Why Synthetiq
AI has made it possible to generate code through conversation. But production software requires authentication, access control, credential management, deployment, and monitoring. Today, most AI-generated projects start from a blank slate: rebuilding this same infrastructure from scratch and risking the AI getting it wrong, or forgoing it entirely because the user doesn’t know what they don’t know.

For non-technical users, the gap between prototype and production is a wall. An AI agent can build an app in minutes, but there’s no path from that prototype to something that’s shared with a team, secured for real users, and deployed to production. Not without diving into the code the agent wrote and becoming a developer yourself.

Even for technical teams, every new project means reinventing the same integrations, the same auth flows, the same access control logic, and hoping the AI gets it right every time.

Closing the gap
Synthetiq aims to close this gap by providing a platform for building AI-generated apps that can answer four key questions deterministically:

- Who has access to what? Authentication, RBAC, and row-level security are built into the platform and auditable from configuration.
- Does the app do what I want? Build-time manifests trace every page to its procedures, services, workflows, and database tables, capturing the full architecture automatically.
- Is it working in production? Deployment infrastructure, logging, metrics, and admin panels are scaffolded into every app.
- Can I maintain and iterate? Modular services, end-to-end type safety, version control, sharing, collaboration, and an org app store make apps sustainable without requiring code expertise.
Design principles
These principles shape what the platform controls, what it leaves to the agent, and what it can guarantee as a result.

Platform provides the 90%
Every app built on Synthetiq shares the same infrastructure: authentication, access control, database, API layer, service integrations, AI agent, background processing, admin panels, monitoring, and deployment. The AI agent doesn’t build any of this — it fills in the 10% that’s unique: design, business logic, and configuration.

This isn’t just a convenience. It means every AI-generated app in an organization has the same security model, the same access control patterns, the same API conventions, and the same deployment process. Consistency at scale, without relying on the agent to be consistent.

One way to do everything
Traditional frameworks give developers implementation freedom: choose your auth strategy, pick your ORM pattern, structure your API however you want. This works for experienced engineers but creates an unbounded problem space for AI agents, where every implementation choice is another opportunity for a subtle mistake.

Synthetiq inverts this. You have full freedom over what you build (any feature, any domain, any business logic) but zero freedom over how the platform layers are implemented. There is one way to define a route, one way to access data, one way to integrate a service, one way to enforce permissions.

This constraint is what makes everything else possible. Because the framework enforces exactly how every app is structured, it can validate security at build time, generate complete API manifests, auto-generate RLS policies from configuration, and guarantee that the app’s architecture matches its declared intent. A permissive framework can’t offer any of these guarantees. It would have to account for every possible implementation choice.

Clear app/service boundary
Everything external to an app’s core CRUD is a service: Slack, Shopify, Salesforce, a document editor, an LLM provider, even workflows. Services are created and managed separately from apps, with a strict boundary between them. This boundary enables capabilities that tightly coupled integrations cannot:

- Scope-gated access — control which users can call which tools on which service
- Request-time credential hydration — credentials are injected per-request, never stored in app code
- App-level vs. user-level credentials — easily support shared credentials (e.g. a Claude API key) or each user’s own account (e.g. Gmail)
- Monitoring and control — block, alert on, or audit specific service tool calls
Deterministic auditability
Every layer of access control is driven by the same RBAC system, configured through a scaffolded admin UI:

| Layer | What’s controlled | How |
|---|---|---|
| Pages | Which users can access which pages | Role-based route protection |
| API routes | Which users can call which procedures | Scope-gated backend procedures |
| Data | Which rows a user can read or write | RLS policies generated from RBAC + membership relations |
| Services | Which services an in-app AI agent can call | AI agent scopes tied to user roles |
| Architecture | Full view of pages → API routes → services → workflows → database | Generated manifest files from static analysis |
Platform-managed security
Authentication, credentials, access control, and infrastructure are built into the platform. The AI agent and user don’t build these layers — they configure them. Define which roles exist, which scopes they grant, and which services are available. The platform handles the underlying infrastructure, wiring, and enforcement automatically.

This is especially important for non-technical users who may not know these layers need to exist in the first place:

| Concern | Traditional approach | Synthetiq |
|---|---|---|
| Authentication | Implement OAuth, session management, JWT validation | Built-in — zero app code |
| Access control | Build RBAC from scratch | Declarative configuration, enforced at build and runtime |
| Credentials | Store in env vars, manage rotation manually | Platform-managed, never exposed to app code |
| Database security | Manually implement row-level access | RLS policies auto-generated from RBAC configuration |
| Service connections | Each app builds its own integrations | Pre-built service clients with scope-gated access |
| Deployment | Configure CI/CD, Dockerfiles, infrastructure | One click |
| Monitoring | Instrument logging, set up dashboards | Built-in metrics, logs, and dashboards |
Modular, E2E typed system
The platform enforces separation of concerns: services are independent modules, workflows are standalone processes, and app code stays focused on business logic. This modularity keeps individual components simple, enables reuse across apps, makes the system maintainable as it grows, and increases AI agent accuracy by reducing the scope of what the agent needs to get right at any given time.

Synthetiq is a single connected system with typed boundaries at every layer, from database schema to backend procedures to generated service clients to deployment configuration. This isn’t just type safety. It’s what enables an AI agent to orchestrate the entire software development lifecycle. Because everything is integrated, the agent gets a closed feedback loop: write code → build → static analysis catches errors → agent reads structured feedback → agent fixes → build succeeds → deploy → monitor. This loop is what increases AI agent accuracy and reliability.

Composability
Every app automatically exposes its backend procedures as an HTTP API, an MCP server, and an OAuth 2.0 provider — no additional code required. This means any app can be consumed by other apps, external AI tools, or third-party integrations the moment it’s built. Combined with the service model, this creates compounding value:

- Connect to anything — any external API becomes a typed, scope-gated service
- Build apps on apps — consume one app’s API from another
- Share across an org — publish apps and services to the organization store, control access with contributor/install roles
- Version everything — every push creates a versioned snapshot that can be shared and installed across the organization

