Home AI Tutorials

Build a Full-Stack Web App from Scratch with Z.ai GLM

Rifin De Josh
Rifin De Josh
0 min read
Table of Contents

I still remember the exact moment I realized I was done wrestling with monolithic codebases and fragmented development environments. I was sitting in my home office in New York, staring at a sprawling repository that would have taken me—on a good week—about 40 hours to refactor, build, and deploy as a full-stack web application. That’s four days of my life I wasn’t getting back.

Then I fed the entire thing to Z.ai GLM.

Build a Full-Stack Web App from Scratch with Z.ai GLM

What came back wasn’t just code. It was a working, deployable full-stack application—with a React frontend, a Node.js backend, a PostgreSQL schema, and authentication flows—all generated in about 90 minutes of active work. The AI didn’t just write snippets. It reasoned about the architecture, made intelligent trade-offs, and even caught a few edge cases I would have missed until production blew up in my face.

I’m not here to sell you on AI replacing developers. I’m here to show you exactly how I did it—the prompts that worked, the manual tweaks that saved the project from mediocrity, and the painful lessons I learned when the model hallucinated a database migration that would have nuked my production data.

Let’s get into the trenches.

TL;DR — Key Takeaways

  • Project Goal: Build a production-ready full-stack web application (task management dashboard with user authentication, real-time updates, and a REST API) from scratch.
  • Tool Used: Z.ai GLM-5.2 via the chat interface at chat.z.ai. I chose it because of the 1 million-token context window—enough to hold my entire project specification, API contracts, and multi-file architecture in a single session without losing the thread.
  • Time Spent: ~90 minutes of active prompting and tweaking, plus another 45 minutes of manual polish. Total: ~2.25 hours.
  • Cost: $0 for this project. I used the free tier with the $5 monthly credits that refresh every 30 days. The total token usage for the entire session was well under the free allowance.

The moment I stopped writing boilerplate and started directing traffic

Here’s the thing about building full-stack apps the old way: you spend 70% of your time on stuff that doesn’t matter. Setting up Express. Wiring up CORS. Writing the same CRUD endpoints you’ve written a hundred times. Configuring Passport.js for the hundred-and-first time. It’s not hard—it’s just tedious.

With GLM-5.2, I flipped that ratio. I spent 70% of my time thinking about architecture, user experience, and edge cases—and 30% of my time reviewing, tweaking, and integrating the code the AI generated. That’s the productivity shift that actually matters.

Step 1: The prep work that made or broke the entire session

Before I typed a single prompt, I did something most people skip: I wrote a project brief. Not a novel—just a clear, structured document that told the AI exactly what I wanted. This is the secret sauce. Garbage in, garbage out. But a well-structured brief? That’s the difference between getting a half-baked prototype and a production-ready application.

Here’s the exact prompt formula I used:

I need you to act as a senior full-stack developer. Build a complete web application with the following specifications:

PROJECT: TaskFlow - A team task management dashboard

TECH STACK:
- Frontend: React 18 with TypeScript, Tailwind CSS for styling, React Router for navigation
- Backend: Node.js with Express, Prisma ORM
- Database: PostgreSQL (provide the schema)
- Authentication: JWT-based auth with refresh tokens

CORE FEATURES:
1. User registration and login (email/password)
2. Dashboard showing all tasks assigned to the user
3. Create, edit, delete tasks (CRUD)
4. Task status: To Do, In Progress, Review, Done
5. Real-time updates via WebSocket (use Socket.io)
6. Comments on tasks
7. User profile page

API REQUIREMENTS:
- RESTful API with proper status codes
- All endpoints must be authenticated except /auth/login and /auth/register
- Input validation on all endpoints
- Error handling with meaningful messages

DATABASE SCHEMA:
- Users: id, email, password_hash, name, created_at, updated_at
- Tasks: id, title, description, status, priority, assigned_to, created_by, due_date, created_at, updated_at
- Comments: id, content, task_id, user_id, created_at

FRONTEND REQUIREMENTS:
- Responsive design (mobile-first)
- Dark mode toggle
- Loading states for all async operations
- Toast notifications for success/error messages
- Proper TypeScript types for all props and state

OUTPUT FORMAT:
Generate the complete file structure with all code. For each file, show the full path and the complete code. Do not use placeholders like "// rest of code here" — I need the full implementation.

Why this prompt worked:

  • Specific technology choices prevented the AI from guessing or using outdated libraries.
  • Explicit output format eliminated the "here's a skeleton, fill in the rest" problem.
  • Full schema definition gave the AI the data model upfront, so it didn't have to invent one.
  • No placeholders forced the AI to generate complete, runnable code.

Step 2: The generation phase—what actually came out

I pasted that prompt into the chat, hit enter, and watched GLM-5.2 go to work. The model has a maximum output of 128,000 tokens, which is more than enough for a full-stack application. The response came back in about 45 seconds—and it was massive.

Here’s what the AI generated:

  • Complete file structure with 27 files across frontend/, backend/, and prisma/ directories
  • Full React components with TypeScript interfaces, custom hooks for authentication and API calls, and a clean component hierarchy
  • Complete Express server with route handlers, middleware for authentication, validation schemas using Zod, and WebSocket setup
  • Prisma schema with the exact tables I specified, plus relations and indexes
  • Dockerfile and docker-compose.yml for containerized development
  • Environment variable template (.env.example) with all required configs
  • README.md with setup instructions

The code was impressively clean. The AI followed consistent naming conventions, used proper error handling, and even included comments explaining complex logic. The React components were functional with hooks—no class components in sight.

But here’s where things got interesting—and where I had to intervene.

The AI made a few decisions that were technically correct but practically questionable:

  • It used localStorage for token storage instead of HTTP-only cookies. This is a common pattern, but it’s less secure. I wanted cookies.
  • The WebSocket implementation was over-engineered—it set up a full pub/sub system when I just needed simple room-based notifications.
  • The password hashing used bcrypt with 10 rounds—fine for development, but I prefer 12 rounds for production.
  • It generated a migrations folder with the initial schema, but the migration file had a DROP TABLE statement that would have wiped existing data if I ran it on a live database. This was a red flag.

The tweaking formula I used:

When the initial output isn't quite right, don't start over. Instead, use incremental refinement:

The code looks great overall. Let me give you some corrections:

1. For authentication, replace localStorage with HTTP-only cookies. Update the login and logout flows accordingly.
2. Simplify the WebSocket setup—remove the pub/sub, just use rooms for task updates.
3. Change bcrypt rounds from 10 to 12.
4. Remove the DROP TABLE statement from the migration file—I need a safe migration that only creates tables if they don't exist.

Generate the updated versions of these specific files only:
- backend/src/middleware/auth.ts
- backend/src/socket/index.ts
- backend/src/utils/hash.ts
- prisma/migrations/20260101000000_init/migration.sql

This approach saved me from regenerating the entire project. The AI understood the context (thanks to that 1M token window) and made surgical changes to the specific files I mentioned.

Step 3: The human polish—where I earned my keep

Let me be brutally honest: the AI generated about 85% of the code perfectly. The remaining 15% required my hands-on attention. Here’s exactly what I had to fix manually:

  1. The environment variables were mismatched. The AI used DATABASE_URL in the Prisma schema but DB_URL in the server config. I spent 10 minutes aligning these across all files.
  2. The CORS configuration was too permissive. The AI set origin: '*' for development. I replaced it with a whitelist of allowed origins and added proper environment-based configuration.
  3. The error handling was inconsistent. Some endpoints returned { error: message }, others returned { message }. I standardized the error response format across all routes.
  4. The frontend state management was naive. The AI used React Context for auth state but didn't handle token refresh properly. I had to implement a token refresh interceptor for the API client.
  5. The TypeScript types had a few any escape hatches. I replaced them with proper union types and generics.
  6. The test data seeding script was missing. I wrote a quick seed script to populate the database with sample users and tasks for development.

⚠️ STRONG WARNING: Never deploy AI-generated code to production without a thorough review. The code looks correct—and often is correct—but subtle issues like the DROP TABLE migration or the permissive CORS settings can cause catastrophic failures. Always run the test suite, review security-critical code paths, and test the deployment process in a staging environment first.

Step 4: Exporting the final application

Z.ai doesn't have a "download project" button—it's a chat interface, not an IDE. Here's how I extracted everything efficiently:

  • Copy-paste file by file. I created the project directory locally, then for each file the AI generated, I copied the code and pasted it into the corresponding file. This took about 20 minutes for 27 files.
  • Used the "Continue" feature. For long responses that got cut off (rare, given the 128K output limit), I typed "continue" and the AI picked up exactly where it left off.
  • Installed dependencies and ran the project. I ran npm install in both the frontend and backend directories, set up the .env file, and started the servers. The application booted on the first try—no syntax errors, no missing imports.
  • Ran the migrations. I used npx prisma migrate dev to apply the schema. The migration ran successfully (after I fixed the DROP TABLE issue).
  • Tested the full flow. I registered a user, logged in, created tasks, updated statuses, added comments, and verified the WebSocket updates worked across multiple browser tabs. Everything functioned as expected.

Pro tip for beginners: If you're not comfortable with the command line, you can use a tool like Windsurf or Cursor that integrates AI directly into the IDE. GLM-5.2 is compatible with tools like Claude Code and Cline, so you can use it directly within your development environment.

The Prompt Engineering Matrix: what works for different styles

Here's a table I wish I had before I started. These are real prompts I tested, with their actual results:

Object Style/Goal My Exact Prompt Result Quality
Production-Ready Enterprise "Build a full-stack task management app with React, Node.js, PostgreSQL. Use JWT auth with refresh tokens, HTTP-only cookies. Implement role-based access control (Admin, Manager, User). Include comprehensive error handling, logging with Winston, and unit tests with Jest. Generate complete code for all files." Excellent. The AI generated a robust, well-structured application with proper separation of concerns. The test files were actually useful, not just placeholders.
Rapid Prototype (MVP) "I need a quick MVP for a task management app. Use React with Vite for the frontend, Express with lowdb for the backend (no PostgreSQL setup needed). Just simple CRUD, no auth for now. Keep it minimal but functional." Good. The code was simpler and faster to set up, but the lack of auth and a real database meant I had to rebuild significant portions later. Perfect for demos, not for production.
Experimental/Futuristic "Build a task management app using React Server Components, Next.js 15, Drizzle ORM, and Tailwind. Use Server Actions for mutations and Zod for validation. No REST API—everything through Server Actions." Mixed. The AI understood the tech stack but generated some patterns that weren't quite idiomatic for Next.js 15. The Server Actions worked, but the caching strategy was wrong. Required more manual fixes.

Subscription tier comparison: does paying more get you better code?

I tested the same prompt across different access tiers to see if the output quality changed. Here's what I found:

Tier Generation Speed Output Results Generation Limit Manual Revisions Needed
Free Tier ($5 credits/month) ~45 seconds for full response Same quality as paid tiers Limited to ~5 full project generations per month (token-based) ~15% of code needed manual fixes
Lite ($18/month) ~42 seconds Identical to free tier Unlimited within token allowance ~15% (same as free)
Pro ($18+/month) ~40 seconds Identical to free tier Priority access during peak times ~15% (no difference)

The honest takeaway: For generating code, the subscription tier doesn't affect output quality. The model is the same—you're just paying for higher rate limits, priority access, and additional features like the GLM Coding Plan integration with Claude Code. The free tier with $5 monthly credits is more than enough for occasional full-stack projects. If you're building daily, the $18/month Lite plan makes sense for the unlimited usage.

Project cost comparison: AI vs. hiring a human

Let's run the numbers. I'm based in New York, and the going rate for a freelance full-stack developer is around $80–$150/hour. A project of this scope—a full-stack task management app with auth, real-time updates, and a polished UI—would typically take a freelancer 3-5 days (24-40 hours).

  • Freelancer cost: 30 hours × $100/hour = $3,000 (minimum)
  • AI cost (my actual spend): $0 (used free credits) . If I were paying, the token cost would be roughly:
    • Input: ~15,000 tokens (the prompt + follow-ups) × $1.40/1M tokens = ~$0.02
    • Output: ~85,000 tokens (the generated code) × $4.40/1M tokens = ~$0.37
    • Total: ~$0.40

$0.40 vs. $3,000.

Is the AI better? No. The AI-generated code is roughly 85% of the quality of a senior developer's work. A human freelancer would produce more nuanced solutions, handle edge cases better, and write code that's easier to maintain long-term.

But here's the thing: I'm not choosing between AI and a human. I'm using the AI to handle the 85% grunt work, then I—the human—polish the remaining 15%. The result is a production-ready application in 2.25 hours instead of 30 hours, at a fraction of the cost. That's not a replacement. That's a superpower.

The Usability Verdict: how well does GLM-5.2 actually build full-stack apps?

Let me be specific: I'm rating GLM-5.2 specifically for generating full-stack web applications from a detailed specification. Not for writing poetry, not for summarizing documents, not for customer support. Just this one specific task.

Free Tier Rating: 8.5/10

Pros:

  • The 1M token context window is a game-changer. The AI remembered my entire project structure, all my requirements, and every previous correction across a 90-minute session.
  • Code quality is genuinely impressive—clean, well-structured, with proper error handling and modern patterns.
  • The model understands the full development workflow, from schema design to deployment.
  • Response speed is fast (~45 seconds for massive outputs).

Cons:

  • The free tier's $5 monthly credit is generous but limited. A single large project like this consumed about $0.40 in tokens—so you could build about 12 full projects per month for free. That's plenty for most developers.
  • The occasional hallucination (like the DROP TABLE migration) requires vigilance.
  • No direct IDE integration on the free tier—you'll be copy-pasting.

Paid Tier (Lite/Pro) Rating: 8.5/10

Same model, same quality. The only difference is higher rate limits and priority access. If you're a heavy user, the $18/month plan is worth it for the peace of mind.

Overall Verdict:

GLM-5.2 is one of the best AI coding assistants I've used for full-stack development, especially given the price-to-performance ratio. The MIT open-source license is a nice bonus for developers who want to self-host or modify the model.

Intercepting field obstacles: answers to the questions you're actually asking

The code the AI gave me doesn't run. What do I do?

First, check the obvious: did you install all dependencies? Did you set up the .env file correctly? 80% of "broken" code is environment issues, not AI mistakes. If the problem is in the code itself, paste the error message back into the chat and ask the AI to fix it. The 1M token context means it remembers the original code and can make precise corrections.

How do I get the AI to generate code for my specific tech stack?

Be explicit in your prompt. Don't say "build a web app"—say "build a web app using React 18 with Vite, Tailwind CSS, Express with Prisma, and PostgreSQL." The more specific you are, the less the AI has to guess.

I'm a beginner. Can I still use this?

Yes, but with a caveat: you need to understand the code well enough to review it. The AI will generate functional code, but you'll need to know how to run it, debug it, and deploy it. If you're completely new to web development, start with smaller projects first to build your confidence.

Will this replace my job as a developer?

No. It will replace the boring parts of your job. The AI handles boilerplate, repetitive CRUD operations, and standard patterns. You still need to think about architecture, security, user experience, and business logic. The developers who thrive will be the ones who learn to direct AI effectively.

Can I use GLM-5.2 for commercial projects?

Yes—the model is released under the MIT license, which permits commercial use. The code it generates is your code. Just make sure you review it thoroughly before shipping.

Your turn: let's build something together

I've shown you my exact workflow, the prompts that worked, the mistakes I made, and the manual fixes that turned an 85% solution into a 100% production application. Now it's your turn.

Here's what I want to know: What's the one full-stack application you've been putting off because it felt like too much work? Drop it in the comments below. Tell me the tech stack, the core features, and the biggest roadblock you're facing. I'll help you break it down into a prompt that GLM can execute.

Or better yet—take the prompt I used, adapt it to your project, and run it through Z.ai yourself. Come back and tell me what worked, what broke, and what you had to fix manually. That's how we all get better at this.

The days of spending 40 hours on boilerplate are over. The days of thinking deeply about architecture, user experience, and business value? Those are just beginning.

Let's build.

Post a Comment