1
1 Comment

Your vibe coded backend will fail in production. Here's how to prevent that.

Claude Code makes it incredibly easy to generate working APIs. They seem ok and they famously "work on my machine". Until real users show up and your application needs to perform under load.

When code is cheap, structure, boundaries, and decisions are everything. Software architecture matters now more than ever.

The problem isn’t that AI writes bad code.

It’s that production constraints are often an afterthought and AI will never assume them for you unless you explicitly prompt for it.

Below are the most common failure points I see in vibe coded APIs — and how a few precise prompt constraints completely change the outcome and reduce your headaches in the future.

1. No rate limiting

The problem

Vibe coded endpoints accept unlimited requests by default.

What happens in production

Someone scripts 10,000 requests in minutes - intentionally or not - and your database falls over.

How to fix it (in the prompt)

Be explicit about limits and enforcement.

“Limit requests to 100 per hour per user using Redis.
Return HTTP 429 with a Retry-After header when exceeded.”

This forces the model to design for abuse, not just correctness.

2. No pagination

The problem

AI often writes get endpoints for “all records” because it’s the simplest solution that just works straight away.

What happens in production

A user with 50,000 records hits the endpoint once and crashes your server - or times out every request.

How to fix it (in the prompt)

“Use cursor-based pagination.
Maximum 100 items per response per user.
Return nextCursor for infinite scrolling.”

Properly paginated endpoints are necessary for survival.

3. No authorization

The problem

Generated APIs frequently assume “if you’re authenticated, you’re allowed.”

What happens in production

User A can read or mutate User B’s data by guessing an ID.

This is one of the fastest ways to ship a critical security bug.

How to fix it (in the prompt)

“Enforce authorization on each request.
Return HTTP 403 on violation.”

Never let authorization be implied in your backend.

4. Hard deletes

The problem

AI defaults to DELETE FROM table WHERE id = ?.

What happens in production

One accidental delete and data is gone forever. No audit trail, no logs.

How to fix it (in the prompt)

“Use soft deletes through a status field.
On deletion, mark record's status as inactive.”

Production systems assume mistakes will happen.

5. No validation

The problem

Generated APIs often trust incoming input.

What happens in production

XSS payloads

Unexpected data shapes

Massive request bodies (10–16MB) that crash your app or DB

How to fix it (in the prompt)

“Enforce strict validation schema for every input field, with explicit types, size limits, and sanitization rules”

Validation is a defensive boundary of your system.

6. No optimistic locking

The problem

Concurrent updates overwrite each other silently.

What happens in production

Two users edit the same resource. Last write wins. One user’s changes disappear without warning.

How to fix it (in the prompt)

“Use optimistic locking.
Check updatedAt in the transaction.
Return HTTP 409 if the record has changed.”

Concurrency bugs don’t show up in demos on localhost.

7. No idempotency

The problem

Vibe coded APIs assume requests happen once.

What happens in production

Retries from clients create duplicate records in your DB.

How to fix it (in the prompt)

“Require an idempotency key per request.
Return the cached result on retries.”

If retries exist, idempotency is mandatory.

8. Side effects before persistence

The problem

Generated code sends emails, webhooks, or notifications before committing state.

What happens in production

Email sent while DB is updating records. DB write fails. System is now out of sync.

How to fix it (in the prompt)

“Persist state first.
Trigger side effects only after a successful commit.”

Side effects must be downstream of truth.

9. No timeouts

The problem

External calls wait forever by default.

What happens in production

One slow dependency ties up your entire request pool.

How to fix it (in the prompt)

“Set explicit timeouts.
Fail fast and return a controlled error.”

Latency is a failure mode.

10. No observability

The problem

Logs are an afterthought or missing entirely.

What happens in production

Something breaks and you can’t answer what happened or where, making your debugging a nightmare.

How to fix it (in the prompt)

“Create structured logs for each user action, use correlation IDs for requests”

If you can’t see it, you can’t fix it.

In this day and age of founders vibe coding their entire applications using one or two prompts, knowing how to prompt properly and produce code that survives in the real world is a differentiation and a skill that makes a difference.

on February 2, 2026
  1. 1

    Solid list. The prompt constraint approach works but it highlights the real issue - you are doing the AI's job for it. Every one of these 10 points is something a senior dev would catch in review. The AI just skips them because it optimizes for "works on first run" not "survives in production."

    The part that gets me is the review tax. Even if you nail all 10 constraints in your prompt, you still have to read every line of output to verify the AI actually followed them. And if you run the same prompt again tomorrow, you get different code. So your review starts from scratch every time.

    We are building a frontend coding agent specifically to fix this. The idea is that if the generation is deterministic - same input, same output - then you only need to review a pattern once. After that, every future generation follows the approved pattern without re-review.

    The backend side you described here is even harder because the failure modes are less visible. A missing rate limiter does not show up until someone actually hammers your endpoint.

Trending on Indie Hackers
The hardest part isn't building anymore User Avatar 114 comments The feature you're most sure about is the one you should question first User Avatar 110 comments 5 days post-launch: Top 50 on Product Hunt, zero signups, and why I think that's actually fine User Avatar 86 comments I let 3 LLMs argue on the famous AI "Car wash: Walk or Drive" problem to prove a point. User Avatar 50 comments Before you build another feature, use this workflow User Avatar 45 comments Built a local-first privacy extension. Looking for feedback. User Avatar 35 comments