Back to the Demo Gallery · exhibit n°015 · Shaina Bushnell
Writing sample · technical writing · and yes, this checklist is real, I use it
Field Notes · Shaina Bushnell

Taking a Next.js + Supabase App to Production: The Complete Checklist

Your app works on localhost. Nice. Now comes the part between "works on my machine" and "works for paying customers," written so nothing surprises you at 11pm on launch night.

By Shaina Bushnell · from real deploys, not theory · 6 min read
01 Accounts02 Env vars03 Database 04 Auth redirects05 Webhooks06 Deploy07 Smoke test08 Handoff

01The accounts audit

Before touching code, confirm who owns what. Production incidents love apps deployed from a developer's personal account.

02Environment variables

Every key lives in an encrypted store, never in the repo, or even in a chat message. The typical Next.js + Supabase set looks like this:

# Browser-safe (still mark Sensitive in Vercel)
NEXT_PUBLIC_SUPABASE_URL=https://<ref>.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=sb_publishable_...

# Server-only. Leaks here are incidents, not oopsies.
SUPABASE_SERVICE_ROLE_KEY=...
STRIPE_SECRET_KEY=sk_live_...
STRIPE_WEBHOOK_SECRET=whsec_...
RESEND_API_KEY=re_...
Where this bitesAnything prefixed NEXT_PUBLIC_ ships to the browser. That's by design for the URL and anon key, but if a "secret" ever gets that prefix to fix a build error, you have published it. Check twice.

Set every variable for all three Vercel environments (Production, Preview, Development), and mark all of them Sensitive. Yes, even the public ones. It costs nothing and builds the right habit.

03Database: migrations in order, then RLS

Migrations are numbered for a reason. Run them in sequence against the production project, and resist the urge to "just paste the schema" from your dev database.

# Link the production project, then push in order
supabase link --project-ref <prod-ref>
supabase db push

Then verify Row Level Security before a single real user signs up:

04Auth redirect URLs

The classic launch bug: login works locally and fails silently in production, because Supabase only redirects to URLs it has been told about.

05Webhooks

Webhooks are configured per environment, and pointing production Stripe at a preview URL is a rite of passage nobody enjoys. Using Stripe as the example:

# The endpoint lives at your real domain
https://app.example.com/api/webhooks/stripe

# Test it fires end to end before launch
stripe trigger payment_intent.succeeded
Sanity saverLog the event type and ID for every webhook received, even ones you ignore. The first time statuses "stop syncing," that log answers whether Stripe stopped sending or you stopped listening.

06The deploy itself

# From the project root, once everything above is green
vercel --prod

Then connect the custom domain in Vercel, let it issue the certificate, and update the Site URL from step 04 if the final domain changed. Redeploy after any env var edit, variables are baked in at build time, not read live.

07The ten-minute smoke test

On the production URL, on a real phone and a laptop, as a brand-new user. Tap each item as you go, they check off.

08Handoff and key rotation

If someone else built this for you, the last step is making it fully yours: transfer the Vercel and Supabase projects to your accounts, then rotate every key the builder ever touched, service role, Stripe secrets, email API keys, and update the env vars with the new values. A good developer will walk you through this without being asked. It's how you know you hired one.

This checklist is the written version of a service I actually offer, taking finished apps live, tested, and handed over clean. If yours is sitting at ninety percent, I'm easy to find.