# Slicekit > Slicekit is a professional, production-grade SaaS template: an event-driven .NET 10 API (vertical slices, DDD, CQRS, messaging) paired with a typed React 19 SPA (TanStack, shadcn/ui). Passkeys, TOTP, OAuth, granular permissions, a finished admin panel, a hash-chained audit trail, full observability and CI included. Buy once, own the code. Slicekit is a full-stack SaaS template: an event-driven .NET 10 API (vertical slices, DDD, CQRS, messaging) paired with a typed React 19 SPA (TanStack, shadcn/ui). The docs below cover setup, architecture, and how to build features across both sides. Each link points to clean Markdown. ## Getting Started - [Introduction](https://slicekit.dev/docs/introduction.md): What Slicekit is, who it is for, and how the documentation is organised. - [What Slicekit includes](https://slicekit.dev/docs/what-slicekit-includes.md): A map of what ships in the box: the foundations every SaaS needs, already assembled and tested, with a guide for each. - [Getting started](https://slicekit.dev/docs/getting-started.md): Clone the template, bring up local infrastructure, and run both the API and the frontend. - [Project structure](https://slicekit.dev/docs/project-structure.md): A tour of the repository: the API, the frontend, infrastructure, docs and CI. - [AI-assisted development](https://slicekit.dev/docs/ai-assisted.md): Why Slicekit is a codebase your AI coding assistant can actually work in, and how to get the most from it. ## Concepts - [Architecture overview](https://slicekit.dev/docs/architecture.md): Vertical slice architecture, the .NET projects and the patterns that divide them, the React SPA, and how a feature is added across both sides. - [Adding a vertical slice](https://slicekit.dev/docs/vertical-slices.md): A step-by-step recipe for adding a new feature, from the command in Slicekit.Core to the thin HTTP endpoint in Slicekit.Api. - [CQRS and domain events](https://slicekit.dev/docs/cqrs-and-events.md): How commands, queries and events flow through Wolverine, and the transactional outbox that makes messaging reliable. - [Domain-driven design](https://slicekit.dev/docs/domain-driven-design.md): Aggregates, invariants and domain events: how the domain model is structured and why handlers stay thin. - [Authentication & permissions](https://slicekit.dev/docs/authentication.md): Cookie sessions with CSRF, role and permission checks, admin impersonation and the audit trail. ## Backend guides - [Adding a database migration](https://slicekit.dev/docs/adding-a-migration.md): Create, apply and review EF Core migrations against the AppDbContext, and how migrations run on startup. - [Adding a permission](https://slicekit.dev/docs/adding-a-permission.md): Define a new permission in the Allow catalogue, assign it to roles, and enforce it on endpoints and in the UI. - [The settings pattern](https://slicekit.dev/docs/settings-pattern.md): Add strongly-typed, validated configuration with the settings pattern and bind it from appsettings and environment variables. - [Adding an OAuth provider](https://slicekit.dev/docs/oauth-provider.md): Wire up an external OAuth provider (Google, GitHub, ...) alongside the cookie sessions, end to end. - [Two-factor authentication](https://slicekit.dev/docs/two-factor-auth.md): How time-based one-time password (TOTP) two-factor authentication works, and how to enroll, verify and recover. - [Rate limiting](https://slicekit.dev/docs/rate-limiting.md): Apply and tune rate-limit policies on endpoints, and the defaults that ship with the template. - [Pagination](https://slicekit.dev/docs/pagination.md): Return paged, sortable list results with the shared pagination primitives, from query to typed client. - [Auditing](https://slicekit.dev/docs/auditing.md): Record who did what by emitting audit events, and where the trail is stored and surfaced. - [Domain and integration events](https://slicekit.dev/docs/domain-events.md): Publish and handle domain and integration events over Wolverine, with the transactional outbox for reliability. - [Error handling](https://slicekit.dev/docs/error-handling.md): The Result and AppError taxonomy, how failures map to ProblemDetails responses, and how to add an error type. - [File storage](https://slicekit.dev/docs/file-storage.md): Upload, store and serve files through the S3-compatible storage abstraction (MinIO locally). - [Adding an API version](https://slicekit.dev/docs/api-versioning.md): Introduce a new API version (v2) without breaking existing clients. - [Data export & GDPR](https://slicekit.dev/docs/data-export.md): Export a user's personal data and handle deletion, the GDPR-oriented personal-data tooling. - [Impersonation](https://slicekit.dev/docs/impersonation.md): Let admins safely impersonate a user for support, with the audit trail that records it. - [Removing a feature](https://slicekit.dev/docs/removing-a-feature.md): Cleanly delete a vertical slice across the API, frontend, permissions and tests. - [Testing a feature](https://slicekit.dev/docs/feature-testing.md): Unit-test handlers and aggregates with the fast suite, and cover endpoints with Testcontainers integration tests. ## Frontend - [Frontend overview](https://slicekit.dev/docs/frontend-overview.md): The React SPA: its slice-per-feature layout, routing with TanStack, and the shadcn/ui design system. - [The typed API client](https://slicekit.dev/docs/api-client.md): How the frontend talks to the API: one typed client, cookies and CSRF handled for you, wrapped in TanStack Query. - [Adding a frontend feature](https://slicekit.dev/docs/adding-a-frontend-feature.md): Build a new feature slice in the React SPA: route, data hooks, components and types. - [Adding a language](https://slicekit.dev/docs/i18n.md): Add a new language to the SPA, where translation namespaces live, and how strings are looked up. - [Building a form](https://slicekit.dev/docs/forms.md): Build a validated form with React Hook Form and Zod, wired to the typed API client and its errors. - [Permissions in the UI](https://slicekit.dev/docs/frontend-permissions.md): Show, hide and guard UI by the current user's permissions, mirrored from the API. ## Operations - [Observability](https://slicekit.dev/docs/observability.md): Traces, metrics and logs through OpenTelemetry into Grafana, and how to instrument your own slices. - [Deployment](https://slicekit.dev/docs/deployment.md): Building the production images, configuration through environment variables, and running the production stack. - [Configuration](https://slicekit.dev/docs/configuration.md): How the template is configured: appsettings as development placeholders, environment-variable overrides in production, and the local port map. - [Reverse proxy](https://slicekit.dev/docs/reverse-proxy.md): Run the API behind a reverse proxy (TLS, forwarded headers, cookies) in production. ## Landing site - [Overview](https://slicekit.dev/docs/landing-site.md): The marketing site in landing/: a static Astro site with no React or runtime, and the map of files you change to make it your own. - [Brand and navigation](https://slicekit.dev/docs/landing-site-brand.md): Change brand copy, URLs, pricing and SEO defaults in src/config/site.ts, and edit the header and footer links in src/config/navigation.ts. - [Theming and dark mode](https://slicekit.dev/docs/landing-site-theming.md): Recolour the site through the design tokens in global.css, swap fonts, and understand the class-based dark mode and the shared vertex mark. - [Content and assets](https://slicekit.dev/docs/landing-site-content.md): Add blog posts and documentation pages through Astro content collections, refresh product screenshots, and regenerate Open Graph images. ## Optional - [Full documentation (single file)](https://slicekit.dev/llms-full.txt): every doc concatenated as Markdown. - [Interactive API reference](https://api.slicekit.dev/scalar): OpenAPI explorer for the .NET API. - [We do not ship MediatR. Here is what we ship instead, and the catch](https://slicekit.dev/blog/why-not-mediatr): Why Slicekit builds on Wolverine instead of MediatR-plus-a-bus, the 2024-25 licensing shift that makes it a buying concern, and an honest look at what you give up. - [Assume the token is stolen: passkeys, cookies and refresh-token rotation](https://slicekit.dev/blog/auth-passkeys-and-token-rotation): Start from the worst case, a credential already in the wrong hands, and work backward: passkeys with no stealable secret, HttpOnly cookies XSS cannot read, and family-based refresh-token rotation as a tripwire. - [CQRS is not your mediator, and the outbox is not magic](https://slicekit.dev/blog/cqrs-events-and-the-outbox): Two misconceptions trip up most CQRS posts: that routing commands through a mediator is CQRS, and that an outbox gives exactly-once delivery. Here is what each pattern actually is, and what Slicekit relies on. - [One typed contract, and the one interceptor that makes auth invisible](https://slicekit.dev/blog/typed-api-contract): The engineering case for a single typed client between .NET and React: one place for cookies, CSRF and a 401 silent-refresh interceptor, hand-mirrored types you keep honest against the API, and server validation errors mapped back onto form fields. - [Permissions, not roles, but we stopped short of Zanzibar](https://slicekit.dev/blog/permissions-not-roles): Slicekit sits between coarse RBAC and relationship-based auth: a flat permission catalogue enforced on the API and mirrored in the UI. Here is what that buys you, and the day you should outgrow it. - [Architecture tests that fail CI, and the violations they cannot catch](https://slicekit.dev/blog/architecture-tests-that-guard-boundaries): NetArchTest turns Slicekit layer and slice boundaries into build-failing fitness functions, Testcontainers keeps integration tests honest, and a passing rule is still only a floor. - [Tamper-evident, not tamper-proof: where the audit line really is](https://slicekit.dev/blog/tamper-evident-audit-trail): A hash-chained audit log makes tampering detectable, not impossible. Here is the exact limit, and what Slicekit does to push past it. - [GDPR erasure breaks your foreign keys](https://slicekit.dev/blog/gdpr-export-and-deletion): Why deleting a user is a data-modeling problem, not a one-line DELETE, and how Slicekit fails the build when a new personal-data field goes unclassified. - [OpenTelemetry from day one, and the cardinality mistake that blows up your bill](https://slicekit.dev/blog/observability-from-day-one): Wiring traces, metrics and logs in before the first feature is the easy part. The expensive trap is high-cardinality metric labels, and one rule keeps it from wrecking your storage bill. - [Why .NET and a modular monolith for a base you keep](https://slicekit.dev/blog/why-dotnet-for-a-base-you-keep): A base you run for years is judged on year three, not the first hour. Here is the case for the runtime and the architecture shape behind Slicekit. - [An AI can navigate this codebase. Here is where it still cannot be trusted](https://slicekit.dev/blog/an-ai-navigable-codebase): A predictable slice-per-feature layout makes Slicekit navigable for a coding agent, and the guardrails catch a narrow class of mistakes. A green build is not a correct feature, so human review of behavior stays essential. - [Vertical slices without the cargo cult](https://slicekit.dev/blog/vertical-slices-end-to-end): Vertical slices are a cohesion rule, not a war on Clean Architecture or DDD. The myths, the one principle that matters, and where slices actually bite. - [Introducing Slicekit: ship the product, not the plumbing](https://slicekit.dev/blog/introducing-slicekit): Why we built a premium, opinionated full-stack SaaS boilerplate around .NET 10 and React, and an honest account of what a template can and cannot do for you.