What Slicekit includes
A map of what ships in the box: the foundations every SaaS needs, already assembled and tested, with a guide for each.
The foundation, already built
Slicekit is not an empty repo with a framework bolted on. It is a working system: the parts every SaaS needs are assembled, wired together and tested, so your first commit is a feature instead of plumbing. This page is the map. Each capability links to the guide that shows you how to use and extend it.
Identity and access
- Cookie sessions with CSRF. Server-side sessions backed by Redis, not bearer tokens in the browser. See authentication.
- Roles and permissions. A typed Allow permission catalogue enforced on endpoints and mirrored to the SPA. See adding a permission and permissions in the UI.
- OAuth providers. Sign in with external providers alongside the cookie session. See adding an OAuth provider.
- Two-factor authentication. TOTP enrollment, verification and recovery codes. See two-factor authentication.
- Admin impersonation. Support staff can act as a user, with the action recorded. See impersonation.
The architecture
- Vertical slices. One feature, one folder; no layered free-for-all. See adding a vertical slice and the architecture overview.
- Domain-driven design. Aggregates own their invariants and raise events. See domain-driven design.
- CQRS over Wolverine. Commands, queries and a message bus, with handlers discovered automatically. See CQRS and domain events.
- Reliable messaging. A transactional outbox makes integration events safe to publish. See domain and integration events.
- A shared error taxonomy. Result<T> and AppError map cleanly onto ProblemDetails responses. See error handling.
Data and operations on data
- PostgreSQL with EF Core. Migrations apply on start in development and as a deploy step in production. See adding a database migration.
- Pagination. Shared primitives for paged, sortable lists end to end. See pagination.
- File storage. An S3-compatible abstraction, MinIO locally and any bucket in production. See file storage.
- Auditing. Emit “who did what” events that flow to Loki and an admin audit log. See auditing.
- GDPR tooling. Per-user data export and erasure built in. See data export and GDPR.
The frontend
- A typed React SPA. Vite, TanStack Router and Query, and shadcn/ui. See frontend overview.
- One typed API client. Cookies and CSRF handled for you, wrapped in TanStack Query. See the typed API client.
- Forms. React Hook Form and Zod, wired to the client and its server-side validation errors. See building a form.
- Internationalisation. Namespaced translations and a language switcher. See adding a language.
Production concerns
- Rate limiting. Named policies you apply per endpoint. See rate limiting.
- API versioning. Add a v2 without breaking existing clients. See adding an API version.
- Observability. Traces, metrics and logs over OpenTelemetry into Grafana. See observability.
- Configuration by environment variable. Placeholders in appsettings.json, secrets injected from the environment. See configuration.
- Deployment and reverse proxy. Standard images, OTLP exporters, forwarded-header support. See deployment and reverse proxy.
- CI. GitHub Actions builds, tests and lints both sides on every push.
Working in it
- Testing. A fast unit and architecture suite, plus Testcontainers integration tests. See testing a feature.
- Removing what you do not need. A clean recipe for deleting a slice across both sides. See removing a feature.
- AI-assisted development. AGENTS.md routers and per-side conventions so coding agents have the context they need. See AI-assisted development.
Ready to run it? Start with getting started.