Auth, Stripe billing, credits and admin — already wired on plain PHP and SQLite. No build step, no npm supply chain, and the docs are written so your AI agent does the rest.
Each piece is plain, readable, and copyable. Delete what you don't need; the plumbing stays the same across every project.
Email code + magic-link login over SES SMTP, plus optional one-tap Sign in with Apple. No passwords, no reset screens, no auth-provider invoice. Session fixation handled, rate-limited by IP and email.
Hosted Checkout, monthly/yearly tiers, upgrade previews with proration, scheduled downgrades, signed webhooks, the billing portal, and one-time digital products.
Define tiers in one config file. Grant from webhooks, spend on actions — atomic and never negative.
Bearer-token auth, CSRF for browser actions, rate limits, and a notes CRUD you copy for real features.
Search users and webhooks, inspect Stripe state, revoke keys, block bad actors — no second app.
One file, automatic migrations on boot, and a backup script you point at cron. Sturdy, not magical — and it scales further than people expect.
Simple Stack is deliberately set up to be built end to end by AI agents: no framework, no build step, just a handful of readable files an agent holds in context all at once. You describe the product; your agent writes every line. That's the workflow we designed it for.
AGENTS.md, AI_HANDOFF.md and AI_TASK_PROMPTS.md brief your agent on the architecture, conventions, and the exact prompts to run — so it ships changes that fit the codebase, not generic boilerplate.
Plain PHP + SQLite + jQuery across a few files — no hidden magic, no codegen, no hydration. The whole app fits in context, so the agent reasons about all of it and rarely has to guess.
One .env, one plans file, one products file, and a doctor that says exactly what's missing. The agent fills the keys, runs the checks, and tells you when you're ready to charge.
Point your agent at AGENTS.md
— it walks you through setup, Stripe, email, and deploy.
Subscriptions, credits, one-time payments, API keys, and protected downloads are the primitives behind most modern SaaS. Bring your product idea — the money plumbing is already here.
Charge credits per render and gate premium models behind higher plans.
Meter messages or tokens with the credit ledger; tier access by plan.
Sell bearer keys with rate limits and a per-call credit cost — usage billing built in.
Sell templates, themes, UI kits, presets, ebooks or datasets — one-time payment, protected files.
Recurring plans that unlock content, tools, or a members-only area.
SEO checkers, generators, analytics, dashboards — any small paid utility.
Charge for listings or featured placement — the build-in-public playbook.
Sell access to lessons, a content library, or premium articles.
composer install then php scripts/install.php. SQLite and your .env are created for you.
Drop in your keys and price IDs. doctor.php tells you exactly what's missing before launch.
Change the copy, plans and theme. Light/dark and the whole design system come from CSS variables.
NGINX + PHP-FPM on a sub-$10 Hetzner VPS, point a domain, run the backup cron. Take real payments.
A typical JavaScript app trusts thousands of packages it never reads — and one malicious postinstall script owns your build. Simple Stack pulls a single Composer dependency and runs no install scripts. Less to audit, less to patch, far less to exploit.
Just PHPMailer, via Composer. A fresh React app pulls in 1,000+ transitive packages before you write a line.
Open-source malware jumped 156% in a year — and 98.5% of it landed in npm. Sonatype, 2024.
No node_modules, no bundler, no install scripts. Pages render on the server and work before JS loads.
That's the whole dependency list. You can read all of it.
Most SaaS dies of complexity, not competition.
Tens of thousands of queries a second from one file — reads never block writes in WAL mode.
SQLite quietly powers sites doing six figures of traffic a day. This is the production database.
Amazon SES is $0.10 per 1,000 emails — passwordless auth that rounds to nothing.
One Hetzner box runs NGINX, PHP-FPM, SQLite and cron backups. Plans start near €4. No platform tax.
That's the whole idea. Point your coding agent (Claude Code, Cursor, etc.) at AGENTS.md — it briefs the agent on the architecture, conventions and the exact prompts to run, then it walks you through the .env, Stripe keys, email, and deploy. Because there's no framework or build step and the whole app is a few readable files, the agent can hold all of it in context and rarely guesses. php scripts/doctor.php tells it (and you) exactly what's still missing before launch.
Yes — parameterised SQL throughout, signed Stripe webhooks, CSRF, rate limiting, session hardening and a security checklist. It's a starter, so you still own your legal pages, secrets and deploy, but the plumbing is real.
Because it's a tax you don't need. Server-rendered PHP plus a little jQuery means no bundler, no hydration, no node_modules, and no supply-chain tree to babysit — pages render instantly and work before JavaScript loads. This is the choice, not a limitation.
Better than most hosted databases people pay monthly for. SQLite serves tens of thousands of reads per second from a single file, and in WAL mode reads never block writes. It's the most widely deployed database on earth and comfortably powers sites doing 100k+ hits a day — indexes, WAL, and cron backups are already wired in. This is the production database.
Rename APP_NAME, swap the copy and plans, replace the legal pages, and toggle light/dark or restyle the CSS variables. The repo ships AI-handoff docs so your agent can do most of it for you.
One Hetzner Cloud VPS runs the whole stack for under $10 a month — their smallest shared-vCPU plans start around €4. Login emails on Amazon SES run $0.10 per 1,000, so 10,000 passwordless logins a month is $1. No per-seat platform bills, no managed-everything subscriptions quietly eating your margin.
A single download containing the full codebase, pre-built into five ready-to-run site types — subscriptions, digital downloads, AI credits, an API product, and the full showcase — plus the setup, Stripe, email, deploy and security guides and the AI-handoff docs. Copy the folder you want and ship. You get lifetime access to the version you buy.
Checkout is handled by Stripe — no account needed up front. The moment your payment clears we email a sign-in link and code to your Stripe email address. Click it and the download is waiting in your dashboard. If you ever want, you can link Apple or Google sign-in to the same account.
One person or one company. Build unlimited products from the starter for yourself or your company, modify it freely, deploy commercially, and let your AI tools and contractors work on your copy. You can't resell, redistribute, or republish the starter itself as a template or boilerplate. Anything you build with it is 100% yours. Full terms are in the licence and on the Terms page.
You get the version you buy, and you can re-download it any time from your dashboard. We actively use this stack on our own sites and plan to keep refining it — but future updates aren't guaranteed or part of the price. If we ship a meaningful update, buyers of that product are emailed so you can grab it.
Because this is a digital download that gives you the full source immediately, all sales are final — no refunds once you've accessed the download. By buying you agree to start that access right away and waive the usual 14-day cancellation right. Details are on the Refund Policy page.
It's been extensively security-reviewed and hardened — parameterised SQL, signed webhooks, CSRF, rate limiting, session hardening — and we run it on our own production sites. But no software is ever guaranteed secure, the threat landscape is moving fast, and once it's your deployment you own securing, testing and operating it. It's provided as-is and used at your own risk; we're not liable for security issues, breaches or data loss. See the Terms for the full disclaimer.
One download, five ready-to-run site types, every guide you need. Pay once and build anything — no subscription, no build step, no supply chain.