Stop rebuilding the same .NET plumbing. Ship your SaaS instead.
Almost every SaaS starter is Node. Slicekit is the serious one for .NET, with auth, a finished admin, GDPR tooling and observability already built. Start on the 20% that is actually your product.
fig. 01 · the shipped admin user detail page, captured from the running template
Bill of materials
- .NET 10 · Minimal API
- PostgreSQL · EF Core
- RabbitMQ · messaging + outbox
- React 19 · Vite + TypeScript
- TanStack · Router + Query
- Tailwind v4 · shadcn/ui
- 33 granular permissions: user and admin, mirrored in the UI, scoped per API key
- 64 API endpoints: auth, account, admin and API keys, documented in OpenAPI
- 2 UI languages: English and Dutch shipped, the i18n pattern takes more
- 4 test projects: unit, architecture, feature (real Postgres) and API
Every number above is countable in the source you receive. No invented hour-savings math.
No testimonials yet, and that's fine
Don't take my word for it. Check it yourself.
Slicekit is early, so there are no logos to parade. Instead, everything you need to judge it is open before you buy: the running app, the full documentation and every dependency named.
The live demo
Sign in and click through the real admin and account surface.
The full docs
Every how-to that ships with the template, public and searchable.
The API reference
The live OpenAPI / Scalar reference for all 64 endpoints.
The whole stack, named
Every open-source package listed and linked upstream, nothing hidden.
01 The product
Real screens from the running template
Every screenshot below is captured from the app you receive, light and dark, with the capture script included so you can re-shoot them as you make it yours.
The admin panel ships finished: a sortable, paginated user table with account state, last login and a detail view per user.
Per user: enable or disable the account, grant or revoke individual permissions, revoke sessions, manage API keys, read the audit history, or impersonate with a logged reason.
Authorization is granular grants, not roles. The full catalog of 33 permissions, grouped and individually toggleable, with one-click presets, read-only flags, and the same set scoped per API key.
Every security-relevant action lands in a hash-chained audit trail. Filter by category, action, outcome and date, or jump straight into Grafana.
Users manage their own security: password and email changes, TOTP two-factor, passkeys, and linked OAuth accounts, all wired to the API.
TOTP enrollment with QR code, manual secret and downloadable recovery codes. Disable and regenerate flows are included too.
Scoped API keys with per-key permissions, optional expiry, one-time reveal, rotation and last-used tracking.
Active sessions per device, with one-click revocation. Refresh tokens rotate in families, so a stolen token revokes the whole chain.
GDPR self-service: users export everything held about them as JSON or delete their account, which anonymizes personal data while keeping referential integrity.
02 Architecture
Watch one feature travel the whole stack
Slicekit is built on vertical slice architecture: code is organised by feature, not by technical layer, so everything one use case needs lives in one folder you can read, change or delete in one place. The pattern applies on both sides of the wire, and the architecture overview walks the whole thing end to end.
A feature in Slicekit is a single slice, from the button to the database and back. Here is the exact path a request takes, the technology at each step, and the short list of files you actually write to add one.
Each slice is split in two: your feature logic lives in Slicekit.Core, and the web layer is a thin adapter on top. That separation is deliberate. Stand up a CLI, a background worker or a scheduled job and it reuses the same core code with no web server involved. Errors come back in one predictable shape, so the SPA maps each one straight to the field or message that caused it.
Organised by layer
One feature cuts through every layer. To change it you touch four places.
Organised by feature
One feature is one column. Read it, change it or delete it in one place.
- 01 Frontend
You call one typed hook
React 19 · TanStack Query
useCreateApiKey()
Your component calls a single hook. No fetch boilerplate, no manual cache wiring, no loading-state spaghetti.
- 02 Type-safe client
The client handles the wire
TypeScript · one API client
apiFetch<Response>('/api/v1/…')
Cookie sessions, the CSRF header and a silent refresh-and-retry on 401 live inside one client. Errors come back typed and map straight onto your form fields, localized.
- 03 API edge
The endpoint guards the door
.NET 10 · Minimal API
.RequirePermission().RequireRateLimiting()
Authorization, validation, rate limiting and CSRF are declared on the route as policy, never hand-rolled inside the handler.
- 04 Messaging
Messaging routes the command
Wolverine CQRS · event-driven core
bus.InvokeAsync(command)
The endpoint hands the command to the Wolverine bus, which finds the handler by convention. This is the boundary between the HTTP host and Slicekit.Core: any other host (a CLI, a worker) can dispatch the same command.
- 05 Domain
Your handler runs the logic
Domain-driven design · Slicekit.Core
aggregate.Raise(new ApiKeyCreated(…))
Pure business logic, living in Slicekit.Core with no dependency on the web host. The aggregate enforces its own invariants and raises a domain event to record what happened.
- 06 Persistence
One transaction persists it
PostgreSQL · EF Core
await db.SaveChangesAsync(ct)
State and outgoing messages commit together in a single transaction. No partial writes, no orphaned side effects.
- 07 Async work
Events fan out, reliably
RabbitMQ · transactional outbox
PublishAsync(integrationEvent)
The outbox guarantees at-least-once delivery: events survive crashes and consumers are written to be idempotent, so a rare redelivery is harmless. Email, search indexing and webhooks react asynchronously, after the request already returned.
One trace, end to end. Every step above is a single OpenTelemetry span tree: follow one click from the button to the database in Grafana.
The backend ships on the modern .NET layout: a readable slicekit.slnx solution file instead of GUID-laden XML, central package management so every NuGet version is pinned once in Directory.Packages.props, and shared build settings in one Directory.Build.props.
03 Security & accounts
The auth surface nobody wants to build twice
This is where templates usually hand-wave. Slicekit ships the mechanisms, named precisely, so you can audit the claims against the code you buy.
Cookie sessions, hardened
Built on ASP.NET Core Identity: tokens live in HttpOnly cookies with CSRF protection on every state-changing request. Refresh tokens rotate in families, so reuse of a stale token is detected as theft and revokes the whole chain.
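The reuse-detection rule described above, as an added example that is not Slicekit's own code: an in-memory model of family-based refresh-token rotation. The type names, the 14-day lifetime and the SHA-256 token hashing are assumptions made for this sketch.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Constructed scenario: one sign-in, one legitimate rotation, then a replay.
var store = new RefreshTokenStore();
var now = DateTimeOffset.UtcNow;
string t1 = store.Issue(now);                  // sign-in starts a new family
var (first, t2) = store.Redeem(t1, now);       // client rotates t1 into t2
var (replay, _) = store.Redeem(t1, now);       // stale t1 is presented again
var (latest, _) = store.Redeem(t2!, now);      // the newest token of the family
Console.WriteLine($"{first} / {replay} / {latest}");

public enum RefreshOutcome { Rotated, Unknown, Expired, ReuseDetected, FamilyRevoked }

// Hypothetical store; a real one persists entries and performs the
// "mark used + mint successor" step atomically in one database transaction.
public sealed class RefreshTokenStore
{
    private sealed record Entry(Guid FamilyId, DateTimeOffset ExpiresAt)
    {
        public bool Used { get; set; }
    }

    private readonly Dictionary<string, Entry> _byHash = new();
    private readonly HashSet<Guid> _revokedFamilies = new();

    // Only a hash is stored, so a leaked table does not contain usable tokens.
    private static string Hash(string token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));

    private string Mint(Guid familyId, DateTimeOffset now)
    {
        string token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        _byHash[Hash(token)] = new Entry(familyId, now.AddDays(14)); // assumed lifetime
        return token;
    }

    public string Issue(DateTimeOffset now) => Mint(Guid.NewGuid(), now);

    public (RefreshOutcome Outcome, string? NewToken) Redeem(string presented, DateTimeOffset now)
    {
        if (!_byHash.TryGetValue(Hash(presented), out var entry))
            return (RefreshOutcome.Unknown, null);
        if (_revokedFamilies.Contains(entry.FamilyId))
            return (RefreshOutcome.FamilyRevoked, null);
        if (entry.Used)
        {
            // An already-rotated token came back: either the client or a thief
            // holds a stale copy, so every token in the family is revoked.
            _revokedFamilies.Add(entry.FamilyId);
            return (RefreshOutcome.ReuseDetected, null);
        }
        if (entry.ExpiresAt <= now)
            return (RefreshOutcome.Expired, null);

        entry.Used = true;                      // each token is redeemable once
        return (RefreshOutcome.Rotated, Mint(entry.FamilyId, now));
    }
}
```

The replay of `t1` is what revokes the family, so the still-unused `t2` is rejected afterwards no matter which party holds it; the user has to sign in again.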
Passkeys and TOTP
WebAuthn passkeys (FIDO2) for passwordless sign-in, TOTP two-factor with QR enrollment and downloadable recovery codes. Both managed by the user, both shipped working.
33 permissions, no roles
Authorization is granular grants, not role guesswork. Endpoints declare their permission as route policy, the UI mirrors the same catalog, and API keys carry their own scoped subset.
Hash-chained audit trail
Every security-relevant action is recorded with actor, resource, outcome and a sequence number. Each entry carries the hash of the previous one, so tampering breaks the chain visibly.
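A verifier for a chain of this shape, as an added example that is not Slicekit's own code: the record layout, the length-prefixed field encoding, SHA-256 and the all-zero genesis value are assumptions, and the sample entries are constructed.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

static string Report(long? broken) => broken is null ? "intact" : $"broken at #{broken}";

// Constructed sample trail.
var log = new List<AuditEntry>();
AuditChain.Append(log, "admin:1", "user:42", "permission.grant", "success");
AuditChain.Append(log, "admin:1", "user:42", "session.revoke", "success");
AuditChain.Append(log, "user:42", "apikey:7", "apikey.create", "denied");
Console.WriteLine(Report(AuditChain.FirstBrokenSequence(log)));

// Edit one field in place without recomputing hashes.
var edited = new List<AuditEntry>(log);
edited[1] = edited[1] with { Outcome = "failure" };
Console.WriteLine(Report(AuditChain.FirstBrokenSequence(edited)));

// Delete a middle entry: the sequence gap and the previous-hash link both fail.
var deleted = new List<AuditEntry>(log);
deleted.RemoveAt(1);
Console.WriteLine(Report(AuditChain.FirstBrokenSequence(deleted)));

// Drop the newest entry: the remaining chain still verifies on its own.
var truncated = new List<AuditEntry>(log);
truncated.RemoveAt(truncated.Count - 1);
Console.WriteLine(Report(AuditChain.FirstBrokenSequence(truncated)));

public sealed record AuditEntry(long Sequence, string Actor, string Resource,
    string Action, string Outcome, string PreviousHash, string Hash);

public static class AuditChain
{
    public static readonly string Genesis = new string('0', 64);

    // Length-prefix every field so ("ab","c") and ("a","bc") cannot hash alike.
    private static string Compute(long seq, string actor, string resource,
        string action, string outcome, string previousHash)
    {
        var sb = new StringBuilder();
        foreach (var field in new[] { seq.ToString(), actor, resource, action, outcome, previousHash })
            sb.Append(field.Length).Append(':').Append(field).Append('|');
        return Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(sb.ToString())));
    }

    public static void Append(List<AuditEntry> log, string actor, string resource,
        string action, string outcome)
    {
        long seq = log.Count + 1;
        string prev = log.Count == 0 ? Genesis : log[^1].Hash;
        log.Add(new AuditEntry(seq, actor, resource, action, outcome, prev,
            Compute(seq, actor, resource, action, outcome, prev)));
    }

    // Sequence number of the first entry that fails verification, or null.
    public static long? FirstBrokenSequence(IReadOnlyList<AuditEntry> log)
    {
        string expectedPrev = Genesis;
        for (int i = 0; i < log.Count; i++)
        {
            var e = log[i];
            bool ok = e.Sequence == i + 1
                && e.PreviousHash == expectedPrev
                && e.Hash == Compute(e.Sequence, e.Actor, e.Resource, e.Action, e.Outcome, e.PreviousHash);
            if (!ok) return e.Sequence;
            expectedPrev = e.Hash;
        }
        return null;
    }
}
```

The last case shows what a bare chain cannot catch: removing entries from the tail, or rewriting an entry and recomputing every hash after it, leaves a chain that verifies. Detecting that requires comparing the newest hash and sequence number against a copy kept somewhere the writer of the log cannot modify.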
Impersonation, accountable
Support can act as a user only with a logged reason. The original admin stays in the token as an act claim, and both identities land in the audit trail.
Account emails, all eight templated
Eight transactional emails, ready to send: welcome, email verification, password reset and changed, email-change request and confirmation, a registration attempt on a known address, and a session-theft alert. One responsive, dark-mode Razor layout over any SMTP.
Sessions, revocable per device
Every active session is listed per device in settings, each one revocable on its own or all at once. They sit on the rotating refresh-token families above, so revoking is real, not cosmetic.
Verification and reset by token
New sign-ups verify their email by signed token. Password reset and email change run on single-use, time-boxed tokens, and TOTP recovery codes are one-time and regenerable. No long-lived links, no reusable flows.
The unglamorous rest
Breach-checked passwords (Have I Been Pwned), account lockout with admin unlock, five rate-limit policies, security headers, PII encrypted at rest and reverse-proxy header trust. Done once, correctly.
Read the full details in the docs: Authentication, Audit trail, Permissions.
04 Privacy & GDPR
GDPR tooling built in, not bolted on
The data-subject rights that usually become a panicked sprint before launch (export, erasure, consent) ship as working features, with an architecture test that keeps them honest as your data model grows.
Data export, self-service
Users download everything held about them from the privacy settings, no support ticket needed. The export walks the same personal-data surface the deletion flow erases.
Erasure with anonymization
Account deletion soft-deletes the user and anonymizes the personal fields, so foreign keys and audit history stay intact while the person disappears from the data.
Export and erasure cannot drift
An architecture test fails the build if a personal-data field is exported but not erased, or erased but not exported. Compliance enforced by CI, not by code review memory.
Versioned consent
Registration records which version of the terms and privacy policy the user accepted, and when. Update your legal documents and the consent trail keeps up.
PII encrypted and redacted
Personal fields are encrypted at rest via ASP.NET Data Protection, and a Sensitive attribute keeps them out of audit payloads and logs.
Your infrastructure, your data
Every service in the stack is open source and self-hosted: Postgres, Redis, RabbitMQ, MinIO, the Grafana stack. No third-party data processors by default.
Read the full details in the docs: Data export and erasure, Personal data model.
Slicekit ships the technical controls; it is not legal advice. Your privacy policy, data processing agreements and retention choices remain yours.
05 Frontend
The frontend is finished, not a stub
Most templates ship a login page and wish you luck. Slicekit ships the whole account surface: settings, security, sessions, API keys, privacy and a working admin, in two languages, in three themes.
Read the full details in the docs: Frontend overview, Frontend permissions, Internationalization.
- Full settings area: profile, security, sessions, API keys, privacy
- Finished admin panel: user table, detail view, impersonation, cache controls
- i18n with EN + NL: validation and API errors localized too
- Light, dark and system themes: OKLch tokens, no flash on load
- One typed API client: CSRF header and silent refresh-retry built in
- Forms that speak API: React Hook Form + Zod, server errors map to fields
- Permission-gated UI: the same 33 permissions drive what renders
- Typed file-based routing: TanStack Router with automatic code splitting
- GDPR self-service: data export and account deletion with anonymization
06 Observability & ops
You can see what it's doing in production
Observability is wired in from the first request, not retrofitted after the first incident. The same pipeline carries the audit trail into Loki, where the admin panel queries it.
Three signals, one pipeline
OpenTelemetry traces, metrics and logs flow through the collector to Tempo, Prometheus and Loki. One click in the UI is one span tree in Grafana.
Dashboards and alerts, provisioned
Four Grafana dashboards and six Prometheus alert rules ship preconfigured, with Alertmanager wired for routing. Day-one operations, not a TODO.
Tests that mean something
Unit tests for logic, architecture tests that fail the build when a boundary is crossed, and feature tests that run against a real PostgreSQL via Testcontainers.
CI from the first push
Pull requests build both apps, run the full test suite and scan for vulnerable packages. Main builds a multi-stage Docker image with an attached SBOM and provenance attestation, plus a frontend SBOM, and pushes to GHCR.
Read the full details in the docs: Deployment, Configuration, Testing.
Also in the box: OAuth sign-in with Google and GitHub (and room for more providers), file uploads to S3-compatible storage, scheduled background jobs via TickerQ, a typed feature-flag endpoint the SPA reads on boot, and the Astro marketing site you are reading right now, documentation pages and all.
07 Open source
Built on tools you already trust
No proprietary runtime, no vendor SDK you cannot replace. Slicekit composes mainstream open-source projects, each documented upstream and each named here, so you know exactly what you are adopting.
API & domain
- Wolverine: CQRS, messaging & outbox
- ASP.NET Core Identity: identity & password store
- EF Core: ORM & migrations
- Npgsql: PostgreSQL driver for EF Core
- FluentValidation: request validation
- fido2-net-lib: passkeys (WebAuthn)
- FusionCache: caching with Redis backplane
- TickerQ: background jobs
- FluentEmail: Razor email templates
- AWS SDK for .NET: S3-compatible storage client
- Serilog: structured logging
- Scalar: OpenAPI reference UI
Frontend
- React 19: UI runtime
- Vite: build & dev server
- TanStack Router: typed file-based routing
- TanStack Query: server state
- shadcn/ui: components on Radix UI
- Tailwind CSS v4: styling
- React Hook Form: forms
- Zod: schema validation
- i18next: internationalization
- SimpleWebAuthn: passkey ceremonies
- Lucide: icon set
- Sonner: toast notifications
Infrastructure & ops
Testing & quality
The full dependency list ships in the repository manifests. Every main-branch build attaches an SBOM and provenance attestation to the Docker image and generates a separate frontend SBOM.
08 AI-assisted development
A codebase your AI assistant can actually navigate
Coding agents thrive on structure and fail on surprises. Slicekit is shaped so a model, or a new teammate, lands working features instead of guessing. The same things that make it AI-ready make it human-ready.
AGENTS.md routers
Per-side instruction files point an agent at the right conventions before it writes a line. Read natively by Claude Code, Codex, Copilot, Cursor and the rest.
Predictable slices
Every feature has the same shape in the same place. The agent copies a slice and renames it. No hunting across layers, no bespoke wiring.
Types as a safety net
End-to-end TypeScript and C# mean a wrong guess fails at compile time, not in production. The model gets instant, precise feedback.
Tests as guardrails
Architecture tests fail the build when a boundary is crossed. Autonomous edits stay inside the lines you set.
LLM-clean docs
Every docs page is served as raw Markdown at /docs/<slug>.md. Clean context to paste into a model or pull into a tool.
Explicit over clever
Named handlers, obvious folders, no hidden magic. Code written to be read, by the next engineer or the next agent.
09 How it works
Running in minutes, productive in an hour
The template is designed to be cloned and understood quickly. Four steps from zero to your own feature shipping across the stack.
Buy & scaffold
Get your license, then let new.sh clone the template and rename everything (project name, domains, API-key prefix, fresh secrets) across the API, the SPA and this site in one command.
Bring up infrastructure
One docker compose up -d starts Postgres, Redis, RabbitMQ, MinIO and the observability stack.
Run both apps
Start the .NET API and the Vite dev server; hot reload on both, talking over typed HTTP.
Ship your first slice
Copy an existing slice, rename it, and you have a new feature across the whole stack.
# 0. scaffold your own project (renames everything)
$ curl -fsSL https://slicekit.dev/scripts/new.sh | bash -s -- --name MyApp
# 1. infrastructure
$ docker compose up -d
# 2. the API (http://localhost:5076)
$ dotnet run --project api/src/Slicekit.Api
# 3. the SPA (http://localhost:3003)
$ cd frontend && pnpm dev
✓ api ready · ✓ spa ready · ✓ otel streaming
fig. 02 · from scaffold to running stack in four commands
Gerwin Kuijntjes
Certified Software Engineer
- Engineer-architected
- Human-reviewed
- Tested & typed
Why I built Slicekit
I'm Gerwin, a certified software engineer. On project after project I rebuilt the same foundation: authentication, an audited admin, observability, the typed client between an API and its UI. And the moment one went to production in the EU (where I live), it had to satisfy GDPR (data export, deletion, consent), so that got built too. Every time, the first month went to plumbing instead of the product.
Slicekit is the foundation I wish I'd had. The decisions are made, the hard parts are solved, and the boring 80% is already shipped, with tens of hours of optimization on top to get the defaults, the performance and the developer experience right. You start on the 20% that is actually your product.
Every line is verified, not just written. Architecture tests enforce the boundaries, integration tests run against a real database, and nothing ships unread. The architecture, the decisions and the accountability are mine.
10 Pricing
Buy once. Own the source. Ship.
No subscription, no per-seat metering on what you build, no platform to depend on. The auth surface alone (passkeys, TOTP, OAuth, sessions and an audited admin) is weeks of specialist work to get right. Here it is finished, for a one-time €149 (excl. VAT).
Early-bird pricing for the first 100 customers. The price rises after that.
Solo license
€149 €279
Early bird · 47% off · first 100
one-time · excl. VAT · Commercial license · One developer
One developer, unlimited products of your own (including paid client work).
- Full source: .NET 10 API, React 19 SPA, landing page
- Auth: passkeys, TOTP, OAuth, sessions, 33 permissions
- Finished admin: users, impersonation, audit log
- Event-driven core: CQRS, outbox, RabbitMQ
- Observability: OpenTelemetry, Grafana, alerts
- Infra & CI: Docker Compose, GitHub Actions, tests
- Lifetime updates and full documentation
Team license
€399 €749
Early bird · 47% off · first 100
one-time · excl. VAT · Commercial license · Up to 5 developers
Your whole team. Built to resell client work on.
- Everything in Solo, for up to 5 developers
- Use across unlimited client and internal projects
- Priority email support from the author
14-day money-back guarantee: email within 14 days for a full refund, no questions asked.
Need more than 5 seats or something custom? Email me.
FAQ
Questions before you buy
The licensing, updates and refund details, in plain terms. Anything else, email us.
Can I evaluate it before I buy?
Yes, and you should. The live demo lets you sign in and explore the real admin and account surface: user management, impersonation, audit logs, sessions, passkeys and all the settings screens. The full documentation is public and searchable. The OpenAPI reference lists every endpoint with request and response schemas, and you can run calls against the live demo API. The landing site and the docs you are reading now ship in the box as a static Astro project, so you can judge the code approach from what is already in front of you. Buy when you are confident.
What exactly do I get when I buy?
Access to the private Git repository with the full source: the .NET 10 API, the React 19 SPA, this marketing site and the documentation. You clone it, run scripts/new.sh to rename everything to your product, and it is yours to build on.
Is this production-ready or a proof of concept?
It is a starting point for a production system, not a toy. The stack is standard and deliberately boring: .NET 10, EF Core on PostgreSQL, RabbitMQ for messaging. The auth surface ships with breach-checked passwords, rotating refresh tokens, CSRF protection and a hash-chained audit trail. Four test projects cover unit logic, architecture boundaries, feature tests against a real database via Testcontainers and API contracts. GitHub Actions builds a Docker image with an SBOM and a vulnerability scan on every push to main. Nothing in here is a shortcut you will regret at scale.
Is the code AI-generated?
No. Every architectural decision was made by an engineer, every pattern has a reason, and every line was reviewed before it shipped. AI tools are used the way any working developer uses them today: for speed on mechanical tasks. The design, the trade-offs and the accountability are human. The AGENTS.md files and the docs explain the reasoning behind each pattern. The architecture tests enforce the boundaries so the codebase stays honest as it grows.
How is this different from ABP Framework or other .NET boilerplates?
ABP is a framework you build on: it has a proprietary runtime, its own abstractions and an upgrade path you must follow. Slicekit is source code you own. No framework to depend on, no SDK to call, no license server that needs to stay online. You get standard .NET 10, standard EF Core, standard ASP.NET Core Identity. Read it, rename it, delete what you do not need. From that point it is just your code. The patterns are documented and enforced by tests, not locked behind a library.
Do I need to be a .NET expert to use it?
No. Every feature follows the same vertical-slice shape in the same place, the docs walk through adding one, and the per-side AGENTS.md files orient new engineers and AI agents alike. If you know C# and TypeScript, you will be productive quickly.
Can my AI coding assistant work in this codebase?
Yes, by design. Per-side AGENTS.md routers, predictable slices, end-to-end types and architecture tests give tools like Claude Code, Codex, Copilot and Cursor the structure they need to land working changes instead of guessing.
What does the Solo license allow, and when do I need Team?
The Solo license lets one developer build on unlimited products of your own, including paid client work. You cannot resell or redistribute Slicekit itself as a template or starter kit. The Team license covers up to five developers. Need more than five seats or something custom? Email me.
Is it really one-time? Any subscription or per-seat fees?
One-time. No subscription, no recurring fee, and no per-seat metering on the users or revenue of what you ship. You buy the source once and own your copy.
What do 'lifetime updates' include, and how do I pull them in?
You keep access to the repository and every update pushed to it: dependency bumps, new slices, security fixes. Because it is plain Git, you add Slicekit as an upstream remote and merge updates on your own schedule, resolving against your changes like any other branch.
What if Slicekit shuts down or stops being maintained?
Nothing changes for your product. You have the full source: there is no runtime to depend on, no hosted service your app calls, nothing that needs to stay online for your product to work. If updates stop arriving tomorrow, your codebase is unchanged. Even in the worst case you already have everything you bought on your own machine from the first clone.
What if it is not for me?
There is a 14-day money-back guarantee, no questions asked. If Slicekit does not fit your project, email within 14 days of purchase and I refund you in full. The demo, the docs and this page are all public so you can judge most of it before you ever pay.
From the blog
Notes on the build
Engineering decisions, architecture deep-dives and product updates from the people building the template.
- We do not ship MediatR. Here is what we ship instead, and the catch
Why Slicekit builds on Wolverine instead of MediatR-plus-a-bus, the 2024-25 licensing shift that makes it a buying concern, and an honest look at what you give up.
- Assume the token is stolen: passkeys, cookies and refresh-token rotation
Start from the worst case, a credential already in the wrong hands, and work backward: passkeys with no stealable secret, HttpOnly cookies XSS cannot read, and family-based refresh-token rotation as a tripwire.
- CQRS is not your mediator, and the outbox is not magic
Two misconceptions trip up most CQRS posts: that routing commands through a mediator is CQRS, and that an outbox gives exactly-once delivery. Here is what each pattern actually is, and what Slicekit relies on.
Own the foundation, ship the product
Slicekit hands you the 80% of a .NET SaaS that is the same every time (event-driven architecture, enterprise auth, a finished admin panel, observability and CI) wired together and tested. Buy it once and spend your first month on the 20% that is actually your product.