WHY QUICKBACK
Stop Building Backends.
Start Shipping Products.
You have a frontend. You have an idea. Quickback compiles your schema and security rules into a production-ready backend - so you can focus on the thing your users actually pay for.
Backend Security Is Hard. You Shouldn't Have to Be an Expert.
You know the drill: RLS policies that silently fail, role checks scattered across 40 files, a PATCH endpoint that lets anyone set isAdmin: true.
What you're doing now
- ✕ Writing RLS policies by hand and hoping they cover every case
- ✕
Sprinkling
if (user.role === 'admin')across your codebase - ✕ Forgetting the WHERE clause that leaks Org B's data to Org A
- ✕ Building auth UI from scratch - login, signup, org management, passkeys
- ✕ Asking ChatGPT to write your security layer (and hoping it's right)
What Quickback gives you
- ✓ One TypeScript file per resource: schema + security in one place
- ✓ Four security layers compiled into every endpoint automatically
- ✓ Tenant isolation enforced at the database level - impossible to forget
- ✓ Production-ready auth UI with passkeys, magic links, org management
- ✓ AI skill that generates security-correct definitions with full context
THE COMPILER
Define Once. Compile to Any Backend.
Write your schema and security rules in TypeScript. The compiler generates production-ready output for Supabase, Cloudflare, or Neon.
Supabase
Compiled RLS policies only. Keep your existing Supabase stack -add compiled security.
RLS Policies · No API generated
Cloudflare D1
Full Hono API + SQLite at the edge. Auth, storage, queues, realtime included.
Full API · Edge Runtime
Neon
Full Hono API + RLS via Neon Authorize + Better Auth. Serverless Postgres.
Full API · Serverless Postgres
export default defineTable(todos, {
firewall: { organization: {} },
guards: {
createable: ["title", "content"],
updatable: ["title", "content"],
protected: { status: ["complete"] },
},
crud: {
list: { access: { roles: ["member", "admin"] } },
create: { access: { roles: ["member", "admin"] } },
update: { access: { roles: ["member", "admin"] } },
delete: { access: { roles: ["admin"] } },
},
views: {
summary: {
fields: ["id", "title", "status"],
access: { roles: ["member"] },
},
full: {
fields: ["id", "title", "content", "status"],
access: { roles: ["admin"] },
},
},
});-- Generated by Quickback Compiler
-- Firewall: org isolation
CREATE POLICY "todos_org_isolation" ON "todos"
FOR ALL USING (
organization_id = auth.jwt() ->> 'org_id'
);
-- Access: list + select
CREATE POLICY "todos_select" ON "todos"
FOR SELECT USING (
auth.jwt() ->> 'role' IN ('member', 'admin')
);
-- Access + Guards: insert (title, content only)
CREATE POLICY "todos_insert" ON "todos"
FOR INSERT WITH CHECK (
auth.jwt() ->> 'role' IN ('member', 'admin')
);
-- Guards: restrict writable columns
CREATE FUNCTION todos_guard_columns()
RETURNS TRIGGER AS $$
BEGIN
IF TG_OP = 'INSERT' THEN
NEW.status := NULL;
ELSIF TG_OP = 'UPDATE' THEN
NEW.status := OLD.status;
END IF;
RETURN NEW;
END; $$ LANGUAGE plpgsql;
-- Access: delete (admin only)
CREATE POLICY "todos_delete" ON "todos"
FOR DELETE USING (
auth.jwt() ->> 'role' = 'admin'
);BUILT-IN SECURITY
Four Layers. Zero Gaps.
Every endpoint is protected by four declarative security layers. Define them once, and they compile directly into your code.
Firewall
Tenant isolation at the database level. Every query is scoped to the user's organization or user ID. Impossible to forget.
Prevents:
- • Cross-tenant data leakage
- • Forgotten WHERE clauses
Access
Role-based permissions, deny by default. If you don't grant access, it doesn't exist. Compiled into middleware, not checked at runtime.
Prevents:
- • Unauthorized CRUD operations
- • Privilege escalation
Guards
Field-level protection. Control which fields can be set on create vs update. Protected fields require explicit typed actions.
Prevents:
- • Mass assignment attacks
- • PATCH soup
Masking
PII redaction built in. Define sensitive fields. Quickback masks them in API responses based on role. Sensitive data never leaks.
Prevents:
- • SSN exposure
- • Email harvesting
Typed Actions, Not PATCH Soup
When CRUD isn't enough, Actions give you typed business operations with access controls, preconditions, and audit trails. Never overwritten on recompile.
actions: {
approve: {
description: 'Approve invoice for payment',
input: z.object({
notes: z.string().optional()
}),
access: {
roles: ['finance', 'admin'],
record: { status: { equals: 'pending' } }
},
execute: async ({ db, ctx, record, input }) => {
// Your business logic
return {
status: 'approved',
approvedBy: ctx.user.id
};
}
}
}- Typed inputs
Zod validation on every action
- Role + record conditions
Check both who's calling and what state the record is in
- Never overwritten
Recompile your API without losing custom logic
- Automatic audit trail
Every action logged with who, what, when
- AI-ready
Actions become safe tool definitions for LLMs
Error Messages That Make Sense
When something fails, Quickback tells you exactly why. Debuggable by humans AND AI agents.
✕ Typical API error
Good luck debugging that.
✓ Quickback error
AI agents can read this and adjust. Developers can debug without guessing.
Auth UI You Don't Have to Build
A production-ready React SPA for login, signup, org management, and admin. Deploy to Cloudflare Workers on your subdomain.
Passkeys
WebAuthn-based passwordless authentication. Modern, secure, frictionless.
Magic Link + OTP Combo
Custom pluginClick the link or type the code. Either way, you're in.
Org Management
Teams, invitations, role assignments. Multi-tenancy from day one.
Admin Panel
User management, API keys, session control. Everything an admin needs.
Anonymous Users
Let users try before they sign up. Seamless upgrade to full account.
One Command Deploy
Deploy to Cloudflare Workers with npx wrangler deploy. Your subdomain, your control.
Three Steps to Production
Define your data + rules
Use Drizzle ORM for your schema. Add security rules, access policies, and typed actions - all in TypeScript.
Choose your target
Supabase for compiled RLS. Cloudflare for a full edge stack. Neon for serverless Postgres. Or both.
Compile and ship
Run npx @kardoe/quickback compile and deploy. Complete backend in minutes.
AI-ASSISTED DEVELOPMENT
Describe It. Get a Compiled Backend.
The Claude Code skill understands Quickback's security model. Describe your feature in plain English and get a complete, security-correct definition.
I'll create the invoices feature with:
- • Firewall - org-scoped isolation
- • Guards - createable fields locked, status protected
- • Access - member (list, create), finance (list, create, update), admin (all)
- • Masking - amount masked for member role
- • Action -
approve()with record condition on status
Writing to quickback/features/invoices/invoices.ts...
Install globally
npm install -g @kardoe/quickback-skill Or via CLI
quickback claude install Real Code. Really Yours.
Quickback is a compiler, not a platform. The output is standard TypeScript - Hono, Drizzle, Better Auth - on infrastructure you control.
FOR STARTUPS
Multi-Tenancy First. SOC 2 Ready.
Quickback starts with multi-tenancy, not bolts it on later. Every resource is scoped, every action is audited, and your security rules are version-controlled code - exactly what auditors want to see.
Multi-Tenant by Default
Org isolation isn't optional - it's the first thing you define. Every query, every endpoint, every action is scoped to the right tenant. No accidental data leaks, even under pressure to ship.
Backend-as-Code for Auditors
Your security rules live in TypeScript, in Git, with full history. Auditors can review your access control, field guards, and masking rules in a single PR. No runtime configs to inspect - everything is compiled and versioned.
Automatic Audit Trails
Every table gets createdAt, createdBy, modifiedAt, modifiedBy, deletedAt, and deletedBy - automatically. Every action is logged. When your SOC 2 auditor asks "who changed what and when," you have the answer.