@rapidd/core
v2.1.8
Published
Code-first REST API framework for TypeScript. Database in, API out.
Maintainers
mertdalbudakReadme
Rapidd
Code-first REST API framework for TypeScript. Database in, API out.
Why Rapidd
Rapidd generates a fully-featured REST API from your database schema — then gets out of your way. It's not a scaffolder that dumps code you'll rewrite. It's not a hosted service between you and your data. It's a framework you own, extend, and deploy anywhere.
Unlike Hasura or Supabase, you get a full TypeScript codebase — no vendor lock-in, no managed service dependency. Unlike PostgREST, you get auth, ACL, middleware hooks, and utilities built in. Unlike Strapi, it's schema-first via Prisma, not UI-driven.
- Zero to API in 3 commands — CRUD endpoints with filtering, pagination, relations, and field selection
- Convention over configuration — auto-detects auth tables, password fields, DB provider, and RLS support. Every default overridable
- Production-grade from day one — security headers, JWT with refresh rotation, row-level security, per-model ACL, rate limiting
- Batteries included — HTTP client, SMTP mailer with templates, file uploads, rate limiting, i18n across 10 languages
- Fully extensible — before/after middleware on every CRUD operation, custom routes alongside generated ones
Quick Start
mkdir my-api && cd my-api
npx @rapidd/core create-project && npm installSet DATABASE_URL in .env, then add your schema in prisma/schema.prisma(or create from DB via npx prisma db pull):
npx rapidd build # generate models, routes & ACL scaffold
npm run dev # http://localhost:3000Every table gets full CRUD endpoints. Auth is enabled automatically when a user table is detected. Every auto-detected value — auth fields, password hashing, JWT secrets, session store — is overridable via env vars. See .env.example for the full list.
Getting Started guide — full walkthrough with project structure
How It Compares
| | Rapidd | Hasura | PostgREST | Supabase | Strapi | |---|:---:|:---:|:---:|:---:|:---:| | Full source code ownership | ✓ | — | — | — | ✓ | | Schema-first (no UI) | ✓ | ✓ | ✓ | ✓ | — | | REST API | ✓ | partial | ✓ | ✓ | ✓ | | Multi-database | ✓ | ✓ | — | — | ✓ | | Built-in auth | ✓ | — | — | ✓ | ✓ | | Per-model ACL | ✓ | ✓ | — | — | ✓ | | Row-level security | ✓* | ✓ | ✓ | ✓ | — | | Before/after middleware | ✓ | — | — | — | ✓ | | Custom routes alongside generated | ✓ | — | — | ✓ | ✓ | | No vendor dependency | ✓ | ✓ | ✓ | — | ✓ |
* PostgreSQL only. All other features support PostgreSQL and MySQL/MariaDB.
Query API
All generated endpoints support filtering, relations, field selection, sorting, and pagination.
GET /api/v1/posts?filter=status=active,title=%typescript%
GET /api/v1/posts?filter=createdAt=after:2025-01-01,views=gte:100
GET /api/v1/posts?include=author,comments.user&fields=id,title,author.name
GET /api/v1/posts?sortBy=createdAt&sortOrder=desc&limit=10&offset=2020+ filter operators for strings, numbers, dates, arrays, nulls, and nested relation fields. Responses include pagination metadata with total, count, limit, offset, and hasMore.
Query API wiki — all operators, composite PKs, relation filtering
Authentication
Auto-enabled when a user table is detected.
POST /auth/login { "user": "[email protected]", "password": "..." }
POST /auth/logout Authorization: Bearer <token>
POST /auth/refresh { "refreshToken": "..." }
GET /auth/me Authorization: Bearer <token>Four strategies — bearer (default), basic, cookie, and custom header — configurable globally via AUTH_STRATEGIES env var or per endpoint prefix in config/app.json:
{
"endpointAuthStrategy": {
"/api/v1": ["basic", "bearer"],
"/api/v2": "bearer"
}
}Set null for the global default, a string for a single strategy, or an array for multiple. Route-level config takes highest priority, then prefix match, then global default.
Multi-identifier login lets users authenticate with any unique field (email, username, phone) in a single endpoint.
Production: JWT_SECRET and JWT_REFRESH_SECRET must be set explicitly. The server refuses to start without them to prevent session invalidation on restart.
Authentication wiki — session stores, route protection, per-endpoint strategy overrides
Access Control
Define per-model rules in src/config/acl.ts. Enforced on every CRUD operation, relation include, and field selection.
const acl: AclConfig = {
model: {
posts: {
canCreate: (user, data) => user.role !== 'GUEST',
getAccessFilter: (user) => user.role === 'ADMIN' ? {} : { authorId: user.id },
getUpdateFilter: (user) => user.role === 'ADMIN' ? {} : { authorId: user.id },
getDeleteFilter: (user) => user.role === 'ADMIN' ? {} : false,
getOmitFields: (user) => user.role !== 'ADMIN' ? ['internalNotes'] : [],
}
}
};Return {} for full access, a filter object to scope records, or false to deny.
Access Control wiki — all 5 ACL methods, relation ACL, 404 vs 403 distinction
Model Middleware
Hook into any CRUD operation before or after execution.
// Auto-timestamps
Model.middleware.use('before', 'create', async (ctx) => {
ctx.data.createdAt = new Date();
ctx.data.createdBy = ctx.user?.id;
return ctx;
});
// Soft deletes (scoped to a specific model)
Model.middleware.use('before', 'delete', async (ctx) => {
ctx.softDelete = true;
ctx.data = { deletedAt: new Date(), deletedBy: ctx.user?.id };
return ctx;
}, 'posts');Supports create, update, upsert, upsertMany, delete, get, getMany, and count. Middleware can abort operations, modify data, and short-circuit with cached results.
Model Middleware wiki — all hooks, context object, patterns (soft delete, validation, caching)
Row-Level Security
Auto-enabled for PostgreSQL. Define which variables to inject in src/config/rls.ts:
// src/config/rls.ts
const rlsContext: RlsContextFn = (request) => ({
current_user_id: request.user?.id ?? null,
current_tenant_id: request.headers['x-tenant-id'] ?? null,
});CREATE POLICY tenant_isolation ON orders
USING (tenant_id = current_setting('app.current_tenant_id')::int);Row-Level Security wiki — policy examples, RLS vs ACL comparison
Built-in Utilities
| Utility | Description | Docs |
|---------|-------------|------|
| ApiClient | Config-driven HTTP client with Bearer, Basic, API Key, and OAuth2 auth. Automatic token caching, retries, and fluent builder. | Wiki |
| Mailer | SMTP email with EJS template rendering, layout wrappers, i18n support, batch sending, and attachments. | Wiki |
| File Uploads | Multipart uploads with MIME validation, size limits, and type presets (images, documents, etc.). | Wiki |
| Rate Limiting | Redis-backed with automatic memory fallback. Per-path configuration via config/rate-limit.json. | Wiki |
| i18n | 10 languages included. Auto-detected from Accept-Language header. Parameter interpolation in error messages. | Wiki |
Production & Deployment
NODE_ENV=production
JWT_SECRET=your-secret-here # Required — server won't start without it
JWT_REFRESH_SECRET=your-refresh-secret
ALLOWED_ORIGINS=yourdomain.com
TRUST_PROXY=truenpm run build && npm start
# or Docker
docker build -t my-api . && docker run -p 3000:3000 --env-file .env my-apiSecurity defaults in production: HSTS, Content-Security-Policy, X-Content-Type-Options, Referrer-Policy, and CORS with explicit origin whitelisting — all enabled automatically.
Deployment wiki — Docker Compose, nginx reverse proxy, production checklist, horizontal scaling
Packages
| Package | Description |
|---------|-------------|
| @rapidd/core | Framework runtime, project scaffolding, and unified npx rapidd CLI |
| @rapidd/build | Code generation — models, routes, and ACL from your Prisma schema |
npx @rapidd/core create-project # scaffold a new project
npx rapidd build # generate from schema (after npm install)Documentation
Full documentation: github.com/MertDalbudak/rapidd/wiki
Getting Started · Configuration · Query API · Authentication · Access Control · Model Middleware · Row-Level Security · ApiClient · Mailer · File Uploads · Rate Limiting · i18n · Deployment
Contributing
Issues and pull requests are welcome. If you find a bug or have a feature request, open an issue.
License
Built by Mert Dalbudak