SecureStartKit
SecurityFeaturesPricingDocsBlogChangelog
Sign inBuy Now
Getting Started
Installation
Configuration
Deployment

Components

  • Hero
  • Pricing
  • Features

Features

  • Authentication
  • Payments
  • Emails
  • Database
  • Blog
  • Security Headers
  • Claude Code Skills

Recipes

  • Add a Server Action
  • Add a Database Table
  • Add an OAuth Provider
  • Add an Email Template
  • Customize the Auth Flow
  • Add an Admin Metric
  • Enable Bot Protection

Deployment

Deploy to Vercel. Environment variables, custom domain, DNS, SSL, post-deploy verification.

Deploy to Vercel

  1. Push your code to GitHub.
  2. Go to vercel.com and click Add New Project.
  3. Import your GitHub repository.
  4. Add your environment variables (the full list is below).
  5. Click Deploy.

The default Vercel + Next.js configuration works for this template without changes. No custom build command, no vercel.json overrides required.

Environment variables

VariableNotes
NEXT_PUBLIC_APP_URLYour app URL. Must include https:// (e.g., https://yourdomain.com). The Zod env validator rejects URLs without a protocol.
NEXT_PUBLIC_SUPABASE_URLSupabase project URL
NEXT_PUBLIC_SUPABASE_ANON_KEYSupabase anon key (safe in client bundle; RLS deny-all backs it)
SUPABASE_SERVICE_ROLE_KEYSupabase service-role key. Production-only scope, mark as Sensitive in Vercel.
STRIPE_SECRET_KEYStripe secret key (sk_live_... in production). Production-only, Sensitive.
STRIPE_WEBHOOK_SECRETProduction webhook signing secret (whsec_...). Production-only, Sensitive.
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEYStripe publishable key (pk_live_...); safe in client bundle
RESEND_API_KEYResend API key (re_...). Production-only, Sensitive.

For the architectural reasoning behind environment scoping (Production-only vs Preview-only vs All-Environments) and the Sensitive flag, see Next.js environment variables, the leak prevention guide.

Important: NEXT_PUBLIC_APP_URL must include the protocol. Setting it to yourdomain.com without https:// causes the build to fail with an "Invalid URL" error from the Zod env validator. This is intentional; the validator catches the mistake at boot rather than at the first SSR render.

Custom domain

Use the bare domain (non-www) as primary

Use yourdomain.com as the primary domain, not www.yourdomain.com. This is the convention for SaaS apps and the URLs throughout the template assume it.

  1. In Vercel, go to Settings > Domains.
  2. Add yourdomain.com as your primary domain.
  3. Add www.yourdomain.com and configure it as a redirect to yourdomain.com.

Vercel handles the www-to-bare redirect automatically once both are added.

DNS records

At your domain registrar, add:

TypeNameValue
A@76.76.21.21
CNAMEwwwcname.vercel-dns.com

Vercel issues and renews the SSL certificate automatically. No manual cert management.

Update environment after the domain attaches

Once the domain resolves to Vercel, update three places to match:

  1. Vercel env vars: set NEXT_PUBLIC_APP_URL to https://yourdomain.com. Redeploy to pick it up.
  2. config.ts: set domainName to yourdomain.com (bare; no protocol, no trailing slash).
  3. Supabase: under Authentication > URL Configuration, set Site URL to https://yourdomain.com and add https://yourdomain.com/auth/callback to the Redirect URLs allowlist. Wildcards like ** are for local dev only; production should use exact paths. See Supabase OAuth, magic links, MFA for the redirect-allowlist hardening details.
  4. Stripe: create a production webhook endpoint at https://yourdomain.com/api/webhooks/stripe and copy the new signing secret to STRIPE_WEBHOOK_SECRET.

Post-deploy verification

After the first production deploy, run through these checks. This is a subset of the full 12-check pre-launch audit; for the full pass, see pre-launch security audit.

  • https://yourdomain.com/sitemap.xml returns your sitemap.
  • https://yourdomain.com/robots.txt allows crawling of the public pages.
  • https://yourdomain.com/llms.txt returns the AI-agent index (this template ships one at public/llms.txt).
  • https://yourdomain.com/opengraph-image returns your OG image.
  • A test purchase via Stripe test mode triggers the delivery email and the admin notification.
  • A login attempt with an invalid password returns a generic error, not a database message.
  • Security headers verified at securityheaders.com (target A or A+).

Redeploying

Vercel redeploys automatically on push to your main branch. Manual redeploy:

  • Dashboard: project > Deployments > latest > Redeploy.
  • CLI:
npx vercel --prod

For pre-launch verification beyond what's listed above, run the Pre-launch Security Audit checklist.