
Why We Built Backport: An Open-Source API Gateway for Developers

Sohail Qureshi
April 10, 2026

When I started building APIs, I quickly realized that securing them was harder than building them. Cloudflare was too generic. Kong was too complex. AWS API Gateway had a pricing model that scared indie developers. So I built Backport.

The Problem We Faced

Every API I deployed faced the same problems: bots hammering endpoints, SQL injection attempts in query params, no visibility into who was calling my API, and no way to rate limit abusive clients. The existing solutions were either too expensive, too complex, or too generic.

Cloudflare is great for websites, but it sits in front of your entire domain. It cannot transform API responses, mock endpoints for frontend development, or give you per-endpoint analytics. Kong requires Kubernetes and a dedicated DevOps engineer. AWS API Gateway charges per request and the free tier is laughable for production use.

What Backport Does Differently

Backport is an HTTP reverse proxy purpose-built for APIs. It sits between your clients and your backend. You change one URL in your client code, add an API key header, and suddenly your API has enterprise-grade protection. Here is what it does out of the box:

Protection

  • WAF with 17 security patterns
  • Plan-based rate limiting
  • SSRF protection
  • Custom WAF rules (regex)

Optimization

  • LRU response caching
  • Idempotency keys
  • Response transformation
  • API mocking

Observability

  • Real-time analytics
  • Request logging + export
  • Health monitoring
  • Webhook notifications

Developer Experience

  • 30-second setup
  • Dashboard UI
  • CLI tool
  • Team management
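
The Protection list above names SSRF protection. For a reverse proxy that forwards to a backend URL, that means vetting the target before any connection is made. This is an added example, not Backport's code: `check_upstream`, `is_public` and `resolve_host` are hypothetical names, and it assumes the backend URL is supplied by the account owner.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_public(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def resolve_host(host: str, port: int) -> list[str]:
    """Default resolver: every A/AAAA answer for the host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_upstream(url: str, resolve=resolve_host) -> tuple[bool, str, list[str]]:
    """Return (allowed, reason, vetted_ips) for a backend URL (assumed tenant-supplied)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    if parts.username or parts.password:
        return False, "credentials in URL", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port", []
    try:
        ips = resolve(host, port)
    except OSError:
        return False, "resolution failed", []
    if not ips:
        return False, "no addresses", []
    # Reject if ANY answer is non-public: one internal record is enough to be routed inward.
    bad = [ip for ip in ips if not is_public(ip)]
    if bad:
        return False, f"non-public address {bad[0]}", []
    # The proxy should connect to one of these vetted IPs rather than re-resolve the name.
    return True, "ok", ips
```

The check only holds if the outbound client connects to the returned addresses and does not follow redirects to unvetted hosts.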

Why Open Source

API security should not be locked behind enterprise paywalls. Every developer, whether building a side project or a production API, deserves protection from SQL injection, XSS, and abusive clients. By making Backport open source (MIT license), we ensure that the core security engine is transparent, auditable, and free for everyone.

The hosted version on Vercel + Render provides the dashboard, analytics, and team features for developers who want a managed experience. But the core proxy engine, WAF patterns, and rate limiting logic are all open source and self-hostable.

The Tech Stack

We chose each technology for a specific reason. Python FastAPI for the proxy engine because it handles async HTTP proxying with minimal overhead. Next.js for the dashboard because it provides the best developer experience for building React interfaces. SQLAlchemy for database models because it works with both SQLite (development) and PostgreSQL (production).

Frontend:  Next.js 16 + React 19 + TypeScript + Tailwind CSS
Backend:   Python 3.12 + FastAPI + SQLAlchemy
Database:  PostgreSQL (production) / SQLite (development)
Cache:     Redis (Upstash) with in-memory fallback
Proxy:     httpx async client with connection pooling
Deploy:    Vercel (frontend) + Render (backend)

What is Next

We are just getting started. The roadmap includes automatic log retention policies, real-time alerting via Slack and Discord, custom domain support, and an API marketplace where developers can share their WAF rules and response transformation templates.

If you are building an API and want protection without the complexity, give Backport a try. The free plan includes every feature for 3 months, no credit card required. And if you are a developer who wants to contribute, the code is on GitHub under the MIT license. We welcome pull requests, bug reports, and feature suggestions.

Get Started in 30 Seconds

Sign up, generate an API key, and point your traffic through Backport. No code changes to your backend.

Sohail Qureshi

Founder & Developer at Backport