Gateway as Code
Configured with code, not YAML. Version your gateway in Git, review changes in PRs, and rollback instantly with your standard deployment pipeline.
Stoma
The API Gateway for the TypeScript Era.
Declarative API gateway as a TypeScript library. Runs anywhere Hono runs — Cloudflare Workers, Node.js, Deno, Bun, and more.
Why Stoma?
Section titled “Why Stoma?”API gateways in the JavaScript ecosystem are often stuck between two suboptimal paths:
- Heavy Infrastructure: Kong, KrakenD, or AWS API Gateway. Powerful, but separate services configured with YAML, operating independently from your code. You lose type safety and pay for extra infrastructure.
- Legacy Libraries: Older libraries like Express Gateway are often unmaintained, locked to legacy frameworks, and not built for modern edge runtimes.
Stoma is the third option: an embeddable gateway library that lives inside your application.
Type-Safe Ergonomics
Full type safety from configuration to runtime. Your editor provides autocomplete for policies and upstreams, catching mistakes before your users do.
Zero Infrastructure
Leverages Hono’s ultrafast router (~12KB, zero dependencies). No extra servers to manage, no extra latency.
Multi-runtime
Runs on any runtime Hono supports: Cloudflare Workers, Node.js, Deno, Bun, Fastly, Lambda@Edge, Vercel, and more.
Developer Experience First
Section titled “Developer Experience First”Stoma is built by developers, for developers. We believe your gateway should be as easy to maintain as your application code.
Git Versionable
No more “hidden” configuration in an Admin UI. Your routes and policies live in your repo, making it easy to see why a change was made.
Composable
Split large gateways into multiple modules. Use standard TypeScript patterns to share policies and route definitions across projects.
Local Development
Run your entire gateway locally with wrangler dev or node. No need for complex Docker setups just to test a rate limit.
Type-Aware Pipelines
Built-in policies are fully typed. If a policy requires a specific configuration, TypeScript will tell you immediately.
Build a Gateway in Seconds
Section titled “Build a Gateway in Seconds”-
Install the library
Terminal window npm install @homegrower-club/stoma hono -
Define your configuration Create a
GatewayConfigthat describes your routes, policies, and upstreams.import { createGateway, jwtAuth, rateLimit, requestLog, cors, health } from "@homegrower-club/stoma";const gateway = createGateway({name: "my-api",basePath: "/api",policies: [requestLog(), cors()],routes: [health(), // Built-in health check{path: "/users/*",pipeline: {policies: [jwtAuth({ secret: "env:JWT_SECRET" }),rateLimit({ max: 100, windowSeconds: 60 }),],upstream: {type: "url",target: "https://users-api.internal.example.com",},},},],});export default gateway.app; -
Deploy anywhere Stoma compiles your config into a standard Hono app. Export it as a module for Cloudflare Workers, or serve it with Deno, Bun, or Node.js.
Comparison
Section titled “Comparison”| Feature | Stoma | Kong | KrakenD | Express Gateway |
|---|---|---|---|---|
| Configuration | TypeScript (Type-safe) | YAML / Admin API | JSON | YAML / JSON |
| Execution | Embedded Library | Separate Service | Separate Binary | Middleware |
| Language | TypeScript | Lua / Go | Go | JavaScript |
| Multi-runtime | Yes (Edge & Server) | No (Container) | No (Binary) | No (Node only) |
| Bundle size | Lightweight (Core) | 100MB+ Image | 80MB+ Binary | 50MB+ Modules |
| Status | Active | Active | Active | Unmaintained |
Batteries Included: Comprehensive Built-in Policies
Section titled “Batteries Included: Comprehensive Built-in Policies”Stoma ships with a comprehensive suite of policies, sorted into logical categories to handle every aspect of your API lifecycle.
Authentication
JWT, API Key, Basic Auth, OAuth2 Introspection, RBAC, JWS, and RFC 9421 HTTP Signatures.
Traffic Control
Rate Limiting, IP/Geo Filtering, Caching, SSL Enforcement, JSON Threat Protection, and Traffic Shadowing.
Resilience
Circuit Breakers, Retries, Timeouts, and Latency Injection for testing.
Transformation
CORS, Request/Response Rewriting, JSON Validation, and Content Assignment.
Platform-Specific Power
Section titled “Platform-Specific Power”While Stoma is runtime-agnostic, it can leverage platform-specific features like Cloudflare Service Bindings for zero-latency communication between Workers.
upstream: { type: "service-binding", service: "USERS_SERVICE",}Declare in wrangler.toml for high-performance Worker-to-Worker routing.
upstream: { type: "url", target: "https://api.example.com",}Works on any runtime (Node.js, Deno, Bun) using standard fetch.
Next Steps
Section titled “Next Steps”Quick Start
Build your first gateway in 5 minutes. Go to Quick Start
Policy Reference
Explore the full list of built-in policies. Browse Policies
Architecture
Understand the request lifecycle and core concepts. How it works
Recipes
Production-ready patterns and copy-paste examples. View Recipes