Coyotes and Candles: Building a Full-Service Creative Platform for a Two-Person Business

Role: Solo Full-Stack Developer & Co-founder

Timeline: June 2026 (~8 days active development)

Client: Coyotes and Candles (my wife Alli's and my Helsinki-based creative services business)

Status: Live and taking bookings

THE HOOK

Built a production-grade booking, billing, and live-session platform from scratch in 8 days as the sole developer — replacing a patchwork of third-party tools with a single, unified system that handles everything from first visit through payment, live video session, and post-session follow-up. 330 commits. Real money. Real clients from day one.

THE CHALLENGE

My wife Alli and I run Coyotes and Candles together — she delivers live tarot readings and runs TTRPG campaigns as a GM; I handle everything technical. The idea was sound but the infrastructure didn't exist yet.

What the market offered:

  • Calendly for scheduling — no payment, no rooms, no recurring billing

  • Zoom for video — separate login, no VTT, no session tools

  • Patreon or Ko-fi for subscriptions — no booking integration

  • Discord for community — separate platform, no campaign access control

  • Manual invoicing for everything else

What we actually needed:

  • Customers book, pay, and join their session without leaving our site

  • Recurring campaign subscriptions with proper lifecycle handling (skips, cancellations, payment failures, forming campaigns with delayed billing)

  • A full virtual tabletop built into the video room — no download for clients

  • A community space automatically gated to enrolled players

  • A complete admin back-office so Alli and I have full visibility without digging through Stripe and email

WHAT I BUILT

Platform Scale

Metric Count Booking flows 6 (tarot, one-shot, private group, group circle, campaign seat, free join) Payment integrations 2 active (Stripe + PayPal), both with full webhook lifecycle handling Automated email types 20+ (confirmations, reminders, reschedules, failures, recovery, notifications) VTT features Tokens, fog of war, character sheets, music sync, drawing, dice, undo/redo Community features Channels, DMs, reactions, push notifications, moderation, Discord mirroring Character systems D&D 5e (full sheet + SRD compendium) + Shadowrun 4e (full sheet + Chummer import) Languages English (Finnish and EU compliance infrastructure throughout) Git commits 330

For Customers

  • Service browsing with instant booking for one-off sessions and recurring campaigns

  • Real-time availability calendar per GM, with per-GM booking buffers enforced

  • Stripe and PayPal checkout, with embedded Stripe for one-time payments and native PayPal Subscriptions API for recurring billing

  • Gift cards (custom amounts, emailed to recipient, redeemable at checkout)

  • Promo and discount codes with per-code use limits and expiry

  • Forming campaigns — reserve a seat and save payment details now, no charge until the campaign hits its minimum player count and a first session date is confirmed

  • Automatic full refund on cancellation (48h+ before session)

  • Self-service reschedule from the account page

  • Abandoned checkout recovery emails

  • Timezone-aware session times throughout — every time converts to the customer's local timezone

For Session Delivery

  • Built-in video rooms via Agora — no app download, no separate link

  • Full virtual tabletop on canvas: token drag-and-drop, multi-scene management, fog of war, layer controls, measurement tools, AoE templates, freehand drawing broadcast live

  • D&D 5e character sheets with full SRD compendium, spell browser, and condition tracking — tokens sync HP to sheets

  • Shadowrun 4e character sheets with Chummer import, d6 dice pool roller, Edge spending, and initiative tracker

  • GM-controlled music via YouTube (playlists or single tracks, synced to all participants)

  • Per-participant volume controls, noise suppression slider, and in-app mic/speaker switching

  • Two-way DiceCloud sync via the CarmaCloud browser extension

For Community

  • Discord-style channel system built into the site — campaign channels automatically created and access-gated to enrolled players

  • Sub-channels, direct messaging, emoji reactions, typing indicators, DM read receipts

  • Web push notifications including closed-tab delivery

  • Pinned messages, in-channel search, and moderation tools (reports, bans, audit log)

  • Optional Discord webhook mirroring for General/Updates channels

For Admin

  • Full booking and campaign management dashboard

  • Player management: kick, skip sessions, price changes (reductions immediate, increases require player email confirmation), PayPal reauth on campaign start

  • Session notes per campaign (GM private notes, shared recaps, per-player notes)

  • Attendance tracking with per-session chips per player

  • Analytics hub: traffic (cookieless, first-party), revenue, P&L with expense tracking

  • Google Search Console integration for real keyword and click data

  • Production error monitoring with grouped deduplication and email-on-first-occurrence alerting

  • EU candle compliance tracker (GPSR technical files, CLP labels, PCN references) for the handmade goods launch later this year

TECHNICAL ARCHITECTURE

Frontend: Next.js 16 (App Router), deployed to UpCloud VPS via pm2 with zero-downtime deploys using a build-beside-and-symlink-swap strategy — the live server is never deleted mid-build.

Backend: Supabase (PostgreSQL, Auth, Realtime), with Row Level Security hardened across six rounds of security auditing. All privileged operations use the service role server-side; the anon key never touches write paths.

Payments: Stripe for one-time checkout (embedded) and recurring subscriptions. PayPal via the native Subscriptions API — Stripe's PayPal integration doesn't support recurring billing, so this required a separate implementation with lazy plan creation, pending-booking state storage across redirects, and full webhook lifecycle handling.

Video: Agora for live video and voice, with token refresh handling for long sessions and per-participant volume routing.

Security: Nonce-based CSP with unsafe-inline removed from script-src. Atomic DB operations for seat decrements, gift card reservations, and promo code claims. Timing-safe comparisons, path traversal prevention, open redirect patching, and HTML-injection-safe email templating.

Compliance: GDPR erasure and export covering all PII stores. Finnish VAT (25.5%) applied throughout. Full toiminimi legal identity (Y-tunnus: 3572436-7) in footer, Terms, Privacy Policy, and JSON-LD structured data.

One platform replacing Calendly, Zoom, a VTT subscription, a community platform, a subscription billing service, and a manual admin process — built and shipped to production in 8 days, serving real paying clients from day one. Alli runs the sessions. I built everything else.

Finnish sole trader · Caitlyn Carmabella Nayeli · Y-tunnus: 3572436-7 · coyotesandcandles.com

Next

Bluumo: Two-sided wellness marketplace