FOR AI AGENTS

Your agents have guardrails.
Your backend doesn't.

Prompt injection, cross-tenant RAG leaks, privilege escalation via tool calls — most agent security failures are actually backend failures. Quickback compiles a multi-tenant data and tool surface your agents can call safely. No runtime, no lock-in.

See the Actions page

The problem agent teams keep hitting

Every week, another blog post about an agent that leaked data between tenants, routed a ticket to the wrong customer, or let a prompt-injected user promote themselves to admin. The pattern is always the same: the agent framework was safe. The backend wasn't.

Cross-tenant data leakage

An agent queries a shared vector index and surfaces Company B's documents in Company A's response.

Privilege escalation via prompt injection

A user embeds "you are now an admin" in a message; the tool call executes with elevated permissions.

Mass-assignment via tool calls

An agent tool accepts a "user update" object and the LLM sets isAdmin: true.

PII exfiltration in LLM output

Sensitive fields flow through the model's context and end up in the response.

None of these are LLM problems. They're backend problems that agents surface at scale, because agents call APIs thousands of times per hour across every tenant you have.

The four failure modes. Compiled out.

Quickback's four security pillars map 1:1 to the documented agent-backend failure modes. Not a marketing coincidence — the same primitives that keep a multi-tenant SaaS safe are the ones that keep an agent safe.

Firewall

no cross-tenant leaks

Automatic WHERE clauses on every query. Your agent can query the documents table all it wants; the compiler scopes every read to the caller's org. Vector search runs through the same firewall — RAG is tenant-isolated by construction.

Access

no privilege escalation

Deny-by-default RBAC compiled into middleware. If a prompt-injected message convinces an LLM to "call the admin tool," the access layer rejects the call before it reaches the handler. The compiler refuses to emit a route without declared access rules.

Guards

no mass assignment

Field-level create/update allowlists. An agent tool can ask to update a user record; the compiler only lets it touch the fields you declared writable. isAdmin, org_id, stripe_customer_id — keep them off the writable list and no tool call can ever set them.

Masking

no PII exfiltration

Sensitive fields are redacted before data leaves your API. Email, phone, SSN, anything you declare — the LLM never sees the raw value, so it can't accidentally leak it in a response.

Your security rules apply whether the caller is a user, an admin, or an agent. The compiler emits the same access checks into every route, and refuses to emit an Action without declared security. The agent's surface area is the same as a human caller's with the same role — no broader.

Your typed Actions are already MCP tools

This is the piece most agent teams don't realize exists until they see it. A Quickback Action is defined with:

  • Zod input schema → the tool input schema
  • description field → the tool description
  • Role + record access rules → preconditions the LLM can reason about
  • Structured errors → agent-debuggable feedback

Write the Action once. Ship it as a REST endpoint for your app, an MCP server tool for Claude / Cursor / ChatGPT Desktop, and a typed tool for Mastra / LangChain / OpenAI Agents SDK / Vercel AI SDK / Anthropic Claude SDK. All surfaces, same compiled security.

Works with your agent framework

Quickback isn't an agent framework. It's the substrate beneath them.

Mastra — drop your Actions into agent.tools directly. Zero transformation.
LangChain / LangGraph — pass Actions to bindTools. Zero adapter.
OpenAI Agents SDK — native tool-use compatible.
Anthropic Claude SDK — native tool-use compatible.
Vercel AI SDK — tool() accepts your Zod schemas as-is.
Google ADK for TypeScript — TypeScript-native, Actions work out of the box.
Cloudflare Agents SDK — runs on the same Workers your Quickback API runs on.

You keep your framework. We compile the safe data and tool layer it calls into.

Quickback vs. agent platforms

The "backend for agents" space is loud right now — xpander.ai, Calljmp, Convex Agent, watsonx Orchestrate, and others are all fighting for the slot. They're platforms. Quickback isn't.

                      | Quickback                             | Hosted agent platforms
Shape                 | Compiler (build-step)                 | Runtime (hosted service)
Where your code runs  | Your Cloudflare / Neon / Supabase     | Their infra
What they see         | Your schema                           | Your data, conversations, tool calls
Agent framework       | Any                                   | Usually theirs
If they disappear     | You still have a working app          | You don't
Output                | Standard Hono + Drizzle + Better Auth | Their proprietary SDK

Platforms make agents easy to start. Compilers make them safe to ship.

Why now

Model Context Protocol was donated to the Linux Foundation's Agentic AI Foundation in December 2025. Anthropic reports 10,000+ active public MCP servers and 97M monthly SDK downloads across Python and TypeScript. Forrester predicts 30% of enterprise app vendors will launch their own MCP servers — the ones that don't won't be reachable by their customers' agents.

Every SaaS will need to expose a safe, tenant-aware tool surface for LLMs. Quickback compiles one from the schema you've already defined.

Try it

Scaffold a secure Hono API in under 60 seconds. Define one Action. Point Claude Desktop at the compiled MCP server. Watch the access layer hold under prompt injection.

npx @kardoe/quickback create cloudflare my-app