Passwordless auth
Email code + magic-link login over SES SMTP, plus optional one-tap Sign in with Apple. No passwords, no reset screens, no auth-provider invoice. Session fixation handled, rate-limited by IP and email.
Auth, Stripe billing, credits and admin — already wired on plain PHP and SQLite. No build step, no npm supply chain, and the docs are written so your AI agent does the rest.
Each piece is plain, readable, and copyable. Delete what you don't need; the plumbing stays the same across every project.
Hosted Checkout, monthly/yearly tiers, upgrade previews with proration, scheduled downgrades, signed webhooks, the billing portal, and one-time digital products.
Define tiers in one config file. Grant from webhooks, spend on actions — atomic and never negative.
Bearer-token auth, CSRF for browser actions, rate limits, and a notes CRUD you copy for real features.
Search users and webhooks, inspect Stripe state, revoke keys, block bad actors — no second app.
One file, automatic migrations on boot, and a backup script you point at cron. Sturdy, not magical — and it scales further than people expect.
Every install ships with this. Search users, replay webhooks, inspect billing and revoke keys — server-rendered, access-gated, no second app.
| User | Plan | Status | Joined |
|---|---|---|---|
| ada@hey.com | Pro | active | 2d ago |
| grace@dev.io | Scale | active | 5d ago |
| linus@kern.org | Starter | past due | 3w ago |
| margaret@nasa.gov | Pro | active | 1mo ago |
| spam@throwaway.cc | Free | blocked | 1mo ago |

| Event | ID |
|---|---|
| invoice.paid | evt_1Q8x…a3 |
| customer.subscription.updated | evt_1Q8w…f1 |
| checkout.session.completed | evt_1Q8w…7c |
| invoice.payment_failed | evt_1Q8v…02 |
| charge.refunded | evt_1Q8u…9d |

```
curl -H "Authorization: Bearer ss_live_••••" \
  "https://app.yoursaas.com/api.php?resource=notes"
```

```
{
  "ok": true,
  "data": [ "note_18f2", "note_18f9" ],
  "rate_limit": "58/60",
  "credits_left": 1840
}
```
Subscriptions, credits, one-time payments, API keys, and protected downloads are the primitives behind most modern SaaS. Bring your product idea — the money plumbing is already here.
Charge credits per render and gate premium models behind higher plans.
Meter messages or tokens with the credit ledger; tier access by plan.
Sell bearer keys with rate limits and a per-call credit cost — usage billing built in.
Sell templates, themes, UI kits, presets, ebooks or datasets — one-time payment, protected files.
Recurring plans that unlock content, tools, or a members-only area.
SEO checkers, generators, analytics, dashboards — any small paid utility.
Charge for listings or featured placement — the build-in-public playbook.
Sell access to lessons, a content library, or premium articles.
composer install then php scripts/install.php. SQLite and your .env are created for you.
Drop in your keys and price IDs. doctor.php tells you exactly what's missing before launch.
Change the copy, plans and theme. Light/dark and the whole design system come from CSS variables.
NGINX + PHP-FPM on a sub-$10 Hetzner VPS, point a domain, run the backup cron. Take real payments.
A typical JavaScript app trusts thousands of packages it never reads — and one malicious postinstall script owns your build. Simple Stack pulls a single Composer dependency and runs no install scripts. Less to audit, less to patch, far less to exploit.
Just PHPMailer, via Composer. A fresh React app pulls in 1,000+ transitive packages before you write a line.
Open-source malware jumped 156% in a year — and 98.5% of it landed in npm. Sonatype, 2024.
No node_modules, no bundler, no install scripts. Pages render on the server and work before JS loads.
That's the whole dependency list. You can read all of it.
Most SaaS dies of complexity, not competition.
Tens of thousands of queries a second from one file — reads never block writes in WAL mode.
SQLite quietly powers sites doing six figures of traffic a day. This is the production database.
Amazon SES is $0.10 per 1,000 emails — passwordless auth that rounds to nothing.
One Hetzner box runs NGINX, PHP-FPM, SQLite and cron backups. Plans start near €4. No platform tax.
Define plans in app/subscriptions.php, attach Stripe price IDs, and the checkout flow stays generic across every project.
Default access for new users and trial accounts.
For a small paid SaaS tier.
For heavier usage and premium features.
For power users and high-credit products.
Yes — parameterised SQL throughout, signed Stripe webhooks, CSRF, rate limiting, session hardening and a security checklist. It's a starter, so you still own your legal pages, secrets and deploy, but the plumbing is real.
Because it's a tax you don't need. Server-rendered PHP plus a little jQuery means no bundler, no hydration, no node_modules, and no supply-chain tree to babysit — pages render instantly and work before JavaScript loads. This is the choice, not a limitation.
Better than most hosted databases people pay monthly for. SQLite serves tens of thousands of reads per second from a single file, and in WAL mode reads never block writes. It's the most widely deployed database on earth and comfortably powers sites doing 100k+ hits a day — indexes, WAL, and cron backups are already wired in. This is the production database.
Rename APP_NAME, swap the copy and plans, replace the legal pages, and toggle light/dark or restyle the CSS variables. The repo ships AI-handoff docs so your agent can do most of it for you.
One Hetzner Cloud VPS runs the whole stack for under $10 a month — their smallest shared-vCPU plans start around €4. Login emails on Amazon SES run $0.10 per 1,000, so 10,000 passwordless logins a month is $1. No per-seat platform bills, no managed-everything subscriptions quietly eating your margin.
Passwordless sign-in, Stripe billing, credits and admin — already wired. Clone it, rename it, start charging.