The backend APIs you stop rewriting
Auth and transactional email, ready to drop in. Multi-tenant from day one. Flat REST surfaces your agents can read. No SDK to install, no dashboard to click through.
Built in the open. Dogfooded across every ProductCraft product.
```javascript
// Verify a Heimdall token on any request
const claims = await verify(bearerToken, {
  jwksUri: 'https://api.heimdall.productcraft.co/v1/.well-known/jwks.json',
  expectedAid: APP_ID,
});

// Send a DKIM-signed transactional email through Envoi
await fetch(`${envoi}/v1/apps/${APP_ID}/tenancies/${teamId}/templates/welcome/send`, {
  method: 'POST',
  headers: { Authorization: `Bearer ${ENVOI_KEY}` },
  body: JSON.stringify({
    from: 'hello@acme.com',
    to: claims.email,
    data: { name: claims.name },
  }),
});
```
Why ProductCraft
Built for teams shipping something, not managing dashboards
Integrate in an afternoon
Flat REST endpoints, OpenAPI specs, curl-first docs. No SDK to install, no client library to go stale.
Agent-ready by design
Predictable URLs, flat JSON, human-readable errors. Claude and Cursor read our APIs and get the call right first try.
Multi-tenant from day one
Every resource is tenancy-scoped. Per-app JWT isolation, per-team API keys, per-tenant rate limits. Your customers never see each other.
Audited, not bolted on
DKIM keys encrypted at rest. Audit logs on every mutation. Cryptographic isolation between tenants, enforced at the token and schema layers.
Products
One API family. One mental model.
Each service solves a backend sprint your team keeps rerunning. Consistent REST, tenancy built in, curl-first docs, and no vendor lock-in on the data model.
Heimdall
Multi-tenant auth without the sprint
One REST API for users, roles, tenants, and machine-to-machine tokens. Per-tenant JWKS, scoped permissions, audit log on every action. Swap in for Auth0 without rewriting your guards.
- Per-tenant JWT scoping (aid claim + isolated JWKS)
- RBAC with resource.action permissions
- Machine-to-machine tokens, scoped + revocable
- User, invite, and session management
- Audit log queryable by API
- Flat, LLM-friendly REST surface
Envoi
Transactional email on your own domain
Bring your domain, get a DKIM keypair in seconds, send through one endpoint. Handlebars templates, per-team API keys, bounce-fed suppression, inbound parsing with SPF/DKIM/DMARC results. No third-party relay hiding your signing story.
- Per-domain DKIM keypair, encrypted at rest
- Handlebars templates with render preview
- Tenancy-scoped hdk_live_* API keys
- Automatic bounce capture + suppression
- Sliding-window rate limits per team
- Inbound mail with parsed MIME + auth results
Trawl
Structured web data, one API call
POST a URL and a schema. An agent visits the page, extracts the data, and posts the result to your webhook. No scrapers to maintain, no selectors to patch.
- LLM-driven extraction with schema validation
- Custom output schema per request
- Signed webhook delivery
- Live job dashboards
- Full tracing and observability
- Zero data retention by default
Rally
Waitlists without the spreadsheet
Validate, deduplicate, and track signups through one API. Embeddable forms, webhooks on every entry, CSV export, and Heimdall hooks when you need gated access.
- Signup API with validation and dedupe
- OpenAPI-documented endpoints
- Built-in analytics and CSV export
- Webhook notifications on new entries
- Embeddable form components
- Heimdall integration for gated lists
Agora
Social features without the sprint
Feeds, follows, reactions, comments, ranking. One REST API for the social layer you keep rebuilding and shipping late.
- Activity feeds and timelines
- Social graph (follow, block, mute)
- Reactions, comments, and threads
- Configurable ranking algorithms
- Moderation and safety tooling
- Flat, LLM-friendly REST surface
Stop rewriting the same backend
Auth and transactional email are solved. Drop in Heimdall and Envoi, and get back to the parts of your product that only you can build.