Launch
Production launch checklist
The short operational runbook for getting Slotly safely from built to ready.
Automated smoke
Run the public production checks before and after deploys.
External consoles
OAuth and email verification still happen outside the app.
Manual QA
Authenticated user flows need one real admin account pass.
Coming Soon after mobile app
These items stay documented, but they are parked until the iOS and Android foundation is complete.
- Microsoft Outlook OAuth and guest Outlook overlays
- Zoom OAuth and automatic Zoom meeting creation
- Production authenticated smoke account and API key
- Custom domain automation
- Stripe paid bookings and connected payouts
- Twilio SMS reminders
- Upstash durable rate limiting
Preflight order
Work through these in order when preparing a production release. Each step has a concrete signal so the launch state is easy to verify.
1. Confirm deploy target
Use GitHub push for production deploys so Vercel's ignoreCommand can skip non-runtime changes and control On-Demand Build spend. After pushing, npm run smoke:deploy waits for the live commit before running smoke.
Done when
The latest runtime commit is on origin/main and the Vercel deployment is tied to that commit.
2. Verify external consoles
Run npm run oauth:redirects, npm run vercel:env:audit, and npm run launch:env, then confirm the active Google redirects before testing Google integrations. Microsoft, Zoom, and custom-domain automation are Coming Soon after the mobile app.
Done when
npm run oauth:redirects matches the Google console, and npm run vercel:env:audit plus npm run launch:env have no required failures.
3. Prove email delivery
Verify the Resend sender domain with npm run resend:domain, run npm run email:delivery for the checklist, review Settings > Email delivery readiness, then send a Settings email test and one real booking confirmation.
Done when
npm run resend:domain passes, Settings shows Email delivery readiness as Ready, and both messages appear as delivered in Resend logs from the verified sender.
4. Run smoke checks
Run public smoke after every deploy. Set SLOTLY_EXPECTED_COMMIT when you want smoke to confirm production is serving the intended Git commit.
Done when
npm run smoke:prod passes and /api/status reports the expected commit.
5. Run the launch gate
After Vercel env is pulled locally, run npm run launch:ready to execute the current automated readiness gate in order.
Done when
npm run launch:ready passes, then the manual admin/provider-console confirmations are complete.
6. Finish human QA
Use Settings > Launch QA checklist with one admin account to walk the actual product: create a link, book it, make a team event, and inspect Dashboard, Bookings, and Teams. Run npm run launch:qa for the matching runbook.
Done when
The Settings launch QA checklist is complete and the same meeting data appears consistently on all logged-in calendar surfaces.
Automated production smoke
Run npm run smoke:deploy after a GitHub push to wait for the new commit and then run public smoke. To run smoke immediately, use npm run smoke:prod. To test another deployment, pass a URL: npm run smoke:prod -- https://example.vercel.app.
- Landing, login, pricing, docs, and status pages return HTML.
- OpenAPI JSON returns version 3.1.0 and includes booking endpoints.
- Guest calendar busy endpoint rejects unauthenticated requests.
- Settings email test endpoint rejects unauthenticated requests.
- Google guest OAuth endpoint redirects or reports missing config.
- Host Google OAuth endpoint redirects unauthenticated users to login.
- Launch env check reports missing required production, email, and active OAuth variables.
- Deferred items are listed as Coming Soon after the mobile app instead of failing the current launch gate.
Full automated launch gate
Pull production environment values locally, then run one command to execute the automated release gate in order. It runs redirect output, Vercel env audit, launch env validation, Resend domain verification, and public smoke. Authenticated smoke is Coming Soon after the mobile app.
When the gate reports a required missing value, add it in Vercel, pull production env locally, push a normal Git commit so Vercel rebuilds, and rerun the gate.
Vercel project automation: Coming Soon
Custom-domain automation needs the Slotly Vercel project ID, team ID, and a scoped Vercel API token. We will tackle this after the mobile app; npm run vercel:project-env remains as the setup helper for that later pass.
Email delivery verification
Resend DNS can be verified automatically, but inbox delivery still needs one admin pass. Run npm run email:delivery, send the Settings test email, book one real test meeting, and confirm both messages show as delivered in Resend logs.
Admin launch QA
The Settings page includes the interactive Launch QA checklist. Run npm run launch:qa for the same six production flows with pass criteria, then mark each item complete in Settings.
Google OAuth console
Keep Google verification deferred until after mobile app work, but make sure the redirect list is ready. Run npm run oauth:redirects for the production checklist.
- https://getslotly.io/auth/callback
- https://getslotly.io/api/integrations/google/callback
- https://getslotly.io/api/guest-calendar/google/callback
Microsoft OAuth console
Coming Soon after the mobile app. Keep these redirects documented so the Azure setup is ready when we resume Outlook work.
- https://getslotly.io/api/integrations/outlook/callback
- https://getslotly.io/api/guest-calendar/outlook/callback
Resend sender domain
Verify the sender domain in Resend, make sure Vercel has RESEND_API_KEY and RESEND_FROM, then run vercel env pull .env.local and npm run resend:domain.
- RESEND_API_KEY
- RESEND_FROM=Slotly <notifications@getslotly.io>
- RESEND_REPLY_TO=support@getslotly.io
- npm run resend:domain
Vercel production secrets
Confirm core production secrets before inviting real teams. Custom domain automation, payment, SMS, and durable rate-limit secrets are Coming Soon after the mobile app.
- GUEST_CALENDAR_COOKIE_SECRET
- GOOGLE_OAUTH_CLIENT_ID / GOOGLE_OAUTH_CLIENT_SECRET
- Coming Soon: VERCEL_API_TOKEN / VERCEL_PROJECT_ID / VERCEL_TEAM_ID for custom domain automation
- Coming Soon: STRIPE_SECRET_KEY / STRIPE_WEBHOOK_SECRET / price IDs
- Coming Soon: TWILIO_ACCOUNT_SID / TWILIO_AUTH_TOKEN / TWILIO_FROM_NUMBER
- Coming Soon: UPSTASH_REDIS_REST_* for durable rate limiting
SMS reminders
Coming Soon after the mobile app. Slotly records skipped deliveries when Twilio is missing, so this is not a current launch blocker.
- TWILIO_ACCOUNT_SID
- TWILIO_AUTH_TOKEN
- TWILIO_FROM_NUMBER
- Invitee phone number on booking form
- Twilio message logs after a test reminder
Stripe billing
Coming Soon after the mobile app. The setup guide remains here for the future paid-bookings pass.
- STRIPE_SECRET_KEY
- STRIPE_WEBHOOK_SECRET
- STRIPE_PRO_PRICE_ID / STRIPE_TEAM_PRICE_ID
- Webhook: /api/billing/webhook
- Stripe Connect Express for paid host payouts
Durable rate limiting
Coming Soon after the mobile app. Slotly falls back to per-instance memory limits when Redis is missing.
- UPSTASH_REDIS_REST_URL
- UPSTASH_REDIS_REST_TOKEN
- Settings > Production readiness: Durable rate limiting
- X-RateLimit-* response headers
Credential setup packet
These are the account-owned values that cannot be generated safely by automation. Google is active now; Microsoft, Zoom, smoke-account values, and the other provider-owned packets are Coming Soon after the mobile app. Run npm run oauth:providers later for Microsoft and Zoom setup, or npm run oauth:providers -- --json for a machine-readable credential packet.
Microsoft Outlook OAuth
Create in
Coming Soon after the mobile app. Azure app registration setup stays documented for the later Outlook pass.
Vercel values
- MICROSOFT_CLIENT_ID
- MICROSOFT_CLIENT_SECRET
Scopes
- offline_access
- openid
- profile
- User.Read
- Calendars.Read
- Calendars.ReadWrite
Redirects
- https://getslotly.io/api/integrations/outlook/callback
- https://getslotly.io/api/guest-calendar/outlook/callback
Verify
After mobile app, Settings > Outlook connects for a host, and the public booking page guest Outlook overlay redirects successfully.
Zoom OAuth
Create in
Coming Soon after the mobile app. Zoom OAuth setup stays documented for the later meeting-link pass.
Vercel values
- ZOOM_CLIENT_ID
- ZOOM_CLIENT_SECRET
Scopes
- user:read:user
- meeting:write:meeting
Redirects
- https://getslotly.io/api/integrations/zoom/callback
Verify
After mobile app, Settings > Zoom connects, then a Zoom location event can create a meeting link.
Google OAuth
Create in
Google Cloud Console OAuth client
Vercel values
- GOOGLE_OAUTH_CLIENT_ID
- GOOGLE_OAUTH_CLIENT_SECRET
Scopes
- openid
- userinfo.email
- userinfo.profile
- calendar.readonly
- calendar.events
Redirects
- https://getslotly.io/auth/callback
- https://getslotly.io/api/integrations/google/callback
- https://getslotly.io/api/guest-calendar/google/callback
Verify
Google login reaches Supabase callback, Settings > Google Calendar connects, and guest Google overlay redirects successfully.
Production smoke user
Create in
Slotly production account plus Dashboard > Developer
Vercel values
- SLOTLY_SMOKE_EMAIL
- SLOTLY_SMOKE_PASSWORD
- SLOTLY_SMOKE_API_KEY
Verify
After mobile app, npm run smoke:env passes, then npm run smoke:auth:strict reports the smoke user's email and API plan.
Authenticated manual smoke: Coming Soon
These steps will confirm user-facing product flows that public smoke tests cannot touch without a real account. We will wire this into the launch gate after the mobile app foundation is complete.
npm run smoke:auth:strict with a dedicated smoke account configured through SLOTLY_SMOKE_EMAIL and SLOTLY_SMOKE_PASSWORD. Add SLOTLY_SMOKE_API_KEY from the same account to verify API identity plus read-only REST API checks for event types, bookings, people, and teams. Run npm run smoke:account for the setup checklist, or npm run supabase:service-role before automated bootstrap. Then run vercel env pull .env.local, then npm run smoke:env to confirm the local smoke configuration is complete.Smoke account setup
- After mobile app work resumes, create a dedicated production user, for example smoke@getslotly.io.
- Make sure the smoke user is on a Standard or Team entitlement so API-key routes are allowed.
- Sign in as the smoke user and create an API key from Dashboard > Developer.
- Set SLOTLY_SMOKE_EMAIL and SLOTLY_SMOKE_PASSWORD to that user's login credentials.
- Set SLOTLY_SMOKE_API_KEY to an API key generated by the same smoke user.
- Use npm run smoke:account when you want the exact setup and Vercel env commands.
- Optional: run npm run supabase:service-role for the local-only key checklist, then npm run smoke:bootstrap -- --apply.
- Run vercel env pull .env.local, then npm run smoke:env to confirm the required variables are present and valid.
- Later, run npm run smoke:auth:strict and confirm the API key identity check reports the smoke user email.
- Sign in as an admin and confirm the Production readiness card has no unexpected Action items.
- Create a solo event type, copy the slotly.to booking link, and book a test meeting.
- Create a team calendar event and confirm it appears in Dashboard, Bookings, and Team calendar surfaces.
- Connect Google Calendar as a guest on a public booking page and verify busy slots disappear.
- Verify confirmation email delivery in Resend logs for the test booking.
- Run npm run smoke:prod after every production deploy. Authenticated smoke is Coming Soon after the mobile app.