Your vibe-coded ecommerce app works on localhost. It has a product catalog, a cart, and a checkout flow. But "works on my machine" and "ready for real customers with real credit cards" are separated by a gap that breaks most AI-built stores.

Convex published their "6 Steps Before Taking Your Vibe-coded App to Production." Supabase released their master checklist. Both are excellent — for general apps. Neither covers what happens when your AI-built store processes its first $500 order and the payment silently fails because Stripe's webhook wasn't configured for production mode.

This checklist is specifically for ecommerce. Payments, inventory, customer data, PCI compliance — the things that turn a prototype into a real store.

The 15-Point Ecommerce Production Checklist

Print this. Check each item before you launch. If more than three items are unchecked, you're not ready.

Step 1: Switch From Test Mode to Live Payment Keys

Your vibe coding tool probably set up Stripe or PayPal in test mode. That means sk_test_ keys, not sk_live_ keys. Every payment processor has separate credentials for testing and production.

How to check: Search your codebase for sk_test_, pk_test_, or sandbox. If you find them, your store literally cannot accept real money.

The fix: Replace all test keys with live credentials. Store them as environment variables (never hardcoded). Verify with a real $1 transaction before launch.

Step 2: Verify Webhook Endpoints Are Production-Ready

AI tools set up webhook URLs pointing to localhost:3000 or your development server. In production, Stripe, PayPal, and shipping APIs need to hit your live domain.

How to check: Log into your Stripe dashboard → Developers → Webhooks. If the endpoint URL contains localhost, 127.0.0.1, or a dev subdomain, it's broken.

The fix: Update all webhook endpoints to your production URL. Test each one using Stripe's "Send test webhook" feature. Verify your server responds with 200 OK.

Step 3: Implement Webhook Signature Verification

This is the step AI-generated code almost always skips. Without signature verification, anyone can send fake webhook events to your server — fake orders, fake refunds, fake subscription confirmations.

How to check: Search your webhook handler for stripe.webhooks.constructEvent (Stripe) or equivalent verification. If it just parses the request body without verifying the signature, it's vulnerable.

The fix: Add signature verification using your payment provider's SDK. Stripe provides the whsec_ signing secret in your webhook settings. The signature check rejects forged and tampered events; the timestamp check Stripe's SDK performs alongside it (a five-minute tolerance by default) rejects stale events being replayed. Record processed event IDs as well, so a duplicate delivery inside that window is handled once.

Step 4: Validate Payment Amounts Server-Side

The most dangerous ecommerce vulnerability in AI-generated code: the checkout sends the price from the client. A user can open browser DevTools, change $499.99 to $0.01, and your server happily processes the order.

How to check: Find the code that creates the payment intent or checkout session. Does it accept the amount from the frontend request, or does it look up the price from your database?

The fix: Always calculate the total server-side. Fetch product prices from your database, apply discounts using server-validated coupon codes, and calculate shipping and tax on the server. The client should send item IDs and quantities, never prices.
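The shape of a server-side total calculation, as an added example for this step (not code from the original post or from any vibe coding tool). The catalog, coupon table, flat shipping rate and tax rate are constructed for the demo; the one rule that matters is that the request body carries item IDs and quantities only, and anything that looks like a client-supplied price is rejected rather than ignored so tampering shows up in your logs.

```javascript
// Added example: compute an order total from server-side data only.
// CATALOG, COUPONS and the rates below are constructed demo values.
const CATALOG = new Map([
  ["sku_hoodie", { priceCents: 4999, maxPerOrder: 10 }],
  ["sku_sticker", { priceCents: 299, maxPerOrder: 50 }],
]);

// Coupons are looked up and checked here, never trusted from the client.
const COUPONS = new Map([
  ["LAUNCH10", { percentOff: 10, expiresAt: Date.UTC(2030, 0, 1) }],
  ["OLD20", { percentOff: 20, expiresAt: Date.UTC(2020, 0, 1) }],
]);

const FLAT_SHIPPING_CENTS = 500;
const TAX_RATE = 0.08;

// payload is the parsed checkout request: { items: [{ id, quantity }], couponCode? }.
// All arithmetic is in integer cents; the returned total is what you pass to the payment provider.
function computeOrderTotal(payload, now = Date.now()) {
  if (!Array.isArray(payload.items) || payload.items.length === 0) throw new Error("empty cart");
  let subtotal = 0;
  const lines = [];
  for (const item of payload.items) {
    // A price field in the request means the client was tampered with or the frontend is wrong.
    if ("price" in item || "priceCents" in item || "amount" in item) {
      throw new Error(`client-supplied price rejected for ${item.id}`);
    }
    const product = CATALOG.get(item.id);
    if (!product) throw new Error(`unknown product ${item.id}`);
    if (!Number.isInteger(item.quantity) || item.quantity < 1 || item.quantity > product.maxPerOrder) {
      throw new Error(`invalid quantity for ${item.id}`);
    }
    const lineCents = product.priceCents * item.quantity;
    lines.push({ id: item.id, quantity: item.quantity, unitCents: product.priceCents, lineCents });
    subtotal += lineCents;
  }
  let discount = 0;
  if (payload.couponCode) {
    const coupon = COUPONS.get(String(payload.couponCode).trim().toUpperCase());
    if (!coupon || coupon.expiresAt <= now) throw new Error("invalid or expired coupon");
    discount = Math.round((subtotal * coupon.percentOff) / 100);
  }
  const taxable = subtotal - discount;
  const tax = Math.round(taxable * TAX_RATE);
  const total = taxable + tax + FLAT_SHIPPING_CENTS;
  return { lines, subtotal, discount, tax, shipping: FLAT_SHIPPING_CENTS, total };
}
```

When you create the payment intent or checkout session, `total` from this function is the amount; the number the browser displayed is only a preview. The per-product `maxPerOrder` check also covers the "add 47 of the same item" case later in this checklist.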

Step 5: Set Up Error Monitoring

When your checkout breaks at 2 AM on a Saturday, you need to know. Vibe-coded apps typically have zero error tracking — errors disappear into browser consoles that nobody reads.

How to check: Search for Sentry, LogRocket, Bugsnag, or any error tracking SDK in your codebase. If you find nothing, errors are invisible.

The fix: Add Sentry (free tier handles up to 5,000 events/month). At minimum, track: payment failures, API errors, and unhandled exceptions. Set up Slack or email alerts for critical errors.

Step 6: Implement Rate Limiting

Without rate limiting, your store is vulnerable to: credential stuffing (someone tries 10,000 passwords on your login), cart abuse (bots adding items to drain inventory), and API abuse (someone hammers your endpoints until your hosting bill spikes).

How to check: Try submitting your login form 20 times in 10 seconds. If it lets you, there's no rate limiting.

The fix: Add rate limiting to authentication endpoints (5 attempts per minute), checkout endpoints (3 per minute per user), and API endpoints (60 per minute). Cloudflare's free tier includes basic rate limiting. For Vercel or Netlify, use middleware.

Step 7: Encrypt Customer Data at Rest

AI-generated code stores customer data (names, emails, addresses, phone numbers) in plain text. If your database is breached, everything is exposed.

How to check: Query your database directly. Can you read customer emails and addresses in plain text? If yes, they're not encrypted.

The fix: Encrypt sensitive fields at the application level before storing them. At minimum: email addresses, phone numbers, shipping addresses. Never store full credit card numbers — your payment processor (Stripe, PayPal) handles that.

Step 8: Add HTTPS Everywhere

Most deployment platforms (Vercel, Cloudflare, Netlify) automatically provide HTTPS. But AI-generated code sometimes hardcodes http:// URLs for API calls, images, or redirects.

How to check: Search your codebase for http:// (not https://). Check your deployment platform's SSL certificate status.

The fix: Replace all http:// references with https://. Add a redirect rule: all HTTP traffic → HTTPS. This is a PCI-DSS requirement for any store processing card payments.

Step 9: Test Cart Edge Cases

The AI built a happy-path checkout. Real customers will: add 47 of the same item, change quantities during checkout, apply expired coupon codes, navigate back and forward through checkout, open checkout in two tabs simultaneously, and use browsers with JavaScript partially disabled.

How to check: Spend 30 minutes trying to break your own checkout. Add impossible quantities, go back during payment, open duplicate tabs.

The fix: Add input validation (maximum quantities, minimum order amounts). Handle concurrent session conflicts. Test with the 10 most common breaking patterns. If you find three or more failures, your checkout isn't production-ready.

Step 10: Implement Inventory Sync

If your store shows "In Stock" but the item isn't actually available, you'll process orders you can't fulfill. AI-generated code often has no inventory management — or inventory that doesn't update when orders are placed.

How to check: Place a test order. Does the inventory count decrease? Add an item to cart in two different browsers. Can both complete checkout for the last remaining unit?

The fix: Implement inventory reservation at checkout start (not completion). Add stock checks before payment processing. Set up alerts for low-stock items. Handle oversell gracefully — either backorder notification or immediate refund.
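The two-browsers test above, worked through in code as an added example for this checklist (not the original post's code and not from any tool). The store is in-memory so it runs stand-alone; the comment in `reserve()` gives the equivalent single-statement Postgres update, because the property you need in production is that the stock check and the decrement cannot be separated by a concurrent request. Reservation IDs, SKUs and quantities are constructed, and the clock is injectable so an abandoned checkout can be simulated.

```javascript
// Added example: reserve stock at checkout start with a time-to-live, commit it from the
// payment webhook, and surface the oversell case instead of shipping air.
class InventoryStore {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.seq = 0;
    this.onHand = new Map();       // sku -> physical units
    this.reservations = new Map(); // reservationId -> { sku, qty, expiresAt, committed }
  }

  setStock(sku, qty) { this.onHand.set(sku, qty); }

  // Units held by live, uncommitted reservations.
  reserved(sku) {
    let total = 0;
    for (const r of this.reservations.values()) {
      if (r.sku === sku && !r.committed && r.expiresAt > this.now()) total += r.qty;
    }
    return total;
  }

  available(sku) { return (this.onHand.get(sku) || 0) - this.reserved(sku); }

  // Check-and-reserve as one step. In Postgres the same guarantee is one statement:
  //   UPDATE inventory SET available = available - $2
  //   WHERE sku = $1 AND available >= $2 RETURNING available;
  // zero rows updated means "sold out", and no second request can slip between the check and the write.
  reserve(sku, qty, ttlMs = 15 * 60_000) {
    if (!Number.isInteger(qty) || qty < 1) throw new Error("invalid quantity");
    if (this.available(sku) < qty) return null; // caller shows "sold out", not a payment form
    const id = `res_${++this.seq}`;
    this.reservations.set(id, { sku, qty, expiresAt: this.now() + ttlMs, committed: false });
    return id;
  }

  // Called from the payment-succeeded webhook: turn the reservation into a real decrement.
  commit(reservationId) {
    const r = this.reservations.get(reservationId);
    if (!r || r.committed) return false;
    if (r.expiresAt <= this.now() && this.available(r.sku) < r.qty) {
      // Reservation lapsed before payment completed and someone else took the unit:
      // this is the oversell case, and the caller should refund or backorder.
      return false;
    }
    this.onHand.set(r.sku, this.onHand.get(r.sku) - r.qty);
    r.committed = true;
    return true;
  }

  // Called when the customer leaves checkout or payment fails.
  release(reservationId) { return this.reservations.delete(reservationId); }

  // Feed this to your alerting for the low-stock notification step.
  lowStockSkus(threshold) {
    return [...this.onHand.keys()].filter((sku) => this.available(sku) <= threshold);
  }
}
```

The reason to reserve at checkout start rather than at completion is visible in the flow: by the time the payment webhook fires, the customer has already been charged, so that is the worst possible moment to discover the unit is gone. The TTL is what stops abandoned carts from holding stock hostage.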

Step 11: Add Proper Logging

When a customer says "my order went through but I didn't get a confirmation email," you need to trace exactly what happened. AI-generated code has either zero logging or logs everything to console.log (which disappears on restart).

How to check: Can you answer this question right now: "What happened with order #1234?" If you can't, your logging isn't production-ready.

The fix: Log every order state change (created, paid, fulfilled, refunded) with timestamps. Log all payment events. Log all email sends. Use structured logging (JSON format) so you can search logs later.

Step 12: Set Up Database Backups

Your vibe coding tool connected to Supabase, PlanetScale, or a hosted Postgres. Is it being backed up? If your database corrupts or someone accidentally deletes the products table, can you recover?

How to check: Log into your database provider's dashboard. Look for "Backups" or "Point-in-time Recovery." If you see nothing, you're one bad query away from losing everything.

The fix: Enable automated daily backups. Test a restore at least once before launch. Most hosted databases include backups on paid plans. Supabase Pro includes daily backups with 7-day retention.

Step 13: Configure Proper Email Delivery

AI-generated code sends order confirmations and shipping notifications through the app's default email. These emails land in spam — or don't send at all — because there's no authenticated email sender.

How to check: Place a test order. Does the confirmation email arrive? Check spam folder. Check your email provider's delivery logs.

The fix: Use a transactional email service (Resend, Postmark, SendGrid). Set up SPF, DKIM, and DMARC records for your domain. Test deliverability to Gmail, Outlook, and Yahoo.

Step 14: Load Test Before Launch

Your app works with one user. What happens with 50 concurrent users during a flash sale? AI-generated code often has N+1 database queries, unoptimized images, and no caching — problems that only surface under load.

How to check: Use a free load testing tool (k6, Artillery, or Locust). Simulate 50 users browsing and 10 users checking out simultaneously.

What to look for: Response times over 3 seconds, error rates above 1%, database connection pool exhaustion, memory leaks during sustained traffic.

The fix: Add database query optimization (indexes on frequently queried fields), implement caching for product catalog pages, optimize images (WebP format, lazy loading), and add a CDN for static assets.

Step 15: Create a Launch-Day Monitoring Dashboard

You launch. Traffic arrives. How do you know it's working? You need a single screen that shows: orders per hour, payment success rate, error count, server response time, and inventory levels.

How to check: Can you see all five metrics right now, without logging into five different services?

The fix: Set up a simple dashboard using your analytics + error monitoring + payment dashboard. At minimum, have Stripe's dashboard open showing real-time payments, and Sentry showing real-time errors. If the payment success rate drops below 95%, something is broken.

The 80% Wall

Replo's research puts it perfectly: "Vibe coding will feel like hitting a wall at the 80% mark. For ecommerce teams, that last 20% is everything."

That last 20% is this checklist. Your AI tool built the product pages, the cart, the checkout UI. It did not build: payment security, inventory management, error recovery, load handling, or compliance.

General production checklists (Convex, Supabase) cover steps 1, 5, and 12. The ecommerce-specific items — payment validation (Step 4), PCI compliance (Steps 3, 7, 8), inventory sync (Step 10), cart edge cases (Step 9) — are the ones that determine whether your store survives its first real customer.

When to Stop and Get Help

If you're stuck on more than five items on this checklist, the time investment to fix everything yourself often exceeds the cost of professional help. Common indicators:

  • Payment integration is failing silently — you need someone who's debugged Stripe webhooks before
  • You can't figure out server-side price validation — this is a security-critical fix, not a learning opportunity
  • Load testing reveals fundamental architecture problems — N+1 queries and missing indexes require database expertise
  • Customer data encryption feels overwhelming — PCI compliance isn't optional for stores processing cards

A production readiness assessment typically takes 2-3 days and costs $500-$2,000 — significantly less than the cost of launching with unresolved security vulnerabilities.

Ready to get your vibe-coded store production-ready? → Our team reviews your entire codebase and delivers a prioritized fix list.

Complement your launch checklist with AI tools that automate monitoring, marketing, and customer service → AI Tools for Shopify Stores