Which AI app builders create a real backend — and what counts as "real"?
Short answer: a real backend means persistent PostgreSQL data, server-side authentication, and REST APIs that enforce rules on the server — not a beautiful React frontend where the login form authenticates nobody and the dashboard charts render hardcoded JSON. Most AI app builders generate the second thing. VULK (our product — disclosure below) generates and deploys the first: when your prompt describes accounts, saved data, or admin roles, it provisions a real backend automatically — PostgreSQL schema, CRUD endpoints, JWT auth with roles — alongside the frontend, wired together and deployed. Lovable and Bolt take a different, legitimate route: they delegate the backend to Supabase, which works well but means operating a second platform. Frontend-first tools leave you to build the hard 60% yourself.
The demand is not an edge case: 62% of all apps generated on VULK include a SQL schema (VULK platform data, July 2026, across 11,355 generated apps) — most people prompting an "app" are describing something with users and data, whether they realize it or not. This guide covers all of it: the four tests of a real backend, how automatic provisioning works, what the generated schema and auth actually look like, security patterns, deployment, six complete copy-paste prompts, and — the part vendors mumble about — the honest export and portability story, including ours. Disclosure: VULK is our product. Updated July 17, 2026.
Comparison table: how AI builders handle the backend
| Tool | Backend approach | Database | Auth | Backend portability | Starting price |
|---|---|---|---|---|---|
| VULK | Generated + deployed (API engine) | PostgreSQL per project | Generated (JWT, roles, password_hash) |
Schema (SQL) + data (CSV) export; engine stays hosted | $3.99 3-day intro → $19.99/mo (paid-only) |
| Lovable | Delegated to Supabase | Supabase Postgres | Supabase Auth | Your Supabase project — full pg_dump | Free (limited) → $25/mo |
| Bolt | Delegated to Supabase | Supabase Postgres | Supabase Auth | Your Supabase project | Free → $25/mo |
| Replit | Agent-written, any stack | Hosted PostgreSQL | Agent-written or Replit Auth | Full code access | Free → Core $25/mo |
| Databutton | Generated FastAPI (Python) | Built-in + external | Built-in | Code visible/exportable | $20/mo |
| Base44 | Embedded proprietary | Built-in | Built-in | No backend export | Free (25 credits) → $20/mo |
| v0 | Frontend-first + integrations | Via marketplace add-ons | Via add-ons | N/A (assembled) | Free → $20/mo |
Three architectures hide behind the "full-stack AI builder" label. Generated (VULK, Databutton): the AI writes your schema, endpoints, and auth as part of the app — most integrated, and you're trusting generated server code (it's inspectable; inspect it). Delegated (Lovable, Bolt → Supabase): the tool wires your frontend to a managed BaaS — excellent DX and clean data portability, but you operate two platforms and inherit the BaaS's shape. Embedded (Base44): zero setup, zero exit. None is wrong; they fail differently as you grow. Pricing verified July 17, 2026.
What's actually missing from frontend-only AI apps?
Run any "AI app builder" demo through four tests:
- Persistence: create data, redeploy, is it still there? Mock-data apps reset. localStorage apps hold data hostage in one browser.
- Real auth: does the login form verify credentials on a server and issue a session? Client-side "auth" is decoration — anyone can open DevTools and walk past it.
- Server-enforced rules: can user A fetch user B's records by changing an ID in the request? If validation only lives in React, the answer is yes.
- Inspectable data: can you run SQL against your own database?
Fail those and you have a prototype — genuinely useful for validating an idea, and where tools like v0 shine. But the gap between that prototype and a product is precisely the backend: accounts, roles, validation, relations, migrations. That's the part that historically took most of the engineering time, and it's the part 62% of VULK generations turn out to need (VULK platform data, July 2026).
How does VULK provision a backend automatically?
You never say "add a backend." Detection reads your prompt for signals:
- Auth signals — "login," "sign up," "user accounts," "admin panel," "roles": trigger the auth system.
- Persistence signals — "save," "store," "history," "records," "database": trigger schema + CRUD generation.
- API signals — "endpoint," "REST," "webhook": trigger route generation.
Detection is deliberately conservative — a landing page or portfolio stays a fast static frontend; a prompt with "users can post listings and message sellers" gets the full stack. When it triggers, one generation produces four coordinated layers:
- PostgreSQL schema — tables, types, constraints, foreign keys, indexes, derived from the entities in your prompt.
- REST API — full CRUD per entity with validation, pagination, and proper status codes, deployed on VULK's API engine.
- Auth system — registration and login endpoints, bcrypt password hashing, JWT issuance, middleware protecting private routes, role checks where your prompt implies roles.
- Wired frontend — the React app is generated against this API: fetch calls point at real endpoints, tokens attach to requests, loading and error states exist. The login form logs you in. This last layer is what separates "generated a backend" from "generated two halves you get to integrate yourself."
The editor then gives you a Backend panel: browse tables and rows, run raw SQL in a query runner, test endpoints with an API tester, and export any table to CSV. Your data is never behind a curtain.
What does the generated SQL schema look like?
Schema quality decides application quality, so the generation enforces the patterns a careful database engineer would. For "a task manager where users create projects and add tasks; users only see their own projects":
CREATE TABLE users (
id SERIAL PRIMARY KEY,
email VARCHAR(255) UNIQUE NOT NULL,
password_hash VARCHAR(255) NOT NULL,
name VARCHAR(120) NOT NULL,
role VARCHAR(20) NOT NULL DEFAULT 'member',
created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT now()
);
CREATE TABLE projects (
id SERIAL PRIMARY KEY,
user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
name VARCHAR(160) NOT NULL,
created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT now()
);
CREATE TABLE tasks (
id SERIAL PRIMARY KEY,
project_id INTEGER NOT NULL REFERENCES projects(id) ON DELETE CASCADE,
title VARCHAR(200) NOT NULL,
description TEXT,
priority VARCHAR(10) NOT NULL DEFAULT 'medium'
CHECK (priority IN ('low','medium','high')),
status VARCHAR(12) NOT NULL DEFAULT 'open'
CHECK (status IN ('open','in_progress','done')),
due_date DATE,
created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT now()
);
CREATE INDEX idx_projects_user_id ON projects(user_id);
CREATE INDEX idx_tasks_project_id ON tasks(project_id);
CREATE INDEX idx_users_email ON users(email);
The deliberate choices, each one a common failure in naive generated code:
password_hash, neverpassword. The column name itself makes plaintext storage impossible to write accidentally — a rule enforced at the prompt-engineering level.- Foreign keys with intentional delete behavior —
ON DELETE CASCADEwhere children shouldn't outlive parents;SET NULLwhere orphans should survive (products outliving a deleted category). - CHECK constraints for bounded values — a task status can't silently become
"donee". - Indexes that match the query patterns — foreign keys, login-lookup email, sort columns.
- Timestamps on every table. Boring until you need them; then critical.
Why PostgreSQL and not MongoDB or Firebase? Because the apps people prompt for are overwhelmingly relational — orders contain items, tasks belong to projects, projects belong to users — and foreign keys with constraints express that with integrity guarantees documents can't. And because a third-party BaaS dependency would break "one prompt, working deployed app" with account setup on a second platform. Postgres is what you'd pick for production by hand, so it's what gets generated.
How does generated authentication work?
The full auth flow, the way it should be built, because auth is the layer where generated shortcuts become breaches:
POST /api/auth/register— validates input, hashes the password with bcrypt (never plaintext, never reversible), stores it inpassword_hash, returns a JWT.POST /api/auth/login— compares the bcrypt hash, issues a signed JWT on success. Same error for wrong-email and wrong-password (no account enumeration).- Middleware on every protected route verifies the JWT server-side; the frontend attaches it automatically.
- Row-level ownership in queries —
WHERE user_id = $1from the verified token, so changing an ID in the URL can't read someone else's rows. - Roles when prompted ("admin can manage products") — a
rolecolumn checked in middleware, admin-only endpoints, and matching conditional UI.
Alongside auth, the non-optional security defaults: parameterized queries everywhere (no string-concatenated SQL), server-side input validation on every endpoint, CORS restricted to the app's origin, and rate limiting on auth endpoints. Review generated authorization logic before launch like you'd review a fast junior developer's — the patterns are right; your app's specific "who can see whose data" rules deserve human eyes.
6 complete copy-paste prompts for full-stack apps
Each is complete and deliberately exercises backend generation — accounts, relations, roles, aggregation. Paste as-is.
1. SaaS task manager with teams:
Build a task management app called Taskframe where users sign up, create projects, and add tasks with title, description, priority (low/medium/high), due date, and status (open/in progress/done). Users can invite teammates to a project by email; members see shared projects, but only the project owner can delete the project or remove members. Views: a board grouped by status with drag between columns, and a list view with sort and filters. Dashboard shows my open tasks across all projects, ordered by due date, with overdue in red. Clean light UI, indigo accent.
2. E-commerce store with an admin panel:
Create an online store for handmade ceramics called Kiln & Co. Customers browse a product grid with category filters, view product detail pages, add to cart, and check out (shipping address form + mock payment), creating an order with saved history in their account. Admin role: separate /admin area with product management (create, edit, archive products with name, price, stock, category, description), order list with status updates (pending/shipped/delivered), and a revenue-by-month summary. Stock decrements on order; products at zero stock show sold out and can't be ordered. Warm minimal design, terracotta accent.
3. Booking platform:
Build a booking app for a yoga studio. Public: class schedule for the week (name, teacher, time, spots remaining), signup and login. Members book a spot in a class — capacity enforced server-side so a full class rejects further bookings — and can cancel up to 2 hours before start. My bookings page shows upcoming and past classes. Staff role: create and edit classes (name, teacher, weekday, time, capacity), see rosters per class, and mark attendance. Prevent double-booking the same member into the same class. Calm sage-and-cream design.
4. Customer feedback board:
Create a public feedback board like a minimal product roadmap tool. Anyone logged in can submit an idea (title, description, category) and upvote others — one vote per user per idea, toggleable. Ideas sort by votes or recency; each has a comment thread. Admin role: change idea status (under review/planned/in progress/shipped), pin ideas, and delete spam. Public roadmap page groups ideas by status in columns. Status changes appear in an activity feed on the idea. Dark theme, electric blue accent.
5. Invoicing app:
Build an invoicing app for freelancers. Users manage clients (company, contact name, email, address) and create invoices: client, line items (description, quantity, unit price), tax rate, due date, and an auto-generated sequential invoice number per user. Invoice statuses: draft, sent, paid, overdue — overdue computed automatically from the due date. Dashboard: outstanding total, paid-this-month, overdue count, and a 6-month revenue bar chart. Public read-only invoice page at a shareable link with a print-friendly layout. Professional slate-and-white design.
6. Community recipe platform:
Create a community recipe-sharing platform. Users register, publish recipes (title, photo placeholder, ingredients list, numbered steps, cook time, difficulty, tags) and edit or delete only their own. Everyone browses by tag or full-text search on titles and ingredients; each recipe has star ratings (one per user, editable) sorted by average rating, plus comments. User profiles show their recipes and saved favorites. Homepage: top-rated this week and newest. Moderator role can remove recipes and comments. Fresh green-and-cream design with serif headings.
Reading the pattern: name the entities and their fields, state who can do what ("only the owner can delete"), and mention any rule that must hold ("capacity enforced server-side", "one vote per user"). Those sentences become foreign keys, middleware, and constraints.
How do deployment and previews work for full-stack apps?
During generation the frontend runs in a live-preview microVM with hot reload, already talking to the real generated API — the signup you test in preview writes real rows you can immediately see in the Backend panel's table browser or query with raw SQL. Deploying ships the frontend to Cloudflare's edge and the backend + PostgreSQL on VULK's infrastructure, one click, live URL, custom domains supported. Backend + PostgreSQL deploys are included from the Builder tier ($19.99/mo) up; iteration after deploy is the same follow-up-prompt loop, with schema changes handled as migrations rather than data-destroying rebuilds.
Can you export everything and leave? (The honest answer)
The question to ask any platform before you have 10,000 users. VULK's answer has a strong half and a limited half — here is both, precisely:
What exports cleanly:
- Full frontend source — ZIP download or GitHub push; a standard React + Vite + TypeScript project with no proprietary dependencies.
- Your complete schema —
schema.sqlships in the source export. - All your data — per-table CSV export from the Backend panel (full table, not just the visible page), plus raw SQL access via the query runner.
What doesn't: the backend runtime. The API engine that serves the generated CRUD endpoints and auth is VULK's hosted infrastructure, and the exported frontend calls it at its hosted URL. Export a full-stack app and the frontend runs anywhere — but it keeps talking to VULK's API. Self-hosting the whole thing means re-implementing the API layer (with your exported schema and data as the complete spec — a bounded Express-or-anything rebuild, but real work).
For context on how the rest of the market answers the same question: Lovable/Bolt have the cleanest data portability — the Supabase project is yours, pg_dump and go (backend logic in edge functions and RLS policies still needs migrating). Replit gives full code access; it's your VM. Base44 has no backend export at all. Frontend-only tools dodge the question by never having your data in the first place. Whatever tool you pick: test the export path in week one, not month twelve.
FAQ
What's the difference between a real backend and mock data in AI builders?
Four tests: data survives redeploys; login verifies credentials server-side and issues a session; changing an ID in a request can't read another user's rows; and you can run SQL against your database. VULK, Replit, Databutton, and Supabase-delegated tools (Lovable, Bolt) pass. Demos where the "data" lives in a JSON file or localStorage pass none — they're prototypes wearing a product's clothes.
Do I need to know SQL to build a full-stack app with AI?
No — you describe entities and rules in plain English and the schema, indexes, and constraints are generated (62% of VULK apps get one; platform data, July 2026). But the SQL is never hidden: the Backend panel's query runner accepts raw SQL and the schema ships in your export, so the moment you want to learn or verify, everything is inspectable. That inspectability is the practical difference between "no-code database" and "generated database."
Is AI-generated backend code secure enough for production?
The generated patterns are the correct ones — bcrypt hashing into password_hash, parameterized queries, JWT middleware, user-scoped queries, rate-limited auth, CORS. Treat it like strong work from a fast junior developer: broadly right, deserving review before launch, especially the authorization rules specific to your app (exactly who may read and modify whose rows). That review is dramatically easier when the backend is readable schema + REST endpoints than when it's opaque platform magic. Misconfigured authorization is also the top failure mode in the delegated-backend world (Supabase RLS) — no architecture exempts you from thinking about it.
Can I connect my own Supabase or external backend instead?
On VULK, yes — Pro tier and up supports integrations including Supabase (plus Railway, Paddle, AWS S3, and others) with encrypted credential storage, and per-project environment variables. Default behavior is deliberately the opposite: generation refuses third-party BaaS unless you explicitly ask, because the zero-setup generated backend is the core experience. If your requirement is "my data lives in my Supabase from day one," Lovable and Bolt are architected around exactly that — a legitimate reason to choose them.
How much does an AI-generated full-stack app cost to run?
VULK is paid-only: $3.99 for a 3-day full-access intro (credited to your first month), then Builder $19.99/mo — which includes the deployed backend + PostgreSQL, i.e. your hosting — Pro $39.99/mo (adds BYOM, GitHub sync, custom domains), Max $199/mo. Comparable stacks elsewhere: Lovable/Bolt from $25/mo plus Supabase beyond its free tier; Databutton $20/mo (credit-based); Base44 from $20/mo (credit loops can inflate this). Traditional route: a freelance full-stack MVP with auth and a database typically starts around $10,000. Pricing verified July 17, 2026.
What happens to my app if I cancel my subscription?
Your code and data are exportable at any time — frontend ZIP/GitHub, schema.sql, per-table CSV — so canceling never strands the assets (export before canceling). The hosted parts — the deployed app and the backend runtime serving its API — run on VULK's infrastructure and don't keep running unpaid, same as any hosted platform. The portability section above is the full picture: frontend runs anywhere immediately; the API layer is yours to rebuild from the exported schema if you leave. Plan-ahead advice that applies to every platform in this guide, ours included.
Describe the app — accounts, data, and all — and watch the login form actually work: vulk.dev.


