Deployment
Deploy to Vercel. Environment variables, custom domain, DNS, SSL, post-deploy verification.
Deploy to Vercel
- Push your code to GitHub.
- Go to vercel.com and click Add New Project.
- Import your GitHub repository.
- Add your environment variables (the full list is below).
- Click Deploy.
The default Vercel + Next.js configuration works for this template without changes. No custom build command, no vercel.json overrides required.
Environment variables
| Variable | Notes |
|---|---|
NEXT_PUBLIC_APP_URL | Your app URL. Must include https:// (e.g., https://yourdomain.com). The Zod env validator rejects URLs without a protocol. |
NEXT_PUBLIC_SUPABASE_URL | Supabase project URL |
NEXT_PUBLIC_SUPABASE_ANON_KEY | Supabase anon key (safe in client bundle; RLS deny-all backs it) |
SUPABASE_SERVICE_ROLE_KEY | Supabase service-role key. Production-only scope, mark as Sensitive in Vercel. |
STRIPE_SECRET_KEY | Stripe secret key (sk_live_... in production). Production-only, Sensitive. |
STRIPE_WEBHOOK_SECRET | Production webhook signing secret (whsec_...). Production-only, Sensitive. |
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY | Stripe publishable key (pk_live_...); safe in client bundle |
RESEND_API_KEY | Resend API key (re_...). Production-only, Sensitive. |
For the architectural reasoning behind environment scoping (Production-only vs Preview-only vs All-Environments) and the Sensitive flag, see Next.js environment variables, the leak prevention guide.
Important: NEXT_PUBLIC_APP_URL must include the protocol. Setting it to yourdomain.com without https:// causes the build to fail with an "Invalid URL" error from the Zod env validator. This is intentional; the validator catches the mistake at boot rather than at the first SSR render.
Custom domain
Use the bare domain (non-www) as primary
Use yourdomain.com as the primary domain, not www.yourdomain.com. This is the convention for SaaS apps and the URLs throughout the template assume it.
- In Vercel, go to Settings > Domains.
- Add
yourdomain.comas your primary domain. - Add
www.yourdomain.comand configure it as a redirect toyourdomain.com.
Vercel handles the www-to-bare redirect automatically once both are added.
DNS records
At your domain registrar, add:
| Type | Name | Value |
|---|---|---|
| A | @ | 76.76.21.21 |
| CNAME | www | cname.vercel-dns.com |
Vercel issues and renews the SSL certificate automatically. No manual cert management.
Update environment after the domain attaches
Once the domain resolves to Vercel, update three places to match:
- Vercel env vars: set
NEXT_PUBLIC_APP_URLtohttps://yourdomain.com. Redeploy to pick it up. config.ts: setdomainNametoyourdomain.com(bare; no protocol, no trailing slash).- Supabase: under Authentication > URL Configuration, set Site URL to
https://yourdomain.comand addhttps://yourdomain.com/auth/callbackto the Redirect URLs allowlist. Wildcards like**are for local dev only; production should use exact paths. See Supabase OAuth, magic links, MFA for the redirect-allowlist hardening details. - Stripe: create a production webhook endpoint at
https://yourdomain.com/api/webhooks/stripeand copy the new signing secret toSTRIPE_WEBHOOK_SECRET.
Post-deploy verification
After the first production deploy, run through these checks. This is a subset of the full 12-check pre-launch audit; for the full pass, see pre-launch security audit.
https://yourdomain.com/sitemap.xmlreturns your sitemap.https://yourdomain.com/robots.txtallows crawling of the public pages.https://yourdomain.com/llms.txtreturns the AI-agent index (this template ships one atpublic/llms.txt).https://yourdomain.com/opengraph-imagereturns your OG image.- A test purchase via Stripe test mode triggers the delivery email and the admin notification.
- A login attempt with an invalid password returns a generic error, not a database message.
- Security headers verified at securityheaders.com (target A or A+).
Redeploying
Vercel redeploys automatically on push to your main branch. Manual redeploy:
- Dashboard: project > Deployments > latest > Redeploy.
- CLI:
npx vercel --prod
For pre-launch verification beyond what's listed above, run the Pre-launch Security Audit checklist.