Show HN: Corral – Auth and Stripe billing that AI coding agents can set up

[rgthelen]

Hey HN. I built Corral because every time I asked an AI coding agent to "add auth and payments," it hallucinated for an hour and produced broken code. Wrong imports, phantom endpoints, a login page wired to nothing.

The problem isn't the agent. It's that auth-to-billing-to-gating is genuinely hard to wire, and there's no machine-readable spec for how to do it.

Corral is an open-source CLI (MIT) that gives your agent a spec it can read (llms.txt), then scaffolds auth + Stripe billing into your existing project. It detects your framework (Express, Next.js, Hono, Fastify, and 13+ more), embeds into your existing server (doesn't create a new one), and generates working components: profile page, admin dashboard, plan gating, Stripe checkout, usage metering. One YAML config file controls everything.

The agent workflow is 9 commands. Every command supports --json. Errors include a "fix" field. Exit 0 means deploy-ready.

I hardened this across 10 framework/DB combos with blind agent tests: 3 AI models, 3 rounds each, then a 10-agent fleet. Found and fixed real edge cases like Express 4 vs 5 route patterns, Vite proxy ordering, and agents creating duplicate servers instead of embedding into existing ones.

To try it, paste this into any AI coding agent:

  Read: https://llama-farm.github.io/corral/llms.txt
  Add auth and Stripe billing to my app.

Built on Better Auth + Stripe. 18 CLI commands, 30+ templates.

GitHub: https://github.com/llama-farm/corral npm: npx create-corral init Docs: https://llama-farm.github.io/corral/

[mhamann]

Super interesting. Auth and Payments seem like things you don't want to or can't build yourself. (I'm waiting for the day when I can just use BTC or UDSC for everything.)

Have you thought about supporting additional auth providers? Or providing a way for other auth services to add support for their products?

[rgthelen]

Thanks! On auth providers — Corral already supports 9 OAuth providers out of the box (Google, GitHub, Apple, Discord, Microsoft, Twitter, Facebook, GitLab, LinkedIn) plus email/password, magic links, and email OTP. Adding a new one is one command:

corral add provider github Under the hood, Corral is built on Better Auth, which has a plugin architecture. Any Better Auth plugin works with Corral — so if someone builds a provider plugin for Better Auth, it automatically works here too. We're not reinventing auth crypto, just making it agent-installable.

On the crypto payments front — that's actually a great use case for Corral's plugin model. The billing layer is modular (Stripe today, but the gating/metering layer doesn't care where the payment event comes from). A BTC/USDC payment plugin that fires the same "user upgraded to plan X" event would slot right in. Interesting idea.

[rgthelen]

It 100% runs locally, is easy to deploy, and it wires it right into your app - even cooler, if you have a JS backend, no extra server, if you have python, go, ruby, etc, it will have your agent create a tiny side-car so you don't need an extra container, etc.

Let me know what you think!

[rachelradulo]

This validates something we keep seeing-the bottleneck for AI agents isn't intelligence, it's that tooling isn't yet built for how they actually work. Structured specs and parseable errors > docs written for humans. Really cool to see this ship.

[rgthelen]

Thanks for following along since day 1!

[rachelradulo]

How do agents handle the Stripe webhook setup? That's always been the gnarliest part for me manually.

[rgthelen]

webhooks are the part where most agent-built auth falls apart. Here's how Corral handles it:

The server-express.ts template generates the webhook route with the raw body parser before express.json() (Stripe requires the raw body for signature verification — agents almost always get this wrong). The route handles checkout.session.completed, customer.subscription.updated, and customer.subscription.deleted events and auto-updates the user's plan in your database.

So when your agent runs corral init, the webhook endpoint is already in your server at /api/corral/webhook, with Stripe signature verification wired in. Your agent just needs to:

corral stripe sync — creates the products/prices in Stripe Set STRIPE_WEBHOOK_SECRET in .env For local dev: stripe listen --forward-to localhost:3000/api/corral/webhook That's it. The agent doesn't have to figure out raw body parsing, event routing, or idempotency — the template handles all of it. And since corral doctor checks for the webhook secret in your env, the agent gets told if it's missing.

The worst Stripe webhook bugs I found during testing were (1) express.json() parsing the body before the webhook route sees it, and (2) agents putting the webhook route after auth middleware that rejects unsigned requests. Both are baked into the template ordering now.

[rachelradulo]

ah makes sense, excited to hook it up to a project

[bobbyradford]

That is pretty cool. Simple and useful.