KitRocket

Go to Production

Complete checklist for launching your KitRocket app in production.

Before going live, run through this checklist. Each section covers a critical area.

Environment variables

Verify every variable is set in your production environment:

DATABASE_URL          ✓ Production database connection string
AUTH_SECRET           ✓ Unique, random 32+ character secret
BETTER_AUTH_URL       ✓ Your production URL (https://yourdomain.com)
GOOGLE_CLIENT_ID      ✓ With production callback URL registered
GOOGLE_CLIENT_SECRET  ✓
GITHUB_CLIENT_ID      ✓ With production callback URL registered
GITHUB_CLIENT_SECRET  ✓
DODO_API_KEY          ✓ Live mode key (not test mode)
DODO_WEBHOOK_SECRET   ✓ Webhook signing secret
RESEND_API_KEY        ✓ With verified domain
EMAIL_FROM            ✓ Matches verified domain

Check that no test/development values leaked into production.
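The checks in this section can be automated as a preflight step. The following is an added example, not part of KitRocket; the function name, the `MUST_DIFFER` and `DEV_MARKERS` lists, and the `verifiedEmailDomain` parameter are assumptions made for illustration.

```javascript
// Added example, not KitRocket code. Reports variable names only, never values.
const REQUIRED = [
  "DATABASE_URL", "AUTH_SECRET", "BETTER_AUTH_URL", "GOOGLE_CLIENT_ID",
  "GOOGLE_CLIENT_SECRET", "GITHUB_CLIENT_ID", "GITHUB_CLIENT_SECRET",
  "DODO_API_KEY", "DODO_WEBHOOK_SECRET", "RESEND_API_KEY", "EMAIL_FROM",
];
// Assumption: values that should never be identical in development and production.
const MUST_DIFFER = ["DATABASE_URL", "AUTH_SECRET", "BETTER_AUTH_URL", "DODO_API_KEY", "DODO_WEBHOOK_SECRET"];
// Assumption: substrings that indicate a local or placeholder value.
const DEV_MARKERS = ["localhost", "127.0.0.1", "yourdomain.com", "example.com"];

function checkProductionEnv(prod, dev = {}, verifiedEmailDomain = null) {
  const problems = [];
  const add = (name, msg) => problems.push(`${name}: ${msg}`);

  for (const name of REQUIRED) {
    const value = (prod[name] ?? "").trim();
    if (!value) { add(name, "missing or empty"); continue; }
    const marker = DEV_MARKERS.find((m) => value.toLowerCase().includes(m));
    if (marker) add(name, `contains "${marker}"`);
    if (MUST_DIFFER.includes(name) && dev[name] && dev[name].trim() === value) {
      add(name, "identical to the development value");
    }
  }

  const secret = (prod.AUTH_SECRET ?? "").trim();
  if (secret && secret.length < 32) add("AUTH_SECRET", "shorter than 32 characters");

  const baseUrl = (prod.BETTER_AUTH_URL ?? "").trim();
  if (baseUrl) {
    let parsed = null;
    try { parsed = new URL(baseUrl); } catch { add("BETTER_AUTH_URL", "not a valid URL"); }
    if (parsed && parsed.protocol !== "https:") add("BETTER_AUTH_URL", "must use https");
  }

  // EMAIL_FROM may be "Name <user@domain>" or a bare address.
  const from = (prod.EMAIL_FROM ?? "").trim();
  const match = from.match(/@([A-Za-z0-9.-]+)>?$/);
  if (from && !match) add("EMAIL_FROM", "no email address found");
  else if (match && verifiedEmailDomain && match[1].toLowerCase() !== verifiedEmailDomain.toLowerCase()) {
    add("EMAIL_FROM", "domain does not match the verified sending domain");
  }
  return problems;
}
```

In a deploy step, call `checkProductionEnv(process.env)` and fail the build when the returned list is non-empty.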

Database

  • Run pnpm db:push against the production database
  • Verify all tables exist
  • Check that connection pooling is enabled (use port 6543 for Supabase)
  • Set up automated backups (Supabase does this by default)
  • Test database connectivity from your hosting platform

Authentication

  • AUTH_SECRET is unique and not shared with development
  • BETTER_AUTH_URL matches your production domain exactly
  • OAuth callback URLs updated for all providers:
    • Google: https://yourdomain.com/api/auth/callback/google
    • GitHub: https://yourdomain.com/api/auth/callback/github
  • Test registration, login, logout, and OAuth flows in production
  • Magic link emails arrive and work

Payments

  • Switch DodoPayments to live mode (not test mode)
  • Update webhook URL: https://yourdomain.com/api/webhook/dodo
  • Verify webhook is receiving events (check DodoPayments logs)
  • Test a real checkout flow (you can refund the test purchase)
  • Pricing displays correctly
  • Subscription status updates work via webhooks

Email

  • Domain verified in Resend
  • EMAIL_FROM uses your verified domain
  • Welcome emails send on registration
  • Magic link emails deliver successfully
  • Check email deliverability (not going to spam)

Domain and SSL

  • Custom domain configured in Vercel
  • DNS records propagated (A record or CNAME)
  • SSL certificate provisioned (Vercel handles this automatically)
  • Redirect www to non-www (or vice versa)
  • Test the site loads on both http:// and https:// (http should redirect)

SEO

  • <title> and <meta description> set for every page
  • Open Graph tags present (test with opengraph.xyz)
  • Sitemap at /sitemap.xml includes all public pages
  • robots.txt allows crawling of public pages
  • Favicon and app icons set in /public/
  • Structured data (JSON-LD) on key pages

Performance

  • Run Lighthouse audit — aim for 90+ on all scores
  • Images optimized (use Next.js <Image> component)
  • Fonts loaded with next/font (no layout shift)
  • No unused JavaScript in the bundle
  • API routes respond in under 500ms

Security

  • No hardcoded secrets in source code
  • .env.local is in .gitignore
  • All API routes check authentication where required
  • Input validation on all forms and API endpoints
  • Rate limiting on authentication endpoints
  • CORS configured correctly (Next.js handles this by default)
  • Security headers set:
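// Apply these to every route, for example by returning them from the
// async headers() function in your Next.js config.
const securityHeaders = [
  // Block the site from being rendered inside frames (clickjacking).
  { key: "X-Frame-Options", value: "DENY" },
  // Stop browsers from MIME-sniffing responses away from the declared type.
  { key: "X-Content-Type-Options", value: "nosniff" },
  // Send only the origin, not the full URL, on cross-origin requests.
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  // Disable browser features the app does not use.
  { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
];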

Error monitoring

Set up error tracking so you know when things break in production:

pnpm add @sentry/nextjs
npx @sentry/wizard@latest -i nextjs

Follow the setup wizard to configure Sentry. It adds error tracking for both client and server.

Alternative: LogRocket, Datadog, or Axiom

Any error monitoring service that supports Next.js works.

Analytics

If using the Pro tier PostHog module:

  • NEXT_PUBLIC_POSTHOG_KEY set to production project
  • User identification working after login
  • Key events tracked (signup, checkout, feature usage)
  • Session recording enabled (optional, for debugging)

Monitoring

  • Set up uptime monitoring (e.g., BetterUptime, Checkly, UptimeRobot)
  • Monitor the health of key endpoints:
    • GET / — landing page
    • GET /api/auth/session — auth system
    • POST /api/webhook/dodo — webhook endpoint

Post-launch

After going live:

  1. Monitor error rates for the first 24 hours
  2. Watch webhook logs for failed deliveries
  3. Check email deliverability — are emails landing in inbox?
  4. Test the full user journey — register, login, checkout, use product, cancel
  5. Set up alerts for downtime, error spikes, and failed payments

Quick deploy command

If everything checks out:

git add .
git commit -m "feat: production-ready configuration"
git push origin main

Vercel deploys automatically on push to main.
