u/Adorable-Stress-4286

I'm a backend engineer, been shipping production apps for 9 years. The last 8 months ive been auditing apps for friends, freelance clients, and a few small startup teams. 50+ apps now, ranging from one-pager landers to full-stack SaaS with 1000+ users.

The speed is wild. Stuff that used to take me a sprint takes AI an afternoon. But theres a pattern i keep seeing: vibe coded apps work great with 5 users, then something starts breaking around user 50, and by user 500 the founder is in panic mode in my DMs.

Here are the 6 things that almost always break. Plain English, paste-ready fixes.

1. The "Auth Emails Vanish" Problem

The Vibe: You ship signup. People sign up. It works on your machine.

The Reality: Supabase Auth uses its default SMTP for outbound. Default SMTP has terrible deliverability. Half your auth emails go to spam, the other half land in promotions tab.

The Trap: Users sign up, never verify, never come back. Your "1000 signups" is actually 400 verified users and you have no idea because you arent tracking deliverability.

The Fix: Configure custom SMTP with proper SPF / DKIM / DMARC records before launch. In Supabase: Auth → SMTP Settings → use Resend or Postmark with verified domain. Set up DMARC at p=quarantine minimum. Test with "mail-tester.com" before going live.

2. The "Public RLS" Catastrophe

The Vibe: AI says your tables have RLS enabled.

The Reality: RLS being "enabled" means nothing if your policies are wrong. Default-generated policies are often true for everything.

The Trap: Anyone who finds your supabase URL can read your entire database. Your users data, payment info, everything. Theres a researcher who audited 200+ vibe coded apps and found 89% of them had this exact issue.

The Fix: Open Supabase studio → Authentication → Policies for every table. Each policy should reference auth.uid() matched against an owner column. Run this query to find all your tables with permissive policies: SELECT tablename, policyname, qual FROM pg_policies WHERE schemaname = 'public'; and review every row by hand.

3. The "Stripe Webhook Wide Open" Mistake

The Vibe: Your app is wired up with Stripe checkout. Users can pay. Money is moving.

The Reality: The webhook endpoint that updates user subscriptions probably isnt verifying the Stripe signature. The agent often skips this step unless explicitly asked.

The Trap: Anyone can POST a fake webhook to your endpoint and upgrade themselves to a paid plan for free. Or worse, downgrade everyone elses subscriptions.

The Fix: In your edge function or webhook handler, verify the signature using stripe.webhooks.constructEvent(rawBody, signature, webhookSecret). The webhook secret is in your Stripe dashboard under Developers → Webhooks → Signing secret. Never log it. Store it as a Supabase secret, not in your code.

4. The "Context Rot Cascade"

The Vibe: Youre 4 months in. The agent has been your pair programmer the whole time.

The Reality: After enough back-and-forth, the agent loses track of what your app actually does. It starts "fixing" things by breaking working features.

The Trap: One day you ask for a small change, the agent rewrites your auth flow, breaks 3 unrelated things, and you spend 2 days debugging.

The Fix: Three habits. One, commit to GitHub before every agent run. Two, use Chat Mode to plan before Agent Mode executes (Chat Mode is 1 credit, doesnt write code). Three, when the app gets to about 80 components, start scoping prompts to specific files: "only modify components/Pricing.tsx, dont touch anything else."

5. The "Free Tier Abuse" Drain

The Vibe: Your app uses OpenAI / Anthropic / some AI API. Free tier was generous. Costs were predictable.

The Reality: You didnt add rate limiting. The agent gave you a frontend "Generate" button connected to an edge function that hits OpenAI directly.

The Trap: One Twitter mention, one Reddit post, one bot scraping your site, and youll wake up to a $400 OpenAI bill from a few hours of someone hitting your endpoint in a loop.

The Fix: Rate limit at the edge function level. Use Upstash Redis or Supabase's built-in rate limiting. Limit free users to 5 requests per minute, paid users to 30. Set a hard daily cap. Set spending limits on your OpenAI account in their dashboard. This isnt optional, this will happen.

6. The "Onboarding Drip Doesnt Exist" Gap

The Vibe: Users sign up. Your job is done. They'll figure it out.

The Reality: Activation rate for vibe coded apps without an onboarding email sequence hovers around 12-18%. With even a basic 3-email sequence, that jumps to 35-50%.

The Trap: You spent 3 months building. Got 200 signups from a launch post. Two weeks later, only 24 of them ever returned to the app. You assume the product is bad. The product might be fine. The retention loop is missing.

The Fix: At minimum: Day 0 welcome email, Day 2 "have you tried [main feature]" email, Day 7 "heres what other users are doing" email. These can be templated. Tools that handle this from your Supabase database directly without code: Loops, "Customer.io", Resend with custom edge functions. Pick one. Set it up before launch, not after.

Most of these took clients of mine multiple painful weeks to figure out. The fixes themselves are usually a few hours of work. Use code review tools such as Vibe Coach to double check your code before launching your app. The lesson is: vibe coding solves the building problem. It does not solve the "running a real product" problem. Thats still on you.

curious which one of these has bit yall the worst. and if theres a 7th i should add to the list.

Something I keep telling the founders I work with that I think is worth sharing here too. This isn't about leaving Base44. Base44’s gotten genuinely great this past year, the Agent is solid, prod databases, App Storage, Auth, the deployment story is real now. I build on it too.

But there's a thing that catches non-technical founders off guard once their app starts mattering, and it's the difference between using Base44 and being locked into Base44. Those are different things and most people don't notice the second one until they need it not to be true.

The stuff I'm talking about owning, in the order I'd worry about it:

Your code. The Base44 is great as a workspace but your code should also live on GitHub. Connect it the day you start. This isn't about leaving, it's about having a real backup, real commit history, and the ability to invite a dev to look at it without giving them your Base44 account. Base44 has Git built in now, just connect it.

Your database. This is the big one. If your app has users, the users are in the database. If the database is on Base44’s managed Postgres, you're trusting Base44 with your most important asset. Their prod DB stuff works fine, I'm not knocking it. But you should know how to export it, you should have a regular backup somewhere you control (S3, Backblaze, anywhere not Base44), and ideally you have a path to running it elsewhere if you ever need to. I default to managed Postgres on whatever platform the app eventually runs on, or Neon for staging branches. The point isn't which provider, the point is the connection string is something you control.

Your auth. Base44 Auth is a one-click magic and that's exactly why it's risky to lean on it for a real product. If you ever want to move the app, your users' auth is now somewhere you can't take with you. For anything you're charging money for, I use Clerk or Auth.js (formerly NextAuth) with the user records living in your own database. Slightly more setup, but your users are yours.

Your storage. App Storage is convenient but same story. If your users are uploading files, those files should be in an object storage bucket you own. Cloudflare R2 is what I use most lately, no egress fees, S3-compatible API. You can absolutely point it at Base44-hosted code, the storage just lives somewhere you control.

Your environments. This is the part that signals "real engineering setup" more than anything. You should have:

- A staging environment that's a full copy of production, separate database, separate everything

- A way to deploy to staging first, test, then promote to production

- Database migrations that run automatically when you deploy (Drizzle Kit handles this well, `npx drizzle-kit migrate` in your deploy script)

- The ability to roll back if something breaks

Base44 gives you dev and prod databases now which is a step in this direction. For more serious setups I usually have GitHub Actions running tests on PR, deploying to staging on merge to main, and prod on a tagged release. Sounds heavy, takes about a day to set up once, then you never think about it again.

What owning all this looks like in practice. Your stack ends up being:

- Code on GitHub

- Database wherever (Neon, Supabase, managed Postgres on your provider, your call)

- Auth via Google or similar, user records in your DB

- File storage on R2 or S3

- App itself running wherever (Base44 deployments are fine, Railway, Vercel, whatever fits)

- Migrations via Drizzle Kit, environments separated, deploys automated

The nice thing is once you have this, the question of "should I migrate off Base44" becomes mostly irrelevant. You're not locked in. You can stay on Base44 forever, or move when it makes sense, and either way your business doesn't depend on a single platform's continued existence.

Not saying every project needs all of this on day one. A weekend prototype absolutely doesn't. But once you have paying users, or you're starting to feel like this thing might actually become something, this is the order I'd add the pieces in. Most of it is one or two days of work each, spread out over a few weeks.

If anyone's at the point of wanting to set this up properly and is stuck on where to start, happy to walk through it with a few of you in the comments this week. No pitch, just trying to write up the most common stumbling blocks for a follow-up post. I always recommend founders to run a code review on https://getvibecodingcoach.com before launching their apps. They would check your security, performance, scalability, and database. Make sure to push your code to GitHub first. You may book a free consultation session with them to ask any questions once the report is generated.

Drop a reply with where you are (rough stack, what you've already got, what's tripping you up) and I'll go through them.

Something I keep telling the founders I work with that I think is worth sharing here too. This isn't about leaving Google Antigravity. Google Antigravity’s gotten genuinely great this past year, the Agent is solid, prod databases, App Storage, Auth, the deployment story is real now. I build on it too.

But there's a thing that catches non-technical founders off guard once their app starts mattering, and it's the difference between using Google Antigravity and being locked into Google Antigravity. Those are different things and most people don't notice the second one until they need it not to be true.

The stuff I'm talking about owning, in the order I'd worry about it:

Your code. The Google Antigravity is great as a workspace but your code should also live on GitHub. Connect it the day you start. This isn't about leaving, it's about having a real backup, real commit history, and the ability to invite a dev to look at it without giving them your Google Antigravity account. Google Antigravity has Git built in now, just connect it.

Your database. This is the big one. If your app has users, the users are in the database. If the database is on Google Antigravity’s managed Postgres, you're trusting Google Antigravity with your most important asset. Their prod DB stuff works fine, I'm not knocking it. But you should know how to export it, you should have a regular backup somewhere you control (S3, Backblaze, anywhere not Google Antigravity), and ideally you have a path to running it elsewhere if you ever need to. I default to managed Postgres on whatever platform the app eventually runs on, or Neon for staging branches. The point isn't which provider, the point is the connection string is something you control.

Your auth. Google Antigravity Auth is a one-click magic and that's exactly why it's risky to lean on it for a real product. If you ever want to move the app, your users' auth is now somewhere you can't take with you. For anything you're charging money for, I use Clerk or Auth.js (formerly NextAuth) with the user records living in your own database. Slightly more setup, but your users are yours.

Your storage. App Storage is convenient but same story. If your users are uploading files, those files should be in an object storage bucket you own. Cloudflare R2 is what I use most lately, no egress fees, S3-compatible API. You can absolutely point it at Google Antigravity-hosted code, the storage just lives somewhere you control.

Your environments. This is the part that signals "real engineering setup" more than anything. You should have:

- A staging environment that's a full copy of production, separate database, separate everything

- A way to deploy to staging first, test, then promote to production

- Database migrations that run automatically when you deploy (Drizzle Kit handles this well, `npx drizzle-kit migrate` in your deploy script)

- The ability to roll back if something breaks

Google Antigravity gives you dev and prod databases now which is a step in this direction. For more serious setups I usually have GitHub Actions running tests on PR, deploying to staging on merge to main, and prod on a tagged release. Sounds heavy, takes about a day to set up once, then you never think about it again.

What owning all this looks like in practice. Your stack ends up being:

- Code on GitHub

- Database wherever (Neon, Supabase, managed Postgres on your provider, your call)

- Auth via Google or similar, user records in your DB

- File storage on R2 or S3

- App itself running wherever (Google Antigravity deployments are fine, Railway, Vercel, whatever fits)

- Migrations via Drizzle Kit, environments separated, deploys automated

The nice thing is once you have this, the question of "should I migrate off Google Antigravity" becomes mostly irrelevant. You're not locked in. You can stay on Google Antigravity forever, or move when it makes sense, and either way your business doesn't depend on a single platform's continued existence.

Not saying every project needs all of this on day one. A weekend prototype absolutely doesn't. But once you have paying users, or you're starting to feel like this thing might actually become something, this is the order I'd add the pieces in. Most of it is one or two days of work each, spread out over a few weeks.

If anyone's at the point of wanting to set this up properly and is stuck on where to start, happy to walk through it with a few of you in the comments this week. No pitch, just trying to write up the most common stumbling blocks for a follow-up post. I always recommend founders to run a code review on Vibe Coach before launching their apps. They would check your security, performance, scalability, and database. Make sure to push your code to GitHub first. You may book a free consultation session with them to ask any questions once the report is generated.

Drop a reply with where you are (rough stack, what you've already got, what's tripping you up) and I'll go through them.

When I saw my first coding “Hello World” print 14 years ago, I was hooked.

Since then, I’ve built over 130 apps. From AI tools to full SaaS platforms, I’ve worked with founders using everything from custom code to no-code AI coding platforms such as Google Antigravity.

If you’re a non-technical founder building something on one of these tools, it’s incredible how far you can go today without writing much code.

But here’s the truth. What works with test data often breaks when real users show up.

Here are a few lessons that took me years and a few painful launches to learn:

1. Token-based login is the safer long-term option If your builder gives you a choice, use token-based authentication. It’s more stable for web and mobile, easier to secure, and much better if you plan to grow.
2. A beautiful UI won’t save a broken backend Even if the frontend looks great, users will leave if things crash, break, or load slow. Make sure your login, payments, and database are tested properly. Do a full test with a real credit card flow before launch.
3. Launching doesn’t mean ready. Before going live:
   • Use a real domain with SSL
   • Keep development and production separate
   • Never expose your API keys or tokens in public files
   • Back up your production database regularly. Tools can fail, and data loss hurts the most after you get users
4. Security issues don’t show up until it’s too late. Many apps get flooded with fake accounts or spam bots. Prevent that with:
   • Email verification
   • Rate limiting
   • Input validation and basic bot protection
5. Real usage will break weak setups. Most early apps skip performance tuning. But when real users start using the app, problems appear
   • Add pagination for long lists or data-heavy pages
   • Use indexes on your database
   • Set up background tasks for anything slow
   • Monitor errors so you can fix things before users complain
6. Migrations for any database change:
   • Stop letting the AI touch your database schema directly.
   • A migration is just a small file that says "add this column" or "create this table." It runs in order. It can be reversed. It keeps your local environment and production database in sync.
   • Without this, at some point your production app and your database will quietly get out of sync and things will break in weird ways with no clear error. It is one of the worst situations to debug, especially if you are non-technical.
   • The good news: your AI assistant can generate migrations for you. Just ask it to use migrations instead of editing the schema directly. Takes maybe 2 minutes to set up properly.

Looking back, every successful project had one thing in common. The backend was solid, even if it was simple.

If you’re serious about what you’re building, even with no-code or AI tools, treat the backend like a real product. Not just something that “runs in the background”.

There are 6 things that separate "cool demo" from "people pay me monthly and they're happy about it":

1. Write a PRD before you prompt the agent
2. Learn just enough version control to undo your mistakes
3. Treat your database like it's sacred
4. Optimize before your users feel the pain
5. Write tests (or make sure the agent does)
6. Get beta testers, and listen to them

Not trying to sound preachy. Just sharing things I learned the hard way so others don’t have to. If you want to check out if your codebase has these issues above, Vibe Coach has this code review tool that deeply reviews your code about these issues (as well as other issues). Make sure to push your code to GitHub first. You may book a free technical consultation session with them after the code review is done. They will walk your through your report and answer any questions if you have.

If you’ve already run into some of these issues in your own app, I’d be curious what you found.