ultimo 0.5.0

Ultimo is a modern Rust web framework built on Hyper + Tokio: secure-by-default, fast, and type-safe end to end — with automatic TypeScript client generation from your Rust API. REST and JSON-RPC live in one app, and the framework is 100% safe Rust (#![forbid(unsafe_code)]).

Why Ultimo

🚀 Automatic TypeScript clients — define your API in Rust, get a fully typed TS client generated for you.
🔄 REST + JSON-RPC in one app — plain HTTP routes and RPC procedures side by side.
🔌 WebSockets — RFC 6455 with a built-in pub/sub system (zero extra deps).
🔐 Auth, built in — JWT and API-key middleware plus scope-based authorization guards.
🛡️ Secure by default — 100% safe Rust, secure sessions/cookies, CSRF, security-headers middleware, request body-size limits, and supply-chain CI.
⚡ Fast — native Rust on the Hyper + Tokio core, O(1) constant-time routing, benchmarks regression-guarded in CI (details).
🗄️ Databases — first-class SQLx and Diesel integration (PostgreSQL / MySQL / SQLite).
🧪 Testing utilities — in-process TestClient, response assertions, and fixtures.

Quick start

[dependencies]
ultimo = "0.5"
tokio = { version = "1", features = ["full"] }
serde = { version = "1", features = ["derive"] }

use ultimo::prelude::*;

#[derive(Serialize, Deserialize)]
struct User {
    id: u32,
    name: String,
}

#[tokio::main]
async fn main() -> ultimo::Result<()> {
    let mut app = Ultimo::new();

    app.get("/users/:id", |ctx: Context| async move {
        let id: u32 = ctx
            .req
            .param("id")?
            .parse()
            .map_err(|_| UltimoError::BadRequest("invalid id".into()))?;
        ctx.json(User { id, name: format!("User {id}") }).await
    });

    println!("→ http://127.0.0.1:3000");
    app.listen("127.0.0.1:3000").await
}

MSRV: Rust 1.86. Everything beyond the core is opt-in via Cargo features (see below).

Type-safe clients

Ultimo's headline feature: define an API once in Rust and generate a typed TypeScript client — no hand-written types, no drift.

# Generate a TypeScript client from your RPC definitions
cargo run -p ultimo-cli -- generate --project ./backend --output ./client

// Generated, fully typed — autocomplete + compile-time checks
const user = await client.getUser({ id: 1 });
console.log(user.name);

See TypeScript Clients for the full workflow.

Feature flags

Everything is opt-in (default = []):

Feature	What it enables
`websocket`	RFC 6455 WebSocket support + pub/sub
`session`	Cookie-based session management
`jwt`	JWT authentication middleware (HS256)
`api-key`	API-key authentication with a pluggable store
`csrf`	CSRF protection (double-submit cookie)
`static-files`	Static file serving + SPA fallback (`serve_static`, `serve_spa`)
`compression`	Automatic gzip/brotli response compression (pure Rust, no C deps)
`client-gen`	Derive RPC client TypeScript types from Rust types (via `ts-rs`)
`testing`	In-process `TestClient`, assertions, fixtures
`test-helpers`	WebSocket test helpers (for integration tests)
`sqlx-postgres` · `sqlx-mysql` · `sqlx-sqlite`	SQLx integration per backend
`diesel-postgres` · `diesel-mysql` · `diesel-sqlite`	Diesel integration per backend

ultimo = { version = "0.5", features = ["websocket", "jwt", "sqlx-postgres"] }

CLI

cargo install ultimo-cli   # installs the `ultimo` binary

ultimo new my-app --template fullstack                 # scaffold a new project
ultimo generate --project ./backend --output ./client  # generate the TypeScript client

ultimo dev and ultimo build are not implemented yet — use cargo run and cargo build --release for now. See the roadmap.

Documentation

Full guides at docs.ultimo.dev — getting started, routing, middleware, RPC + TypeScript clients, OpenAPI, sessions, authentication, WebSockets, database integration, testing, and performance.

Examples

Runnable examples live in examples/ — including session-auth and jwt-auth full-stack demos. Run one with:

cargo run -p jwt-auth-example

Contributing

Issues and PRs welcome. See CONTRIBUTING.md and the roadmap. Security policy: SECURITY.md.