PocketBase
Open Source realtime backend in 1 file — embedded SQLite, auth, file storage, and admin UI as a single Go binary.
PocketBase is an open-source Go backend that ships everything a modern application needs — embedded SQLite database, realtime subscriptions, built-in authentication, file storage, and a full admin dashboard — in a single statically-linked executable. There are no external services to configure, no Docker images to orchestrate, and no cloud accounts required.
Developers can download a prebuilt binary for their platform and start serving in seconds, or import PocketBase as a Go library and build custom business logic on top of its core interfaces. The embedded JavaScript VM (powered by Goja) lets you extend behavior with hooks, migrations, and custom routes without recompiling the Go binary. Cross-platform builds cover Linux, macOS, Windows, and ARM64 with no CGO dependency.
PocketBase has accumulated over 59,000 GitHub stars since its 2022 launch, making it one of the fastest-growing backend-in-a-box projects in the open-source ecosystem. It is released under the MIT License, meaning it can be freely used in commercial products, modified, and redistributed without restriction.
The project maintains dual release streams — a stable series and an LTS branch — enabling teams to adopt new features at their own pace while receiving security backports on older releases.
What You Get
- Embedded SQLite with realtime SSE subscriptions - Collections are backed by SQLite with a built-in server-sent events broker that pushes record changes to connected clients in real time, eliminating the need for polling or a separate message queue.
- Pluggable authentication system - Supports email/password, OAuth2 providers (Google, GitHub, Apple, and more), one-time passwords, and magic links, all with email verification and password reset flows included out of the box.
- Auto-generated REST API with filter expressions - Every collection automatically gets list, view, create, update, and delete endpoints. Developers write collection-level permission rules using the fexpr filter language (e.g.
id = @request.auth.id) that compile to SQL at runtime. - Built-in file storage with S3 support - Handles file uploads and serves them through signed URLs. Storage targets switch between local disk and any S3-compatible provider via a single configuration change, with no application code changes.
- Admin dashboard (Superuser UI) - A full-featured web UI built with Svelte for managing collections, records, users, auth rules, API keys, scheduled cron jobs, and server logs — no separate admin tooling required.
- JavaScript extension engine (JSVM) - The Goja runtime lets developers write hooks, migrations, custom routes, and cron jobs in TypeScript/JavaScript files that are loaded at startup without recompiling, with auto-generated TypeScript types for IDE support.
- Go library mode - PocketBase can be imported as a standard Go module, enabling developers to add custom HTTP routes, middleware, and business logic while retaining the single-binary deployment model.
- Geo-point and rich field types - Collections support text, number, boolean, date, email, URL, file, relation, JSON, select, editor, password, geo-point, and auto-date fields, each with validation and type-safe access.
Common Use Cases
- Rapid MVP or prototype backend - A solo developer downloads the PocketBase binary, defines their data schema through the admin UI, and has a working REST API with auth and file uploads in under an hour — no backend code required.
- Flutter or React Native mobile backend - A mobile developer uses the official Dart SDK or JavaScript SDK to connect their app to PocketBase, taking advantage of realtime subscriptions to sync data between devices without managing a WebSocket server.
- Self-hosted Firebase/Supabase replacement - A team migrating away from a managed BaaS deploys PocketBase on a single VPS, recreates their collections and auth rules through the admin UI, and updates their frontend client without changing application logic.
- Internal tools and admin panels - A startup builds an internal operations dashboard where team members can view and update records through the PocketBase admin UI directly, using collection access rules to enforce role-based visibility.
- Headless CMS for small sites - A freelance developer defines content collections (posts, authors, tags) in PocketBase, uses the JS SDK to fetch data from a static site generator at build time, and optionally enables realtime previews for editors.
- Custom Go backend with built-in data layer - A Go developer imports PocketBase as a library, registers custom API routes using
app.OnServe(), and builds domain-specific business logic while delegating auth, file handling, and data storage to the embedded core.
Under The Hood
Architecture
PocketBase is built around a well-defined App interface in its core package that acts as the single contract for all subsystems — database access, settings, cron scheduling, realtime subscriptions, file storage, mailer, and hooks. The BaseApp struct fulfills this interface by composing these subsystems as injected dependencies rather than global singletons, enabling isolated testing through mock implementations. HTTP handlers in the apis layer communicate exclusively through the App interface, achieving genuine separation between transport and business logic. Extensibility is implemented via a typed hook system where registered callbacks bind to lifecycle events without modifying core code. The plugin layer (JavaScript VM, auto-updater, migration runner) attaches to these hooks at startup, keeping the core package dependency-free and independently testable.
Tech Stack
The backend is written in Go 1.25+ and uses the standard library HTTP server without any external web framework. SQLite is embedded using modernc.org/sqlite, a pure-Go driver that eliminates CGO and enables fully static cross-platform binaries. Database access goes through pocketbase/dbx, a lightweight query builder. The filter expression language is powered by ganigeorgiev/fexpr, a custom expression parser that compiles permission rules to SQL at query time. The JavaScript VM uses dop251/goja with Node.js compatibility shims from goja_nodejs. The admin dashboard is a Svelte single-page application compiled into the Go binary at build time via go:embed. Authentication tokens use golang-jwt/jwt/v5, and OAuth2 integrations are handled through the standard golang.org/x/oauth2 package.
Code Quality
The repository contains an extensive test suite with over 180 test files organized alongside their production counterparts, following Go conventions. Tests range from unit tests for individual field validators to integration tests that exercise full HTTP request/response cycles against an in-memory database. Table-driven tests are used consistently throughout. Error handling is explicit: functions return structured validation errors using ozzo-validation rather than opaque strings, and HTTP handlers convert domain errors to typed API error responses with appropriate status codes. A golangci.yml configuration enforces linting rules and code style. GitHub Actions CI runs the full test suite on each push and manages cross-platform release builds.
What Makes It Unique
The defining technical innovation is the combination of a production-grade backend feature set with a zero-dependency, single-binary deployment that runs identically on every supported platform. The filter expression language (fexpr) deserves particular attention: collection-level access rules like status = 'active' && @request.auth.role = 'admin' are user-defined strings in the admin UI that are parsed and compiled to parameterized SQL on every request, eliminating both hardcoded authorization logic and SQL injection risk. The addition of a native geo-point field type with lat/lon validation reflects how the pluggable field registry enables first-class domain types. The dual runtime model — standalone binary via prebuilt releases and Go library via go get — means the same project can serve developers who want zero-config deployment and those who need full programmatic control, without maintaining separate codebases.
Self-Hosting
PocketBase is released under the MIT License, which grants unrestricted permission to use, copy, modify, merge, publish, distribute, sublicense, and sell the software. There are no copyleft obligations, no viral licensing conditions, and no requirement to open-source code built on top of it. Developers and companies can embed PocketBase in commercial products, offer hosted PocketBase services to customers, or build proprietary extensions without any licensing fees or attribution requirements beyond preserving the MIT copyright notice.
Running PocketBase yourself means you own the full operational stack. The binary stores all data in a local pb_data directory containing SQLite database files, uploaded files, and auto-cert TLS certificates. There is no clustering or built-in high-availability — PocketBase is designed as a single-process application. Operators are responsible for configuring backups (the admin UI includes a manual backup tool, or you can automate SQLite snapshots with litestream or similar), monitoring uptime, applying version updates by replacing the binary, and scaling storage either locally or by pointing to an S3-compatible bucket. The ./pocketbase update command can perform in-place binary updates. For most indie projects, small SaaS products, and internal tools, a single well-resourced VPS handles the load comfortably.
There is no official paid cloud tier, managed hosting service, or enterprise support contract offered by the PocketBase project. This means you trade away things like managed backups, automatic scaling, SLA-backed uptime guarantees, and vendor support channels in exchange for full data ownership and zero ongoing cost. The community forum on GitHub Discussions and the documentation site at pocketbase.io are the primary support resources. Third-party providers such as PocketHost and various cloud marketplaces offer managed PocketBase hosting if you want operational simplicity without running infrastructure yourself.
Related Apps
Supabase
Developer Tools · Databases · Search
The open-source Postgres development platform that replaces Firebase with authentication, real-time APIs, edge functions, storage, and vector embeddings — all built on PostgreSQL.
Supabase
Apache 2.0OpenBB
Databases · Analytics · Invoicing Finance
The AI Workspace for Finance: Connect Data, Run AI Agents, Build Analytics
OpenBB
OtherNocoDB
No Code Platforms · Databases · Low Code Platforms
Turn any SQL database into a collaborative no-code spreadsheet with automatic REST APIs and real-time views.