Next.js 15 AI SaaS — API Key Leak to Five-Figure Invoice

Most AI SaaS tutorials stop at a chatbot demo. They skip the infrastructure that turns a prototype into a product: authentication, billing, multi-tenancy, rate limiting, and usage tracking. Without these, you have a tech demo, not a business.

This guide builds a complete, deployable AI SaaS application from the first commit to production. By the end, you have a running application with: authenticated users scoped to their own data, AI chat with streaming responses, per-user token quotas enforced before every AI call, Stripe metered billing that converts token consumption into revenue, and a Vercel deployment with isolated environments.

The stack is deliberate: Next.js 15 App Router for the application layer, Supabase for auth and data, Stripe for metered billing, Vercel AI SDK for model orchestration, and Upstash Redis for rate limiting. Each choice optimizes for developer velocity without sacrificing production readiness.

One warning before we start: the most expensive mistake in AI SaaS is building AI features before solving rate limiting and billing. The production incident below happened to a real team. It shapes every architectural decision in this guide.

What You Will Build

Before writing any code, understand exactly what this guide produces. The finished application is a deployable AI chat SaaS with the following capabilities:

Authenticated users can sign up, log in via email or OAuth, and access only their own data. The database enforces this at the row level — no application code can accidentally leak one user's conversations to another.

Each user has a monthly token quota. Before every AI call, the application checks the remaining quota. If the user has exceeded their limit, they receive a clear upgrade prompt. If they are within limits, the AI call proceeds and the token consumption is recorded.

A streaming chat interface sends messages to an AI model and displays the response word-by-word as it is generated. The model is called server-side — the API key never reaches the browser.

Stripe metered billing tracks every token consumed and generates invoices automatically at the end of each billing period. Users who exceed the free tier are billed based on actual usage.

The application deploys to Vercel with three isolated environments: local development, preview (one per pull request), and production. Each environment has its own Supabase project and Stripe account.

The build order is non-negotiable: scaffold first, then schema, then auth, then rate limiting, then AI, then billing, then deployment. Each layer depends on the previous one. Skipping layers creates rework.

Prerequisites and Stack Overview

Before starting, verify the following accounts and tools are available.

Accounts required: Supabase (free tier is sufficient to start), Stripe (test mode for development), Vercel (Hobby plan supports this stack), Upstash (free tier supports the rate limiting patterns in this guide), and an OpenAI account with API access.

Local tools required: Node.js 20+ or Bun 1.1+, the Supabase CLI for migrations, the Stripe CLI for local webhook testing, and Git.

The stack choices are deliberate. Next.js 15 App Router provides Server Components, Route Handlers, and Server Actions in a single deployable unit — no separate backend service. Supabase bundles authentication, PostgreSQL with Row Level Security, and file storage behind one SDK. Stripe metered billing maps token consumption to revenue without custom invoice logic. Vercel AI SDK abstracts the AI model provider — swap between OpenAI and Anthropic without changing application code. Upstash provides serverless Redis with a per-request pricing model that suits Vercel's serverless execution model.

Project Scaffold and Environment Validation

The project structure sets conventions for the entire codebase. Every module has a predictable location. Every import path is explicit.

The directory structure separates concerns: lib contains all server-side integrations (Supabase, Stripe, AI), components contains the UI, and app contains routing. Within lib, each integration is an isolated module. This prevents circular imports and makes each module independently testable.

Environment variables are validated at startup using a Zod schema. Missing or malformed variables fail the build — not a customer request at 2am. The validation runs once at module load time on the server. Client-safe variables use the NEXT_PUBLIC_ prefix; server-only variables do not.

Database Schema and Row Level Security

The schema is designed for multi-tenancy from the first migration. Every table has a user_id column. Row Level Security policies enforce that users access only their own rows. No application-level authorization code is needed for basic data access — the database enforces it.

The schema has three domains. User management: profiles extends the Supabase auth.users table with application-specific fields including the Stripe customer ID and subscription status. Content: conversations and messages store the chat history scoped to each user. Usage tracking: usage_records stores the token count and cost of every AI call, which feeds directly into Stripe metered billing.

Indexes are placed on (user_id, created_at DESC) for all tenant-scoped tables. This composite index serves the dominant query pattern: fetch a user's recent items in reverse chronological order.

The service role key bypasses RLS. It is used only in webhook handlers and admin operations — never in user-facing request handlers.

Authentication and Middleware

Supabase Auth handles the entire authentication lifecycle. The application does not implement auth logic — it consumes auth state from Supabase.

The middleware pattern is critical and must be implemented exactly as shown. The middleware runs on every request, calls getUser() to validate and refresh the session token, and redirects unauthenticated users away from protected routes. Without it, session tokens expire and users are logged out silently — or worse, RLS policies see a null user ID and block all data access.

The key distinction: always use getUser() in middleware and server-side code, never getSession(). getSession() returns cached session data that may be stale. getUser() makes a network request to Supabase to validate the token and return fresh user data. This is the single most common Supabase Auth bug in Next.js applications.

Rate Limiting with Upstash Redis

Rate limiting must exist before any AI call can be made. This is not an optimization — it is a business requirement. Without it, a single user or a viral launch can generate an unbounded API bill.

Upstash provides serverless Redis with per-request billing, which fits Vercel's serverless execution model. The @upstash/ratelimit package provides multiple algorithm implementations. For AI SaaS, use sliding window — it provides smooth rate limiting that prevents burst abuse while allowing legitimate usage.

The rate limiter uses the authenticated user ID as the identifier, not the IP address. IP-based rate limiting is trivially bypassed with a VPN. User ID-based limiting requires authentication, which means every limited request is traceable to a specific account.

Two rate limits are enforced: a per-minute limit that prevents burst abuse (10 requests per minute per user) and a per-day limit that enforces the daily token budget (100 requests per day on the free tier). Both checks happen before the AI call is initiated.

AI Orchestration with Vercel AI SDK

AI streaming responses require a Route Handler — not a Server Action. This is a critical architectural distinction. Server Actions return serializable values; they cannot return streaming Response objects with ReadableStream bodies. The Vercel AI SDK's useChat hook expects to call an HTTP endpoint that responds with a streaming body. That pattern requires a Route Handler at app/api/chat/route.ts.

Server Actions are appropriate for non-streaming AI operations: generating titles, summarizing content, classifying text, or any operation where you wait for the complete response before returning. For streaming chat responses — the primary use case in this guide — use a Route Handler.

The Route Handler enforces the complete request lifecycle: authenticate the user, check rate limits, verify token quota, call the AI model, record usage on completion, and return the streaming response. Every step happens server-side. The API key is a server-only environment variable that never appears in client bundles.

Stripe Metered Billing

Stripe metered billing ties AI token consumption to revenue automatically. Each AI response records a meter event in Stripe. At the end of the billing period, Stripe aggregates all events and generates an invoice.

The integration has two paths. Subscription creation: a Checkout Session creates the customer, subscription, and payment method in one step. Usage recording: a meter event is created after each AI response, containing the token count for that response.

Webhooks handle the subscription lifecycle: payment success, payment failure, subscription cancellation, and trial expiry. The webhook handler must be idempotent — Stripe retries failed webhooks, and processing the same event twice can double-credit or double-charge a customer. The processed_webhook_events table (created in the schema migration) stores event IDs to prevent duplicate processing.

The webhook handler uses the raw request body for signature verification. Next.js App Router parses request bodies by default — use request.text() before stripe.webhooks.constructEvent() to get the unparsed body.

Deployment and Environment Isolation

The application deploys to Vercel with three isolated environments: local development, preview (one per pull request), and production. Isolation means each environment has its own Supabase project, its own Stripe account in test mode for preview and production mode for production, and its own set of environment variables.

Sharing a Supabase project or Stripe account between environments is a common mistake with expensive consequences. A migration that runs correctly in preview can corrupt production if the environments share the same database. A test webhook can flip a production user's subscription status.

The deployment checklist ensures nothing is missed across all three environments.

After initial deployment, reset the monthly token usage counter for all users at the start of each billing period. This runs as a scheduled Supabase Edge Function or a cron job via Vercel Cron.

Frequently Asked Questions