How to Deploy a Bolt App to Production (Without It Falling Apart)
Bolt gets you a working prototype fast — but the StackBlitz export is only the starting point. Here's how to deploy your Bolt app to production with proper hosting, a real backend, and security that holds up.
Your Bolt app runs in StackBlitz. The preview works, the UI looks good, and you're ready to share it with users. But "it works in StackBlitz" and "it's running in production" are not the same thing.
Bolt runs your app in a sandboxed StackBlitz environment. That environment doesn't exist in production. This guide covers every step from export to live deployment.
1. Export your project from StackBlitz
Bolt runs on StackBlitz WebContainers. Your first step is getting the code out.
Option A: Download as ZIP — Click the download button in the Bolt interface. This gives you the full project directory.
Option B: Push to GitHub — Connect your GitHub account and push directly. This is the better option because you'll need version control anyway.
Once exported, open the project locally and run:
npm install
npm run dev
If it doesn't run locally, fix that first. Common issues:
- Missing environment variables that StackBlitz had configured
- Dependencies that worked in WebContainers but need native builds locally
- Hardcoded localhost URLs in the code
2. Add a real backend
This is where most Bolt apps fall short. Bolt tends to generate client-heavy apps — sometimes entirely client-side. That's fine for a prototype, but in production you need server-side logic.
Signs your app needs a backend:
- API keys in client-side code (anyone can see these in browser dev tools)
- Database queries running directly from the browser
- No authentication or authorisation layer
- Business logic in React components instead of API routes
If your Bolt app is a Next.js project, add API routes in the app/api/ directory. If it's a Vite/React app, you'll need to either add an Express backend or migrate to a framework that supports server-side code.
3. Move secrets out of the client
Search your entire codebase for hardcoded keys:
grep -r "sk_" src/
grep -r "api_key" src/
grep -r "secret" src/
Every secret except Supabase's public anon key must live server-side. Create a .env.local file for local development and configure environment variables in your hosting provider's dashboard for production.
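A check that goes further than the three greps above, as an added example (not from the original page): it flags Stripe-style secret keys, secret-looking variables behind the `NEXT_PUBLIC_` or `VITE_` prefixes, and JWT-format Supabase keys whose role claim is anything other than `anon`. The rule names, the sample file and every key in it are constructed for illustration.

```javascript
// Illustrative rules, not exhaustive. Matched values are never echoed back.
const RULES = [
  { id: "stripe-style-secret-key", re: /\bsk_(?:live|test)_[A-Za-z0-9]{10,}/ },
  // Next.js inlines NEXT_PUBLIC_* and Vite inlines VITE_* variables into the browser bundle.
  { id: "secret-in-public-env-var",
    re: /\b(?:NEXT_PUBLIC|VITE)_[A-Z0-9_]*(?:SECRET|PRIVATE|SERVICE_ROLE|PASSWORD)[A-Z0-9_]*/ },
];
const JWT_RE = /\beyJ[\w-]+\.(eyJ[\w-]+)\.[\w-]+/g;

// Read the "role" claim from a JWT payload (decoded only, signature not verified).
function jwtRole(payloadB64) {
  try {
    return JSON.parse(Buffer.from(payloadB64, "base64url").toString("utf8")).role ?? null;
  } catch {
    return null;
  }
}

// Scan one file's text; returns [{ file, line, rule }].
function scanText(file, text) {
  const findings = [];
  text.split("\n").forEach((src, i) => {
    for (const { id, re } of RULES) {
      if (re.test(src)) findings.push({ file, line: i + 1, rule: id });
    }
    for (const m of src.matchAll(JWT_RE)) {
      const role = jwtRole(m[1]);
      if (role === "anon") continue; // the public anon key is the one allowed exception
      const rule = role === "service_role" ? "supabase-service-role-key" : "hardcoded-jwt";
      findings.push({ file, line: i + 1, rule });
    }
  });
  return findings;
}

// Constructed sample: one allowed value (line 1) and three that must not ship to the browser.
const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
const fakeJwt = (role) => `${b64({ alg: "HS256", typ: "JWT" })}.${b64({ role })}.c2ln`;
const SAMPLE = [
  `const supabase = createClient(url, "${fakeJwt("anon")}");`,
  `const admin = createClient(url, "${fakeJwt("service_role")}");`,
  `const stripe = new Stripe("${"sk_test_" + "0".repeat(24)}");`,
  `const key = process.env.NEXT_PUBLIC_PAYMENT_SECRET_KEY;`,
].join("\n");

console.log(scanText("src/App.jsx", SAMPLE));
```

Run `scanText` over each file in `src/` and over the build output (for example `dist/` or `.next/static/`). The env-var rule fires on source, where the variable name is still visible; the key rules also catch values that were inlined at build time.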
4. Choose a hosting provider
Bolt projects are typically React or Next.js. Your main options:
- Vercel — Best for Next.js apps. Zero-config deployment, automatic preview URLs, edge functions.
- Netlify — Good for static sites and simple apps. Generous free tier.
- Railway — Better if your app needs a persistent backend process or database.
For most Bolt apps, Vercel is the path of least resistance:
npx vercel
This deploys your app and gives you a URL in under a minute. But don't stop here — there's still work to do.
5. Set up a database properly
If your Bolt app uses Supabase (many do), make sure:
- Row Level Security is enabled on every table
- Policies restrict access based on the authenticated user
- You're using the production Supabase project, not the development one
If your app needs a database but doesn't have one yet, Supabase or PlanetScale are both solid choices. Don't use SQLite in production — it doesn't handle concurrent connections well.
6. Add input validation
Bolt generates forms that look polished but often skip validation entirely. Every form input needs:
- Client-side validation for user experience (instant feedback)
- Server-side validation for security (the one that actually matters)
Use Zod for schema validation — it works on both client and server:
import { z } from "zod";

const contactSchema = z.object({
  email: z.string().email(),
  message: z.string().min(1).max(1000),
});
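The server-side half of that validation, as an added example (not code from the original page). It uses the Web `Request`/`Response` objects that Next.js route handlers receive and return. `makeContactHandler`, `deliver`, the 8 KiB cap and the route path in the closing comment are assumptions; `schema` is any Zod schema, such as `contactSchema` above.

```javascript
const MAX_BODY_BYTES = 8 * 1024; // assumed cap for a contact form

function json(status, body) {
  return new Response(JSON.stringify(body), {
    status,
    headers: { "content-type": "application/json" },
  });
}

// schema: a Zod schema. deliver: hypothetical async callback that stores or sends the message.
function makeContactHandler(schema, deliver) {
  return async function POST(request) {
    const type = request.headers.get("content-type") ?? "";
    if (!type.toLowerCase().startsWith("application/json")) {
      return json(415, { error: "expected application/json" });
    }
    // Read the body once and reject oversized input before parsing it.
    const raw = await request.text();
    if (Buffer.byteLength(raw, "utf8") > MAX_BODY_BYTES) {
      return json(413, { error: "body too large" });
    }
    let body;
    try {
      body = JSON.parse(raw);
    } catch {
      return json(400, { error: "invalid JSON" });
    }
    // safeParse does not throw; on failure it returns the list of issues.
    const result = schema.safeParse(body);
    if (!result.success) {
      const issues = result.error.issues.map((i) => ({
        field: i.path.join("."),
        message: i.message,
      }));
      return json(400, { error: "validation failed", issues });
    }
    // Pass on result.data only: z.object() strips keys the schema does not declare.
    await deliver(result.data);
    return json(200, { ok: true });
  };
}

// In app/api/contact/route.js (assumed path):
//   export const POST = makeContactHandler(contactSchema, saveMessage);
```

The browser form can run the same schema for instant feedback, but only this handler's result decides whether the message is accepted.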
7. Set up error monitoring
When something breaks in production, you need to know immediately — not when a user emails you. Install Sentry or a similar service:
npm install @sentry/nextjs
This takes 15 minutes and saves hours of debugging blind. For more on why AI-generated apps crash and how to prevent it, read why AI-generated apps keep crashing.
8. Configure CI/CD
Don't deploy by running commands manually. Set up automatic deployments:
- Push to GitHub
- Connect your repo to Vercel (or your hosting provider)
- Every push to main deploys automatically
- Every pull request gets a preview URL
This prevents the "it works on my machine" problem and gives you a safety net for every change.
The deployment checklist
Before you go live:
- [ ] Project runs locally after export from StackBlitz
- [ ] No API keys or secrets in client-side code
- [ ] Server-side validation on all form inputs
- [ ] Database has Row Level Security enabled (if using Supabase)
- [ ] Error monitoring installed (Sentry or similar)
- [ ] Environment variables configured in hosting provider
- [ ] Custom domain connected with HTTPS enforced
- [ ] Tested on real mobile devices
- [ ] CI/CD pipeline connected to your repo
Need help?
Deploying a Bolt app to production takes more than clicking "Deploy." If your app needs backend work, security hardening, or you just want someone to review it before launch, request a free audit. We specialise in Bolt apps and can tell you exactly what needs fixing.
For the full production readiness checklist covering all vibe-coded apps, see our complete production checklist.