Code your backend with AI. Deploy it globally.

Describe it in plain language and let AI build it — or write it yourself. Either way you ship a production-grade backend, deployed to the edge worldwide. Built for professional developers and vibe coders alike.

Start free on Cloud → Read the docs →
Runs on Bun Node.js Deno
Deploy to Docker Cloudflare Vercel Netlify Deno Deploy AWS Lambda Google Cloud Azure
ai-native

Ask your data anything, in plain language.

Type a question and a model turns it into a reviewable query — then runs it. Every plan passes through your permissions DSL, so each caller sees only the rows and fields their role allows.

Try Ask AI on Cloud MCP spec
Ask in natural language claude-haiku-4-5
Who were our 10 most valuable customers last month?
synthesizing
plan → collections.list read permissions DSL filters rows
tokens 380latency 28msrows 10
namelifetime_valuelast_order_at
Lena Voss$28,1422026-05-22
Theo Ranganathan$22,0052026-05-19
Yuki Okafor$18,8302026-05-23
Permissions DSL applied · 0 fields redacted+7 more rows
mcp · agents

Build it with an agent. Ship it like a pro.

A streamable MCP server ships in the box — point Claude, Codex, Cursor, or any agent at it and build by talking. Every tool call runs through your permissions DSL, with a per-key tool allowlist and read-only guards.

74 tools
MCP tool catalog
Every admin capability is an MCP tool — grouped, type-validated, and DSL-filtered before it runs.
pak_8f2a…
Per-key guards
Bind a tool allowlist and a read-only flag to any access key — agents inherit the guards of the key they used.
streamable http
Connect a client
Stateless POST /mcp for tenant agents, /api/admin/mcp for ops bots — JSON-RPC over HTTP.
1 · connect — point your agent at the MCP server, once
# Claude Code
claude mcp add --transport http backlex \
  https://acme.backlex.com/mcp \
  --header "Authorization: Bearer pak_8f2a…"
2 · ask — then just say what you want
you ▸Add a campaigns collection with name, budget, start_date and status — then seed 3 sample rows.
mcp ▸
schema.create_collection campaigns
collections.create campaigns ×3
ran through your permissions DSL · per-key allowlist + read-only guards apply

same wiring for Cursor, Claude Desktop, or any MCP client — one URL + a pak_… key · falls back to ANTHROPIC_API_KEY

capabilities

Everything a backend ships with, none of the lock-in.

No black box. The collection editor in the admin runs the same DDL your migrations would have. The permission DSL the admin writes is the same string your client sends as ?filter.

Dynamic schema
Define collections in the admin, each becomes a physical c_<slug> table. CREATE TABLE runs against your live DB, no redeploy.
drizzle · pg + sqlite/d1
Permissions DSL
JSON predicates that compile to Drizzle SQL fragments and match in-process for realtime. Same syntax in roles, REST ?filter, and GraphQL.
$user.id · _eq · _in · $or
REST + GraphQL
Every collection auto-exposes /api/items/:slug with filter/sort/expand/projection. GraphQL synthesised from the same metadata. Bulk + atomic writes on both.
openapi 3.1 · graphql-yoga
Realtime
SSE in Bun, Durable Object + WebSocket on Workers. Per-event permission filter means subscribers see only what their role can read.
sse · durable objects
Edge functions
JavaScript sandbox with a host bridge for ctx.db / fetch / email. Bun worker thread, QuickJS-WASM, or remote HTTP — auto-selected per runtime.
quickjs · bun worker · http
Storage + image transforms
Local FS in dev, R2 / S3 on edge. Image resize via Bun.Image, CF Image Resizing, or passthrough — same URL shape.
r2 · s3 · fs
Webhooks & Flows
HMAC-signed outbound webhooks per event, plus a visual flow builder for branching multi-step automations. Fire-and-forget — never blocks API responses.
items.* · auth.* · cron
AI Agents
Agents that reason over your data and call your tools in a persisted reason→act loop. Every tool call runs through your permissions DSL; optional per-thread vector memory.
threads · tools · memory
Auth, not yours to maintain
better-auth wrapper: email, OAuth, magic link, OTP, passkey, 2FA, SAML 2.0 SSO, LDAP / AD. Per-IP rate-limiting + account lockout built in.
better-auth · 2fa
Activity + revisions
One activity table, dot-namespaced actions (item.update, auth.login). Every CRUD writes a row to revisions — point-in-time restore included.
audit log · point-in-time
Unified messaging
Push (FCM, APNs, Web Push) and SMS (Twilio, Amazon SNS) from one API. Per-tenant credentials, device + phone registries, and templates — all built in.
fcm · apns · web-push · sms
Durable job queue
Background work that retries with exponential backoff, dead-letters after N tries, and runs on a schedule. Rides the cron tick — no Redis, no extra binding.
retry · dead-letter · runAt
Resumable uploads
TUS 1.0.0 chunked uploads survive dropped connections and resume from the committed offset. Native R2 / S3 multipart under the hood.
tus 1.0.0 · multipart
Draft & publish
First-class draft / published status: drafts hidden from readers without a publish permission, and scheduled publishing the cron tick applies when due.
_status · publishAt
Feature flags
Toggle features and ship remote config without a deploy. Per-workspace or global, with rollout-percentage and permission-DSL targeting, evaluated per caller.
rollout % · targeting
Offline-first sync
Keep a local copy that works offline: an incremental changefeed with delete tombstones, SSE live updates, and an offline write queue that flushes on reconnect.
changefeed · indexeddb · lww
integrations

Fan record events out to the tools you already run.

Connect a workspace from the admin and every data event flows to chat, alerting, analytics, search, and issue trackers. Scope by collection, secrets encrypted at rest — no glue code.

Slack Discord Microsoft Teams Telegram Datadog Sentry PagerDuty Opsgenie PostHog Segment GitHub Linear Jira Algolia Meilisearch
chat · alerting · analytics · search · issue tracking · plus HMAC-signed webhooks & visual flows
global edge

Your backend, where your users are.

Deploy to Cloudflare Workers and your API runs in 330+ cities on six continents. The request never crosses an ocean to find its origin — database reads, live subscriptions, and file fetches all happen at the city closest to the user.

live anycast routing · 330+ cities
San Jose SJC
12 ms
Ashburn IAD
9 ms
London LHR
8 ms
Frankfurt FRA
7 ms
Istanbul IST
11 ms
Singapore SIN
14 ms
Tokyo NRT
10 ms
Sydney SYD
16 ms
São Paulo GRU
15 ms
Johannesburg JNB
19 ms
01
Reads stay local
Database reads are served from the city closest to your users. Writes sync to the primary in the background, so a read never waits on another region.
02
Realtime, region-free
Each collection has its own live channel that pins to the nearest edge node. Clients stream updates over WebSocket or SSE — no round-trip to a central server.
03
Files at the edge
Uploads and downloads are served from edge storage with zero egress fees. Image resizing runs at the same location, so the payload never travels twice.
cloud · managed

Don't want to run it yourself? backlex Cloud hosts it for you.

Same Apache-2.0 codebase, same admin, same API — running on Cloudflare's Workers + D1 + R2. 30 seconds from signup to first deploy, 50ms first request, 330+ edge cities. One-click export if you ever want to bring it back home.

Start free — no card → See pricing private beta · 100K requests / mo on free
Multi-region routing
3 regions by default (IAD, FRA, IST). Up to 11 on Scale. Optional region pinning for data residency.
anycast · region pin
Auto backup + PITR
Daily snapshots, 7-day rollback (Pro), 30 days (Scale). One-click restore from the admin.
daily snapshot · versioned
Custom domain + edge SSL
Bring your own domain. Certificates rotate automatically. No add-on fee, no config.
api.acme.app · cname
Preview branches
Git push → ephemeral environment. Same admin, isolated DB and storage. Auto-cleanup on PR close.
preview-247.backlex.com
Usage panel + alerts
Requests, CPU, DB reads/writes, storage, bandwidth — live in dashboard. Email at 80% and 100%, no surprise bills.
slack · email · webhooks
Your exit is preserved
One-click full export — schema + data + storage. Same Apache-2.0 backlex, so your own server runs it in minutes.
sql + storage archive · 1-click
quickstart

Five minutes from clone to your first item.

Sign up the first user. They get admin. From there, define a collection in the admin and the API endpoint exists immediately — no redeploy, no codegen step, no schema versioning gymnastics.

Drop a column, the column is gone. Rename a collection, the API path moves with it.

Full getting-started → Permissions DSL
terminal

        
client sdks

Ship in any language. One API, eleven SDKs.

TypeScript is the reference client; native clients ship for ten more languages. Every one wraps the same REST + SSE surface — CRUD, a fluent query builder, auth, realtime, and storage.

TypeScript
fetch · browser + node
Python
httpx
Go
net/http · stdlib
Rust
serde_json · wasm-ready
Swift
URLSession · iOS
Dart
flutter · ios+android+web
Kotlin
jvm · android
Java
java.net.http
.NET
httpclient · zero deps
Ruby
net/http · stdlib
PHP
curl
Browse all SDKs →
Client SDKs docs Browse the source ↗ one canonical query grammar · idiomatic in each language · Rust core compiles to WebAssembly
why backlex

The trade-offs, in one table.

Other tools do parts of this. backlex's design choice is to keep every part under one source tree, behind one API, deployable to five targets — without forking.

Capability backlex Supabase Firebase Directus Roll-your-own
Self-host, Apache-2.0 licensed partial no
Runs on Cloudflare Workers no no no if you build it
Change schema at runtime migrations only schemaless depends
Adopt an existing database as-is no no limited depends
Declarative row & field permissions RLS Security Rules build it
Per-event realtime permission filter RLS-based rules-based no build it
Edge functions sandbox + host bridge Cloud Functions no build it
Visual flow builder no no build it
Client SDKs (official) 11 langs 4 5 JS / TS build it
Unified messaging (push + SMS) OTP only push only no build it
Durable job queue (retry + DLQ) pgmq Cloud Tasks no build it
Feature flags + remote config no Remote Config no build it
Offline-first sync PowerSync built-in no build it
SAML 2.0 + LDAP / AD enterprise enterprise enterprise build it
Full head-to-head: vs Supabasevs Firebasevs Directusvs Strapivs Appwritevs AWS Amplify

Self-host stays the default — most teams want to own their own DB credentials. backlex Cloud (managed, private beta) runs the same Apache-2.0 codebase on Cloudflare for teams who'd rather not, with one-click export so you can leave any time.

philosophy
“Everything an operator needs lives behind one URL. The schema editor writes the same DDL your migrations would have. The permission DSL the admin writes is the same string your client sends as a query parameter. There is no second layer to learn.”
— from docs/DESIGN.md

The backend ships with the docs. Start there.

Five-minute getting-started, the permission DSL spec, five deploy walkthroughs, and a sandbox guide. All in one place.

Open the docs → Start free on Cloud