The latest articles on Forem by Launchstack310 (@launchstack310). https://forem.com/launchstack310 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3775262%2F6cba6aba-d99f-431c-9cbf-18419d617902.PNG https://forem.com/launchstack310 en Launchstack310 Wed, 11 Mar 2026 11:43:07 +0000 https://forem.com/launchstack310/what-nobody-tells-you-about-building-a-saas-auth-payments-emails-and-infrastructure-16op https://forem.com/launchstack310/what-nobody-tells-you-about-building-a-saas-auth-payments-emails-and-infrastructure-16op <p>Building a SaaS is fun… until you reach the boring parts.<br> Auth. Payments. Emails. Edge cases. Infrastructure.<br> These are the things that turn a weekend project into weeks of work. Most founders start a SaaS thinking about the product. But the real complexity often comes from everything around it.<br> Here's what nobody tells you.</p> <ol> <li>Authentication Is Never Just "Login" Everyone thinks auth is a checkbox. It's not. You need:</li> </ol> <p>Email/password login with proper password hashing (bcrypt, not MD5)<br> OAuth (Google, GitHub) — because users don't want another password<br> JWT tokens with refresh logic — access tokens expire, and you need to handle that gracefully<br> Password reset via email with secure, time-limited tokens<br> Session management — what happens when a user logs in from two devices?<br> Rate limiting on login endpoints to prevent brute force attacks</p> <p>In Flask, a minimal JWT setup looks like this:<br> pythonfrom flask_jwt_extended import JWTManager, create_access_token, jwt_required</p> <p>jwt = JWTManager(app)</p> <p>@app.route('/login', methods=['POST'])<br> def login():<br> user = verify_credentials(request.json)<br> access_token = create_access_token(identity=user.id)<br> return jsonify(access_token=access_token)</p> <p>@app.route('/protected')<br> @jwt_required()<br> def protected():<br> return jsonify(message="you're in")<br> Simple. But that's 5% of the work. The other 95% is the edge cases: expired tokens, invalid tokens, revoked tokens, CORS issues in production, OAuth callback URLs, email verification flows...<br> Most developers spend 1-2 weeks just on auth. And that's before writing a single line of their actual product.</p> <ol> <li>Payments Are Where Things Get Expensive to Get Wrong Stripe is the standard. But wiring it up correctly takes more time than people expect. The basics:</li> </ol> <p>Create a checkout session<br> Handle the payment success redirect<br> Store the subscription status in your database</p> <p>The part that actually matters:</p> <p>Webhooks — Stripe sends events asynchronously. If your server is down for 10 minutes, you miss them.<br> Signature verification — anyone can send fake POST requests to your webhook endpoint if you don't verify the Stripe signature<br> Idempotency — the same webhook event can arrive multiple times. Your handler needs to be idempotent.<br> Failed payments — what happens when a user's card is declined? Do you downgrade them immediately? Send an email? Give a grace period?<br> Subscription changes — upgrades, downgrades, cancellations mid-cycle. Proration logic is not fun.</p> <p>This is the Stripe webhook handler you actually need in production:<br> <a href="mailto:python@webhooks_bp.route">python@webhooks_bp.route</a>('/stripe', methods=['POST'])<br> def stripe_webhook():<br> payload = request.data<br> sig_header = request.headers.get('Stripe-Signature')</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>try: event = stripe.Webhook.construct_event( payload, sig_header, endpoint_secret ) except ValueError: return jsonify({'error': 'Invalid payload'}), 400 except stripe.error.SignatureVerificationError: return jsonify({'error': 'Invalid signature'}), 400 if event['type'] == 'checkout.session.completed': handle_checkout_completed(event['data']['object']) elif event['type'] == 'customer.subscription.deleted': handle_subscription_cancelled(event['data']['object']) return jsonify({'status': 'ok'}) </code></pre> </div> <p>Skip the signature verification and you're vulnerable. Skip the idempotency and you'll double-charge users. Skip the failed payment handling and you'll lose revenue silently.<br> Most developers spend another 1-2 weeks on payments. At minimum.</p> <ol> <li>Emails Are a Reliability Problem, Not a Code Problem Sending an email in Python is three lines of code. Sending emails reliably is a different problem. You need transactional emails for:</li> </ol> <p>Email verification on signup<br> Password reset<br> Payment confirmation<br> Subscription renewal reminder<br> Failed payment notification<br> Account deletion confirmation</p> <p>The code is simple with a service like Resend:<br> pythonimport resend</p> <p>resend.api_key = os.getenv("RESEND_API_KEY")</p> <p>def send_purchase_confirmation(to_email, user_name):<br> resend.Emails.send({<br> "from": "LaunchStack <a href="mailto:noreply@launchstack.space">noreply@launchstack.space</a>",<br> "to": to_email,<br> "subject": "Your purchase is confirmed",<br> "html": f"</p> <p>Hey {user_name}, you're all set.</p>"<br> })<br> But the real work is: <p>HTML email templates that look good on all clients (Gmail, Outlook, Apple Mail)<br> Handling bounces and unsubscribes<br> Not ending up in spam<br> Making sure emails actually send when your server is under load</p> <p>Another few days of work, at minimum.</p> <ol> <li><p>The Edge Cases Nobody Thinks About<br> These are the things that will break your app at 2am six months after launch:<br> User deletes their account — do you hard delete or soft delete? What happens to their data? Their subscription? Their invoices?<br> Refunds — a user wants their money back. How does that flow through your system? Does it automatically cancel their subscription?<br> Concurrent requests — two requests hit your server at the same time and both try to update the same user record. Race condition.<br> Database migrations — you need to add a column to a table that has 50,000 rows. Your app can't go down while this runs.<br> Token expiry edge cases — user has the app open in two tabs. One tab refreshes the token. The other tab tries to use the old token. What happens?<br> None of these are hard to solve individually. But each one takes time to think through, implement, and test.</p></li> <li><p>Infrastructure Is the Tax You Pay to Ship<br> You have a working local app. Now you need to deploy it.</p></li> </ol> <p>Hosting — Vercel for the Next.js frontend is easy. Flask backend needs a server: Railway, Render, Fly.io, a VPS.<br> Database — local SQLite is fine for development. Production needs PostgreSQL, proper backups, connection pooling.<br> Environment variables — you have 15 env vars. Where do they live? How do you manage them across dev, staging, and production?<br> CORS — your frontend at yourdomain.com can't talk to your backend at api.yourdomain.com until you configure this correctly.<br> SSL — HTTPS everywhere. Let's Encrypt is free but you need to set it up.<br> Monitoring — how do you know when your app is down? When an error happens?</p> <p>This is the CORS config that actually works in production with Flask:<br> pythonCORS(app, resources={<br> r"/<em>": {<br> "origins": "</em>",<br> "methods": ["GET", "POST", "PUT", "DELETE", "OPTIONS"],<br> "allow_headers": ["Content-Type", "Authorization"],<br> "supports_credentials": True,<br> "max_age": 3600<br> }<br> })<br> Getting infrastructure right is another week of work. Maybe two.</p> <p>The Real Timeline<br> Here's what building a SaaS actually looks like for most developers:<br> TaskExpectedRealityAuthentication2 days1-2 weeksPayments1 day1-2 weeksEmails2 hours2-3 daysInfrastructure1 day1 weekEdge cases—Ongoing<br> That's 4-6 weeks before you've written a single line of your actual product.</p> <p>Why SaaS Boilerplates Exist<br> This is exactly why SaaS boilerplates exist.<br> Instead of spending weeks setting up authentication, payments, and infrastructure, many founders start from a pre-built foundation that already handles all of this correctly.<br> That's actually why I built LaunchStack — a production-ready Next.js + Flask boilerplate for Python developers. It comes with JWT auth, Google OAuth, Stripe payments with webhook handling, transactional emails via Resend, and a complete deployment setup.<br> The goal is simple: skip the boring parts. Start with everything already working. Ship the product you actually want to build.<br> If you're a Python developer who wants to launch a SaaS without spending weeks on setup, check it out.</p> python flask saas webdev Launchstack310 Fri, 20 Feb 2026 06:00:11 +0000 https://forem.com/launchstack310/why-setup-hell-kills-more-saas-startups-than-bad-ideaspublished-4kn7 https://forem.com/launchstack310/why-setup-hell-kills-more-saas-startups-than-bad-ideaspublished-4kn7 <p>Most SaaS startups don't die because the idea was bad.<br> They die because the founder spent six weeks wiring up JWT refresh tokens, Stripe webhooks, and OAuth callbacks — and never once asked a real person: "Would you pay for this?"<br> They shipped configuration. Not value.<br> If you've ever burned two weeks on infrastructure before writing a single line of product code, this post is for you.</p> <p>Setup Hell Is a Psychology Problem, Not a Technical One<br> Here's the part nobody talks about: Setup Hell isn't about bad planning. It's about how your brain is wired.<br> Your brain craves certainty. It wants problems with clear inputs, clear outputs, and a small dopamine hit when the tests pass. Authentication gives you that. Stripe integration gives you that. Even CORS debugging — as painful as it is — gives you that.<br> You know what doesn't?<br> Sending a cold DM to a stranger asking if they'd pay for something that doesn't exist. That's rejection territory. That's ambiguity. That's the terrifying possibility that your idea isn't as good as you think.<br> So instead of doing the uncomfortable thing, you open your terminal. You run create-next-app. You start building auth.<br> It feels productive. It feels responsible.<br> It isn't.</p> <p>Setup feels like progress because it's controllable. Validation feels dangerous because it's not.</p> <p>Every solved technical problem reinforces the loop. You fix the token rotation bug — you feel competent. You fix the CORS error — you feel productive. Each small win deepens the illusion that you're building a business when you're actually building a shelter.<br> The most dangerous founders aren't the lazy ones. They're the hardworking ones building the wrong things.<br> Perfect architecture. Zero users.</p> <p>What "Just Setting Up Auth and Payments" Actually Costs<br> Founders consistently underestimate this by 5x. Here's what the timeline actually looks like:<br> Day 1 — JWT basics. Generate tokens, verify them, protect a route. Feels great.<br> Day 2 — Refresh tokens. Token rotation, secure storage, race conditions when multiple tabs refresh simultaneously, the httpOnly cookies vs localStorage debate. Twelve conflicting Stack Overflow answers. You pick one.<br> Day 3 — Password reset. That means email sending. Email sending means an email provider, DNS records, SPF, DKIM — all so your reset emails don't hit spam. Time-limited tokens. Edge cases for duplicate requests.<br> Day 5 — You haven't written a single line of product code.<br> But you keep going. You're "almost done."<br> Day 6-7 — OAuth. Google login seems straightforward until:</p> <p>Callback URLs behave differently in dev vs production<br> CORS blocks the redirect<br> Google's user object doesn't match your email/password schema<br> You lose an afternoon to a missing trailing slash in allowed origins</p> <p>Day 8-10 — Stripe. Checkout works locally. Webhooks fire. Beautiful. You deploy and everything breaks:</p> <p>Wrong webhook URL in production<br> Signature verification fails because middleware parses the raw body before Stripe's verification step<br> Three hours on Stack Overflow — the fix is in a 2022 comment<br> You still need idempotency handling for duplicate events<br> Environment variables differ across dev, staging, and prod</p> <p>Day 14 — You have auth, OAuth, Stripe, and a deployment pipeline.<br> You also have zero users, zero revenue, and zero evidence that anyone wants what you're building.</p> <p>The False Progress Trap<br> This is what makes Setup Hell so dangerous. It feels indistinguishable from real work.<br> What feels like progress:</p> <p>Implementing JWT refresh token rotation<br> Perfecting OAuth callback flows<br> Debugging Stripe webhook signatures<br> Getting CORS headers exactly right</p> <p>What actually moves a business forward:</p> <p>Talking to 10 potential customers<br> Getting 1 pre-order<br> Sending 20 cold emails<br> Shipping a landing page that converts</p> <p>One list makes you feel good. The other makes you money.</p> <p>Infrastructure is safe work. Talking to customers is risky work. The safe work will kill your startup.</p> <p>Early-Stage SaaS Is a Speed Game<br> The only question that matters in the first 30 days: is there a market here?<br> Everything that accelerates that answer is valuable. Everything that delays it is waste. It doesn't matter how elegant your waste is.<br> The math is unforgiving. You have finite energy before life intervenes — savings thin out, motivation fades, the market window shifts. Every day spent on plumbing is a day subtracted from your runway.<br> And unlike financial runway, motivation runway doesn't show on a spreadsheet. You don't notice it depleting until it's gone.<br> I've watched talented developers spend three months building technically impressive SaaS products, launch to silence, and quit within two weeks. They burned their creative energy on infrastructure and had nothing left for the unglamorous work of finding customers.<br> Meanwhile, the founder who shipped a half-broken MVP in ten days is already iterating on real feedback. Their code is worse in every dimension. But they know something priceless: what their users actually want.<br> The market doesn't care about your architecture. It doesn't care about your test coverage. It doesn't care if your tokens rotate every fifteen minutes or every fifteen hours. The market cares about one thing — does this solve my problem?<br> You can't answer that from inside your code editor.</p> <p>Every day spent polishing setup is borrowed from your runway. And the interest rate compounds.</p> <p>Leverage Compounds. Infrastructure Doesn't.<br> Not all work hours produce equal results.</p> <p>An hour debugging CORS misconfig → zero leverage<br> An hour talking to potential customers → compound leverage<br> An hour writing content that drives inbound → compound leverage</p> <p>The difference: leverage keeps working after you stop. Infrastructure doesn't.<br> The founders who break through ruthlessly protect their highest-leverage hours. They refuse to spend a week on problems that have already been solved. They use existing solutions for the commodity parts — auth, payments, email, deployment — and pour everything into the parts that are genuinely novel.<br> The parts that only they can build.<br> This is why smart founders reuse infrastructure aggressively.<br> Boilerplates. Starter kits. Templates. Anything that buys back time.<br> Not because they're lazy. Because they understand opportunity cost at a visceral level. Every hour rebuilding Stripe webhook verification for the fourteenth time is an hour not spent on the feature that makes someone pull out their credit card. Every day lost to OAuth debugging is a day your competitor is shipping.<br> If you can buy back two weeks of setup time, that's two weeks of customer conversations, landing page experiments, and real-world validation. Two weeks that could mean the difference between a launched product and another abandoned repo.<br> The only part that matters is the 10% only you can build. That's where your startup lives or dies. Not in your JWT implementation. Not in your webhook handler.<br> This is why production-ready starter stacks exist. But the tool isn't the point. The principle is: stop rebuilding solved problems.<br> The reason Setup Hell keeps happening isn't lack of discipline. It's that modern SaaS infrastructure is fragmented and heavy. Auth. Payments. Webhooks. Environments. Email. You either rebuild it all yourself or stitch five half-documented tools together and pray they work in production.<br> This is exactly why we built LaunchStack. A production-ready Flask + Next.js codebase with JWT auth, Stripe payments, OAuth, email, and deployment already wired — so you can skip the plumbing and ship what actually differentiates your product.</p> <p>Ship or Die<br> The graveyard of dead SaaS startups is not filled with bad ideas.<br> It's filled with good ideas that never got a fair shot. Founders who spent their best weeks on problems that were already solved. Who perfected infrastructure for products that never met a customer.<br> Setup Hell is comfortable. It protects you from the vulnerability of putting something imperfect in front of real people and asking them to pay.<br> But comfort doesn't build businesses. Velocity does.<br> You can refactor auth.<br> You can clean up the code.<br> You can rebuild the pipeline.<br> You cannot resurrect a startup that never validated.<br> Ship the thing. Talk to humans. Get uncomfortable.</p> <p>If you're about to spend your next two weeks wiring auth and Stripe, ask yourself:<br> Is this the part only you can build?<br> → LaunchStack — Skip setup. Ship product.</p> sass startup webdev python Launchstack310 Tue, 17 Feb 2026 07:48:41 +0000 https://forem.com/launchstack310/how-to-structure-a-production-ready-flask-saas-project-folder-architecture-that-scales-1jml https://forem.com/launchstack310/how-to-structure-a-production-ready-flask-saas-project-folder-architecture-that-scales-1jml <p>You started with <code>app.py</code>. All your routes in one file. Models at the top, config hardcoded, Stripe webhook handler jammed between the login route and a TODO comment you wrote at 1AM.</p> <p>It worked. For a while.</p> <p>Then you added OAuth. Then a webhook handler that needed access to your User model and your email service. Then an admin route that needed authentication middleware. Then environment-specific config for staging vs production. And suddenly, every change required scrolling through 800 lines to find the right section, and every new feature broke something unrelated.</p> <p>This isn't a Flask problem. Flask gives you freedom. The problem is that no one shows you what production-ready freedom looks like — especially for a SaaS application where authentication, payments, webhooks, and email are first-class concerns from day one.</p> <p>This is the exact project structure I use for Flask SaaS backends paired with a Next.js frontend. It has survived auth rewrites, Stripe integration, multi-environment deployment, and real production traffic. It scales to 10,000+ users without becoming a maintenance nightmare.</p> <h2> Why Most Flask SaaS Projects Become Unmaintainable </h2> <p>Flask's minimalism is its greatest strength and its most dangerous trap.</p> <p>The official Flask tutorial gives you a flat structure: <code>auth.py</code>, <code>blog.py</code>, <code>templates/</code>, <code>static/</code>. That's fine for a blog. It's a disaster for a SaaS.</p> <p>Here's what actually happens when you build a SaaS with a tutorial-grade structure:</p> <p><strong>Month 1:</strong> Everything lives in 3-4 files. You're moving fast. Routes, models, helpers — all accessible, all in one place.</p> <p><strong>Month 2:</strong> You add Stripe. Now your <code>routes.py</code> has authentication endpoints, payment endpoints, webhook handlers, and user profile routes. It's 600+ lines. You start losing track of which functions depend on what.</p> <p><strong>Month 3:</strong> You need to change how you handle Stripe subscription cancellation. The handler is in <code>routes.py</code>, the database update is inline, and the email notification is called directly from the route. You change one thing, break two others.</p> <p>The root cause is always the same: <strong>business logic mixed with route handlers.</strong> When your route function handles HTTP parsing, database queries, payment processing, and email sending — you don't have a web application. You have a script that happens to respond to HTTP requests.</p> <h3> The three architectural mistakes that kill Flask SaaS projects </h3> <p><strong>1. No service layer.</strong> Route handlers directly query the database, call Stripe, and send emails. Every route becomes a tangled chain of dependencies that's impossible to test or reuse.</p> <p><strong>2. Flat file organization.</strong> All routes in one file, all models in one file. Works until you have 15 models and 40 routes. Then every git merge becomes a conflict.</p> <p><strong>3. Config hardcoded or scattered.</strong> Database URLs in <code>app.py</code>, Stripe keys in <code>routes.py</code>, CORS origins in <code>__init__.py</code>. Deploying to staging vs production becomes a manual find-and-replace operation.</p> <h2> The Production-Ready Architecture Blueprint </h2> <p>Here's the full structure. Every directory has a specific responsibility. Nothing leaks across boundaries.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>backend/ ├── app/ │ ├── __init__.py # Application factory │ ├── extensions.py # Flask extensions (db, migrate, mail, cors) │ │ │ ├── config/ │ │ ├── __init__.py │ │ ├── base.py # Shared settings │ │ ├── development.py # Dev overrides │ │ ├── production.py # Prod settings │ │ └── testing.py # Test settings │ │ │ ├── models/ │ │ ├── __init__.py # Export all models │ │ ├── user.py # User + auth fields │ │ ├── subscription.py # Stripe subscription data │ │ └── mixins.py # Shared model logic (timestamps, soft delete) │ │ │ ├── routes/ │ │ ├── __init__.py # Register all blueprints │ │ ├── auth.py # Login, register, refresh, logout │ │ ├── oauth.py # Google, GitHub OAuth flows │ │ ├── payments.py # Checkout, billing, plan management │ │ ├── webhooks.py # Stripe webhook handler │ │ ├── users.py # Profile, settings, account │ │ └── admin.py # Admin-only endpoints │ │ │ ├── services/ │ │ ├── __init__.py │ │ ├── auth_service.py # Token generation, password hashing │ │ ├── stripe_service.py # All Stripe API interactions │ │ ├── email_service.py # Transactional emails │ │ └── user_service.py # User CRUD, account logic │ │ │ ├── schemas/ │ │ ├── __init__.py │ │ ├── auth.py # Login/register validation │ │ ├── user.py # User response shapes │ │ └── payment.py # Payment request validation │ │ │ ├── middleware/ │ │ ├── __init__.py │ │ ├── auth_middleware.py # JWT verification decorator │ │ └── admin_middleware.py # Admin role check │ │ │ └── utils/ │ ├── __init__.py │ ├── responses.py # Standardized JSON responses │ ├── errors.py # Error handlers │ └── helpers.py # Date formatting, slugs, etc. │ ├── migrations/ # Alembic migration files ├── tests/ │ ├── conftest.py # Test fixtures │ ├── test_auth.py │ ├── test_payments.py │ └── test_webhooks.py │ ├── .env.development ├── .env.production ├── .env.example ├── requirements.txt ├── wsgi.py # Production entry point └── run.py # Development entry point </code></pre> </div> <p>This isn't theoretical. This is the structure running in production behind a real SaaS application.</p> <h3> Layer-by-layer breakdown </h3> <p><strong><code>app/__init__.py</code> — The application factory</strong></p> <p>The application factory pattern is non-negotiable for any serious Flask project. It lets you create multiple app instances with different configs — essential for testing.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app/__init__.py </span><span class="kn">import</span> <span class="n">os</span> <span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span> <span class="kn">from</span> <span class="n">app.extensions</span> <span class="kn">import</span> <span class="n">db</span><span class="p">,</span> <span class="n">migrate</span><span class="p">,</span> <span class="n">cors</span><span class="p">,</span> <span class="n">mail</span> <span class="k">def</span> <span class="nf">create_app</span><span class="p">(</span><span class="n">config_name</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="c1"># Load config </span> <span class="k">if</span> <span class="n">config_name</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="n">config_name</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">FLASK_ENV</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">development</span><span class="sh">'</span><span class="p">)</span> <span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">.</span><span class="nf">from_object</span><span class="p">(</span><span class="sa">f</span><span class="sh">'</span><span class="s">app.config.</span><span class="si">{</span><span class="n">config_name</span><span class="si">}</span><span class="s">.Config</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Initialize extensions </span> <span class="n">db</span><span class="p">.</span><span class="nf">init_app</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="n">migrate</span><span class="p">.</span><span class="nf">init_app</span><span class="p">(</span><span class="n">app</span><span class="p">,</span> <span class="n">db</span><span class="p">)</span> <span class="n">cors</span><span class="p">.</span><span class="nf">init_app</span><span class="p">(</span><span class="n">app</span><span class="p">,</span> <span class="n">origins</span><span class="o">=</span><span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">ALLOWED_ORIGINS</span><span class="sh">'</span><span class="p">],</span> <span class="n">supports_credentials</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="n">mail</span><span class="p">.</span><span class="nf">init_app</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="c1"># Register blueprints </span> <span class="kn">from</span> <span class="n">app.routes</span> <span class="kn">import</span> <span class="n">register_blueprints</span> <span class="nf">register_blueprints</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="c1"># Register error handlers </span> <span class="kn">from</span> <span class="n">app.utils.errors</span> <span class="kn">import</span> <span class="n">register_error_handlers</span> <span class="nf">register_error_handlers</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="k">return</span> <span class="n">app</span> </code></pre> </div> <p><strong><code>app/extensions.py</code> — Extension instances</strong></p> <p>Extensions are instantiated without an app, then initialized in the factory. This prevents circular imports — one of the most common Flask headaches.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app/extensions.py </span><span class="kn">from</span> <span class="n">flask_sqlalchemy</span> <span class="kn">import</span> <span class="n">SQLAlchemy</span> <span class="kn">from</span> <span class="n">flask_migrate</span> <span class="kn">import</span> <span class="n">Migrate</span> <span class="kn">from</span> <span class="n">flask_cors</span> <span class="kn">import</span> <span class="n">CORS</span> <span class="kn">from</span> <span class="n">flask_mail</span> <span class="kn">import</span> <span class="n">Mail</span> <span class="n">db</span> <span class="o">=</span> <span class="nc">SQLAlchemy</span><span class="p">()</span> <span class="n">migrate</span> <span class="o">=</span> <span class="nc">Migrate</span><span class="p">()</span> <span class="n">cors</span> <span class="o">=</span> <span class="nc">CORS</span><span class="p">()</span> <span class="n">mail</span> <span class="o">=</span> <span class="nc">Mail</span><span class="p">()</span> </code></pre> </div> <p><strong><code>app/config/</code> — Environment-specific settings</strong></p> <p>Never use a single config file with <code>if</code> statements. Separate files per environment. Each inherits from a base.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app/config/base.py </span><span class="kn">import</span> <span class="n">os</span> <span class="k">class</span> <span class="nc">Config</span><span class="p">:</span> <span class="n">SECRET_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">SECRET_KEY</span><span class="sh">'</span><span class="p">)</span> <span class="n">SQLALCHEMY_TRACK_MODIFICATIONS</span> <span class="o">=</span> <span class="bp">False</span> <span class="n">JWT_SECRET_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">JWT_SECRET_KEY</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Stripe </span> <span class="n">STRIPE_SECRET_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">STRIPE_SECRET_KEY</span><span class="sh">'</span><span class="p">)</span> <span class="n">STRIPE_WEBHOOK_SECRET</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">STRIPE_WEBHOOK_SECRET</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Email </span> <span class="n">MAIL_SERVER</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">MAIL_SERVER</span><span class="sh">'</span><span class="p">)</span> <span class="n">MAIL_PORT</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">MAIL_PORT</span><span class="sh">'</span><span class="p">,</span> <span class="mi">587</span><span class="p">))</span> <span class="c1"># CORS </span> <span class="n">ALLOWED_ORIGINS</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">ALLOWED_ORIGINS</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">).</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="s">,</span><span class="sh">'</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app/config/development.py </span><span class="kn">from</span> <span class="n">app.config.base</span> <span class="kn">import</span> <span class="n">Config</span> <span class="k">class</span> <span class="nc">Config</span><span class="p">(</span><span class="n">Config</span><span class="p">):</span> <span class="n">DEBUG</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">SQLALCHEMY_DATABASE_URI</span> <span class="o">=</span> <span class="sh">'</span><span class="s">sqlite:///dev.db</span><span class="sh">'</span> <span class="n">ALLOWED_ORIGINS</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">http://localhost:3000</span><span class="sh">'</span><span class="p">]</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app/config/production.py </span><span class="kn">import</span> <span class="n">os</span> <span class="kn">from</span> <span class="n">app.config.base</span> <span class="kn">import</span> <span class="n">Config</span> <span class="k">class</span> <span class="nc">Config</span><span class="p">(</span><span class="n">Config</span><span class="p">):</span> <span class="n">DEBUG</span> <span class="o">=</span> <span class="bp">False</span> <span class="n">SQLALCHEMY_DATABASE_URI</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">DATABASE_URL</span><span class="sh">'</span><span class="p">)</span> <span class="n">ALLOWED_ORIGINS</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">'</span><span class="s">https://yourdomain.com</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">https://www.yourdomain.com</span><span class="sh">'</span> <span class="p">]</span> </code></pre> </div> <h2> The Service Layer — Why It Changes Everything </h2> <p>The service layer is the single most important architectural decision in this structure, and the one most Flask developers skip.</p> <p>Without a service layer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Route handler doing everything </span><span class="nd">@auth_bp.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/api/auth/register</span><span class="sh">'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">])</span> <span class="k">def</span> <span class="nf">register</span><span class="p">():</span> <span class="n">data</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="nf">get_json</span><span class="p">()</span> <span class="c1"># Validation — in the route </span> <span class="k">if</span> <span class="ow">not</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">)</span> <span class="ow">or</span> <span class="ow">not</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">password</span><span class="sh">'</span><span class="p">):</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Missing fields</span><span class="sh">'</span><span class="p">}),</span> <span class="mi">400</span> <span class="c1"># Business logic — in the route </span> <span class="n">existing</span> <span class="o">=</span> <span class="n">User</span><span class="p">.</span><span class="n">query</span><span class="p">.</span><span class="nf">filter_by</span><span class="p">(</span><span class="n">email</span><span class="o">=</span><span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">]).</span><span class="nf">first</span><span class="p">()</span> <span class="k">if</span> <span class="n">existing</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Email taken</span><span class="sh">'</span><span class="p">}),</span> <span class="mi">409</span> <span class="c1"># More business logic — still in the route </span> <span class="n">user</span> <span class="o">=</span> <span class="nc">User</span><span class="p">(</span><span class="n">email</span><span class="o">=</span><span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">])</span> <span class="n">user</span><span class="p">.</span><span class="nf">set_password</span><span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">password</span><span class="sh">'</span><span class="p">])</span> <span class="n">db</span><span class="p">.</span><span class="n">session</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="n">db</span><span class="p">.</span><span class="n">session</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="c1"># Token generation — also in the route </span> <span class="n">tokens</span> <span class="o">=</span> <span class="nf">generate_tokens</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="nb">id</span><span class="p">)</span> <span class="c1"># Email — you guessed it, in the route </span> <span class="nf">send_welcome_email</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="n">email</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="nf">make_response</span><span class="p">(</span><span class="nf">jsonify</span><span class="p">({...}))</span> <span class="n">response</span><span class="p">.</span><span class="nf">set_cookie</span><span class="p">(</span><span class="sh">'</span><span class="s">refresh_token</span><span class="sh">'</span><span class="p">,</span> <span class="n">tokens</span><span class="p">[</span><span class="sh">'</span><span class="s">refresh_token</span><span class="sh">'</span><span class="p">],</span> <span class="p">...)</span> <span class="k">return</span> <span class="n">response</span> </code></pre> </div> <p>With a service layer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Route handler — only handles HTTP </span><span class="nd">@auth_bp.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/api/auth/register</span><span class="sh">'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">])</span> <span class="k">def</span> <span class="nf">register</span><span class="p">():</span> <span class="n">data</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="nf">get_json</span><span class="p">()</span> <span class="n">result</span><span class="p">,</span> <span class="n">error</span> <span class="o">=</span> <span class="n">auth_service</span><span class="p">.</span><span class="nf">register_user</span><span class="p">(</span> <span class="n">email</span><span class="o">=</span><span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">),</span> <span class="n">password</span><span class="o">=</span><span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">password</span><span class="sh">'</span><span class="p">)</span> <span class="p">)</span> <span class="k">if</span> <span class="n">error</span><span class="p">:</span> <span class="k">return</span> <span class="nf">error_response</span><span class="p">(</span><span class="n">error</span><span class="p">.</span><span class="n">message</span><span class="p">,</span> <span class="n">error</span><span class="p">.</span><span class="n">status_code</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="nf">make_response</span><span class="p">(</span><span class="nf">success_response</span><span class="p">(</span><span class="n">result</span><span class="p">.</span><span class="n">user_data</span><span class="p">))</span> <span class="n">response</span><span class="p">.</span><span class="nf">set_cookie</span><span class="p">(</span><span class="sh">'</span><span class="s">refresh_token</span><span class="sh">'</span><span class="p">,</span> <span class="n">result</span><span class="p">.</span><span class="n">refresh_token</span><span class="p">,</span> <span class="p">...)</span> <span class="k">return</span> <span class="n">response</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app/services/auth_service.py </span><span class="k">def</span> <span class="nf">register_user</span><span class="p">(</span><span class="n">email</span><span class="p">,</span> <span class="n">password</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Pure business logic. No HTTP. No Flask request/response.</span><span class="sh">"""</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">email</span> <span class="ow">or</span> <span class="ow">not</span> <span class="n">password</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span><span class="p">,</span> <span class="nc">ServiceError</span><span class="p">(</span><span class="sh">'</span><span class="s">Missing fields</span><span class="sh">'</span><span class="p">,</span> <span class="mi">400</span><span class="p">)</span> <span class="n">existing</span> <span class="o">=</span> <span class="n">User</span><span class="p">.</span><span class="n">query</span><span class="p">.</span><span class="nf">filter_by</span><span class="p">(</span><span class="n">email</span><span class="o">=</span><span class="n">email</span><span class="p">).</span><span class="nf">first</span><span class="p">()</span> <span class="k">if</span> <span class="n">existing</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span><span class="p">,</span> <span class="nc">ServiceError</span><span class="p">(</span><span class="sh">'</span><span class="s">Email already registered</span><span class="sh">'</span><span class="p">,</span> <span class="mi">409</span><span class="p">)</span> <span class="n">user</span> <span class="o">=</span> <span class="nc">User</span><span class="p">(</span><span class="n">email</span><span class="o">=</span><span class="n">email</span><span class="p">)</span> <span class="n">user</span><span class="p">.</span><span class="nf">set_password</span><span class="p">(</span><span class="n">password</span><span class="p">)</span> <span class="n">db</span><span class="p">.</span><span class="n">session</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="n">db</span><span class="p">.</span><span class="n">session</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">tokens</span> <span class="o">=</span> <span class="nf">generate_tokens</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="nb">id</span><span class="p">)</span> <span class="n">email_service</span><span class="p">.</span><span class="nf">send_welcome</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="n">email</span><span class="p">)</span> <span class="k">return</span> <span class="nc">AuthResult</span><span class="p">(</span><span class="n">user</span><span class="o">=</span><span class="n">user</span><span class="p">,</span> <span class="n">tokens</span><span class="o">=</span><span class="n">tokens</span><span class="p">),</span> <span class="bp">None</span> </code></pre> </div> <p>The difference:</p> <ul> <li> <strong>Routes</strong> handle HTTP concerns only: parsing requests, setting cookies, returning responses.</li> <li> <strong>Services</strong> handle business logic: validation, database operations, calling other services.</li> <li> <strong>Services are testable without HTTP.</strong> You can test <code>register_user()</code> without mocking Flask requests.</li> <li> <strong>Services are reusable.</strong> The same <code>register_user()</code> works whether called from a REST endpoint, a CLI command, or a background job.</li> </ul> <h3> Structuring the Stripe service </h3> <p>Stripe integration is where clean architecture pays off the most. Every Stripe interaction goes through one service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app/services/stripe_service.py </span><span class="kn">import</span> <span class="n">stripe</span> <span class="kn">import</span> <span class="n">os</span> <span class="n">stripe</span><span class="p">.</span><span class="n">api_key</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">STRIPE_SECRET_KEY</span><span class="sh">'</span><span class="p">)</span> <span class="k">class</span> <span class="nc">StripeService</span><span class="p">:</span> <span class="nd">@staticmethod</span> <span class="k">def</span> <span class="nf">create_checkout_session</span><span class="p">(</span><span class="n">user</span><span class="p">,</span> <span class="n">price_id</span><span class="p">,</span> <span class="n">success_url</span><span class="p">,</span> <span class="n">cancel_url</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Create a Stripe checkout session.</span><span class="sh">"""</span> <span class="k">return</span> <span class="n">stripe</span><span class="p">.</span><span class="n">checkout</span><span class="p">.</span><span class="n">Session</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span> <span class="n">customer_email</span><span class="o">=</span><span class="n">user</span><span class="p">.</span><span class="n">email</span><span class="p">,</span> <span class="n">payment_method_types</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">card</span><span class="sh">'</span><span class="p">],</span> <span class="n">line_items</span><span class="o">=</span><span class="p">[{</span><span class="sh">'</span><span class="s">price</span><span class="sh">'</span><span class="p">:</span> <span class="n">price_id</span><span class="p">,</span> <span class="sh">'</span><span class="s">quantity</span><span class="sh">'</span><span class="p">:</span> <span class="mi">1</span><span class="p">}],</span> <span class="n">mode</span><span class="o">=</span><span class="sh">'</span><span class="s">subscription</span><span class="sh">'</span><span class="p">,</span> <span class="n">success_url</span><span class="o">=</span><span class="n">success_url</span><span class="p">,</span> <span class="n">cancel_url</span><span class="o">=</span><span class="n">cancel_url</span><span class="p">,</span> <span class="n">metadata</span><span class="o">=</span><span class="p">{</span><span class="sh">'</span><span class="s">user_id</span><span class="sh">'</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="nb">id</span><span class="p">)}</span> <span class="p">)</span> <span class="nd">@staticmethod</span> <span class="k">def</span> <span class="nf">cancel_subscription</span><span class="p">(</span><span class="n">subscription_id</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Cancel a Stripe subscription.</span><span class="sh">"""</span> <span class="k">return</span> <span class="n">stripe</span><span class="p">.</span><span class="n">Subscription</span><span class="p">.</span><span class="nf">modify</span><span class="p">(</span> <span class="n">subscription_id</span><span class="p">,</span> <span class="n">cancel_at_period_end</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="nd">@staticmethod</span> <span class="k">def</span> <span class="nf">verify_webhook</span><span class="p">(</span><span class="n">payload</span><span class="p">,</span> <span class="n">sig_header</span><span class="p">,</span> <span class="n">webhook_secret</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Verify and construct a webhook event.</span><span class="sh">"""</span> <span class="k">return</span> <span class="n">stripe</span><span class="p">.</span><span class="n">Webhook</span><span class="p">.</span><span class="nf">construct_event</span><span class="p">(</span> <span class="n">payload</span><span class="p">,</span> <span class="n">sig_header</span><span class="p">,</span> <span class="n">webhook_secret</span> <span class="p">)</span> </code></pre> </div> <p>Now your webhook route is clean:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app/routes/webhooks.py </span><span class="nd">@webhooks_bp.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/api/webhooks/stripe</span><span class="sh">'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">])</span> <span class="k">def</span> <span class="nf">stripe_webhook</span><span class="p">():</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">data</span> <span class="n">sig_header</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">Stripe-Signature</span><span class="sh">'</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">event</span> <span class="o">=</span> <span class="n">stripe_service</span><span class="p">.</span><span class="nf">verify_webhook</span><span class="p">(</span> <span class="n">payload</span><span class="p">,</span> <span class="n">sig_header</span><span class="p">,</span> <span class="n">current_app</span><span class="p">.</span><span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">STRIPE_WEBHOOK_SECRET</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="k">return</span> <span class="nf">error_response</span><span class="p">(</span><span class="sh">'</span><span class="s">Invalid signature</span><span class="sh">'</span><span class="p">,</span> <span class="mi">400</span><span class="p">)</span> <span class="n">handlers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">checkout.session.completed</span><span class="sh">'</span><span class="p">:</span> <span class="n">handle_checkout</span><span class="p">,</span> <span class="sh">'</span><span class="s">customer.subscription.deleted</span><span class="sh">'</span><span class="p">:</span> <span class="n">handle_cancellation</span><span class="p">,</span> <span class="sh">'</span><span class="s">invoice.payment_failed</span><span class="sh">'</span><span class="p">:</span> <span class="n">handle_payment_failed</span><span class="p">,</span> <span class="p">}</span> <span class="n">handler</span> <span class="o">=</span> <span class="n">handlers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">type</span><span class="sh">'</span><span class="p">])</span> <span class="k">if</span> <span class="n">handler</span><span class="p">:</span> <span class="nf">handler</span><span class="p">(</span><span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">data</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">object</span><span class="sh">'</span><span class="p">])</span> <span class="k">return</span> <span class="nf">success_response</span><span class="p">({</span><span class="sh">'</span><span class="s">received</span><span class="sh">'</span><span class="p">:</span> <span class="bp">True</span><span class="p">})</span> </code></pre> </div> <p>For the full implementation of JWT authentication, Stripe webhook verification, and CORS configuration that goes inside this structure, see the companion guide: <a href="https://dev.to/blog/flask-jwt-authentication-stripe-webhooks-cors-guide">Flask JWT Authentication, Stripe Webhooks &amp; CORS: The Complete Python SaaS Guide</a>.</p> <h2> What Most Tutorials Get Wrong </h2> <h3> Putting everything in <code>__init__.py</code> </h3> <p>The application factory should create the app and register extensions. It should not contain routes, models, or business logic. If your <code>__init__.py</code> is more than 40 lines, you're doing too much there.</p> <h3> Using a single <code>models.py</code> </h3> <p>One file works until you have User, Subscription, Invoice, PasswordReset, OAuthToken, and AuditLog models. Split models by domain. Import them all in <code>models/__init__.py</code> so Alembic can detect them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app/models/__init__.py </span><span class="kn">from</span> <span class="n">app.models.user</span> <span class="kn">import</span> <span class="n">User</span> <span class="kn">from</span> <span class="n">app.models.subscription</span> <span class="kn">import</span> <span class="n">Subscription</span> <span class="c1"># Alembic needs all models imported to detect schema changes </span><span class="n">__all__</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">User</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Subscription</span><span class="sh">'</span><span class="p">]</span> </code></pre> </div> <h3> Skipping the schema layer </h3> <p>Without input validation, your services accept anything and fail unpredictably. Schemas validate incoming data before it touches business logic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app/schemas/auth.py </span><span class="kn">from</span> <span class="n">dataclasses</span> <span class="kn">import</span> <span class="n">dataclass</span> <span class="nd">@dataclass</span> <span class="k">class</span> <span class="nc">RegisterInput</span><span class="p">:</span> <span class="n">email</span><span class="p">:</span> <span class="nb">str</span> <span class="n">password</span><span class="p">:</span> <span class="nb">str</span> <span class="k">def</span> <span class="nf">validate</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">errors</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">self</span><span class="p">.</span><span class="n">email</span> <span class="ow">or</span> <span class="sh">'</span><span class="s">@</span><span class="sh">'</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">email</span><span class="p">:</span> <span class="n">errors</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="sh">'</span><span class="s">Valid email required</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">self</span><span class="p">.</span><span class="n">password</span> <span class="ow">or</span> <span class="nf">len</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">password</span><span class="p">)</span> <span class="o">&lt;</span> <span class="mi">8</span><span class="p">:</span> <span class="n">errors</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="sh">'</span><span class="s">Password must be at least 8 characters</span><span class="sh">'</span><span class="p">)</span> <span class="k">return</span> <span class="n">errors</span> </code></pre> </div> <h3> Hardcoding environment values </h3> <p>Every config value that changes between environments belongs in an environment variable. No exceptions. Not the database URL. Not the Stripe key. Not the CORS origins. Not the JWT secret. If it's hardcoded, it will break when you deploy.</p> <h2> Scaling Considerations </h2> <h3> Scaling to a team </h3> <p>This structure makes onboarding straightforward. A new developer needs to understand:</p> <ul> <li>Routes handle HTTP only</li> <li>Services handle business logic</li> <li>Models handle data</li> <li>Config handles environment</li> </ul> <p>They can work on <code>payments.py</code> without understanding <code>oauth.py</code>. They can modify <code>stripe_service.py</code> without touching any route handler. Merge conflicts drop dramatically because concerns live in separate files.</p> <h3> Scaling to features </h3> <p>Adding a new feature follows a predictable pattern:</p> <ol> <li>Create model in <code>models/</code> </li> <li>Create service in <code>services/</code> </li> <li>Create routes in <code>routes/</code> </li> <li>Add schema in <code>schemas/</code> if needed</li> <li>Register blueprint in <code>routes/__init__.py</code> </li> </ol> <p>Every feature follows the same pattern. No guessing where code should live.</p> <h3> Scaling to integrations </h3> <p>SaaS applications accumulate integrations: Stripe, email providers, analytics, background jobs. Each integration gets its own service. The service layer acts as an adapter — if you switch from SendGrid to Resend, you change one file. No routes touched.</p> <h3> Scaling to 10,000+ users </h3> <p>At this scale, the structure itself doesn't change. What changes is infrastructure:</p> <ul> <li> <strong>Database:</strong> Move from SQLite to PostgreSQL (config change only — same SQLAlchemy models)</li> <li> <strong>Caching:</strong> Add Redis for session storage and frequently accessed data</li> <li> <strong>Background jobs:</strong> Add Celery for email sending and heavy processing</li> <li> <strong>Monitoring:</strong> Add structured logging in the service layer</li> </ul> <p>The architecture supports all of this because concerns are already separated. Adding Redis caching to <code>user_service.py</code> doesn't require touching any routes.</p> <h2> Integrating Cleanly with a Next.js Frontend </h2> <p>A Flask SaaS backend paired with Next.js has a specific communication pattern. The structure supports it by design:</p> <p><strong>All routes return JSON.</strong> There are no templates, no server-rendered HTML. The <code>routes/</code> directory is purely an API layer. Every response follows a consistent shape:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app/utils/responses.py </span><span class="k">def</span> <span class="nf">success_response</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">200</span><span class="p">):</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span> <span class="sh">'</span><span class="s">status</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">success</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">data</span><span class="sh">'</span><span class="p">:</span> <span class="n">data</span> <span class="p">}),</span> <span class="n">status_code</span> <span class="k">def</span> <span class="nf">error_response</span><span class="p">(</span><span class="n">message</span><span class="p">,</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">400</span><span class="p">):</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span> <span class="sh">'</span><span class="s">status</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">message</span><span class="sh">'</span><span class="p">:</span> <span class="n">message</span><span class="p">}</span> <span class="p">}),</span> <span class="n">status_code</span> </code></pre> </div> <p><strong>CORS is configured once, globally.</strong> In <code>extensions.py</code> and initialized in the factory. Not scattered across individual routes.</p> <p><strong>Authentication flows through middleware.</strong> The <code>auth_middleware.py</code> decorator verifies JWT tokens. Routes that need protection simply add the decorator. The frontend sends tokens in the Authorization header. Refresh tokens travel via httpOnly cookies.</p> <p><strong>Webhooks bypass auth middleware.</strong> Stripe webhooks come from Stripe's servers, not from your frontend. The <code>webhooks.py</code> blueprint doesn't use JWT verification — it uses Stripe signature verification instead. Keeping webhooks in a separate blueprint makes this natural.</p> <p>This clean separation means your Next.js frontend can be developed independently. It talks to a documented JSON API. It doesn't depend on Flask internals, template rendering, or server-side state. You can replace the frontend entirely without touching the backend.</p> <h2> From Architecture to Execution </h2> <p>Good project structure is a force multiplier. It doesn't write your code for you, but it ensures that every line of code you write has a clear place to live, a clear responsibility, and a clear path to scale.</p> <p>The structure in this guide has been tested across real SaaS applications — from first commit to production deployment to paying users. It handles authentication, payments, webhooks, email, and multi-environment configuration without becoming a maze of interdependent files.</p> <p>If you're starting a Flask SaaS project today, adopt this structure from the beginning. Migrating a messy codebase into clean architecture is ten times harder than starting clean.</p> <p>And if you'd rather skip the setup entirely and start with this architecture already built — with JWT authentication, Google and GitHub OAuth, Stripe payments, email system, and admin dashboard all wired together and production-ready — that's exactly what <a href="https://dev.to/">LaunchStack</a> is.</p> <p><a href="https://dev.to/">Launching February 24 on Product Hunt</a>. Early bird at $99.</p> <p>The architecture is the easy part to explain. The hard part is building everything inside it correctly. That's the part that takes weeks.</p> flask python webdev tutorial Launchstack310 Mon, 16 Feb 2026 08:59:50 +0000 https://forem.com/launchstack310/i-wasted-3-weeks-on-flask-auth-before-writing-a-single-feature-heres-the-production-ready-setup-268f https://forem.com/launchstack310/i-wasted-3-weeks-on-flask-auth-before-writing-a-single-feature-heres-the-production-ready-setup-268f <p>I'm a Python dev building a SaaS.</p> <p>Here's what my first month actually looked like:</p> <ul> <li> <strong>Week 1:</strong> JWT auth. Errors I didn't understand.</li> <li> <strong>Week 2:</strong> OAuth loops at 2AM.</li> <li> <strong>Week 3:</strong> Stripe webhooks failing in production.</li> <li> <strong>Month 1:</strong> Still no real feature shipped.</li> </ul> <p>The idea wasn't bad. I was stuck in setup hell.</p> <p>Most tutorials show "how to make it work" — not how to make it <strong>production-safe</strong>. So I documented everything that broke, every edge case, every mistake.</p> <p>Here's the exact production-ready code I ended up with.</p> <h2> The Infrastructure Trap Nobody Warns You About </h2> <p>Flask is minimal by design. That's its strength — and the trap.</p> <p>With Django, you get auth, admin, and ORM out of the box. With Flask, you build everything from scratch. For a learning project, that's valuable. For a SaaS you're trying to ship, it means weeks of setup before you write a single line of your actual product.</p> <p>What "setup hell" actually costs you:</p> <ul> <li> <strong>Week 1-2:</strong> JWT authentication (with OAuth it's 3 weeks)</li> <li> <strong>Week 3:</strong> Stripe integration + webhook verification</li> <li> <strong>Week 4:</strong> CORS, deployment, environment variables</li> <li> <strong>Week 5+:</strong> The idea has lost momentum. Most projects stop here.</li> </ul> <h2> Flask JWT Authentication — Production-Ready </h2> <p>Most tutorials give you a single JWT that expires in 7 days. That's a security hole in production.</p> <p><strong>The correct pattern:</strong></p> <ul> <li> <strong>Access token:</strong> Short-lived (15 minutes). Stored in memory on the client. Used for every API request.</li> <li> <strong>Refresh token:</strong> Long-lived (7-30 days). Stored in an httpOnly cookie. Used only to get new access tokens.</li> </ul> <p>If an access token is stolen, it expires in 15 minutes. The refresh token is never accessible to JavaScript, so XSS attacks can't steal it.</p> <h3> Complete JWT implementation </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># auth.py </span><span class="kn">import</span> <span class="n">jwt</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="kn">from</span> <span class="n">functools</span> <span class="kn">import</span> <span class="n">wraps</span> <span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">request</span><span class="p">,</span> <span class="n">jsonify</span><span class="p">,</span> <span class="n">make_response</span> <span class="kn">from</span> <span class="n">models</span> <span class="kn">import</span> <span class="n">User</span> <span class="n">SECRET_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">JWT_SECRET_KEY</span><span class="sh">'</span><span class="p">)</span> <span class="n">ACCESS_TOKEN_EXPIRY</span> <span class="o">=</span> <span class="mi">15</span> <span class="c1"># minutes </span><span class="n">REFRESH_TOKEN_EXPIRY</span> <span class="o">=</span> <span class="mi">30</span> <span class="c1"># days </span> <span class="k">def</span> <span class="nf">generate_tokens</span><span class="p">(</span><span class="n">user_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="n">access_payload</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">user_id</span><span class="sh">'</span><span class="p">:</span> <span class="n">user_id</span><span class="p">,</span> <span class="sh">'</span><span class="s">exp</span><span class="sh">'</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()</span> <span class="o">+</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">timedelta</span><span class="p">(</span><span class="n">minutes</span><span class="o">=</span><span class="n">ACCESS_TOKEN_EXPIRY</span><span class="p">),</span> <span class="sh">'</span><span class="s">iat</span><span class="sh">'</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">(),</span> <span class="sh">'</span><span class="s">type</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">access</span><span class="sh">'</span> <span class="p">}</span> <span class="n">refresh_payload</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">user_id</span><span class="sh">'</span><span class="p">:</span> <span class="n">user_id</span><span class="p">,</span> <span class="sh">'</span><span class="s">exp</span><span class="sh">'</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()</span> <span class="o">+</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">timedelta</span><span class="p">(</span><span class="n">days</span><span class="o">=</span><span class="n">REFRESH_TOKEN_EXPIRY</span><span class="p">),</span> <span class="sh">'</span><span class="s">iat</span><span class="sh">'</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">(),</span> <span class="sh">'</span><span class="s">type</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">refresh</span><span class="sh">'</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">access_token</span><span class="sh">'</span><span class="p">:</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="n">access_payload</span><span class="p">,</span> <span class="n">SECRET_KEY</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">'</span><span class="s">HS256</span><span class="sh">'</span><span class="p">),</span> <span class="sh">'</span><span class="s">refresh_token</span><span class="sh">'</span><span class="p">:</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="n">refresh_payload</span><span class="p">,</span> <span class="n">SECRET_KEY</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">'</span><span class="s">HS256</span><span class="sh">'</span><span class="p">)</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">require_auth</span><span class="p">(</span><span class="n">f</span><span class="p">):</span> <span class="nd">@wraps</span><span class="p">(</span><span class="n">f</span><span class="p">)</span> <span class="k">def</span> <span class="nf">decorated</span><span class="p">(</span><span class="o">*</span><span class="n">args</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span> <span class="n">auth_header</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">Authorization</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">auth_header</span> <span class="ow">or</span> <span class="ow">not</span> <span class="n">auth_header</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">'</span><span class="s">Bearer </span><span class="sh">'</span><span class="p">):</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Missing authorization header</span><span class="sh">'</span><span class="p">}),</span> <span class="mi">401</span> <span class="n">token</span> <span class="o">=</span> <span class="n">auth_header</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="s"> </span><span class="sh">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span> <span class="k">try</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">SECRET_KEY</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">HS256</span><span class="sh">'</span><span class="p">])</span> <span class="k">if</span> <span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">type</span><span class="sh">'</span><span class="p">)</span> <span class="o">!=</span> <span class="sh">'</span><span class="s">access</span><span class="sh">'</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Invalid token type</span><span class="sh">'</span><span class="p">}),</span> <span class="mi">401</span> <span class="n">request</span><span class="p">.</span><span class="n">user_id</span> <span class="o">=</span> <span class="n">payload</span><span class="p">[</span><span class="sh">'</span><span class="s">user_id</span><span class="sh">'</span><span class="p">]</span> <span class="k">except</span> <span class="n">jwt</span><span class="p">.</span><span class="n">ExpiredSignatureError</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Token expired</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">code</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">TOKEN_EXPIRED</span><span class="sh">'</span><span class="p">}),</span> <span class="mi">401</span> <span class="k">except</span> <span class="n">jwt</span><span class="p">.</span><span class="n">InvalidTokenError</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Invalid token</span><span class="sh">'</span><span class="p">}),</span> <span class="mi">401</span> <span class="k">return</span> <span class="nf">f</span><span class="p">(</span><span class="o">*</span><span class="n">args</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="k">return</span> <span class="n">decorated</span> </code></pre> </div> <h3> Login endpoint with refresh token in httpOnly cookie </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/api/auth/login</span><span class="sh">'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">])</span> <span class="k">def</span> <span class="nf">login</span><span class="p">():</span> <span class="n">data</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="nf">get_json</span><span class="p">()</span> <span class="n">user</span> <span class="o">=</span> <span class="n">User</span><span class="p">.</span><span class="n">query</span><span class="p">.</span><span class="nf">filter_by</span><span class="p">(</span><span class="n">email</span><span class="o">=</span><span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">]).</span><span class="nf">first</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">user</span> <span class="ow">or</span> <span class="ow">not</span> <span class="n">user</span><span class="p">.</span><span class="nf">check_password</span><span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">password</span><span class="sh">'</span><span class="p">]):</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Invalid credentials</span><span class="sh">'</span><span class="p">}),</span> <span class="mi">401</span> <span class="n">tokens</span> <span class="o">=</span> <span class="nf">generate_tokens</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="nb">id</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="nf">make_response</span><span class="p">(</span><span class="nf">jsonify</span><span class="p">({</span> <span class="sh">'</span><span class="s">access_token</span><span class="sh">'</span><span class="p">:</span> <span class="n">tokens</span><span class="p">[</span><span class="sh">'</span><span class="s">access_token</span><span class="sh">'</span><span class="p">],</span> <span class="sh">'</span><span class="s">user</span><span class="sh">'</span><span class="p">:</span> <span class="n">user</span><span class="p">.</span><span class="nf">to_dict</span><span class="p">()</span> <span class="p">}))</span> <span class="n">response</span><span class="p">.</span><span class="nf">set_cookie</span><span class="p">(</span> <span class="sh">'</span><span class="s">refresh_token</span><span class="sh">'</span><span class="p">,</span> <span class="n">tokens</span><span class="p">[</span><span class="sh">'</span><span class="s">refresh_token</span><span class="sh">'</span><span class="p">],</span> <span class="n">httponly</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">secure</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">samesite</span><span class="o">=</span><span class="sh">'</span><span class="s">Lax</span><span class="sh">'</span><span class="p">,</span> <span class="n">max_age</span><span class="o">=</span><span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">24</span> <span class="o">*</span> <span class="mi">30</span> <span class="p">)</span> <span class="k">return</span> <span class="n">response</span> </code></pre> </div> <h3> Common JWT errors and exact fixes </h3> <p><strong><code>DecodeError: Not enough segments</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ❌ Wrong — includes "Bearer " prefix </span><span class="n">token</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">Authorization</span><span class="sh">'</span><span class="p">)</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">SECRET_KEY</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">HS256</span><span class="sh">'</span><span class="p">])</span> <span class="c1"># ✅ Correct — split and take the token part </span><span class="n">auth_header</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">Authorization</span><span class="sh">'</span><span class="p">)</span> <span class="n">token</span> <span class="o">=</span> <span class="n">auth_header</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="s"> </span><span class="sh">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span> </code></pre> </div> <p><strong><code>InvalidSignatureError</code></strong></p> <p>Your SECRET_KEY is different between environments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ❌ Wrong — changes on every restart </span><span class="n">SECRET_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">urandom</span><span class="p">(</span><span class="mi">32</span><span class="p">)</span> <span class="c1"># ✅ Correct — consistent across restarts </span><span class="n">SECRET_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">JWT_SECRET_KEY</span><span class="sh">'</span><span class="p">)</span> </code></pre> </div> <p><strong>Token works locally, fails in production</strong></p> <p>Always use <code>utcnow()</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ✅ Always use utcnow(), never datetime.now() </span><span class="sh">'</span><span class="s">exp</span><span class="sh">'</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()</span> <span class="o">+</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">timedelta</span><span class="p">(</span><span class="n">minutes</span><span class="o">=</span><span class="mi">15</span><span class="p">)</span> </code></pre> </div> <h2> Stripe Webhooks — Why Yours Are Failing </h2> <p>Stripe signs every webhook with your endpoint's signing secret. To verify it, you need the <strong>raw request body</strong> — not the parsed JSON.</p> <p>This is where most developers break it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ❌ Wrong — body already parsed, signature will never match </span><span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/api/webhooks/stripe</span><span class="sh">'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">])</span> <span class="k">def</span> <span class="nf">stripe_webhook</span><span class="p">():</span> <span class="n">data</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="nf">get_json</span><span class="p">()</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="n">sig_header</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">Stripe-Signature</span><span class="sh">'</span><span class="p">)</span> <span class="n">event</span> <span class="o">=</span> <span class="n">stripe</span><span class="p">.</span><span class="n">Webhook</span><span class="p">.</span><span class="nf">construct_event</span><span class="p">(</span><span class="n">payload</span><span class="p">,</span> <span class="n">sig_header</span><span class="p">,</span> <span class="n">WEBHOOK_SECRET</span><span class="p">)</span> <span class="c1"># ✅ Correct — raw bytes, never parse first </span><span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/api/webhooks/stripe</span><span class="sh">'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">])</span> <span class="k">def</span> <span class="nf">stripe_webhook</span><span class="p">():</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">data</span> <span class="c1"># Raw bytes </span> <span class="n">sig_header</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">Stripe-Signature</span><span class="sh">'</span><span class="p">)</span> <span class="n">event</span> <span class="o">=</span> <span class="n">stripe</span><span class="p">.</span><span class="n">Webhook</span><span class="p">.</span><span class="nf">construct_event</span><span class="p">(</span><span class="n">payload</span><span class="p">,</span> <span class="n">sig_header</span><span class="p">,</span> <span class="n">WEBHOOK_SECRET</span><span class="p">)</span> </code></pre> </div> <h3> Production webhook handler </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/api/webhooks/stripe</span><span class="sh">'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">])</span> <span class="k">def</span> <span class="nf">stripe_webhook</span><span class="p">():</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">data</span> <span class="n">sig_header</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">Stripe-Signature</span><span class="sh">'</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">event</span> <span class="o">=</span> <span class="n">stripe</span><span class="p">.</span><span class="n">Webhook</span><span class="p">.</span><span class="nf">construct_event</span><span class="p">(</span> <span class="n">payload</span><span class="p">,</span> <span class="n">sig_header</span><span class="p">,</span> <span class="n">WEBHOOK_SECRET</span> <span class="p">)</span> <span class="k">except</span> <span class="nb">ValueError</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Invalid payload</span><span class="sh">'</span><span class="p">}),</span> <span class="mi">400</span> <span class="k">except</span> <span class="n">stripe</span><span class="p">.</span><span class="n">error</span><span class="p">.</span><span class="n">SignatureVerificationError</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Invalid signature</span><span class="sh">'</span><span class="p">}),</span> <span class="mi">400</span> <span class="n">event_type</span> <span class="o">=</span> <span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">type</span><span class="sh">'</span><span class="p">]</span> <span class="k">if</span> <span class="n">event_type</span> <span class="o">==</span> <span class="sh">'</span><span class="s">checkout.session.completed</span><span class="sh">'</span><span class="p">:</span> <span class="nf">handle_checkout_completed</span><span class="p">(</span><span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">data</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">object</span><span class="sh">'</span><span class="p">])</span> <span class="k">elif</span> <span class="n">event_type</span> <span class="o">==</span> <span class="sh">'</span><span class="s">customer.subscription.deleted</span><span class="sh">'</span><span class="p">:</span> <span class="nf">handle_subscription_cancelled</span><span class="p">(</span><span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">data</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">object</span><span class="sh">'</span><span class="p">])</span> <span class="k">elif</span> <span class="n">event_type</span> <span class="o">==</span> <span class="sh">'</span><span class="s">invoice.payment_failed</span><span class="sh">'</span><span class="p">:</span> <span class="nf">handle_payment_failed</span><span class="p">(</span><span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">data</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">object</span><span class="sh">'</span><span class="p">])</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">'</span><span class="s">status</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">ok</span><span class="sh">'</span><span class="p">}),</span> <span class="mi">200</span> </code></pre> </div> <h3> Testing locally with Stripe CLI </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Forward webhooks to your local Flask server</span> stripe listen <span class="nt">--forward-to</span> localhost:5001/api/webhooks/stripe <span class="c"># Trigger a test event</span> stripe trigger checkout.session.completed </code></pre> </div> <h2> CORS — Why It Works Locally But Breaks in Production </h2> <p>Locally, browsers are lenient with localhost. In production with HTTPS, CORS becomes strict. Any request with credentials requires explicit <code>Access-Control-Allow-Credentials: true</code> AND a specific origin (wildcards won't work).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ❌ Wrong — wildcard won't work with credentials </span><span class="nc">CORS</span><span class="p">(</span><span class="n">app</span><span class="p">,</span> <span class="n">origins</span><span class="o">=</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># ✅ Correct — explicit origins with credentials </span><span class="kn">from</span> <span class="n">flask_cors</span> <span class="kn">import</span> <span class="n">CORS</span> <span class="n">ALLOWED_ORIGINS</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">"</span><span class="s">http://localhost:3000</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">https://yourdomain.com</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">https://www.yourdomain.com</span><span class="sh">"</span><span class="p">,</span> <span class="p">]</span> <span class="nc">CORS</span><span class="p">(</span><span class="n">app</span><span class="p">,</span> <span class="n">origins</span><span class="o">=</span><span class="n">ALLOWED_ORIGINS</span><span class="p">,</span> <span class="n">supports_credentials</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">allow_headers</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">Content-Type</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">],</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">PUT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">DELETE</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">OPTIONS</span><span class="sh">"</span><span class="p">]</span> <span class="p">)</span> </code></pre> </div> <p>On the Next.js side:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">API_URL</span><span class="p">}</span><span class="s2">/api/endpoint`</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">GET</span><span class="dl">'</span><span class="p">,</span> <span class="na">credentials</span><span class="p">:</span> <span class="dl">'</span><span class="s1">include</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Authorization</span><span class="dl">'</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">accessToken</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">})</span> </code></pre> </div> <h2> The Real Cost </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>Without boilerplate</th> <th>With production-ready base</th> </tr> </thead> <tbody> <tr> <td>Time to first feature</td> <td>4-8 weeks</td> <td>Day 1</td> </tr> <tr> <td>JWT auth</td> <td>Build from scratch</td> <td>Already done</td> </tr> <tr> <td>Stripe webhooks</td> <td>Signature errors, retry loops</td> <td>Production-ready</td> </tr> <tr> <td>CORS</td> <td>Breaks in production</td> <td>Configured</td> </tr> <tr> <td>OAuth</td> <td>1-2 weeks per provider</td> <td>Included</td> </tr> </tbody> </table></div> <p>The cost isn't just time. It's momentum. Every week on infrastructure is a week you're not validating your idea.</p> <h2> You Can Build All This Yourself. Or You Can Ship Faster. </h2> <p>Everything in this guide is buildable. The code is here. The patterns are solid.</p> <p>But you'll spend those days debugging instead of building your product.</p> <p>That's why I built <a href="https://launchstack.space" rel="noopener noreferrer">LaunchStack</a> — a Next.js + Flask boilerplate that ships with all of this pre-configured. JWT auth with refresh tokens, Stripe webhooks, CORS, Google &amp; GitHub OAuth, email system, admin dashboard.</p> <p>Everything in this article, already working on day one.</p> <p><strong>Launching February 24. Early bird at $99.</strong></p> <p>👉 <a href="https://launchstack.space" rel="noopener noreferrer">launchstack.space</a></p> <p><em>Have questions about any of the code above? Drop a comment — I'll answer everything.</em></p> python flask webdev tutorial