The free, BYOK AI website builder — a Lovable, Bolt.new, and v0 alternative. Bring your own API key, pay your provider directly.
OpenThorn is a BYOK (bring-your-own-key) AI app builder. Describe what you want in plain language; the AI agent writes the code, previews it live in-browser, and deploys a working website to Cloudflare Pages. The platform is free — you only pay your AI provider's raw per-token rates, with no subscription and no markup.
Most AI builders charge $25–50/month for credits that resell API access at a markup. OpenThorn flips that model: you connect your own key from any of 18 providers and pay them directly. The platform itself is free. If you've hit the credit wall on Lovable, Bolt.new, or v0, OpenThorn is a browser-based BYOK alternative — pair it with a provider free tier (Gemini, Groq, Cerebras) or local Ollama and build for $0.
| OpenThorn | Others | |
|---|---|---|
| Platform cost | Free | $25–50+/month |
| AI billing | Pay your provider directly | Pay the platform in credits |
| Model choice | Any of 18 providers | Platform-selected |
| Code export | Always, no paywall | Often paywalled |
| API key ownership | Yours | Platform-managed |
- 18 AI providers — OpenAI, Anthropic, Google Gemini, DeepSeek, Mistral, Groq, Together AI, xAI, Cohere, Perplexity, OpenRouter, RodiumAi, Ollama, Fireworks AI, Cerebras, Azure OpenAI, Amazon Bedrock, NVIDIA NIM
- In-browser preview — generated code bundled with esbuild-wasm and rendered live; no server round-trip, no build wait
- One-click Cloudflare Pages deploy — from preview to public URL without leaving the app
- Full code export — download the generated source at any point; no proprietary format, no paywall
- Multi-provider fallback — if one provider hits a rate limit, the agent switches automatically and continues mid-run
- Real-time collaboration — multiplayer presence via Supabase Realtime
- Encrypted key storage — provider API keys are encrypted at rest with AES-256-GCM; raw keys never reach the client
- Templates & community — start from curated templates or browse community-published projects
| Layer | Technology |
|---|---|
| Frontend | React 19, TypeScript, Vite 6, CSS Modules, Framer Motion |
| Routing | React Router v7 |
| Auth / Database | Supabase (Postgres + RLS, Realtime, Storage) |
| Serverless API | Vercel Functions |
| In-browser bundler | esbuild-wasm |
| Deployment target | Cloudflare Pages |
| Rate limiting | Upstash Redis (optional) |
- Node.js 20+
- A Supabase project
- A Cloudflare account and API token
- A Vercel project for the API functions
git clone https://github.com/BuildingTechAlternatives/OpenThorn.git
cd OpenThorn
npm installcp .env.example .env| Variable | Required | Description |
|---|---|---|
VITE_SUPABASE_URL |
Yes | Supabase project URL (browser) |
VITE_SUPABASE_ANON_KEY |
Yes | Supabase anon key (browser) |
SUPABASE_URL |
Yes | Supabase project URL (server) |
SUPABASE_ANON_KEY |
Yes | Supabase anon key (server) |
CLOUDFLARE_API_TOKEN |
Yes | Cloudflare API token (Pages:Edit permission) |
CLOUDFLARE_ACCOUNT_ID |
Yes | Cloudflare account ID |
KEY_ENCRYPTION_SECRET |
Yes | 48-byte secret — generate with openssl rand -base64 48 |
UPSTASH_REDIS_REST_URL |
No | Upstash Redis URL for production rate limiting |
UPSTASH_REDIS_REST_TOKEN |
No | Upstash Redis token |
supabase db pushMigrations live in supabase/migrations/ and must be applied in order. All tables use Row Level Security.
npm run dev # http://localhost:5173The dev server includes shims for /api/* so the full stack works locally without deploying to Vercel.
npm run build # type-check + Vite build + SSR prerender
npm run test # Vitest
npm run lint # ESLint
npm run preview # serve the production build locallyapi/
_shared.ts JWT verification, rate limiting, AES-256-GCM encryption
deploy.ts Cloudflare Pages deployment endpoint
provider-keys.ts API key storage endpoint
src/
components/ UI components with co-located CSS Modules
pages/ Route-level page components (all lazy-loaded except landing)
lib/
agent.ts AI agent loop (~2,400 lines) — the core of the product
agent-prompt.ts System prompt, tool definitions, thinking params per provider
agent-plan.ts Persistent plan/requirements checklist
agent-memory.ts Cross-session lessons and changelog entries
preview-bundle.ts In-browser esbuild-wasm bundler
preview-runtime-check.ts Smoke tests against the preview iframe
data/ Static JSON (FAQ, blog metadata, glossary, comparisons)
supabase/
migrations/ Ordered SQL migrations
scripts/ Build-time scripts (prerender, OG images, IndexNow, changelog)
The app deploys on Vercel. vercel.json includes SPA rewrites and a strict Content Security Policy.
- Import the repo in the Vercel dashboard
- Set all required environment variables under Project > Settings > Environment Variables
- Deploy — Vercel runs
npm run buildautomatically
User-generated sites deploy to Cloudflare Pages via the /api/deploy endpoint using a shared platform token; end users do not need a Cloudflare account.
- Encrypted keys — provider API keys encrypted with AES-256-GCM; the raw key is never stored or returned to the client
- Row-level security — every Supabase table is protected by PostgreSQL RLS policies
- JWT verification — every API call validates the Supabase JWT server-side before processing
- Rate limiting — per-user, per-endpoint limits (in-memory in dev; Upstash Redis in production)
- Strict CSP — allowlists only
self, fonts,esm.sh,blob:, andwss:; no inline scripts - No source maps in production builds
MIT License — Copyright (c) 2026 Thomas Tschinkel
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.