How to test a vibe-coded app before your users do
You built it in a weekend with Lovable, Bolt, v0, or Cursor. It works on your machine. Here's the 9-point checklist that tells you whether it survives a real person.
"Works on my machine" is not testing
You described what you wanted, an AI builder wrote it, and the happy path works. That's a great place to start — and a risky place to ship from. Vibe coding compresses the build, but it also quietly skips the step where a skeptical human tries to break the thing. Real users are that skeptical human. They paste emoji into your name field, sign up with a + alias, open the app on a cracked Android phone on hotel Wi-Fi, and leave the instant something feels off.
Testing a vibe-coded app isn't about unit tests or coverage numbers. It's about one question: does this hold up when a real person actually uses it? Here's how to find out.
The 9-point pre-launch checklist
Run these by hand on your live URL. Each maps to a way real users — or attackers — routinely break new apps.
1. Can a stranger actually sign up?
Open your app in a private window — no saved logins, no autofill — and create an account like a first-timer. A surprising number of vibe-coded apps have a signup button that goes nowhere, a confirmation email that never lands, or a verify link that 404s. If you use email and password, try an address with a + in it (you+test@gmail.com); naive validation rejects these, and you'll never know you're turning people away at the door.
2. Feed every form hostile input
Into each text field, paste a 2,000-character string, some emoji, an apostrophe, and <img src=x onerror=alert(1)>. Nothing should crash, and that last one should show up as literal text. If it pops an alert box, you have a cross-site-scripting hole an attacker can use to run code in your users' browsers.
3. Use it on a phone
Most of your traffic is mobile. Shrink the window to 375px wide, or just open it on your phone. Check that nothing overflows the screen, buttons are big enough to tap, and the on-screen keyboard doesn't cover the field you're typing into.
4. Follow every button to its end
"Get started," "Upgrade," "Pricing" — does each land somewhere real, or a dead end? Walk your checkout, billing, and account flows all the way through, not just to the first screen.
5. Refresh in the middle of things
Start a flow, then hit reload. Does it recover, or lose everything? Press the browser's back button right after submitting a form. Real users do this constantly, and brittle apps fall over.
6. Read the code you shipped to the browser
Open dev tools, go to the Network tab, reload, and look at your JavaScript bundles. AI builders love to hard-code secrets. Search the source for sk_, SUPABASE, apiKey, and SECRET. Anything that looks like a private key sitting in the browser is public to the world — rotate it and move it server-side.
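The search from step 6 as a script. This is an added example, not part of the original article and not Blinkof's code. It goes one step beyond the text by decoding JWT-shaped strings, on the assumption that the app uses Supabase's JWT-format API keys, where the role claim is anon (meant for the browser) or service_role (bypasses Row Level Security). The function names, fake tokens and sample bundle are constructed for illustration.

```javascript
// Added example (not from the article): scan bundle text for step 6's markers.
const MARKERS = ["sk_", "SUPABASE", "apiKey", "SECRET"];
// JWT shape: three base64url parts, the first two starting with eyJ ('{"').
const JWT_RE = /eyJ[\w-]+\.eyJ[\w-]+\.[\w-]+/g;

// Decode a JWT payload without verifying it; returns null if malformed.
function jwtPayload(token) {
  try {
    let b64 = token.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
    b64 += "=".repeat((4 - (b64.length % 4)) % 4);
    return JSON.parse(atob(b64));
  } catch {
    return null;
  }
}

// Keep only a short prefix so the report itself never leaks the secret.
const redact = (s) => (s.length <= 12 ? s : s.slice(0, 8) + "…[redacted]");

function scanBundle(file, source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    const line = i + 1;
    for (const marker of MARKERS) {
      const col = text.indexOf(marker);
      if (col === -1) continue;
      const context = redact(text.slice(col, col + 40));
      findings.push({ file, line, marker, severity: "review", context });
    }
    for (const [token] of text.matchAll(JWT_RE)) {
      // Assumption: Supabase-style keys carry a role claim (anon / service_role).
      const role = jwtPayload(token)?.role ?? "unknown";
      const severity = role === "anon" ? "info" : "high"; // only anon belongs in a browser
      findings.push({ file, line, marker: "jwt", role, severity, context: redact(token) });
    }
  });
  return findings;
}

// Constructed sample: fake tokens and a fake bundle, built inline.
const b64url = (o) => btoa(JSON.stringify(o)).replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
const fakeJwt = (role) => [{ alg: "HS256", typ: "JWT" }, { iss: "supabase", role }].map(b64url).join(".") + ".c2ln";
const SAMPLE_BUNDLE = [
  'const url = "https://project-ref.example/rest/v1";',
  `const anonKey = "${fakeJwt("anon")}";`,
  `const admin = "${fakeJwt("service_role")}";`,
  'const stripe = "sk_test_CONSTRUCTED0000000000";',
].join("\n");
console.table(scanBundle("app.js", SAMPLE_BUNDLE));
```

Run it with Node 16 or later, or paste it into the dev tools console and pass scanBundle the text of a bundle copied from the Network tab.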
7. Knock on your database
If you're on Supabase or Firebase, confirm Row Level Security (or security rules) are actually on. The default for a rushed build is often "anyone can read everything." Make sure an anonymous visitor can't list your users table.
8. Check your promises against reality
Open your privacy policy and your landing page. Do they match what the app does? If the policy says "no trackers" but you loaded analytics, that's a claim-vs-reality gap — and a legal one. (More in our GDPR checklist.)
9. Can a user leave?
Sign up, then try to delete your account. GDPR's Right to Erasure says users must be able to. Most vibe-coded apps have no delete path at all.
If you do only one thing: open your app in a private window and try to become a customer. You'll find more than you expect.
The fast way: let something break it for you
Doing all nine by hand, every time you ship, is the kind of chore that doesn't survive a busy week. That's the gap Blinkof fills. You paste your URL; it signs up, types the hostile input, walks your flows, reads your bundles and database, checks your privacy policy, and even tries to delete its own account — then hands you a report where every issue comes with a paste-ready fix prompt for your AI builder.
It's this nine-point checklist, run in under a minute, by something that doesn't get bored or skip step six.
See it on your own app
Paste your URL and Blinkof runs the whole check in under a minute — free.