# The Rust API

> A stateless, manifest-driven Cargo workspace — no per-resource code.

The Rust API is entirely manifest-driven. There is no per-resource code: the crates read `schema.rastack.json` at startup and serve every model from it.

## The request brain

`rastack-api-core` is the framework-free heart of the system: `handle(ctx, ApiRequest) -> ApiResponse`. Because it has no HTTP framework, it builds for `wasm32` — which is exactly why the browser and the server enforce identical rules. It provides:

- manifest-driven CRUD and the DRF-shaped list envelope,
- **foreign-key validation on writes** — a bad reference is rejected before it is stored,
- **access control** — the permission gate, row-level security, and tenant scoping.

## The HTTP adapter

`rastack-api` is a thin [axum](https://github.com/tokio-rs/axum) adapter around the core: the `/api/{app}/v1/{model}/` route set, the `/admin` module, and Cognito JWT verification (RS256 against a pinned JWKS).

```bash title="terminal"
# run the API against a local warehouse
npx rastack serve --warehouse data/warehouse

# with Cognito JWT verification
rastack-server serve --jwks <url> --issuer <iss> --audience <aud>
```

## The admin site

The `/admin` browser is Django-admin-style and manifest-driven: a resource index, a changelist with search and pagination, and add/change/delete forms. Foreign keys render as `<select>`s over the target table and as links from a changelist cell to the related record.

> **Tip:** Launch it with `npx rastack admin --warehouse data/warehouse`.

---

_Source: [https://reactapistack.com/docs/rust-api](https://reactapistack.com/docs/rust-api) · Full docs as one file: [llms-full.txt](https://reactapistack.com/llms-full.txt)_
