The four pieces every first website needs after the landing page

If a landing page is your introduction, four things are what come next: a way to sign up, a way to pay, a way to email, and a way to remember who someone is. Together they turn visitors into users. Skipping any one of them is what most first websites do, and what keeps them stuck at "we have a homepage" forever.

Authentication: knowing who showed up

Auth is the difference between "anonymous visitor" and "person you can talk to again". The two things every modern auth flow needs: email-based signup (magic link or password) and a session that survives the browser closing.

In 2026 the friction-free choice for most stacks is Supabase Auth (free tier covers 50k monthly active users) or Clerk (more polished UX, free up to 10k MAU). Both handle email, OAuth providers, and session management without you writing crypto code. The mistake is rolling your own — bcrypt, JWT signing, password reset emails, session cookies. Every one of those is a place to leak data. Use a managed auth provider until you have a real reason not to.

Skip social logins for the first version. Email is universal. Adding Google later takes 30 minutes; supporting six providers from day one is a tax with no payoff.

Payments: the part that decides if this is real

A site that takes money is a different animal from a site that does not. The shortest path to charging cards in 2026 is Stripe Checkout (hosted page, you redirect, they handle PCI compliance) or Polar.sh for digital products (simpler, lower fees, handles VAT and US sales tax automatically). Both are one webhook handler away from updating your own database when someone pays.

The mistake most first websites make is wiring custom checkout pages early. Hosted checkout looks less custom but converts as well or better, removes all your PCI liability, and saves a week of work. Move to a custom checkout when you have data showing it would help, not before.

Email: the way you stay in touch when they leave

Email is the only channel you own. Algorithms do not decide who sees it; nobody can shadowban it. The two pieces: transactional email (welcome, receipt, password reset, triggered by user actions) and marketing email (newsletters, product updates, lifecycle).

For transactional, Resend or Postmark. Both have generous free tiers and clean APIs. Avoid Mailchimp for transactional: it was built for marketing and deliverability for one-off triggered sends is measurably worse. For marketing, Resend (audiences feature shipped late 2024), Beehiiv (newsletter-first), or ConvertKit if you already have a list there.

The thing most first websites skip: a "set up your email preferences" link in the footer of every marketing email. Lifetime customer if you let them choose what they hear about. Unsubscribed forever if their only option is the all-or-nothing button.

A database that knows who is who

This is the piece that ties the other three together. Auth says "this is user 4291". Payments say "user 4291 just paid". Email says "send user 4291 a receipt". The database is what makes any of that survive a page reload.

For a first website, Postgres via Supabase or Neon. Both have free tiers that cover real traffic and both auto-scale into paid when you outgrow it. Skip MongoDB unless you have a specific reason: relational gives you reporting, joins, and constraints out of the box, and that is what you want at month three when you wonder how many paid users came from Twitter.

One table per concept. Users, orders, sessions, events. Do not normalize early; do not denormalize early either. The first schema you write will be wrong. That is fine. Iterate.

What this looks like put together

A visitor lands on your homepage. They click sign up: email-only, magic link. They get an account row in your users table. They browse, hit a paid feature, get sent to Stripe Checkout. Payment succeeds, webhook fires, updates their tier column to "paid". Welcome email goes out via Resend with their receipt. Two weeks later you send a product update via the same email service. They unsubscribe, or they do not.

That is the loop. Every piece is mature, free or cheap to start, and well-documented. The reason most first websites die is not that any one piece is hard. It is that all four together feel intimidating, so people delay, and momentum dies in the delay.

Common questions

Should I build auth myself to save money?

No. Supabase Auth and Clerk both have free tiers that exceed what most first sites will use in a year. The cost of doing it yourself is measured in security incidents, not dollars.

How do I handle taxes on international payments?

Stripe Tax (paid add-on) and Polar (built-in, no extra cost) both handle EU VAT, US sales tax, and most international cases automatically. Skip this on day one if you are not selling to businesses; add it once revenue justifies the line item.

Do I need a CRM?

Not in the first year. Your database plus your email tool covers it. CRMs (HubSpot, Pipedrive, Attio) make sense when you are talking to specific customers manually at scale. For a first website, the data lives in your own tables and you query it with SQL.