Realtime
Real-time updates via WebSockets with Cloudflare Durable Objects.
The Quickback Stack uses Cloudflare Durable Objects to broadcast real-time updates over WebSockets. CRUD events and custom broadcasts are delivered to connected clients with the same security layers (firewall isolation, role-based filtering, field masking) applied.
Architecture
┌─────────────┐ POST /broadcast ┌──────────────────┐
│ API Worker │ ───────────────────────► │ Realtime Worker │
│ (Quickback) │ │ (Durable Object) │
└─────────────┘ └────────┬─────────┘
│
WebSocket│
│
┌────────▼─────────┐
│ Browser Clients │
│ (WebSocket) │
└──────────────────┘- API Worker — Your Quickback-compiled API. Calls
realtime.insert()etc. after CRUD operations. - Realtime Worker — Separate Cloudflare Worker with Durable Object for managing WebSocket connections, one per organization.
- Browser Clients — Connect via WebSocket, receive filtered and masked broadcasts.
Key Features
| Feature | Description |
|---|---|
| Organization-scoped | Each org gets its own Durable Object instance |
| Role-based filtering | Only send events to users with matching roles |
| Per-role masking | Different users see different field values based on their role |
| User-specific targeting | Send events to a specific user within an org |
| Custom broadcasts | Arbitrary events beyond CRUD |
| Custom namespaces | defineRealtime() for type-safe event helpers |
| Two auth methods | Session tokens (browser) and API keys (server/CLI) |
Enabling Realtime
Add realtime to individual table definitions:
export default defineTable(claims, {
firewall: { organization: {} },
realtime: {
enabled: true,
onInsert: true,
onUpdate: true,
onDelete: true,
requiredRoles: ["member", "admin"],
fields: ["id", "title", "status"],
},
});And enable the realtime binding in your database config. The compiler generates the Durable Object worker and helper functions.
Pages
- Durable Objects Setup — Configuration, wrangler bindings, event formats, masking, and custom namespaces
- Using Realtime — WebSocket connection, authentication, and client-side handling