
Every side project I've started in the last two years began the same way.
Open VS Code. Create a new Next.js app. Start wiring up authentication.
Three days later I'm debugging a NextAuth callback, Stripe webhooks aren't firing, and I haven't touched the actual idea I was excited about. The setup tax is real — and it quietly kills more projects than bad ideas ever do.
So I stopped starting products and started building the foundation I kept rebuilding. This is what I learned, what I built, and why I made the decisions I did.
The stack
No exotic choices here. Everything is boring on purpose.
Next.js 14 (App Router) — stable, well-documented, widely understood
NextAuth v5 — handles OAuth + credentials auth without reinventing the wheel
Prisma — type-safe ORM that plays nicely with the App Router
Stripe — payments and webhooks, subscription-ready
React Email + Resend — transactional emails that actually land in the inbox
MySQL — straightforward, production-proven, no surprises
Tailwind CSS — utility-first, fast to build with
TypeScript throughout
The companion Express REST API boilerplate runs alongside it for projects that need a separate backend:
Express + TypeScript
JWT auth (access + refresh tokens)
Prisma (shared schema pattern)
Zod — request validation that doubles as documentation
Winston — structured logging
Vitest + Supertest — integration tests out of the box
Key decisions I had to make
App Router, not Pages Router
This was the easy call. Pages Router is legacy at this point. App Router has better support for server components, layouts, and loading states. The learning curve is real but the patterns are worth adopting now.
NextAuth v5, not v4
v5 is a near-complete rewrite. The config is cleaner, Edge runtime support is better, and it's where the project is heading. I hit a few rough edges during the build but nothing that wasn't solvable — and the result is cleaner than v4 ever was.
Separate API boilerplate instead of Route Handlers only
You could handle everything through Next.js Route Handlers. For simple projects, that's fine. But a lot of real-world SaaS products eventually need a standalone API — for mobile clients, third-party integrations, or just keeping concerns separated. I bundled both so you can start with one and grow into the other without changing your assumptions.
Prisma over raw SQL or Drizzle
Drizzle is worth watching. But Prisma has better tooling, better documentation, and a larger community right now. For a boilerplate meant to reduce friction, Prisma was the right call.
JWT with refresh tokens, not sessions only
Sessions are simpler. But if you're building anything that needs a mobile client or a public API, you'll want token-based auth. I implemented both access tokens (short-lived) and refresh tokens (long-lived, stored securely) so you don't have to bolt this on later.
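One way the access/refresh split described above can be built, as an added example that is not the boilerplate's own code: a short-lived HS256 access token checked statelessly, and an opaque refresh token whose SHA-256 hash is the only thing kept server-side. The lifetimes, the in-memory `refreshStore`, the function names and the single-use rotation on refresh are assumptions of this example.

```typescript
import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Assumed lifetimes (constructed for this example, not the boilerplate's settings).
const ACCESS_TTL_S = 15 * 60;
const REFRESH_TTL_S = 30 * 24 * 3600;
// Stand-in for a refresh-token table: keyed by SHA-256 of the token, never the token itself.
const refreshStore = new Map<string, { userId: string; exp: number }>();

const b64url = (s: string): string => Buffer.from(s, "utf8").toString("base64url");
const sha256 = (s: string): string => createHash("sha256").update(s).digest("hex");
const hmac = (data: string, secret: string): Buffer => createHmac("sha256", secret).update(data).digest();

function signAccess(userId: string, secret: string, now: number): string {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify({ sub: userId, iat: now, exp: now + ACCESS_TTL_S }));
  return `${head}.${body}.${hmac(`${head}.${body}`, secret).toString("base64url")}`;
}

// Returns the user id, or null. The algorithm is fixed to HS256; the header's alg is never trusted.
function verifyAccess(token: string, secret: string, now: number): string | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  const expected = hmac(`${head}.${body}`, secret);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  return typeof claims.exp === "number" && claims.exp > now ? claims.sub : null;
}

function issueRefresh(userId: string, now: number): string {
  const token = randomBytes(32).toString("base64url"); // opaque, 256 bits of entropy
  refreshStore.set(sha256(token), { userId, exp: now + REFRESH_TTL_S });
  return token;
}

// Single-use rotation: redeeming a refresh token deletes it, so a replayed copy is rejected.
function refresh(token: string, secret: string, now: number): { access: string; refresh: string } | null {
  const key = sha256(token);
  const row = refreshStore.get(key);
  if (!row) return null;
  refreshStore.delete(key);
  if (row.exp <= now) return null;
  return { access: signAccess(row.userId, secret, now), refresh: issueRefresh(row.userId, now) };
}
```

Because only the hash is stored, a leaked copy of the table does not yield usable refresh tokens.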
What's actually included
This isn't a starter template. It's a working application with all the plumbing done.
Authentication
Email/password login with hashed passwords
OAuth (Google ready to enable)
Protected routes and middleware
Session management
Payments
Stripe Checkout integration
Webhook handler (signature verified)
Subscription status synced to the database
Customer portal link
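What "signature verified" involves for a Stripe webhook, shown as an added example rather than the boilerplate's handler: the `Stripe-Signature` header carries a timestamp `t` and one or more `v1` values, each an HMAC-SHA256 over `t.rawBody` keyed with the endpoint secret. The function names, the `Verdict` values and the 300-second tolerance are assumptions; in an application the official library's `stripe.webhooks.constructEvent` performs this check.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

const TOLERANCE_S = 300; // assumed replay window for this example
type Verdict = "ok" | "malformed_header" | "stale_timestamp" | "bad_signature";

// Parses "t=<unix seconds>,v1=<hex>[,v1=<hex>...]"; other schemes (e.g. v0) are ignored.
function parseHeader(header: string): { t: number; v1: string[] } | null {
  let t = NaN;
  const v1: string[] = [];
  for (const part of header.split(",")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    const key = part.slice(0, i).trim();
    const value = part.slice(i + 1).trim();
    if (key === "t") t = Number(value);
    else if (key === "v1") v1.push(value);
  }
  return Number.isInteger(t) && v1.length > 0 ? { t, v1 } : null;
}

// rawBody must be the exact bytes received; a parsed and re-serialized body will not match.
function verifyStripeSignature(rawBody: string, header: string, secret: string, nowS: number): Verdict {
  const parsed = parseHeader(header);
  if (!parsed) return "malformed_header";
  const expected = createHmac("sha256", secret).update(`${parsed.t}.${rawBody}`, "utf8").digest();
  const match = parsed.v1.some((hex) => {
    const given = Buffer.from(hex, "hex");
    return given.length === expected.length && timingSafeEqual(given, expected);
  });
  if (!match) return "bad_signature";
  return Math.abs(nowS - parsed.t) <= TOLERANCE_S ? "ok" : "stale_timestamp";
}

// Builds a header for a constructed payload, for local tests only.
function signForTest(rawBody: string, secret: string, t: number): string {
  const sig = createHmac("sha256", secret).update(`${t}.${rawBody}`, "utf8").digest("hex");
  return `t=${t},v1=${sig}`;
}
```

In a Next.js Route Handler the raw body comes from `await request.text()`; verifying against the output of `request.json()` is the usual cause of signature failures.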
Welcome email on signup
Password reset flow
React Email templates (easy to customise)
Resend as the transport (swap it for any SMTP provider)
Database
Prisma schema with User, Account, Session, and Subscription models
Migration files included
Seed script for local development
Developer experience
TypeScript strict mode
ESLint + Prettier configured
Environment variable validation on startup
Detailed README with setup steps that actually work
What I left out (on purpose)
No admin dashboard. No analytics integration. No multi-tenancy pattern.
Not because those aren't useful — but because every project needs them differently. The boilerplate handles the parts that are almost always identical. The parts that vary by product, I left for you to build.
The honest part
This took longer than I expected. NextAuth v5 had some edge cases that weren't well-documented. Getting Stripe webhooks to behave locally (Stripe CLI is your friend) took a few hours. The React Email setup is cleaner than I thought it would be — that was a pleasant surprise.
But the end result is something I genuinely wish had existed when I started. I've already used it to spin up a new project and the difference is significant — working on actual features on day one instead of debugging OAuth flows on day four.
Where to get it
I packaged both boilerplates together as the Indie Dev Starter Kit — available on Gumroad for $49.
You get the full source code for both the Next.js SaaS boilerplate and the Express REST API boilerplate, plus documentation covering setup, environment variables, deployment, and customisation.
If you're an indie dev, a freelancer who keeps spinning up similar projects, or someone who just wants to stop rebuilding the same foundation — it's at https://muhammadqasim897.gumroad.com/l/uuhtsw.
Happy to answer questions in the comments about any of the stack decisions.
Built with Next.js 14, NextAuth v5, Prisma, Stripe, React Email, and TypeScript.