The vibe-coded app launch checklist: what to check before going live

You shipped fast. Now ship safely. This is the complete pre-launch checklist for an AI-built web app — what to set, what to check, what to watch for the day you go live. Each item is one or two sentences of plain English. Skip nothing on the P0 list.

Why this list exists

Vibe coding skips the traditional launch-checklist step. The platforms ship you a working app, but the seven hours of mundane pre-launch grunt work that a senior engineer would do in the background — robots.txt, sitemap, canonical URLs, accessibility labels, secret-leak checks — isn't part of the chat flow. This is that list, written out.

P0 · Before you push to production

1. Custom domain configured with HTTPS — Vercel, Netlify, Fly, and Cloudflare Pages all auto-issue Let's Encrypt certs. Don't launch on yourapp.vercel.app.
2. robots.txt at /robots.txt — allow / to all crawlers, disallow /admin/ and /api/, explicitly allow GPTBot / ClaudeBot / PerplexityBot if you want AI citations.
3. sitemap.xml exists and lists every public URL — Next.js, Astro, Nuxt all have built-in generators.
4. Canonical URLs on every page — prevents Google from treating /page, /page/, and /page?ref=x as three duplicates.
5. Open Graph + Twitter Card meta on every page — without them you get a blank rectangle when shared.
6. Privacy policy and terms pages exist — legally required if you collect any data, mandatory for GDPR if you have EU users.
7. Exactly one <h1> per page — Google uses it to determine page topic. Vibe-coded apps commonly ship with all-h2 headings (the AI's default).
8. Page titles 50–60 characters, descriptive, keyword-led — 'Run audit · MyApp' beats 'Home'.

P0 · Compliance gates

These are the patterns plaintiff lawyers, regulators, and acquirers actually check. Failing any one of them on a commercial site is asking for trouble.

1. Every form input has a real <label> — not placeholder-only. This is the #1 most-cited ADA violation in 2025 demand letters.
2. Color contrast on every text-against-background combination meets WCAG 2.2 AA (4.5:1 for body, 3:1 for large text).
3. Alt text on every informative image; alt="" only on purely decorative ones.
4. No tracking pixels fire before user consent if you have any EU users (Meta Pixel, Google Ads, TikTok, GA4 with cookies, Mixpanel with cookies).
5. No exposed secrets in the client bundle — Stripe secret keys, OpenAI keys, Supabase service-role keys, AWS credentials.
6. Cookie banner shown before non-essential cookies — or use cookieless analytics (Cloudflare Web Analytics, Plausible, Fathom) and skip the banner entirely.
7. Run a Comply Code scan on your URL — surfaces what the plaintiff bar would cite. Free, no signup.

P0 · Analytics, monitoring, support

1. Web analytics installed — Cloudflare Web Analytics (free, cookieless), Plausible ($9/mo), or Vercel Analytics. Pick one.
2. Error tracking installed — Sentry free tier, Vercel error logs, or your platform's equivalent. You cannot fix bugs you don't know about.
3. Uptime monitoring — BetterStack free tier or UptimeRobot. Get a Slack/email ping when your site is down.
4. Database backup configured — if you have a database, automate a daily snapshot. Most platforms have this built in but it's often opt-in.
5. Google Search Console verified — submit your sitemap here on launch day.
6. Bing Webmaster Tools verified — covers Bing and shares index data with OpenAI / ChatGPT.
7. Real email forwarding for hello@yourdomain / support@yourdomain / security@yourdomain — Cloudflare Email Routing is free.
8. Someone (probably you) checks that inbox at least once per day for the first month.
9. Contact page exists with at least one channel that isn't a form — an email address founders can reply to.

Day-of launch · the 30-minute version

Block 30 minutes the morning of your launch. Run through this list. If anything breaks, you've caught it before users do.

1. Submit your sitemap to Google Search Console.
2. Submit your sitemap to Bing Webmaster Tools.
3. Run a complete signup or checkout flow with your own real email — does it land, can you log back in, do all the buttons work?
4. Send one transactional email to yourself and check that it lands in inbox, not spam. Set SPF, DKIM, DMARC if you haven't.
5. Paste your URL into the Twitter / X Card Validator (cards-dev.twitter.com/validator) — verify OG image renders.
6. Paste your URL into Slack, LinkedIn, Discord — visually check the preview cards.
7. Run PageSpeed Insights (pagespeed.web.dev) — fix any red issues, ignore the orange ones for now.
8. Run WAVE or axe DevTools on your home page — fix any critical accessibility findings.
9. Schedule your launch post: Indie Hackers, Hacker News (Show HN), Twitter / X, Product Hunt (Tuesday morning works better than Monday).

P1 · First-week growth setup

Not blockers, but they compound. Do these in the first week if you can.

• Add an FAQ block to your home page (3–6 Q&As) — single best AEO move you can make in 30 minutes.
• Add structured data: Organization, WebSite, and either SoftwareApplication or Product. Schema.org has the templates.
• Write one introductory blog post answering '[your category] for [your audience]' — the canonical search someone makes when discovering you.
• Submit to relevant directories: BetaList, Indie Hackers, Toolify, There's An AI For That. Skip the spammy ones.
• Set up real Stripe integration even if pricing is 'free for now' — wire the infra before you need it.
• Set up a domain email signature with your actual name and a photo — anonymous founder = trust ceiling.

Common mistakes that tank a launch

These are the patterns we see repeatedly when scanning vibe-coded apps in their first week.

1. robots.txt that blocks everything (Disallow: /) — usually inherited from a staging template, never flipped back.
2. Both yourapp.vercel.app and yourdomain.com indexed as duplicates — set canonicals to the custom domain.
3. Tracking pixels firing on first page-load before any cookie banner — instant GDPR violation if you have EU users.
4. Stripe checkout form with placeholder-only inputs — exactly the ADA pattern that triggers demand letters.
5. Public Supabase URL hardcoded in client bundle with no row-level security — anyone can read your tables.
6. No 404 page — visitors hit a generic Vercel / Fly error and bounce.
7. All h2 headings, no h1 — Google can't determine page topic, ranks the page lower.
8. OG image is a tiny screenshot — should be 1200×630, with text large enough to read on a phone.

What to ignore

There's a lot of launch advice online. Most of it is selling you something. Things you can safely skip on day one:

• 'Submit to 200 directories' — most are dead or scammy. The 5–10 real ones are enough.
• Buying backlinks — Google actively penalizes this. Don't.
• Running 47 analytics tools — one is enough. Add more only when you have a question one can't answer.
• 'Launch on Product Hunt at 12:01 AM Pacific' — Tuesday morning at 8 AM PT works better and you get to sleep.
• Paid ads from day one — you don't have product-market-fit data yet, so you can't tell which ads are working.
• Every 'SEO secret' thread on Twitter — almost universally marketing for an agency.

After launch · when to revisit

1. Day 7 — read your error logs. Fix anything recurring. Look at your analytics top-pages and top-referrers to see what's working.
2. Day 14 — check Google Search Console for indexing status. Re-submit sitemap if pages aren't indexed yet.
3. Day 30 — re-run your compliance scan. Vibe-coded apps drift fast as new features ship.
4. Day 90 — look at your funnel data. Where are people dropping off? That's the focus area for the next iteration.