Launch

Production launch checklist

The short operational runbook for getting Slotly safely from built to ready.

Automated smoke

Run the public production checks before and after deploys.

External consoles

OAuth and email verification still happen outside the app.

Manual QA

Authenticated user flows need one real admin account pass.

Coming Soon after mobile app

These items stay documented, but they are parked until the iOS and Android foundation is complete.

  • Microsoft Outlook OAuth and guest Outlook overlays
  • Zoom OAuth and automatic Zoom meeting creation
  • Production authenticated smoke account and API key
  • Custom domain automation
  • Stripe paid bookings and connected payouts
  • Twilio SMS reminders
  • Upstash durable rate limiting

Preflight order

Work through these in order when preparing a production release. Each step has a concrete signal so the launch state is easy to verify.

1. Confirm deploy target

Use GitHub push for production deploys so Vercel's ignoreCommand can skip non-runtime changes and control On-Demand Build spend. After pushing, npm run smoke:deploy waits for the live commit before running smoke.

Done when

The latest runtime commit is on origin/main and the Vercel deployment is tied to that commit.

2. Verify external consoles

Run npm run oauth:redirects, npm run vercel:env:audit, and npm run launch:env, then confirm the active Google redirects before testing Google integrations. Microsoft, Zoom, and custom-domain automation are Coming Soon after the mobile app.

Done when

npm run oauth:redirects matches the Google console, and npm run vercel:env:audit plus npm run launch:env have no required failures.

3. Prove email delivery

Verify the Resend sender domain with npm run resend:domain, run npm run email:delivery for the checklist, review Settings > Email delivery readiness, then send a Settings email test and one real booking confirmation.

Done when

npm run resend:domain passes, Settings shows Email delivery readiness as Ready, and both messages appear as delivered in Resend logs from the verified sender.

4. Run smoke checks

Run public smoke after every deploy. Set SLOTLY_EXPECTED_COMMIT when you want smoke to confirm production is serving the intended Git commit.

Done when

npm run smoke:prod passes and /api/status reports the expected commit.

5. Run the launch gate

After Vercel env is pulled locally, run npm run launch:ready to execute the current automated readiness gate in order.

Done when

npm run launch:ready passes, then the manual admin/provider-console confirmations are complete.

6. Finish human QA

Use Settings > Launch QA checklist with one admin account to walk the actual product: create a link, book it, make a team event, and inspect Dashboard, Bookings, and Teams. Run npm run launch:qa for the matching runbook.

Done when

The Settings launch QA checklist is complete and the same meeting data appears consistently on all logged-in calendar surfaces.

Automated production smoke

Run npm run smoke:deploy after a GitHub push to wait for the new commit and then run public smoke. To run smoke immediately, use npm run smoke:prod. To test another deployment, pass a URL: npm run smoke:prod -- https://example.vercel.app.

  • Landing, login, pricing, docs, and status pages return HTML.
  • OpenAPI JSON returns version 3.1.0 and includes booking endpoints.
  • Guest calendar busy endpoint rejects unauthenticated requests.
  • Settings email test endpoint rejects unauthenticated requests.
  • Google guest OAuth endpoint redirects or reports missing config.
  • Host Google OAuth endpoint redirects unauthenticated users to login.
  • Launch env check reports missing required production, email, and active OAuth variables.
  • Deferred items are listed as Coming Soon after the mobile app instead of failing the current launch gate.

Full automated launch gate

Pull production environment values locally, then run one command to execute the automated release gate in order. It runs redirect output, Vercel env audit, launch env validation, Resend domain verification, and public smoke. Authenticated smoke is Coming Soon after the mobile app.

When the gate reports a required missing value, add it in Vercel, pull production env locally, push a normal Git commit so Vercel rebuilds, and rerun the gate.

vercel env pull .env.local && npm run launch:ready

Vercel project automation: Coming Soon

Custom-domain automation needs the Slotly Vercel project ID, team ID, and a scoped Vercel API token. We will tackle this after the mobile app; npm run vercel:project-env remains as the setup helper for that later pass.

Email delivery verification

Resend DNS can be verified automatically, but inbox delivery still needs one admin pass. Run npm run email:delivery, send the Settings test email, book one real test meeting, and confirm both messages show as delivered in Resend logs.

Admin launch QA

The Settings page includes the interactive Launch QA checklist. Run npm run launch:qa for the same six production flows with pass criteria, then mark each item complete in Settings.

Google OAuth console

Keep Google verification deferred until after mobile app work, but make sure the redirect list is ready. Run npm run oauth:redirects for the production checklist.

  • https://getslotly.io/auth/callback
  • https://getslotly.io/api/integrations/google/callback
  • https://getslotly.io/api/guest-calendar/google/callback

Microsoft OAuth console

Coming Soon after the mobile app. Keep these redirects documented so the Azure setup is ready when we resume Outlook work.

  • https://getslotly.io/api/integrations/outlook/callback
  • https://getslotly.io/api/guest-calendar/outlook/callback

Resend sender domain

Verify the sender domain in Resend, make sure Vercel has RESEND_API_KEY and RESEND_FROM, then run vercel env pull .env.local and npm run resend:domain.

  • RESEND_API_KEY
  • RESEND_FROM=Slotly <notifications@getslotly.io>
  • RESEND_REPLY_TO=support@getslotly.io
  • npm run resend:domain

Vercel production secrets

Confirm core production secrets before inviting real teams. Custom domain automation, payment, SMS, and durable rate-limit secrets are Coming Soon after the mobile app.

  • GUEST_CALENDAR_COOKIE_SECRET
  • GOOGLE_OAUTH_CLIENT_ID / GOOGLE_OAUTH_CLIENT_SECRET
  • Coming Soon: VERCEL_API_TOKEN / VERCEL_PROJECT_ID / VERCEL_TEAM_ID for custom domain automation
  • Coming Soon: STRIPE_SECRET_KEY / STRIPE_WEBHOOK_SECRET / price IDs
  • Coming Soon: TWILIO_ACCOUNT_SID / TWILIO_AUTH_TOKEN / TWILIO_FROM_NUMBER
  • Coming Soon: UPSTASH_REDIS_REST_* for durable rate limiting

SMS reminders

Coming Soon after the mobile app. Slotly records skipped deliveries when Twilio is missing, so this is not a current launch blocker.

  • TWILIO_ACCOUNT_SID
  • TWILIO_AUTH_TOKEN
  • TWILIO_FROM_NUMBER
  • Invitee phone number on booking form
  • Twilio message logs after a test reminder

Stripe billing

Coming Soon after the mobile app. The setup guide remains here for the future paid-bookings pass.

  • STRIPE_SECRET_KEY
  • STRIPE_WEBHOOK_SECRET
  • STRIPE_PRO_PRICE_ID / STRIPE_TEAM_PRICE_ID
  • Webhook: /api/billing/webhook
  • Stripe Connect Express for paid host payouts

Durable rate limiting

Coming Soon after the mobile app. Slotly falls back to per-instance memory limits when Redis is missing.

  • UPSTASH_REDIS_REST_URL
  • UPSTASH_REDIS_REST_TOKEN
  • Settings > Production readiness: Durable rate limiting
  • X-RateLimit-* response headers

Credential setup packet

These are the account-owned values that cannot be generated safely by automation. Google is active now; Microsoft, Zoom, smoke-account values, and the other provider-owned packets are Coming Soon after the mobile app. Run npm run oauth:providers later for Microsoft and Zoom setup, or npm run oauth:providers -- --json for a machine-readable credential packet.

Microsoft Outlook OAuth

Create in

Coming Soon after the mobile app. Azure app registration setup stays documented for the later Outlook pass.

Vercel values

  • MICROSOFT_CLIENT_ID
  • MICROSOFT_CLIENT_SECRET

Scopes

  • offline_access
  • openid
  • profile
  • email
  • User.Read
  • Calendars.Read
  • Calendars.ReadWrite

Redirects

  • https://getslotly.io/api/integrations/outlook/callback
  • https://getslotly.io/api/guest-calendar/outlook/callback

Verify

After mobile app, Settings > Outlook connects for a host, and the public booking page guest Outlook overlay redirects successfully.

Zoom OAuth

Create in

Coming Soon after the mobile app. Zoom OAuth setup stays documented for the later meeting-link pass.

Vercel values

  • ZOOM_CLIENT_ID
  • ZOOM_CLIENT_SECRET

Scopes

  • user:read:user
  • meeting:write:meeting

Redirects

  • https://getslotly.io/api/integrations/zoom/callback

Verify

After mobile app, Settings > Zoom connects, then a Zoom location event can create a meeting link.

Google OAuth

Create in

Google Cloud Console OAuth client

Vercel values

  • GOOGLE_OAUTH_CLIENT_ID
  • GOOGLE_OAUTH_CLIENT_SECRET

Scopes

  • openid
  • userinfo.email
  • userinfo.profile
  • calendar.readonly
  • calendar.events

Redirects

  • https://getslotly.io/auth/callback
  • https://getslotly.io/api/integrations/google/callback
  • https://getslotly.io/api/guest-calendar/google/callback

Verify

Google login reaches Supabase callback, Settings > Google Calendar connects, and guest Google overlay redirects successfully.

Production smoke user

Create in

Slotly production account plus Dashboard > Developer

Vercel values

  • SLOTLY_SMOKE_EMAIL
  • SLOTLY_SMOKE_PASSWORD
  • SLOTLY_SMOKE_API_KEY

Verify

After mobile app, npm run smoke:env passes, then npm run smoke:auth:strict reports the smoke user's email and API plan.

Authenticated manual smoke: Coming Soon

These steps will confirm user-facing product flows that public smoke tests cannot touch without a real account. We will wire this into the launch gate after the mobile app foundation is complete.

Later, run npm run smoke:auth:strict with a dedicated smoke account configured through SLOTLY_SMOKE_EMAIL and SLOTLY_SMOKE_PASSWORD. Add SLOTLY_SMOKE_API_KEY from the same account to verify API identity plus read-only REST API checks for event types, bookings, people, and teams. Run npm run smoke:account for the setup checklist, or npm run supabase:service-role before automated bootstrap. Then run vercel env pull .env.local, then npm run smoke:env to confirm the local smoke configuration is complete.

Smoke account setup

  1. After mobile app work resumes, create a dedicated production user, for example smoke@getslotly.io.
  2. Make sure the smoke user is on a Standard or Team entitlement so API-key routes are allowed.
  3. Sign in as the smoke user and create an API key from Dashboard > Developer.
  4. Set SLOTLY_SMOKE_EMAIL and SLOTLY_SMOKE_PASSWORD to that user's login credentials.
  5. Set SLOTLY_SMOKE_API_KEY to an API key generated by the same smoke user.
  6. Use npm run smoke:account when you want the exact setup and Vercel env commands.
  7. Optional: run npm run supabase:service-role for the local-only key checklist, then npm run smoke:bootstrap -- --apply.
  8. Run vercel env pull .env.local, then npm run smoke:env to confirm the required variables are present and valid.
  9. Later, run npm run smoke:auth:strict and confirm the API key identity check reports the smoke user email.
  1. Sign in as an admin and confirm the Production readiness card has no unexpected Action items.
  2. Create a solo event type, copy the slotly.to booking link, and book a test meeting.
  3. Create a team calendar event and confirm it appears in Dashboard, Bookings, and Team calendar surfaces.
  4. Connect Google Calendar as a guest on a public booking page and verify busy slots disappear.
  5. Verify confirmation email delivery in Resend logs for the test booking.
  6. Run npm run smoke:prod after every production deploy. Authenticated smoke is Coming Soon after the mobile app.
The Settings page also includes a Production readiness card for live environment status. Start there when something looks off. After changing Vercel production environment variables, push a normal source commit so the live deployment is rebuilt with the new values.Open Settings