Next.js + Supabase + Vercel: The 2026 Solo SaaS MVP Stack

A single developer, working part-time, can ship a production-ready SaaS MVP with paying customers in two to four weeks using this stack. No DevOps team. No AWS certification. No dedicated database administrator. Next.js, Supabase, and Vercel together close the gap between validated idea and live product faster than any alternative stack available in 2026 — and they do it at ₹0 in infrastructure costs until you have enough customers to comfortably pay for more.

Why This Stack for a Solo Indian SaaS Founder

Each tool in this combination solves a specific overhead problem that kills solo SaaS projects before they reach customers.

Next.js App Router gives you a full-stack application in a single repository. Your UI, your API routes, your server-side rendering, and your edge middleware all live in one codebase that one developer can reason about without context-switching between separate frontend and backend projects. For a solo founder, this means fewer moving parts, fewer deployment pipelines, and fewer "it works on my machine" bugs.

Supabase replaces four separate services with one: PostgreSQL for your relational database, a built-in authentication system with magic link and OAuth support, file storage for user-uploaded documents and images, and realtime subscriptions for live dashboard updates. Before Supabase, a solo founder building the same product would need to wire together a separate auth provider, a separate database host, a separate storage service, and a separate realtime layer — each with its own API keys, billing, and failure modes. Supabase's free tier supports 500MB of database storage, 1GB of file storage, and 50,000 monthly active users. For an MVP serving early customers, this is more than adequate.

Vercel handles deployment with zero configuration. Connect your GitHub repository and every push to main goes live automatically. Every pull request gets a preview URL — a live, shareable version of your feature branch that you can send to a potential customer for feedback before it merges. The Hobby plan is free and handles 100GB of bandwidth per month, which comfortably covers an early-stage MVP with hundreds of active users.

Compare this to a self-managed AWS setup for the same product: EC2 instance configuration, RDS PostgreSQL setup, S3 for storage, Cognito for auth, API Gateway for routing, and CloudFront for CDN — two weeks of infrastructure work minimum, and a monthly bill of ₹5,000 to ₹10,000 from day one before you have a single paying customer. The Next.js + Supabase + Vercel combination defers that cost until you have revenue to absorb it.

The Architecture Overview

Here is how the pieces connect in a typical SaaS MVP built on this stack:

Frontend and API layer: Next.js App Router handles both server-side rendered pages and API routes. React Server Components fetch data directly from Supabase without an intermediate API call — faster for the user, simpler for the developer. Client components handle interactive state. API routes handle webhook ingestion and server-side operations that require secrets.

Data and auth layer: Supabase PostgreSQL stores all application data. Supabase Auth manages user sessions with JWT tokens stored in HTTP-only cookies. Supabase Storage handles file uploads with automatic CDN delivery. Supabase Realtime pushes database changes to connected clients without polling.

Deployment layer: Vercel builds and deploys on every GitHub push. Environment variables — Supabase project URL, anon key, service role key, Razorpay keys, Stripe keys — are set in the Vercel dashboard and injected at build and runtime. Vercel Edge Network serves the application globally from the nearest point of presence.

Billing layer: Razorpay Subscriptions for Indian customers (UPI Autopay, cards, net banking). Stripe for international customers and NRI payments. Transactional email via Resend or AWS SES — Resend has a generous free tier and works natively with Next.js server actions.

Setting Up Supabase Auth in Next.js App Router

The correct Supabase Auth setup for App Router uses the @supabase/ssr package, which handles cookie-based session management properly across server components, client components, and middleware. The older @supabase/auth-helpers-nextjs package does not support App Router correctly and should be avoided for new projects.

Install both required packages:

npm install @supabase/supabase-js @supabase/ssr

Create two Supabase client helpers. The server client uses the Next.js cookies() function to read and write session cookies on the server. The browser client is a singleton instance for client components that need to trigger auth events like sign-in and sign-out. Your middleware.ts file runs the server client on every request to refresh the session before it expires, keeping users logged in without requiring re-authentication.

For Indian SaaS users, magic link authentication removes the password friction that causes drop-off during onboarding. A user enters their email, receives a one-click login link, and lands inside your product — no password to remember, no SMS OTP dependency, and it works on every device including feature phones with email apps. Google OAuth is worth adding for the segment of Indian professionals who prefer social login.

Row Level Security — The Feature That Makes Supabase Production-Ready

Row Level Security is Supabase's most important production feature. It enforces data isolation at the database level, which means a bug in your application code cannot accidentally expose one customer's data to another customer — the database itself prevents the query from returning the wrong rows.

Without RLS, your entire application data is protected only by the correctness of your API logic. One missed authentication check in one API route, and a logged-in user could access another user's records. This is not a theoretical risk — it is the most common data leak pattern in early-stage SaaS products.

With RLS enabled, you write policies that run at the database level before any data is returned. A simple policy for a projects table looks like this:

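-- Policies are only enforced once RLS is enabled on the table.
ALTER TABLE projects ENABLE ROW LEVEL SECURITY;
-- A row is visible and writable only to the user whose ID is stored in user_id.
-- With FOR ALL and no WITH CHECK clause, the USING expression also checks new and updated rows.
CREATE POLICY "Users can only access their own projects"
ON projects
FOR ALL
USING (auth.uid() = user_id);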

This policy runs on every SELECT, INSERT, UPDATE, and DELETE against the projects table. If a request carries a JWT for user A, auth.uid() returns user A's ID, and the policy filters to only rows where user_id matches. User B's rows are invisible regardless of how the API route is written. Enabling RLS on every user-data table and writing explicit policies is not optional hygiene for a production SaaS — it is the foundation that lets you ship quickly without fear of catastrophic data exposure bugs.

Multi-Tenancy Pattern for Indian SaaS

Many Indian SaaS products need a workspace or organisation layer. A CA firm wants one account where multiple accountants can manage separate client workspaces. A logistics company wants one subscription where dispatchers in different branches have access to their own view.

The standard database schema for this pattern uses three tables: a users table (managed by Supabase Auth), a workspaces table, and a workspace_members junction table that connects users to workspaces with a role field (owner, admin, member). All application data — projects, documents, records — has a workspace_id foreign key rather than a user_id.

The RLS policy for this pattern checks workspace membership rather than direct user ownership:

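-- Access follows membership: any workspace_members row for the caller grants it, whatever the role.
-- As with any policy, this is enforced only while RLS is enabled on projects.
CREATE POLICY "Members can access workspace data"
ON projects
FOR ALL
USING (
  workspace_id IN (
    SELECT workspace_id FROM workspace_members
    WHERE user_id = auth.uid()
  )
);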

This allows any member of a workspace to read and write workspace data, while completely blocking access from non-members. The CA firm example works naturally: one accountant can belong to five client workspaces and switch between them in the UI, with the RLS policy ensuring they only ever see data for the workspace they are currently operating in.

Billing Integration — Razorpay for India, Stripe for International

Indian SaaS products need two billing systems because the payment methods that Indian customers prefer — UPI Autopay, domestic debit cards, net banking — are not available through Stripe for Indian issuers. Razorpay Subscriptions handles the full Indian payment stack natively. Stripe handles international cards and NRI payments.

In your database, a subscriptions table needs a billing_provider column (values: 'razorpay' or 'stripe') alongside the subscription ID, status, plan, and billing period fields. When a customer subscribes, your API route checks their location or payment preference, creates the subscription in the appropriate gateway, and stores the result.

Both gateways deliver subscription lifecycle events (payment succeeded, payment failed, subscription cancelled) via webhooks. Your Next.js API routes at /api/webhooks/razorpay and /api/webhooks/stripe receive these events, verify the signature, and update the subscription status in Supabase. The Supabase Realtime subscription in your frontend can then reactively update the UI when a payment status changes — no polling required.
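Signature verification for the two webhook routes above, as an added example that is not code from the original article or from either gateway's SDK. It uses only node:crypto; the function names, the sample secret and the sample body are constructed for illustration, and the 300-second replay tolerance is an assumption matching the default in Stripe's libraries.

```javascript
// Added example. In an App Router route handler, read the raw body with
// `await request.text()` and verify it before calling JSON.parse.
const { createHmac, timingSafeEqual } = require("node:crypto");

// Constructed sample values, not real secrets or events.
const SAMPLE_SECRET = "whsec_constructed_example";
const SAMPLE_BODY = '{"event":"subscription.charged","id":"evt_constructed"}';

// Hex HMAC-SHA256 of `data` keyed with the webhook secret.
function hmacHex(secret, data) {
  return createHmac("sha256", secret).update(data, "utf8").digest("hex");
}

// Constant-time string comparison; a length mismatch is a plain reject.
function safeEqual(a, b) {
  const x = Buffer.from(String(a), "utf8");
  const y = Buffer.from(String(b), "utf8");
  return x.length === y.length && timingSafeEqual(x, y);
}

// Razorpay: X-Razorpay-Signature is the hex HMAC of the raw request body.
function verifyRazorpay(rawBody, signatureHeader, webhookSecret) {
  if (!signatureHeader) return false;
  return safeEqual(hmacHex(webhookSecret, rawBody), signatureHeader);
}

// Stripe: Stripe-Signature is "t=<unix>,v1=<hex>[,v1=<hex>]". The MAC covers
// "<t>.<rawBody>", so the timestamp check limits replay of a captured event.
function verifyStripe(rawBody, signatureHeader, webhookSecret, nowSec, toleranceSec = 300) {
  if (!signatureHeader) return false;
  let t = "";
  const v1 = [];
  for (const part of signatureHeader.split(",")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    const key = part.slice(0, i).trim();
    const value = part.slice(i + 1).trim();
    if (key === "t") t = value;
    else if (key === "v1") v1.push(value);
  }
  if (!/^\d+$/.test(t) || v1.length === 0) return false;
  if (Math.abs(nowSec - Number(t)) > toleranceSec) return false;
  const expected = hmacHex(webhookSecret, `${t}.${rawBody}`);
  return v1.some((sig) => safeEqual(expected, sig));
}
```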

Razorpay charges a transaction fee rather than a monthly platform fee, and the first ₹5 lakh of GMV processed through Razorpay Subscriptions carries no additional subscription platform fee, making it cost-effective for early-stage products. Stripe charges 2-3% per transaction for international cards. Neither requires a minimum monthly commitment at MVP scale.

Deployment and CI/CD with Vercel

Connecting your GitHub repository to Vercel takes approximately five minutes. Every push to your main branch triggers an automatic production deployment. Every pull request creates an isolated preview deployment at a unique URL — this is the feature that separates Vercel from simpler hosting options for a solo developer who wants to show work-in-progress to customers or co-founders.

Environment variables — Supabase URL, Supabase anon key, Supabase service role key, Razorpay key ID, Razorpay key secret, Stripe secret key, Stripe webhook secret — are set in the Vercel dashboard under Project Settings. Vercel automatically injects them at build time and runtime. Never commit these values to your repository.

Vercel Analytics, available on all plans, provides Core Web Vitals monitoring per page without requiring you to instrument your code. For a SaaS product, slow page loads during onboarding create drop-off that is invisible in your analytics until you measure it. Vercel's built-in performance monitoring surfaces these issues early.

Upgrade from the Hobby plan to Vercel Pro (approximately ₹1,700 per month) when you need: Vercel Cron Jobs for scheduled tasks, team member access to the dashboard, or the ability to remove Vercel's branding from preview deployment URLs before sharing them with enterprise customers.

What This Stack Cannot Do

Every architectural choice involves trade-offs, and this stack has clear limits worth knowing before you commit.

Supabase free tier limits: 500MB database storage, 1GB file storage, 50,000 monthly active users. When you cross these thresholds, Supabase Pro costs $25 per month (approximately ₹2,100). That is a healthy milestone — it means your product has 50,000 engaged users, which justifies the cost many times over.

Vercel Hobby limits: 100GB bandwidth per month, no Cron Jobs, no team collaboration features. These limits are adequate for an MVP but will constrain you as you grow. The Pro plan removes bandwidth limits and adds cron job support.

Supabase Realtime performs well up to approximately 100 concurrent connections. Beyond that, under sustained load, it begins to show latency and occasional dropped messages. If your product's core value depends on real-time updates for thousands of simultaneously connected users — live collaboration, trading dashboards, live event tracking — plan to migrate to a dedicated realtime service like Pusher or self-hosted Soketi before you hit that scale. For most Indian SaaS MVPs, 100 concurrent connections is not a constraint you will face in the first year.

Background jobs are not natively supported on Vercel Hobby. API routes time out after 10 seconds (60 seconds on Pro). Long-running tasks — generating PDF reports, sending batch emails, processing uploaded files — need to be offloaded to a background job service. Trigger.dev integrates cleanly with Next.js and Supabase and has a free tier adequate for most early-stage needs.

Frequently Asked Questions

Should I use Supabase Auth or a third-party like Clerk or Auth0?

Supabase Auth handles the authentication requirements of most MVPs without additional cost or complexity — magic link, Google OAuth, and session management are all included. Clerk is worth its $25 per month when you need pre-built authentication UI components that work without custom styling, built-in organisation and team management without writing the schema yourself, or advanced MFA options like TOTP and SMS without custom implementation. Auth0 is designed for enterprise-scale applications and brings complexity that is counterproductive at the MVP stage. For an Indian SaaS starting out on the free tier, Supabase Auth paired with shadcn/ui for the UI components gives you full control and keeps your infrastructure cost at zero longer.

How do I handle DPDPA 2023 compliance with Supabase?

Supabase's Mumbai region — ap-south-1 on AWS — is available when you create a new project. Selecting it ensures Indian user data is stored and processed within India, directly addressing the data localisation intent of the Digital Personal Data Protection Act 2023. This is a one-time decision made at project creation; migrating an existing Supabase project between regions requires manual data export and re-import, so choose the correct region before you have production data. Add a privacy policy to your product that clearly documents what data you collect, why, and how long you retain it. For SaaS products handling health records, financial data, or children's data, DPDPA 2023 imposes additional obligations — infrastructure localisation through Supabase covers the data residency requirement, but the legal compliance obligations around consent, data principal rights, and breach notification require a DPDPA compliance specialist to address fully.

When should I migrate away from this stack?

This combination of Next.js, Supabase, and Vercel comfortably supports a SaaS product to ₹1 crore ARR — roughly 300 to 500 paying Indian SME customers on typical ₹2,000 to ₹3,000 per month pricing. Supabase Pro at $25 per month extends that ceiling to approximately ₹5 crore ARR before database performance becomes a consideration. Migration away from this stack becomes worth evaluating when your product requires GPU-backed infrastructure for AI inference (Vercel does not offer GPU instances), when your team grows to the point where monorepo complexity warrants dedicated frontend and backend services, or when a specific compliance requirement mandates self-hosted infrastructure that neither Supabase nor Vercel can satisfy. At ₹5 crore ARR, the constraints you will encounter are almost always organisational and product complexity, not infrastructure throughput — this stack is not your bottleneck.