Your app works locally. Now what?
You built your app with vibe coding. The prototype runs on your machine. You've shown it to a few people, the feedback is good.
But "it works on my machine" and "it's online, people can sign up and pay" are two very different things. Between the two lies deployment. And that's where a lot of vibe-coded projects get stuck.
This guide gives you a concrete path, step by step. No abstract theory — just tools, choices, and decisions. If you've already gone through the pre-launch checklist, this guide is the natural next step: how to set up what the checklist verifies.
1. Choose your hosting
This is the first decision, and it shapes a lot of what follows. Good news: in 2026, the options are simple and affordable.
If your app is a Next.js / React site
Vercel is the obvious pick. They created Next.js, so the integration is seamless. Connect your GitHub repo, and every time you push code, your app updates automatically. The free plan is enough to start. As you grow, pricing scales with you.
Netlify does the same thing, with a bit more flexibility if you're not using Next.js.
If your app has a more complex backend
You have an API, a server, background jobs? You need something more flexible.
- Railway: you describe what you need (a Node app, a PostgreSQL database, a Redis cache) and Railway deploys it. The interface is clean, pricing is transparent. Best simplicity-to-power ratio in 2026.
- Fly.io: slightly more technical, but your apps run close to your users. Ideal if you have users around the world.
- Render: a solid alternative to Railway, with a generous free tier.
What to avoid
Don't manage your own server. No bare VPS, no manual web server setup. That's constant maintenance, and it's not where you create value.
Quick pick: if you're starting out with a Next.js app, go with Vercel. If you need a backend, go with Railway. You can always migrate later.
2. Set up your database
If your app stores data (and it probably does), you need a production database. Not the one running on your laptop — a real one, hosted and backed up.
Which type to choose?
- PostgreSQL: the default choice. Reliable, powerful, free. If you don't know what to pick, pick PostgreSQL.
- SQLite (via Turso or LiteFS): great for small apps. Simpler, less configuration. But watch out for limits if you grow fast.
- Supabase: PostgreSQL + a web interface + auth + file storage. It's the Swiss Army knife. Very popular in the vibe coding community.
Migrations: the thing AI often forgets
Your database will evolve. You'll add columns, tables, change types. Migrations are the mechanism that lets you do this cleanly, without losing data.
AI rarely generates correct migrations on the first try. Always check:
- That the migration can be rolled back
- That existing data isn't overwritten
- That you test the migration on a copy of your data before running it in production
Tools: Prisma (most popular), Drizzle (lightest), or Supabase's built-in migrations.
What AI often gets wrong here: it generates a migration that drops a column and creates a new one instead of renaming it. Result: all the data in that column is gone. On your dev machine, you don't notice — your database is empty anyway. In production, it's a silent disaster. The kind of thing a simple
ALTER TABLE RENAME COLUMNwould have solved, but AI almost never gets right on the first try.
3. Handle authentication
Authentication is the most annoying thing to code yourself. It's also the first thing that'll cost you users if it's done poorly. So don't code it yourself.
Turnkey solutions
- Clerk: signup, login, session management, all included. Next.js integration is excellent. Free up to 10,000 users.
- Auth.js (formerly NextAuth): open-source, flexible, you stay in control. A bit more setup, but no dependency on a paid service.
- Supabase Auth: if you're already using Supabase for your database, might as well use their auth too. It's consistent and avoids multiplying services.
What to verify
Whatever you choose, make sure:
- Sessions expire (a user doesn't stay logged in forever)
- "Forgot password" works end to end
- Protected pages are actually protected (test in incognito mode)
- You handle roles if your app needs them (admin vs regular user)
What AI often gets wrong here: it protects pages on the client side (with an
if (!user) redirect), but forgets to protect the API routes behind them. Result: anyone can call/api/admin/usersdirectly from their browser and access sensitive data. The interface looks secure. The backend isn't at all.
4. Automate deployments with CI/CD
CI/CD is just a fancy term for: "when I push code, my app updates automatically, and if something's wrong, it stops before breaking anything."
GitHub Actions: the simple choice
If your code is on GitHub (and it should be), GitHub Actions is the natural pick. Free for public repos and very affordable for private ones.
A basic pipeline does three things:
- Checks that your code compiles without errors
- Tests that your tests pass
- Deploys if everything is green
If you're using Vercel or Railway, automatic deployment is already built in when you connect your repo. CI/CD adds a verification layer before deployment.
The minimum to set up
- A check that runs your tests on every push
- Automatic deployment on your main branch
- A preview environment for feature branches (Vercel does this automatically)
The trap: not having CI/CD and deploying "by hand" with a direct push. It works at first. The day you break something in production on a Friday night, you'll regret it.
5. Set up monitoring
You can't fix what you can't see. In production, you need to know when something goes wrong — ideally before your users do.
Errors: Sentry
Sentry captures every error in your app, with full context: which page, which user, which browser, what action triggered the problem. The free plan is more than enough to start.
Integration takes 10 minutes. It's probably the most valuable 10 minutes of your entire deployment.
What AI often gets wrong here: it installs Sentry but sends every single error without filtering. Result: you get 200 alerts a day for harmless errors (a user losing their WiFi connection, a bot scanning your site). After 48 hours, you mute the notifications. And the day a real error hits, you don't see it. Setting up Sentry is easy. Setting up Sentry so it's actually useful is a different story.
Performance: your hosting provider
Vercel, Railway, and others provide basic metrics: response time, memory usage, number of requests. Start by looking at what they offer before adding another tool.
Alerts: don't fly blind
Set up at minimum:
- An email alert when your app crashes (Sentry does this)
- An alert when your app goes offline (UptimeRobot, free)
- A weekly glance at your hosting metrics
6. Secure the basics
The launch checklist covers security in detail. Here, we focus on concrete infrastructure actions.
Secrets management
Your API keys, database passwords, third-party service tokens — all of these must be in environment variables, never in your code.
- Every hosting provider (Vercel, Railway, Render) has an interface for managing environment variables
- Never commit a
.envfile to your Git repo - Use different values for development and production
What AI often gets wrong here: it adds fallback values in the code — something like
const dbUrl = process.env.DATABASE_URL || "postgres://localhost:5432/myapp". In dev, it works. In production, if your environment variable is misconfigured, your app silently connects to a database that doesn't exist, or worse, the wrong one. No visible error. Just data that disappears.
HTTPS everywhere
If you use Vercel, Railway, or Netlify, it's automatic. Just verify your custom domain shows the padlock in the address bar. Without HTTPS, browsers show a warning and your users leave.
Security headers
Add these HTTP headers in your app's configuration:
X-Content-Type-Options: nosniffX-Frame-Options: DENYStrict-Transport-Security(forces HTTPS)
On Next.js, this is configured in next.config.js in a few lines. Ask AI to add them for you.
7. Backups and plan B
Automatic backups
Your database must be backed up automatically. Most services do this by default, but verify:
- That backups are enabled (some free plans don't include them)
- That you can restore a backup (test it once, for real)
- That backups are kept long enough (at least 7 days)
Rolling back
If a deployment breaks something, you need to be able to go back to the previous version in 2 minutes. That's called a rollback.
- Vercel: one click in the dashboard to revert to the previous deployment
- Railway: same thing, you can redeploy any past version
- GitHub:
git revert+ push, and your CI/CD does the rest
The test: do a rollback now, on a test environment. The day you need it for real, you don't want to be figuring out how.
8. Open-source tools that make a difference
One of the perks of vibe coding is that the open-source community is massive. Here are the free tools that can replace paid services — or complement them.
| Need | Open-source tool | Paid alternative |
|---|---|---|
| Database | PostgreSQL | — |
| Auth | Auth.js | Clerk |
| Backend-as-a-service | Supabase (self-hosted) | Supabase Cloud |
| Error monitoring | GlitchTip | Sentry |
| Analytics | Plausible, Umami | Google Analytics |
| Transactional email | — | Resend, Postmark |
| File storage | MinIO | AWS S3, Cloudflare R2 |
| CI/CD | GitHub Actions | — |
Open source is free in money but not in time. If you self-host a tool, you're the one updating it, you're the one fixing it when it breaks. For a founder launching, managed services are often the best investment. You pay a few dollars a month to not think about it.
9. The "go live" checklist
Before sending the link to your first users, go through this list:
- My app is deployed on production hosting (not local)
- My custom domain is set up with HTTPS
- My database is hosted and automatically backed up
- Auth works end to end (signup, login, forgot password)
- My secrets are in environment variables, not in the code
- I have an error monitoring tool (Sentry or equivalent)
- I've tested a rollback (going back to the previous version)
- I've tested my app on mobile
- My deployments are automatic (CI/CD or hosting provider auto-deploy)
- I've gone through the security checklist
Each unchecked item is a risk. Some are acceptable at launch (you can live without sophisticated CI/CD at first). Others aren't (no backups = no safety net).
You don't have to do this alone
This guide covers a lot of ground. If you're just starting out, it can feel overwhelming. Here's the good news: most of these steps take hours to set up, not weeks.
And if you want someone to do it with you — or for you — that's exactly what our Pro Stack offer covers. We take your vibe-coded prototype, deploy it to production with solid foundations, and you walk away with an app ready for real users.
Vibe coding is incredible for building fast. But to last, you need foundations. This guide gives you the map. It's up to you whether you make the journey alone or with a guide.
