Quickback Overview

Quickback is a backend compiler that transforms declarative resource definitions into a fully-featured, production-ready API. You define your database schema, security rules, and business logic in TypeScript—Quickback compiles it into optimized API endpoints, database queries, and middleware.

How It Works

  1. Define your database schema using Drizzle ORM
  2. Configure security layers (firewall, access, guards, masking) for each resource
  3. Compile your definitions into a deployable backend
  4. Deploy to Supabase, Cloudflare Workers, or your own infrastructure

The compiler analyzes your definitions at build time, catching configuration errors before deployment and generating efficient, type-safe code.

Security Philosophy: Locked Down by Default

Quickback is secure by default. Nothing is accessible until you explicitly open it up.

| Layer | Default State | What You Must Do |
| --- | --- | --- |
| Firewall | ON - all data isolated | Define ownership scope OR explicitly mark as exception |
| Guards | LOCKED - no fields modifiable | Explicitly list createable, updatable fields |
| Access | DENIED - no CRUD operations | Explicitly define access rules with roles |
| Actions | BLOCKED - no custom routes | Explicitly define guard for each action |

This means:

  • A resource with no definition is completely inaccessible
  • Forgot to add a field to createable? You get a 400 error on create
  • Forgot to add a field to updatable? You get a 400 error on update
  • No access rule? The request gets 403 forbidden
  • No firewall ownership? The build fails with a compilation error

You must deliberately open each door. This prevents accidental data exposure.
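The defaults above can be modeled in a few lines. This is an added sketch, not Quickback's API or generated code: the names `ResourceDef`, `compile`, `authorize`, the sample `notes` resource, and the order in which access and guards run are all assumptions made for illustration.

```typescript
// Hypothetical model of deny-by-default layering; not Quickback's API or generated code.
type Op = "create" | "read" | "update" | "delete";
type Firewall = { ownerField: string } | { exception: true };
interface ResourceDef {
  firewall?: Firewall;                                      // ownership scope or explicit exception
  access?: Partial<Record<Op, string[]>>;                   // roles allowed per operation
  guards?: { createable?: string[]; updatable?: string[] }; // writable-field allowlists
}
type Compiled = ResourceDef & { firewall: Firewall };
interface User { id: string; roles: string[] }
interface Decision { status: number; reason: string; where?: Record<string, string> }

// Build-time check: a resource without firewall configuration never ships.
function compile(name: string, def: ResourceDef): Compiled {
  if (!def.firewall) throw new Error(`${name}: define an ownership scope or mark as exception`);
  return { ...def, firewall: def.firewall };
}

// Request-time checks. Running access before guards is an assumption of this sketch.
function authorize(def: Compiled, user: User, op: Op, body: Record<string, unknown> = {}): Decision {
  // Access: DENIED unless a rule lists one of the caller's roles for this operation.
  const roles = def.access?.[op] ?? [];
  if (!roles.some((r) => user.roles.indexOf(r) >= 0)) {
    return { status: 403, reason: `no access rule grants ${op}` };
  }
  // Guards: LOCKED unless every submitted field is on the allowlist for this write.
  if (op === "create" || op === "update") {
    const allow = (op === "create" ? def.guards?.createable : def.guards?.updatable) ?? [];
    const blocked = Object.keys(body).filter((f) => allow.indexOf(f) < 0);
    if (blocked.length > 0) {
      return { status: 400, reason: `field(s) not writable on ${op}: ${blocked.join(", ")}` };
    }
  }
  // Firewall: ON; the query is scoped to the caller unless explicitly exempted.
  const fw = def.firewall;
  const where: Record<string, string> = "ownerField" in fw ? { [fw.ownerField]: user.id } : {};
  return { status: 200, reason: "ok", where };
}

// Constructed sample resource and caller.
const notes = compile("notes", {
  firewall: { ownerField: "ownerId" },
  access: { create: ["member"], read: ["member"], update: ["member"] },
  guards: { createable: ["title", "body"] }, // "updatable" forgotten on purpose
});
const alice: User = { id: "u1", roles: ["member"] };
```

In this model a client that submits `ownerId` on create is rejected with 400 because the field is not on the `createable` allowlist, so the ownership column can only come from the firewall scope.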

The Five Security Layers

Quickback provides five distinct layers of security that work together to protect your data:

1. Firewall - Data Isolation

The firewall automatically generates WHERE clauses to isolate data by user, organization, or team. This ensures users can only access data they own or have permission to see.

Learn more about Firewall →

2. Access - Role & Condition-Based Control

Define who can perform CRUD operations and under what conditions. Combine roles with record-level conditions for fine-grained access control.

Learn more about Access →

3. Guards - Field Modification Rules

Control which fields can be modified in CREATE vs UPDATE operations. Protect sensitive fields and ensure data integrity.

Learn more about Guards →

4. Masking - Field Redaction

Hide sensitive data from unauthorized users while showing it to those with permission. Built-in masks for common data types like email, phone, SSN.

Learn more about Masking →

5. Actions - Custom Routes

Create custom business logic endpoints beyond CRUD. Define access control, input validation, and handlers for your custom operations.

Learn more about Actions →

Database Schema

Before defining your resources, you'll need to define your database tables. Quickback uses Drizzle ORM for type-safe schema definitions.

Learn about Database Schema →

Next Steps

Ready to get started? Check out the Quick Start Guide to see how these layers work together in a complete example.
