The SaaS launch checklist for 2026: 25 things to verify
Auth, payments, email, webhooks, DNS, rate limits, backups, deploy gates, and monitoring — the complete pre-launch rundown.
Every SaaS launch has the same failure modes. Auth callbacks pointing at localhost. Stripe webhooks using test-mode secrets. Transactional emails blocked by missing SPF records. DNS propagation not complete. Rate limits set to development defaults. The difference between a smooth launch and a fire drill is whether you verified these before or after real users arrived.
Authentication and authorization
Verify OAuth redirect URIs point at production. Confirm password reset emails deliver and the reset link resolves. Check that session tokens have appropriate expiration. Ensure protected routes reject unauthenticated requests with proper status codes, not silent redirects to broken pages.
Payments and billing
Use restricted Stripe keys with minimum permissions. Verify webhook delivery with signature validation. Test the full checkout loop including the database side effect. Confirm success and cancel URLs resolve on the production domain. Check that subscription lifecycle events (upgrade, downgrade, cancel) update entitlements correctly.
Transactional email and SMS
Send a real email from the production domain and verify it lands in the inbox, not spam. Check SPF, DKIM, and DMARC records are published and aligned. Verify your sending domain is not on any blocklist. For SMS, confirm the provider account is active and the phone number is verified for the target region.
Database and backups
Confirm your production database is not paused (Supabase pauses inactive projects). Verify your backup schedule is active and recent. Run an integrity drill to confirm the database is intact and readable. Check that migrations are in sync between your codebase and the deployed schema.
API security
Enable rate limiting on all public endpoints. Validate and sanitize all user input. Set CORS to allow only your production origins. Return appropriate error codes without leaking stack traces. Rotate any keys that were exposed during development.
Infrastructure and DNS
Verify DNS records are propagated. Confirm SSL certificates are valid and not expiring within 30 days. Check that your CDN is caching static assets correctly. Verify environment variables match between staging and production. Confirm deploy rollback is possible if the launch fails.
Monitoring and alerting
Set up uptime monitoring before launch, not after. Configure alert channels (Slack, Discord, email) and verify delivery. Enable error tracking with enough context to diagnose failures. Plan for the first 24 hours with denser sampling and lower alert thresholds.
Automate the checklist
PreFlight turns this entire checklist into automated probes. Connect your providers, run a check, and get a scored report showing exactly what passed, what failed, and what to fix. No manual verification needed — the system probes your live stack and tells you the truth.
