Auth, billing & realtime included

The full-stack SaaS starter kit

Authentication, payments, realtime, an admin panel and a mobile app — production-ready on day zero. One typed codebase, four clients.

  • Go
  • Echo
  • React 19
  • React Native
  • Next.js
  • Stripe
  • MySQL
  • WebSocket
skeletonny — zsh
$ git clone skeletonny && make up
 backend  go · echo · gorm ready on :8080
 frontend react 19 · vite ready on :5173
 stripe webhooks listening
 ship your product, not the plumbing

A stack that ships

Batteries included, opinions optional

Backend

  • Go
  • Echo v4
  • GORM
  • MySQL
  • dig DI

Web

  • React 19
  • Vite
  • TypeScript
  • TanStack Query
  • Tailwind

Mobile

  • React Native
  • Expo
  • SecureStore

Platform

  • Stripe
  • Google OAuth
  • Resend
  • GCS
  • WebSocket

Features

The hard parts, already built

Every feature below is wired across the backend, web and mobile — not a stub. Delete what you don't need and keep shipping.

Authentication

Google OAuth and email + one-time-code sign-up out of the box, with one JWT that works as a cookie on web and a Bearer token on native.

  • OAuth + OTP
  • JWT
  • settings-gated

Billing

Stripe subscriptions with Free / Pro / Team tiers and trials, a credit-pack ledger, idempotent webhooks and the hosted Customer Portal.

  • Subscriptions
  • Credits ledger
  • Webhooks

Realtime

A WebSocket pipeline pushes live updates to web and native clients, with per-user routing and automatic reconnect handled for you.

  • WebSocket
  • Per-user
  • Reconnect

Admin panel

Manage user accounts behind an is-admin gate — create, edit, set passwords and inspect — wired through the same typed API as the app.

  • User management
  • Role gate

File storage

Upload and serve user-generated binaries through a Google Cloud Storage connector, ready for avatars, attachments and exports.

  • GCS
  • Uploads
  • Serving

i18n + shared types

Internationalisation across web and native, plus one @skeletonny/shared package so the API surface stays typed end to end.

  • i18n
  • Shared API
  • Type-safe

Architecture

One codebase, every client

A clean, interface-driven Go core feeds a single typed API package that every client consumes. Change a type once and the whole stack follows.

Web

React 19 · Vite SPA

Mobile

React Native · Expo

Landing

Next.js

@skeletonny/shared

typed API client & domain types

Go backend

Echo · GORM · dependency injection · REST + WebSocket

MySQL · Stripe · Google · Resend · GCS

Engineered, not generated

Decisions you'd make anyway, already made

The defaults are the security-conscious ones. The corners aren't cut — they're documented.

Idempotent webhooks

Stripe events are deduplicated and re-fetched, never trusted blindly — no double charges, no lost state.

No user enumeration

Login and OTP failures return one canonical error, so the API never leaks which accounts exist.

Constant-time OTP

Verification codes are compared in constant time to close timing side-channels on short secrets.
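
An added Go sketch of the two properties above: one canonical error on every failure path, and a constant-time code comparison. It is not Skeletonny's own code; `VerifyOTP`, `otpRecord`, `ErrInvalidCredentials` and the in-memory store are hypothetical names assumed for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// ErrInvalidCredentials is the only error any failure path returns.
var ErrInvalidCredentials = errors.New("invalid email or code")

// otpRecord is a hypothetical stored challenge (assumed shape, not the project's schema).
type otpRecord struct {
	codeHash  [32]byte
	expiresAt time.Time
}

// dummy stands in for unknown accounts so they run the same comparison.
var dummy = otpRecord{codeHash: sha256.Sum256([]byte("no-such-account"))}

// VerifyOTP succeeds only when email has an unexpired challenge matching code.
// Unknown email, wrong code and expired code are indistinguishable to the caller.
func VerifyOTP(store map[string]otpRecord, email, code string, now time.Time) error {
	rec, found := store[email]
	if !found {
		rec = dummy
	}
	// Digests are equal length, so ConstantTimeCompare never exits early on a
	// length mismatch and its timing does not depend on where the bytes differ.
	got := sha256.Sum256([]byte(code))
	match := subtle.ConstantTimeCompare(got[:], rec.codeHash[:])
	live := 0
	if found && now.Before(rec.expiresAt) {
		live = 1
	}
	if match&live != 1 {
		return ErrInvalidCredentials
	}
	return nil
}

func main() {
	now := time.Now()
	store := map[string]otpRecord{ // constructed sample data
		"a@example.test": {sha256.Sum256([]byte("123456")), now.Add(5 * time.Minute)},
	}
	fmt.Println(VerifyOTP(store, "a@example.test", "123456", now))
	fmt.Println(VerifyOTP(store, "a@example.test", "000000", now))
	fmt.Println(VerifyOTP(store, "nobody@example.test", "123456", now))
}
```
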

Fail-safe defaults

Auth gates fail open on a settings blip and entitlements fail closed — each chosen on purpose.

Transactional integrity

Account deletion cancels billing first, then wipes secrets in a single rollback-safe transaction.

Durable docs

Every domain ships a context document explaining what it does and why — not just how.

Start with the boring 80%. Build the part that matters.

Skeletonny hands you auth, billing, realtime and a mobile app on day one — so day two is your product.