TL;DR: Day-one auth is sign-in + protected routes + user records. Day-one payments are one Stripe Checkout flow + a webhook that marks the order paid. Everything else is phase two.
Founders often bundle "full billing platform" into an MVP. That is how 24-hour builds become 24-day builds. Here is the checklist we actually ship.
Auth (NextAuth / Auth.js)
- Email + password or Google OAuth (pick one for v1)
- JWT sessions for edge middleware (no DB session lookups on every page)
-
user_idon every project request — no email-only ownership - Protected routes:
/request,/dashboard, admin ops path - Safe
callbackUrlhandling — block open redirects
Payments (Stripe)
- One Checkout Session per order (deposit or full tier price)
- Metadata:
requestId, tier, customer email - Webhook:
checkout.session.completed→ mark projectpaid - Success URL includes
session_id— never trust UUID alone - Admin-only checkout creation for custom quotes
What we defer
- Subscriptions, invoices, coupons, tax automation
- Customer portal for self-serve billing
- Multiple payment methods beyond Checkout defaults
- Refund UI (webhook handler only until ops needs it)
Test before launch
- Sign in → submit request → pay fixed tier
- Webhook replay in Stripe dashboard → status becomes
paid - Wrong user cannot open another customer's payment or dashboard project
- Custom quote: admin sets price → customer approves → checkout
Ship with us
Fixed tiers (Spark, Launch, Scale) include this stack by default. Sign in to start or read how to prepare your request.
Related posts
Ready to ship your MVP?
Start your project