Free · No email wall · 27 items

The AI App Launch Checklist.

A self-audit you can run on your own AI-built MVP before you put real customers on it. Walk through it in 30–45 minutes. The honest count of what you can tick is your real production readiness.

Last updated 2026·05 · v3.2 · 14,200+ founders have used it

SECTION 1 / 6

Authentication & sessions

Five questions about who can log in as whom.

  • Sessions expire. Access tokens have a short lifetime and refresh tokens can be revoked. Logout invalidates the session server-side, so a copied cookie or token stops working. Deleting the token in the browser alone is not logout.
    High
  • JWTs verified server-side. If you use JWTs, every request verifies the signature on the server with the correct secret or public key, pins the expected algorithm (a token with alg "none" or a swapped algorithm is rejected), and checks exp, iss and aud. Decoding the payload on the client proves nothing.
    High
  • Password reset doesn't leak existence. "This email isn't registered" lets anyone enumerate your users. Reset, signup and login respond the same way, in roughly the same time, whether or not the account exists.
    Medium
  • Rate limit on login. Brute force is rate-limited per IP and per account. Bonus: CAPTCHA or increasing delays after N failures. Be careful with hard lockouts: an attacker who can lock any account at will has a denial-of-service tool.
    Medium
  • OAuth callbacks validated. The state parameter is generated per login attempt and checked on return. Redirect URIs are exact-matched against an allowlist, never prefix-matched. Public clients use PKCE. Access and refresh tokens are never written to logs.
    Medium

SECTION 2 / 6

Authorization & data

Where most AI-built apps fail in production.

  • Permissions enforced server-side. Every "if user.role === admin" check lives in the API route, middleware or database policy, not only in the React component. Hiding a button is not authorization; the request behind it must be refused too.
    High
  • Row-level security on every table. If you use Supabase / Postgres, RLS is enabled on every table the client can reach, with policies you have read and tested as both the anon and the authenticated role. The service-role key bypasses RLS entirely, so it belongs on the server only.
    High
  • You've tried to read another user's data. With two real accounts, you opened devtools, swapped an ID in the request, and got a 403 or 404. Not a 200. Repeat for every object type: records, file URLs, exports, and admin endpoints.
    High
  • PII isn't logged. Logs and error-tracker events don't include emails, names, auth tokens, or request bodies that carry them. Sensitive fields are masked or omitted at the logging layer, not by hoping nobody logs them.
    Medium
  • Soft-delete & account deletion. Users can delete their account. Their data actually leaves on a defined timeline, including copies held by third-party processors such as payments and analytics vendors, and that timeline is the one your privacy policy states.
    Medium
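The "swap an ID" check and the server-side scoping that makes it pass, as an added example that is not taken from the checklist. The in-memory invoices table, the user IDs and the handler shapes are constructed for illustration. The vulnerable handler is the one most AI-generated CRUD code ships: it looks up whatever ID the URL carries. The hardened one takes identity from the verified session, scopes the lookup to it, and answers 404 for records it cannot see, so a valid-but-foreign ID is indistinguishable from a missing one.

```javascript
// In-memory stand-in for an "invoices" table (constructed sample data).
const invoices = new Map([
  ['inv_1', { id: 'inv_1', ownerId: 'user_a', total: 4200 }],
  ['inv_2', { id: 'inv_2', ownerId: 'user_b', total: 9900 }],
]);

// The bug: the ID comes from the URL, the lookup trusts it, and the React
// component's "you only see your own invoices" is the only guard.
function getInvoiceVulnerable(req) {
  const inv = invoices.get(req.params.id);
  return inv ? { status: 200, body: inv } : { status: 404 };
}

// Hardened: identity comes from the verified session, never from the request,
// and the lookup is scoped to that identity. In SQL this is
//   WHERE id = $1 AND owner_id = $2
// and with Supabase RLS a policy such as USING (auth.uid() = owner_id) makes the
// database enforce it even when a handler forgets.
function getInvoice(req, session) {
  if (!session || !session.userId) return { status: 401 };
  const inv = invoices.get(req.params.id);
  if (!inv || inv.ownerId !== session.userId) return { status: 404 };
  return { status: 200, body: inv };
}

// The checklist's devtools test, automated: as one user, request every known
// ID and report any that come back 200 but belong to someone else.
// Returns the leaked IDs; an empty array means the handler passed.
function idSwapProbe(handler, session, idsToTry) {
  const leaked = [];
  for (const id of idsToTry) {
    const res = handler({ params: { id } }, session);
    if (res.status === 200 && res.body.ownerId !== session.userId) leaked.push(id);
  }
  return leaked;
}
```

Against a real app the probe is the same loop with fetch and a second account's cookie, run over IDs harvested from your own account and a few guessed ones. Any 200 with someone else's data is a High finding regardless of how "unguessable" the IDs look.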

SECTION 3 / 6

Secrets & keys

Three lines of grep can ruin a launch.

  • No keys in the repo. git log --all -p -S "sk_" returns nothing, and the same goes for every other vendor prefix you use; a scanner such as gitleaks or trufflehog catches what grep misses. No .env committed, ever, and .env is in .gitignore. A key that was ever committed is compromised even after you delete it: rotate it instead of rewriting history and hoping.
    High
  • No service-role keys in the browser. Open the production bundle, not the source. Search for "service_role" and any vendor secret-key prefix. Nothing found. Only publishable and anon keys belong client-side, and those are public by design.
    High
  • Webhooks verify signatures. Stripe and every other webhook handler verify the signature over the raw request body with the signing secret, reject stale timestamps, and drop unverified requests before touching the database. A payload is never trusted because it looks like it came from the vendor.
    High
  • Keys can be rotated. You know how to rotate every key in production within an hour, and you've done it once, before you needed to. Where the vendor supports overlapping keys, rotation is zero-downtime.
    Medium

SECTION 4 / 6

Deployment & environments

If you can't ship a fix in ten minutes, you can't ship.

  • Deploys come from CI. Pushing to main deploys through a pipeline, not a script on your laptop, so every deploy is reproducible and there's a record of who shipped what.
    Medium
  • Staging mirrors production. Same stack, same config shape, separate data and separate credentials. You don't test in production by accident.
    Medium
  • Rollback is one click. You've rolled back at least once. It worked. You know how to do it under stress.
    Medium
  • Environment variables in a dashboard. Not in a Notion doc. Not in a Slack DM. The hosting platform's env page or a secrets manager is the source of truth, and only the people who need production access can read it.
    Strategic

SECTION 5 / 6

Backups, monitoring, on-call

Things that only matter on the worst day. Which is when they really matter.

  • Database backups exist. Automated, off-site, point-in-time, and stored under credentials separate from the database they protect, so one leaked key can't take both. Not a weekly export to your Google Drive.
    High
  • You've restored from backup. At least once. To a real environment. With a stopwatch, so you know your actual recovery time.
    High
  • Errors land somewhere you'll see them. Sentry / Rollbar / equivalent, with a real notification channel. Not console.log.
    Medium
  • Uptime check on the public URL. An external monitor hits the site every minute or so and pages you, so you'll know it's down before your customers tell you.
    Medium
  • One-page incident runbook. "If X breaks, do Y." Phone numbers. Vendor contacts. Where the secrets live. Kept somewhere you can still reach when your app, and maybe your SSO, is down.
    Strategic

SECTION 6 / 6

Code & cost

The slow-burn ones that hurt next month, not this one.

  • Type checks & basic tests in CI. tsc --noEmit passes. A handful of tests run on every PR and a failing run blocks merge. Not zero.
    Medium
  • Spending caps on AI / LLM APIs. Daily or monthly budget alerts plus hard caps, enforced in your own code as well as at the provider. Not just soft warnings. A retry loop or an abusive user should hit your cap, not your card. Never wake up to a $40k bill.
    High
  • Rate limit on expensive endpoints. Anything that calls an LLM, generates an image, or charges a card has a per-user rate limit enforced server-side and keyed on the authenticated user, not on an ID the client supplies.
    Medium
  • You can read the codebase. If a contractor opened it on Monday, they could ship a real change by Friday. No folklore required.
    Strategic
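The spending cap and per-user rate limit from the two items above, as an added example that is not from the checklist: an in-memory guard that reserves the estimated cost before a model call and settles the real cost after, refusing once the daily budget or the per-user rate is reached. The budget, window and cost figures are made up. In a deployment with more than one instance the counters would live in shared storage such as Redis; that is an assumption this example does not implement, but the decision logic is the same.

```javascript
// Per-user sliding-window rate limit plus a hard daily spend cap.
// Constructed example; state is in-process and resets on restart.
class SpendGuard {
  constructor({ perUserPerMinute = 10, dailyBudgetUsd = 50, now = () => Date.now() } = {}) {
    this.perUserPerMinute = perUserPerMinute;
    this.dailyBudgetUsd = dailyBudgetUsd;
    this.now = now;                       // injectable clock so the cap can be tested
    this.calls = new Map();               // userId -> timestamps (ms) of recent calls
    this.spend = { day: null, usd: 0, reserved: 0 };
  }

  _dayKey(ms) { return new Date(ms).toISOString().slice(0, 10); }

  // Reset the daily counters when the UTC day changes.
  _rollover() {
    const key = this._dayKey(this.now());
    if (this.spend.day !== key) this.spend = { day: key, usd: 0, reserved: 0 };
  }

  // Decide BEFORE calling the model. Reserves the estimated cost so that N
  // parallel requests can't each see "room left" and blow past the cap together.
  allow(userId, estimatedCostUsd) {
    const t = this.now();
    this._rollover();
    const recent = (this.calls.get(userId) || []).filter((ts) => t - ts < 60_000);
    if (recent.length >= this.perUserPerMinute) return { allowed: false, reason: 'per-user rate limit' };
    if (this.spend.usd + this.spend.reserved + estimatedCostUsd > this.dailyBudgetUsd) {
      return { allowed: false, reason: 'daily budget cap' };
    }
    recent.push(t);
    this.calls.set(userId, recent);
    this.spend.reserved += estimatedCostUsd;
    return { allowed: true };
  }

  // Settle AFTER the response with the real cost from the usage field
  // (or 0 if the call failed); estimates are always somewhat wrong.
  settle(estimatedCostUsd, actualCostUsd) {
    this._rollover();
    this.spend.reserved = Math.max(0, this.spend.reserved - estimatedCostUsd);
    this.spend.usd += actualCostUsd;
  }

  spentTodayUsd() { this._rollover(); return this.spend.usd; }
}
```

Put the allow call in the route handler before the provider request and the settle call in a finally block so a thrown error still releases the reservation. The provider's own budget limit stays on as the backstop; this layer is what lets you refuse the 1,001st request with a 429 instead of finding out from the invoice.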

Get the printable version

Want the PDF and a 12-minute video walkthrough?

One email. No drip campaign. We'll send you the PDF, a printable 1-pager, and a recorded walkthrough of how to grade yourself fairly.

  • 27-item printable PDF
  • Severity scoring
  • 12-min video walkthrough
  • Updated quarterly

We won't add you to a sequence. Unsubscribe is one click.

How to read your score

Score interpretation

28–32 — Solid

Real production posture. Still book an audit if money or PII is involved.

20–27 — Closer than you think

A 1–2 week hardening sprint will get you to launch-ready.

10–19 — Don't ship yet

A real audit, then a sprint. We'd say the same in your shoes.

Under 10 — Stop and talk to us

We'll do a free 30-minute call before you spend money on consulting.