Forem: Juan Florville The latest articles on Forem by Juan Florville (@juan_florville_4469653226). https://forem.com/juan_florville_4469653226 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2681973%2F8c34b721-3c01-4d22-9066-2f17fbedabd7.jpg Forem: Juan Florville https://forem.com/juan_florville_4469653226 en Building a production-ready Rails 8 API + Vite/React/TanStack monorepo starter Juan Florville Wed, 06 May 2026 13:01:49 +0000 https://forem.com/juan_florville_4469653226/building-a-production-ready-rails-8-api-vitereacttanstack-monorepo-starter-18n1 https://forem.com/juan_florville_4469653226/building-a-production-ready-rails-8-api-vitereacttanstack-monorepo-starter-18n1 <h1> Building a production-ready Rails 8 API + Vite/React/TanStack monorepo starter </h1> <p>I've started more SaaS projects than I'd like to admit, and every single one began the same way: two days wiring up auth, configuring CORS, setting up Docker, writing the same CI pipeline, and making the same architectural decisions I'd already made three times before.</p> <p>So I built <a href="https://github.com/jcflorville/rails-tanstack-starter" rel="noopener noreferrer">rails-tanstack-starter</a> — an open source monorepo template that has all of that done before you write your first line of product code.</p> <p>This post explains the decisions behind it.</p> <h2> The stack </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>Technology</th> </tr> </thead> <tbody> <tr> <td>Backend</td> <td>Ruby on Rails 8 (API mode)</td> </tr> <tr> <td>Frontend</td> <td>Vite + React 19 + TypeScript</td> </tr> <tr> <td>Routing</td> <td>TanStack Router</td> </tr> <tr> <td>Data</td> <td>TanStack Query</td> </tr> <tr> <td>UI</td> <td>Tailwind CSS v4 + shadcn/ui</td> </tr> <tr> <td>Database</td> <td>PostgreSQL</td> </tr> <tr> <td>Jobs</td> <td>Solid Queue</td> </tr> <tr> <td>Deploy</td> <td>Kamal 2 → single VPS</td> </tr> <tr> <td>CI</td> <td>GitHub Actions</td> </tr> </tbody> </table></div> <p>Not a trendy stack — a boring, productive one. Every piece has been around long enough to have its rough edges solved.</p> <h2> Decision 1: Session cookies, not JWT </h2> <p>This is the most common question I get, so let me address it upfront.</p> <p>The Rails API uses HttpOnly session cookies for auth. No JWT. No token storage on the client. No refresh logic.</p> <p><strong>Real logout.</strong> With JWT, you can't truly invalidate a token before it expires unless you maintain a blocklist — which defeats the "stateless" benefit entirely. With server-side sessions, destroying the session is a genuine logout. Instantly.</p> <p><strong>XSS-proof by default.</strong> HttpOnly cookies are inaccessible to JavaScript. A compromised dependency can't <code>document.cookie</code> your auth token out of the browser. JWT stored in <code>localStorage</code> has no such protection.</p> <p><strong>Rails 8 supports it natively.</strong> The new authentication generator handles session creation, cookie signing, and the <code>Current.user</code> pattern. No gems needed.</p> <p>The frontend setup is one line — <code>credentials: 'include'</code> on every request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/lib/api-client.ts</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`/api/v1</span><span class="p">${</span><span class="nx">path</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">credentials</span><span class="p">:</span> <span class="dl">'</span><span class="s1">include</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="p">...</span><span class="nx">options</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>CORS is configured with an explicit origin and <code>credentials: true</code> — no wildcards, which would break cookie auth anyway.</p> <h2> Decision 2: Monorepo, but loosely coupled </h2> <p><code>apps/web</code> and <code>apps/api</code> are completely independent applications. They share nothing but HTTP.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>apps/ ├── web/ # Vite + React — its own package.json, Dockerfile, deploy config └── api/ # Rails 8 — its own Gemfile, Dockerfile, deploy config </code></pre> </div> <p>This is intentional. Shared packages in a monorepo sound appealing until you spend an afternoon debugging a TypeScript version mismatch between workspaces. For a two-app setup, the overhead isn't worth it.</p> <p>The benefit of keeping them together: one repo, one PR, one CI run, shared git history. When an API change breaks the frontend, you see it in the same commit.</p> <h2> Decision 3: Thin controllers, service objects </h2> <p>Controllers are deliberately thin:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># app/controllers/api/v1/users_controller.rb</span> <span class="k">def</span> <span class="nf">create</span> <span class="n">result</span> <span class="o">=</span> <span class="no">Users</span><span class="o">::</span><span class="no">CreateService</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="ss">params: </span><span class="n">user_params</span><span class="p">).</span><span class="nf">call</span> <span class="k">if</span> <span class="n">result</span><span class="p">.</span><span class="nf">success?</span> <span class="n">start_new_session_for</span><span class="p">(</span><span class="n">result</span><span class="p">.</span><span class="nf">data</span><span class="p">)</span> <span class="n">render</span> <span class="ss">json: </span><span class="no">UserSerializer</span><span class="p">.</span><span class="nf">render</span><span class="p">(</span><span class="n">result</span><span class="p">.</span><span class="nf">data</span><span class="p">),</span> <span class="ss">status: :created</span> <span class="k">else</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span> <span class="ss">errors: </span><span class="n">result</span><span class="p">.</span><span class="nf">errors</span> <span class="p">},</span> <span class="ss">status: :unprocessable_content</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p>All business logic lives in <code>app/services/</code>. Every service returns a <code>ServiceResult</code> — success or failure, with data or errors. This makes testing business logic trivial without touching HTTP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># spec/services/users/create_service_spec.rb</span> <span class="n">it</span> <span class="s2">"creates the user and returns a success result"</span> <span class="k">do</span> <span class="n">result</span> <span class="o">=</span> <span class="no">Users</span><span class="o">::</span><span class="no">CreateService</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span> <span class="ss">params: </span><span class="p">{</span> <span class="ss">email_address: </span><span class="s2">"new@example.com"</span><span class="p">,</span> <span class="ss">password: </span><span class="s2">"password123"</span> <span class="p">}</span> <span class="p">).</span><span class="nf">call</span> <span class="n">expect</span><span class="p">(</span><span class="n">result</span><span class="p">).</span><span class="nf">to</span> <span class="n">be_success</span> <span class="n">expect</span><span class="p">(</span><span class="n">result</span><span class="p">.</span><span class="nf">data</span><span class="p">).</span><span class="nf">to</span> <span class="n">be_persisted</span> <span class="k">end</span> </code></pre> </div> <h2> Decision 4: Centralized error handling in BaseController </h2> <p>Every API controller inherits from <code>BaseController</code>, which handles the most common exceptions so individual controllers don't have to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># app/controllers/api/v1/base_controller.rb</span> <span class="k">class</span> <span class="nc">BaseController</span> <span class="o">&lt;</span> <span class="no">ApplicationController</span> <span class="n">rescue_from</span> <span class="no">ActiveRecord</span><span class="o">::</span><span class="no">RecordNotFound</span><span class="p">,</span> <span class="ss">with: :not_found</span> <span class="n">rescue_from</span> <span class="no">ActionController</span><span class="o">::</span><span class="no">ParameterMissing</span><span class="p">,</span> <span class="ss">with: :bad_request</span> <span class="n">rescue_from</span> <span class="no">ActiveRecord</span><span class="o">::</span><span class="no">RecordInvalid</span><span class="p">,</span> <span class="ss">with: :unprocessable</span> <span class="kp">private</span> <span class="k">def</span> <span class="nf">not_found</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span> <span class="ss">error: </span><span class="n">e</span><span class="p">.</span><span class="nf">message</span> <span class="p">},</span> <span class="ss">status: :not_found</span> <span class="k">end</span> <span class="k">def</span> <span class="nf">bad_request</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span> <span class="ss">error: </span><span class="n">e</span><span class="p">.</span><span class="nf">message</span> <span class="p">},</span> <span class="ss">status: :bad_request</span> <span class="k">end</span> <span class="k">def</span> <span class="nf">unprocessable</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span> <span class="ss">errors: </span><span class="n">e</span><span class="p">.</span><span class="nf">record</span><span class="p">.</span><span class="nf">errors</span> <span class="p">},</span> <span class="ss">status: :unprocessable_content</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p>Without this, a <code>User.find(params[:id])</code> that fails returns an HTML 500 error page from Rails — the worst possible response from a JSON API.</p> <h2> Decision 5: TanStack Router over React Router </h2> <p>Two features made the difference:</p> <p><strong>Type-safe route params.</strong> No more <code>params.id</code> returning <code>string | undefined</code>. Route params are fully typed based on your route definitions.</p> <p><strong>Integrated loader pattern.</strong> Data fetching co-located with the route definition, not scattered across <code>useEffect</code> calls in components.</p> <p>Combined with TanStack Query for server state, the data layer is solid:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/features/auth/api.ts</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">useMe</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">useQuery</span><span class="p">({</span> <span class="na">queryKey</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">me</span><span class="dl">'</span><span class="p">],</span> <span class="na">queryFn</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">apiClient</span><span class="p">.</span><span class="kd">get</span><span class="o">&lt;</span><span class="nx">User</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">'</span><span class="s1">/me</span><span class="dl">'</span><span class="p">),</span> <span class="na">retry</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h2> Decision 6: Kamal 2 for deployment </h2> <p>Kubernetes is overkill for a new SaaS. Heroku gets expensive fast past the hobby tier. Kamal 2 hits a sweet spot: Docker-based deploys to a plain VPS with zero infrastructure to manage.</p> <p>Both apps deploy as separate containers on the same server. The frontend (Nginx) serves the static React build. The API (Rails + Thruster) handles requests. SSL via Let's Encrypt is automatic.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Deploy API</span> <span class="nb">cd </span>apps/api <span class="o">&amp;&amp;</span> kamal deploy <span class="c"># Deploy frontend (from repo root)</span> kamal deploy <span class="nt">-c</span> apps/web/config/deploy.yml </code></pre> </div> <p>Database migrations run automatically on every deploy via the Docker entrypoint — no manual migration step, no deploy scripts to maintain.</p> <h2> What's included out of the box </h2> <p><strong>Authentication — fully wired end to end</strong></p> <ul> <li>Sign up, sign in, sign out</li> <li>Password reset via time-limited email tokens</li> <li> <code>Current.user</code> pattern throughout the API</li> </ul> <p><strong>CI/CD via GitHub Actions</strong></p> <ul> <li>Backend: RuboCop · Brakeman · bundler-audit · RSpec</li> <li>Frontend: ESLint · Prettier · TypeScript · Vitest</li> <li>Two parallel jobs on every push and PR</li> </ul> <p><strong>Developer experience</strong></p> <ul> <li> <code>docker compose up</code> starts everything: Postgres, API with hot reload, frontend with HMR</li> <li>Pre-push git hook lints only changed files — fast local feedback without running the full suite</li> </ul> <h2> Getting started </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Use the GitHub template button, or clone directly</span> git clone https://github.com/jcflorville/rails-tanstack-starter.git my-app <span class="nb">cd </span>my-app <span class="c"># Replace placeholders: {{PROJECT_NAME}}, {{WEB_DOMAIN}}, {{API_DOMAIN}}, etc.</span> <span class="c"># Set up git hooks</span> git config core.hooksPath .githooks <span class="c"># Copy env files and start</span> <span class="nb">cp </span>apps/api/.env.example apps/api/.env <span class="nb">cp </span>apps/web/.env.example apps/web/.env docker compose up </code></pre> </div> <p>Visit <code>http://localhost:5173</code>. Sign in with the seed user (<code>test@example.com</code> / <code>password</code>) and start building.</p> <p>The repo is at <strong><a href="https://github.com/jcflorville/rails-tanstack-starter" rel="noopener noreferrer">github.com/jcflorville/rails-tanstack-starter</a></strong> — set up as a GitHub template so you can hit "Use this template" without forking.</p> <p>If you end up using it or have questions about any of the decisions, I'd love to hear from you in the comments.</p> rails react typescript webdev