Instant REST API for any database

GopServer is a universal REST API server supporting PostgreSQL, MySQL, SQLite, MSSQL and Oracle. Once configured, it automatically exposes full CRUD operations for every table — no extra code, no recompilation required.

Configure your database, define your tables in a JSON file, start the server. Your API is ready.

JWT authentication, advanced filtering, pagination, CORS — everything included from day one.

Documentation
# conf/app.conf
db_type = postgres
db_server = localhost
db_port = 5432
httpport = 8080
jwt_secret = strong_random_key
runmode = prod
# Start the server
./gopserver
✓ Running on port 8080
# Health check
GET /health
{ "success": true,
 "status": "OK",
 "db": "OK" }
# JWT Login
POST /api/v1/auth/login
{ "email": "viorel.grafu@idealogic.ro",
 "password": "pass" }
# Response
{ "token": "eyJ..." }
# Auto CRUD + filters
GET /api/v1/products?
 category=Electronics
 &price__lte=500
 &sortby=price&limit=20
Authorization: Bearer TOKEN
PostgreSQL
MySQL · SQLite
MSSQL · Oracle

About GopServer

GopServer is a universal REST API server supporting multiple relational database engines. Once configured, it automatically exposes complete CRUD operations for any table — without writing a single line of extra code or recompiling the application.

Why we built GopServer

Every backend project starts with the same repetitive work: CRUD endpoints, authentication, filtering, pagination. GopServer eliminates all that boilerplate — configure it once, start the server, and your API is ready.

Need to add a new table? Edit a JSON file and restart. Switching from PostgreSQL to MySQL? Change a single parameter in the config. No recompilation, no new code.

Perfect for rapid prototyping, internal tools, server-to-server integrations, or as a backend for mobile apps and SPAs.

The binary is fully static — no runtime dependencies needed. Drop it on a server and it runs on Windows, Linux or macOS.

PostgreSQL · MySQL · SQLite · MSSQL · Oracle
Automatic full CRUD for every table
JWT auth + session cookie + static token
Advanced filtering with 14 operators
Windows, Linux, macOS — static binary
JSON config files — no recompilation needed

Powerful Features

GopServer comes with everything you need for a solid REST API backend: multi-database support, complete authentication, advanced filtering, built-in security and straightforward JSON-based configuration.

🆕
New in v1.3 — Per-table operation control

Each table in tables.json now supports three new flags: allow_post, allow_put and allow_delete. Set them to 1 to enable write operations, 0 to block them (HTTP 403). All three default to 0 if omitted — GET is always allowed. This gives you fine-grained, per-table control over who can create, update or delete records without any extra code.

Multi-Database Support

Switch your database with a single config parameter

GopServer natively supports the most popular relational database engines. Switching between them requires only a config file change — no code changes whatsoever:

  • PostgreSQL (v12+) — default port 5432
  • MySQL / MariaDB (5.7+ / 10.3+) — default port 3306
  • SQLite — local file, no separate server, auto-created if missing
  • Microsoft SQL Server (2012+) — default port 1433
  • Oracle Database (12c R2+) — default port 1521, db_name = service name

All drivers are bundled in the static binary. Nothing extra to install on the server.

Automatic CRUD for Every Table

A complete API with zero lines of code

Define your tables in a JSON file and the server automatically exposes all required operations:

  • GET /api/v1/{table} — paginated list (up to 100 per page) — always enabled
  • GET /api/v1/{table}/{id} — single record by primary key — always enabled
  • POST /api/v1/{table} — create a new record — requires allow_post: 1
  • PUT /api/v1/{table}/{id} — partial update — requires allow_put: 1
  • DELETE /api/v1/{table}/{id} — delete a record — requires allow_delete: 1

Write operations are disabled by default (HTTP 403). Enable only what each table needs. Adding a new table: edit tables.json, restart. Done.

Complete Authentication

JWT, session cookie and static token

GopServer supports three authentication methods, all configurable from app.conf:

  • JWT (Bearer token) — recommended for mobile apps and SPAs; token valid for 24 hours
  • Session cookie — for browser-based web apps; session lasts 3600 seconds by default
  • Static token — never expires, ideal for server-to-server integrations; set via api_token in app.conf

Passwords are verified via SHA-512 with salt. The auth table, identifier columns and password column are fully configurable.

Use any existing table in your database as the user source — no special schema required.

Filtering, Sorting & Pagination

14 filter operators directly in the URL

All parameters are passed as query strings and can be freely combined:

  • Pagination: ?limit=20&page=3 — default 10/page, max 100
  • Sorting: ?sortby=price&order=desc
  • Exact filter: ?category=Electronics
  • Operators: gt, gte, lt, lte, contains, icontains, startswith, endswith, isnull and more
  • Distinct values: ?distinct=category — great for populating dropdowns

Example: /api/v1/products?category=Electronics&price__lte=500&sortby=price&order=asc&limit=20&page=1

Built-in Security

Hidden fields, locked fields, per-table operation control

Control exactly what each column and each table can do via tables.json:

  • hidden — excluded from GET + blocked at POST (e.g. password, salt)
  • locked — cannot be changed via PUT (e.g. created_at, unique_code)
  • hidden + locked — completely invisible and impossible to set via API
  • allow_post / allow_put / allow_delete — set to 1 to enable, 0 to block. If omitted, defaults to 0 (blocked). Blocked operations return HTTP 403
  • Tables not listed in tables.json are completely inaccessible
  • Filters and sorts are validated against the allowed column list — SQL injection impossible through these mechanisms

The primary key cannot be changed via PUT or set via POST. GET is always allowed for any table listed in tables.json.

Raw SQL for Complex Queries

JOINs, aggregations, subqueries — when you need more power

When standard filters aren't enough, enable the raw SQL endpoint in app.conf (allow_raw_query = true):

  • JOINs across tables — e.g. orders with customer data
  • Aggregations: COUNT, SUM, AVG, GROUP BY, HAVING
  • IN() filtering — multiple values for the same column
  • Subqueries and complex SQL expressions
  • Auto-enforced restrictions: SELECT only, semicolons forbidden, authentication always required

Recommended for dev environments or trusted internal users only. Keep allow_raw_query = false in production.

Setup Guide

Everything you need to get GopServer up and running. Follow the steps in order — from installation to your first authenticated API call.

File Structure

GopServer requires a minimal folder structure. All files in conf/ are plain text editable with any editor. The logs/ directory is created automatically on first start.

gopserver.exe  (or ./gopserver on Linux)
conf/
  ├── app.conf  — main configuration
  ├── tables.json  — tables exposed via API
  └── messages.json  — API messages / i18n
logs/app.log  (auto-created)
Important: Any change to files in conf/ requires a server restart to take effect.

Configuring app.conf

The main configuration file. Two environment sections: [dev] and [prod]. The server uses the section indicated by the runmode value.

# General
runmode = prod       # dev | prod
httpport = 8080
language = EN
# Database
db_type = postgres  # postgres|mysql|sqlite|mssql|oracle
db_server = localhost
db_port = 5432
db_user = app_user
db_password = strong_password
db_name = my_database
# JWT — MUST be changed!
jwt_secret = random_key_min_32_chars
# Authentication
auth_table = users
auth_columns = email;phone
auth_pass_column = password
auth_salt_column = salt
Security: Generate a strong jwt_secret: openssl rand -hex 32

Configuring tables.json

Define which tables are accessible via the API, how each column behaves, and which write operations are permitted. Add one block per table. Changes require a restart.

{ "users": { "pk": "id_", "columns": ["id_","name","email", "password","salt","active"], "hidden": ["password","salt"], "locked": ["password","salt","created_at"], "allow_post": 1, "allow_put": 1, "allow_delete": 0 }, "products": { "pk": "id_", "columns": ["id_","sku","name", "category","price","stock"], "hidden": [], "locked": [], "allow_post": 1, "allow_put": 1, "allow_delete": 1 } }
hidden = excluded from GET + blocked at POST  |  locked = blocked at PUT  |  allow_post / allow_put / allow_delete = 1 to enable, 0 to block (HTTP 403). Default: 0 if omitted. GET is always allowed.

Authentication & First API Call

User passwords must be stored as SHA-512 with salt in the database. After login you receive a JWT token valid for 24 hours, which you attach to every request.

# Hash password (PostgreSQL example)
encode(digest('pass'||'salt','sha512'),'hex')
# Login
POST /api/v1/auth/login
{"email":"viorel.grafu@idealogic.ro",
"password":"pass"}
# Response
{"success":true,"token":"eyJ..."}
# Authenticated request
GET /api/v1/products
Authorization: Bearer eyJ...
Check server status anytime: GET /health — no authentication required.

License Activation

Without a license the server runs in demo mode: GET limited to 3 records, POST / PUT / DELETE disabled. Activation takes 5 simple steps.

Step 1 — Get your server's HWID:
curl -X POST http://localhost:8080/activate
→ {"hwid": "a3f7c2d1e8b5..."}
Step 2 — Send HWID to the vendor
viorel.grafu@idealogic.ro or WhatsApp
Step 3 — Receive your license key
Step 4 — Add to app.conf:
license_key = your_received_key
Step 5 — Restart + check logs/app.log
→ "License validated successfully."
Note: The license is hardware-bound — valid only on the machine for which the HWID was generated.

Running as a System Service

GopServer can run as a system service to start automatically on boot and restart on failure.

Windows (NSSM — nssm.cc):
nssm install GopServer C:\path\gopserver.exe
nssm start GopServer
Linux (systemd):
[Service]
WorkingDirectory=/opt/gopserver
ExecStart=/opt/gopserver/gopserver
Restart=on-failure
sudo systemctl enable gopserver
sudo systemctl start gopserver
Stop the server:
Windows: taskkill /F /IM gopserver.exe
Linux:   systemctl stop gopserver
There is no hot-reload. Any change to conf/ requires a stop + restart.

 Quick Setup Checklist

1. Edit conf/app.conf
db_type, db_server, db_port, db_user, db_password, db_name, jwt_secret, auth_table, auth_columns, license_key, runmode=prod
2. Edit conf/tables.json
Add all tables, set pk, columns, hidden and locked for each one. Set allow_post / allow_put / allow_delete (1 = enabled, 0 = blocked — default 0 if omitted)
3. Prepare the auth table
Passwords must be stored as SHA-512 with salt in the database
4. Start the server and check /health
Expected: {"success": true, "status": "Server functional"}
5. Test login
POST /api/v1/auth/login with your email and password
6. Test your first authenticated GET
GET /api/v1/{your_table} with header Authorization: Bearer TOKEN

 Practical Examples (curl)

Login & get token

curl -X POST http://localhost:8080/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"viorel.grafu@idealogic.ro","password":"pass"}'

GET with filters & pagination

curl "localhost:8080/api/v1/products?
  category=Electronics&price__lte=500
  &sortby=price&order=asc&limit=20" \
  -H "Authorization: Bearer TOKEN"

POST — create a record

curl -X POST localhost:8080/api/v1/products \
  -H "Authorization: Bearer TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"sku":"EL-001","name":"55 TV",
     "category":"Electronics","price":1999}'

PUT — partial update

curl -X PUT localhost:8080/api/v1/products/43 \
  -H "Authorization: Bearer TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"price":1799.99,"stock":8}'

DELETE & health check

# Delete a record
curl -X DELETE localhost:8080/api/v1/products/43 \
  -H "Authorization: Bearer TOKEN"

# Health check (no auth needed)
curl http://localhost:8080/health

Raw SQL — complex queries

# Requires allow_raw_query=true in app.conf
curl -G localhost:8080/api/v1/raw \
  -H "Authorization: Bearer TOKEN" \
  --data-urlencode "q=SELECT o.id, o.total,
   u.name FROM orders o
   JOIN users u ON u.id_=o.user_id
   WHERE o.status='delivered'"

Lifetime Pricing

GopServer operates in two modes: demo (free, with restrictions) and fully activated (hardware-bound lifetime license). No monthly subscription — pay once, use forever.

Free

€0

Demo mode — no license required

  • GET functional — max 3 records returned
  • GET /table/{id} works normally
  • Health check (/health)
  • Activation endpoint (/activate)
  • POST disabled (HTTP 403)
  • PUT disabled (HTTP 403)
  • DELETE disabled (HTTP 403)
  • Full pagination disabled
  • Responses include license_warning + HWID
Recommended

Activated

€300

Lifetime license — hardware-bound

  • Full CRUD — POST, PUT, DELETE enabled
  • GET with full pagination (up to 100/page)
  • All supported databases
  • JWT auth + session cookie + static token
  • Advanced filtering with 14 operators
  • Raw SQL endpoint (configurable)
  • No license warnings in responses
  • Lifetime license — no subscription
  • Email support included

 Hardware-bound license — valid on the machine (physical or virtual) for which the HWID was generated. Moving to a new server? Contact us for a reissue.

Our Team

Our team is made up of experienced software developers and data professionals passionate about creating efficient, developer-friendly backend tools. We focus on delivering powerful, practical solutions that help companies ship faster and manage their data with confidence. With a strong background in SQL, enterprise systems and API design, we turn complexity into simplicity.

Viorel Grafu

Viorel Grafu

Founder & CEO

Costi Antonoiu

Costi Antonoiu

Senior Programmer

Andrei Dolcescu

Andrei Dolcescu

Data Scientist

Ariana Grafu

Ariana Grafu

Marketing Specialist

Contact

Have questions or need support? We're here to help. Reach out via email or WhatsApp — whether you're evaluating the demo or running a licensed instance, our team is ready to assist you every step of the way.

Address

Bratia din Vale, Valcea
str. Principala, 190
240247, Romania

Ramnicu Valcea
aleea Ionel Geanta, nr 2
Valcea, Romania