WHY HONO
Hono APIs with security compiled in.
You write the schema and the rules. Quickback writes the Hono — typesafe, multi-tenant, audit-ready from day one.
Hono is right.
What it needs is a security compiler.
The TypeScript backend debate is over. For new APIs in 2026, Hono won — it's what serious teams reach for the second they open a terminal. Fast, edge-native, typesafe from the first keystroke, and the only framework that runs unmodified on Cloudflare Workers, Bun, Deno, and Node.
But Hono is a router. It stops at routing. Everything that makes an API production — multi-tenancy, RBAC, field-level permissions, PII masking, audit trails, tenant isolation — is on you.
Quickback compiles it in.
Why Hono won
Type-first, not type-retrofitted
Hono was TypeScript from day one. Express wasn't — and you feel it every time you fight @types/express for a type that should have been obvious.
2.8M weekly downloads
Up roughly 340% year-over-year in late 2025. It stopped being a contender and became the default.
End-to-end types via hc<AppType>()
Your client knows what your server will return, at compile time. No codegen step, no OpenAPI dance, no any.
One codebase, every runtime
The same API runs on Cloudflare Workers, Bun, Deno, Vercel, and Node — no rewrites, no polyfills. Express can't run on Workers at all.
Sources: hono.dev, pkgpulse 2026 benchmarks, dev.to Hono-on-Workers coverage.
Where Hono leaves you
Hono ships routing, middleware primitives, and a Zod validator hook. That's the spec. Everything else is a bring-your-own decision.
- ✕Validation — you'll wire up Zod and
@hono/zod-validator - ✕Auth — Better Auth, Lucia, Clerk, Auth0, roll-your-own
- ✕ORM — Drizzle, Prisma, Kysely
- ✕Multi-tenancy — DIY, on every query, forever
- ✕RBAC — DIY, usually
if (user.role === 'admin')scattered across 40 files - ✕Field-level permissions — DIY, and the thing that lets a PATCH request promote a user to admin
- ✕PII masking — DIY, usually forgotten until a security review
- ✕Audit trails — DIY, usually bolted on the week before a SOC 2 audit
- ✕Tenant isolation — DIY, and the thing that leaks Org B's data to Org A when you forget a
WHEREclause
What Quickback compiles in
One TypeScript file per resource. Schema and four security rules in the same place. Compiled into Hono middleware and route handlers — every endpoint correct by construction.
Firewall — tenant isolation at the DB level
Automatic WHERE clauses scoped to the user's org or team. Impossible to forget.
Access — deny-by-default RBAC
Role-based permissions compiled into middleware, not checked at runtime. If you didn't grant it, it doesn't exist.
Guards — field-level protection
Control which fields can be set on create vs. update. Kills mass-assignment attacks at the compiler level.
Masking — PII redaction by role
Sensitive fields redacted in API responses before data leaves your server. Email, phone, SSN, anything you declare.
export default defineTable(candidates, {
firewall: { organization: {} },
guards: {
createable: ["name", "email", "phone", "resumeUrl"],
updatable: ["name", "phone", "resumeUrl"],
},
masking: {
email: { roles: ["recruiter", "hiring-manager"] },
phone: { roles: ["recruiter"] },
},
crud: {
list: { access: { roles: ["recruiter", "hiring-manager"] } },
create: { access: { roles: ["recruiter"] } },
update: { access: { roles: ["recruiter", "hiring-manager"] } },
delete: { access: { roles: ["owner"] } },
},
});// Generated: src/routes/candidates.ts
app.use('/api/v1/candidates/*', orgFirewall());
app.get('/api/v1/candidates', async (c) => {
const ctx = c.get('ctx');
await checkAccess(ctx, 'candidates', 'list');
let query = db.select().from(candidates);
query = applyFirewall(query, ctx);
const results = await query;
return c.json({ data: applyMasking(results, ctx) });
});
// … plus typed POST, PATCH, DELETE
// with guards + access compiled inYou write 20 lines. You get a secure, tenant-isolated, field-guarded, PII-masked Hono API. The output is standard TypeScript — readable, debuggable, and yours.
The shape
Not a platform. A build-step.
Quickback has no runtime. Your definitions go in. Code comes out. That code runs on your Cloudflare account, your Neon database, your Supabase project — not ours. We never connect to your database. We never see your data. We operate at the schema level and emit standard libraries: Hono, Drizzle, Better Auth.
Recompile whenever your rules change. Your action handlers — the custom business logic you write by hand — are never overwritten. If you stop using Quickback tomorrow, your app still ships. There's nothing to migrate off, because there's nothing hosted on our side.
That's the whole shape. A compiler, not a control plane.
The 2026 stack, made secure
Every modern TypeScript backend is converging on the same shape. Quickback compiles all of it from one TypeScript file per resource.
Same definitions, same output shape, whether you're on D1 at the edge or Neon Postgres.
Quickback vs. platforms
| Quickback | Hosted backend platforms | |
|---|---|---|
| Shape | Compiler (build-step) | Runtime (hosted service) |
| Where your code runs | Your infrastructure | Their infrastructure |
| What they see | Your schema | Your data |
| If they disappear | You still have a working app | You don't |
| Dependency | Standard TypeScript libs | Their SDK + their runtime |
Why not Encore? NestJS? Convex?
Encore.ts
A platform with its own Rust runtime. Excellent if you want Encore's opinions end-to-end. But you don't emit Hono — you emit Encore. Quickback emits standard Hono; you can run it anywhere Hono runs.
NestJS
A 2015-era enterprise framework — decorator-heavy, DI-first, built before edge runtimes existed. Fine for large Angular-adjacent teams; strange for a new edge-native SaaS.
Convex
A reactive database platform with excellent DX — but it's a hosted runtime, not a compiler. If you want real code you own on infrastructure you control, Quickback is the other answer.
Supabase
We compile to it. Your existing Supabase project keeps working; Quickback generates your RLS for you so you stop writing policies by hand. The Cloudflare and Neon targets are a one-flag swap.
Try it
One command. Scaffold a secure Hono API on Cloudflare in under 60 seconds.