HomeDocumentation

Documentation

Beta

Developer Documentation

Backport is an open-source API gateway that adds WAF, rate limiting, caching & idempotency to any backend. Sign up, set your target URL, and start proxying — no code changes needed.

Getting Started

Quickstart Guide

1Create a free account
2Verify your email
3Go to Dashboard → Settings → Set your target backend URL
4Copy your API key from Dashboard → API Keys
5Start sending requests through the proxy

Get Started View Source

How It Works

Request Flow

Every request passes through the gateway pipeline before reaching your backend.

AuthValidate API key

WAFScan for threats

Rate LimitEnforce quotas

CacheServe from memory

ProxyForward to backend

Overview

Gateway Features

WAF Rules

Regex patterns

Core Modules

WAF, Rate, Cache, Idem

Attack Types

SQLi, XSS, Path, CMD, LDAP, XXE

Cache TTL

5 min

Default for GET requests

Authentication & API Keys

Every request through the Backport gateway must include a valid API key in the X-API-Key header. Keys are automatically created when you sign up and can be managed from the Dashboard.

How to get your API key

1.Sign up at backport-io.vercel.app/auth/signup
2.Verify your email (a 6-digit OTP is sent to your inbox)
3.After verification, your API key is returned automatically. You can also find it in Dashboard → API Keys.

Using your API key

# GET request through the gateway
curl -X GET https://backport-io.onrender.com/proxy/users \
  -H "X-API-Key: bk_your_key_here"

# POST request with idempotency (e.g. payments)
curl -X POST https://backport-io.onrender.com/proxy/checkout \
  -H "X-API-Key: bk_your_key_here" \
  -H "Idempotency-Key: txn_unique_12345" \
  -H "Content-Type: application/json" \
  -d '{"amount": 5000}'

Note: The /proxy/ prefix routes traffic through the gateway. The path after /proxy/ is forwarded to your configured target backend URL.

API Key limits by plan

PlanMax API Keys

Free1

Plus3

ProUnlimited

Proxy Endpoint

All traffic flows through a single proxy endpoint. The gateway authenticates your request, applies WAF rules, checks rate limits, serves from cache if available, and forwards to your configured backend.

Base URL

https://backport-io.onrender.com/proxy/{path}

Supports all HTTP methods: GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD

Request Headers

HeaderRequiredDescription

X-API-KeyYesYour Backport API key (starts with bk_)

Content-TypeNoStandard content type for POST/PUT requests

Idempotency-KeyNoUnique key to prevent duplicate POST/PUT/PATCH requests

Response Codes

CodeMeaning

200 OKRequest passed through gateway successfully

304 Not ModifiedResponse served from LRU cache (if caching is enabled)

401 UnauthorizedInvalid or missing API key

403 ForbiddenWAF blocked a malicious payload

429 Too Many RequestsRate limit exceeded for your plan

Response Headers

Backport adds the following headers to every proxied response, so you can monitor gateway behavior in your application.

HeaderDescription

X-Backport-CacheHIT or MISS — whether the response was served from cache

X-Backport-IdempotentREPLAY — if the idempotency key was already processed

X-Backport-LatencyTotal gateway processing time in milliseconds

WAF Security

Backport includes a Web Application Firewall (WAF) with 17 pre-compiled regex patterns that inspect every request at the gateway level before it reaches your backend. WAF can be toggled on/off from your dashboard settings. By default, WAF is OFF.Enable it when you're ready.

SQL Injection

5 patterns — UNION SELECT, DROP TABLE, OR 1=1, xp_cmdshell, sp_executesql

XSS Attacks

4 patterns — <script> tags, onerror handlers, javascript: URIs, <iframe>/<embed>

Path Traversal

2 patterns — ../ directory escapes, /etc/passwd, /proc/self access

Command Injection

3 patterns — shell metacharacters, subshell execution, backtick injection

LDAP Injection

1 pattern — detects LDAP filter manipulation syntax

XML/XXE

1 pattern — blocks <!DOCTYPE SYSTEM and <!ENTITY declarations

Important: The WAF uses regex-based pattern matching. While it covers common attack vectors, always validate and sanitize inputs at your application layer as defense-in-depth. WAF is a first line of defense, not a replacement for secure coding practices.

Rate Limiting

Backport applies a sliding-window rate limiter to protect your backend from traffic spikes and abuse. Rate limiting is enabled by default. When the limit is exceeded, requests get an HTTP 429 response and your backend is never hit.

Rate limits by plan

PlanRequests / minWindow

Free6060s sliding

Plus30060s sliding

Pro1,00060s sliding

How it works: Rate limits are tracked in-memory using a sliding window algorithm. Each request timestamp is stored per user. Timestamps older than 60 seconds are pruned. If the count exceeds your plan limit, the request is immediately rejected with HTTP 429.

LRU Caching

Heavy GET endpoints like analytics, reports, or lists often hit your database on every request. If you enable caching in your dashboard settings, Backport intercepts GET responses with status 200 and stores them in an in-memory LRU cache. By default, caching is OFF. Enable it from settings.

Only GET requests with 200 status are cached
Default TTL: 5 minutes — expired entries are evicted automatically
Maximum 1,000 cached entries — oldest entries are evicted when the limit is reached
Cached responses return with X-Backport-Cache: HIT header
Subsequent cache hits are served in under 2ms without touching your backend

Note: Cache is stored in-memory and resets on server restart. This is suitable for reducing repeated database queries for frequently accessed read endpoints.

Idempotency Keys

Duplicate POST requests are a common problem — especially for payments, orders, and form submissions. When a user loses connection and retries, your backend might process the same action twice. Backport solves this by storing the first response and replaying it for duplicate keys. Idempotency is enabled by default.

# First request — processed normally and cached
curl -X POST https://backport-io.onrender.com/proxy/checkout \
  -H "X-API-Key: bk_your_key" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: txn_88910" \
  -d '{"amount": 5000, "currency": "INR"}'

# Retry with same Idempotency-Key — returns original response
# without hitting your backend
curl -X POST https://backport-io.onrender.com/proxy/checkout \
  -H "X-API-Key: bk_your_key" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: txn_88910" \
  -d '{"amount": 5000, "currency": "INR"}

Works with POST, PUT, and PATCH methods
Triggered by the Idempotency-Key request header
Maximum 5,000 stored idempotency results per server
Duplicate requests return with X-Backport-Idempotent: REPLAY header

Dashboard API

The dashboard uses JWT-based authentication. After login, a token is returned that you can use to access your account data programmatically. All dashboard endpoints require an Authorization: Bearer <token> header.

Common Dashboard Endpoints

GET/api/user/meYour profile, API keys, and analytics summary

GET/api/user/keysList all your API keys

POST/api/user/keysCreate a new API key (body: {name})

DELETE/api/user/keys/{key_id}Delete an API key (cannot delete last one)

GET/api/user/settingsGet current gateway settings

PUT/api/user/settingsUpdate settings (target URL, toggles)

GET/api/user/logsLast 20 proxy request logs

GET/api/user/traffic15-minute traffic chart data

GET/api/user/analytics/statsFull analytics dashboard data

GET/api/billing/planCurrent plan details

# Login to get JWT token
curl -X POST https://backport-io.onrender.com/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "you@example.com", "password": "your_password"}'

# Use the token to access dashboard API
curl -X GET https://backport-io.onrender.com/api/user/me \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."