THE ENGINE

Quickback Compiler

Turns your TypeScript definitions into Supabase RLS policies or a full Hono + Drizzle API. Same security rules, multiple targets.

Read the Docs

One Definition, Multiple Targets

Write your schema, security rules, and access policies once. The compiler generates production-ready output for whichever platform you choose.

Supabase

Compiled RLS policies only. Keep your existing Supabase Auth, Storage, and Realtime - Quickback just adds the security layer.

Cloudflare D1

Full Hono API + SQLite database. Routes, Drizzle ORM, Better Auth - all running at the edge.

Neon

Full Hono API + serverless Postgres with compiled RLS. Uses Neon Authorize + Better Auth for database-level security on top of the API layer.

SEE IT IN ACTION

Define once. Compile to any target.

The same definition compiles to Supabase RLS policies or a full Hono API. You choose the target.

quickback/features/todos/todos.ts

export default defineTable(todos, {
  firewall: { organization: {}  },
  guards: {
    createable: ["title", "content"],
    updatable: ["title", "content"],
    protected: { status: ["complete"] },
  },
  crud: {
    list:   { access: { roles: ["member", "admin"] } },
    create: { access: { roles: ["member", "admin"] } },
    update: { access: { roles: ["member", "admin"] } },
    delete: { access: { roles: ["admin"] } },
  },
  views: {
    summary: {
      fields: ["id", "title", "status"],
      access: { roles: ["member"] },
    },
    full: {
      fields: ["id", "title", "content", "status"],
      access: { roles: ["admin"] },
    },
  },
});

compiled output

-- Generated by Quickback Compiler

-- Firewall: org isolation
CREATE POLICY "todos_org_isolation" ON "todos"
  FOR ALL USING (
    organization_id = auth.jwt() ->> 'org_id'
  );

-- Access: list + select
CREATE POLICY "todos_select" ON "todos"
  FOR SELECT USING (
    auth.jwt() ->> 'role' IN ('member', 'admin')
  );

-- Access: delete (admin only)
CREATE POLICY "todos_delete" ON "todos"
  FOR DELETE USING (
    auth.jwt() ->> 'role' = 'admin'
  );

// Generated: src/routes/todos.ts

// Firewall: org isolation middleware
app.use('/api/v1/todos/*', async (c, next) => {
  const ctx = c.get('ctx');
  if (!ctx.organizationId) throw new ForbiddenError('No org context');
  await next();
});

// Access: list (member, admin)
app.get('/api/v1/todos', async (c) => {
  const ctx = c.get('ctx');
  await checkAccess(ctx, 'todos', 'list');
  let query = db.select().from(todos);
  query = applyFirewall(query, ctx);
  const results = await query;
  return c.json({ data: applyMasking(results, ctx) });
});

// View: summary (member) - field projection
app.get('/api/v1/todos/views/summary', async (c) => {
  await checkAccess(ctx, 'todos', 'view:summary');
  const results = await db
    .select({ id, title, status })
    .from(todos);
  return c.json({ data: results });
});

Four Layers of Security, Compiled In

Every compiled API is protected by four declarative security layers. Define them once, and they compile directly into your code.

Firewall

Tenant isolation enforced at the database level. Every table needs a scope column.

Access

Role-based permissions. Deny by default. Compiled into middleware.

Guards

Field-level protection. Only permitted fields can be written.

Masking

PII redaction in responses. Sensitive data never leaks.

How It Works

Define your data + rules

Use Drizzle ORM for your schema. Add security rules, access policies, and typed actions - all in TypeScript.

Choose your target

Supabase for RLS-only. Cloudflare for a full edge stack. Neon for a full API with RLS + Better Auth.

Login, compile, and ship

Run quickback login, then quickback compile and deploy. Complete backend in minutes.

Ready to compile?

Read the Docs