Vibe Coding: How Apps Actually Work

Tier 1 · The shape of it

What vibe coding is

Building software by describing what you want in plain English to an AI, and judging the result by whether it works, not by reading the code.

You steer on outcomes. The AI writes, runs and fixes the actual code underneath. The skill isn't typing code. It's knowing what you want, recognising when it's wrong, and describing the fix clearly.

The work always moves in the same loop:

You describe an outcome ("show younger kids a friendly progress bar, not a scary exam grade").
The AI turns it into code and puts it somewhere it can run.
You test it against reality on a real device.
It's wrong in some way. You describe what's off.
Repeat until it's right, then ship it.

Set your expectations

Things being a bit wrong on the first pass is the normal state, not a sign of failure. Most of vibe coding is that fourth step: spotting what's off and saying so. Get comfortable there and the whole thing stops feeling stressful.

The five parts of any app

Almost every app is the same five pieces. Learn these names and you can follow any conversation about how an app works.

The screen — "frontend"

Everything the user sees and taps, running on their phone or browser. It mostly asks for things and displays what comes back. It holds no real secrets and stores nothing permanently itself.

The workers — "backend / functions"

Small programs on a server that each do one job: fetch a question, mark an answer, take a payment. The screen asks; a worker does the actual work and sends the result back.

The memory — "database"

The permanent filing cabinet: users, scores, who has paid. Anything that must survive the app being closed and reopened lives here. A common one is Supabase.

The brain-for-hire — "the AI"

When an app needs content written or judged on the fly (a fresh question, marking a written answer), a worker calls an AI model and gets text back.

The landlord — "hosting"

A service that runs the whole thing on the public internet so anyone can reach your web address. Vercel is a popular one. "Deploying" is handing it a new version to put live.

The one sentence to remember

An app is a screen that asks, workers that do, a memory that remembers, a brain that writes, and a landlord that hosts it. Everything below is a zoom-in on one of those.

Local vs live

The most useful idea in the whole guide. There are two versions of any app: the local copy on the computer where work happens, and the live version that real users actually hit.

They are different copies, and a change isn't real for users until it's deployed to the live one. You can change a colour, see it look perfect on your screen, and users still see the old version, because your change is sitting on the local copy and hasn't been pushed live yet.

A question that solves half your problems

When something "should work but doesn't," ask first: is the live version actually running the change I think it is? Very often the fix was made but never deployed, so users are still on the old one.

Why apps break in ways that feel mad

Apps rarely break with a clear "here's the problem" message. They tend to misbehave in a handful of classic ways. Knowing the shapes means you can describe what you're seeing, which is most of the battle.

Stale state. The app remembers things (you're logged in, your current screen). When that memory goes out of date, buttons can quietly stop responding even though nothing looks broken. The fix is usually to refresh or log back in.
Caching. Phones and browsers keep old copies of an app to load faster. So a fix goes live, but your device stubbornly shows yesterday's version. Fully closing and reopening clears it.
Silent failure. The nastiest kind: something fails but nothing shouts about it, so you just see "nothing happened." Good building makes apps fail loudly so problems are visible.
Config and secrets. Settings and keys live separately from the code. If one is missing or wrong, the code can be perfect and the app still won't work.

How to be genuinely helpful when reporting a bug

Describe exactly what you saw and did: "I tapped play and nothing happened, no error." That short, precise description points straight at one of the shapes above. Vague ("it's broken") makes it ten times slower to find.

Tier 2 · The builder's tools

Git & GitHub

Git is a time machine with save points. As an app is built, you make commits — labelled snapshots of the whole project at a moment ("added login," "fixed scoring"). Each one is frozen forever, so the project is a long chain of save points going back to the start.

Undo anything. Broke it this afternoon? Roll back to this morning's commit and the bad change vanishes. This is why a good builder experiments fearlessly: there's always a way back.
A full history. Exactly what changed, when, and why.
No "final_v2_REALLY_final" folders. One project, infinite history, no mess.

Branches: parallel universes

A branch is a parallel copy where you can try something risky without touching what works. The live version lives on a branch called main. To attempt a big redesign you make a new branch, go wild there, and only merge it back into main once it's good. Until then, main keeps serving real users untouched.

GitHub: the cloud home

Git runs on a computer; GitHub is the website where projects live in the cloud — the master copy everyone agrees on. You push your commits up to it and pull the latest down.

Why this matters to you

It's the real answer to "what if my laptop dies." Once code is pushed to GitHub, the laptop is just a window onto it. Lose the laptop, get a new one, pull everything back in minutes. Your work isn't tied to any one machine.

The machinery around it

The supporting cast you'll hear named constantly.

The terminal. The text window a developer types commands into instead of clicking. Faster and more powerful for this kind of work; many tools only have a text interface.
SSH. A secure way to log into another computer over the internet and use its terminal as if you were sitting at it. How people work on servers from anywhere.
A server / VPS. A computer in a data centre that's always on and never loses its connection — unlike a laptop. Apps that need to run 24/7 live on one.
Processes & pm2. A "process" is a running program. Apps must run around the clock, but a crashed program stays dead. A babysitter tool like pm2 keeps them alive and restarts them after a reboot.
Ports. A computer has thousands of numbered doors; each running app listens at one. Numbers are how several apps share one machine without colliding.
Domains, DNS, HTTPS. A web address is a friendly name. DNS is the phone book that turns it into the computer's real address. A reverse proxy then routes visitors to the right app and adds the padlock (HTTPS) that encrypts the connection.
Packages & npm. Nobody writes everything from scratch. Packages are bundles of code other people wrote that you bolt in (a login system, a date handler); npm is the warehouse you pull them from. Standing on others' work is normal and sensible.
Deploying. The act of pushing a new version live. Sometimes a single command, sometimes automatic the moment you push to GitHub. Either way it's the bridge from "works on my machine" to "live for everyone."

Tier 3 · The engine room

How a database really works

You know it's the filing cabinet. Here's the actual structure, because it's simpler than it sounds.

A database is a set of tables, and a table is basically a spreadsheet. An app might have a users table (one row per person, with columns for id, email, whether they've paid) and a scores table (one row each time someone answers a question).

The clever part is the link between tables. Every user has a unique id, and every score row carries that id. So "show me this person's progress this week" means: find their id, then pull every score row with that id from the last seven days. You link by id instead of copying someone's name onto hundreds of rows. That linking is why it's called a "relational" database.

SQL is the language you ask it questions in — basically structured sentences like "give me all scores where user = X and date is after Monday."
Indexes are pre-sorted lookups (like the index at the back of a book) that keep those questions instant as the data grows.
Supabase is a rock-solid database (called Postgres) wrapped with a ready-made login system and an auto-built way for apps to talk to it. It's a database with the tedious parts already done.

How logins & security work

Passwords are never actually stored

A sane app never keeps your real password. It stores a hash — your password run through a one-way scrambler that cannot be reversed. When you log in, it scrambles what you typed and compares the two scrambles. A match means you're right, and the real password was never kept anywhere. (A pinch of per-user randomness, called salt, stops two identical passwords producing the same scramble.)

Staying logged in: tokens

Proving your password once is step one. Every later tap also has to prove it's still you, but you don't retype the password each time. On success the server hands your device a token — a signed pass — stored in a cookie, and every later request quietly carries it. If that pass expires or stops matching, the server stops trusting it and you get logged out.

The security principles underneath

Secrets live apart from the code, in "environment variables" held by the running machine — because code gets shared (eg to GitHub), and a secret written into the code is a secret published to the world.
A leaked key is a real emergency. Someone could spend your money or read your data. That's why keys are never pasted around casually.
Hashing vs encryption. Encryption is a locked box you can reopen with a key (used for the HTTPS padlock). Hashing is a one-way shredder you can't reverse (used for passwords). Mixing them up is a classic mistake.
Least trust. The real checks ("is this person actually a paying member?") happen on the server, never just on the screen. A hidden button isn't security; a server refusing the request is.

Tier 4 · How the magic works

Programming languages

Computers only truly understand binary — on and off. A programming language is a human-writable layer that gets translated down to that. There are many because there are many jobs; you wouldn't frame a house with a screwdriver.

A web app is unusual in that it speaks several at once, each handling one layer:

HTML — the skeleton

What's on the page: this is a heading, this is a button. No looks, no behaviour.

CSS — the skin

Colour, spacing, fonts, layout. The brand colours, the rounded buttons, the readable type. Pure looks.

JavaScript — the muscles

Behaviour: what happens when you tap. It's the only language browsers run, so every interactive site uses it — and it also runs server workers, so it covers both ends of an app.

TypeScript — JavaScript with a seatbelt

JavaScript plus "types": you declare that a score is a number and an email is text, and the computer catches the mix-ups before anything ships. Common in serious modern apps.

SQL — the database's language

How a worker asks the filing cabinet for exactly the rows it needs.

Python — the AI & data favourite

Not always in an app's core, but the language of AI and data work, so you'll hear it constantly.

React isn't a language — it's a framework, a big pre-built kit on top of JavaScript that makes building app screens far less painful. A framework is to a language what a kit car is to raw metal: same underlying material, most of the hard structure already made for you.

How AI really works, and tokens

A large language model — the AI you build with, and the AI inside an app writing content — is a giant next-chunk predictor. Trained on an enormous amount of text, it learned the patterns of language and code well enough to continue any prompt sensibly. Predict the next bit, over and over, very fast. That's the whole trick.

Tokens: the unit of everything

The AI doesn't read letters or whole words. It reads tokens — chunks of roughly three-quarters of a word. A short word is one token; a longer or unusual one is two or three. Both what you send in and what comes back are measured in tokens.

Why tokens matter

You pay per token, in and out, so longer prompts and longer answers cost more and take longer. It's why apps that generate a lot of content often use cheaper or free models for the high-volume work, and save the expensive, cleverer models for the genuinely hard tasks.

The context window: short-term memory

The AI can only hold so many tokens in view at once — a lot, but finite. Push past it and the oldest parts drop out of sight. This is why very long conversations sometimes "forget" things said near the start, and why building with AI involves keeping the important context in front of it.

Training vs using

Training is the months-long, hugely expensive process where the model's maker teaches it patterns from data. It happens once. Using the finished model to answer — every reply, every piece of content an app generates — is called inference, and it's cheap and quick by comparison. You never pay to train; you pay small amounts to use. Bigger models are smarter but slower and pricier, so the craft is matching the model to the job.

Two different AIs — keep them separate

The AI you build with: a clever, conversational assistant that writes and fixes your app's code.
The AI inside the app: a model your app calls to generate or mark content for users, live and at scale, usually on a tight budget.
Same underlying technology, very different jobs and costs.

Why it gets things wrong

It predicts plausible text, not verified truth. The same machinery that writes a clean answer can write a confident wrong one — that's called a hallucination. It's exactly why good apps put guardrails around AI output (checking, auto-marking, limits) rather than trusting it blindly. Fluent is not the same as correct.

Your job as the human

In vibe coding the human isn't redundant — the human is the product brain. The valuable work is:

Taste and judgment. Is this good? Is it fun? Would the people you're building for actually use it? An AI can't feel that.
Knowing the user. Your understanding of the people you're serving is the spec. Without it, the AI is guessing.
Testing against reality. Trying the real thing on a real device, on the live version. The AI can check the plumbing; only you can judge the experience.
Calling it when something's off. An AI will sometimes claim something's done when it's half-done. "Are you sure — did you actually check?" is a fair and useful question.

How to get great results

Describe outcomes, not solutions. Give concrete examples ("like Duolingo's streak"). Test the real thing on a real device. When something breaks, say exactly what you saw. And push back when an answer is vague or unproven.

Quick glossary

Frontend: The screen the user taps. Runs on their device.
Backend / function: A server-side worker that does one job and sends back a result.
Database: The permanent memory. Linked spreadsheets you query. Eg Supabase.
API: A defined way for one program to ask another for something.
Git: The time machine: labelled save points (commits) for a whole project.
Branch: A parallel copy to try risky things. main is the live one.
GitHub: The cloud home and master copy of code.
Push / pull: Send commits up to GitHub / grab the latest down.
Deploy: Push a new version live so real users get it.
Local vs live: The work copy vs the version users actually hit.
Terminal: The text window for typing commands instead of clicking.
SSH: Securely logging into another computer's terminal over the internet.
Server / VPS: An always-on computer in a data centre.
pm2: A tool that keeps apps running and restarts them if they crash.
Port: A numbered door on a computer that a program listens at.
DNS: The phone book turning a web name into a computer's address.
Reverse proxy: Routes visitors to the right app and adds the HTTPS padlock.
Package / npm: Borrowed code others wrote / the warehouse you pull it from.
Environment variable: A secret or setting held by the machine, kept out of the code.
Hash: A one-way scramble. How passwords are stored so they can't be un-scrambled.
Token (login): A signed pass your device carries to prove you're still logged in.
Cookie: A small bit of data a site stores on your device, such as that pass.
HTML / CSS / JavaScript: Skeleton / skin / muscles of a web page.
TypeScript: JavaScript with a safety harness that catches mistakes early.
SQL: The language for asking a database questions.
React: A pre-built kit on top of JavaScript for building app screens.
Token (AI): A chunk of text (~3/4 of a word) the AI reads and is billed by.
Context window: The AI's finite short-term memory, measured in tokens.
Inference: Using a trained model to answer. Cheap and quick. What apps do live.
Hallucination: The AI confidently producing plausible but wrong output.