Fairy
Foundation kits

Fairy-verified code kits.

Production-ready templates for the pieces AI gets wrong most often. Each kit is reviewed and signed off by a senior Fairy expert — not generated, verified.

Install via MCP

Call any kit from Claude Code, Cursor, or Windsurf.

fairy_install_stripefairy_install_authfairy_install_deploymentfairy_install_supabasefairy_install_emailfairy_install_llmfairy_install_slackfairy_install_salesforcefairy_install_twiliofairy_install_oktafairy_install_hubspot

Add Fairy to your editor: claude mcp add fairy --transport http --url https://askfairy.com/api/mcp -H "Authorization: Bearer fry_k_yourkey"

Don't have an API key? Get one in your dashboard →

Foundation kits

Stripe Webhooks

Verified

Production-ready webhook handler, verified by senior engineers.

A complete Stripe webhook handler with signature verification, idempotency handling, and all critical event types. Covers checkout, subscriptions, invoices, and payment failures — with a go-live security checklist.

fairy_install_stripe

Files generated

  • src/lib/stripe.ts
  • src/app/api/webhooks/stripe/route.ts
  • .env.example (Stripe vars)
  • STRIPE_CHECKLIST.md

Human-verified

  • Stripe signature verification (prevents spoofed events)
  • Idempotency guard (prevents double-processing on retries)
  • All critical subscription + payment events handled
  • 500 returned on handler error (Stripe will retry)
  • TypeScript types throughout

Cookie Auth

Verified

Secure httpOnly cookie sessions with scrypt password hashing.

A complete auth system using httpOnly cookies and Node.js built-in scrypt — no new packages. Includes session helpers, route protection middleware, login page, and API route with timing-safe password verification.

fairy_install_auth

Files generated

  • src/lib/auth.ts
  • middleware.ts
  • src/app/login/page.tsx
  • src/app/api/auth/login/route.ts
  • AUTH_CHECKLIST.md

Human-verified

  • scrypt password hashing (not bcrypt, not SHA1, not MD5)
  • Timing-safe comparison (prevents user enumeration)
  • httpOnly + Secure + SameSite cookies
  • Route protection middleware
  • Security checklist with common pitfalls

Deployment Hardening

Verified

Security headers, CI with secret scanning, go-live checklist.

Everything you need before going live: next.config.ts with CSP, HSTS, and X-Frame-Options; vercel.json; .env.example with all required vars; GitHub Actions CI with secret scanning; and a comprehensive go-live checklist.

fairy_install_deployment

Files generated

  • next.config.ts (security headers)
  • vercel.json
  • .env.example
  • .github/workflows/ci.yml
  • DEPLOYMENT_CHECKLIST.md

Human-verified

  • Content-Security-Policy, HSTS, X-Frame-Options, Permissions-Policy
  • Secret scanning in CI (catches committed API keys)
  • TypeScript + lint check on every PR
  • Prisma generate in CI pipeline
  • Go-live checklist covering database, Stripe, and auth

Supabase

Verified

DB + auth + RLS done right — the pitfalls that leak data, caught.

Browser + server + service-role clients, session-refresh middleware, and Row Level Security policies. Built around the two mistakes that quietly expose user data in vibe-coded apps: RLS left off, and trusting getSession() instead of getUser().

fairy_install_supabase

Files generated

  • src/lib/supabase/client.ts
  • src/lib/supabase/server.ts
  • middleware.ts
  • supabase/rls-policies.sql
  • SUPABASE_CHECKLIST.md

Human-verified

  • RLS enabled + explicit policies on every user-data table
  • getUser() (verified) used server-side, not getSession()
  • with check on write policies (can't insert others' rows)
  • Service-role key kept server-only, never NEXT_PUBLIC_
  • Auto-create-profile trigger on signup

Transactional Email

Verified

Resend, with the silent-failure and deliverability bugs handled.

A branded email lib with an error-checked send helper plus ready-made welcome, magic-link, and password-reset templates. The #1 email bug — not checking the returned error and silently dropping mail — is handled for you.

fairy_install_email

Files generated

  • src/lib/email.ts (shell + send + templates)
  • EMAIL_CHECKLIST.md

Human-verified

  • send() returns errors instead of silently dropping mail
  • User input HTML-escaped before interpolation
  • Domain verification + SPF/DKIM/DMARC checklist
  • Reply-to wired for real two-way replies
  • Transactional vs marketing domain separation advised

LLM API

Verified

Anthropic or OpenAI — streaming, server-only, spend-safe.

A server-only model client, a single-shot complete() helper with error handling, and a streaming /api/chat route. Built around the things that leak keys or run up bills: client-side keys, no rate limiting, and prompt injection.

fairy_install_llm

Files generated

  • src/lib/llm.ts (client + complete)
  • src/app/api/chat/route.ts (streaming)
  • LLM_CHECKLIST.md

Human-verified

  • API key kept server-only — never shipped to the browser
  • Errors caught so model failures degrade gracefully
  • maxDuration set for streaming routes on Vercel
  • Rate-limit + auth guidance on the chat endpoint
  • Prompt-injection: user input stays in the user turn

Slack

Verified

Bot messages + Events API, with spoofing and bot-loops handled.

Web API and incoming-webhook senders plus an Events API route that verifies the Slack signature, blocks replay attacks, and answers the URL-verification handshake. The bot-loop and 3-second-ACK pitfalls are handled.

fairy_install_slack

Files generated

  • src/lib/slack.ts
  • src/app/api/slack/events/route.ts
  • SLACK_CHECKLIST.md

Human-verified

  • Slack request signature verified on every inbound call
  • Timestamp replay protection (rejects >5 min old)
  • timingSafeEqual signature comparison
  • Bot ignores its own messages (no loops)
  • ACK within 3s, slow work async (no duplicate retries)

Salesforce

Verified

OAuth REST client with token caching and SOQL-injection safety.

Client-credentials OAuth with cached tokens and 401 refresh-retry, plus SOQL query and create/update helpers. Built around the API-limit and SOQL-injection mistakes that get integrations throttled or breached.

fairy_install_salesforce

Files generated

  • src/lib/salesforce.ts
  • SALESFORCE_CHECKLIST.md

Human-verified

  • Tokens cached, not re-fetched per call (saves API quota)
  • 401 → single refresh + retry
  • SOQL injection warning + escaping guidance
  • Daily API limit respected
  • Least-privilege integration user

Twilio SMS

Verified

Send + inbound webhook, with opt-out compliance and fraud guards.

An E.164-validated send helper (errors returned, not thrown) and an inbound webhook that verifies the Twilio signature. Covers STOP/HELP opt-out compliance and SMS-pumping fraud — the things that get you fined or run up a bill.

fairy_install_twilio

Files generated

  • src/lib/sms.ts
  • src/app/api/sms/inbound/route.ts
  • TWILIO_CHECKLIST.md

Human-verified

  • X-Twilio-Signature verified on inbound (no spoofing)
  • E.164 validation before every send
  • STOP/HELP opt-out compliance (TCPA)
  • Rate limiting against SMS-pumping fraud
  • Auth token kept server-only

Okta SSO

Verified

Enterprise OIDC login with the CSRF state check done right.

Login and callback routes for Okta OIDC Authorization Code, with httpOnly state-based CSRF protection, token exchange, and userinfo. Built around the state-verification and id_token-claim pitfalls that quietly break SSO security.

fairy_install_okta

Files generated

  • src/lib/okta.ts
  • src/app/api/auth/okta/login/route.ts
  • src/app/api/auth/okta/callback/route.ts
  • OKTA_CHECKLIST.md

Human-verified

  • state param generated, stored httpOnly, verified (CSRF)
  • Client secret server-only
  • id_token claims (iss/aud/exp) validation guidance
  • Session created server-side after exchange
  • Exact redirect-URI allowlist (no open redirects)

HubSpot

Verified

Idempotent contact upsert — no more duplicate-contact mess.

A Private-App CRM client with idempotent contact upsert (search-before-create), timeline notes, and 429 rate-limit backoff. Built around the duplicate-contact and rate-limit problems that pollute every CRM integration.

fairy_install_hubspot

Files generated

  • src/lib/hubspot.ts
  • HUBSPOT_CHECKLIST.md

Human-verified

  • Idempotent upsert (search by email before create)
  • 429 rate-limit backoff with Retry-After
  • Token kept server-only
  • Writes match privacy/consent records
  • Validates properties exist before writing

Before you build

Pre-build Brief

From $79

Brief a senior expert before you write a line of code.

Describe what you're about to build and your stack. A Fairy expert returns the patterns to follow, the pitfalls for your specific stack, and exactly what to verify in the AI output before you ship. Faster and cheaper than catching it in a full review.

Quick brief · $79

Key patterns + top 3 pitfalls. Returned in 24h.

Full brief · $199

Deep guidance report. Architecture review + specific test cases.

fairy_brief

Ready to ship with confidence?

Add Fairy to your AI coding environment in under a minute.

Connect via MCP Submit a review