We wrote earlier about picking boring choices for the load-bearing layer of your stack. This is the longer version: the specific recommendations, with the reasoning, for the three places we see early-stage teams break ground most often.
Same disclaimer applies. We have biases. The specifics will age. The pattern won't.
Auth
Pick a managed identity provider on day one. Auth0, Clerk, Supabase Auth, Cognito if you're already deep in AWS — any of them is better than rolling your own. Yes, you'll pay per active user. The cost is invisible compared to the engineering hours you'd spend handling password resets, MFA flows, social login, account merges, and the eight years of CVEs you don't want to track.
What we look for: SSO support that won't require a rebuild for your first enterprise customer, MFA that doesn't fight users on mobile, a session model that works with both web and native, and an admin surface a non-engineer can audit. JWT verification done by your application, not by middleware that updates twice a year.
Payments
Stripe, Adyen, Razorpay (depending on your buyer geography) — but the choice of provider is less interesting than the choice of integration depth. Use the hosted checkout if you can; the engineering cost of a custom checkout almost always exceeds the conversion lift you imagine you'll get.
What we look for: webhook handling that's idempotent, a clean separation between the order model in your app and the payment model in the provider, and a sane test fixture story so you can simulate edge cases (failed payments, refunds, chargebacks, subscription pauses) without poking at the live API. Every payments incident we've seen at scale was a webhook handler that wasn't idempotent.
Observability
One tool for logs, metrics, and traces. Datadog, Honeycomb, or open-source equivalents wired through OpenTelemetry. The expensive thing is not the tool; it's having three of them stitched together with cron jobs that nobody owns.
What we look for: a structured-log discipline so a query against the logs actually answers a question, dashboards built around the questions on-call would ask (not vendor defaults), and SLOs your team agrees with — three or four of them, no more — with alerting that fires before customers notice.
The pattern that holds across all three
Three things show up every time we audit a load-bearing layer that's gone wrong. They're worth naming.
- Boring beats novel. Every time. The thing that quietly works is the thing you forget about, and forgetting about it is the goal.
- Done early beats done well. A passable Auth0 integration on day one is worth more than a perfectly-engineered custom auth in month nine.
- Integrated beats best-of-breed. One identity provider, one payment processor, one observability tool. Pick the one that's good enough at all three of its jobs, not the one that's perfect at one.
A note on cost
Yes, you'll pay vendors money for things you could build. That cost is bounded and predictable. The cost of the alternative — engineers carrying a homegrown auth flow, a homegrown billing pipeline, a homegrown logging stack into year three — is unbounded and unpredictable. Trade the right thing.
Save your engineering hours for the part of the product customers feel. That's where they belong.