
Do I need a boilerplate, or can I just vibe-code my SaaS in 2026?
AI can write your auth flow, your Stripe integration, and your blog. But should it? The honest case for using a boilerplate even in an era when Claude Code can scaffold anything.
Every indie hacker Discord I am in has this question pinned somewhere right now:
Do I still need a boilerplate? Claude Code wrote my whole SaaS over the weekend.
I get asked this twice a week. I also ran the experiment on myself. Here is the honest answer.
You can vibe-code a SaaS in a weekend.
You should not ship that version to people who pay you money.
The rest of this post is the long form of those two sentences.
What “vibe coding” means
Skip this section if you already know.
The term was coined by Andrej Karpathy in early 2025. Vibe coding is when you tell an AI to build a feature and it just does it. You type “add Stripe checkout.” The agent edits ten files, runs the build, fixes its own errors, hands you a working button. You did not read every line. You did not stress over architecture. You went with the flow.
Tools in 2026: Claude Code, Cursor, Copilot Agents, Codex, Replit Agent, v0. All of them are good.
The distance from “I have an idea” to “I have code that runs” used to take weeks. Now it is an afternoon.
The distance from “code that runs” to “business that does not get hacked, billed wrong, or banned by Google” did not move an inch. That gap is the whole post.
What vibe coding does well
Be fair to the tools. They crush this stuff:
- CRUD pages. Lists, forms, edit views. Five minutes each.
- API endpoints. Validation in, JSON out. Boring on purpose.
- Landing pages. Pick a UI kit, describe sections, ship.
- Tests. Table tests in Go, Vitest in TS. AI loves writing tests.
- Refactors. Renames, moves, extractions. Genuinely better than I am.
If your product is a CRUD app for ten customers in a niche, you can ship the whole thing in a weekend. People do.
What vibe coding ships broken
Short list. Every item costs you real money the first time it bites.
1. Auth that almost works
You ask for a login form. You get one. It will probably:
- Hash passwords with bcrypt. Good.
- Set a session cookie. Good.
- Forget HttpOnly, Secure, SameSite=Lax. Bad.
- Skip rate limiting on /login. Bad.
- Leak which emails exist via the password reset flow. Very bad.
- Keep old sessions valid after a password change. Bad.
- Compare password hashes in non-constant time. Probably bad.
Every line is a one-line fix when you know to look. None of them is what the AI writes first. You will not know to look until the day someone tells you.
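Three of the fixes from that list in one place (cookie attributes, a reset flow that does not reveal which emails exist, and sessions that die on a password change), as an added Go example that is not from the original post or from goilerplate. The in-memory maps, the per-user generation counter and every function name are assumptions standing in for your own tables and handlers.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

type session struct{ email string; gen int }

// Constructed in-memory stand-ins for the users, sessions and mail-queue tables.
var (
	generation = map[string]int{"ada@example.com": 1} // per-user session generation
	sessions   = map[string]session{}
	outbox     []string
)

// newSession records the session and returns its cookie; send it with http.SetCookie.
func newSession(token, email string) *http.Cookie {
	sessions[token] = session{email, generation[email]}
	return &http.Cookie{Name: "session", Value: token, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode}
}

func changePassword(email string) { generation[email]++ } // older sessions now fail below

// sessionValid rejects sessions issued before the user's last password change.
func sessionValid(token string) bool {
	s, ok := sessions[token]
	return ok && s.gen == generation[s.email]
}

// resetHandler returns the same status and body whether or not the account exists.
func resetHandler(w http.ResponseWriter, r *http.Request) {
	if email := r.FormValue("email"); generation[email] > 0 {
		outbox = append(outbox, email) // mailed later, off the request path
	}
	w.WriteHeader(http.StatusAccepted)
	fmt.Fprint(w, "If that address has an account, a reset link is on its way.")
}

// reset drives resetHandler once and returns what the client observes.
func reset(email string) (int, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest("POST", "/reset", nil)
	req.Form = url.Values{"email": {email}} // stands in for a parsed form body
	resetHandler(rec, req)
	return rec.Code, rec.Body.String()
}

func main() { fmt.Println(reset("nobody@example.com")) }
```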
2. Stripe webhooks that look fine
This is the one I see most often. Here is what the AI hands you:
func handleStripeWebhook(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(r.Body)
	var event stripe.Event
	json.Unmarshal(body, &event)
	if event.Type == "checkout.session.completed" {
		var session stripe.CheckoutSession
		json.Unmarshal(event.Data.Raw, &session)
		grantUser(session.CustomerEmail)
	}
	w.WriteHeader(http.StatusOK)
}
Looks fine. Tests pass. Stripe sends the event. User gets access. Ship, right?
Four bugs:
- No signature check. Anyone who finds your webhook URL can POST fake events and grant themselves any plan you sell. Real attack, common.
- No idempotency on event.ID. Stripe guarantees at-least-once delivery. The same event lands twice eventually. You grant twice. Or charge twice. Or refund twice.
- Every error is swallowed. The _ on Unmarshal is silent failure. The day Stripe changes a field name, CustomerEmail becomes empty, grantUser("") runs, and you find out three weeks later from a support ticket.
- Email as the user key. Users change emails. Stripe allows the same email on different customers. Use session.Customer or session.ClientReferenceID. The email field is for the receipt, not for your DB.
I have audited a few vibe-coded SaaS this year. Every one had at least one of these bugs. Some were taking real card payments while broken.
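The four fixes in one handler core, as an added example that is not from the original post or from goilerplate: it checks the Stripe-Signature header (t=<unix>,v1=<hex HMAC-SHA256 of "t.body">) with the standard library so it runs without dependencies; with stripe-go, webhook.ConstructEvent performs that check for you. Sign, Handle, the in-memory seen map and the sample secret are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

var seen = map[string]bool{} // constructed stand-in for a UNIQUE(event_id) table

// Sign computes Stripe's v1 scheme: hex(HMAC-SHA256(secret, "<t>.<body>")).
func Sign(body []byte, ts, secret string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(ts + "." + string(body)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Handle returns the customer ID to grant; "" with a nil error means ack, do nothing.
func Handle(body []byte, header, secret string, now int64) (string, error) {
	parts := strings.Split(header, ",") // "t=<unix>,v1=<hex>[,v1=<hex>]", t first
	ts, valid := strings.TrimPrefix(parts[0], "t="), false
	for _, p := range parts[1:] {
		if strings.HasPrefix(p, "v1=") && hmac.Equal([]byte(p[3:]), []byte(Sign(body, ts, secret))) {
			valid = true
		}
	}
	sec, err := strconv.ParseInt(ts, 10, 64)
	if age := now - sec; !valid || err != nil || age > 300 || age < -300 {
		return "", fmt.Errorf("bad signature or timestamp outside 5 minutes") // answer 400
	}
	var ev struct{ ID, Type string; Data struct{ Object struct{ Customer string } } }
	if err := json.Unmarshal(body, &ev); err != nil {
		return "", fmt.Errorf("decode event: %w", err) // surfaced, not swallowed
	}
	if ev.Type != "checkout.session.completed" || seen[ev.ID] {
		return "", nil // unrelated event or duplicate delivery
	}
	if ev.Data.Object.Customer == "" {
		return "", fmt.Errorf("event %s has no customer", ev.ID)
	}
	seen[ev.ID] = true // in a real DB: insert the ID in the same transaction as the grant
	return ev.Data.Object.Customer, nil
}

func main() { fmt.Println(Handle([]byte(`{}`), "t=0,v1=00", "whsec_constructed", 0)) }
```

The HTTP wrapper reads the raw body, passes it here unmodified together with the Stripe-Signature header and the current Unix time, and calls grantUser only on a non-empty result.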
3. SEO that almost ranks
The AI gives you <title> and <meta description>. It rarely gives you:
- A sitemap that covers every URL.
- Canonical URLs on filtered or paginated pages.
- JSON-LD on blog posts and product pages.
- Server-rendered HTML for content (not JS-rendered).
- A robots.txt that lets Google in and locks staging out.
None of this is glamorous. All of it is the difference between “Google ranks me on day 30” and “Google has no idea I exist on day 300.”
4. Headers, CSRF, CSP
The AI ships almost none of:
- A real Content Security Policy with nonces.
- X-Frame-Options, Referrer-Policy, X-Content-Type-Options, Permissions-Policy.
- CSRF tokens on every state-changing form.
Your app runs fine without these. Your app gets owned fine without these too. The day you find out is the day a bored attacker finds you first.
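A middleware that sets the listed headers and a CSP with a fresh nonce per request, as an added Go example that is not from the original post or from goilerplate; it covers the headers and the nonce, not CSRF tokens. The page type, the secure, home and fetch names and the exact policy values are assumptions to adapt to your app.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// page is a handler that also receives the nonce it must put on its inline scripts.
type page func(w http.ResponseWriter, r *http.Request, nonce string)

// secure sets the fixed headers plus a CSP whose nonce is fresh for every request.
func secure(next page) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		raw := make([]byte, 16)
		if _, err := rand.Read(raw); err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return // fail closed rather than serve a guessable nonce
		}
		nonce := base64.StdEncoding.EncodeToString(raw)
		h := w.Header()
		h.Set("Content-Security-Policy", "default-src 'self'; script-src 'nonce-"+nonce+
			"'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'")
		h.Set("X-Frame-Options", "DENY")
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("Referrer-Policy", "strict-origin-when-cross-origin")
		h.Set("Permissions-Policy", "camera=(), microphone=(), geolocation=()")
		next(w, r, nonce)
	}
}

// home is a constructed page; only the script carrying the nonce may run.
func home(w http.ResponseWriter, r *http.Request, nonce string) {
	fmt.Fprintf(w, `<script nonce="%s">console.log("ok")</script>`, nonce)
}

// fetch serves one request through secure(home) and returns headers and body.
func fetch() (http.Header, string) {
	rec := httptest.NewRecorder()
	secure(home)(rec, httptest.NewRequest("GET", "/", nil))
	return rec.Header(), rec.Body.String()
}

func main() { fmt.Println(fetch()) }
```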
5. Database that drifts
Vibe coding loves adding columns. It does not love writing the migration. It uses SERIAL where you need BIGSERIAL. It skips indexes. It packs three things into a JSON column that should have been its own table.
Forgivable when you are the only person on the project. By month three you cannot ship features because every change is a 200-line migration with a foot-gun.
6. The “you do not know what you do not know” problem
This is the big one.
Vibe coding optimizes for “make the screen do the thing.” Production SaaS is “make the screen do the thing safely, idempotently, billably, observably, legally, and at scale.”
The AI does not bring up topics you did not ask about. You do not ask about topics you did not know existed. The bug you ship is the bug you did not know to type the word for.
A boilerplate is the answer to that problem. Every one of those topics is already wired in. You did not have to know to ask.
“But my AI already costs $200 a month”
Here is the math that gets people.
You pay $200 a month for Claude Code or Cursor Pro. Good. That is a real edge, keep it.
A solid boilerplate is $99 to $399 (launch pricing, regular $199 to $799). Once.
You pay the AI $200 every month to repeatedly rediscover that Stripe webhooks need signature checks. You pay it $200 to relearn that cookies need HttpOnly. You pay it $200 to figure out the JSON-LD schema for a blog post. Every new chat. Every new session.
The AI starts every session knowing nothing about your project. A boilerplate is the project’s memory. The patterns and the conventions are already on disk where the AI reads them before its first reply. Your AI walks in already trained on the codebase.
You are not picking AI versus boilerplate. You are picking AI without a foundation versus AI with one. The version with a foundation ships in a week what the other version ships in a month.
Ninety-nine bucks launch price (regular $199), once, to make the $200 a month you already pay actually pay off. That math is not hard.
How I actually work
The combo that pays my rent:
- Install a boilerplate. Auth, billing, email, deploy, all done before I write a line of product code.
- Make sure the conventions are documented so the AI can follow them.
- Vibe-code the product on top. The unique part. The thing only my app does.
- AI reads the conventions, writes code that already fits the patterns, I review and ship.
The boilerplate handles the part that is the same across every SaaS I will ever build. The AI handles the part that is different. I spend my hours on the thing that actually decides whether the product makes money, which is the product itself.
When you can skip a boilerplate
Be honest about this list:
- Internal tool that will never be public. No auth, no billing, no SEO.
- Portfolio demo. Ship and forget.
- Learning project where writing it yourself is the point.
- You have shipped ten SaaS already and your own boilerplate is in your head.
If you are not in one of those four, the answer is “use a boilerplate.” It is not even close.
The pushback I get
“I am locked into someone else’s choices.”
You bought the code. You can fork it. Change it. Delete half of it. The lock-in is aesthetic. The opinions are the value. That is the whole point.
“I have shipped SaaS before, I know what I am doing.”
Then you already have a boilerplate, in your head if not on disk. Use it. Codify it. The choice is “ship with a boilerplate” vs “ship slower without one.” Not “use this stranger’s repo” vs “be free.”
“The good boilerplate is not in my language.”
If your language has no good SaaS boilerplate in 2026, that is information about your ecosystem, not about boilerplates. Pick a stack that has one. Or write yours and sell it.
The actual answer
Can you vibe-code a SaaS in 2026?
Yes. Working v0.1 in a weekend. I have done it. Friends have done it. It is real.
Should you ship that to people who pay you money, without a foundation underneath?
No. You will spend the next six months patching what the AI did not know to handle. Meanwhile someone on a boilerplate is already shipping feature 5.
Use a boilerplate. Vibe-code the unique parts on top. Ship faster than the “write everything by hand” purists and the “let the AI do it all” optimists at the same time.
That is the combo that has made me money. Everything else has been an expensive learning experience.
Where to start
goilerplate is the Go + templ boilerplate I built to be the foundation under your AI. Auth, Polar and Stripe billing, email, blog, docs, deploy story, all wired before you type a line. Small enough that Claude Code, Cursor, and Copilot can keep it in working memory and reuse the patterns instead of reinventing them in session two.
Pair it with the AI tool you already pay for. The moat your AI cannot replicate is a working business with real customers paying real money. That is the only flex that counts.
If you are still comparing boilerplates, the head-to-head against supastarter and ShipFast is here.