FAQ

Production-ready in shape. Every subsystem ships fully integrated: auth (sessions, 2FA, passkeys, OAuth), Stripe billing with idempotent webhooks, S3 uploads, structured logs, abuse throttling, captcha, multi-tenant organizations, and a four-tier test setup.

What's left is your product: brand, copy, legal pages, live Stripe prices, production OAuth URLs. Going To Production is the checklist for those. You deploy a working app on day one; making it ready for paying users is a short focused pass, not weeks of setup.

Three things:

• End-to-end type safety: one Zod schema flows from form to test to database via oRPC and Prisma.
• Multi-tenancy shipped, not bolted on: organizations, members, invitations, seat limits, and last-owner protection from day one.
• The production tail taken seriously: webhook idempotency, source-map upload, abuse throttling, structured logs, parallel-safe tests.

See API, Webhooks And Async Workflows, and Testing for each.

Yes. Daily work (marketing copy, new dashboard pages, new oRPC procedures, translation keys) is junior-friendly, and the docs walk through each in <Steps> blocks. Save senior input for deploy decisions, the security pre-launch checklist, and swapping core providers. A common pattern: one senior owns setup and pre-launch, juniors handle features after.

Three reasons:

• You own the data: sessions, user records, and OAuth tokens live in your Postgres, not a third-party SaaS.
• No per-MAU pricing: hosted auth bills per active user, which compounds at scale.
• Multi-tenancy built in: the organization plugin (members, invitations, roles) is extended with seat limits and last-owner protection.

See Authentication.

oRPC is OpenAPI-native: /api-reference ships an interactive spec from each procedure's .route(...) automatically. tRPC needs a plugin and a separate generator step for the same result. Type safety, Zod validation, and TanStack Query integration are equivalent. See API.

One product covers product analytics, web analytics, session replay, error tracking, and logs (via OTLP). One vendor, one bill, one cookie banner, one dashboard. The four-file packages/analytics is small enough to swap later (Sentry, Datadog) if you outgrow it. See Analytics and Monitoring.

Yes for every provider; effort scales with integration depth:

• Email (Plunk → Resend / SES / Mailgun / Postmark / Sendgrid): ~10 lines in packages/email/src/client.ts.
• Storage (any S3-compatible store): change AWS_ENDPOINT_URL_S3 and credentials.
• Database host (any Postgres): change DATABASE_URL.
• Database engine (Postgres → MySQL): swap the Prisma datasource and rewrite a few Postgres-only queries.
• Analytics (PostHog → anything): four-file rewrite of packages/analytics.
• Stripe (→ Paddle / LemonSqueezy / Polar): rewrite packages/payments. Biggest swap here.
• Auth (Better Auth → anything): rewrite packages/auth and the session shape the middleware reads.

The kit isn't built to make you swap, just so you can if you must.

Postgres is the default, and several models use Postgres-specific features (advisory locks, JSON columns, sliding-window indexes). MySQL works with a datasource swap plus rewriting the few Postgres-only queries. MongoDB needs more work since Prisma handles its relations differently. Recommendation: stay on Postgres unless you have a strong reason to switch.

Not yet. Workers needs a Prisma adapter swap and edge-compatible session handling, neither of which ships. Supported targets today: Vercel, Fly.io, Render, and self-hosted Docker. Cloudflare is on the roadmap.

The shipped UI is web-only (Next.js + React + Tailwind). The API in packages/api is HTTP and platform-agnostic, so a React Native or native client can call it. You'll need a mobile session strategy: Better Auth supports JWT mobile auth via a plugin, but it isn't wired in by default. No mobile shell ships in the box.

Updates are new versions you pull from the private repo, not patches you cherry-pick. What survives long-term:

• Edit apps/web and its components freely: you own them.
• Edit packages/ui primitives freely. They live in your repo.
• Add procedures in packages/api/src/router/*; keep the middleware chain intact so updates merge cleanly.
• Treat packages/auth, packages/payments, and packages/database as "ours plus yours" and re-merge by hand at update time.

Standard commercial-kit posture, not unique to SyntaxKit.

Near-zero to start with the recommended providers:

• Postgres: Neon or Supabase free tier.
• Email: Plunk and Resend both have free tiers.
• Analytics: PostHog (1M events/month free).
• Storage: Cloudflare R2 free tier, no egress fees.
• Captcha: Cloudflare Turnstile is free.
• Abuse: Upstash Redis free tier.
• AI: pay per token (model-dependent).
• Stripe: payment percentage only; no platform fees from the kit.
• Hosting: Vercel hobby tier, Fly.io free machines, or Docker on a $5 VPS.

You can run at zero monthly cost in development and well into early production. Costs scale with traffic above each free tier.

No certification ships: that's a buyer-side concern tied to your hosts and procedures, not the code. The kit does ship the primitives audits expect: structured logs, webhook event records (StripeWebhookEvent, OutboundEffect), signed sessions, encrypted cookies, abuse throttling, captcha. For GDPR it includes PostHog consent helpers (optOut, optIn, hasOptedOut) but no cookie banner UI. Bring your own CMP. Compliance-friendly, not compliance-certified.

Most apps eventually pick one of Vercel Cron, Inngest, Trigger.dev, or Upstash QStash, and they suit different shapes. Forcing one would lock you in. Instead the kit ships the OutboundEffect dedupe pattern (claimEffect / releaseEffectClaim) that any queue or cron can reuse for at-least-once delivery. See Webhooks And Async Workflows: Async Workflows.

Only on the Agency tier, which covers white-label client work plus all your own personal, commercial, and team projects. Solo and Studio allow unlimited use on your own products but not deliverables for paying clients. Need client work on Solo or Studio? Upgrade to Agency. See the License.

Yes on every tier; seats vary:

• Solo: one named developer, unlimited products you own.
• Studio: up to five developers in one organization, unlimited org-owned products.
• Agency: up to ten developers, unlimited owned products plus client deliverables.

No, on every tier. You can't resell, sublicense, or redistribute the kit (or a barely-modified derivative) as a starter kit, boilerplate, template, course material, or competing product. Public source mirrors (paste-bin, public repos, AI training sets) and sharing beyond your seat count are also forbidden.

Not in your shipped product: the compiled JavaScript can strip all kit attribution, and your marketing has no requirement. The license only asks you to keep attribution headers in the source code where they exist, so future maintainers know what's vendored from the kit.

Yes, a no-questions-asked window (the exact day count is on the License page). Email support with your order id inside it and we refund in full and revoke access. After it closes, the sale is final.

Every tier gets email support at the address on the License page. Higher tiers get faster response times and a dedicated Discord channel; the specifics are on the pricing page. Scope is the kit itself: bugs, integration, deployment. Your own product code and custom feature work are out of scope.

Email support is the main channel for both. With repository access, GitHub issues on the private repo also work, and the Discord (Studio and Agency tiers) is the quickest way to ask.

Yes, for as long as the kit is published. The license is perpetual and includes lifetime access to future versions, delivered through the same private GitHub repo: pull the latest, merge, and run any migration steps the changelog notes. No expiring update window on any tier.