What Vibe Coding Gets Right โ and Why It Matters
Let us be honest about something first: AI coding tools are genuinely remarkable. If you built a working prototype of a real product in a weekend without a computer science degree, that is not a small thing. A year ago it was impossible.
The ability to turn a product idea into a working demo in hours has changed who can build software, and that is worth acknowledging. The tools are good at: generating UI components and screens, writing API endpoints for standard CRUD operations, creating authentication flows that look right, handling simple form logic and data display, and producing code that is readable and mostly coherent. Where they fall short is not in the code they write โ it is in the decisions they do not make.
Security. Scalability. Production infrastructure.
Regulatory compliance. Error handling at scale. These are the gaps that stop a working prototype from becoming a real product.
How to Deploy Your Website or Web App
If your project is a web app โ a Next.js, React, or similar frontend with a backend API โ the fastest path to a live deployment uses one of three platforms depending on your stack. Vercel is the standard for Next.js and React apps: connect your GitHub repo, configure your environment variables, and you can have a live URL in under ten minutes. Render or Railway work well for apps with a backend server (Node.js, Python, Django, FastAPI): they handle the infrastructure so you do not need to configure servers manually.
For more control โ if you need a specific server setup, custom domains with complex routing, or enterprise-grade infrastructure โ AWS, Azure, or Google Cloud with a simple VM or container setup gives you full control but requires more configuration. Before you deploy anything publicly: make sure your environment variables (API keys, database URLs, secrets) are not hardcoded in the code, that you are using HTTPS, and that you have basic rate limiting on any API endpoints. AI-generated code frequently skips these steps because they are not visible in a local demo.
How to Deploy Your Mobile App
Mobile deployment is meaningfully harder than web deployment โ and this is where the gap between 'works on my device' and 'approved and live' is largest. For iOS: you need an Apple Developer account (ยฃ99/year), a properly configured provisioning profile and code signing certificate, and an app that passes App Store Review. Apple's automated review scans for security issues โ hardcoded API keys, insecure data storage, missing privacy usage description strings (NSPrivacyUsageDescription) for every device capability your app uses.
Their human review checks that the app works without crashes on a real device, has complete functionality, and complies with their guideline on data collection, payments, and content. AI-generated code regularly fails at the security scan and the privacy string requirements. For Android: the Play Store is less strict but still requires a signed APK or AAB, a complete store listing, and compliance with their developer policies.
The most common blockers for AI-built Android apps are missing permissions declarations, incomplete privacy policies, and failing their data safety section requirements. If your app has been rejected or you want to avoid rejection: get the code audited before you submit. We do this regularly.
Integrations, Databases, and Single Sign-On
This is the section most vibe coders find the most daunting, and understandably so. Here is a plain-English breakdown of each. Databases: your AI-built app probably uses either a local file, an in-memory store, or a demo database that disappears when you restart the server.
For a real product, you need a persistent database. The two most common choices are PostgreSQL (for relational data โ users, bookings, transactions, anything with relationships) and MongoDB (for flexible, document-style data). Hosted options like Supabase (PostgreSQL), PlanetScale, or MongoDB Atlas give you a real database with a connection URL in under five minutes, and most AI tools can write the connection code if you give them the URL and schema.
Integrations with external services (payment processing via Stripe, email via Resend or SendGrid, SMS via Twilio) are usually the easiest part โ these services have excellent APIs and AI tools write clean integration code for them. Single Sign-On (SSO) with Google, Apple, or GitHub: this is where most people get confused. SSO is implemented via OAuth 2.0, which involves registering your app with the provider (Google Cloud Console, Apple Developer portal, GitHub developer settings), getting a client ID and secret, and handling the callback flow.
Libraries like NextAuth.js (for Next.js) or Auth0 (framework-agnostic) handle most of this complexity. The real complexity in SSO is not the initial setup โ it is handling token refresh, session management, and security edge cases correctly. This is one of the places where AI-generated code tends to implement the happy path but miss the edge cases that matter in production.
Security: What You Cannot Skip
Deploying an AI-built app with no security review is the equivalent of leaving your front door open. Not because the code is obviously broken โ often it looks fine. The problems are in what it does not do.
Common issues we find in AI-generated codebases before production deployment: API endpoints with no authentication check, meaning any user can access any other user's data by knowing the right URL pattern. SQL queries built by string concatenation rather than parameterised queries, making the app vulnerable to SQL injection. API keys and secrets committed to the codebase or exposed in client-side code where any user can find them in the browser's developer tools.
No rate limiting on authentication endpoints, making brute-force attacks trivial. No input validation on user-submitted data, creating cross-site scripting vulnerabilities. These are not obscure academic concerns โ they are the exact vulnerabilities that get exploited in practice, often by automated scripts that scan the public internet for them continuously.
Before you launch anything that handles real user data, run your codebase through an automated scanner (Snyk, CodeQL, or SonarQube have free tiers) and fix the critical findings.
When to Do It Yourself vs. When to Get Help
Here is the honest breakdown. You can probably handle deployment yourself if: your web app has no backend complexity beyond standard CRUD, you are not handling payments or sensitive personal data, and you are comfortable reading error messages and following documentation. You should get professional help if: your app has been rejected from the App Store or Play Store and you do not understand why.
You are handling healthcare data, financial data, or any data that has regulatory implications (HIPAA, GDPR, PCI-DSS). You need SSO, complex database architecture, or third-party integrations that have not gone smoothly. You want to scale beyond a few hundred users without everything breaking.
Or you simply want the confidence that what you are deploying is secure and will not embarrass you or expose your users. The AI got you 80% of the way there. That last 20% โ the production hardening, the security review, the proper deployment pipeline, the integrations that work reliably โ is where experienced engineers earn their value.
That is the work we do.
Built something with AI and need help getting it live?
We offer a free 30-minute audit call. Share your codebase or describe what you have built, and we will tell you exactly what is blocking your launch and what it would take to fix it. No commitment required.
Book a Free Audit CallFrequently Asked Questions
How can I deploy my website?
For Next.js or React apps, connect your GitHub repo to Vercel โ you can be live in under ten minutes. For apps with a backend server, Render or Railway handle the infrastructure for you. Before deploying publicly, ensure API keys are in environment variables (not hardcoded), your app uses HTTPS, and any public API endpoints have basic rate limiting.
How can I deploy my mobile app?
For iOS: create an Apple Developer account, configure code signing, and submit through App Store Connect. Apple's review checks for security issues, missing privacy strings, and guideline compliance. For Android: sign your APK or AAB and submit through Google Play Console with a complete store listing and privacy policy. AI-built apps commonly fail Apple's security scan and privacy requirement checks โ get the code reviewed before submitting if you want to avoid rejection.
I vibe coded an app or website. Now what do I do?
The next steps are: audit the code for hardcoded secrets and security gaps, set up a real database (Supabase or PlanetScale for a fast start), configure environment variables for all API keys, deploy to a hosting platform (Vercel for web, App Store or Play Store for mobile), set up error monitoring (Sentry has a free tier), and get a basic security review before you share it publicly with real users.
I don't understand integrations, databases, or single sign-on. Where do I start?
For databases: Supabase gives you a hosted PostgreSQL database with a connection URL in five minutes. For SSO (login with Google, Apple, GitHub): use NextAuth.js if you are on Next.js, or Auth0 for any stack โ these libraries handle OAuth complexity for you. For integrations: Stripe for payments, Resend for email, and Twilio for SMS all have excellent documentation and AI tools write clean code for them. The complexity is in the edge cases โ session management, token refresh, error handling โ which is where getting help pays off.
Is AI-generated code safe to deploy?
It depends on what you are deploying. AI-generated code frequently has security gaps that are not visible locally: unauthenticated API endpoints, hardcoded secrets, missing input validation, and no rate limiting. These are not visible in a demo but are actively exploited in production. Run your code through a free scanner (Snyk or SonarQube) and fix critical findings before launch. For anything handling real user data, payments, or health information, get a proper code review.