Full-stack SaaS template · .NET 10 + React 19
The complete .NET SaaS foundation. Already built.
Almost every SaaS starter is Node. This is the serious one for .NET: an event-driven API and a typed React SPA, with enterprise auth, a finished admin and full observability in the box.
fig. 01 · the shipped admin user detail page, captured from the running template
Bill of materials
- .NET 10 · Minimal API
- PostgreSQL · EF Core
- RabbitMQ · messaging + outbox
- React 19 · Vite + TypeScript
- TanStack · Router + Query
- Tailwind v4 · shadcn/ui
- 33 granular permissions: user and admin, mirrored in the UI, scoped per API key
- 64 API endpoints: auth, account, admin and API keys, documented in OpenAPI
- 2 UI languages: English and Dutch shipped, the i18n pattern takes more
- 4 test projects: unit, architecture, feature (real Postgres) and API
Every number above is countable in the source you receive. No invented hour-savings math.
01 The product
Real screens from the running template
Every screenshot below is captured from the app you receive, light and dark, with the capture script included so you can re-shoot them as you make it yours.
The admin panel ships finished: a sortable, paginated user table with account state, last login and a detail view per user.
Per user: enable or disable the account, grant or revoke individual permissions, revoke sessions, manage API keys, read the audit history, or impersonate with a logged reason.
Authorization is granular grants, not roles. The full catalog of 33 permissions, grouped and individually toggleable, with one-click presets, read-only flags, and the same set scoped per API key.
Every security-relevant action lands in a hash-chained audit trail. Filter by category, action, outcome and date, or jump straight into Grafana.
Users manage their own security: password and email changes, TOTP two-factor, passkeys, and linked OAuth accounts, all wired to the API.
TOTP enrollment with QR code, manual secret and downloadable recovery codes. Disable and regenerate flows are included too.
Scoped API keys with per-key permissions, optional expiry, one-time reveal, rotation and last-used tracking.
Active sessions per device, with one-click revocation. Refresh tokens rotate in families, so a stolen token revokes the whole chain.
GDPR self-service: users export everything held about them as JSON or delete their account, which anonymizes personal data while keeping referential integrity.
02 Architecture
Watch one feature travel the whole stack
Slicekit is built on vertical slice architecture: code is organised by feature, not by technical layer, so everything one use case needs lives in one folder you can read, change or delete in one place. The pattern applies on both sides of the wire, and the architecture overview walks the whole thing end to end.
A feature in Slicekit is a single slice, from the button to the database and back. Here is the exact path a request takes, the technology at each step, and the short list of files you actually write to add one.
Each slice is split in two: your feature logic lives in Slicekit.Core, and the web layer is a thin adapter on top. That separation is deliberate. Stand up a CLI, a background worker or a scheduled job and it reuses the same core code with no web server involved. Errors come back in one predictable shape, so the SPA maps each one straight to the field or message that caused it.
Organised by layer
One feature cuts through every layer. To change it you touch four places.
Organised by feature
One feature is one column. Read it, change it or delete it in one place.
- 01 Frontend
You call one typed hook
React 19 · TanStack Query
useCreateApiKey()
Your component calls a single hook. No fetch boilerplate, no manual cache wiring, no loading-state spaghetti.
- 02 Type-safe client
The client handles the wire
TypeScript · one API client
apiFetch<Response>('/api/v1/…')
Cookie sessions, the CSRF header and a silent refresh-and-retry on 401 live inside one client. Errors come back typed and map straight onto your form fields, localized.
- 03 API edge
The endpoint guards the door
.NET 10 · Minimal API
.RequirePermission().RequireRateLimiting()
Authorization, validation, rate limiting and CSRF are declared on the route as policy, never hand-rolled inside the handler.
- 04 Messaging
Messaging routes the command
Wolverine CQRS · event-driven core
bus.InvokeAsync(command)
The endpoint hands the command to the Wolverine bus, which finds the handler by convention. This is the boundary between the HTTP host and Slicekit.Core: any other host (a CLI, a worker) can dispatch the same command.
- 05 Domain
Your handler runs the logic
Domain-driven design · Slicekit.Core
aggregate.Raise(new ApiKeyCreated(…))
Pure business logic, living in Slicekit.Core with no dependency on the web host. The aggregate enforces its own invariants and raises a domain event to record what happened.
- 06 Persistence
One transaction persists it
PostgreSQL · EF Core
await db.SaveChangesAsync(ct)
State and outgoing messages commit together in a single transaction. No partial writes, no orphaned side effects.
- 07 Async work
Events fan out, reliably
RabbitMQ · transactional outbox
PublishAsync(integrationEvent)
The outbox guarantees at-least-once delivery: events survive crashes and consumers are written idempotent, so a rare redelivery is harmless. Email, search indexing and webhooks react asynchronously, after the request already returned.
One trace, end to end. Every step above is a single OpenTelemetry span tree: follow one click from the button to the database in Grafana.
The backend ships on the modern .NET layout: a readable slicekit.slnx solution file instead of GUID-laden XML, central package management so every NuGet version is pinned once in Directory.Packages.props, and shared build settings in one Directory.Build.props.
03 Security & accounts
The auth surface nobody wants to build twice
This is where templates usually hand-wave. Slicekit ships the mechanisms, named precisely, so you can audit the claims against the code you buy.
Cookie sessions, hardened
Built on ASP.NET Core Identity: tokens live in HttpOnly cookies with CSRF protection on every state-changing request. Refresh tokens rotate in families, so reuse of a stale token is detected as theft and revokes the whole chain.
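Family-based rotation with reuse detection, as an added TypeScript sketch (not Slicekit's code, which is .NET): the in-memory `RefreshTokenStore`, its method names and the status strings are assumptions made for illustration. The server cannot tell which party replayed the stale token, so it revokes the whole family and forces a fresh sign-in.

```typescript
import { createHash, randomBytes } from "node:crypto";

type RotateStatus = "rotated" | "unknown" | "family_revoked" | "reuse_detected";
interface TokenRecord { familyId: string; userId: string; used: boolean }

// Hypothetical in-memory store; a server would keep these rows in its database.
class RefreshTokenStore {
  private tokens = new Map<string, TokenRecord>(); // keyed by SHA-256 of the token
  private revokedFamilies = new Set<string>();

  private key(token: string): string {
    return createHash("sha256").update(token).digest("hex");
  }

  private mint(familyId: string, userId: string): string {
    const token = randomBytes(32).toString("hex");
    this.tokens.set(this.key(token), { familyId, userId, used: false });
    return token;
  }

  // A fresh sign-in starts a new family.
  issue(userId: string): string {
    return this.mint(randomBytes(16).toString("hex"), userId);
  }

  // Exchange a refresh token for its successor in the same family.
  rotate(presented: string): { status: RotateStatus; refreshToken: string | null } {
    const rec = this.tokens.get(this.key(presented));
    if (!rec) return { status: "unknown", refreshToken: null };
    if (this.revokedFamilies.has(rec.familyId)) return { status: "family_revoked", refreshToken: null };
    if (rec.used) {
      // An already-rotated token came back: a stale copy exists. Revoke the family.
      this.revokedFamilies.add(rec.familyId);
      return { status: "reuse_detected", refreshToken: null };
    }
    rec.used = true;
    return { status: "rotated", refreshToken: this.mint(rec.familyId, rec.userId) };
  }
}

// Constructed scenario: t1 is copied, the legitimate client rotates it, then t1 is replayed.
function replayScenario(): RotateStatus[] {
  const store = new RefreshTokenStore();
  const t1 = store.issue("user-1");
  const first = store.rotate(t1);
  const replay = store.rotate(t1);
  const newest = store.rotate(first.refreshToken ?? "");
  const otherSession = store.rotate(store.issue("user-1")); // separate family, unaffected
  return [first.status, replay.status, newest.status, otherSession.status];
}

console.log(replayScenario());
```

Only the digest of each token is stored, so a read of the token table does not yield usable refresh tokens.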
Passkeys and TOTP
WebAuthn passkeys (FIDO2) for passwordless sign-in, TOTP two-factor with QR enrollment and downloadable recovery codes. Both managed by the user, both shipped working.
33 permissions, no roles
Authorization is granular grants, not role guesswork. Endpoints declare their permission as route policy, the UI mirrors the same catalog, and API keys carry their own scoped subset.
Hash-chained audit trail
Every security-relevant action is recorded with actor, resource, outcome and a sequence number. Each entry carries the hash of the previous one, so tampering breaks the chain visibly.
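How a hash chain makes an edit or a deletion visible, as an added TypeScript sketch (not Slicekit's code): SHA-256, the JSON canonical form, the all-zero genesis value and the field and function names are assumptions; only the recorded fields (actor, resource, outcome, sequence number, previous hash) come from the description above.

```typescript
import { createHash } from "node:crypto";

// Field names follow the page's description; the exact schema is an assumption.
interface AuditEntry {
  sequence: number;
  actor: string;
  action: string;
  resource: string;
  outcome: string;
  prevHash: string; // hash of the previous entry
  hash: string;     // hash over this entry's fields, prevHash included
}

const GENESIS = "0".repeat(64); // assumed anchor value for the first entry

function entryHash(e: Omit<AuditEntry, "hash">): string {
  // A JSON array keeps field boundaries unambiguous ("ab"+"c" vs "a"+"bc").
  const canonical = JSON.stringify([e.sequence, e.actor, e.action, e.resource, e.outcome, e.prevHash]);
  return createHash("sha256").update(canonical).digest("hex");
}

function append(log: AuditEntry[], actor: string, action: string, resource: string, outcome: string): AuditEntry[] {
  const prev = log[log.length - 1];
  const body = {
    sequence: prev ? prev.sequence + 1 : 1,
    actor, action, resource, outcome,
    prevHash: prev ? prev.hash : GENESIS,
  };
  return [...log, { ...body, hash: entryHash(body) }];
}

// Index of the first entry that fails verification, or -1 if the chain is intact.
function firstBrokenEntry(log: AuditEntry[]): number {
  let expectedPrev = GENESIS;
  return log.findIndex((e, i) => {
    const intact = e.sequence === i + 1 && e.prevHash === expectedPrev && e.hash === entryHash(e);
    expectedPrev = e.hash; // the next entry must point at this one
    return !intact;
  });
}

// Constructed sample entries, not real audit data.
function buildSampleLog(): AuditEntry[] {
  let log: AuditEntry[] = [];
  log = append(log, "admin-7", "user.disable", "user/42", "success");
  log = append(log, "admin-7", "permission.grant", "user/42", "success");
  log = append(log, "user-42", "session.revoke", "session/9", "success");
  return log;
}

const sample = buildSampleLog();
const edited = sample.map((e, i) => (i === 1 ? { ...e, outcome: "denied" } : e)); // field changed in place
const trimmed = sample.filter((_, i) => i !== 1);                                 // entry removed
console.log(firstBrokenEntry(sample), firstBrokenEntry(edited), firstBrokenEntry(trimmed));
```

A chain like this catches edits by anyone who cannot recompute every later hash; keeping the latest hash somewhere the log writer cannot modify covers the case where they can.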
Impersonation, accountable
Support can act as a user only with a logged reason. The original admin stays in the token as an act claim, and both identities land in the audit trail.
Account emails, all eight templated
Eight transactional emails, ready to send: welcome, email verification, password reset and changed, email-change request and confirmation, a registration attempt on a known address, and a session-theft alert. One responsive, dark-mode Razor layout over any SMTP.
Sessions, revocable per device
Every active session is listed per device in settings, each one revocable on its own or all at once. They sit on the rotating refresh-token families above, so revoking is real, not cosmetic.
Verification and reset by token
New sign-ups verify their email by signed token. Password reset and email change run on single-use, time-boxed tokens, and TOTP recovery codes are one-time and regenerable. No long-lived links, no reusable flows.
The unglamorous rest
Breach-checked passwords (Have I Been Pwned), account lockout with admin unlock, five rate-limit policies, security headers, PII encrypted at rest and reverse-proxy header trust. Done once, correctly.
04 Privacy & GDPR
GDPR tooling built in, not bolted on
The data-subject rights that usually become a panicked sprint before launch (export, erasure, consent) ship as working features, with an architecture test that keeps them honest as your data model grows.
Data export, self-service
Users download everything held about them from the privacy settings, no support ticket needed. The export walks the same personal-data surface the deletion flow erases.
Erasure with anonymization
Account deletion soft-deletes the user and anonymizes the personal fields, so foreign keys and audit history stay intact while the person disappears from the data.
Export and erasure cannot drift
An architecture test fails the build if a personal-data field is exported but not erased, or erased but not exported. Compliance enforced by CI, not by code review memory.
Versioned consent
Registration records which version of the terms and privacy policy the user accepted, and when. Update your legal documents and the consent trail keeps up.
PII encrypted and redacted
Personal fields are encrypted at rest via ASP.NET Data Protection, and a Sensitive attribute keeps them out of audit payloads and logs.
Your infrastructure, your data
Every service in the stack is open source and self-hosted: Postgres, Redis, RabbitMQ, MinIO, the Grafana stack. No third-party data processors by default.
Slicekit ships the technical controls; it is not legal advice. Your privacy policy, data processing agreements and retention choices remain yours.
05 Frontend
The frontend is finished, not a stub
Most templates ship a login page and wish you luck. Slicekit ships the whole account surface: settings, security, sessions, API keys, privacy and a working admin, in two languages, in three themes.
- Full settings area: profile, security, sessions, API keys, privacy
- Finished admin panel: user table, detail view, impersonation, cache controls
- i18n with EN + NL: validation and API errors localized too
- Light, dark and system themes: OKLch tokens, no flash on load
- One typed API client: CSRF header and silent refresh-retry built in
- Forms that speak API: React Hook Form + Zod, server errors map to fields
- Permission-gated UI: the same 33 permissions drive what renders
- Typed file-based routing: TanStack Router with automatic code splitting
- GDPR self-service: data export and account deletion with anonymization
06 Observability & ops
You can see what it's doing in production
Observability is wired in from the first request, not retrofitted after the first incident. The same pipeline carries the audit trail into Loki, where the admin panel queries it.
Three signals, one pipeline
OpenTelemetry traces, metrics and logs flow through the collector to Tempo, Prometheus and Loki. One click in the UI is one span tree in Grafana.
Dashboards and alerts, provisioned
Four Grafana dashboards and six Prometheus alert rules ship preconfigured, with Alertmanager wired for routing. Day-one operations, not a TODO.
Tests that mean something
Unit tests for logic, architecture tests that fail the build when a boundary is crossed, and feature tests that run against a real PostgreSQL via Testcontainers.
CI from the first push
Pull requests build both apps, run the full test suite and scan for vulnerable packages. Main builds a multi-stage Docker image with an attached SBOM and provenance attestation, plus a frontend SBOM, and pushes to GHCR.
Also in the box: OAuth sign-in with Google and GitHub (and room for more providers), file uploads to S3-compatible storage, scheduled background jobs via TickerQ, a typed feature-flag endpoint the SPA reads on boot, and the Astro marketing site you are reading right now, documentation pages and all.
07 Open source
Built on tools you already trust
No proprietary runtime, no vendor SDK you cannot replace. Slicekit composes mainstream open-source projects, each documented upstream and each named here, so you know exactly what you are adopting.
API & domain
- Wolverine: CQRS, messaging & outbox
- ASP.NET Core Identity: identity & password store
- EF Core: ORM & migrations
- Npgsql: PostgreSQL driver for EF Core
- FluentValidation: request validation
- fido2-net-lib: passkeys (WebAuthn)
- FusionCache: caching with Redis backplane
- TickerQ: background jobs
- FluentEmail: Razor email templates
- AWS SDK for .NET: S3-compatible storage client
- Serilog: structured logging
- Scalar: OpenAPI reference UI
Frontend
- React 19: UI runtime
- Vite: build & dev server
- TanStack Router: typed file-based routing
- TanStack Query: server state
- shadcn/ui: components on Radix UI
- Tailwind CSS v4: styling
- React Hook Form: forms
- Zod: schema validation
- i18next: internationalization
- SimpleWebAuthn: passkey ceremonies
- Lucide: icon set
- Sonner: toast notifications
Infrastructure & ops
Testing & quality
The full dependency list ships in the repository manifests. Every main-branch build attaches an SBOM and provenance attestation to the Docker image and generates a separate frontend SBOM.
08 AI-assisted development
A codebase your AI assistant can actually navigate
Coding agents thrive on structure and fail on surprises. Slicekit is shaped so a model, or a new teammate, lands working features instead of guessing. The same things that make it AI-ready make it human-ready.
AGENTS.md routers
Per-side instruction files point an agent at the right conventions before it writes a line. Read natively by Claude Code, Codex, Copilot, Cursor and the rest.
Predictable slices
Every feature has the same shape in the same place. The agent copies a slice and renames it. No hunting across layers, no bespoke wiring.
Types as a safety net
End-to-end TypeScript and C# mean a wrong guess fails at compile time, not in production. The model gets instant, precise feedback.
Tests as guardrails
Architecture tests fail the build when a boundary is crossed. Autonomous edits stay inside the lines you set.
LLM-clean docs
Every docs page is served as raw Markdown at /docs/<slug>.md. Clean context to paste into a model or pull into a tool.
Explicit over clever
Named handlers, obvious folders, no hidden magic. Code written to be read, by the next engineer or the next agent.
09 How it works
Running in minutes, productive in an hour
The template is designed to be cloned and understood quickly. Four steps from zero to your own feature shipping across the stack.
Buy & scaffold
Get your license, then let scripts/new-slicekit.sh clone the template and rename everything (project name, domains, API-key prefix, fresh secrets) across the API, the SPA and this site in one command.
Bring up infrastructure
One docker compose up -d starts Postgres, Redis, RabbitMQ, MinIO and the observability stack.
Run both apps
Start the .NET API and the Vite dev server; hot reload on both, talking over typed HTTP.
Ship your first slice
Copy an existing slice, rename it, and you have a new feature across the whole stack.
# 1. infrastructure
$ docker compose up -d
# 2. the API (http://localhost:5076)
$ dotnet run --project api/src/Slicekit.Api
# 3. the SPA (http://localhost:3003)
$ cd frontend && pnpm dev
✓ api ready · ✓ spa ready · ✓ otel streaming
fig. 02 · from clone to running stack in three commands
Gerwin Kuijntjes
Certified Software Engineer
- Engineer-architected
- Human-reviewed
- Tested & typed
Why I built Slicekit
I'm Gerwin, a certified software engineer. On project after project I rebuilt the same foundation: authentication, an audited admin, observability, the typed client between an API and its UI. Every time, the first month went to plumbing instead of the product.
Slicekit is the foundation I wish I'd had. The decisions are made, the hard parts are solved, and the boring 80% is already shipped, with tens of hours of optimization on top to get the defaults, the performance and the developer experience right. You start on the 20% that is actually your product.
It is built with AI in the loop, never on autopilot. AI accelerates the typing; the architecture, the boundaries and the accountability are mine. Architecture tests enforce the structure, integration tests run against a real database, and nothing ships unread. Accelerated craftsmanship, not AI slop.
10 Pricing
One license. Yours to ship.
Buy Slicekit once and the entire stack is yours: no subscription, no per-seat metering on what you build, no platform to depend on. The auth surface alone (passkeys, TOTP, OAuth, sessions and an audited admin) is weeks of specialist work to get right; here it is finished, for a one-time $299.
Lifetime license
$299 one-time
Commercial license · One developer
- Full source for the .NET 10 API, React 19 SPA and this landing page
- Auth done: passkeys, TOTP, OAuth, sessions, 33 permissions
- Finished admin: users, impersonation, audit log, cache
- Event-driven core: CQRS, outbox, RabbitMQ integration events
- Observability: OTel, Grafana dashboards, alerts, audit trail
- Infra & CI: Docker Compose, GitHub Actions, 4 test projects
- Lifetime updates and the complete documentation
14-day money-back guarantee
Building with a team or need to white-label? Talk to us about team licensing.
FAQ
Questions before you buy
The licensing, updates and refund details, in plain terms. Anything else, email us.
What exactly do I get when I buy?
Access to the private Git repository with the full source: the .NET 10 API, the React 19 SPA, this marketing site and the documentation. You clone it, run scripts/new-slicekit.sh to rename everything to your product, and it is yours to build on.
What does the one-developer license allow?
One developer builds with it, on unlimited products of your own, including paid client work. You cannot resell or redistribute Slicekit itself as a template or starter kit. Extra seats or white-labelling are a quick email away.
Is it really one-time? Any subscription or per-seat fees?
One-time. No subscription, no recurring fee, and no per-seat metering on the users or revenue of what you ship. You buy the source once and own your copy.
What do 'lifetime updates' include, and how do I pull them in?
You keep access to the repository and every update pushed to it: dependency bumps, new slices, security fixes. Because it is plain Git, you add Slicekit as an upstream remote and merge updates on your own schedule, resolving against your changes like any other branch.
Do I need to be a .NET expert to use it?
No. Every feature follows the same vertical-slice shape in the same place, the docs walk through adding one, and the per-side AGENTS.md files orient new engineers and AI agents alike. If you know C# and TypeScript, you will be productive quickly.
Can my AI coding assistant work in this codebase?
Yes, by design. Per-side AGENTS.md routers, predictable slices, end-to-end types and architecture tests give tools like Claude Code, Codex, Copilot and Cursor the structure they need to land working changes instead of guessing.
What if it is not for me?
There is a 14-day money-back guarantee. If Slicekit does not fit your project, email within 14 days of purchase for a full refund.
From the blog
Notes on the build
Engineering decisions, architecture deep-dives and product updates from the people building the template.
- We do not ship MediatR. Here is what we ship instead, and the catch
  Why Slicekit builds on Wolverine instead of MediatR-plus-a-bus, the 2024-25 licensing shift that makes it a buying concern, and an honest look at what you give up.
- Assume the token is stolen: passkeys, cookies and refresh-token rotation
  Start from the worst case, a credential already in the wrong hands, and work backward: passkeys with no stealable secret, HttpOnly cookies XSS cannot read, and family-based refresh-token rotation as a tripwire.
- CQRS is not your mediator, and the outbox is not magic
  Two misconceptions trip up most CQRS posts: that routing commands through a mediator is CQRS, and that an outbox gives exactly-once delivery. Here is what each pattern actually is, and what Slicekit relies on.
Own the foundation, ship the product
Slicekit hands you the essential 80% of a SaaS (event-driven architecture, enterprise auth, a finished admin panel, observability and CI) wired together and tested. Buy it once and spend your time on the 20% that is your product.