Bolt.new App Broken After Deploy? 5 Most Common Causes (2026)
Bolt.new App Broken After Deploy? 5 Most Common Causes (2026)
Scope of this page:Bolt.new-specific production breaks — StackBlitz preview vs. real host. For tool-agnostic fixes see the error-signature pages under /fix/ (linked inline per failure below). Shopping for a paid rescue? Fix my AI app.
Your Bolt.new app almost always breaks for one of five reasons: missing production env vars (deep dive), Netlify build command mismatch (deep dive), Supabase Row-Level Security off (deep dive), Stripe webhooks pointing at StackBlitz preview (deep dive), or OAuth redirect URLs still on localhost (deep dive). Veracode reports a large share of AI-generated code ships with known security flaws, so assume at least one of these is live in your app.
Quick fix for Bolt.new App Broken After Deploy
Fix 1 — Set every env var on your production host
In Bolt, open the .env file and list every key. Typical Bolt stacks need VITE_SUPABASE_URL, VITE_SUPABASE_ANON_KEY, STRIPE_SECRET_KEY, and any third-party keys.
On Netlify: Site settings → Environment variables. On Vercel: Project → Settings → Environment Variables. Add every key with production values — never paste your Bolt preview values. Redeploy, then hard-refresh.
Bolt’s preview silently falls back to shared credentials the WebContainer pre-wires. Production has no such fallback.
Deeper fixes when the quick fix fails
- 02
Fix 2 — Match Netlify build command and Node version
Most Bolt apps are Vite + React. The correct Netlify config is: Build command
npm run build, Publish directorydist.Pin your Node version: add a
.nvmrcfile containing20(or whateverpackage.jsonenginesspecifies). Netlify defaults to an older Node that breaks Vite 5+.If the build log shows
Cannot find module 'rollup', deletepackage-lock.json, runnpm installlocally, commit, redeploy. - 03
Fix 3 — Enable Supabase Row-Level Security on every table
Bolt’s Supabase integration creates tables with RLS off by default. Go to Supabase → Authentication → Policies. Every table must show RLS Enabled. Add a minimum per-user policy:
create policy "Users see own rows" on public.your_table for select using (auth.uid() = user_id);
Test with two users in incognito windows. If RLS has been off since launch, rotate the anon key and assume data was scraped.
- 04
Fix 4 — Repoint Stripe webhook to production domain
In Stripe Dashboard → Webhooks, delete the WebContainer URL and add the production endpoint:
https://yourapp.com/api/stripe-webhook.Copy the new
whsec_...signing secret into your Netlify/Vercel env asSTRIPE_WEBHOOK_SECRET. Verify the raw request body (not parsed JSON) when callingstripe.webhooks.constructEvent. - 05
Fix 5 — Update OAuth redirect URLs on all three surfaces
Three places still say localhost after a Bolt deploy:
- Supabase:Authentication → URL Configuration → Site URL + Redirect URLs
- Google Cloud Console:Credentials → OAuth 2.0 Client → Authorized redirect URIs
- App code: any hardcoded
redirectToinsignInWithOAuth
Test in an incognito window. A fresh session catches cached OAuth state that masks a broken redirect.
Still broken after all five?
You’re in the rare 10%. Usually one of:
- CORS on a custom serverless function — check function response headers.
- Base path mismatch —
vite.config.tsbasemust match your deploy path. - Netlify redirects file missing for SPA routing — add
/* /index.html 200to_redirects.
Why AI-built apps hit Bolt.new App Broken After Deploy
Bolt.new runs your app inside a StackBlitz WebContainer — a browser-based sandbox that auto-injects env vars, auto-wires Supabase keys, and runs with permissive CORS. The moment you deploy to Netlify or Vercel, every one of those conveniences disappears. The preview worked; production doesn’t, and the Bolt AI has no visibility into your deploy target.
On top of that, Bolt’s token-first workflow encourages rapid iteration that piles up debt. The same user who sees “every new deployment deploys into another universe rather than updating the existing site” usually also has three sets of env vars, two Stripe webhook URLs, and no single source of truth for which build the live site is running.
“Bolt.new ate tokens like a parking meter eats coins.”
Diagnose Bolt.new App Broken After Deploy by failure mode
Open the deployed site in an incognito window, open DevTools (right-click → Inspect → Console), and match the symptom to the row below before changing anything.
| Symptom | Root cause | Fix |
|---|---|---|
| Blank page, console shows supabaseUrl is undefined | Env vars not set on Netlify/Vercel | Fix #1 |
| Netlify build fails with exit code 2 or missing package | Wrong build command or Node version | Fix #2 |
| Login succeeds but data is empty, or users see each other's rows | Supabase RLS disabled | Fix #3 |
| Stripe checkout works but subscription never activates | Webhook URL still pointing at preview | Fix #4 |
| Login redirects to localhost or a StackBlitz URL | OAuth callback misconfigured | Fix #5 |
Related errors we fix
Still stuck with Bolt.new App Broken After Deploy?
If any of these apply, a fixed-price fix will save you token spirals:
- →You've been stuck for >4 hours
- →You've burned >500k tokens on the same issue
- →You have paying customers affected right now
- →You're scared to launch because of security
Bolt.new App Broken After Deploy questions
Why does my Bolt.new app work in preview but break in production?+
How do I deploy a Bolt.new app to Netlify correctly?+
Why is my Bolt.new app burning through millions of tokens?+
Is my Bolt.new app safe to launch?+
How much does it cost to fix a broken Bolt.new app?+
Can I move my Bolt.new project off the platform?+
Ship the fix. Keep the fix.
Emergency Triage restores service in 48 hours. Break the Fix Loop rebuilds CI so this error cannot ship again.
Hyder Shah leads Afterbuild Labs, shipping production rescues for apps built in Lovable, Bolt.new, Cursor, Replit, v0, and Base44. our rescue methodology.
Bolt.new App Broken After Deploy experts
If this problem keeps coming back, you probably need ongoing expertise in the underlying stack.