
Stoma

Strongly typed, ultra-light, blazing fast -- runs on any JavaScript runtime.

Named after the tiny pores in plant leaves that regulate what passes through, Stoma gives you the same fine-grained control over your API traffic.

Stoma is a declarative API gateway you define in TypeScript and deploy with your standard workflow. Instead of maintaining a separate proxy service with YAML files or admin dashboards, you define routes, policies, and upstreams as typed objects in your codebase — version-controlled, PR-reviewed, and deployed through your existing pipeline.

  • Gateway as code. Your entire gateway configuration is TypeScript. Version it in Git, review changes in PRs, roll back with a standard deploy.
  • Type-safe from config to runtime. Routes, policies, and upstreams are all typed. Misconfigure a JWT policy? Your editor catches it before your users do.
  • Deploy anywhere. Cloudflare Workers, Node.js, Deno, Bun, Lambda@Edge — as part of your application or as a standalone service.
  • Batteries included. Built-in policies across auth, traffic control, resilience, and transformation — composable, priority-ordered, and individually tree-shakeable.

API gateways in the JavaScript ecosystem are often stuck between two suboptimal paths:

  1. Heavy Infrastructure: Kong, KrakenD, or AWS API Gateway. Powerful, but separate services configured with YAML, operating independently from your code. You lose type safety and pay for extra infrastructure.
  2. Legacy Libraries: Older libraries like Express Gateway are often unmaintained, locked to legacy frameworks, and not built for modern edge runtimes.

Stoma is the third option: a declarative gateway library that lives in your codebase and deploys with your standard workflow.

Gateway as Code

Configured with code, not YAML. Version your gateway in Git, review changes in PRs, and roll back instantly with your standard deployment pipeline.

Type-Safe Ergonomics

Full type safety from configuration to runtime. Your editor provides autocomplete for policies and upstreams, catching mistakes before your users do.

No Extra Infrastructure

No sidecars, no control planes, no admin UIs. Define your gateway in code and deploy it with your existing pipeline.

Multi-runtime

Runs on Cloudflare Workers, Node.js, Deno, Bun, Fastly, Lambda@Edge, and more — using standard Web APIs.


Stoma is built by developers, for developers. We believe your gateway should be as easy to maintain as your application code.

Git Versionable

No more “hidden” configuration in an Admin UI. Your routes and policies live in your repo, making it easy to see why a change was made.

Composable

Split large gateways into multiple modules. Use standard TypeScript patterns to share policies and route definitions across projects.

Local Development

Run your entire gateway locally with node, bun, wrangler dev, or any runtime. No need for complex Docker setups just to test a rate limit.

Type-Aware Pipelines

Built-in policies are fully typed. If a policy requires a specific configuration, TypeScript will tell you immediately.


  1. Install the library

    npm install @homegrower-club/stoma hono
  2. Define your configuration

    Create a GatewayConfig that describes your routes, policies, and upstreams.

    import { createGateway, jwtAuth, rateLimit, requestLog, cors, health } from "@homegrower-club/stoma";

    const gateway = createGateway({
      name: "my-api",
      basePath: "/api",
      policies: [requestLog(), cors()],
      routes: [
        health(), // Built-in health check
        {
          path: "/users/*",
          pipeline: {
            policies: [
              jwtAuth({ secret: "env:JWT_SECRET" }),
              rateLimit({ max: 100, windowSeconds: 60 }),
            ],
            upstream: {
              type: "url",
              target: "https://users-api.internal.example.com",
            },
          },
        },
      ],
    });

    export default gateway.app;
  3. Deploy anywhere

    Export as a module for Cloudflare Workers, or serve with Node.js, Deno, or Bun. The output is a standard Hono app.


I need to add auth/rate-limiting

Start with the Quick Start to see how policies like JWT auth and rate limiting work together.

I need a production-ready pattern

Browse Recipes for copy-paste solutions like webhook protection, caching, and shadow traffic.

I need a specific policy

Explore Policies by category: Auth, Traffic, Resilience, Transform.

I need to write a custom policy

Learn Policy Authoring to extend Stoma with your own middleware.


| Feature | Stoma | Kong | KrakenD | Express Gateway |
|---|---|---|---|---|
| Configuration | TypeScript (Type-safe) | YAML / Admin API | JSON | YAML / JSON |
| Execution | TypeScript Library | Separate Service | Separate Binary | Middleware |
| Language | TypeScript | Lua / Go | Go | JavaScript |
| Multi-runtime | Yes (Edge & Server) | No (Container) | No (Binary) | No (Node only) |
| Bundle size | Lightweight (Core) | 100MB+ Image | 80MB+ Binary | 50MB+ Modules |
| Status | Active | Active | Active | Unmaintained |



Batteries Included: Comprehensive Built-in Policies


Stoma ships with a comprehensive suite of policies, sorted into logical categories to handle every aspect of your API lifecycle.

Authentication

JWT, API Key, Basic Auth, OAuth2 Introspection, RBAC, JWS, and RFC 9421 HTTP Signatures.

Traffic Control

Rate Limiting, IP/Geo Filtering, Caching, SSL Enforcement, JSON Threat Protection, and Traffic Shadowing.

Resilience

Circuit Breakers, Retries, Timeouts, and Latency Injection for testing.

Transformation

CORS, Request/Response Rewriting, JSON Validation, and Content Assignment.


While Stoma is runtime-agnostic, it can leverage platform-specific features like Cloudflare Service Bindings for zero-latency communication between Workers.


    upstream: {
      type: "service-binding",
      service: "USERS_SERVICE",
    }

Declare the service binding in wrangler.jsonc for high-performance Worker-to-Worker routing.
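
A wrangler.jsonc fragment for the gateway Worker that declares the binding named in the upstream above, as an added example that is not taken from the Stoma documentation. The Worker names `my-api-gateway` and `users-api`, the entry path, and the compatibility date are assumptions; only `USERS_SERVICE` comes from the page.

```jsonc
{
  // Gateway Worker (assumed name and entry point)
  "name": "my-api-gateway",
  "main": "src/index.ts",
  "compatibility_date": "2024-01-01", // assumed; use your project's date

  "services": [
    {
      // Must match the `service` value in the gateway's upstream config
      "binding": "USERS_SERVICE",
      // Name of the target Worker as deployed (assumed)
      "service": "users-api"
    }
  ]
}
```

Because the call goes through the binding rather than a public hostname, the `users-api` Worker can be deployed without a public route, so the gateway's auth and rate-limit policies cannot be bypassed by calling the upstream directly.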


Policy Reference

Explore the full list of built-in policies. Browse Policies

Architecture

Understand the request lifecycle and core concepts. How it works

Recipes

Production-ready patterns and copy-paste examples. View Recipes