Why AI SaaS Stack Decisions Are Different From Regular Web Apps
An AI SaaS has layers a regular web app does not — prompt engineering infrastructure, rate limiting, cost management, async AI jobs — and the stack you choose either makes those layers easy or hard.
See also: FastAPI vs Next.js for AI SaaS backends and lessons from building two AI SaaS products.
Three requirements changed every decision I made on the affiliate marketing SaaS I built:
Regular CRUD SaaS optimises for forms and dashboards. AI SaaS optimises for non-deterministic outputs, token budgets, and async reconciliation jobs running alongside user-facing tools. Stack choices that ignore those layers feel fast in week one and painfully expensive in month three.
- Structured output needs a validation layer. Gemini returns JSON wrapped in markdown fences three to eight percent of the time. Without Zod at the parse boundary, that becomes silent UI bugs — not typed errors you catch at deploy time.
- AI API costs need control. SDK choice is not neutral. Nine tools generating structured outputs daily turns a thirty-three-times price gap between Gemini and GPT-4o into $20–40/month versus $600–800/month at moderate usage.
- Long-running work needs async infrastructure. Hourly sales sync from six affiliate networks runs on Vercel Cron with CRON_SECRET protection — not blocking Server Actions or user-facing requests.
This is not a "best of 2026" listicle. It is a decision log from shipping ~58,600 lines across ~280 TypeScript files on Next.js 16.0.8, React 19.2.1, and TypeScript 5 with Turbopack dev filesystem cache enabled for fast HMR. Every choice below has a reason and an alternative I almost picked instead.
The Complete Stack: Every Layer With Its Reason
Next.js 16 + PostgreSQL + Google Gemini + Vercel is the AI SaaS tech stack 2026 Next.js PostgreSQL combination I would ship again — not because it is fashionable, but because each component earns its place by solving a specific production problem.
| Layer | Technology | Why chosen | Almost used instead |
|---|---|---|---|
| Framework | Next.js 16 (App Router) | Server Actions remove API boilerplate for AI tools | Remix |
| Language | TypeScript 5 | Non-negotiable at 280 files | JavaScript |
| AI (text) | Google Gemini 2.5 Flash | 33× cheaper than GPT-4o at comparable structured-output quality | OpenAI GPT-4o |
| AI (images) | Gemini 2.5 Flash Image | Native image gen, same SDK, multiple aspect ratios | DALL-E 3 |
| Database | PostgreSQL | Relational: users→sales→links→clicks need foreign keys | MongoDB |
| ORM | Prisma 7 | Generated TypeScript types + migrations | Mongoose, Drizzle |
| Validation | Zod 4 | Single library: env, AI output, Server Actions, forms | Yup |
| Env validation | @t3-oss/env-nextjs | Build fails if env vars missing — no silent prod errors | dotenv-safe |
| Auth | NextAuth v5 | Native Next.js 16, credentials-only for invite product | Clerk |
| Hosting | Vercel | Next.js native, cron jobs, edge network, zero ops | Railway |
| CSS | Tailwind CSS 4 | Zero config, JIT, utility-first | Styled Components |
| UI components | shadcn/ui | Copy-paste components you own — no bundle bloat | Chakra UI |
| Charts | Recharts | React-native, composable, no configuration hell | Chart.js |
| Canvas editor | Fabric.js 5 | Richest object model, inline text editing, serialisation | Konva.js |
What I'd change on the next project
Supabase PostgreSQL instead of managing my own Postgres instance. Supabase gives managed PostgreSQL, automatic backups, built-in connection pooling — critical on Vercel serverless where each function invocation opens a fresh TCP connection — and a dashboard for data inspection. Supabase + Prisma replaces my current Neon setup with less ops work. Everything else on the table above stays.
The stack also includes Recharts for composable sales analytics dashboards, Fabric.js 5 for a Canva-style ad canvas with undo/redo and keyboard shortcuts, and AES-256-GCM encrypted affiliate API keys at rest — none of which appear in generic "SaaS boilerplate" lists but all of which shaped real architecture decisions.
What I would not change
Next.js 16, PostgreSQL, Gemini, Zod, and Server Actions for AI tools — non-negotiable together. These five decisions are what made nine tools fast to build and reliable in production. Hassan Raza documents individual subsystems across hassanr.com; this post is the map.
One rule I follow for every stack decision: "Will this be easier or harder to maintain in six months?" If you cannot answer that question with specifics — not vibes — research more before committing. Trendy stacks that feel fast on day one often become migration projects on day one hundred eighty.
The Framework Layer: Why Next.js 16 and Not Remix
Next.js 16 with Server Actions is the right choice for AI SaaS because it eliminates the entire API routes layer for AI tools — nine tools, zero /api/[tool]/route.ts files.
Server Actions — the killer feature for AI platforms
Each AI tool wizard calls a Server Action: auth check → rate limit → Zod validate input → call Gemini service → Zod validate output → return typed result to the UI. Full TypeScript end to end. No fetch(), no request serialisation, no duplicate auth middleware per route. Per-user rate limiting with image-specific cooldowns lives in the action layer — a two-to-three-day build the first time, reused across all nine tools. I almost chose Remix for its server-first forms philosophy — but nine separate route handlers versus nine action files was not a close call.
// next.config.ts
import type { NextConfig } from 'next'
import './src/env' // Validates env at build time — fails loudly if misconfigured
const nextConfig: NextConfig = {
experimental: {
// React 19 Compiler — reduces unnecessary re-renders on AI-heavy wizard UIs
reactCompiler: true,
turbo: {
// Turbopack dev filesystem cache — faster HMR on 280-file codebases
},
},
// bcryptjs uses native Node APIs — keep it server-only
serverExternalPackages: ['bcryptjs'],
}
export default nextConfig
What Remix gets right (and why I still chose Next.js)
Remix has server-first forms, less client React overhead, and a clean mental model for data loading. Fair credit. But: smaller ecosystem, no Turbopack dev cache on large codebases, weaker first-class Vercel integration, and no React Compiler for the AI-heavy UI work. React 19.2.1 with the Compiler enabled reduced manual memoization across multi-step wizards. For an AI SaaS with many server-side tool calls, Server Actions plus Vercel plus Compiler beat Remix's philosophy advantages.
The Data Layer: PostgreSQL + Prisma + Zod Everywhere
PostgreSQL wins over MongoDB for AI SaaS because multi-entity relational data — users → affiliate accounts → sales → links → clicks → conversions — needs foreign keys and unique constraints, not flexible documents that drift at scale.
Why Prisma is worth the setup
Prisma 7 generates the client into src/generated/prisma. Migrations are tracked; Prisma Studio inspects local data. The AffiliateSale model uses @@unique([userId, network, externalOrderId]) — that three-field composite key makes idempotent hourly sync possible. Trivial in PostgreSQL. In MongoDB it requires manual index management and discipline every migration.
// src/env.ts — imported in next.config.ts so build fails before deploy
import { createEnv } from '@t3-oss/env-nextjs'
import { z } from 'zod'
export const env = createEnv({
server: {
DATABASE_URL: z.string().url(),
NEXTAUTH_SECRET: z.string().min(32),
NEXTAUTH_URL: z.string().url(),
GOOGLE_GEMINI_API_KEY: z.string().min(1),
ENCRYPTION_KEY: z.string().length(64), // 64 hex chars for AES-256-GCM
CRON_SECRET: z.string().min(16).optional(),
SALES_TRACKING_DRY_RUN: z.enum(['true', 'false']).optional(),
},
client: {
NEXT_PUBLIC_APP_URL: z.string().url(),
},
runtimeEnv: {
DATABASE_URL: process.env.DATABASE_URL,
NEXTAUTH_SECRET: process.env.NEXTAUTH_SECRET,
NEXTAUTH_URL: process.env.NEXTAUTH_URL,
GOOGLE_GEMINI_API_KEY: process.env.GOOGLE_GEMINI_API_KEY,
ENCRYPTION_KEY: process.env.ENCRYPTION_KEY,
CRON_SECRET: process.env.CRON_SECRET,
SALES_TRACKING_DRY_RUN: process.env.SALES_TRACKING_DRY_RUN,
NEXT_PUBLIC_APP_URL: process.env.NEXT_PUBLIC_APP_URL,
},
})
If GOOGLE_GEMINI_API_KEY is missing, the build fails with a typed, descriptive error — not a production deploy where every AI tool returns 500. Secrets stay server-only: never prefix API keys with NEXT_PUBLIC_.
Zod at every layer (the multiplier effect)
The same Zod library validates environment variables at build, Gemini JSON at parse time, Server Action inputs at invocation, and form data at submit. One library, one mental model, typed errors at every boundary. Without Zod schemas on AI output, markdown-wrapped JSON requires manual type guards in every service file — duplication that compounds with each new tool. The generateTextWithSchema utility centralises fence stripping and parse failure context so every service throws the same shaped error when Gemini drifts off schema.
The AI Layer: Why Google Gemini Instead of OpenAI
Gemini 2.5 Flash costs $0.075 per million input tokens versus GPT-4o's $2.50 per million — a thirty-three-times difference — with comparable output quality for structured ad copy, page descriptions, and video scripts. At production scale, this is not a marginal saving.
I almost standardised on OpenAI GPT-4o for the familiar SDK and excellent documentation. Then I ran the math on nine tools, each generating structured JSON outputs multiple times per user session. Moderate usage landed at $20–40/month on Gemini versus $600–800/month on GPT-4o for the same call volume. Output quality for policy-aware Facebook ad copy, YouTube script sections, and Instagram captions was comparable in blind review. The trade is developer experience versus cost — at production scale, cost wins unless your margin per AI call is enormous.
| Google Gemini 2.5 Flash | OpenAI GPT-4o | |
|---|---|---|
| Text input cost | ~$0.075/1M tokens | ~$2.50/1M tokens |
| Cost ratio | 1× (baseline) | ~33× more expensive |
| Image generation | ✅ Native (Gemini Flash Image) | ✅ DALL-E 3 (separate API) |
| Structured JSON | ✅ Reliable with Zod parsing | ✅ Reliable with json_object mode |
| Context window | 1M tokens | 128k tokens |
| SDK quality | @ai-sdk/google — good | OpenAI SDK — excellent docs |
| Rate limits | Generous free tier | Usage-based |
| At $100/month budget | ~133M input tokens | ~4M input tokens |
| My verdict | ✅ Better for cost-sensitive production | Great DX, hard to justify cost |
How the Gemini integration actually works
// lib/ai/generate-text-with-schema.ts
// Called by every AI service in the platform
import { generateText } from 'ai'
import { google } from '@ai-sdk/google'
import { z, type ZodSchema } from 'zod'
export async function generateTextWithSchema<T>(params: {
prompt: string
schema: ZodSchema<T>
model?: string
}): Promise<T> {
const { prompt, schema, model = 'gemini-2.5-flash' } = params
const { text } = await generateText({
model: google(model),
prompt,
})
// Gemini sometimes wraps JSON in ```json ... ``` markdown fences
const cleaned = text
.replace(/^```(?:json)?\s*/i, '')
.replace(/\s*```$/i, '')
.trim()
const parsed = JSON.parse(cleaned)
return schema.parse(parsed) // Throws ZodError if shape doesn't match
}
Image generation with Gemini Flash Image
Image tools use @google/genai with responseModalities: ['IMAGE'], supporting 1:1, 16:9, and 4:5 aspect ratios in one API call. Output converts from base64 to data URI for immediate UI preview. The Facebook Page Starter wizard generates logo, profile photo, and cover image in sequence — not parallel. Error handling follows the same three-class pattern as text: auth errors (4xx, do not retry), rate limits (429, exponential backoff), server errors (5xx, retry with cap). Classifying these correctly on first build saves days of production debugging when traffic spikes.
Never generate Gemini images in parallel. The image API has stricter rate limits than the text API. Sequential generation with a 500ms–1s delay between calls is mandatory for multi-image tools like the five-step page wizard that outputs logo + profile + cover. Parallel calls trigger 429s that cascade into user-visible failures.
Auth, UI, and Infra: The Supporting Layer
NextAuth v5, Tailwind 4 + shadcn/ui, and Vercel form a supporting layer that requires minimal configuration and scales to any traffic level without infrastructure management.
NextAuth v5 — credentials-only for invite-only products
Invite-only product: no public registration. NextAuth v5 with Credentials provider gives full control — username and password, bcryptjs at twelve rounds, JWT sessions with thirty-day expiry, session fields for id, email, username, and role. Route protection runs through src/proxy.ts (replacing middleware.ts in v5). Clerk is excellent for public sign-up flows, social OAuth, and magic links — overkill and monthly cost for admin-provisioned accounts. When your product needs public registration with Google login on day one, Clerk wins. When accounts are provisioned by an admin, NextAuth wins on cost and control.
Tailwind 4 + shadcn/ui — own your UI
shadcn/ui is not a component library — it is copy-paste Radix primitives you own. Button, Card, Dialog, Sheet, Command, Tabs — no version conflicts, no bundle bloat, full customisation. Tailwind 4 eliminates the config file entirely. Geist Sans + Mono for typography. next-themes for dark/light with class strategy. Professional dashboard UI in days, not weeks. I almost chose Chakra UI — heavier, more opinionated, external dependency I do not control.
The right stack isn't the one with the most GitHub stars. It's the one where version 2 of your product is easier to build than version 1. Every decision in this stack was about reducing future friction, not maximising present comfort.
Vercel — Next.js native hosting with cron included
No ops overhead. Cron via vercel.json at 0 * * * * for hourly sales sync from six affiliate network adapters. CRON_SECRET plus x-vercel-cron header protection. Edge network built-in. Environment variables validated at build through import './src/env' in next.config.ts — misconfigured deploys fail in CI, not in user sessions. For anything beyond what Vercel handles — long-running workers, custom networking — Railway or Render is the next step, not a premature choice on day one.
Set trustHost: true in your NextAuth v5 config before deploying to Vercel. Without it, authenticated routes and cron jobs throw a silent host-mismatch error through Vercel's proxy infrastructure. I document the same fix in the Vercel Cron background jobs post and the NextAuth v5 RBAC post on hassanr.com.
Frequently Asked Questions
The best AI SaaS tech stack in 2026 is Next.js 16, PostgreSQL, Prisma, Google Gemini, Vercel, and Zod everywhere. Hassan Raza shipped a production platform with nine AI tools and ~280 TypeScript files on this stack—not as a recommendation, but as delivered code. AI SaaS needs layers regular web apps skip: Zod-validated structured outputs, per-user rate limiting, token cost control, and Vercel Cron for async jobs. Next.js Server Actions remove nine API route files for nine tools. Gemini 2.5 Flash costs $0.075 per million input tokens versus GPT-4o's $2.50—a thirty-three-times difference at moderate usage. Choose components that make AI-specific friction easy, not fashionable.
Next.js is the pragmatic SaaS default in 2026—Server Actions are the deciding factor for AI products. Hassan Raza uses App Router plus React Server Components to keep client bundles small while AI logic runs server-side with full TypeScript types. Vercel integration is seamless; Turbopack and the React Compiler speed development on large codebases. Remix is the honest alternative—server-first forms, simpler mental model—but smaller ecosystem, no React Compiler, and weaker first-class Vercel support. For a platform with many authenticated AI tool calls, eliminating /api/[tool]/route.ts files via Server Actions beats framework philosophy debates.
PostgreSQL is the right database for most AI SaaS products because the data is relational. Users own affiliate network accounts; accounts produce sales; links generate clicks; clicks convert—with foreign keys and unique constraints enforcing shape. Hassan Raza's idempotent sales sync relies on @@unique([userId, network, externalOrderId])—trivial in PostgreSQL, manual index management in MongoDB. MongoDB fits genuinely document-shaped, variable-schema content—not typical multi-entity SaaS. Prisma 7 generates TypeScript types from the schema so database and application stay synchronized through migrations.