Cost to fix a broken Bolt app in 2026.

Bolt.new is cheap to start. A $20/month Pro subscription gets you unlimited projects and enough tokens to get a working prototype up in an afternoon. For founders who need to validate an idea quickly, it is outstanding value. The economics change once the app stops being a prototype. The apps we get hired to fix are not the ones that failed in the first week — they're the ones that “work” for three months, acquire a few dozen paying users, and then hit a bug the AI cannot fix. By that point the founder has sunk several thousand dollars into token spend, has real user data at risk, and needs the problem solved in days, not weeks. That's the engagement this guide is priced for.

The honest answer to “how much does it cost to fix a Bolt app” is: it depends on what's broken and how long you've been trying to fix it yourself. Below are the five engagement shapes we actually sell, with real price ranges, what each covers, what it doesn't cover, and when to choose it. Every engagement starts with a free 48-hour audit, and the audit itself tells you which engagement shape fits your situation — so you don't have to guess from this guide.

1. Emergency triage: $299

What it covers: one critical, production-down bug diagnosed and fixed within 48 hours. Classic triage scenarios: checkout is returning 500 errors and nobody can pay, all users got logged out after a deploy and cannot log back in, the Stripe webhook stopped firing and subscriptions are drifting out of sync, the production database is refusing connections because a secret rotated, the OAuth redirect is suddenly broken because a URL changed. One root cause, one fix, verified working in production, with a written summary of what was wrong and what we changed.

What it doesn't cover:multiple broken systems (that's a different engagement), underlying architectural problems that caused the bug (those get flagged for follow-up work, but triage is triage — one fire, one extinguisher), adding features, preventative hardening of other code paths. Triage is a narrow scalpel for a narrow problem.

When to use it:your production app is down right now, you are losing money or users in real time, and the blast radius is one specific system. Don't use it for “everything feels fragile” — that's a hardening engagement, not triage.

Examples of what we've shipped in a single triage: a webhook endpoint that returned 500 because a Stripe API update changed the event payload shape (fix: updated the type assertion and added handling for both versions); an OAuth callback that was still pointed at the original StackBlitz URL after a domain change (fix: updated the redirect URI in Google Cloud Console and the allow-list in Supabase); a production env var that was never set in Vercel after a migration, causing every authenticated request to crash (fix: added the var, redeployed).

See emergency triage scope.

2. Security audit: $499

What it covers: a full security review of the Bolt app, delivered as a written report within 48 hours. We check every Supabase table for Row Level Security status and policy correctness, every API endpoint for authentication and authorisation checks, the client bundle for accidentally exposed service-role keys or admin credentials, every storage bucket for public-access misconfigurations, every OAuth redirect URL for still-valid StackBlitz URLs or other stale values, and the Stripe webhook for signature verification and idempotency.

What you receive:a written report with every finding categorised as Critical, High, Medium, or Low. Critical means “fix this week, data is exposed or the app is vulnerable to account takeover.” High means “fix this month, there is a real incident path.” Medium and Low are harder edges with known mitigations. Each finding includes: what we found, how we found it, what the incident path is if it's not fixed, and what the remediation looks like.

What it doesn't cover: the fix work itself. The audit is the diagnosis. Remediation is quoted separately — often as a production hardening engagement, sometimes as a narrower integration fix if the findings are concentrated in one area.

When to use it:you have more than ten paying users, you're storing any user data more sensitive than an email address, and you haven't had a professional eye on the security posture of the app. Across the Bolt apps we've audited, 94% had at least one Critical finding — usually an RLS gap. If you haven't had an audit, assume you have one of these too.

See security audit scope.

3. Integration fix: $799

What it covers: one broken integration fixed end-to-end with full testing, delivered in 3–5 days. The scope is deliberately narrow — one integration, all of its edge cases, done right. Common scopes:

• Stripe subscription billing: idempotent webhook handler, full event surface (checkout.session.completed, invoice.paid, invoice.payment_failed, customer.subscription.updated, customer.subscription.deleted, charge.refunded, charge.dispute.created, plus customer portal), subscription state mirrored in your database, dunning-email wiring, tested with stripe trigger for every event.
• Supabase RLS across all tables: enable RLS on every table with user data, write explicit policies per operation per role, integration tests that assert cross-tenant isolation, service-role-key usage audited and scoped to server-only code paths.
• OAuth with multiple providers:Google, GitHub, and Microsoft wired correctly with production redirect URLs, session persistence tested across a browser restart, token refresh verified, the “user exists with a different provider” edge case handled cleanly.
• Custom third-party API integration: retries with exponential backoff, rate-limit handling, structured error responses, secret rotation documented.

What it doesn't cover: broken integrations outside the defined scope. If your Stripe is broken and your RLS is missing andyour OAuth is pointing at StackBlitz, that's three integration fixes or a production hardening engagement — it's not one.

When to use it:one specific system is broken and the rest of the app is genuinely solid (confirmed by an audit, not by vibes). This is the right engagement for founders who've hit a specific wall — usually payments or RLS — and just need that wall removed.

Common Bolt integration failures we see: Stripe checkout works but invoice.payment_failed and customer.subscription.deleted were never wired, so cancelled or failed subscribers still have access to paid features weeks after their cards declined. Supabase tables exist but every table has either no RLS policies at all or a single USING (true) policy that grants read access to every authenticated user regardless of ownership. OAuth that works on localhost because the dev redirect URI matches, but hits redirect_uri_mismatchin production because the production URI was never added to the provider's console.

See integration fix scope.

4. Production hardening: $3,999

What it covers:a full codebase stabilisation pass over 3–4 weeks. This is the engagement we recommend for any Bolt app with paying users that hasn't had a professional production pass. The scope is the union of every common Bolt failure mode, fixed once, across the whole app:

• Row Level Security on every Supabase table with user data, with explicit policies per operation, integration tests that assert isolation, and service-role-key usage scoped to server-only code.
• Auth edge cases: session refresh over long-lived sessions, OAuth redirect URLs verified in every provider console, password reset and email verification flows tested end-to-end, email templates pointing at the production domain, the onAuthStateChange listener wired up so the UI reflects auth state without page refreshes.
• Stripe full webhook surface with idempotency, signature verification, all eight events we see matter in a subscription business, tested with stripe trigger, and observability on every webhook delivery (we want to see which events we received and which state transitions they produced).
• Deployment pipeline: CI/CD with preview environments per PR, environment variable management with production secrets scoped to production only, health checks on the production deploy, a documented rollback procedure tested before it's needed.
• TypeScript clean-up: remove the any types the AI used when it couldn't infer a shape, fix the implicit anys, tighten function signatures, enable strict mode in tsconfig.jsonif it wasn't enabled, make the build pass cleanly without type errors.
• Performance audit: identify N+1 query patterns in the Supabase or ORM layer, add indexes where the query plan requires them, reduce bundle size by code-splitting or removing dead dependencies, eliminate obvious re-render loops the AI introduced with badly placed useEffect or useState calls.
• Observability: Sentry (or equivalent) for error tracking, structured logs going somewhere queryable, an uptime monitor on the production domain, alerting for severity-1 events.

What it doesn't cover:new feature development — this is a hardening engagement, not a build engagement. If you need new features on top of the hardening, that's MVP completion (section 5). It also doesn't cover migrating off Bolt onto a self-hosted Next.js codebase — that's platform migration (section 6), which can be combined with hardening as a single engagement.

When to use it:you have paying users, the app “works” in the sense that the happy paths complete, but you know there are sharp edges — the audit flagged Critical and High findings, or you've had a couple of incidents in the last quarter, or you're preparing for a fundraising round or an enterprise sale and the tech needs to pass scrutiny. This is the most common engagement we run for Bolt apps with real users.

See our hardening engagement scope.

5. MVP completion: $7,499

What it covers:the hardening pass from section 4, plus significant new feature development that the AI couldn't finish. 6–8 week engagement. The feature set is scoped in writing before we start and typically includes one or two of:

• Custom billing that Stripe doesn't do out of the box (usage metering, seat-based pricing with proration, custom invoicing for enterprise contracts).
• An admin dashboard for support, refunds, and user management — the feature Bolt apps almost always skip because the AI only builds the customer-facing side.
• Multi-tenancy: converting a single-tenant app into a workspace/organisation model with invitations, role-based access, and tenant-scoped data. This almost always requires an RLS rewrite alongside it.
• A custom auth flow (SSO, SAML, magic links with a branded domain, invite-only access) the AI stubbed but never finished.
• An integration with a platform the AI has no training data for (a niche CRM, an ERP, a legacy SOAP API).

What it doesn't cover:ongoing maintenance once shipped (that's the retainer). If the feature list grows during the engagement, we re-scope together before proceeding — we don't absorb unlimited scope under a fixed fee.

When to use it:you're pre-launch or have a small user base, you need to add one or two significant features before you can launch publicly or close a customer, and you also want the existing code hardened to production quality in the same engagement. The combination saves money versus doing the two as sequential engagements.

See MVP completion scope.

6. Platform migration: $3,999–$7,499

What it covers: moving the Bolt app off StackBlitz onto a self-hosted Next.js codebase on Vercel that you fully own. The scope:

• Vite-to-Next.js conversion: the build system, routing, and rendering model all swap.
• Environment variable migration: VITE_ prefixes become NEXT_PUBLIC_, server-only secrets lose their client prefix, secrets moved from the Bolt UI into Vercel's env var manager.
• Auth update: Supabase Auth or Clerk SSR setup for Next.js, middleware for session handling, redirect URLs updated in every provider console.
• Webhook endpoint migration: Stripe webhook URL changed in the Stripe dashboard from the StackBlitz preview URL to the production domain, new signing secret rotated and installed.
• Custom domain: DNS cutover, SSL certificate provisioning, redirects from the StackBlitz URL for any inbound links.
• CI/CD pipeline: GitHub repo connected to Vercel, preview deployments per PR, production deploy on merge to main.

Why the price range:the lower end ($3,999) is a simple app — under 20 components, one auth provider, Supabase, Stripe, no custom backend. The higher end ($7,499) is an app with multiple auth providers, custom API routes, significant business logic in the frontend that needs to move server-side during migration, or a large component count that increases the conversion surface area. The audit tells us which end of the range you're on before you commit.

When to use it:you want to own the codebase, get off per-token billing, integrate with a professional dev workflow (PR reviews, CI, rollbacks), and stop being blocked by whatever StackBlitz can or can't do. See the full Bolt to Next.js migration guide for the step-by-step technical process.

7. What makes a Bolt app cost more to fix

The prices above are ranges because real-world apps vary. Here are the factors that push a given engagement toward the higher end of its range — or occasionally into a bigger engagement shape than you expected.

Time in the fix loop

The fix loop is the pattern where every prompt to fix one bug introduces or re-surfaces a different bug. Apps that have been in the loop for days or weeks accumulate contradictory patterns as the AI tries one approach, abandons it, tries another, and leaves dead code behind from each attempt. The longer the loop, the more reverse-engineering we have to do to untangle what the app was supposed to do versus what it currently does. Twenty hours in the fix loop typically adds a week of diagnostic work on top of the stated scope.

Number of broken integrations

One broken integration is an integration fix ($799, 3–5 days). Two broken integrations is usually two integration fixes stacked ($1,500, 1–2 weeks). Three or more broken integrations crosses the threshold where hardening becomes cheaper than stacking fixes — at that point we recommend the $3,999 engagement instead, because the work to understand the codebase happens once rather than three times.

Missing product spec

If you can hand us a one-page description of what the app is supposed to do and what each user role can see and do, that's two days of discovery we don't have to bill for. If we have to derive the spec by reading the code and guessing what was intended, that's real time. The best thing a founder can do before hiring us is write a crisp one-pager: user roles, core flows, the invariants (“no user should ever see another user's data,” for example).

Production data that cannot be touched

If you have real users and real data, we cannot do fix work directly on production. We need a staging environment with a copy of the production schema (anonymised data preferred). Setting up staging is a one-time cost the first time we engage — usually half a day — and it's included in the quote. If production data includes regulated personal information (healthcare, finance, children's data), the compliance overhead adds days to the timeline.

Custom domain already in use

If you're migrating a live domain with real inbound traffic (search engines sending users, email campaigns, bookmarks, inbound OAuth redirects from integrations), the deployment cannot be a flag-day cutover. We run old and new in parallel, verify the new production deploy under real load, cut DNS with a short TTL, and keep a rollback ready. That's maybe a day more careful work than migrating a preview URL.

What makes an engagement cheaper

Conversely, the factors that push toward the lower end of a range: a written product spec exists, the app is pre-launch or has a small tolerant user base, the codebase is small (under 20 components), the stack is canonical (Supabase + Stripe + Next.js-compatible auth), there's no custom domain yet, and the founder can make decisions quickly when we surface a question. Every one of those shaves hours off the engagement.

Start with a free 48-hour audit →