Node.js · Express · MongoDB · Production-ready

SaaS backend. Complete. Ready to ship.

JWT auth with refresh tokens, Stripe subscriptions with full webhook handling, plan-gated endpoints, admin API, rate limiting, validation, logging — everything wired up and tested.

Get the boilerplate → · See what's different · €19, one-time
# Setup in one command
$ bash scripts/setup.sh
.env created with generated secrets
Dependencies installed
$ npm run seed && npm run dev
MongoDB connected
Server running on http://localhost:3000
Express 4 · MongoDB · Mongoose 8 · JWT · bcrypt · Stripe · Joi · Helmet · Winston · Nodemailer · Jest · Supertest · Docker

Before vs after

What you get vs what you'd build.

Feature | Typical DIY | This boilerplate
JWT auth | Access token only, no expiry | Access (15m) + refresh (7d), rotation, revocation
Password reset | Rarely implemented correctly | Expiring tokens, no email enumeration, revoke all sessions
Stripe webhook | // TODO: verify signature | 4 events handled: upgrade, downgrade, update, payment_failed
Input validation | if (!email) return res.send("error") | Joi schemas, structured errors, unknown fields stripped
Error handling | try/catch in every route | asyncHandler + global handler covers Mongoose, JWT, Stripe
Rate limiting | None | Global + auth (brute force) + API, all configured
Admin API | None | Paginated user list, filter, stats, activate/deactivate
Tests | None | 11 Jest + Supertest integration tests
Logging | console.log | Winston structured logs, Morgan HTTP, colorized in dev

Features

Every layer, production-grade.

AUTH

Full auth flow

Register · login · logout · refresh · verify email · forgot/reset password

STRIPE

Subscriptions

Checkout · Billing Portal · 4-event webhook handler · auto customer create

PLANS

Feature gates

requirePlan() · checkUsageLimit() · free/pro/enterprise tiers

ADMIN

User management

Paginated list · filter · stats · update role/plan · delete

VALIDATE

Joi validation

Schema on every endpoint · structured errors · unknown fields stripped

SECURITY

Security layers

Helmet · CORS · 3-tier rate limiting · NoSQL injection prevention

EMAIL

Email flows

Nodemailer · HTML templates for verify + reset · console mock in dev

DX

Dev experience

asyncHandler · apiResponse · Winston · centralized config · seed script


Example

Add a plan-gated route in 3 lines.

All the middleware is already written. You just compose it.

const express = require('express');
const { authenticate } = require('../middleware/auth');
const { requirePlan, checkUsageLimit } = require('../middleware/checkPlan');

const router = express.Router();
// handler: your own route handler, e.g. one wrapped in asyncHandler

// Free users: max 100 calls/month (authenticate runs first, so the plan checks see req.user)
router.get('/data', authenticate, checkUsageLimit(100), handler);

// Pro only
router.get('/analytics', authenticate, requirePlan('pro', 'enterprise'), handler);

module.exports = router;

Pricing

One price. Ship forever.

€19

ONE-TIME · INSTANT DOWNLOAD · MIT LICENSE

Download now — €19 →

30-day money-back guarantee · no questions asked


FAQ

Questions

What Node version do I need?

Node 18+ recommended. The Dockerfile uses Node 20 LTS.

Does it work without Stripe?

Yes. Auth, plans, and admin work fine without Stripe keys. The billing endpoints return 503 if not configured.

Can I use this for client projects?

Yes — MIT license. Use it in commercial SaaS, client work, or internal tools. No attribution required.

Can I add PostgreSQL instead of MongoDB?

Yes. The architecture is modular — swap Mongoose for Prisma/Sequelize and the middleware/routes stay the same.

Is TypeScript supported?

This boilerplate is JavaScript. If you need TypeScript, check our Express + TypeScript + Prisma boilerplate.

Refund policy?

30-day full refund, no questions asked.