// the find
Tencent/APIJSON
🏆 Real-Time no-code, powerful and secure ORM 🚀 providing APIs and Docs without coding by Backend, and Frontend(Client) can customize response JSONs 🏆 实时 零代码、全功能、强安全 ORM 库 🚀 后端接口和文档零代码,前端(客户端) 定制返回 JSON 的数据和结构
APIJSON lets frontend clients define their own query structure in JSON and sends it to a Java backend that parses it, builds SQL, and returns exactly what was asked for — no per-endpoint backend code needed. It's GraphQL's idea implemented as a JSON protocol over REST, aimed at teams where backend developers are the bottleneck. Primarily used in China, with a large ecosystem of community ports to Go, C#, Node, Python, and Rust.
The core idea genuinely works: one endpoint handles arbitrary nested queries, joins, filtering, and pagination without writing controller code. The access control model (the `Request` table in the DB defines what each role can do per table/method) is more auditable than scattered `@PreAuthorize` annotations. Database support is unusually broad — MySQL, Postgres, ClickHouse, ES, Redis, Kafka, and a dozen more are all first-class. The automatic API doc generation from the schema saves real time for teams that hate writing OpenAPI specs.
Giving clients freeform query construction is a footgun at scale — N+1 queries, full-table scans, and query depth explosions are easy to trigger if the access config is permissive, and the docs don't make the performance implications obvious. The security model requires you to populate a `Request` table correctly before going live; misconfiguration means clients can read tables you didn't intend. The project is almost entirely Chinese-language in practice (issues, docs, community), which is a real barrier for non-Chinese teams despite the English README. There's no way to express business logic that spans multiple tables atomically without falling back to 'remote function calls', which puts arbitrary Java back in the picture and undermines the no-code premise.