
What actually goes into a production-ready SaaS boilerplate (hint: it's not just auth)
Every developer who's shipped a SaaS product has had the same moment: you stare at a blank repo and think "I'll just wire up auth real quick." Three weeks later you're still fighting OAuth redirect URIs, forgetting to hash passwords correctly, and trying to remember if you added rate limiting to the login endpoint.

Auth is the obvious starting point. But it's not the hard part.

What people miss when they think about "production-ready"

Here's a non-exhaustive list of what a real production SaaS needs beyond auth:

Payments that don't break

Stripe webhooks are notoriously tricky. You need idempotency keys, signature verification on every incoming webhook, retry handling, and logic for subscription states: trialing, active, past_due, canceled. Miss any of these and you'll have users who upgraded but still see the free tier — or get double-charged.

API rate limiting

Every public endpoint needs it. Not just "limit to 100 req/minute globally" — per-user, per-endpoint rate limiting with pr
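The webhook requirements above (signature verification on every delivery, replay rejection, and idempotent handling of provider retries) are small enough to show end to end. The following is an added example, not code from the original post or from Stripe's own SDK. It assumes the widely used Stripe-style header format, `t=<unix-timestamp>,v1=<hex-hmac-sha256>`, with the HMAC computed over `<timestamp>.<raw body>` using the endpoint's signing secret; the secret, event ids, customer ids and the `make_event_body` helper are constructed for the demo, and `WebhookProcessor` keeps its "seen event ids" in memory where production code would use a database table with a unique index.

```python
"""Webhook hardening: signature verification plus idempotent event handling.

Added example (not from the original post). Header format and signed-payload
layout follow the Stripe-style scheme described in the lead-in; all secrets,
ids and event bodies below are constructed demo values.
"""
import hashlib
import hmac
import json

ENDPOINT_SECRET = b"whsec_constructed_demo_secret"  # constructed; real secrets come from config
TOLERANCE_SECONDS = 300  # deliveries older (or newer) than this are treated as replays
KNOWN_STATES = {"trialing", "active", "past_due", "canceled"}


def sign_payload(secret: bytes, raw_body: bytes, timestamp: int) -> str:
    """Build the signature header a sender would attach (used here only to create test inputs)."""
    signed = f"{timestamp}.".encode() + raw_body
    digest = hmac.new(secret, signed, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def verify_signature(secret: bytes, raw_body: bytes, header: str, now: int) -> bool:
    """Return True only if the header carries a fresh, valid HMAC over the *raw* body bytes."""
    parts = dict(item.split("=", 1) for item in header.split(",") if "=" in item)
    try:
        timestamp = int(parts["t"])
        provided = parts["v1"]
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: reject as a replay
    signed = f"{timestamp}.".encode() + raw_body
    expected = hmac.new(secret, signed, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, provided)  # constant-time comparison


def make_event_body(event_id: str, customer: str, status: str) -> bytes:
    """Constructed sample body in the shape of a subscription-updated event."""
    event = {"id": event_id, "type": "customer.subscription.updated",
             "data": {"object": {"customer": customer, "status": status}}}
    return json.dumps(event).encode()


class WebhookProcessor:
    """Applies each event at most once, keyed on the provider's event id."""

    def __init__(self) -> None:
        self.seen_event_ids: set = set()       # production: DB table with a unique index
        self.subscription_status: dict = {}    # customer id -> subscription state

    def handle(self, raw_body: bytes, header: str, now: int) -> str:
        if not verify_signature(ENDPOINT_SECRET, raw_body, header, now):
            return "rejected"           # never parse JSON from an unverified body
        event = json.loads(raw_body)
        if event["id"] in self.seen_event_ids:
            return "duplicate"          # provider retry: acknowledge without re-applying
        self.seen_event_ids.add(event["id"])
        obj = event["data"]["object"]
        if event["type"] == "customer.subscription.updated" and obj["status"] in KNOWN_STATES:
            self.subscription_status[obj["customer"]] = obj["status"]
            return "applied"
        return "ignored"                # unknown type or state: recorded as seen, not applied


def demo() -> tuple:
    """Run the delivery, retry, replay and tampering cases; returns (outcomes, final states)."""
    proc = WebhookProcessor()
    now = 1_700_000_000
    body = make_event_body("evt_1", "cus_42", "past_due")
    good = sign_payload(ENDPOINT_SECRET, body, now)
    tampered = body.replace(b"past_due", b"active")      # body edited after signing
    outcomes = [
        proc.handle(body, good, now),                    # first delivery: applied
        proc.handle(body, good, now + 5),                # provider retry: duplicate
        proc.handle(body, good, now + 3600),             # replayed an hour later: rejected
        proc.handle(tampered, good, now),                # HMAC no longer matches: rejected
        proc.handle(body, sign_payload(b"wrong", body, now), now),  # wrong key: rejected
    ]
    return outcomes, dict(proc.subscription_status)


if __name__ == "__main__":
    print(demo())
```

The ordering inside `handle` is the point: signature check first, then the idempotency check, then state changes, so a forged or replayed delivery never touches the subscription table, and a legitimate retry is acknowledged cleanly without double-applying.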
Continue reading on Dev.to Webdev
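The post's rate-limiting point is that a single global counter is not enough: the limit has to be keyed on who is calling and which endpoint they are calling, with a tighter budget on sensitive endpoints such as login. The following is an added example, not code from the original post: a per-(subject, endpoint) token bucket. The `ENDPOINT_LIMITS` table, the subject ids and the injected clock are constructed for the demo, and the bucket store is an in-memory dict standing in for a shared store such as Redis.

```python
"""Per-user, per-endpoint token-bucket rate limiting.

Added example (not from the original post). Each (subject, endpoint) pair gets
its own bucket; policy values are constructed and time is injected by the
caller so the behaviour is deterministic.
"""
from dataclasses import dataclass

# Constructed policy: endpoint -> (burst capacity, window in seconds).
# The bucket refills at capacity/window tokens per second.
ENDPOINT_LIMITS = {
    "POST /login": (5, 60),          # 5 attempts per minute: brute-force budget is small
    "GET /api/items": (100, 60),     # ordinary read endpoint
}
DEFAULT_LIMIT = (30, 60)             # anything not listed


@dataclass
class Bucket:
    tokens: float
    updated_at: float


class RateLimiter:
    def __init__(self) -> None:
        # (subject, endpoint) -> Bucket. Production: a shared store with TTLs.
        self.buckets: dict = {}

    def allow(self, subject: str, endpoint: str, now: float) -> bool:
        """Consume one token for this subject+endpoint if available; False means 429."""
        capacity, window = ENDPOINT_LIMITS.get(endpoint, DEFAULT_LIMIT)
        key = (subject, endpoint)
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = Bucket(tokens=float(capacity), updated_at=now)
            self.buckets[key] = bucket
        # Refill proportionally to elapsed time, never above the burst capacity.
        elapsed = max(0.0, now - bucket.updated_at)
        bucket.tokens = min(float(capacity), bucket.tokens + elapsed * capacity / window)
        bucket.updated_at = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


def demo() -> dict:
    """Exercise isolation between users and endpoints, and refill over time."""
    rl = RateLimiter()
    # For an unauthenticated endpoint like login the subject is whatever the
    # deployment keys on (client address, account name); here it's a constructed id.
    return {
        "alice_login_burst": [rl.allow("alice", "POST /login", 0) for _ in range(6)],
        "bob_login_same_time": rl.allow("bob", "POST /login", 0),        # separate bucket
        "alice_items_same_time": rl.allow("alice", "GET /api/items", 0),  # separate endpoint
        "alice_login_after_12s": rl.allow("alice", "POST /login", 12),    # one token refilled
        "alice_login_after_13s": rl.allow("alice", "POST /login", 13),    # not yet another
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Keying the bucket on the endpoint as well as the subject is what lets the login budget stay tiny without throttling the same user's ordinary API traffic; the injected `now` parameter also makes the limiter straightforward to unit-test against replayed request timelines.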