Build any application with a robust, flexible, and production-ready REST API boilerplate. Everything you need, nothing you don't.
Thoughtfully designed, flexible, and ready for any project
One configuration file generates complete REST API with validation, permissions, and Swagger docs.
Zero BoilerplateModern React interface with shadcn/ui. Auto-generated forms, tables, and relations management.
Production ReadyPasswordless OTP system with JWT tokens. Email and SMS support with session management.
Secure by DefaultGranular RBAC with permission hierarchy. SUPERADMIN, ADMIN roles with fine-grained control.
FlexibleMulti-channel system: EMAIL, SMS, PUSH, INTERNAL. User subscriptions, scheduling, templates.
CompleteType-safe event-driven architecture. Decoupled modules, automatic handlers, audit logging.
ScalableHMAC-signed HTTP callbacks. Retry logic, delivery tracking, per-app subscriptions.
ReliableS3/MinIO storage with thumbnails, presigned URLs, polymorphic attachments, auto-cleanup.
EnterpriseDatabase-stored translations with Handlebars. RTL support, code-first sync, hot reload.
Global ReadyExternal app registration with API tokens. Secure token-based authentication, webhook management, and usage tracking.
API ReadyOpenAI-compatible client with automatic usage tracking, cost analysis, and multi-provider support (OpenAI, Anthropic, Azure, Ollama).
Interactive questionnaires with AI-generated questions. Ping-pong approach: AI asks questions based on previous answers, creating a dynamic conversation.
Intelligent questionnaires that adapt to responses
Create interactive surveys where AI generates contextual questions based on previous answers:
Admin creates wizard, gets public link
Respondent fills initial form
AI generates questions based on answers
Respondent answers questions
AI generates new questions (ping-pong)
Wizard completed, all data saved
AI analyzes all previous answers before generating new questions. Avoids repetition, focuses on gaps.
// AI considers:
- Project description
- All previous Q&A
- Missing information
AI provides suggested answers based on context. Respondents can accept, modify, or write their own.
Questions and suggestions generated in the wizard's language. Supports 12+ languages.
AI focuses on business requirements, not technical details:
// 1. Admin creates wizard
POST /admin/wizards
→ Returns: { id, publicUrl: "/wizard/{id}" }
// 2. Respondent starts wizard
POST /wizard/{id}/start
{ email, name, formData: { description, problem, ... } }
// 3. Generate AI questions
POST /wizard/{id}/generate-questions
{ count: 5 }
→ Returns: { questions: [{ question, suggestedAnswer }] }
// 4. Answer questions
POST /wizard/{id}/questions/{questionId}/answer
{ answer: "..." }
// 5. Generate more questions (ping-pong)
POST /wizard/{id}/generate-questions
→ AI considers all previous answers
// 6. Complete wizard
POST /wizard/{id}/complete
One config file = Complete REST API
Define a resource configuration, get 5 CRUD endpoints automatically:
export const usersConfig: ResourceConfig = {
name: 'users',
model: 'user',
searchFields: ['email', 'name'],
permissions: {
list: [AdminRole.ADMIN],
create: [AdminRole.SUPERADMIN],
},
schemas: { /* JSON Schema validation */ },
}
Generated Endpoints:
GET /admin/users - List with pagination, search, filtersGET /admin/users/:id - Get single recordPOST /admin/users - Create new recordPUT /admin/users/:id - Update recordDELETE /admin/users/:id - Delete recordSecure by design, flexible by nature
OTP-based authentication via email or SMS. Auto user creation, rate limiting, session management.
POST /auth/request-otp
POST /auth/verify-otp
POST /auth/refresh
Role-based access with granular permissions. SUPERADMIN bypass, ADMIN with permission checks.
permissions: [
'users',
'files',
'notifications.list'
]
Granular access control with permission hierarchy and categories:
dashboard, users, files
pages, i18n.*
system.*
notifications.*
ai.usage, ai.models
apps.*, apps.webhooks
Parent permissions cover children:
users // Full access (view, create, edit, delete)
└── users.readonly // View only (automatically included)
If admin has users permission, they automatically have users.readonly access.
// Different permissions for different operations
permissions: {
list: [AdminRole.ADMIN],
get: [AdminRole.ADMIN],
create: [AdminRole.SUPERADMIN],
update: [AdminRole.ADMIN],
delete: [AdminRole.SUPERADMIN]
}
Reach users everywhere they are
Domain events emit
Resolves config
EMAIL, SMS, PUSH, INTERNAL
SendGrid, Inforu, FCM
Per-event channel preferences. Users control how they receive notifications.
Preferred delivery times, timezone support. Respect user preferences.
Handlebars templates with i18n. Dynamic content with variables.
Subscribe to events, trigger webhooks and notifications automatically
Events are emitted when something happens in the system. Multiple handlers can react to the same event:
user.created
Send email/SMS
POST to external API
Log to database
// Emit an event
appEvents.emit('user.created', {
userId: 'user-123',
email: 'user@example.com',
name: 'John Doe'
}, {
shouldNotify: true,
priority: 1
})
Subscribe external apps to events. Receive HTTP callbacks with HMAC signatures when events occur.
// Subscribe to events
eventTypes: [
'user.created',
'order.shipped'
]
// → POST to your webhook URL
Users and admins subscribe to events. Receive notifications via EMAIL, SMS, PUSH, or INTERNAL channels.
// User preferences
channels: ['EMAIL', 'PUSH']
preferredDeliveryTime: '09:00'
Pre-defined events for common operations. Add custom events for your business logic.
user.created - New user registereduser.updated - User profile changedauth.otp.requested - OTP code sententity.created - Any entity createdentity.updated - Any entity updatednotification.failed - Delivery failedEvents defined in code, synced to database. Admins configure active channels and delivery times.
user.created with user dataSecure API access for external applications
External applications register and receive API tokens for authenticated access. Each app can have multiple tokens (production, staging, etc.) with independent expiration and access control.
Admin creates app in admin panel
Create API token with name and expiration
Send X-App-Token header in requests
Manage webhooks, view logs
// 1. Admin creates app and token
POST /admin/apps
POST /admin/app-tokens
→ Returns: { token: "app_xxx..." } (shown once!)
// 2. External app uses token
GET /api/v1/apps/me
Headers: X-App-Token: app_xxx...
// 3. Manage webhooks
GET /api/v1/apps/webhooks
POST /api/v1/apps/webhooks
{ url, eventTypes: ["user.created"] }
// 4. View delivery logs
GET /api/v1/apps/webhooks/:id/logs
Tokens are SHA-256 hashed before storage. Only token prefix is shown after creation. Automatic expiration and revocation support.
Token format: app_xxxxxxxx
Storage: SHA-256 hash
Display: app_xxxx... (prefix only)
Automatic tracking of token usage. Last used timestamp, active/inactive status, and expiration dates. Monitor API access patterns.
Apps can manage their own webhook subscriptions via API. Subscribe to events, view delivery logs, and manage endpoints programmatically.
// Self-service webhook management
POST /api/v1/apps/webhooks
{
url: "https://myapp.com/webhook",
eventTypes: ["user.created", "order.shipped"]
}
App-level and token-level access control. Deactivate apps or individual tokens without affecting others. Granular security management.
Multi-language support with database overrides
Translation system with code-first approach and database overrides. Supports 12+ languages with RTL support, Handlebars templates, and hot reload.
// Translation files: src/i18n/locales/{locale}/*.json
// Example: locales/en/common.json
{
"welcome": {
"title": "Welcome, {{name}}!"
}
}
// Use in code
const message = await i18n.t(
'common.welcome.title',
{ name: 'John' },
'en'
)
// → "Welcome, John!"
JSON files organized by locale and namespace. Version controlled, code-first approach. Easy to sync and maintain.
Admin can override translations in database without code changes. Perfect for client-specific customizations and A/B testing.
// DB override takes precedence
DB: "Welcome, {{name}}!"
File: "Hello, {{name}}!"
// → Uses DB version
Dynamic content with Handlebars syntax. Variables, conditionals, and helpers supported. Perfect for email and SMS templates.
"message": "{{#if paid}}Paid{{else}}Pending{{/if}}"
"count": "You have {{count}} items"
12+ languages supported with RTL (Right-to-Left) support for Hebrew, Arabic, and other RTL languages.
Track everything that happens in your system
Automatic logging of all CRUD operations. Track who changed what, when, and from where. Includes before/after states and change diffs.
// Auto-logged:
entity: 'User'
action: 'update'
actorType: 'ADMIN'
before / after / changes
Complete history of all EMAIL and SMS messages sent. Track delivery status, provider responses, and retry attempts.
Full delivery history for webhook calls. Track HTTP responses, retry attempts, and delivery failures.
Track all AI API calls with token usage, costs, and performance metrics. Analyze usage by model, user, and purpose.
model: 'gpt-4o'
inputTokens: 150
outputTokens: 300
totalCostCents: 0.34
purpose: 'translation'
Built for scale, designed for flexibility
High-performance HTTP framework
Auto-generated endpoints
Business logic separation
Decoupled communication
Type-safe database access
SendGrid, FCM, S3
Full TypeScript with JSON Schema validation. End-to-end type safety.
Templates and events defined in code, synced to database. Version controlled.
Cross-cutting concerns as plugins. Easy to extend and customize.
JWT-based auth, no server sessions. Horizontal scaling ready.