cdkbase

AWS serverless · built for Claude Code

Skip the AWS wiring.
Ship the product.

cdkbase is a fork-ready serverless monorepo — web, mobile, a typed API, Postgres, auth, and billing across nine CDK stacks, live with one command. It ships with a Claude Code skill and MCP servers, so your agent can deploy, query, and extend it from the first prompt.

See what's inside

$299 one-time · lifetime source access · instant private-repo invite

AWS CDK · React Router v7 · Hono · Aurora DSQL · Cognito · Stripe · Expo · MCP

# one config file, then ship everything
$ pnpm run setup
✔ cdkbase.config.ts — accounts, domains, envs

$ AWS_PROFILE=acme-prod pnpm run deploy
Acme-prod-Dns         ✔ deployed
Acme-prod-Auth        ✔ deployed
Acme-prod-Db          ✔ deployed
Acme-prod-Api         ✔ deployed
Acme-prod-Web         ✔ deployed
Acme-prod-WebSpa      ✔ deployed
Acme-prod-McpDirect   ✔ deployed
Acme-prod-McpViaApi   ✔ deployed
Acme-prod-Billing     ✔ deployed

✔ 9 stacks · https://acme.com is live

What's inside

One repo. The whole product.

A pnpm monorepo where every layer already talks to every other — and nothing hides behind a CLI or code generator. What you buy is the code.

cdkbase/
├─ apps/
  ├─ web-ssr/        React Router v7 SSR — this very site
  ├─ web-spa/        Vite + React on S3/CloudFront
  └─ mobile/         Expo · React Native
├─ services/
  ├─ api/            Hono REST API · JWT middleware
  ├─ billing/        Stripe Checkout + Portal + webhook
  ├─ mcp-direct/     MCP server → straight to DSQL
  └─ mcp-via-api/    MCP server → through the API
├─ packages/
  ├─ auth/           Cognito core · pluggable token storage
  ├─ api-client/     typed client shared by every frontend
  └─ db/             Knex + IAM signer + DSQL-safe migrator
└─ infra/             nine CDK stacks, wired in one file

Nine focused CDK stacks

Each concern is its own CloudFormation stack, wired explicitly in one file. Don't need the SPA or the mobile app? Delete the stack and its folder — no feature flags, no dead code.

DnsAuthDbWebWebSpaApiMcpDirectMcpViaApiBilling

One auth core, three adapters

A framework-agnostic Cognito wrapper with pluggable token storage: httpOnly cookies on the SSR app, localStorage on the SPA, the device keychain on mobile. Hand-rolled login screens — no Amplify anywhere.

Typed end to end

Every frontend calls the API through the same typed client package. Change a route signature and the compiler tells you everywhere it matters.

Architecture

How a request flows.

Four clients, one auth gate, three Lambda services, one database — every hop is a managed service that scales to zero when idle.

One gate for every client

Web, SPA, mobile, and Claude all authenticate the same way: a Cognito JWT, verified in middleware before any handler runs. Public endpoints are an explicit allowlist, not an accident.

API Gateway in front of every Lambda

The API, billing, MCP servers, and SSR all sit behind API Gateway HTTP APIs with custom domains — one consistent front door, and none of the Function-URL traps newer AWS accounts ship with.

Nothing running while you sleep

Lambda, Aurora DSQL, S3, and CloudFront all bill by use — idle, the whole stack costs pennies. We published the numbers: what it costs to run a serverless SaaS.

CLIENTSWeb · SSRReact RouterVite · SPAS3 · CloudFrontExpo mobileReact NativeClaude · agentMCP clientCognito — JWT verified on every requestCOMPUTE · LAMBDAHono APIAPI GatewayBillingStripeMCP serverstwo serversDATAAurora DSQLserverless Postgres · IAM authCloudFront fronts the web apps · API Gateway fronts every LambdaMCP reaches data directly or through the API

Built for Claude Code

Your agent already knows this codebase.

Most templates assume a human reading docs. cdkbase ships its docs as machine-usable context — so Claude is oriented before it touches a file.

Claude Code~/acme · cdkbase fork
> add a projects table with CRUD endpoints, then deploy it to dev
 Skill(cdkbase)
  ⎿ operating manual — layout, deploys, DSQL limits

 Write(packages/db/migrations/…_projects.ts)
  ⎿ UUID keys, async index — DSQL-safe

 Write(services/api/src/routes/projects.ts)

 Bash(AWS_PROFILE=acme-dev pnpm run deploy)
  ⎿ ✔ 9 stacks · live at https://dev.acme.com

 Synthesizing… (esc to interrupt)

An operating manual, as a skill

The repo carries a Claude Code skill documenting the layout, deploy commands, DSQL limits, and guardrails. Claude reads it first — and stops making template-shaped mistakes.

Two MCP servers, OAuth included

Query your app's data from Claude over HTTP — one server goes straight to DSQL, one through the REST API. Cognito OAuth discovery is wired so claude.ai connects without ceremony.

Zero agent setup

.mcp.json and the skill come preconfigured. Open Claude Code in a fresh clone and it's productive — no prompt engineering required. And none of it gets in the way if you'd rather drive by hand.

What you actually get

One todo left: ship it.

Deployed, the template is a small, complete todo app — sign up, confirm, log in, and CRUD on all three frontends. It stops there on purpose.

Every layer, exercised

The todos feature runs UI → typed client → Hono API → Aurora DSQL, with a verified JWT on every request — on web, SPA, and mobile. If it works, your whole stack works.

Small on purpose

There's no invented product to bulldoze before you can start. Copy the todos pattern for your first real feature — migration, route, UI — then delete it.

Poke the live one

This site is the deployed template — create an account and the same todo app is yours to try.

Your todosSign out
What needs doing?Add
Provision an AWS account
pnpm run setup
pnpm run deploy — nine stacks live
Sign up · confirm · log in
Ship your product

Already debugged

AWS gotchas? We gotcha.

These are the failures that eat your second week on AWS — each one already hit, debugged, and encoded into the template, so the hours they cost get spent on your product instead.

Lambda Function URLs 403 on new AWS accounts

Accounts created since mid-2024 silently block public Function URLs — no toggle lifts it. Every Lambda here fronts API Gateway HTTP API instead, so it works on any account.

Aurora DSQL isn't quite Postgres

No SERIAL, no foreign keys, async-only indexes. The schema, queries, and a custom UUID-keyed migrator are DSQL-safe from the start — nothing to discover at migration time.

MCP OAuth fails silently without WWW-Authenticate

Claude's connectors need RFC 8414/9728 discovery and a real WWW-Authenticate on 401 — and Cognito doesn't speak Dynamic Client Registration. The shims are built in.

Stripe webhooks need the raw body

Signature verification breaks if anything parses the body first. The webhook mounts before parsers and auth, verifies the signature, and dedupes events by ID.

localStorage doesn't exist on the server

SSR auth uses server-authoritative httpOnly cookie sessions. The SPA and mobile apps plug localStorage and SecureStore into the same framework-agnostic auth core.

Secrets in Lambda env vars get reset by deploys

Stripe keys live in SSM SecureStrings — the Lambda env holds parameter names, not values, so a stray deploy can't blank your production keys.

How it works

From checkout to production in an afternoon.

No CI/CD to configure, no boilerplate to write — three steps and the stack is yours.

1

Buy & accept the invite

Enter your GitHub username at checkout. Right after payment, GitHub sends you a private invite to the repo — accept and clone.

2

Point it at your AWS account

pnpm run setup writes one config file — your accounts, domains, and environments. Sign in with AWS SSO and you're wired up.

3

Deploy & build yours

pnpm run deploy ships all nine stacks. Then add features yourself — or hand the repo to Claude Code and let it build with you.

FAQ

Questions, answered.

Do I need Claude Code to use it?

No. cdkbase is a complete, conventional AWS CDK codebase you can build on by hand. The Claude Code skill and MCP servers make an agent productive immediately, but they don't get in the way if you'd rather drive it yourself.

What will it cost to run on AWS?

Everything is serverless and scales to near-zero when idle — Lambda, Aurora DSQL, S3/CloudFront, and Cognito all have free tiers. A low-traffic project typically runs to a few dollars a month, and you pay AWS directly — cdkbase adds no runtime fees. We published a full breakdown: what it costs to run a serverless SaaS.

Can I use it for commercial and client projects?

Yes — the license covers unlimited personal and commercial apps. You can't resell the template itself as a competing starter kit. See the license for specifics.

How do I get the code after buying?

You enter your GitHub username at checkout. Immediately after payment, GitHub sends you a private invite to the repository — accept it from the email and clone.

Do I get updates?

Yes. It's a one-time purchase for lifetime access to the private repo, including fixes and improvements as they land.

What's the refund policy?

Because you get immediate access to the full source, purchases are generally final. If it's genuinely not working out, email support@cdkbase.com and we'll sort it out case by case.

Fork it, point it at your AWS account, and ship.

One-time purchase. Lifetime source access. Live on AWS the same afternoon.

Read the docs