THE API

Quickback API

The multi-tenant-first API. Define your schema, security rules, and access policies in TypeScript. Quickback compiles them into a production-ready Hono API with four built-in security layers.

Declarative. Fast. Developer-first — CLI, MCP Server, and Claude Code Skill out of the box.

Read the Docs

SEE IT IN ACTION

~50 lines in. Production API out.

Define your schema and security rules once. The compiler generates every route, every middleware, every type.

quickback/features/candidates/candidates.ts

export default defineTable(candidates, {
  firewall: { organization: {} },
  guards: {
    createable: ["name", "email", "resumeUrl"],
    updatable: ["name", "resumeUrl"],
  },
  masking: {
    email: { roles: ["recruiter", "hiring-manager"] },
    phone: { roles: ["recruiter"] },
  },
  crud: {
    list:   { access: { roles: ["recruiter", "hiring-manager"] } },
    create: { access: { roles: ["recruiter"] } },
    update: { access: { roles: ["recruiter", "hiring-manager"] } },
    delete: { access: { roles: ["owner"] } },
  },
});

Generated: src/routes/candidates.ts (compiled output)

// Firewall: org isolation middleware
app.use('/api/v1/candidates/*', async (c, next) => {
  const ctx = c.get('ctx');
  if (!ctx.organizationId) throw new ForbiddenError();
  await next();
});

// Access: list (recruiter, hiring-manager)
app.get('/api/v1/candidates', async (c) => {
  const ctx = c.get('ctx');
  await checkAccess(ctx, 'candidates', 'list');
  let query = db.select().from(candidates);
  query = applyFirewall(query, ctx);
  const results = await query;
  return c.json({ data: applyMasking(results, ctx) });
});

// Guards: only permitted fields written
app.post('/api/v1/candidates', async (c) => {
  // ctx must be read from the request context before the access check
  const ctx = c.get('ctx');
  await checkAccess(ctx, 'candidates', 'create');
  const body = await parseGuarded(c, ['name', 'email', 'resumeUrl']);
  return c.json({ data: await db.insert(candidates).values(body) });
});

$ npx @kardoe/quickback compile

SECURITY MODEL

Four layers of security compiled in.

Four Layers. Compiled In. Non-Negotiable.

Multi-tenancy isn't an afterthought — it's the foundation.

Every request passes through four security layers before touching your data. Define them declaratively. The compiler enforces them.

Layer 1

Firewall

Tenant isolation enforced at the database query level. Every query is scoped. Cross-tenant data leaks are structurally impossible.

Layer 2

Access

Role-based permissions. Deny by default. Every endpoint requires an explicit access grant — compiled into middleware, not bolted on after.

Layer 3

Guards

Field-level write protection. Only permitted fields can be created or updated. Injection of arbitrary fields is blocked at the API boundary.

Layer 4

Masking

PII redaction in every response. Sensitive fields are hidden based on role. Sensitive data never leaks — it's filtered before the response is sent.

Every request, every time

Request → Firewall → Access → Guards → Masking → Response
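
The four layers described above, sketched as an added example (not Quickback's generated code): an in-memory TypeScript model that uses the roles and field lists from the candidates definition. The helper names, the sample rows, the `[masked]` placeholder, and the choice to reject rather than strip unlisted fields are assumptions.

```typescript
// Added illustration with hypothetical names; not Quickback's generated code.
type Ctx = { organizationId?: string; role: string };
type Row = Record<string, string>;
const has = (xs: string[] | undefined, x: string) => !!xs && xs.indexOf(x) !== -1;
// Policy values copied from the page's defineTable example.
const ACCESS: Record<string, string[]> = { list: ["recruiter", "hiring-manager"], create: ["recruiter"] };
const CREATEABLE = ["name", "email", "resumeUrl"];
const MASKING: Record<string, string[]> = { email: ["recruiter", "hiring-manager"], phone: ["recruiter"] };
// Constructed sample data: two tenants sharing one table.
const candidates: Row[] = [
  { organizationId: "org_a", name: "Ada", email: "ada@example.test", phone: "555-0100" },
  { organizationId: "org_b", name: "Bob", email: "bob@example.test", phone: "555-0199" },
];
// Layer 1, firewall: without a tenant in the context no rows are read at all.
function firewall(ctx: Ctx): Row[] {
  if (!ctx.organizationId) throw new Error("forbidden: no organization");
  return candidates.filter((r) => r.organizationId === ctx.organizationId);
}
// Layer 2, access: deny by default; an unlisted action or role gets nothing.
function checkAccess(ctx: Ctx, action: string): void {
  if (!has(ACCESS[action], ctx.role)) throw new Error("forbidden: " + action);
}
// Layer 3, guards: assumption here is reject (not silently strip) unlisted fields.
function guard(body: Row): Row {
  const extra = Object.keys(body).filter((k) => !has(CREATEABLE, k));
  if (extra.length > 0) throw new Error("rejected fields: " + extra.join(","));
  return body;
}
// Layer 4, masking: redact fields the caller's role is not listed for.
function mask(rows: Row[], ctx: Ctx): Row[] {
  return rows.map((r) => {
    const out: Row = {};
    for (const k of Object.keys(r))
      out[k] = MASKING[k] && !has(MASKING[k], ctx.role) ? "[masked]" : r[k];
    return out;
  });
}
function listCandidates(ctx: Ctx): Row[] {
  checkAccess(ctx, "list");
  return mask(firewall(ctx), ctx);
}
function createCandidate(ctx: Ctx, body: Row): Row {
  checkAccess(ctx, "create");
  if (!ctx.organizationId) throw new Error("forbidden: no organization");
  // The tenant id is stamped from the session, never taken from the request body.
  const row: Row = { ...guard(body), organizationId: ctx.organizationId };
  candidates.push(row);
  return row;
}
```

In this model `owner` is denied `list` because the definition grants that role only `delete`; under deny by default no role is implicitly privileged.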

Write Once. Deploy Anywhere.

The same definitions compile to different targets. Same security rules, same access model — your choice of database and runtime.

Cloudflare

Cloudflare D1

Recommended

Full Hono API on Cloudflare Workers with D1 (SQLite at the edge). Zero cold starts. 300+ edge locations. Part of the Quickback Stack.

quickback create cloudflare my-app

Neon

Full Hono API with serverless Postgres. Uses Neon Authorize for database-level RLS on top of the four API security layers.

quickback create neon my-app

Using Supabase? See Quickback for Supabase RLS — compile RLS policies for your existing Supabase project.

DEVELOPER EXPERIENCE

Three Ways to Build

Whether you prefer the terminal, your AI assistant, or your IDE — Quickback meets you there.

CLI

Create projects, compile definitions, manage auth, and deploy — all from the terminal.

quickback create cloudflare my-app
quickback compile
quickback login

MCP Server

Connect any MCP-compatible AI tool to Quickback. Browse your schema registry, validate definitions, and trigger compiles from inside your AI workflow.

@quickback/mcp-server

Claude Code Skill

A dedicated Claude Code skill that understands Quickback's API, schema format, and security model. Describe your feature — get correct definitions back.

Get the skill →

WHAT COMPILES OUT

REST API

CRUD routes + batch operations for every table. Custom action endpoints from defineActions().

OpenAPI 3.1 Spec

Auto-generated and served at /openapi.json. Import into Postman or generate typed clients.

TypeScript Types

Fully typed interfaces for every resource. Use with openapi-typescript for end-to-end type safety.

DB Migrations

Drizzle-kit migrations auto-generated on every compile. Schema changes are tracked and versioned.

WANT MORE?

Supabase Alternative

Quickback API is included in Quickback Stack.

The Stack adds the full Cloudflare infrastructure layer on top — realtime with Durable Objects, storage with R2, vector search with Vectorize, queues, and email. Everything a SaaS needs, running on your own Cloudflare account.

Explore Quickback Stack
