Our Stack
Built to be boring in the best way
Genkō runs on a small set of proven, best-in-class tools. No exotic dependencies, no clever abstractions — just solid infrastructure that clinics can rely on, with HIPAA-aligned data handling built into every layer.
The full stack
Eight dependencies. Eight reasons each one earns its place.
Framework
Next.js 15
App Router with React Server Components gives us fast page loads, streaming, and a clean separation between server and client code. We ship zero JavaScript for pages that do not need it.
TypeScript strict mode. No any types.
Database & Auth
Supabase
PostgreSQL with Row-Level Security enforces tenant isolation at the database layer — not just in application code. Every query is scoped to the authenticated organization by policy, not by convention.
Auth, realtime, storage — all first-party.
Billing
Stripe
Checkout, subscription management, and webhook-driven plan enforcement. Stripe handles PCI compliance so patient payment data never touches our servers.
Webhooks verified with HMAC signatures.
Auth Tokens
jose
Standards-compliant JWT verification runs entirely in the middleware edge runtime, with no database round-trips on every request. Tokens are RS256-signed and carry a short expiry.
Stateless. No session storage.
Resend
Transactional email for appointment confirmations, reminders, and password resets. Designed for developers — clean API, instant delivery, and built-in DKIM/SPF.
React-based email templates.
Validation
Zod
Every API route validates its input with a Zod schema before touching the database. No request reaches business logic without being fully typed and validated at the boundary.
Runtime types inferred from schemas.
Styling
Tailwind CSS 4
Utility-first CSS with zero runtime overhead. Tailwind 4 ships with the new Oxide engine — native CSS variables, container queries, and faster builds.
No CSS-in-JS. No runtime styles.
Deployment
Vercel
Edge network with 50+ regions, automatic HTTPS, preview environments per pull request, and built-in analytics. Zero-config Next.js deployment with instant rollbacks.
Vercel Analytics enabled for real-user metrics.
Architecture principles
The rules that keep the codebase small and the system reliable.
- Thin application layer: Pages call lib functions and render results. No queries live in components. No business logic lives in pages. Every layer does exactly one thing.
- Database-enforced tenancy: Row-Level Security policies live in Postgres, not in application code. A misconfigured query cannot leak data across organizations — the database will reject it.
- Stateless middleware: Authentication runs at the edge in under 5ms by verifying a JWT locally. No database calls, no HTTP round-trips — just cryptographic proof.
- Explicit over implicit: TypeScript strict mode with no any types. Zod validation at every API boundary. If it compiles and passes validation, it is the right shape.
Security & compliance
How data is handled at every layer.
Encryption at rest
All data is encrypted at rest via Supabase / AWS RDS encryption. Encryption keys are managed by the cloud provider.
Encryption in transit
All traffic uses TLS 1.2+. HSTS is enforced via Vercel's edge network. No plaintext communication.
Row-Level Security
Postgres RLS policies ensure every query is scoped to the requesting organization. A bug in application code cannot expose another tenant's data.
Minimal data collection
We collect only what is needed to run the platform. Analytics are aggregated and non-personal. No patient data is used for advertising.
HIPAA alignment
Infrastructure is selected and configured to support HIPAA-covered entities. Business Associate Agreements are available on request.
Webhook verification
All inbound webhooks (Stripe, Supabase) are verified with HMAC signatures before processing. Replayed or tampered events are rejected.
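The check described above, sketched as an added example that is not Genkō's own code: it follows Stripe's documented `t=...,v1=...` signature header scheme and shows where tampered, stale and replayed events are each rejected. The function names, the 300-second tolerance and the in-memory set of seen event ids are assumptions made for illustration.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

type Verdict = "ok" | "malformed" | "bad_signature" | "stale" | "replayed";

const TOLERANCE_SECONDS = 300; // assumption: accept events at most 5 minutes old
// Assumption: in-memory set for the demo; production needs a shared store with a TTL.
const seenEventIds = new Set<string>();

// HMAC-SHA256 over "<timestamp>.<raw body>", hex-encoded (Stripe's v1 scheme).
function sign(secret: string, timestamp: number, rawBody: string): string {
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`, "utf8").digest("hex");
}

function eventId(rawBody: string): string | null {
  try {
    const id = (JSON.parse(rawBody) as { id?: unknown }).id;
    return typeof id === "string" ? id : null;
  } catch {
    return null;
  }
}

function verifyWebhook(rawBody: string, header: string, secret: string, nowSeconds: number): Verdict {
  // Header format: "t=<unix seconds>,v1=<hex signature>[,v1=...]"
  let timestamp: number | null = null;
  const signatures: string[] = [];
  for (const part of header.split(",")) {
    const [key, value = ""] = part.trim().split("=", 2);
    if (key === "t" && /^\d+$/.test(value)) timestamp = Number(value);
    if (key === "v1") signatures.push(value);
  }
  if (timestamp === null || signatures.length === 0) return "malformed";

  // 1. Tamper check on the raw, unparsed body, compared in constant time.
  const expected = Buffer.from(sign(secret, timestamp, rawBody), "hex");
  const authentic = signatures.some((sig) => {
    const given = Buffer.from(sig, "hex");
    return given.length === expected.length && timingSafeEqual(given, expected);
  });
  if (!authentic) return "bad_signature";

  // 2. Replay checks: the signed timestamp must be fresh and the event id unseen.
  if (Math.abs(nowSeconds - timestamp) > TOLERANCE_SECONDS) return "stale";
  const id = eventId(rawBody);
  if (id === null) return "malformed";
  if (seenEventIds.has(id)) return "replayed";
  seenEventIds.add(id);
  return "ok";
}
```

The body passed in must be the exact bytes received (in a Next.js route handler, `await request.text()`), because re-serialized JSON will not match the signature. Stripe's official library performs the signature and timestamp checks in `stripe.webhooks.constructEvent`; de-duplicating by event id remains the application's job.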
Ready to run on this stack?
Genkō is free to start. No credit card required.