$ cat ./guides/choosing-your-saas-stack
How to Choose Your SaaS Stack by Category: Auth, Payments, and Analytics
Picking a SaaS stack is mostly a series of pricing-cliff and lock-in bets, not a feature beauty contest. This guide gives concrete defaults for the three categories every SaaS needs first (auth, payments, and analytics), with real price points and the migration traps that bite later. It closes with an honest take on how launch directories and backlinks actually move the needle.
## Choose by constraint, not by feature list
Every tool demos well. What separates them six months in is four axes: time-to-first-integration (hours to a working signup or charge), the pricing cliff (where the bill jumps as you grow), migration cost (how painful it is to leave), and lock-in (whether you can export your own data). Pre-revenue, optimize for speed and a real free tier. Post product-market-fit, optimize against the pricing cliff and lock-in, because those are what you cannot fix cheaply later.
Do the boring exercise before you commit: write down your expected monthly active users and transaction volume at 6 months and at 18 months, then price each candidate at both points. Most tools are free at launch and brutal at 50k users. A tool that costs $0 today and $900/month at your 18-month projection is a different decision than its landing page suggests.
## Auth: the hardest thing to migrate, so decide early
Managed options, with rough 2025-2026 pricing you should re-verify: Clerk is fastest to ship in React/Next (prebuilt components), free to about 10,000 MAU, then roughly $25/month plus ~$0.02 per extra MAU. Supabase Auth is bundled with Supabase Postgres, ~50,000 MAU free, $25/month Pro then ~$0.00325 per MAU, the obvious pick if you already use Supabase. Auth0 is free to ~7,500 MAU but famous for a steep cliff into the hundreds per month once you need orgs, MFA, or enterprise features. WorkOS AuthKit is free up to 1M users and bills mainly for enterprise SSO (around $125 per SAML connection per month), so it shines the day you start selling to enterprises that demand SAML and SCIM.
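The pricing exercise from the previous section, worked for the auth tiers quoted above, as an added example rather than any vendor's or the guide's own code. It simplifies each plan to a free allowance, a base fee and a per-MAU overage (plus WorkOS's per-SAML-connection charge); the figures are the guide's rough numbers and should be re-verified, and Auth0 is left out because no per-MAU rate is given for its paid tiers.

```javascript
// Added example, not the guide's own code: price each auth candidate at your
// projected usage so the pricing cliff is visible before you commit. The tier
// figures are the guide's rough 2025-2026 numbers (re-verify them); Auth0 is
// left out because the guide gives no per-MAU rate for its paid tiers.
const AUTH_PLANS = {
  clerk:    { freeMau: 10_000,    base: 25, perExtraMau: 0.02,    perSamlConn: 0 },
  supabase: { freeMau: 50_000,    base: 25, perExtraMau: 0.00325, perSamlConn: 0 },
  workos:   { freeMau: 1_000_000, base: 0,  perExtraMau: 0,       perSamlConn: 125 },
};

// Monthly bill in USD: nothing until you exceed the free allowance, then the
// base fee plus overage, plus any per-SAML-connection charge. Assumption: only
// WorkOS is modelled as billing per connection; the other vendors' SSO add-ons
// are not priced on the page, so they are not modelled here.
function monthlyBill(plan, mau, samlConnections = 0) {
  const overage = Math.max(0, mau - plan.freeMau);
  const usage = overage > 0 ? plan.base + overage * plan.perExtraMau : 0;
  return Math.round((usage + samlConnections * plan.perSamlConn) * 100) / 100;
}

// The "boring exercise" from the previous section: bill every candidate at
// each projection, including a 10x stress row.
function priceStack(plans, projections) {
  const table = {};
  for (const [name, plan] of Object.entries(plans)) {
    table[name] = {};
    for (const [label, p] of Object.entries(projections)) {
      table[name][label] = monthlyBill(plan, p.mau, p.saml);
    }
  }
  return table;
}

// Constructed projections for a B2B SaaS expecting two SAML customers by month 18.
const PROJECTIONS = {
  m6:  { mau: 5_000,   saml: 0 },
  m18: { mau: 60_000,  saml: 2 },
  x10: { mau: 600_000, saml: 2 },
};

console.table(priceStack(AUTH_PLANS, PROJECTIONS));
```

The x10 row is the one-line stress test from the closing section; the column where a $0 plan turns into four figures is the cliff to plan around.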
Open-source and self-host: Better Auth or Auth.js (NextAuth) carry a $0 license but you own the maintenance and security patching. Note that Lucia is now a learning resource, not a maintained library, so don't start a new project on it. Rolling your own with argon2 and server sessions only makes sense if authentication is genuinely your core IP.
The trap: auth touches user passwords, sessions, and every protected route, so it is the most expensive layer to swap. Decide now whether B2B organizations, SSO, and SCIM are on your 12-month roadmap. Retrofitting multi-tenant orgs onto a consumer auth setup is close to a rebuild, so if enterprise SSO is coming, start on a tool with an SSO path (Clerk orgs, WorkOS) even if it looks like overkill today.
## Payments: merchant of record vs. you-are-the-merchant
The real fork is who is legally the seller. With Stripe you are the merchant: about 2.9% + $0.30 per US card charge, Stripe Billing adds ~0.5-0.7% for subscriptions, Stripe Tax adds ~0.5% per transaction, and you are responsible for registering and remitting VAT or sales tax in every jurisdiction where you cross a threshold. Maximum control and flexibility, maximum paperwork.
Merchant-of-record providers (Paddle, Lemon Squeezy, Polar) become the seller of record and handle global VAT/sales tax, invoicing, and most fraud and chargebacks for a flat fee around 5% + $0.50. For a solo founder selling worldwide, that roughly 2% premium over Stripe buys you out of tax registration in dozens of countries, which is usually worth it under about $500k ARR. Context: Lemon Squeezy was acquired by Stripe in 2024 and still operates; Polar (~4% + $0.40) is the newer developer-focused MoR.
Decision rule: if you sell globally with a small team and no appetite for tax ops, use an MoR; if you need fine-grained usage metering or marketplace splits, or you already employ a finance person, go Stripe direct. Migration is real pain in both directions: moving card data between processors puts you in PCI scope and forces customer re-tokenization, and going from an MoR to Stripe means you suddenly inherit all the tax obligations the MoR was quietly handling.
## Analytics: split web from product, and watch event pricing
Keep two questions separate: web analytics (traffic, sources, which pages) and product analytics (funnels, retention, per-event behavior). One tool trying to do both usually does both poorly, and you end up paying for the worse half.
Concrete picks. For privacy-first web analytics, Plausible runs about $9/month for 10k monthly pageviews and needs no cookie banner in the EU because it stores no personal data; Umami self-hosted is $0. For product analytics, PostHog is the default for most indie SaaS: ~1M events/month free, with session replay (5k/month free), feature flags, and experiments bundled, so it replaces three separate tools before you pay a cent. GA4 is free but sampled, slow to learn, and needs a consent banner in the EU, so reach for it only when you need Google Ads attribution.
The trap is event-volume billing. PostHog and Mixpanel charge per event, so a chatty frontend that fires on every scroll can 10x your bill overnight. Define an event taxonomy first, instrument the 15-30 events that actually map to your funnel, and batch or drop the rest. If you are privacy-sensitive or expect high volume, self-hosting PostHog or Plausible caps the downside.
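One way to enforce the event taxonomy described above in the browser, as an added example and not code from PostHog or any other vendor: a wrapper that only forwards allowlisted event names, rate-limits runaway loops, and batches what survives. It assumes the vendor SDK exposes a capture(name, props) method (the shape PostHog's client uses); the event names and limits are constructed.

```javascript
// Added example, not vendor code: a wrapper that enforces an event taxonomy
// in front of whatever SDK you use. Assumption: the client exposes
// capture(name, props), the shape PostHog's SDK uses; event names are made up.
const TAXONOMY = new Set([
  "signup_started", "signup_completed", "checkout_started",
  "subscription_created", "feature_used",
]);

class GatedAnalytics {
  constructor(client, { taxonomy = TAXONOMY, batchSize = 20, maxPerMinute = 60 } = {}) {
    Object.assign(this, { client, taxonomy, batchSize, maxPerMinute });
    this.queue = [];
    this.dropped = { unknown: 0, rateLimited: 0 };
    this.window = { start: 0, count: 0 };
  }
  // Accepts only taxonomy events (so a scroll handler never gets billed) and
  // caps events per minute to catch runaway loops. Returns true if queued.
  track(name, props = {}, now = Date.now()) {
    if (!this.taxonomy.has(name)) { this.dropped.unknown++; return false; }
    if (now - this.window.start >= 60_000) this.window = { start: now, count: 0 };
    if (++this.window.count > this.maxPerMinute) { this.dropped.rateLimited++; return false; }
    this.queue.push({ name, props, ts: now });
    if (this.queue.length >= this.batchSize) this.flush();
    return true;
  }
  // Sends queued events in one batch (also call it on pagehide); returns count.
  flush() {
    const batch = this.queue.splice(0);
    for (const ev of batch) this.client.capture(ev.name, ev.props);
    return batch.length;
  }
}

// Constructed stand-in for the vendor SDK: records what would have been billed.
function makeRecordingClient() {
  const sent = [];
  return { sent, capture: (name, props) => sent.push({ name, props }) };
}
// Simulate one session: a real signup funnel plus a scroll handler firing 500 times.
function simulateSession() {
  const client = makeRecordingClient();
  const analytics = new GatedAnalytics(client, { batchSize: 2 });
  const t0 = 1_700_000_000_000; // constructed fixed clock, in ms
  analytics.track("signup_started", {}, t0);
  for (let i = 0; i < 500; i++) analytics.track("scroll", { y: i * 10 }, t0 + i);
  analytics.track("signup_completed", { plan: "free" }, t0 + 600);
  analytics.flush();
  return { sent: client.sent.length, dropped: analytics.dropped };
}
```

Only the two funnel events reach the vendor; the 500 scroll events are counted in `dropped.unknown`, which is worth exporting to a debug panel so you notice when someone instruments outside the taxonomy.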
## The launch layer: directories, links, and what they're actually worth
Once the stack runs, your problem becomes discovery, and that is where backlinks matter. A backlink is just a link from another site to yours; its SEO value hinges on whether it is dofollow (passes link equity, the modern descendant of PageRank, and can help you rank) or nofollow (carries rel="nofollow", which since 2019 Google treats as a hint and generally does not pass ranking equity). Related attributes are rel="sponsored" for paid links and rel="ugc" for user-generated ones. Domain Authority (Moz) and Domain Rating (Ahrefs) are third-party 0-100 scores estimating a domain's link strength; they are not Google ranking factors, just relative signals. One dofollow link from a relevant DR 40 site outweighs ten nofollow links from unrelated DR 5 directories.
How directories fit, honestly: most listings are nofollow by default, and that is fine. A nofollow link still sends real referral traffic, gets your launch crawled and indexed faster, and builds brand recognition. Curated, topically relevant directories (a developer or SaaS directory linking a SaaS) are worth a listing; generic 'submit to 500 directories' link farms get ignored or can hurt you, so skip them. As a concrete example, codenation.dev is a SaaS/dev directory on an aged domain (DR ~16) that gives free listings a nofollow link and reserves dofollow for paid or featured placements. That is the normal directory model: the free listing earns its keep through referral traffic and discovery, and the paid dofollow upgrade is only worth buying if you have decided that specific domain's authority and audience genuinely match your niche.
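A small audit script for the rel semantics in the two paragraphs above, added here as an example and not part of the guide: it finds the anchors on a listing page that point at your domain and reports which ones carry nofollow, sponsored or ugc. The sample page, the host names and the regex-based tag scan are constructed for this example; the scan is adequate for pages you fetched yourself, not a general HTML parser.

```javascript
// Added example, not from the guide: classify the links a directory page gives
// your domain by rel attribute, so you can see whether a listing is dofollow
// before paying for an upgrade. A regex over <a> tags is enough for an audit
// of pages you fetched yourself; it is not a general HTML parser.
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  return attrs;
}

// rel is a space-separated, case-insensitive token list. Any of these tokens
// tells Google to treat the link as a hint rather than an endorsement.
const NON_EQUITY = new Set(["nofollow", "sponsored", "ugc"]);

function classifyLink(href, rel = "") {
  const tokens = rel.toLowerCase().split(/\s+/).filter(Boolean);
  const hints = tokens.filter((t) => NON_EQUITY.has(t));
  return { href, rel: tokens, hints, passesEquity: hints.length === 0 };
}

// Every anchor in `html` that points at yourHost (or a subdomain), classified.
// Relative hrefs resolve against the directory's own origin and are skipped.
function auditBacklinks(html, yourHost, pageOrigin = "https://directory.example") {
  const results = [];
  const anchorRe = /<a\b([^>]*)>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const { href, rel } = parseAttrs(m[1]);
    if (!href) continue;
    let host;
    try { host = new URL(href, pageOrigin).hostname.toLowerCase(); } catch { continue; }
    if (host !== yourHost && !host.endsWith("." + yourHost)) continue;
    results.push(classifyLink(href, rel));
  }
  return results;
}

// Constructed listing page: a free listing (nofollow), an old-style uppercase
// attribute, a featured listing with no rel, and an unrelated sponsor link.
const SAMPLE_HTML = `
<a href="https://app.example.com" rel="nofollow ugc">App (free listing)</a>
<a href='https://app.example.com/pricing' REL="NOFOLLOW">Pricing</a>
<a href="https://app.example.com" class="featured">App (featured)</a>
<a href="/sponsor" rel="sponsored">Site sponsor</a>`;

console.log(auditBacklinks(SAMPLE_HTML, "app.example.com"));
```

Run it against the HTML of your actual listing before and after a paid upgrade; if the featured placement still comes back with a nofollow hint, the upgrade bought you placement, not equity.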
A sane launch plan: get listed on 5-10 relevant directories (your category, your framework's 'built with' showcase, your payment or auth provider's customer gallery), engineer one Product Hunt or Hacker News moment for the traffic spike, then earn dofollow links the durable way through a useful blog post, an open-source tool, or a free calculator other people cite. Don't buy bulk links; one relevant dofollow beats a hundred junk ones every time.
## A sane default stack, and when to revisit it
If you want defaults to start building today: Clerk or Supabase Auth for auth, a merchant-of-record (Lemon Squeezy, Polar, or Paddle) for payments, and PostHog plus Plausible for analytics. That combination reaches revenue on generous free tiers with no tax registration, and a solo founder can actually run it.
Re-evaluate on triggers, not on a calendar. First, when a tool's next pricing tier would cost more than a day of your time to replace it. Second, when you land a customer who demands SSO/SCIM or a signed DPA. Third, when a vendor holds something you cannot export, such as your auth users or your full event history. Until one of those fires, leave the stack alone and ship features. As a one-line stress test, write the projected bill for each tool at 10x your current usage; the worst cliff is the one to watch.