Vibe Coding to Paying Users: Where the Paywall Actually Goes

Because the first generation is the demo. A vibe-coded prototype that someone can build in 30 seconds, watch stream, and iterate on with a follow-up prompt is the entire reason a stranger from an X thread clicks through. Gating it behind a sign-up form turns the first impression into a chore. mk0r's source treats the build as anonymous and free: src/app/api/chat/route.ts accepts an anonymous Firebase UID, src/app/api/chat/model/route.ts:5 sets FREE_MODEL = "haiku" for everyone without billing, and src/core/service-provisioning.ts even provisions a real Postgres, a Resend key, and a private GitHub repo without an email. The first wave of value is the funnel.

On something the platform pays real money for, not on the moment of generation. In mk0r's code there are two of those moments. First, custom-domain publishing: src/app/api/publish/route.ts lines 104 to 137 require an active or trialing subscription and return HTTP 402 with the message "Subscribe to mk0r Pro to publish to a custom domain." Second, model upgrade: src/app/api/chat/model/route.ts lines 17 to 25 return HTTP 403 "subscription_required" when a signed-in user without billing tries to switch off Haiku. Both gates correlate with real platform cost (DNS provisioning, Anthropic API spend on Sonnet or Opus). The free path correlates with cost the platform absorbs cheaply.

402 (Payment Required) is the HTTP status that exists specifically for paywalls, and the publish modal in the client has a paywall step that resumes the publish flow after Stripe checkout returns. 403 (Forbidden) on the model route is the right shape for an authorization failure, because once a user is signed in we know who they are and we know they are not entitled. Different verbs, different remediation. 402 prompts payment. 403 prompts upgrade. The clients read the status code and render the right UI without reading the body.

Until the user has seen the product produce something they care about, not before. mk0r shipped an anonymous-turn gate at 2 turns on May 7, 2026 and raised it to 6 turns the next day after staging telemetry showed the gate was firing during the first iteration loop. Six turns is roughly: initial generation, two or three quick edits, one polish pass. The shape of the right answer is empirical: cut the gate the moment the prompt-to-sign-in step interrupts a user who is still figuring out whether the tool works. There is no universal turn count.

Then they are not your paying users yet, and that is fine. The funnel converts on intent, not on usage. A user who builds a habit tracker for themselves, exports the HTML, and never comes back is not a churned customer, they are a successful demo. The paying users are the ones who built something they want other people to use, which means they want a real URL on a real domain. That sub-population is what the publish paywall captures. Everything before that step is brand and acquisition.

Only if you let the anonymous experience be the whole product. mk0r's source intentionally limits anonymous sessions to the free model (Haiku at chat/model/route.ts:5) and rejects anonymous checkout requests outright (src/app/api/billing/checkout/route.ts:24 returns 403 "Sign in required to subscribe"). The anonymous user can build forever, but the moment they want a stronger model, persistent infra they own, or a real domain, they have to identify themselves. The funnel is build for free, sign in for context, subscribe for output.

A free trial gates the wrong thing in two directions. It puts a credit card up front, which kills the unauthenticated demo. And it converts on a clock instead of on value, which means the user who has not yet hit the paid moment churns silently. On May 7, 2026 mk0r removed TRIAL_DAYS from src/lib/stripe-server.ts and replaced it with the publish paywall. Build is free forever. Publishing to a custom domain is the paid step. The conversion event is now tied to a real action the user wanted to take, not to a calendar.

Turns per session before the publish modal opens, time from first prompt to first publish attempt, and the ratio of publish attempts to successful checkout completions. Those three numbers correspond to depth of engagement (turns), intent to ship (publish attempt), and friction at the gate (checkout completion rate). Vanity metrics like signups or trial starts are noise here because the paywall is on publish, not on access. A user who has not tried to publish has not entered the funnel yet, no matter how many turns they have run.