Creating Apps with AI Tools: Honest Truth After a Year in Production

# Create App with AI Tools: The Honest Truth After a Year in Production

I've been using AI tools to create apps in production for over a year now. Here's the honest, unfiltered version.

I run Beyin Digital in Abu Dhabi. We build e-commerce platforms, dashboards, and internal tools. When Cursor and Claude Code hit the scene, I jumped in headfirst. Six months later, I nearly lost a client because the AI-generated code had a silent database connection leak.

Here's what actually works—and what doesn't.

Why This Matters (and Why I Care)

The hype around "create app with AI tools" is deafening. Everyone promises you'll ship 10x faster. But the real world is messier.

In our last project—a multi-tenant SaaS for logistics—AI tools handled 60% of the boilerplate. But the remaining 40%? That's where architecture, security, and edge cases live. And that's where AI fails hard.

If you're building for production, not a demo, you need a strategy. Not just a tool.

The Basics You Actually Need

Start with a solid foundation. Here's what I use at Beyin:

// Strict TypeScript config - non-negotiable

{

"compilerOptions": {

"strict": true,

"noUncheckedIndexedAccess": true,

"exactOptionalPropertyTypes": true

}

AI tools generate sloppy types. This catches them before they hit production.

How I Build With It (Step by Step)

**Phase 1: Scaffold with AI, review manually**

I use Claude Code to generate the initial Next.js app with Supabase. But I read every file. I've caught it generating `any` types, missing error boundaries, and leaking env variables.

**Phase 2: Test boundaries, not features**

AI writes happy paths well. I spend 80% of my review time on edge cases: what happens when the database is down? When the user uploads a 2GB file? When the API rate-limits?

**Phase 3: Lock it down**

I add Zod validation on every API route. AI loves to skip input sanitization.

Mistakes I Made (So You Don't Have To)

1. **Trusting AI with auth logic** — It generated a JWT verification that skipped expiration checks. A security audit caught it. Never again.

2. **Letting AI write the initial schema** — It created 47 tables for a CRM that needed 12. The migration rollback took three days.

3. **Not testing AI-generated code in staging** — One update broke the entire payment flow. The AI didn't know about the Stripe webhook changes from last month.

Advanced Tips From Production

**Use AI for the boring stuff**: CRUD endpoints, form validation, test stubs. It excels here.

**Never use AI for**: Payment logic, auth, data migrations, or anything involving money.

**Always add a second pair of eyes**: We have a rule at Beyin—every AI-generated PR needs a human review. No exceptions.

My Honest Take

AI tools are incredible for speed. But they're not engineers. They don't understand your domain, your edge cases, or your tech debt.

The best approach? Use AI as a junior developer who types fast. Review everything. Test everything. And never forget: you're the one responsible when it breaks in production.

---

*Mohamed Qurashi | Full-Stack Developer at Beyin Digital | [https://qurashi.dev](https://qurashi.dev)*

---

**Further reading:**

[Why is conditional processing of a sorted array faster than of an unsorted array](https://stackoverflow.com/questions/11227809/why-is-conditional-processing-of-a-sorted-array-faster-than-of-an-unsorted-array)

[How do I undo the most recent local commits in Git?](https://stackoverflow.com/questions/927358/how-do-i-undo-the-most-recent-local-commits-in-git)

**Related articles on this blog:**

[ai code review checklist](/blog/ai-code-review-checklist)

[nextjs supabase production setup](/blog/nextjs-supabase-production-setup)