The Non-Developer's Deployment Guide
A plain-English guide to deploying vibe-coded AI apps: hosting, backends, auth, databases, secrets, domains, monitoring, costs, and release paths.
01 Start Here
If your demo works on your laptop but you do not yet know how to put it in front of strangers, this guide is for you.
Deployment means taking something that works locally and making it available to anyone on the internet. You do not need to become a DevOps engineer. You need to know which parts to outsource, where secrets belong, and which defaults are safe enough to start with.
The safest mental model
Frontend is public. Backend is private. Database is protected. Secrets stay server-side. Your frontend code ships to every user's browser. Anything inside it can be seen. API keys, payment secrets, database passwords, and AI provider keys must live on the server side.
02 The 60-Second Cheat Sheet
If you read nothing else, start here. Pick the row closest to your app and use it as your default. You can refine later when you have real traffic, real users, or a real customer requirement.
Web SaaS / AI app
Vercel + Supabase
Best first choice for Next.js dashboards, AI assistants, internal tools, and most user-account web apps.
Mobile app
Firebase or Expo + Supabase
Use Firebase when you want mature mobile SDKs and real-time sync. Use Expo + Supabase when you want SQL and more backend control.
Landing page / blog
Cloudflare Pages or Netlify
Fast, cheap, simple, and usually enough for marketing pages, docs, portfolios, and content sites.
Python / API backend
Render + Neon + Vercel
A clean path for FastAPI, Flask, Django, Node APIs, background jobs, and always-on services.
Enterprise / regulated
AWS, GCP, or Azure with help
Use when a customer, compliance requirement, procurement team, or existing company infrastructure demands it.
Cannot decide
Vercel + Supabase + Sentry
The safest default for most non-developer web apps in 2026: fast to ship, easy to understand, and upgradeable.
The default 2026 starter stack
- FrontendVercel for app UI; Cloudflare Pages for static marketing pages
- BackendVercel Functions, Supabase Edge Functions, Render, or Cloud Run
- DatabaseSupabase Postgres for most apps; Firebase Firestore for mobile real-time apps
- AuthSupabase Auth, Firebase Auth, or Clerk
- FilesSupabase Storage, Firebase Storage, S3, or Cloudflare R2
- MonitoringSentry + UptimeRobot + platform logs + budget alerts
- DomainCloudflare Registrar or your existing registrar
- AI callsServer-side only, with per-user limits and provider spend caps
03 What You Are Actually Deploying
Every deployed app is made of layers. Once you can name the layers, platform marketing pages become much easier to understand.
| Layer | What it does | Common services |
|---|---|---|
| Frontend | The screen users see | React, Next.js, Vue, Svelte on Vercel, Netlify, Cloudflare Pages |
| Backend / API | Runs private logic | Vercel Functions, Netlify Functions, Render, Railway, Cloud Run |
| Database | Stores structured data | Supabase Postgres, Firebase Firestore, Neon, MongoDB Atlas |
| Auth | Login and sessions | Supabase Auth, Firebase Auth, Clerk, Auth0, Cognito |
| File storage | Stores images, PDFs, audio, video | Supabase Storage, Firebase Storage, S3, Cloudflare R2 |
| AI provider | Generates text, images, code, embeddings | OpenAI, Anthropic, Gemini, OpenRouter |
| CDN | Serves files near users | Built into modern hosts; Cloudflare and Fastly are common |
| Secrets | Stores private keys outside code | Platform environment variables, Secret Manager, Doppler, Vault |
| Monitoring | Tells you what broke | Sentry, UptimeRobot, platform logs, budget alerts |
Static vs. dynamic apps
Static apps are like a photo album: the same files are served to every visitor. Landing pages, docs, portfolios, blogs, and simple marketing sites belong here.
Dynamic apps are like a tailor shop: the response changes based on who is logged in, what they typed, what the database says, or what the AI returns. Dashboards, booking systems, chatbots, checkouts, and collaboration tools belong here.
That distinction drives most deployment decisions. Static apps can live almost anywhere cheaply. Dynamic apps need a place for private code, state, permissions, and secrets.
04 Frontend Hosting
Frontend hosting is the easiest part of the stack. Most modern options are good. The decision is about developer experience, cost behavior, framework fit, and whether your app also needs backend logic.
Vercel
Vercel is the default home for Next.js apps. It gives you GitHub-based deploys, preview URLs for every branch, fast CDN delivery, serverless functions, image optimization, and a workflow that feels almost invisible when the app is configured correctly.
Use Vercel when:
- You are building with Next.js, React, or a framework Vercel supports well.
- You want preview deployments for every pull request or branch.
- You have a web SaaS, dashboard, AI assistant, or authenticated web app.
- You want your frontend and lightweight API routes in the same place.
Watch the cost model:
- Personal hobby projects can often start free, but commercial work generally belongs on a paid plan.
- Bandwidth, image optimization, function usage, and team seats can change the real monthly cost.
- Viral traffic, bots, or DDoS events can create usage spikes if you do not set budget alerts and spend controls.
Vercel rule of thumb
Use Vercel for a serious Next.js product, but do not treat the deploy button as the whole launch checklist. Before sharing a public link, configure environment variables, production auth redirects, error tracking, analytics, and budget alerts.
Netlify
Netlify is strong for static sites, content-heavy sites, Jamstack projects, and teams that want broad framework support without going all-in on Next.js. It includes Git deploys, preview deploys, forms, serverless functions, redirects, edge functions, and simple domain management.
Use Netlify when:
- You are building a landing page, documentation site, blog, or marketing site.
- You want built-in form handling without wiring a backend.
- You use Astro, Eleventy, Hugo, Gatsby, SvelteKit, or another static-first framework.
- You want a familiar GitHub-to-preview-to-production workflow.
Watch out for:
- Advanced Next.js features can be better supported on Vercel first.
- Build-minute limits can matter for large content sites.
- Functions are useful, but a serious backend may still belong on Render, Railway, Supabase, or Cloud Run.
Cloudflare Pages
Cloudflare Pages is excellent for static sites and edge-first projects. The major appeal is cost behavior: Cloudflare’s network is built around bandwidth at enormous scale, so high-traffic static delivery can be much cheaper than usage-metered alternatives.
Use Cloudflare Pages when:
- You are shipping a static site, docs site, landing page, or content-heavy public site.
- You expect traffic spikes and want strong CDN economics.
- You want to combine Pages with Workers, KV, D1, Durable Objects, or R2.
- You care about global latency and edge delivery.
Watch out for:
- Cloudflare Workers are not a full Node.js server. Some Node packages and APIs may not work without changes.
- The platform is powerful, but the mental model is more edge-native than traditional-server-native.
- If your app needs a conventional long-running backend, combine Pages with a separate API on Render, Railway, or Cloud Run.
Firebase Hosting
Firebase Hosting is a good choice when your app already uses Firebase Auth, Firestore, Cloud Storage, or Cloud Functions. It serves static assets quickly and integrates neatly with the Firebase ecosystem.
Use Firebase Hosting when:
- You are building a mobile-first product with Firebase SDKs.
- You want one console for auth, database, storage, hosting, and functions.
- Your web app is mostly static but needs rewrites to Cloud Functions.
- Your team already understands Firebase projects and security rules.
Watch out for:
- Firebase Hosting itself serves static files; dynamic backend logic needs Cloud Functions or Cloud Run.
- Firestore and Storage security rules are launch-critical, not optional.
- Usage-based billing can surprise you if reads, writes, storage downloads, or functions scale unexpectedly.
Frontend platform comparison
| Platform | Best for | Strengths | Watch out for |
|---|---|---|---|
| Vercel | Next.js SaaS, AI apps, dashboards | Best Next.js DX, preview deploys, serverless routes | Cost spikes, team pricing, image/bandwidth usage |
| Netlify | Static sites, Jamstack, content | Forms, previews, broad static framework support | Next.js parity can lag Vercel |
| Cloudflare Pages | Static scale, docs, edge-first apps | Very strong CDN economics, Workers ecosystem | Workers are not full Node.js |
| Firebase Hosting | Firebase/mobile apps | Tight Firebase integration, static hosting, rewrites | Requires Functions/Run for backend logic |
Quick pick
- Building a Next.js SaaS or AI dashboard? Start with Vercel.
- Building a static marketing site or docs site? Start with Cloudflare Pages or Netlify.
- Already using Firebase for mobile, auth, Firestore, or push? Use Firebase Hosting.
- Expecting a lot of public bandwidth or file downloads? Evaluate Cloudflare Pages + R2 early.
- Need built-in form capture and a simple marketing workflow? Use Netlify.
05 Backend-as-a-Service
Backend-as-a-Service platforms give you database, auth, storage, and serverless functions without wiring five vendors together. They are attractive because they replace a large amount of backend setup with one project dashboard and client SDKs.
They do not remove backend thinking. You still need data modeling, permissions, migrations, backups, rate limits, and environment variables.
Supabase
Supabase is the most useful default for many vibe-coded web apps because it is built around PostgreSQL. The mental model is familiar: tables, rows, columns, relationships, SQL, and policies.
Supabase gives you:
- Postgres database for structured data.
- Auth for email/password, magic links, OAuth, and sessions.
- Row Level Security for database-enforced permissions.
- Storage for images, PDFs, and user uploads.
- Edge Functions for private server-side logic.
- Realtime for subscriptions and collaborative features.
- SQL access so you can inspect and repair data directly.
Use Supabase when:
- Your app has accounts, dashboards, projects, teams, subscriptions, or records.
- You want SQL instead of proprietary NoSQL queries.
- You expect to need exports, reports, analytics, joins, or admin views later.
- You want one backend platform but do not want to learn AWS yet.
Watch out for:
- Row Level Security must be designed carefully. Turning it on without policies blocks access; leaving it off can leak data.
- Free plans may not include the backup guarantees you want for production.
- Serverless functions need database connection pooling when traffic grows.
Firebase
Firebase is excellent for mobile-first and real-time products. It gives you mature SDKs, authentication, Firestore, Realtime Database, Cloud Storage, Cloud Messaging, Analytics, Hosting, and Cloud Functions.
Use Firebase when:
- You are building iOS, Android, Flutter, React Native, or a mobile-first web app.
- Offline sync, real-time updates, and push notifications are core to the experience.
- You want Google-native tooling and a mature mobile SDK ecosystem.
- Your data fits document-oriented access patterns.
Watch out for:
- Firestore is not a relational database. Query design and data duplication are normal.
- Read-heavy apps can become expensive if each screen triggers many document reads.
- Security rules are powerful but easy to get wrong.
- Moving away later can be painful if you structure your whole app around Firestore-specific patterns.
Supabase vs. Firebase
| Question | Supabase | Firebase |
|---|---|---|
| Data model | Relational Postgres | Document-based Firestore / Realtime Database |
| Best fit | SaaS, dashboards, AI apps, admin tools | Mobile, real-time sync, offline-first apps |
| Query style | SQL, joins, constraints | Document reads, collections, indexes |
| Permissions | Row Level Security policies | Firebase Security Rules |
| Portability | Stronger, because Postgres is standard | More proprietary data model |
| Learning curve | Database concepts matter | Data modeling feels easy at first, harder later |
Default recommendation
For most web apps, start with Supabase. For mobile apps where offline behavior, push, and real-time sync are central, start with Firebase. If you are unsure and your product looks like a SaaS dashboard, choose Supabase.
06 The Cloud Giants
AWS, Google Cloud, and Azure are powerful, reliable, and intimidating. They are not the best first teacher for most non-developers. They matter when you need enterprise controls, compliance, private networking, heavy infrastructure, or customer-mandated cloud alignment.
Amazon Web Services
AWS is the broadest cloud platform. It has services for almost everything: S3 for files, Lambda for serverless functions, RDS for relational databases, DynamoDB for NoSQL, CloudFront for CDN, Cognito for auth, Secrets Manager for secrets, CloudWatch for logs, and IAM for access control.
Use AWS when:
- Your customer or employer already runs on AWS.
- You need enterprise procurement, compliance, or region controls.
- You have engineering help.
- You need mature infrastructure beyond what simpler platforms provide.
Do not start on AWS just because it sounds professional. For a first app, AWS can turn deployment into a month-long infrastructure project.
Google Cloud Platform
GCP is a natural fit for teams already using Firebase, Google Workspace, BigQuery, Vertex AI, or Google Cloud infrastructure. For vibe-coded apps, the most approachable GCP path is often Firebase Hosting plus Cloud Run plus Cloud SQL.
Useful GCP services:
- Cloud Run for containerized web services and AI backends.
- Cloud SQL for managed Postgres or MySQL.
- Secret Manager for private keys.
- Cloud Logging and Cloud Monitoring for production visibility.
- Firebase Hosting/Auth/Firestore for app-facing pieces.
- Vertex AI when your AI workflow must live in Google Cloud.
Use GCP when:
- You want containers without managing Kubernetes.
- You are already in Firebase and need a stronger backend.
- You need BigQuery, Vertex AI, or Google-native enterprise tooling.
Microsoft Azure
Azure is strongest when the customer or organization is already Microsoft-centered. It works well with Entra ID, Microsoft 365, .NET, enterprise procurement, and Azure DevOps.
Useful Azure services:
- Azure Static Web Apps for static frontends plus serverless APIs.
- Azure App Service for web apps and APIs in many languages.
- Azure Functions for serverless logic.
- Azure SQL Database and Cosmos DB for data.
- Azure Key Vault for secrets.
- Application Insights for monitoring.
Use Azure when:
- Your customers require Microsoft identity, SSO, or procurement.
- Your team uses .NET or Azure DevOps.
- The business environment is already Microsoft-first.
When to use a cloud giant
Use AWS, GCP, or Azure when at least one of these is true:
- A real customer requires it.
- Compliance, audit, procurement, or data residency requirements demand it.
- You have an engineer or DevOps partner available.
- You need private networking, container orchestration, advanced observability, or enterprise identity.
- Your app is already generating enough revenue to justify infrastructure complexity.
Otherwise, start simpler. A simple app on Vercel and Supabase that real users can access today beats a perfect AWS diagram that never ships.
07 Authentication
Authentication is not just a login screen. It includes signup, password reset, email verification, sessions, permissions, social login, multi-factor authentication, organizations, roles, and sometimes enterprise SSO.
Do not build auth from scratch unless authentication is literally your product. Auth mistakes become security incidents.
Provider options
| Provider | Best for | Why people choose it | Watch out for |
|---|---|---|---|
| Supabase Auth | Supabase apps | Integrated with Postgres and RLS | UI is more DIY than Clerk |
| Firebase Auth | Mobile-first apps | Mature SDKs, social login, phone auth | Best when the rest of the app is also Firebase |
| Clerk | Polished auth UX | Great UI components, Next.js integration, organizations | MAU and B2B features can affect pricing |
| Auth0 | Enterprise identity | SSO, compliance, enterprise configuration | Expensive and often overkill for MVPs |
| Cognito | AWS-heavy teams | Native inside AWS | Less friendly for beginners |
| WorkOS | B2B enterprise SSO | SAML, SCIM, directory sync | Use when enterprise customers ask for it |
Practical default
- If you use Supabase for your database, start with Supabase Auth.
- If you use Firebase for mobile, start with Firebase Auth.
- If login quality is a product differentiator, consider Clerk.
- If a company customer asks for SAML, SCIM, or enterprise SSO, evaluate WorkOS, Auth0, Clerk B2B, or Cognito.
Before launch, test:
- Signup.
- Login.
- Logout.
- Password reset.
- Email verification.
- Social login, if enabled.
- Production redirect URLs.
- User deleting or exporting their data, if relevant.
08 Databases
The database decision affects everything later: reporting, permissions, migrations, exports, debugging, integrations, and how painful it is to change your app.
Supabase / PostgreSQL
Postgres is the best default for many web apps because it is standard, relational, mature, and understandable. It handles structured data, joins, constraints, indexes, transactions, JSON, full-text search, and vector extensions such as pgvector.
Use it for:
- SaaS apps.
- Dashboards.
- Internal tools.
- AI apps with users, projects, documents, and usage records.
- Products that may need exports, reports, or admin operations.
Firebase Firestore
Firestore is a document database built for real-time and mobile use cases. It works well when your app reads and writes documents by known paths and syncs them to clients quickly.
Use it for:
- Mobile apps.
- Real-time chat or collaborative state.
- Offline-first experiences.
- Apps already deep in Firebase.
Avoid it when:
- You need complex relational queries.
- You expect heavy reporting.
- You need SQL exports or joins.
- Your cost model depends on reading many documents per screen.
MongoDB Atlas
MongoDB Atlas stores flexible JSON-like documents. It can work well for apps where records vary in shape, but that flexibility can become inconsistency if you do not maintain schemas at the application layer.
Use it when:
- Your team already knows MongoDB.
- The app naturally stores document-shaped records.
- You need managed MongoDB rather than running it yourself.
Neon
Neon is serverless Postgres. It is useful when you want Postgres but do not want your database tied to your hosting platform. Branching and scale-to-zero behavior make it attractive for modern app workflows.
Use it when:
- Your frontend is on Vercel, Netlify, or Cloudflare but you want independent Postgres.
- You want database branching for previews or development.
- You want serverless-friendly Postgres without managing servers.
PlanetScale
PlanetScale is built around MySQL-compatible serverless database workflows. It can be strong for teams that know MySQL and want branching-style database operations.
Use it when:
- Your app or team prefers MySQL.
- You need serverless database workflows.
- You understand the tradeoffs around constraints, relations, and migration style.
AWS RDS and DynamoDB
RDS is managed relational database hosting for Postgres, MySQL, and other engines. DynamoDB is AWS’s high-scale NoSQL key-value/document database.
Use RDS when you need a conventional relational database inside AWS. Use DynamoDB when you have very high-scale, well-understood access patterns and AWS engineering support. Do not pick DynamoDB as a beginner default.
Vector databases for AI apps
Vector databases store embeddings: numerical representations of meaning. They are useful for semantic search, retrieval-augmented generation, recommendation, clustering, and "find similar" features.
Options:
- pgvector in Supabase or Neon: best first choice when you already use Postgres.
- Pinecone: dedicated managed vector database for scale and performance.
- Weaviate: open-source and managed vector search platform.
- Qdrant: strong open-source vector database with managed options.
- Chroma: useful for local prototypes and small experiments.
For most early AI apps, start with pgvector inside Postgres. Add a dedicated vector database only when search volume, latency, or vector scale demands it.
Database comparison
| Database | Best for | Avoid when |
|---|---|---|
| Supabase Postgres | SaaS, dashboards, AI tools, relational data | You refuse to learn basic relational modeling |
| Firestore | Mobile, real-time, offline-first | Complex joins, reporting, unpredictable reads |
| Neon | Serverless Postgres with independent hosting | You need an all-in-one backend platform |
| MongoDB Atlas | Flexible documents | You need strict relational consistency |
| PlanetScale | MySQL/serverless teams | You want a beginner all-in-one stack |
| DynamoDB | AWS-scale access patterns | You are still discovering your data model |
| pgvector / vector DB | Semantic search and RAG | You only need keyword search |
The permission trap
If users have private data, do not rely only on frontend checks. Enforce access rules in the database or backend. In Supabase, that means Row Level Security. In Firebase, that means Security Rules.
09 File Storage
Do not put images, PDFs, audio, or video directly into your database. Store files in object storage and keep only the file URL, path, owner ID, size, MIME type, and metadata in your database.
| Storage | Best for | Watch out for |
|---|---|---|
| Supabase Storage | Apps already on Supabase | Configure bucket policies and signed URLs correctly |
| Firebase Storage | Mobile apps and Firebase projects | Security rules and download costs matter |
| S3 | AWS production systems | Powerful, but IAM and bucket policies are easy to misconfigure |
| Cloudflare R2 | Cost-sensitive apps with many downloads | Best paired with Cloudflare’s ecosystem |
| GCS / Azure Blob | GCP or Azure-centered teams | Use when the rest of the stack is already there |
For user uploads, define:
- Maximum file size.
- Allowed file types.
- Who can upload.
- Who can download.
- Whether files are public, private, or signed-link only.
- How files are deleted when a user deletes an account.
- Whether uploads should be scanned, compressed, or resized.
Bandwidth and egress
File-heavy apps can become expensive because storage is not the only cost. Downloads, image transformations, and data leaving a platform can cost more than the stored files themselves. For public assets at scale, compare Cloudflare R2 and CDN behavior early.
10 Architecture Patterns
Architecture is just the shape of your app. Most deployed products fit one of a few patterns. Choose the simplest pattern that supports the product you are actually launching.
Four levels of abstraction
| Level | What you manage | Examples | Use when |
|---|---|---|---|
| Static hosting | Files and build settings | Cloudflare Pages, Netlify, Firebase Hosting | The site has no private server logic |
| Full-stack platform | App code and environment variables | Vercel, Netlify Functions | You need UI plus small serverless APIs |
| Backend-as-a-Service | Tables, auth, policies, functions | Supabase, Firebase | You want backend features without managing servers |
| Cloud infrastructure | Services, permissions, networking, monitoring | AWS, GCP, Azure | You need enterprise control or scale |
Six common architecture patterns
| Pattern | Stack | Good for | Risk |
|---|---|---|---|
| BaaS shortcut | Vercel + Supabase | Most SaaS MVPs and AI apps | Poor RLS/policy design |
| JAMstack classic | Cloudflare Pages or Netlify + external APIs | Marketing, docs, content | Not enough backend for complex apps |
| Full-stack platform | Vercel app routes/functions + managed DB | Next.js apps | Serverless limits and costs |
| Cloud-native pro | Cloud Run/Lambda + managed DB + secret manager | Production APIs, enterprise | Too complex for first app |
| Edge-first | Cloudflare Pages + Workers + R2 + D1/KV | Global low-latency apps | Runtime compatibility |
| AI-powered app | Frontend + server-side AI gateway + DB + cache | Chatbots, copilots, RAG | Token cost and long-running jobs |
AI cost defense pattern
AI apps need one extra layer: a server-side AI gateway. Do not call OpenAI, Anthropic, Gemini, or any paid model provider directly from browser code.
The gateway should:
- Check that the user is authenticated.
- Validate input length and file size.
- Enforce per-user, per-team, and per-IP rate limits.
- Cache common responses when possible.
- Use cheaper models for simple tasks.
- Stream responses when latency matters.
- Store usage records for cost analysis.
- Reject requests after a user hits their plan limit.
- Keep provider API keys in server-side environment variables only.
11 Environment Variables and Secrets
The golden rule: anything prefixed or configured as public can be seen by users.
Frontend frameworks often use prefixes such as NEXT_PUBLIC_, PUBLIC_, or VITE_ to expose values to the browser. Those values are not secret. They are configuration.
Common private secrets
- OpenAI, Anthropic, Gemini, or OpenRouter API keys.
- Database service-role keys.
- Stripe or payment provider secret keys.
- Webhook signing secrets.
- Email provider API keys.
- Admin tokens.
- Cloud service credentials.
- JWT signing secrets.
Common public configuration
- Public Supabase URL.
- Supabase anon key, if Row Level Security is correctly configured.
- Public Firebase config.
- Public analytics ID.
- Site URL.
- Feature flags that do not reveal private logic.
Where to store secrets
| Platform | Where secrets go |
|---|---|
| Vercel | Project Settings → Environment Variables |
| Netlify | Site Configuration → Environment Variables |
| Cloudflare Pages/Workers | Settings → Variables and Secrets |
| Firebase / GCP | Firebase config for public values; Secret Manager for private values |
| Render | Environment tab |
| Railway | Variables tab |
| AWS | Secrets Manager or Parameter Store |
| Azure | Key Vault or App Service configuration |
Security checklist
- Add
.envand.env.localto.gitignore. - Store production secrets in the hosting platform dashboard.
- Never put AI provider keys in React, Vue, Svelte, or client-side code.
- Never commit service-role database keys.
- Rotate any key that was committed to GitHub.
- Use separate development and production keys.
- Verify webhook signatures for payments and auth events.
- Set monthly usage limits in AI, hosting, and cloud dashboards.
- Review logs to ensure secrets are not printed.
Most common launch mistake
When an AI-generated app “works” but exposes the AI provider key in frontend code, it is not production-ready. Move the call behind a server route before sharing the app publicly.
12 Domains, DNS, and SSL
A domain turns a temporary platform URL into a real product. DNS is the system that points that domain to your hosting platform. SSL/TLS is the certificate layer that makes the site https://.
The usual workflow:
- Buy a domain from a registrar such as Cloudflare, Namecheap, Squarespace Domains, GoDaddy, or your local provider.
- Add the domain in your hosting platform.
- Copy the DNS records shown by your host.
- Paste those records into the registrar’s DNS settings.
- Wait for propagation.
- Let the hosting platform issue SSL automatically.
- Test both
example.comandwww.example.com.
Common DNS record types
| Record | What it does | Example use |
|---|---|---|
| A | Points a domain to an IP address | Root domain to a server |
| AAAA | Points a domain to an IPv6 address | IPv6 hosting |
| CNAME | Points one domain name to another | www to platform URL |
| TXT | Verifies ownership or configures security | Domain verification, SPF, DKIM |
| MX | Routes email | Google Workspace, Microsoft 365, email providers |
Most modern hosts provision SSL automatically. Your job is to add the DNS records exactly as the platform shows them, wait for propagation, and test the final URL.
Beginner recommendation
If you do not already own a domain, Cloudflare Registrar is a clean default. It keeps registrar, DNS, CDN, and security controls in one place without upsell-heavy domain management.
13 CI/CD for Non-Developers
CI/CD means your app rebuilds and redeploys automatically when you push to GitHub. You do not need to become a CI/CD expert, but you do need a repeatable deploy path.
The beginner-friendly workflow:
- Work on your app locally or in your AI coding tool.
- Commit and push to GitHub.
- Hosting platform builds a preview.
- Test the preview URL.
- Merge to the main branch.
- Production deploys automatically.
- Check logs after deploy.
What to test in preview:
- Signup, login, logout, and password reset.
- Database reads and writes.
- File upload and download.
- AI calls through the server.
- Payment checkout and webhook handling, if present.
- Mobile layout.
- Error states.
If that sounds boring, good. Deployment should become boring. The process is healthy when every change has a preview, every deploy is reproducible, and rollback is possible.
14 Monitoring and Alerts
You cannot fix what you cannot see. Add monitoring before you invite strangers.
| Tool | What it catches |
|---|---|
| Sentry | Frontend and backend exceptions, stack traces, source maps |
| UptimeRobot / Better Stack | Site down, health check failure, unreachable pages |
| Hosting logs | Build failures, function errors, request details |
| Database logs | Slow queries, permission errors, connection problems |
| Budget alerts | Cloud, AI, and hosting spend |
| Analytics | Where users enter, leave, and convert |
At minimum:
- Install Sentry or similar error tracking.
- Add uptime monitoring for the homepage and a health endpoint.
- Enable platform logs.
- Set budget alerts on hosting, cloud, database, and AI providers.
- Test one fake error to confirm the alert reaches you.
Budget alerts
Set alerts before public launch, not after. Useful thresholds are often:
- First warning: the monthly cost you would notice.
- Second warning: the monthly cost you would need to explain.
- Third warning: the monthly cost that should stop traffic or disable expensive features.
For AI products, also set hard caps in the model provider dashboard where available. Hosting can be cheap while model calls become the real bill.
15 Recommended Stacks by App Type
This section is intentionally practical. Pick the app type that looks most like your product, start there, and only change the stack when a specific constraint appears.
| App type | Recommended stack | Why it works | Upgrade trigger |
|---|---|---|---|
| Landing page / blog | Cloudflare Pages or Netlify | Fast static hosting, low cost, easy domain setup | Need app accounts, payments, or private data |
| SaaS MVP | Vercel + Supabase + Sentry | Fast Next.js deploys, Postgres, auth, storage | Need complex background jobs or enterprise SSO |
| AI chatbot / assistant | Vercel + Supabase + server-side AI route | Keeps model keys private and stores conversations | Long jobs, heavy RAG, high token spend |
| Mobile app | Firebase or Expo + Supabase | Firebase for mobile sync; Supabase for SQL control | Complex reporting or migration pressure |
| Realtime collaboration | Supabase Realtime or Firebase | Built-in subscriptions and client SDKs | Need custom presence, CRDTs, or extreme scale |
| Small e-commerce | Shopify or hosted checkout + static/frontend app | Avoids building payments/order ops too early | Need custom marketplace logic |
| Python / Node API | Render or Railway + Neon/Supabase | Always-on backend without Kubernetes | Need containers, queues, or cloud compliance |
| Internal tool | Vercel + Supabase or Retool-like tool | Simple auth, tables, admin views | Needs enterprise permissions/audit |
| File-heavy public site | Cloudflare Pages + R2 | Strong bandwidth economics | Need dynamic app backend |
| Enterprise app | AWS/GCP/Azure + experienced engineer | Compliance, identity, networking, audit | Use only when required |
Stack selection rule
Do not choose the most powerful stack. Choose the stack that makes the next correct action obvious. Your first production stack should help you ship safely, observe usage, and change direction without rewriting everything.
16 Step-by-Step Deployment Paths
These paths are deliberately concrete. They are not the only way to deploy, but they are reliable starting paths for common app shapes.
Path A — Vercel + Supabase for a web SaaS or AI app
Best for: Next.js SaaS apps, AI assistants, dashboards, internal tools, and products with user accounts.
- Create a Supabase project.
- Create the minimum tables you need: users/profiles, projects, documents, messages, usage, or whatever your app actually stores.
- Enable Supabase Auth.
- Configure local and production redirect URLs.
- Create Row Level Security policies before inviting real users.
- Create storage buckets if users upload files.
- Add server-side API routes for AI calls, Stripe calls, or private database operations.
- Push code to GitHub.
- Import the repo into Vercel.
- Add environment variables in Vercel for Supabase URL, anon key, service role key if used server-side only, and AI provider keys.
- Deploy a preview.
- Test signup, login, logout, database writes, RLS behavior, file uploads, and AI calls.
- Connect a custom domain.
- Add Sentry, uptime checks, analytics, and budget alerts.
- Launch to a small group before posting publicly.
Path B — Netlify + Supabase for a static or content site
Best for: marketing sites, content sites, docs, lead capture, and sites that may need light backend behavior.
- Push the site to GitHub.
- Create a Netlify project from the Git repo.
- Set the build command, usually
npm run build. - Set the publish directory, such as
dist,out,build, or framework-specific output. - Add environment variables if needed.
- Deploy a preview.
- Add Netlify Forms if you need lead capture without a custom backend.
- Add Netlify Functions only for small server-side tasks.
- Connect a custom domain.
- Let Netlify provision SSL.
- Add analytics and submit your sitemap.
Path C — Render for a full-stack API or Python backend
Best for: FastAPI, Flask, Django, Express, background workers, webhooks, and APIs that need to stay warm.
- Push backend code to GitHub with
requirements.txt,package.json, or aDockerfile. - Create a Render Web Service.
- Select the runtime or Docker deployment.
- Set the build command.
- Set the start command.
- Add environment variables.
- Create managed Postgres if needed.
- Deploy and watch logs.
- Create a
/healthendpoint. - Connect your frontend to the Render API URL.
- Add a custom domain and SSL.
- Move to a paid always-on plan before serious public traffic if cold starts are unacceptable.
Path D — Railway for a fast MVP or prototype
Best for: quick APIs, prototypes, hackathon apps, and teams that value speed over perfect cost predictability.
- Push code to GitHub.
- Create a Railway project.
- Deploy from the GitHub repo.
- Let Railway detect build settings.
- Add variables in the Variables tab.
- Add a database service if needed.
- Generate a Railway domain.
- Connect a custom domain when ready.
- Watch usage closely, especially when multiple services are running.
- Move to a more predictable setup if the MVP becomes a production product.
Path E — Firebase for a mobile-first app
Best for: iOS, Android, Flutter, React Native, and apps that need mobile SDKs, offline sync, or push notifications.
- Create a Firebase project.
- Add iOS, Android, or web app credentials.
- Enable Firebase Auth.
- Configure auth providers and production redirect/callback settings.
- Choose Firestore or Realtime Database.
- Design collections and indexes around your actual screens.
- Write security rules before launch.
- Add Cloud Storage for files.
- Add Cloud Functions or Cloud Run for private logic.
- Connect mobile SDKs.
- Test login, offline behavior, upload/download, and push notifications.
- Set billing alerts before switching to a paid plan.
Path F — Cloud Run for a containerized AI backend
Best for: AI APIs, Python services, long-running endpoints, model orchestration, and backends that need containers.
- Package the backend in Docker.
- Keep AI provider keys server-side only.
- Push code to GitHub.
- Build the container with Cloud Build or GitHub Actions.
- Deploy to Cloud Run.
- Store secrets in Secret Manager.
- Connect to Cloud SQL, Neon, Supabase, or another managed database.
- Set concurrency, memory, CPU, region, min instances, and max instances.
- Add request logging.
- Add budget alerts and max instance limits.
- Add Sentry or OpenTelemetry.
- Put a queue in front of jobs that take longer than a normal web request.
Path G — GCP full production with Firebase Hosting, Cloud Run, and Cloud SQL
Best for: teams already in Google Workspace, Firebase projects that outgrow simple functions, and products that need an all-Google production setup.
- Create a GCP project.
- Deploy the static frontend to Firebase Hosting.
- Containerize the backend and deploy it to Cloud Run.
- Provision Cloud SQL Postgres, or use Firestore if NoSQL is truly the right model.
- Store secrets in Secret Manager.
- Reference secrets from Cloud Run, not from frontend code.
- Use Firebase Auth or Google Cloud Identity Platform.
- Configure custom domains.
- Add Cloud Logging, Cloud Monitoring, uptime checks, and budget alerts.
- Document deploy, rollback, and database restore steps.
Path H — Azure for Microsoft-centered teams
Best for: enterprise clients on Microsoft contracts, .NET apps, internal tools using Entra ID, and teams already in Azure.
- Choose Azure Static Web Apps for a static frontend plus serverless API.
- Choose Azure App Service for a conventional web app or API.
- Use Azure SQL Database, Cosmos DB, or managed Postgres depending on the data model.
- Store secrets in Azure Key Vault.
- Use managed identity where possible instead of copying secrets around.
- Add custom domains with managed SSL.
- Wire deployment through GitHub Actions or Azure DevOps Pipelines.
- Add Application Insights.
- Configure Azure Cost Management alerts.
- Use Entra ID when enterprise identity is required.
Path I — AWS for AWS-centered teams
Best for: enterprise, regulated apps, AWS-heavy customers, and teams with AWS engineering support.
- Use Amplify if you want the beginner AWS frontend/full-stack path.
- Use Lambda + API Gateway for serverless APIs.
- Use ECS/Fargate or App Runner alternatives only if you know why serverless is not enough.
- Use RDS for relational data or DynamoDB for known high-scale access patterns.
- Use Cognito for auth if the app must stay AWS-native.
- Use S3 for files and CloudFront for CDN.
- Store secrets in Secrets Manager or Parameter Store.
- Use IAM roles carefully; avoid broad permissions.
- Use CloudWatch for logs and metrics.
- Set AWS Budgets immediately.
- Budget for experienced help if users, revenue, or compliance risk are involved.
17 Cost and Scalability
The dangerous costs are rarely the monthly subscription line items. The dangerous costs are usage-based: bandwidth, function execution, database reads, file egress, AI tokens, logs, and storage.
Before launch, estimate:
requests per user per day × users per month × cost per request = monthly variable cost
Then ask whether your price leaves margin.
Cost breakdown by stage
| Stage | Users | Frontend | Backend | Database | Auth | Typical total |
|---|---|---|---|---|---|---|
| Prototype | 0–10 | $0 | $0 | $0 | $0 | $0 |
| MVP | 10–1K | $0–20 | $0–25 | $0–25 | $0–25 | $0–95 |
| Early traction | 1K–10K | $20–60 | $7–50 | $25–100 | $0–100 | $52–310 |
| Growth | 10K–50K | $20–200 | $25–200 | $50–500 | $50–500 | $145–1,400 |
| Scale | 50K+ | Depends on usage | Depends on usage | Depends on usage | Depends on MAU | Requires measurement |
These are rough planning ranges, not price guarantees. Platform pricing changes, and your app’s behavior matters more than the logo on the invoice.
Main cost drivers
| Driver | What it is | How to control it |
|---|---|---|
| Seats | Per-team-member charges | Keep admin teams small; check collaboration pricing |
| Compute | Function duration, CPU/RAM, containers | Optimize code; avoid long jobs in request handlers |
| Database | Storage, connections, reads/writes | Add indexes, avoid read amplification, use pooling |
| Auth | Monthly active users, organizations, MFA, SSO | Match auth provider to stage and B2B needs |
| Storage | File size and retained uploads | Compress, resize, delete unused files |
| Bandwidth / egress | Data leaving the platform | Use CDN and compare R2/S3/Supabase/Firebase behavior |
| Build minutes | Time spent building on every deploy | Cache builds; avoid unnecessary rebuilds |
| AI API calls | Model tokens, embeddings, image/audio generation | Rate-limit, cache, use cheaper models, cap usage |
| Logs | High-volume logs retained too long | Sample logs and set retention policies |
Hidden costs to watch
- Egress and bandwidth. Data leaving a platform can cost more than storing the data.
- AI API overruns. Repeated prompts, long contexts, retries, and bots can burn budget quickly.
- Database connection limits. Serverless functions can create many connections. Use pooling.
- Cold starts. Free services that sleep cost you in user experience.
- Build minutes. Large apps and frequent deploys can consume free build quotas.
- Image optimization. Automatic image services are convenient but can become a usage line item.
- Logs and analytics. High-volume telemetry can become expensive if retained forever.
Pricing changes
Platform pricing and free-tier limits change. Treat every number in any guide as approximate. Before launch, check official pricing pages, set budget alerts, and add hard spend limits where the platform allows them.
18 Common Mistakes and Troubleshooting
Avoiding these mistakes will save hours of debugging and potentially hundreds or thousands of dollars.
The mistakes
| Mistake | Why it hurts | Better default |
|---|---|---|
| Shipping API keys in frontend code | Anyone can steal them from browser code | Proxy AI and payment calls through a backend |
| Launching without budget alerts | Viral traffic or bots can create surprise bills | Set alerts before sharing publicly |
| Putting files in the database | Databases are not designed for large binary files | Use object storage and store URLs/metadata in the DB |
| Trusting frontend-only permissions | Users can bypass UI checks | Enforce permissions in backend/database rules |
| Leaving Firebase/Supabase in test mode | Anyone may read/write/delete data | Default deny; write explicit rules/policies |
| Choosing AWS because it feels serious | Complexity slows learning and shipping | Start simpler unless a real constraint requires AWS |
| Skipping monitoring | You learn about failures from users | Install Sentry and uptime checks before launch |
| Editing production data without backup | One mistake can destroy user data | Snapshot/export first |
| Building auth from scratch | Auth bugs become security bugs | Use Supabase Auth, Firebase Auth, Clerk, Auth0, or Cognito |
| Running long AI jobs inside one request | Requests time out and users retry | Use streaming, queues, background workers, or async jobs |
Troubleshooting quick reference
| Symptom | Likely cause | Fix |
|---|---|---|
| Works locally but fails after deploy | Missing environment variables | Compare local .env with production variables |
| Login works locally but not in production | Wrong callback or redirect URL | Add production domain in auth provider settings |
| Empty data after login | RLS/security rules blocking access | Review Supabase policies or Firebase rules |
| Users can see other users’ data | Missing database/backend permission checks | Enforce owner/team checks server-side |
| 404 on API route | Function path or routing mismatch | Check platform route conventions |
| 500 after deploy | Secret missing, database unreachable, bad build | Read server logs first |
| Database connection errors | Too many serverless connections | Use connection pooling or serverless-friendly DB |
| Custom domain not working | DNS not propagated or wrong record | Check A/CNAME/TXT records and wait |
| SSL certificate pending | DNS validation incomplete | Fix DNS and retry verification |
| App slow on first request | Cold start or sleeping service | Upgrade plan, set min instances, or use always-on |
| AI response times out | Job too long for HTTP request | Stream, queue, or background the job |
| File upload fails | Storage rules/policies wrong | Review bucket permissions and MIME limits |
| Unexpected bill | Usage-based pricing spike | Add budgets, caps, alerts, and rate limits |
19 Voices from Users and Communities
The recommendations above are opinionated, but they should not sound like vendor marketing. The patterns below are paraphrased from public builder communities: Hacker News, Reddit, product forums, Indie Hackers, dev.to, X, platform communities, and conversations around vibe-coded apps. They are not endorsements or direct quotes. They are recurring field notes.
How to read this section
Every platform has happy users and frustrated users. The useful question is not “which platform has complaints?” Every platform does. The useful question is “which complaints would actually matter for my app?”
VercelBilling anxiety
Common refrain: the deploy was easy; the surprise was usage-based billing.
The recurring community story is not that Vercel is bad. Builders still love the preview workflow and Next.js fit. The anxiety appears when traffic spikes, bots, DDoS events, image-heavy pages, or missing spend controls turn a small app into a large invoice.
Practical response: use Vercel when it fits, but configure budgets, monitor bandwidth, understand image optimization charges, and do not launch public links blind.
FirebaseFast start, hard scale
Common refrain: Firebase feels magical until the data model needs real queries.
Firebase gets praised for auth, mobile SDKs, offline sync, and real-time behavior. Complaints usually arrive later: read-heavy pricing, Firestore query limits, security rule complexity, and difficulty reshaping data once production usage exists.
Practical response: use Firebase for mobile and real-time apps; estimate reads per screen; design security rules early; avoid using Firestore as if it were SQL.
SupabaseLove with caveats
Common refrain: it is the backend that finally feels understandable.
Supabase earns strong affection because Postgres, Auth, Storage, Edge Functions, and Row Level Security fit together in a way builders can reason about. The caveat from production users is also consistent: schema design, migrations, backups, and policies still matter.
Practical response: choose Supabase for web apps, but learn enough RLS to avoid both overexposure and self-inflicted “why is nothing loading?” bugs.
ClerkDX vs. price curve
Common refrain: auth was solved quickly; then the team checked MAU and B2B feature pricing.
Developers praise Clerk for polished UI, fast Next.js integration, organizations, and a better auth experience than most DIY implementations. The hesitation is cost, dependency risk, and whether the product needs that level of auth polish yet.
Practical response: use Clerk when auth UX matters or B2B orgs are central. Use Supabase Auth or Firebase Auth when basic login is enough.
Render / RailwayHeroku successors
Common refrain: I wanted my backend online without learning Kubernetes.
Both platforms are popular with solo builders because they turn GitHub repos into running APIs quickly. Render gets credit for predictable production hosting. Railway gets credit for speed and simplicity. The warning is that multiple services, databases, and always-on workloads can add up.
Practical response: use them for APIs and backends, but track each service as a separate cost line.
Fly.ioPower vs. complexity
Common refrain: the platform is powerful, but it asks you to understand infrastructure earlier.
Fly.io attracts developers who want apps close to users, persistent processes, and more control than a serverless platform gives. The frustration pattern is billing confusion, operational concepts, and a steeper learning curve for non-developers.
Practical response: consider Fly.io when you understand why you need it. Do not make it your first deployment teacher unless you are comfortable debugging infrastructure.
AWSThe pilgrimage
Common refrain: everyone eventually learns AWS is a platform and a curriculum.
Many builders respect AWS after they understand it. Fewer recommend it as a first stop for non-developers. The common story is starting on AWS to look serious, then spending more time on IAM, networking, logging, and service choices than on the product.
Practical response: use AWS when the business case is real. Otherwise, ship on a simpler stack and migrate only when constraints justify the cost.
AI appsThe real bill
Common refrain: hosting was cheap; model calls were not.
For AI products, the hosting bill is often not the dangerous part. The expensive part is unbounded model usage: repeated prompts, long contexts, retries, bots, uploads, embeddings, and missing per-user limits.
Practical response: cache common responses, cap usage per account, limit input size, use cheaper models when possible, and set hard provider limits before launch.
Next.js / VercelCoupling debate
Common refrain: the best developer experience can feel like vendor gravity.
Developers like the smooth Next.js-on-Vercel path, but some worry about relying too heavily on platform-specific features, pricing assumptions, and serverless behavior. The debate is not whether the stack works. It does. The debate is how portable you need to remain.
Practical response: use the convenient path, but keep business logic modular, avoid unnecessary proprietary services, and document deployment assumptions.
CloudflareCost relief, runtime tradeoff
Common refrain: the bandwidth problem got easier; the runtime model changed.
Cloudflare gets enthusiastic reactions from builders with high-traffic or file-heavy sites because bandwidth and egress economics are strong. The tradeoff is compatibility: Workers are excellent for edge logic, but not every full Node.js package or backend pattern moves cleanly.
Practical response: use Cloudflare for static scale, edge functions, and R2. Keep conventional backends elsewhere if your dependencies expect full Node.js.
Vibe codersThe hidden curriculum
Common refrain: AI made the demo; production still required judgment.
Vibe coders consistently report the same gap: AI tools can generate working screens and flows quickly, but they often miss validation, permissions, backups, monitoring, cost limits, secret handling, and failure modes.
Practical response: treat deployment as the checklist that turns a convincing demo into something safe enough for strangers.
The pattern across these voices is consistent: the tools are strong, but blind defaults are expensive. Choose a simple stack, set limits early, and treat launch as the beginning of operations, not the end of building.
20 Decision Matrix
| Situation | Start with | Why |
|---|---|---|
| First app, learning deployment | Cloudflare Pages or Netlify | Fewest moving parts |
| Next.js SaaS MVP | Vercel + Supabase | Best speed-to-working-product ratio |
| AI chatbot / assistant | Vercel + Supabase + server-side AI gateway | Keeps keys private and usage measurable |
| Mobile app | Firebase or Expo + Supabase | Mobile SDKs or SQL control |
| Static site / marketing site | Cloudflare Pages | Cost-effective global static hosting |
| Python backend | Render + Neon or Supabase | Easy always-on API path |
| Real-time collaboration | Supabase Realtime or Firebase | Built-in real-time primitives |
| Global low-latency app | Cloudflare Pages + Workers | Edge-first delivery |
| File-heavy public app | Cloudflare R2 + CDN | Better bandwidth economics |
| Enterprise SSO | Clerk, WorkOS, Auth0, or Cognito | Mature identity features |
| Compliance-heavy app | AWS/GCP/Azure with experienced help | Audit, controls, regions, procurement |
| Zero-budget side project | Cloudflare Pages + Supabase free tier | Strong free starting point |
| Cheapest scale | Cloudflare stack + R2 + managed Postgres | Good bandwidth and database separation |
| Customer requires Microsoft | Azure Static Web Apps/App Service + Entra ID | Matches enterprise identity/procurement |
| Customer requires AWS | Amplify/Lambda/RDS/S3 with help | Meets AWS-native requirements |
The cannot-decide default
If you still cannot decide, use Vercel + Supabase + Sentry for a web app, or Cloudflare Pages for a static site. That decision is good enough to learn from, easy enough to ship, and not so exotic that another developer will be confused later.
21 Glossary
API — A way for software systems to talk to each other.
Backend — Server-side code that users cannot directly see.
BaaS — Backend-as-a-Service: database, auth, storage, and functions as a managed platform.
CDN — A network that serves files from locations close to users.
CI/CD — Automatic build, test, and deploy workflow.
Cold start — Delay when a sleeping serverless function or service wakes up for the first request.
Container — A packaged app environment that runs consistently across servers.
DNS — The internet’s address system.
Egress — Data leaving a cloud or hosting provider, often billable.
Environment variables — Configuration values stored outside code.
Frontend — The part users see in the browser or app.
IAM — Identity and Access Management, usually cloud permissions.
Object storage — Storage for files such as images, PDFs, videos, and backups.
RAG — Retrieval-Augmented Generation, where an AI model uses retrieved documents or data before answering.
RLS — Row Level Security, database-enforced access rules.
Serverless — Code that runs as functions while the platform manages servers.
Static site — Prebuilt files served to every visitor.
Webhook — An automated message sent from one service to another when something happens.
22 Final Default
If you are still unsure, use this:
For most non-developer web apps
- FrontendVercel
- BackendVercel Functions or Supabase Edge Functions
- DatabaseSupabase Postgres
- AuthSupabase Auth
- FilesSupabase Storage
- MonitoringSentry + UptimeRobot
- Cost controlsBudget alerts, provider spend caps, and per-user AI limits
The platform matters less than the habit of shipping. Start with the simplest stack that can safely put your product in front of real users. Monitor costs. Protect secrets. Upgrade only when real constraints force you to.
About the Author

Jaehee Song
Enterprise data platform architect with 20+ years of experience building data systems for Fortune 500 companies. AI development educator who has taught vibe coding and AI development to hundreds of students. Founder of Seattle Partners, helping Korean technology startups navigate the US market.