Space Cloud

Kubernetes-native serverless platform that generates instant GraphQL and REST APIs for any database with built-in auth and real-time subscriptions

4K stars
227 forks
Apache License 2.0
Go

Space Cloud is an open-source, Kubernetes-native backend platform that eliminates the need to write backend code by dynamically generating secure GraphQL and REST APIs for any database. Rather than sending raw SQL or resolver code, clients describe queries as JSON objects that Space Cloud validates against configurable security rules before generating and executing the appropriate database operation.

Built in Go and designed around Kubernetes and Istio, Space Cloud handles the full backend stack: CRUD operations with cross-database joins, real-time data subscriptions via WebSocket, file storage integration with S3 and Google Cloud Storage, event-driven webhooks triggered by database or file events, and fine-grained JWT-based access control without requiring custom middleware.

The platform abstracts service mesh complexity by automatically applying Istio-based mTLS encryption, traffic policies, and autoscaling-to-zero to all deployed workloads. Developers interact with a unified GraphQL interface that spans databases, microservices, and file storage, making Space Cloud useful for teams who want Firebase-like developer ergonomics on infrastructure they control.

Space Cloud is currently in maintenance mode; the project recommends Hasura or WunderGraph for new deployments. Existing self-hosted installations remain fully functional under the Apache 2.0 license, and the codebase serves as a reference implementation of dynamic query generation and Kubernetes-native BaaS architecture.

What You Get

  • Instant GraphQL and REST APIs - Automatically generates typed GraphQL endpoints for MongoDB, PostgreSQL, MySQL, and SQL Server from a schema definition, with support for queries, mutations, aggregations, and cross-database joins in a single request.
  • Real-time Data Subscriptions - Delivers live database updates to connected clients via GraphQL subscriptions over WebSocket without requiring custom publish-subscribe infrastructure or polling logic.
  • File Storage with Event Triggers - Built-in integration for uploading and downloading files to Amazon S3 and Google Cloud Storage, with automatic event triggers that invoke webhooks or serverless functions on file operations.
  • Fine-Grained Access Control - Dynamic per-operation security rules that evaluate JWT claims, request context, and row-level conditions at query time, integrating with Auth0, Firebase Auth, or any JWT-compatible identity provider.
  • Cross-Database Joins - Executes joins spanning multiple databases in a single GraphQL query — for example, joining a MongoDB collection with a PostgreSQL table — without requiring data to be colocated.
  • Automatic Service Mesh - Applies Istio-based mTLS encryption, traffic splitting, circuit breaking, and observability to all microservices deployed through Space Cloud without requiring manual Istio configuration.
  • Autoscale to Zero - Automatically scales HTTP workloads down to zero replicas during inactivity and back up on demand, reducing Kubernetes resource costs for low-traffic or batch services.
  • Unified Microservices Gateway - Exposes custom HTTP services written in any language through the same GraphQL interface used for databases, enabling joins between service data and database records in a single query.

Common Use Cases

  • Building a real-time dashboard without a backend - A frontend team exposes an existing PostgreSQL database through Space Cloud’s GraphQL API with row-level access rules tied to user JWT claims, delivering live-updating charts to a React app without writing any Node.js backend code.
  • Rapidly prototyping a mobile app with file uploads - A developer scaffolds a mobile backend in hours by connecting MongoDB for user data and S3 for profile images, defining access rules in Space Cloud’s Mission Control UI rather than implementing REST endpoints manually.
  • Securing a microservices architecture with mTLS - A platform team deploys several Go and Python services through Space Cloud’s runner component and gets automatic Istio-based mutual TLS, traffic policies, and health monitoring without writing Kubernetes service mesh manifests.
  • Evaluating a self-hosted Firebase alternative - An engineering team migrating away from Firebase uses Space Cloud to replicate real-time database subscriptions, file storage, and JWT-based access control on their own Kubernetes cluster while retaining full ownership of data.
  • Running cost-efficient scheduled batch jobs - A data team deploys periodic ETL services through Space Cloud’s autoscaling runner so workloads consume zero resources between scheduled runs and scale up only when processing data.

Under The Hood

Architecture

Space Cloud follows a clean two-process architecture: a gateway that handles API translation, security enforcement, and query execution, paired with a runner that manages Kubernetes workload lifecycle including deployment, routing, secrets, and autoscaling. Within the gateway, a centralized module coordinator explicitly wires all subsystems at startup using dependency injection — each module (auth, crud, eventing, filestore, functions, realtime, schema) is an isolated struct that receives its dependencies through constructor functions rather than global state. The Crud interface abstracts all database backends behind a uniform 12-method contract, enabling MongoDB, PostgreSQL, MySQL, SQL Server, and embedded BoltDB to be swapped without touching query validation or security logic. Cross-cutting concerns like metrics and caching are separated into a global module layer shared across subsystems.

Tech Stack

The core is implemented in Go using urfave/cli for CLI entry points and gorilla/mux for HTTP routing. GraphQL is served via graphql-go with graph-gophers/dataloader providing batched query resolution to avoid N+1 patterns. SQL databases are accessed through jmoiron/sqlx with goqu/v8 for type-safe dynamic query construction, while MongoDB uses the official driver and BoltDB serves as an embedded storage option. Authentication integrates with external JWT providers via golang-jwt, and real-time subscriptions are delivered over gorilla/websocket with HTTP long-polling as a fallback. TLS is managed automatically via CertMagic with Let’s Encrypt integration. Redis provides query result caching, and the runner communicates with the Kubernetes API and Istio control plane directly for workload management.

Code Quality

Test coverage is moderate with table-driven patterns appearing consistently across auth, eventing, and database operation tests. The codebase uses interface-based abstractions throughout, making individual modules independently testable through mock implementations. Error handling follows standard Go conventions with explicit error returns, though custom error types are not used consistently across modules. Concurrency safety is handled via sync.RWMutex on all stateful structs, and the patterns are applied consistently. Naming follows Go idioms, and the separation between configuration types, model types, and business logic layers is clear. Inline documentation is present but not comprehensive across all packages.

What Makes It Unique

Space Cloud’s most technically distinctive feature is its runtime query translation layer: clients submit JSON objects describing desired operations rather than raw SQL or handwritten resolvers, and Space Cloud dynamically generates, security-validates, and executes the appropriate database query. This abstraction enables cross-database joins — fetching related records from a MongoDB collection and a PostgreSQL table in a single GraphQL request — which is uncommon in open-source BaaS platforms. The native Kubernetes and Istio integration means service mesh capabilities including mTLS, traffic splitting, and autoscaling-to-zero are applied automatically to all workloads without requiring operators to author Istio manifests or configure autoscalers manually.

Self-Hosting

Space Cloud is released under the Apache License 2.0, a permissive open-source license that allows commercial use, modification, and redistribution without requiring derived works to be open-sourced. Organizations can deploy it in production environments, embed it in commercial products, or build proprietary integrations on top of it without triggering copyleft obligations. The only requirements are preservation of license and copyright notices.

Running Space Cloud yourself requires a working Kubernetes cluster with Istio installed, which represents a meaningful operational commitment. The gateway and runner processes must be deployed and kept healthy, and Istio’s service mesh configuration must be kept compatible with Space Cloud’s runner expectations. Database connections, schema migrations, TLS certificate renewal via CertMagic, and secret management through the runner are all operator responsibilities. The Mission Control web UI simplifies configuration but does not reduce the underlying Kubernetes and Istio operational surface area. Teams without existing Kubernetes expertise should plan for a learning curve before achieving a stable self-hosted deployment.

Space Cloud does not have an active commercial cloud tier or enterprise support offering — the project is currently in maintenance mode, with the maintainers recommending Hasura or WunderGraph for new projects. This means there is no managed upgrade path, no SLA-backed support channel, and no hosted alternative to fall back on. Security patches and bug fixes are unlikely to arrive regularly. Teams choosing to self-host should treat the codebase as stable but frozen, budget for maintaining their own fork if needed, and evaluate whether the feature set at the current version meets their requirements before committing.
