← Unlock Integrations Visit UnlockSFX ↗
System case study · UnlockSFX

Anatomy of a one-person
sound-effects studio.

UnlockSFX is a game-audio studio shipped by a solo developer: an AI web app that generates game-ready sound effects from a text prompt, a native desktop app (Forge) that makes them offline, and a public API that drives editor plugins. This is what it's actually built from — every service it talks to, the database underneath it, and everything it takes to stand up from an empty repo.

2
Products
6
External services
13
DB tables
12
Migrations
~19
Env secrets
01

What it is

Three surfaces, one backend

AI web app

The site at unlocksfx.com. Describe a sound, get a royalty-free clip in seconds. Credit-metered (≈1 credit / 5s), Stripe-billed, with a library, projects, and an admin ops dashboard.

Next.js · React

Forge desktop

A tiny native Windows app (Tauri). No AI, fully offline — a procedural synth plus a Sample Lab to import and reshape your own audio. Sold once for $9.99 with an offline license key + 75 bonus AI credits.

Tauri · Rust

Editor plugins

Godot & Unity add-ons that generate SFX without leaving the editor, calling the public API with user-issued keys.

GDScript · C#
02

All the connections

Clients → app → services
Clients Application · Vercel Services Web browser Forge desktop Godot / Unity plugins Next.js 16 app marketing · auth · app · public API · billing webhooks SupabaseAuth · PostgresStorage StripeCheckoutWebhooks ElevenLabsText→SFX AI ResendEmail CloudflareDNS · TurnstileCRM worker
request data / fulfilment Stripe webhook → app CRM worker → own schema
03

The stack

Deployed on Vercel from GitHub main

Application

Next.js 16 (App Router) · React 19 · TypeScript · Tailwind CSS v4. Server Actions for mutations, route handlers for the webhook & public API, shadcn-style local UI primitives, Zod validation.

nextreactzodlucide-reacttailwind-mergeclsx

Integrations SDK layer

Thin, swappable providers: a pluggable audio-provider interface (mock for local dev, ElevenLabs in prod), the Stripe SDK, and the Supabase SSR client for auth-aware server + browser access.

stripe@supabase/ssr@supabase/supabase-jsserver-only
04

External services

What each does · and why it's there

core Supabase

The whole backend: email/password auth, a Postgres database, and storage (a private bucket for generated audio, a public one hosting the Forge installer).

core Vercel

Hosting. GitHub main auto-deploys — no config file, Next.js is auto-detected. Production env + secrets live here, scoped to production.

money Stripe

One-time payments — credit packs and the Forge license — via Checkout. A signed webhook fulfils each purchase (grant credits, mint license, email key).

audio ElevenLabs

The AI engine — text-to-sound-effects generation. Metered per second; the app tracks estimated provider cost per job for margin. A free mock provider runs the whole app locally with no key.

email Resend

Transactional email — the Forge license key on purchase — from a verified unlocksfx.com domain. Also backs Supabase Auth's signup/reset emails over SMTP.

edge Cloudflare

DNS for the domain, Turnstile CAPTCHA against signup abuse, and a Worker that writes leads into a locked-down, isolated schema.

Plus a self-hosted licensing primitive — Ed25519 signing where the server holds the private key and the shipped Forge app verifies offline against an embedded public key.

05

The backend database

Supabase Postgres · 13 tables · RLS everywhere

13 tables, one clean schema

Everything the product needs, all under Row-Level Security — users and credit balances, projects, generated clips, generation jobs, a full credit ledger, Stripe purchases, API keys, Forge licenses, and app settings (including a generation kill switch).

Money moves safely

Credits and money move only through locked-down, server-side routines — never client math. Credits are reserved atomically before any paid work, then settled or refunded, so concurrent requests can't over-spend.

Security & storage

Row-Level Security on every table (own-rows-or-admin); webhooks use the service role. Audio lives in a private bucket served via short-lived signed URLs; the Forge installer in a public one.

isolated Multi-tenant by schema

A separate product's data lives in its own isolated schema in the same instance, reachable only by a dedicated least-privilege role — a leaked key for one can never touch the other's data.

06

How sound & money flow

The three paths that matter

Generate a sound

  1. Reserve the user's credits atomically
  2. Call the AI provider; the prompt is the sole creative driver
  3. Upload the clip to private storage and record it
  4. Settle — charge on success, refund on failure

Buy credits

  1. Stripe Checkout (login required), pack in metadata
  2. Payment fires a signed webhook back to the app
  3. The webhook grants credits and records revenue
  4. Idempotent per session — retries never double-grant

Buy Forge

  1. $9.99 Checkout fires the fulfilment webhook
  2. Mint a signed license key; grant 75 credits
  3. Email the key and store the license
  4. Buyer activates the app offline; download from storage