Harshil Tomar

7.5K posts

@Hartdrawss

Founder https://t.co/WsMmQdHtuT ⊹ we build AI powered MVPs & products for founders and startups

Book a call →
Joined September 2020
943 Following · 19.8K Followers
Pinned Tweet
Harshil Tomar@Hartdrawss·
First year of building my dream dev + design agency

2025 gave us 35+ clients, 40+ projects, and a team of 5

Here's a glimpse of what we built at dreamlaunch.studio
Harshil Tomar@Hartdrawss·
This reddit user found the 10 Step Secret Sauce to hit $15k MRR in <60 Days !

here's the full Playbook ( STEAL THIS ):

1/ every tool solved one niche pain
>not multiple use cases or broad platforms
>one problem for one specific audience
>dog groomers, painters, trainers, boring niches
>specificity made selling easier

2/ pricing stayed boring too
>most sat between $15 and $39/month
>$9 attracted tire-kickers
>$99 needed too much approval
>$29 worked at 300 customers

3/ spreadsheets were the real competitor
>they didn't replace other SaaS tools
>they replaced messy manual processes
>spreadsheet pain made the pitch obvious
>“stop doing this manually” sells fast

4/ ideas came from inside the niche
>founders worked in the industry already
>or had friends inside the market
>or studied complaints for months
>none came from shower brainstorming

5/ the math was simple
>300 customers at $29 = $8,700 MRR
>most niches had 10,000+ possible buyers
>they didn't need the whole market
>just 300 people with pain

the real takeaway:
>pick boring niches
>replace manual work
>price for easy decisions

the best micro-SaaS tools are invisible and quietly print.
Harshil Tomar@Hartdrawss·
@EXM7777 crazy run ! loved the article. a refresher in long time
Harshil Tomar@Hartdrawss·
Ultimate App Store Optimisation Cheatsheet :
( PS : i found this after shipping 6 apps )

> Put your main keyword in the title, not just the description
> The subtitle is indexed. treat it like a second title
> Your first screenshot needs to answer "why download this" in 2 seconds
> Week 1 ratings velocity decides if Apple boosts you or buries you
> Update every 2 weeks minimum. dead apps get buried
> Test 3 icons before launch. the one you like is never the winner
> Localise early. tier 2 markets convert cheaper and rank easier
> Nobody reads your long description. put keywords there and move on
> Small category rank > overall rank when you're starting out
> use Astro for keyword research
> Video preview in the listing. most people skip it and leave conversion on the table
> In-app events show up in search now. most builders don't know this
> Seasonal keywords. swap them quarterly.

fix the listing. then run the traffic.
Harshil Tomar@Hartdrawss·
18 signs your AUTH system is a TICKING BOMB :

1/ You built it from scratch instead of using Clerk or Supabase Auth
2/ Roles stored as isAdmin: true/false boolean
3/ Permissions hardcoded in the frontend
4/ No "invited but not yet signed up" state. Team invites break onboarding.
5/ Sessions don't expire
6/ Sessions don't invalidate when password changes
7/ JWT secret is short, guessable, or never rotated
8/ No refresh token rotation
9/ Password reset links don't expire
10/ No rate limit on the reset endpoint
11/ Auth logic mixed into business logic. No separation.
12/ Authorization checked in the UI only, not the API
13/ User IDs are sequential integers exposed in URLs
14/ No audit log of auth events (logins, failures, role changes)
15/ OAuth state parameter not validated. CSRF on your login flow.
16/ "Remember me" stores credentials in localStorage
17/ Admin access granted by email domain check only
18/ No way to force-logout a compromised session

We rebuilt an auth system mid-project last month because roles were designed as booleans.
The founder said "we'll figure out roles later."
We figured them out later. It cost 2 weeks.

Design your roles before you write a single line of code.

Bookmark this.
Harshil Tomar@Hartdrawss·
My daily blueprint as a 24 year old agency founder

I've been asked about my routine a lot so here it is, properly open-sourced

7:00am
> i wake up and head straight out for a walk before my brain starts loading up the day's problems.
> no phone or algo pulls but purely just sun and movement.
> i think the reason this works is because by the time i'm back home, i've already had 10-20 minutes where nothing was demanded of me. that separation matters more than people realise.

7:25am
> back home; i try to read for 20 minutes.
> sometimes i skip it depending on how i'm feeling and i don't stress about that.
> but on the days i do it, I am able to feel like a task done and something learnt !

8:00am
> A pure hour of coding / some leverage task
> This is the cleanest focused block of my entire day because the world hasn't fully woken up yet and nobody is asking me for anything.
> I use this to learn something new or knock out grunt work that requires actual thinking.

11:00am →
> This is where my day really begins. i pack up and head to Blue Tokai.

and here's the thing about the cafe that i think people miss when they say "just work from home." it's not about the coffee or the ambience. it's about the ritual of getting there.

→ getting dressed and leaving the house
→ commuting, walking in
→ ordering and finding a spot
→ denoising for 10 minutes
→ pulling out the laptop
→ two minute break
→ plugging in music.

by the time i actually open a doc, my brain has gone through this whole transition sequence and it's ready. it's not discipline. it's just a really reliable trigger i've built over months.

Usually from 11 to 5 or 6pm i'm heads down on the actual agency work alongside @ilavanyajain. client responses, marketing campaign reviews, product build reviews, PM connects. this is where DreamLaunch actually runs.

6:00pm → gym.
> This is the one thing i don't negotiate on regardless of how the day went
> I try to follow a Push, Pull, Shoulders, Legs workout split with maybe one day for stretching
> Right now I am trying to actively cut so been adding in 15-20 mins on incline treadmill

8:30pm →
> home. decompress, connect a bit ( with team / co founder ), sleep.

that's the whole blueprint ! steal whatever part of this works for you.
Harshil Tomar@Hartdrawss·
This reddit dev gave the ULTIMATE GUIDE to VIBECODE an app in 2026

here's the full playbook ( Bookmark this ) :

1/ big market is not the app idea
> mobile market is projected at $1.1T by 2034
> but “huge market” doesn't create demand
> the app still needs one painful job
> boring repeated tasks are where money hides

2/ the halo feature does the selling
> one standout action people remember
> photo to calories, chat to morning plan
> no giant dashboard, no 20-feature MVP
> one thing worth showing a friend

3/ MVP means deleting clever ideas
> build the halo feature first
> test it on your phone immediately
> watch where people get confused
> every extra feature slows the learning

4/ validation is watching behavior
> check if similar apps already have users
> read where the money is moving
> give the prototype to real people early
> users clicking wrong teaches more than compliments

5/ distribution starts before the App Store
> TestFlight is not the first test
> friends and community find the ugly gaps
> App Store submission comes after repetition
> polish matters after the loop works

the actual lesson:
> don't start with tools
> don't start with market size
> don't start with a feature list

start with the painful loop !
Amena@AmenaiSabuwala·
That’s why hiring a ‘Designer’ is important
Starter Story@starter_story·
This girl is insane. 4 different apps doing $150K/month each! 🥶
Marcel@marcelkargul·
our team has been designing and developing so many products recently. crazy how many founders are building right now!
Pierre-Eliott Lallemant@pierreeliottlal·
Most SaaS founders fail because they scale acquisition too late. We did the opposite. We focused on distribution before product perfection. That’s how we went from $0 to 2,000+ paying customers in 9 months with 0 outside funding.

Here’s the exact growth system we used at GojiberryAI:

STEP 1: Validate demand before building

Most founders spend months building features nobody asked for. Instead: we started selling before the product even existed.

We created a simple 7-slide deck:
• the problem
• the workflow
• the expected result

Then we started outbound immediately. Using GojiberryAI + manual sourcing, we targeted high intent leads through LinkedIn and cold email.

Weekly targets:
• 180 LinkedIn invites
• 1,000 cold emails
• 4-8 demos per day

That was enough to validate demand. The signal we looked for was simple: people asking: “How much does it cost?”

Before the SaaS existed, we were manually selling curated high intent lead lists. Once enough companies bought repeatedly, we automated the workflow and turned it into software.

The goal at this stage is not scale. It’s getting your first 100 customers as fast as possible.

STEP 2: Turn customer results into growth

Once customers started getting results, distribution became easier. Our biggest unlock: Reddit. Not ads. Not SEO. Not partnerships. Just giving massive value publicly.

What worked:
• commenting on viral posts
• sharing tactical breakdowns
• posting real customer wins
• explaining exactly how we generated pipeline

No corporate branding. No polished marketing language. Just actionable content.

At the same time: we kept outbound running aggressively every single day.

First hires: 3 Customer Success Managers. Retention and customer wins became growth loops.

STEP 3: Build an inbound engine

Once we crossed ~$25k MRR, we doubled down on LinkedIn.

Every person on the team:
• posted daily
• handled outbound daily

We only published lead magnet style content:
• frameworks
• templates
• playbooks
• case studies
• experiments

And every post had the same CTA: “Comment X and I’ll send it.” That single mechanic generated thousands of inbound leads.

Every week, each team member created:
• 1 new lead magnet
• multiple distribution angles from it

We also added:
• free tools
• customer stories
• motion design videos
• better landing pages

New hire: 1 Product Manager.

STEP 4: Layer distribution channels

At this point, the system already worked. Now the goal became: add more attention sources.

We expanded into:
• X/Twitter
• LinkedIn influencers
• newsletter sponsorships
• partnerships

But we never stopped the channels that already worked:
• outbound
• Reddit
• LinkedIn content

Most founders abandon winning channels too early. We scaled them harder instead.

STEP 5: Scale paid acquisition

Once the organic engine was stable, we added:
• Meta Ads
• Google Ads
• UGC creators
• B2B influencer campaigns

Then we redesigned the entire website around conversion.

At the same time: we scaled hiring across:
• growth
• engineering
• sales

And massively increased outbound volume with GojiberryAI.

Our philosophy is simple: More targeted attention → more conversations → more demos → more customers

Most startups die from lack of distribution, not lack of product. Build distribution earlier than everyone else. That changed everything for us.

If you want to try GojiberryAI with a 14-day free trial instead of 7 days: Comment “GOJI” and I’ll send you access.
Harshil Tomar@Hartdrawss·
@forgebitz true that man ! I have seen so many shiny syndrome founders coming to build
Klaas@forgebitz·
"make something people want" sounds like the most obvious startup advice, but most people will spend years building something nobody wants
Ernesto Lopez@ErnestoSOFTWARE·
$30K/mo for a recipe app where you literally just save recipes💀 you can build this in 48 hours → hire 2-5 UGC creators, → 60 videos/mo each →"5 years cooking and now I find this ?!" ( use this hook ) → pull 15M views monthly congratulations you are now rich off literally the simplest app eve
Will@athcanft·
5 things that got me to >$10K mrr with my mobile app

1. hard paywall
i tested trials, freemium and eventually ended up on a hard paywall with no trial - 5-8% install to paid rate

2. increasing prices
i started with $3.99/month and now offer $9.99/week or $49.99/year - this seems to be the best combo for maximizing LTV

3. onboarding
i've tested all sorts of length of onboarding but 12-15 steps seems to be optimal for install to paid conversion (at least my apps)

4. tiktok ads
i tried influencers, organic - but tiktok ads seems to have the highest effort : reward ratio - there's higher margins in influencers + organic but ads are so low effort it's great

5. ad tactics
using tiktoks Smart+ campaigns, adding "comment bait" in ads (flashing men kissing etc.), NOT mentioning app CTAs (i.e. "download glowly") - all resulted in higher CTRs and conversions
Harsh@Harshh_designs·
@Hartdrawss Love the overall vibe of this design.
Harshil Tomar@Hartdrawss·
Always sweating the details 🫡
Rishab@imrishabsharma·
@Hartdrawss #2 hits hard—getting screenshots right for every device size is tedious. That's why many teams use AI tools to generate store-ready variants in seconds. One screenshot error = instant rejection. Getting it right upfront saves weeks of back-and-forth.
Harshil Tomar@Hartdrawss·
20+ App Store MISTAKES that get your app REJECTED ( Extended Edition ) :

Bookmark this !

1/ App icon missing required 1024x1024 PNG. Instant rejection.
2/ Screenshots not covering all required device sizes
3/ Privacy policy URL not live at submission time
4/ Support email that doesn't actually work
5/ Data collection declared inaccurately. Reviewers check this now.
6/ Third-party SDKs on unapproved versions
7/ TestFlight not tested on a real device before submission
8/ Simulator showed green. Real iPhone showed crashes. (shipped this personally)
9/ No empty states. First-time users see blank screens with no guidance.
10/ Keyboard covers input fields on forms. Not caught until real device test.
11/ No push notification permission flow. Asking on app open = denied by 80% of users.
12/ Push tokens not refreshed. Tokens expire. Silent failures.
13/ No deep link handling. Notification taps go to home screen, not the relevant content.
14/ No offline state handling. App crashes with no internet.
15/ Paywall shown before user sees any value. Converts at 3x lower rate.
16/ Rating prompt shown too early. Before any win moment.
17/ Age rating doesn't match actual content
18/ Bundle ID mismatch between environments
19/ Certificates expired at build time
20/ No "What's New" in release notes. App Store listing looks abandoned.
21/ Memory leaks not caught. Fine in testing, crashes at 20 minutes of usage.
22/ COPPA compliance skipped for apps with no age gate

App Store reviews take 24-48 hours. Every rejection adds a week.

If you can't check every box, don't submit yet.
Brandon | Outreach@Dmarketsniper·
@Hartdrawss Should add an eighth check: do you have a single way to get users that doesn't depend on going viral? Most vibe coders ship something solid and then have no answer to that question.
Harshil Tomar@Hartdrawss·
This reddit user gave 7 checks every VIBE CODER ignores (until launch gets painful) :

here's the full list ( save this before you push live ) :

1/ legal risk
> privacy policy exists
> data storage is clear
> user info isn't handled recklessly
> if you collect data
> you are already in legal territory

2/ security headers
> ask your agent to review baseline security
> headers
> cookies
> CORS
> content security policy
> 2 minutes here can catch dumb gaps

3/ OWASP basics
> check SQL injection
> check XSS
> check auth issues
> check broken access control
> you don't need enterprise security
> you need to not be obvious prey

4/ secret leaks
> no env values in frontend
> no secrets in logs
> no oversized API responses
> no private fields returned by mistake
> AI-generated code leaks weird stuff

5/ API keys
> if the key is in browser
> assume it is gone
> move it server-side
> proxy the request
> lock down usage

6/ performance
> run Lighthouse
> check mobile load
> check image sizes
> check slow API calls
> a working app can still feel broken

7/ rollback
> commit before release
> backup database
> know how to undo
> launch confidence comes from exit routes

the actual lesson:
> don't just ask AI to build
> ask it to attack the build
> ask it to test the build

shipping fast is only impressive when the thing survives.
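Added example, not part of the post: one way to run the baseline review from check 2/ (headers, cookies, CORS, content security policy) against a single HTTP response, in JavaScript. The function name, the finding labels, the `session` cookie name and both sample responses are assumptions constructed for illustration.

```javascript
// Added example: audit one HTTP response against the baseline in check 2/.
// `headers` uses lowercase names; `set-cookie` is an array of raw header values.
function auditResponse(headers, opts = {}) {
  const sessionCookies = opts.sessionCookies || ['session']; // assumed cookie name
  const probeOrigin = opts.probeOrigin || null; // Origin the auditor sent, if any
  const findings = [];
  const get = (name) => String(headers[name] || '');

  // HTTPS enforcement: HSTS keeps browsers off plain HTTP after the first visit.
  if (!/max-age=[1-9]\d*/i.test(get('strict-transport-security'))) findings.push('hsts-missing');

  // CSP: missing entirely, or a script policy weakened by 'unsafe-inline'.
  const csp = get('content-security-policy');
  const directives = csp.split(';').map((d) => d.trim().toLowerCase());
  const scriptPolicy =
    directives.find((d) => d.startsWith('script-src ')) ||
    directives.find((d) => d.startsWith('default-src ')) || '';
  if (!csp) findings.push('csp-missing');
  else if (!scriptPolicy) findings.push('csp-no-script-policy');
  else if (scriptPolicy.includes("'unsafe-inline'")) findings.push('csp-unsafe-inline');

  if (get('x-content-type-options').toLowerCase() !== 'nosniff') {
    findings.push('nosniff-missing');
  }

  // CORS: a wildcard, or echoing an untrusted Origin while allowing credentials.
  const allowOrigin = get('access-control-allow-origin');
  const allowCreds = get('access-control-allow-credentials').toLowerCase() === 'true';
  if (allowOrigin === '*') findings.push('cors-wildcard');
  if (probeOrigin && allowOrigin === probeOrigin && allowCreds) {
    findings.push('cors-reflects-origin-with-credentials');
  }

  // Cookies: session cookies need HttpOnly, Secure and an explicit SameSite.
  for (const raw of headers['set-cookie'] || []) {
    const [pair, ...attrs] = raw.split(';').map((p) => p.trim());
    const name = pair.split('=')[0];
    if (!sessionCookies.includes(name)) continue;
    const flags = attrs.map((a) => a.toLowerCase());
    if (!flags.includes('httponly')) findings.push(`cookie-${name}-not-httponly`);
    if (!flags.includes('secure')) findings.push(`cookie-${name}-not-secure`);
    if (!flags.some((f) => f.startsWith('samesite='))) findings.push(`cookie-${name}-no-samesite`);
  }
  return findings;
}

// Constructed sample responses (not captured from any real site).
const weakResponse = {
  'access-control-allow-origin': 'https://untrusted.example',
  'access-control-allow-credentials': 'true',
  'content-security-policy': "default-src 'self' 'unsafe-inline'",
  'set-cookie': ['session=abc123; Path=/', 'theme=dark; Path=/'],
};
const hardenedResponse = {
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
  'content-security-policy': "default-src 'self'; script-src 'self'",
  'x-content-type-options': 'nosniff',
  'access-control-allow-origin': 'https://app.example',
  'access-control-allow-credentials': 'true',
  'set-cookie': ['session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax'],
};

console.log(auditResponse(weakResponse, { probeOrigin: 'https://untrusted.example' }));
console.log(auditResponse(hardenedResponse, { probeOrigin: 'https://untrusted.example' }));
```

A single response cannot show everything: the reflected-origin finding only appears when the auditor actually sent `probeOrigin` as the request's Origin header against their own deployment.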
Sattyam Samania@itzsam_ai·
@Hartdrawss first earning feels like wonder to us and when we spend it there's another level of joy
Harshil Tomar@Hartdrawss·
2 years ago, i earned my first income through instagram, 800 rupees

the client had dm'd me saying he wanted a digital portrait of him and his girlfriend for her birthday. we went back and forth maybe five times on feedback and every time he just said "this is good, this is good" until it was done.

that evening I walked to the local shop near my place and ordered chicken momos for ₹80. sat there eating them knowing that money was my own, came from a complete stranger who had chosen me ( the feeling was unmatched)

i think the first rupee you earn yourself does something to your brain that no salary, no funding, no milestone can replicate. it gives you the confidence to trust yourself :)

ps- those momos tasted like heaven ( i can't put it into words )
Harshil Tomar@Hartdrawss·
@0xdevug that first time buying something for family hits different
Ut$@v@0xdevug·
@Hartdrawss I also remembered my first stipend (11,000Rs) I got after my internship a year ago. I bought clothes for my parents and headphones for my sister 😊. That was a special moment for me 😊
Harshil Tomar@Hartdrawss·
20 things that will get your VIBE CODED app HACKED in 24 hours :

Bookmark this RIGHT NOW !

1/ API keys hardcoded in frontend JS
> anyone who opens devtools can read them
> cursor does this constantly
> move all keys to your backend, never the client

2/ no rate limiting on /login
> bots can try 10,000 combos while you sleep
> add rate limiting + lockout after 5 failed attempts
> this is table stakes, not optional

3/ SQL queries built with string concatenation
> "SELECT * FROM users WHERE id=" + userId
> that's SQL injection waiting to happen
> use parameterized queries, always

4/ CORS set to wildcard (*)
> any website can make authenticated requests to your API
> it uses your users' own cookies to do it
> whitelist specific origins only

5/ JWTs stored in localStorage
> one XSS attack steals every token on your site
> localStorage is readable by any script on the page
> use httpOnly cookies instead

6/ JWT secret is "secret" or from a tutorial
> attackers test common secrets first
> yours is probably on a wordlist already
> generate a 256-bit random secret, rotate it

7/ admin routes protected only in the frontend
> the server doesn't care about your React Router guards
> hit the endpoint directly and it opens right up
> protect every route server-side, no exceptions

8/ .env committed to git even once
> it's in the history even if you deleted the file
> git log --all --full-history -- .env finds it instantly
> rotate every key in that file immediately

9/ error responses showing stack traces or DB table names
> you're giving attackers a map of your infrastructure
> log errors server-side, return generic messages client-side
> never expose internals in a response

10/ file uploads with no MIME type validation
> upload a server-side script, get full access
> extension checks alone don't protect you
> validate MIME type server-side, not the filename

11/ passwords hashed with MD5 or SHA1
> rainbow tables crack MD5 in seconds
> no salt = no protection
> use bcrypt or argon2, no exceptions

12/ auth tokens that never expire
> stolen session = permanent access forever
> set an expiry on every token you issue
> implement refresh token rotation

13/ auth middleware missing on internal API routes
> AI adds middleware to obvious routes and skips the rest
> audit every single endpoint manually
> assume nothing is protected until you verify it

14/ server running as root
> one exploit = full system access
> run your app as a non-privileged user
> this costs nothing to fix

15/ database port exposed to the internet
> your postgres on port 5432 should never have a public IP
> put it behind a firewall or private network
> this is a one-click fix in most cloud providers

16/ IDOR vulnerability on resource endpoints
> change the ID in the URL
> can you access another user's data? most vibe coded apps: yes
> validate ownership server-side on every resource request

17/ no HTTPS enforcement
> credentials sent over plain HTTP can be intercepted on any public network
> enforce HTTPS at the server level, not just the frontend
> redirect all HTTP traffic automatically

18/ sessions not invalidated on logout
> the old session token still works after the user clicks logout
> invalidate sessions server-side on every logout event
> client-side cookie clearing is not enough

19/ npm packages not audited since setup
> run npm audit right now
> count the criticals
> schedule this as part of every deploy

20/ open redirects in callback URLs
> used to send users to phishing sites through your trusted domain
> validate and whitelist every redirect destination
> never trust user-supplied redirect URLs
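Added example, not part of the posts or their authors' code: a minimal in-memory session store for Node.js showing token expiry, one-time refresh tokens with reuse detection, and server-side invalidation on logout or password change (items 12/ and 18/ above, and items 5/, 6/, 8/ and 18/ of the auth checklist earlier in the feed). The class name, method names, lifetimes and user id are assumptions; a real deployment would keep the records in a database or cache rather than a `Map`.

```javascript
// Added example: server-side sessions with expiry, rotation and revocation.
const { randomBytes, createHash } = require('node:crypto');

const ACCESS_TTL_MS = 15 * 60 * 1000; // assumed lifetimes, tune per app
const REFRESH_TTL_MS = 14 * 24 * 60 * 60 * 1000;
const sha256 = (token) => createHash('sha256').update(token).digest('hex');

class SessionStore {
  constructor(now = Date.now) {
    this.now = now; // injectable clock so expiry can be exercised
    this.sessions = new Map(); // sessionId -> server-side record
  }

  // After a successful login. Only a hash of the refresh token is kept.
  login(userId) {
    const sessionId = randomBytes(16).toString('hex');
    const refreshToken = randomBytes(32).toString('hex');
    this.sessions.set(sessionId, {
      userId,
      refreshHash: sha256(refreshToken),
      usedHashes: new Set(),
      accessExp: this.now() + ACCESS_TTL_MS,
      refreshExp: this.now() + REFRESH_TTL_MS,
    });
    return { sessionId, refreshToken };
  }

  // Every API request consults the server-side record, so deletion is final.
  authenticate(sessionId) {
    const s = this.sessions.get(sessionId);
    return s && this.now() <= s.accessExp ? s.userId : null;
  }

  // Rotation: a refresh token works once. Seeing a spent token again means a
  // copy leaked, so the whole session is revoked.
  refresh(sessionId, refreshToken) {
    const s = this.sessions.get(sessionId);
    if (!s) return null;
    const hash = sha256(refreshToken);
    if (s.usedHashes.has(hash)) {
      this.sessions.delete(sessionId);
      return null;
    }
    if (hash !== s.refreshHash || this.now() > s.refreshExp) return null;
    s.usedHashes.add(hash);
    const next = randomBytes(32).toString('hex');
    s.refreshHash = sha256(next);
    s.accessExp = this.now() + ACCESS_TTL_MS;
    return { sessionId, refreshToken: next };
  }

  // Logout removes the record; clearing the cookie alone would not.
  logout(sessionId) { return this.sessions.delete(sessionId); }

  // Password change or suspected compromise: force-logout every device.
  revokeAllForUser(userId) {
    let revoked = 0;
    for (const [id, s] of this.sessions) {
      if (s.userId === userId && this.sessions.delete(id)) revoked += 1;
    }
    return revoked;
  }
}

// Constructed walk-through: replaying a spent refresh token kills the session.
const demoStore = new SessionStore();
const demoLogin = demoStore.login('u1'); // made-up user id
demoStore.refresh(demoLogin.sessionId, demoLogin.refreshToken);
demoStore.refresh(demoLogin.sessionId, demoLogin.refreshToken); // replay
console.log(demoStore.authenticate(demoLogin.sessionId)); // null
```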