create-sst-run
v0.1.0
Published
Create a Bun, React, Hono, Drizzle, Better Auth, and SST starter app.
Readme
SST Run
A minimal full-stack starter for Bun, React, Hono, Better Auth, Drizzle, PostgreSQL, and SST.
Create A Project
npx create-sst-run my-appIf you omit my-app, the CLI prompts for the project name.
When published under the create-sst-run package name, this also works with:
npm create sst-run@latest my-appThe create script copies the starter into a new directory, rewrites the generated root package name, and can optionally run bun install and git init.
Stack
- Bun workspaces for package management and scripts
- React 19, Vite, TanStack Router, TanStack Query, Tailwind CSS v4, and shadcn/ui source components in
apps/web - Hono, Better Auth, Drizzle ORM, and PostgreSQL in
apps/api - Shared Zod contracts in
packages/shared - Runtime environment validation in
packages/config - SST for AWS deployment with same-origin
/apirouting
Workspace Layout
apps/
api/ Hono API, auth, feature modules, Drizzle schema
web/ React app, routes, API client, UI components
packages/
config/ Environment validation
shared/ Shared Zod contracts and typesThe API keeps feature behavior under apps/api/modules/<feature>. The starter includes a small example module that shows the route/service/shared-contract pattern.
Development
Install dependencies:
bun installCreate local env files:
cp apps/api/.env.example apps/api/.env.local
cp apps/web/.env.example apps/web/.env.localFill in the API values in apps/api/.env.local, then run:
bun run devLocal ports default to:
- Web:
3000 - API:
6769 - Drizzle Studio:
4984
Useful commands:
bun run type-check
bun run lint
bun run build
bun run --cwd apps/api test:unitEnvironment
apps/api/.env.local is validated by packages/config/env.ts.
Required API values:
DATABASE_URLBETTER_AUTH_SECRET
Optional API values:
DATABASE_URL_UNPOOLEDfor Drizzle Kit migrationsAUTH_CANONICAL_ORIGINfor deployed preview OAuth flowsAUTH_ALLOWED_HOST, set by SST for deployed auth host validationOAUTH_PROXY_SECRET, defaults toBETTER_AUTH_SECRETif omittedGOOGLE_CLIENT_IDandGOOGLE_CLIENT_SECRETfor Google sign-inGOOGLE_ALLOWED_DOMAINto restrict Google sign-in to one Workspace domain
Web env values are optional and currently only control local ports.
Database
The schema lives in apps/api/db/schema.ts. The starter keeps the Better Auth tables and exports a baseColumns helper for application-owned tables.
Generate and run migrations after changing the schema:
bun run db:generate
bun run db:migrateUse db:push only for disposable local databases.
Authentication
Better Auth is mounted under /api/auth. The browser talks to auth and API routes through the same origin:
- Local Vite proxies
/apito the API dev server. - Deployed SST routes
/api/*to the API service.
Google sign-in is enabled when GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET are set. For local development with the default web port, configure Google OAuth with:
- Authorized JavaScript origin:
http://localhost:3000 - Authorized redirect URI:
http://localhost:3000/api/auth/callback/google
Deployment
SST configuration lives in sst.config.ts. Production and preview stages read secrets from AWS Secrets Manager:
- Production default:
prod/sst-run - Preview default:
preview/sst-run/<stage>
Set SST_RUN_SECRET_NAME to override the production secret name.
Deploy with:
bunx sst deploy --stage production