# Quickback

> Build your app. We compile the backend.

Quickback is a backend compiler that transforms declarative TypeScript definitions into secure, production-ready APIs. You define your database schema and security rules in a single file using Drizzle ORM — Quickback compiles them into a deployable backend with authentication, role-based permissions, tenant isolation, and field-level security.

The output is standard TypeScript (Hono, Drizzle, Better Auth) running on your own infrastructure. Not a managed platform — real code you own and control.

## How It Works

1. **Define** — Schema + security rules in TypeScript using `defineTable()`
2. **Compile** — Quickback generates API routes, middleware, migrations, and RLS policies
3. **Deploy** — Standard tooling to Cloudflare Workers, Supabase, or Neon

## Four Security Layers

Every API request passes through four layers in order:
- **Firewall** — Tenant isolation via automatic WHERE clauses
- **Access** — Role-based CRUD permissions (deny by default)
- **Guards** — Field modification rules (protected/immutable fields)
- **Masking** — PII redaction for unauthorized viewers

## Documentation

### Getting Started

- [Quick Start](https://docs.quickback.dev/definitions/quick-start): Define database tables with security configuration and compile them into a production-ready API in minutes.
- [How It All Fits Together](https://docs.quickback.dev/definitions/concepts): The mental model for Quickback: every request passes through four security layers in order — Firewall, Access, Guards, Masking.
- [Complete Example](https://docs.quickback.dev/definitions/examples): See what you define and what Quickback generates — from a single TypeScript file to a full API with security.
- [CLI Reference](https://docs.quickback.dev/compiler/cli): Create, compile, and manage backend projects. One command to scaffold, one to compile.

### Defining Your Backend

- [Database Schema](https://docs.quickback.dev/definitions/database-schema): Define tables using Drizzle ORM with defineTable(). Schema and security config live in a single TypeScript file.
- [CRUD Endpoints](https://docs.quickback.dev/definitions/crud-endpoints): Auto-generated RESTful endpoints for list, get, create, update, delete, and upsert with filtering, pagination, and batch operations.
- [Views](https://docs.quickback.dev/definitions/views): Column-level security that controls which fields are visible based on the requesting user's role.
- [Actions](https://docs.quickback.dev/definitions/actions): Custom API endpoints for business logic beyond CRUD — workflows, integrations, and complex operations with type-safe handlers.

### Security Pillars

- [Firewall — Data Isolation](https://docs.quickback.dev/definitions/firewall): Automatic WHERE clauses that scope every query by user, organization, or team. Prevents cross-tenant data access at the database level.
- [Access — Role & Condition-Based Control](https://docs.quickback.dev/definitions/access): Define who can perform CRUD operations and under what conditions. Role-based and record-level access rules, deny by default.
- [Guards — Field Modification Rules](https://docs.quickback.dev/definitions/guards): Control which fields can be set on create vs update. Protected fields, immutable fields, and computed defaults.
- [Masking — Field Redaction](https://docs.quickback.dev/definitions/masking): Hide PII from unauthorized users. Built-in masks for email, phone, SSN, credit cards, plus custom redaction rules.

### Compiler

- [Compiler](https://docs.quickback.dev/compiler/compiler): Transforms declarative TypeScript definitions into optimized production code, validates security configuration, and generates database migrations.
- [Cloud Compiler](https://docs.quickback.dev/compiler/cloud-compiler): Compile in the cloud without local dependencies. Send definitions, get back a complete deployable project.
- [Local Compiler](https://docs.quickback.dev/compiler/compiler-local): Run the compiler locally via Docker for offline development and CI/CD pipelines.

### Deployment Targets

- [Cloudflare Stack](https://docs.quickback.dev/stack/cloudflare): Full-stack edge deployment: Hono API on Workers, D1 database, Better Auth, R2 file storage, KV, Queues, and Durable Objects for realtime.
- [D1 Database](https://docs.quickback.dev/stack/cloudflare/d1-database): SQLite at the edge with automatic migrations, split read/write databases, and Quickback security layers.
- [KV Storage](https://docs.quickback.dev/stack/cloudflare/kv-storage): Global key-value storage for sessions, cache, and configuration data.
- [File Storage (R2)](https://docs.quickback.dev/stack/cloudflare/file-storage): S3-compatible object storage with presigned uploads and Quickback access control.
- [Automatic Embeddings](https://docs.quickback.dev/stack/cloudflare/embeddings): Vector embeddings via Workers AI and Queues for semantic search on your data.
- [Custom Queue Handlers](https://docs.quickback.dev/stack/cloudflare/queues): Background job processing with Cloudflare Queues for async workflows.
- [Realtime](https://docs.quickback.dev/stack/cloudflare/realtime): WebSocket notifications via Durable Objects for live updates on data changes.
- [Supabase](https://docs.quickback.dev/stack/supabase): Compile Quickback definitions into Supabase RLS policies for Postgres-level security.
- [Supabase RLS](https://docs.quickback.dev/stack/supabase/rls): Generated Row Level Security policies that enforce firewall, access, and masking rules directly in Postgres.
- [Neon](https://docs.quickback.dev/stack/neon): Serverless Postgres with compiled RLS policies and branching support.
- [Neon RLS](https://docs.quickback.dev/stack/neon/rls): Row Level Security for Neon databases compiled from Quickback definitions.
- [Supabase vs Cloudflare](https://docs.quickback.dev/stack/cloudflare/supabase-vs-cloudflare): Comparison of deployment targets — when to use Supabase RLS vs the full Cloudflare edge stack.

### Authentication

- [Better Auth Plugins](https://docs.quickback.dev/stack/better-auth-plugins): Open-source plugins for Better Auth: email OTP, magic links, passkeys, anonymous auth, and more.
- [Authentication Security](https://docs.quickback.dev/stack/auth-security): Cookie security, rate limiting, CORS, and cross-domain auth configuration for production.

### Account UI

- [Account UI](https://docs.quickback.dev/stack/account-ui): Pre-built React authentication and account management UI for Better Auth with multi-tenant organization support.
- [Environment Variables](https://docs.quickback.dev/stack/account-ui/environment-variables): Complete reference for configuring Account UI deployment.
- [Feature Flags](https://docs.quickback.dev/stack/account-ui/features): Enable and configure Account UI features — sign-up, OAuth providers, passkeys, organizations.
- [Customization](https://docs.quickback.dev/stack/account-ui/customization): Customize branding, labels, and messaging in the Account UI.
- [Worker Setup](https://docs.quickback.dev/stack/account-ui/worker): Deploy Account UI to Cloudflare Workers.
- [Account App](https://docs.quickback.dev/stack/cloudflare/account-app): Full auth frontend connected to the Quickback Stack with Better Auth integration.

### Developer Tools

- [Claude Code Integration](https://docs.quickback.dev/stack/claude-code-plugin): AI-powered skill for Claude Code that provides documentation lookup and code generation for Quickback definitions.
- [Quick Reference](https://docs.quickback.dev/stack/reference): Cheat sheet of all definition options: firewall, access, guards, masking, actions, schema, and query parameters.