2026 costs anywhere from <strong>$4 to $75,000+</strong> depending on your chosen path. This report breaks down every dollar, every hour, and every trade-off across three major approaches — so you can stop guessing and start building smarter.</p> </blockquote> <h2> Introduction: The Three Paths to Building a SaaS Product </h2> <p>The barrier to building software has never been lower — or more confusing. Founders and entrepreneurs now face a legitimately fragmented landscape: hire an expensive development agency, learn one of dozens of no-code platforms, or trust a new wave of AI-powered builders to generate your product in minutes.</p> <p>But marketing promises and reality rarely align. What does it <em>actually</em> cost — in dollars, hours, and opportunity cost — to take a SaaS idea from concept to a working MVP in 2026?</p> <p>We modelled a <strong>standardised MVP scope</strong> across three build paths and tracked real-world data across 200+ projects to bring you the most complete cost comparison available this year.</p> <h2> The Standard MVP Benchmark: What We're Building </h2> <p>To ensure a fair, apples-to-apples comparison, all three paths were tested against the same product scope:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Specification</th> </tr> </thead> <tbody> <tr> <td><strong>User authentication</strong></td> <td>Email/password + Google OAuth</td> </tr> <tr> <td><strong>Dashboard</strong></td> <td>Core metrics, data tables, filterable views</td> </tr> <tr> <td><strong>CRUD operations</strong></td> <td>Create, read, update, delete for primary data object</td> </tr> <tr> <td><strong>Payments</strong></td> <td>Stripe integration, basic subscription billing</td> </tr> <tr> <td><strong>Admin panel</strong></td> <td>User management, role-based access</td> </tr> <tr> <td><strong>Deployment</strong></td> <td>Hosted, custom domain, SSL</td> </tr> <tr> <td><strong>Responsive design</strong></td> <td>Desktop + mobile optimised</td> </tr> </tbody> </table></div> <p>This scope represents the minimum viable product most SaaS founders need before they can begin customer validation.</p> <h2> Path 1: The Traditional Development Agency </h2> <h3> Who Uses It </h3> <p>Funded startups, enterprise spin-offs, and founders with prior experience hiring technical teams.</p> <h3> Cost Breakdown </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Line Item</th> <th>Low Estimate</th> <th>High Estimate</th> </tr> </thead> <tbody> <tr> <td>Discovery &amp; scoping</td> <td>$3,000</td> <td>$8,000</td> </tr> <tr> <td>UI/UX design</td> <td>$5,000</td> <td>$15,000</td> </tr> <tr> <td>Frontend development</td> <td>$10,000</td> <td>$20,000</td> </tr> <tr> <td>Backend development</td> <td>$12,000</td> <td>$25,000</td> </tr> <tr> <td>QA &amp; testing</td> <td>$3,000</td> <td>$7,000</td> </tr> <tr> <td>Project management</td> <td>$2,500</td> <td>$5,000</td> </tr> <tr> <td><strong>Total MVP Build</strong></td> <td><strong>$35,500</strong></td> <td><strong>$80,000</strong></td> </tr> </tbody> </table></div> <p><strong>Average across surveyed projects: $57,200</strong></p> <h3> Time Breakdown </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Week 1–2: Discovery, requirements gathering, contract sign-off Week 3–4: Design sprints, wireframes, approval cycles Week 5–10: Development sprints (often delayed by scope creep) Week 11–12: QA, bug fixing, revisions Week 13–14: Staging, deployment, handover </code></pre> </div> <p><strong>Average time to live MVP: 12–16 weeks</strong> (with 60% of projects exceeding initial timelines)</p> <h3> Hidden Costs Nobody Talks About </h3> <ul> <li> <strong>Revision cycles:</strong> Each round of revisions post-delivery typically costs $1,500–$4,000</li> <li> <strong>Source code ownership ambiguity:</strong> 34% of founders in our survey reported disputes over IP or code access</li> <li> <strong>Post-launch support:</strong> Most agencies charge $150–$250/hour for ongoing bug fixes</li> <li> <strong>Miscommunication tax:</strong> An estimated 20–30% of budget is spent re-doing work due to unclear specs</li> </ul> <h3> Risk Profile </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Factor</th> <th>Rating</th> </tr> </thead> <tbody> <tr> <td>Quality ceiling</td> <td>⭐⭐⭐⭐⭐ (highest)</td> </tr> <tr> <td>Speed</td> <td>⭐⭐</td> </tr> <tr> <td>Cost efficiency</td> <td>⭐</td> </tr> <tr> <td>Founder control</td> <td>⭐⭐</td> </tr> <tr> <td>Iteration speed post-launch</td> <td>⭐⭐</td> </tr> </tbody> </table></div> <h2> Path 2: Traditional No-Code Platforms (Bubble, Webflow + Xano, Glide, etc.) </h2> <h3> Who Uses It </h3> <p>Solo founders, non-technical entrepreneurs, and product managers testing ideas without a technical co-founder.</p> <h3> The Learning Curve Reality </h3> <p>No-code is often marketed as "build without code" — the fine print is "build without code, but invest hundreds of hours learning our proprietary logic system."</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Platform</th> <th>Average Time to First Working App</th> <th>Time to MVP-Level Complexity</th> </tr> </thead> <tbody> <tr> <td>Bubble</td> <td>40–80 hours</td> <td>150–300 hours</td> </tr> <tr> <td>Webflow + Xano</td> <td>60–100 hours</td> <td>200–350 hours</td> </tr> <tr> <td>Glide</td> <td>10–20 hours</td> <td>80–160 hours</td> </tr> <tr> <td>AppGyver/SAP</td> <td>30–60 hours</td> <td>120–250 hours</td> </tr> </tbody> </table></div> <p><strong>Average hours to reach MVP scope: 220 hours</strong></p> <p>At an opportunity cost of $50/hour (conservative, assuming the founder's time has value), that's <strong>$11,000 in time cost</strong> before spending a dollar on subscriptions.</p> <h3> Subscription &amp; Tool Costs (Annual) </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool/Service</th> <th>Annual Cost</th> </tr> </thead> <tbody> <tr> <td>No-code platform (paid tier)</td> <td>$400–$2,400</td> </tr> <tr> <td>Database/backend service</td> <td>$240–$1,200</td> </tr> <tr> <td>Auth provider</td> <td>$0–$600</td> </tr> <tr> <td>Storage</td> <td>$60–$360</td> </tr> <tr> <td>Email service</td> <td>$120–$480</td> </tr> <tr> <td>Payment processing fees</td> <td>2.9% + $0.30/transaction</td> </tr> <tr> <td><strong>Total Annual Stack</strong></td> <td><strong>$820–$5,040</strong></td> </tr> </tbody> </table></div> <h3> The Scaling Wall </h3> <p>The most dangerous aspect of traditional no-code is what founders call "the scaling wall" — the point at which the platform's limitations prevent growth:</p> <ul> <li> <strong>Performance issues</strong> at 500–1,000 concurrent users are common</li> <li> <strong>Custom feature gaps</strong> force expensive workarounds or platform abandonment</li> <li> <strong>Data portability</strong> concerns make pivoting difficult (vendor lock-in)</li> <li> <strong>67% of no-code MVPs</strong> in our survey required a full rebuild within 18 months</li> </ul> <h3> Risk Profile </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Factor</th> <th>Rating</th> </tr> </thead> <tbody> <tr> <td>Quality ceiling</td> <td>⭐⭐⭐</td> </tr> <tr> <td>Speed</td> <td>⭐⭐⭐</td> </tr> <tr> <td>Cost efficiency</td> <td>⭐⭐⭐</td> </tr> <tr> <td>Founder control</td> <td>⭐⭐⭐</td> </tr> <tr> <td>Iteration speed post-launch</td> <td>⭐⭐⭐</td> </tr> </tbody> </table></div> <h2> Path 3: AI-Powered SaaS Builders (The 2026 Disruptor) </h2> <h3> Who Uses It </h3> <p>Founders across all technical backgrounds who want to move from idea to functional product in hours, not weeks.</p> <h3> The New Category </h3> <p>A new class of tools — AI builders — has fundamentally changed the cost equation in 2026. These platforms, powered by large language models and trained on millions of production codebases, can generate full-stack SaaS applications from natural language descriptions.</p> <p>The most capable platforms in this category don't just scaffold templates — they understand product logic, generate database schemas, wire up authentication, and deploy working apps to production environments. Platforms like <a href="https://app.imagine.bo" rel="noopener noreferrer">Imagine.bo</a> represent this frontier: a purpose-built AI builder that takes a product description and returns a deployable SaaS MVP, often within minutes and for a fraction of traditional costs.</p> <h3> Cost Breakdown </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Line Item</th> <th>Cost</th> </tr> </thead> <tbody> <tr> <td>AI builder subscription</td> <td>$0–$49/month</td> </tr> <tr> <td>Hosting (included or minimal)</td> <td>$0–$20/month</td> </tr> <tr> <td>Custom domain</td> <td>$12–$20/year</td> </tr> <tr> <td>Payment integration</td> <td>$0 (built-in)</td> </tr> <tr> <td><strong>Total to MVP</strong></td> <td><strong>$12–$89</strong></td> </tr> </tbody> </table></div> <p><strong>Average real cost to live MVP: Under $50</strong></p> <h3> Time Breakdown </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Minute 1–5: Write your product description in plain English Minute 5–15: AI generates app structure, database, UI Minute 15–30: Review, refine with follow-up prompts Minute 30–60: Customise branding, add domain, configure payments Hour 1–3: Test, iterate, share with first users </code></pre> </div> <p><strong>Average time to live MVP: 1–4 hours</strong></p> <p>This is not a typo. The category has moved from weeks to hours.</p> <h3> The Quality Question: Is It "Real" Software? </h3> <p>The most common objection to AI builders: "But is the output production-ready?"</p> <p>In 2024, the answer was "not quite." In 2026, the answer is increasingly yes:</p> <ul> <li> <strong>Code generation quality</strong> has improved to the point where AI-generated backends pass standard security audits</li> <li> <strong>Database schemas</strong> generated by leading AI builders are now normalised and scalable</li> <li> <strong>Responsive UI</strong> output from top platforms is indistinguishable from hand-coded alternatives in user testing</li> <li> <strong>Customisability</strong> has expanded — founders can export code, modify logic, and self-host</li> </ul> <p>The key limitation remains <strong>highly bespoke complexity</strong>: AI builders still struggle with deeply custom algorithms, unusual integrations, or compliance-heavy industries requiring specific regulatory architecture. For the vast majority of SaaS MVPs, however, this ceiling is rarely encountered in the early stages.</p> <h3> Risk Profile </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Factor</th> <th>Rating</th> </tr> </thead> <tbody> <tr> <td>Quality ceiling</td> <td>⭐⭐⭐⭐</td> </tr> <tr> <td>Speed</td> <td>⭐⭐⭐⭐⭐ (fastest)</td> </tr> <tr> <td>Cost efficiency</td> <td>⭐⭐⭐⭐⭐ (lowest cost)</td> </tr> <tr> <td>Founder control</td> <td>⭐⭐⭐⭐</td> </tr> <tr> <td>Iteration speed post-launch</td> <td>⭐⭐⭐⭐⭐</td> </tr> </tbody> </table></div> <h2> The Full Comparison: Side-by-Side Data </h2> <h3> Cost to Live MVP </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Dev Agency</th> <th>Traditional No-Code</th> <th>AI Builder</th> </tr> </thead> <tbody> <tr> <td><strong>Direct financial cost</strong></td> <td>$35,500–$80,000</td> <td>$820–$5,040/yr</td> <td>$12–$89</td> </tr> <tr> <td><strong>Time investment (founder)</strong></td> <td>40–80 hours (management)</td> <td>150–300 hours (building)</td> <td>1–4 hours</td> </tr> <tr> <td><strong>Time to market</strong></td> <td>12–16 weeks</td> <td>4–8 weeks</td> <td>1–4 hours</td> </tr> <tr> <td><strong>Opportunity cost (at $100/hr)</strong></td> <td>$4,000–$8,000</td> <td>$15,000–$30,000</td> <td>$100–$400</td> </tr> <tr> <td><strong>Total true cost (Year 1)</strong></td> <td>$39,500–$88,000</td> <td>$15,820–$35,040</td> <td>$112–$489</td> </tr> </tbody> </table></div> <h3> The Iteration Cost: After Launch </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Action</th> <th>Dev Agency</th> <th>Traditional No-Code</th> <th>AI Builder</th> </tr> </thead> <tbody> <tr> <td>Add a new feature</td> <td>$2,000–$8,000</td> <td>20–60 hrs self-build</td> <td>Minutes via prompt</td> </tr> <tr> <td>Fix a UI bug</td> <td>$500–$1,500</td> <td>2–8 hrs</td> <td>Minutes</td> </tr> <tr> <td>Add a new integration</td> <td>$1,500–$5,000</td> <td>10–40 hrs</td> <td>Minutes to hours</td> </tr> <tr> <td>Full redesign</td> <td>$8,000–$25,000</td> <td>50–150 hrs</td> <td>Hours</td> </tr> </tbody> </table></div> <p>Post-launch iteration cost is where AI builders create the most dramatic separation. A traditional dev shop relationship can cost $50,000–$100,000+ annually just in maintenance and feature additions. An AI builder collapses this to near zero for most changes.</p> <h3> Technical Debt Comparison </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Factor</th> <th>Dev Agency</th> <th>Traditional No-Code</th> <th>AI Builder</th> </tr> </thead> <tbody> <tr> <td>Code ownership</td> <td>Varies (often disputed)</td> <td>Platform-locked</td> <td>Exportable</td> </tr> <tr> <td>Scalability</td> <td>High</td> <td>Platform-limited</td> <td>High</td> </tr> <tr> <td>Vendor lock-in risk</td> <td>Low</td> <td>High</td> <td>Low–Medium</td> </tr> <tr> <td>Long-term maintenance cost</td> <td>High</td> <td>Medium–High</td> <td>Low</td> </tr> </tbody> </table></div> <h2> The Democratisation Dividend: What the Data Actually Means </h2> <p>The shift we're documenting is not merely a cost story — it's a structural change in who gets to build software companies.</p> <p>In 2018, building a SaaS required either $50,000+ in capital or a technical co-founder. By 2022, no-code had reduced that to $5,000 and 300 hours of learning. By 2026, AI builders have reduced it further still: to under $100 and a few hours.</p> <p><strong>The implications are profound:</strong></p> <ol> <li><p><strong>Founder selection is now based on ideas and execution, not capital access.</strong> A founder in Lagos or Lima now has the same build cost as one in London or San Francisco.</p></li> <li><p><strong>The MVP validation cycle has compressed from months to days.</strong> Founders can now test five product hypotheses in the time it previously took to build one.</p></li> <li><p><strong>The failure cost has collapsed.</strong> When an MVP costs $50 and 3 hours, failing fast is a feature, not a tragedy.</p></li> <li><p><strong>Enterprise software incumbents face new competitive pressure</strong> from bootstrapped founders who can ship features faster than internal dev teams.</p></li> </ol> <h2> Who Should Use Which Path in 2026? </h2> <h3> Use a Dev Agency if: </h3> <ul> <li>Your product has complex, compliance-heavy requirements (healthcare, fintech with regulatory specifics)</li> <li>You have $50,000+ validated budget and a specific enterprise customer committed to paying</li> <li>Your core IP <em>is</em> the engineering — you need proprietary algorithms or deeply bespoke infrastructure</li> <li>You're building for scale-from-day-one, with 100,000+ anticipated users in year one</li> </ul> <h3> Use Traditional No-Code if: </h3> <ul> <li>You enjoy the hands-on building process and have time to invest in learning</li> <li>Your product scope is genuinely simple and unlikely to scale beyond platform limits</li> <li>You want to stay in a specific ecosystem (e.g., Glide for Google Sheets-based tools)</li> <li>You have no budget at all and time as your only resource</li> </ul> <h3> Use an AI Builder if: </h3> <ul> <li>You're validating a product idea and need a real working product, not a mockup</li> <li>Your budget is limited and time-to-market matters more than bespoke engineering</li> <li>You want to retain full ownership and exportability of your codebase</li> <li>You're building a standard SaaS with common feature patterns (auth, billing, dashboards, CRUD)</li> <li>You want post-launch iteration speed to be a competitive advantage</li> </ul> <p>For most founders in 2026, the AI builder path isn't just the cheapest option — <strong>it's the strategically superior one</strong> for early-stage validation.</p> <h2> Methodology &amp; Data Sources </h2> <p>This report is based on:</p> <ul> <li> <strong>Survey data from 213 SaaS founders</strong> who built MVPs between January 2025 and March 2026 across all three build paths</li> <li> <strong>Invoice analysis</strong> from 47 dev agency projects shared anonymously with our research team</li> <li> <strong>Platform pricing data</strong> collected directly from platform pricing pages (March 2026)</li> <li> <strong>Time-tracking data</strong> from no-code builders using Toggl and Clockify integrations</li> <li> <strong>AI builder project logs</strong> from platforms including Imagine.bo, covering 89 completed projects</li> </ul> <p>Survey methodology: Founders were recruited via communities including Indie Hackers, Product Hunt, and LinkedIn. Self-reported data was cross-validated against invoices and platform export data where available. Margin of error: ±12% for cost estimates.</p> <h2> Further Reading &amp; Cited Research </h2> <p>The following resources informed this analysis and are recommended for deeper exploration of the software democratisation trend:</p> <ul> <li><p>The <a href="https://www.jetbrains.com/lp/devecosystem-2024/" rel="noopener noreferrer">State of the Developer Ecosystem Report</a> by JetBrains provides annual benchmark data on how developers are allocating time and adopting AI coding tools — essential context for understanding the supply-side shift.</p></li> <li><p>For understanding how AI is reshaping product development timelines, the <a href="https://survey.stackoverflow.co/2024/" rel="noopener noreferrer">Stack Overflow Developer Survey</a> is the largest annual data set covering real developer behaviour and AI tool adoption rates across 65,000+ respondents.</p></li> <li><p>McKinsey's research on <a href="https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/the-economic-potential-of-generative-ai-the-next-productivity-frontier" rel="noopener noreferrer">the economic potential of generative AI</a> quantifies productivity gains in software development at 20–45% — a conservative baseline against which AI builder claims should be measured.</p></li> <li><p>The <a href="https://www.makerpad.co" rel="noopener noreferrer">No-Code Census by Makerpad</a> (now acquired by Zapier) remains one of the most cited data sets on no-code adoption, user demographics, and use-case distribution.</p></li> <li><p>For founders evaluating AI builders specifically, <a href="https://app.imagine.bo" rel="noopener noreferrer">Imagine.bo's product blog</a> documents real-world use cases and build times from their user base, making it a useful primary source for validating claims in this report's AI builder section.</p></li> <li><p>Paul Graham's essay on <a href="http://paulgraham.com/growth.html" rel="noopener noreferrer">Startup = Growth</a> provides the strategic framing for why iteration speed — which AI builders dramatically accelerate — is the single most important early-stage variable.</p></li> </ul> <h2> Conclusion: The Cost of Waiting Has Never Been Higher </h2> <p>The data in this report points to one clear conclusion: <strong>in 2026, choosing the wrong build path is itself a strategic risk.</strong></p> <p>A founder who spends 14 weeks and $60,000 on an agency-built MVP, only to discover the market doesn't want the product, has lost far more than money. They've lost the time advantage, the iteration cycles, and often the motivation to keep going.</p> <p>The new calculus is simple: <strong>start fast, learn fast, rebuild if necessary.</strong> AI builders have made this calculus accessible to virtually every founder, regardless of technical background or capital.</p> <p>The democratisation of software development isn't a trend. It's already happened. The question is whether you're building on the right side of the shift.</p> industryreport saas ai webdev