Forgelab Developer Fixes Critical Payment Bug, Tightens Security Amid Stalled Revenue
Breaking: Silent Stripe Webhook Bug Could Have Broken Customer Payments
The solo developer behind Forgelab, a Nigeria-based API startup, quietly fixed a critical Stripe webhook bug this week that was silently breaking payment tracking for its two paying subscribers. Despite no new revenue, the fix ensures accurate usage monitoring for existing customers.

“This was exactly the kind of invisible bug that breaks your product for paying customers without anyone raising a hand,” the founder said in a weekly build-in-public update. “The webhook secret in .env was pointing to the wrong key — a test-mode vs live-mode mismatch introduced during setup.”
The bug caused every Stripe webhook to fail signature verification silently, leaving payments processing but downstream usage tracking unreliable. A standard environment variable mismatch during initial configuration was the root cause.
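An added example (not Forgelab's code) of a webhook receiver that makes this failure visible instead of silent: it checks the `Stripe-Signature` header using Stripe's documented v1 scheme, rejects with a logged reason, and keeps counters a health check can alert on. The secrets, payload, thresholds, and function names are constructed for illustration.

```javascript
// Added example, not Forgelab's code. Secrets and payloads are constructed.
const crypto = require('crypto');

const TOLERANCE_SECONDS = 300; // assumed replay window
const ALERT_AFTER = 3;         // assumed threshold for the health check

// v1 scheme: hex HMAC-SHA256 over "<timestamp>.<raw body>" with the endpoint secret.
function sign(secret, timestamp, rawBody) {
  return crypto.createHmac('sha256', secret).update(`${timestamp}.${rawBody}`, 'utf8').digest('hex');
}

// Returns { ok, reason } so a failure cannot be swallowed by an empty catch.
function verifyStripeSignature(rawBody, header, secret, nowSeconds) {
  let t = '';
  const v1 = [];
  for (const item of String(header || '').split(',')) {
    const [key, value] = item.trim().split('=');
    if (key === 't') t = value || '';
    else if (key === 'v1' && value) v1.push(value);
  }
  if (!/^\d+$/.test(t) || v1.length === 0) return { ok: false, reason: 'malformed_header' };
  if (Math.abs(nowSeconds - Number(t)) > TOLERANCE_SECONDS) return { ok: false, reason: 'stale_timestamp' };
  const expected = Buffer.from(sign(secret, t, rawBody), 'hex');
  const match = v1.some((sig) => {
    const got = Buffer.from(sig, 'hex');
    return got.length === expected.length && crypto.timingSafeEqual(got, expected);
  });
  return match ? { ok: true, reason: null } : { ok: false, reason: 'signature_mismatch' };
}

// Receiver that counts outcomes. rawBody must be the exact bytes received, not re-serialized JSON.
function createReceiver(secret) {
  const stats = { verified: 0, signature_mismatch: 0, other_rejects: 0 };
  return {
    stats,
    handle(rawBody, header, nowSeconds) {
      const result = verifyStripeSignature(rawBody, header, secret, nowSeconds);
      if (result.ok) { stats.verified += 1; return { status: 200, event: JSON.parse(rawBody) }; }
      if (result.reason === 'signature_mismatch') stats.signature_mismatch += 1;
      else stats.other_rejects += 1;
      console.error(`stripe webhook rejected: ${result.reason}`);
      return { status: 400, reason: result.reason };
    },
    // Only mismatches and no successes: the configured secret is probably the wrong one.
    secretLooksWrong() {
      return stats.verified === 0 && stats.signature_mismatch >= ALERT_AFTER;
    },
  };
}
```

Returning a non-2xx status also makes the failed deliveries show up on Stripe's side, and a daily health check can call `secretLooksWrong()` to flag a misconfigured secret.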
Security Audit Triggers Firewall Activation
A further audit found that UFW, the Uncomplicated Firewall, had been installed on the server but never enabled. The audit prompted immediate activation, restricting access to ports 22, 80, and 443 only.
“This should have been day-one infrastructure. It was not,” the developer admitted. The move bolsters the security posture of all 11 running services.
Zero Vulnerabilities, New Customer Dashboard Launched
An npm audit across all 11 services returned zero critical or high vulnerabilities — a clean bill of health for the Node.js stack.
Meanwhile, a new customer dashboard went live on port 3010, giving subscribers a place to log in and manage their API keys. The feature had been on the backlog for weeks. All 11 services remain stable with no crashes or memory leaks, and an automated morning health check now runs daily at 7am via cron.
Background: A Solo Builder’s First Six Weeks
Forgelab launched six weeks ago as a solo project by a developer based in Africa, building API tools for developers on a shoestring stack: Node.js 20, Express, SQLite, Stripe, and Nginx. No venture capital, no team, no shortcuts.
The platform now offers 5 APIs: PDF manipulation, image processing, PDF-to-JSON extraction, QR code generation, and invoice generation — with pricing starting at $5 per month for 100 calls and a free tier of 5 calls monthly without a credit card.

What This Means: Reliability Up, Revenue Flat, Marketing Pivot Ahead
The combination of a critical bug fix, firewall hardening, and a clean audit demonstrates a commitment to production-grade reliability, but it hasn't moved the needle on revenue. Monthly recurring revenue (MRR) remains at $20 from two paying customers, unchanged for weeks.
“Revenue is not growing because I have not started marketing properly. Code does not sell itself,” the developer wrote. “This is the classic solo-builder trap: you keep building because building is comfortable, and selling is uncomfortable.”
Next week, the plan is to stop all new API work and focus entirely on outreach — targeting three external signups from real developers, crafting one SEO blog post for a genuine developer search query, and wiring up free browser tools to capture organic traffic.
By the Numbers: Week 6 Snapshot
- MRR: $20 (unchanged)
- Paying customers: 2
- Waitlist signups: 15
- APIs live: 5
- Services running: 11 of 11
- Blog articles: 7
- npm vulnerabilities: 0
- Uptime: 100%
“Building slow. Building honest,” the founder concluded. The full platform is at forgelab.africa.
— This is a breaking news summary of Forgelab's sixth weekly build-in-public update. Follow for ongoing coverage of indie developer infrastructure.