Marketplace on Next.js 16 (App Router) + Postgres (Neon) + Clerk

✓ Verified 2026-06-21 · next 16.2.9 · postgres 3.4.9 · @clerk/nextjs 7.5.7

Type-checked against the real SDKs, migration applied to a live Postgres, pooling tested — then tracked for upstream drift and re-verified when it moves. How we verify →

What you're getting

Next.js 16 App Router — file-based routing, server components, and the Edge proxy (Next 16's renamed middleware).
Postgres on Neon via Drizzle ORM and the postgres-js driver.
Clerk — hosted identity (sign-in UI, sessions, user management) mounted via middleware + provider.
Two-sided marketplace — seller profiles, a listings catalog, buyer orders with price capture, periodic seller payouts, and per-listing reviews.

Setup

bun add next react react-dom drizzle-orm postgres @clerk/nextjs

Environment variables:

DATABASE_URL — Neon pooled (-pooler) connection string
NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY
CLERK_SECRET_KEY
CLERK_WEBHOOK_SECRET — svix secret that verifies Clerk webhook signatures

Apply the schema: bunx drizzle-kit push

Initialization

src/lib/db.ts — Database client

import { drizzle } from "drizzle-orm/postgres-js";
import postgres from "postgres";

// Neon pooled endpoint = PgBouncer transaction mode → prepared statements off.
// ponytail: single module-level client; the serverless runtime + PgBouncer do
// the pooling, so no custom pool/globalThis singleton dance needed.
const client = postgres(process.env.DATABASE_URL!, { prepare: false });

export const db = drizzle({ client });

// ponytail: Clerk is hosted — set NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY and
// CLERK_SECRET_KEY in the env. The publishable key is read client-side by
// <ClerkProvider>; the secret key is read server-side by clerkMiddleware().
// Both are picked up from the environment automatically — no wiring needed.

proxy.ts — Route protection

// Clerk proxy for Next.js 16 (App Router) (Next 16 renamed middleware.ts → proxy.ts; clerkMiddleware is still the helper).
import { clerkMiddleware, createRouteMatcher } from "@clerk/nextjs/server";

// ponytail: guard the SaaS app surface; widen the matcher per app-type.
const isProtectedRoute = createRouteMatcher([
  "/dashboard(.*)",
  "/settings(.*)",
]);

export default clerkMiddleware(async (auth, request) => {
  // auth.protect() bounces logged-out users to Clerk's hosted sign-in.
  if (isProtectedRoute(request)) {
    await auth.protect();
  }
});

export const config = {
  // Clerk's documented matcher: skip Next internals + static files unless
  // referenced in search params, and always run on API/tRPC routes.
  matcher: [
    "/((?!_next|[^?]*\\.(?:html?|css|js(?!on)|jpe?g|webp|png|gif|svg|ttf|woff2?|ico|csv|docx?|xlsx?|zip|webmanifest)).*)",
    "/(api|trpc)(.*)",
  ],
};

app/layout.tsx — Root layout / provider

// Root layout — <ClerkProvider> is required for Next.js 16 (App Router).
import { ClerkProvider } from "@clerk/nextjs";
import type { ReactNode } from "react";

export default function RootLayout({ children }: { children: ReactNode }) {
  return (
    <ClerkProvider>
      <html lang="en">
        <body>{children}</body>
      </html>
    </ClerkProvider>
  );
}

Two-sided marketplace schema: sellers, listings, orders, payouts & reviews

Sellers & payout onboarding — one seller profile per Better Auth user, holding payout-provider account id and an approval status (pending/active/suspended)
Listings catalog & pricing — seller-owned items with integer priceCents and a draft/active/sold/archived lifecycle
Marketplace orders & buyers — buyer-to-listing purchase records with amount captured at creation and a 6-state fulfillment status
Seller payouts & settlement periods — net-amount remittance rows keyed by seller + text period, one per settlement window with a 4-state processing status
Listing reviews & ratings — one review per reviewer per listing (unique constraint), with a CHECK enforcing rating between 1 and 5

import { relations, sql } from "drizzle-orm";
import {
  bigint,
  check,
  index,
  integer,
  pgTable,
  text,
  timestamp,
  unique,
  uuid,
} from "drizzle-orm/pg-core";
// Better Auth owns identity; we only reference its `user` table by id.
import { user } from "./auth-schema";

export type SellerStatus = "pending" | "active" | "suspended";
export type ListingStatus = "draft" | "active" | "sold" | "archived";
export type OrderStatus =
  | "pending"
  | "paid"
  | "shipped"
  | "completed"
  | "refunded"
  | "canceled";
export type PayoutStatus = "scheduled" | "processing" | "paid" | "failed";

/** Supply side: a user who sells. One seller profile per user. */
export const sellers = pgTable(
  "sellers",
  {
    id: uuid("id").primaryKey().defaultRandom(),
    // Better Auth's user.id is text — match it, don't recast.
    userId: text("user_id")
      .notNull()
      .references(() => user.id, { onDelete: "cascade" }),
    displayName: text("display_name").notNull(),
    // ponytail: opaque payout-provider account id (Stripe Connect / PayPal) —
    // no provider FK needed; nullable until onboarding completes.
    payoutAccountId: text("payout_account_id"),
    status: text("status")
      .$type<SellerStatus>()
      .notNull()
      .default("pending"),
    createdAt: timestamp("created_at", { withTimezone: true })
      .notNull()
      .defaultNow(),
  },
  (t) => [
    // One seller profile per identity.
    unique("sellers_user_unique").on(t.userId),
    index("idx_seller_status").on(t.status),
    check(
      "sellers_status_check",
      sql`${t.status} in ('pending','active','suspended')`,
    ),
  ],
);

/** Catalog: each listing belongs to a seller. priceCents keeps money integer. */
export const listings = pgTable(
  "listings",
  {
    id: uuid("id").primaryKey().defaultRandom(),
    sellerId: uuid("seller_id")
      .notNull()
      .references(() => sellers.id, { onDelete: "cascade" }),
    title: text("title").notNull(),
    description: text("description"),
    priceCents: integer("price_cents").notNull().default(0),
    status: text("status")
      .$type<ListingStatus>()
      .notNull()
      .default("draft"),
    createdAt: timestamp("created_at", { withTimezone: true })
      .notNull()
      .defaultNow(),
  },
  (t) => [
    // Browse a seller's catalog; filter the storefront by live listings.
    index("idx_listing_seller").on(t.sellerId),
    index("idx_listing_status").on(t.status),
    check(
      "listings_status_check",
      sql`${t.status} in ('draft','active','sold','archived')`,
    ),
  ],
);

/** Demand side: a buyer (Better Auth user) purchases a listing. */
export const marketplaceOrders = pgTable(
  "marketplace_orders",
  {
    id: uuid("id").primaryKey().defaultRandom(),
    // The buyer is a Better Auth user — text id, like sellers.userId.
    buyerId: text("buyer_id")
      .notNull()
      .references(() => user.id, { onDelete: "cascade" }),
    listingId: uuid("listing_id")
      .notNull()
      .references(() => listings.id),
    // Captured at purchase time — independent of later listing price edits.
    amountCents: integer("amount_cents").notNull(),
    status: text("status")
      .$type<OrderStatus>()
      .notNull()
      .default("pending"),
    createdAt: timestamp("created_at", { withTimezone: true })
      .notNull()
      .defaultNow(),
  },
  (t) => [
    // Buyer's order history; reconcile orders against a listing.
    index("idx_order_buyer").on(t.buyerId),
    index("idx_order_listing").on(t.listingId),
    check(
      "marketplace_orders_status_check",
      sql`${t.status} in ('pending','paid','shipped','completed','refunded','canceled')`,
    ),
  ],
);

/** Money out: a payout settles a seller's earnings for a period. */
export const payouts = pgTable(
  "payouts",
  {
    id: uuid("id").primaryKey().defaultRandom(),
    sellerId: uuid("seller_id")
      .notNull()
      .references(() => sellers.id, { onDelete: "cascade" }),
    // Net amount remitted to the seller (gross minus marketplace fee).
    amountCents: bigint("amount_cents", { mode: "number" }).notNull(),
    status: text("status")
      .$type<PayoutStatus>()
      .notNull()
      .default("scheduled"),
    // Settlement window this payout covers, e.g. "2026-06".
    period: text("period").notNull(),
    createdAt: timestamp("created_at", { withTimezone: true })
      .notNull()
      .defaultNow(),
  },
  (t) => [
    // One payout per seller per settlement window.
    unique("payouts_seller_period_unique").on(t.sellerId, t.period),
    index("idx_payout_seller").on(t.sellerId),
    index("idx_payout_status").on(t.status),
    check(
      "payouts_status_check",
      sql`${t.status} in ('scheduled','processing','paid','failed')`,
    ),
  ],
);

/** Trust signal: a reviewer (Better Auth user) rates a listing 1-5. */
export const reviews = pgTable(
  "reviews",
  {
    id: uuid("id").primaryKey().defaultRandom(),
    listingId: uuid("listing_id")
      .notNull()
      .references(() => listings.id, { onDelete: "cascade" }),
    // Reviewer is a Better Auth user — text id.
    reviewerId: text("reviewer_id")
      .notNull()
      .references(() => user.id, { onDelete: "cascade" }),
    rating: integer("rating").notNull(),
    body: text("body"),
    createdAt: timestamp("created_at", { withTimezone: true })
      .notNull()
      .defaultNow(),
  },
  (t) => [
    // One review per reviewer per listing.
    unique("reviews_listing_reviewer_unique").on(t.listingId, t.reviewerId),
    // Render a listing's reviews + aggregate its rating.
    index("idx_review_listing").on(t.listingId),
    check("reviews_rating_check", sql`${t.rating} between 1 and 5`),
  ],
);

export const sellersRelations = relations(sellers, ({ one, many }) => ({
  user: one(user, { fields: [sellers.userId], references: [user.id] }),
  listings: many(listings),
  payouts: many(payouts),
}));

export const listingsRelations = relations(listings, ({ one, many }) => ({
  seller: one(sellers, {
    fields: [listings.sellerId],
    references: [sellers.id],
  }),
  orders: many(marketplaceOrders),
  reviews: many(reviews),
}));

export const marketplaceOrdersRelations = relations(
  marketplaceOrders,
  ({ one }) => ({
    buyer: one(user, {
      fields: [marketplaceOrders.buyerId],
      references: [user.id],
    }),
    listing: one(listings, {
      fields: [marketplaceOrders.listingId],
      references: [listings.id],
    }),
  }),
);

export const payoutsRelations = relations(payouts, ({ one }) => ({
  seller: one(sellers, {
    fields: [payouts.sellerId],
    references: [sellers.id],
  }),
}));

export const reviewsRelations = relations(reviews, ({ one }) => ({
  listing: one(listings, {
    fields: [reviews.listingId],
    references: [listings.id],
  }),
  reviewer: one(user, {
    fields: [reviews.reviewerId],
    references: [user.id],
  }),
}));

Connection & security

## Next.js 16 ↔ Postgres pooling (Neon pooled endpoint, PgBouncer transaction mode)

Connect through Neon's **pooled** endpoint (`-pooler` host) via `DATABASE_URL`. Serverless
functions are short-lived and concurrent, so PgBouncer in **transaction mode** is what keeps
Postgres' connection ceiling from being blown.

### `prepare: false` is mandatory
Transaction-mode PgBouncer hands each transaction a different backend, so server-side prepared
statements (postgres-js' default) silently break across the pool. Disable them on the client:
`postgres(url, { prepare: false })`. This is also why **Drizzle, not Prisma**, is paired here —
Prisma's prepared-statement reliance is a blocked intersection on this endpoint.

### Connection reuse
- Construct the postgres-js client at **module scope** (`src/lib/db.ts`) so warm function
  instances reuse one socket instead of opening one per request.
- Cap the driver pool small — `max: 1` per instance. The shared pool lives in PgBouncer, not in
  your function; a large per-instance `max` just multiplies idle connections across instances.
- Keep `idle_timeout` ~20s and `connect_timeout` ~10s so frozen instances release backends fast.

### No session-level features
Transaction mode forbids anything that spans transactions on one backend: `LISTEN/NOTIFY`,
session-scoped `SET`, advisory-lock sessions, server-side cursors, and `WITH HOLD`. Need any of
those? Use Neon's **direct** (non-pooled) endpoint for that path only.

### Thresholds
- Drizzle/postgres-js: `prepare: false`, `max: 1`, `idle_timeout: 20`, `connect_timeout: 10`.
- Neon Free pooled budget is ~10k client connections; keep concurrency well under the project's
  `max_connections` (often 100–900 by plan) by leaning on PgBouncer, never on driver pooling.

Verified identity sync (Clerk)

✓ Clerk users sync into a local user table idempotently — duplicate, out-of-order, and concurrent webhooks converge to one correct row, so your foreign keys resolve. Replayed against a live database, not just type-checked.

Local user table

import { pgTable, text, timestamp } from "drizzle-orm/pg-core";

// Local mirror of Clerk identity — the FK target app-type schemas reference as user.
// id = Clerk's user id, so existing user_id foreign keys resolve once the sync runs.
export const user = pgTable("user", {
  id: text("id").primaryKey(), // = Clerk user id
  email: text("email"),
  firstName: text("first_name"),
  lastName: text("last_name"),
  imageUrl: text("image_url"),
  updatedAt: timestamp("updated_at", { withTimezone: true }), // staleness key (Clerk updated_at)
  createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
});

src/lib/identity/record.ts

import { and, eq, isNull, lt, or } from "drizzle-orm";
import { user } from "./schema";

export type ClerkUserEvent = {
  type: string;
  data: {
    id: string;
    email_addresses?: { email_address: string }[];
    first_name?: string | null;
    last_name?: string | null;
    image_url?: string | null;
    updated_at?: number;
  };
};

// Idempotent + concurrency-safe sync of a Clerk user into the local user table.
// Keyed on id (= Clerk id, the PK); the staleness guard lives in the UPDATE WHERE so
// a late/older event cannot clobber newer state. user.deleted removes the row.
export async function recordClerkEvent(
  // ponytail: loosely typed Drizzle client so the emitted core stays portable.
  db: any,
  event: ClerkUserEvent,
): Promise<{ changed: boolean }> {
  const d = event.data;
  if (event.type === "user.deleted") {
    const deleted = await db.delete(user).where(eq(user.id, d.id)).returning({ id: user.id });
    return { changed: deleted.length > 0 };
  }

  const email = d.email_addresses?.[0]?.email_address ?? null;
  const eventAt = new Date(d.updated_at ?? 0);
  const fields = {
    email,
    firstName: d.first_name ?? null,
    lastName: d.last_name ?? null,
    imageUrl: d.image_url ?? null,
    updatedAt: eventAt,
  };

  const updated = await db
    .update(user)
    .set(fields)
    .where(and(eq(user.id, d.id), or(isNull(user.updatedAt), lt(user.updatedAt, eventAt))))
    .returning({ id: user.id });
  if (updated.length > 0) return { changed: true };

  const [existing] = await db.select({ id: user.id }).from(user).where(eq(user.id, d.id)).limit(1);
  if (existing) return { changed: false };

  const inserted = await db
    .insert(user)
    .values({ id: d.id, ...fields })
    .onConflictDoNothing({ target: user.id })
    .returning({ id: user.id });
  return { changed: inserted.length > 0 };
}

app/api/webhooks/clerk/route.ts

// Clerk identity webhook for Next.js 16 (App Router). Clerk webhooks are svix — verify the
// signature, then hand the event to the idempotent recordClerkEvent.
import { Webhook } from "svix";
import { db } from "@/lib/db";
import { recordClerkEvent, type ClerkUserEvent } from "@/lib/identity/record";

const USER_EVENTS = new Set(["user.created", "user.updated", "user.deleted"]);

export async function POST(request: Request): Promise<Response> {
  const secret = process.env.CLERK_WEBHOOK_SECRET;
  if (!secret) return Response.json({ error: "Server misconfigured" }, { status: 500 });

  const raw = await request.text();
  const headers = Object.fromEntries(request.headers.entries());

  let event: ClerkUserEvent;
  try {
    event = new Webhook(secret).verify(raw, headers) as ClerkUserEvent;
  } catch {
    return Response.json({ error: "Invalid signature" }, { status: 403 });
  }

  if (USER_EVENTS.has(event.type)) await recordClerkEvent(db, event);
  return Response.json({ ok: true });
}

Decisions & compatibility

Auth runs in proxy.ts (Next 16's renamed middleware) on the Edge runtime: it gates on the session cookie's presence only — full session validation happens in Server Components and route handlers, not in the proxy.
prepare: false is mandatory — Neon's pooled endpoint is PgBouncer in transaction mode, where server-side prepared statements break across the pool.
Drizzle is paired here (not Prisma): Prisma's prepared-statement reliance is incompatible with transaction-mode pooling.
Hosted: Clerk owns identity and does NOT create a local `user` table. Store `clerk_user_id` as text without a foreign key, or sync Clerk users into a local table via webhook before relying on FKs to `user`.
Order amountCents is captured at purchase time independently of the listing's priceCents — editing a listing price later cannot corrupt historical order records.
Payouts enforce a unique constraint on (sellerId, period), so each seller gets exactly one settlement row per billing window; duplicate payout jobs are rejected at the DB level.
Clerk is a hosted identity provider and does not create a local `user` table. This schema's foreign keys to `user` assume a local identity table (as Better Auth provides). With Clerk, store `clerk_user_id` as a text column without a foreign key, or sync Clerk users into a local `users` table via webhook before relying on these FKs.