SaaS Boilerplate

Next.js + Hono Starter

A Turborepo monorepo where Hono runs as a real backend — not Next.js API routes. Typed end-to-end with OpenAPI, Prisma, and Supabase Auth wired from day one.

Next.js 16Hono APIPrisma ORMSupabase AuthOpenAPI/ZodTurborepo
Get the code on GitHub

Full source, issues, and discussions—fork the monorepo, run it locally, and adapt auth, API routes, and Prisma models to your product.

Open repository

How it fits together

Two apps, two shared packages, one build graph. The API is a real Hono server — not a Next.js route handler.

apps/apps/webNext.js 16 · App Routershadcn/ui · Zustandapps/apiHono · OpenAPI/ZodJWT · Cookie sessionspackages/@repo/databasePrisma schema · migrationsgenerated client · seed@repo/typesshared TS types · enumsrole constants · Prisma re-exportSupabase Auth · PostgreSQL · pnpm workspaces · Turborepo
apps/web

Next.js App Router with auth-aware layouts, dashboard scaffold, and shadcn/ui components.

apps/api

Hono server with versioned routes, Zod/OpenAPI schemas, service layer, and JWT middleware.

packages/*

Prisma and migrations in database; shared contracts in types. The API imports both; the web app imports types and calls the API.

What the code looks like

Schema-first API routes. Typed user context. Protected server pages. This is what you clone into.

Hono route with OpenAPI + auth
apps/api/src/routes/v1/users.ts
// apps/api/src/routes/v1/users.ts
const route = createRoute({
  method: "get",
  path: "/api/v1/users/me",
  middleware: [authMiddleware],
  responses: {
    200: { content: { "application/json": { schema: UserSchema } } },
  },
})

app.openapi(route, async (c) => {
  const user = c.get("user")          // typed — set by authMiddleware
  const profile = await userService
    .findById(user.id)                 // @repo/database Prisma client
  return c.json(profile)
})
Next.js protected server page
apps/web/app/(dashboard)/overview/page.tsx
// apps/web/app/(dashboard)/overview/page.tsx
import { getServerUser } from "@/lib/auth/server"
import { redirect } from "next/navigation"

export default async function OverviewPage() {
  const user = await getServerUser()
  if (!user) redirect("/auth/sign-in")

  return <Dashboard user={user} />
}
Also included out of the box
  • Sign-up / sign-in / forgot password flows
  • Token refresh + HTTP-only cookie sessions
  • RBAC middleware (USER / ADMIN / DEMO roles)
  • Prisma migrations workflow with seed scripts
  • OpenAPI docs served at /api/v1/docs
  • Husky + commitlint + pnpm workspace scripts

Architecture & features

Security, typed API contracts, and a monorepo workflow you can extend without fighting the template.

Authentication
Email/password sign-up and login, session refresh, forgot password, and optional Google OAuth.
Authorization
Protected API routes with Bearer tokens and optional role-based access (RBAC).
User Management
Profile and account settings, password change, and account deletion.
Turborepo workflow
Run dev/build/lint/typecheck across apps and packages with caching-friendly tasks and pnpm workspaces.
Typed API contracts
Hono routes with schema-first validation and OpenAPI docs; shared TypeScript types live in packages for reuse.
Quick start
Install dependencies, configure environment variables, run migrations, and start the web and API dev servers.

Build real SaaS faster

Opinionated where it matters (auth, API contracts, DB workflow), flexible where it counts (your product).

Use cases, benefits, deployment
Explore the starter from three angles. Each tab has room to be specific.
Who this is for
  • MVP builders
    You want signup/login, protected pages, and a real database on day one—not mock auth.
  • Teams shipping internal tools
    You need RBAC, a clean service layer, and a typed API surface you can extend safely.
  • B2B SaaS
    You value explicit contracts (OpenAPI) and predictable backend structure as features grow.
  • Client work / templates
    You want a consistent foundation you can reuse, customize, and keep maintainable across projects.
Typical first changes
  • Update landing copy/branding and the nav anchors
  • Add your first domain model in Prisma and run migrations
  • Create your first feature module (web) + versioned route (api)
  • Lock down protected endpoints and role rules

Community Reviews

Used this boilerplate? Share a quick note — it helps other developers decide.

💡 Your feedback helps other developers find the right starter.
What builders say
Swipe through recent reviews from the community.
Loading reviews…

Let's connect

Have questions, feedback, or ideas? I'd love to hear from you. Reach out anytime.

EmailLinkedInGitHub
Quick contact
Direct links to connect—no forms, no spam.
Send an email
LinkedInGitHub

💬 Your feedback helps us improve!