Mirror of forum.nim-lang.org

13879 :: Sarcophagus: typed Mummy APIs with OpenAPI, JSON/CBOR, and OAuth2 support

• elcritch (orginal) [2026-04-25T18:08:38+02:00] view original

  I’ve been working on sarcophagus, a higher-level API layer for Nim’s Mummy web server.

  The current focus is tapis, a typed API/router layer inspired by FastAPI but designed around Nim’s static typing and metaprogramming. It lets you define routes as regular Nim procs and automatically handles parameter decoding, response serialization, OpenAPI generation, and structured error responses.

  Example:

  
  proc readItem(id: int, verbose: Option[bool]): ItemOut {.
    gcsafe, tapi(get, "/items/@id", summary = "Read item")
  .} =
    ItemOut(id: id, verbose: verbose.get(false))
  
  api.add(readItem)
  Run

  It also supports grouped params:

  
  proc listItems(params: Params[ListItemsParams]): ItemList {.
    gcsafe, tapi(get, "/items")
  .} =
    ...
  Run

  And OAuth2 security:

  
  let readSecurity = oauth2(config, ["items:read"])
  
  withSecurity(api, readSecurity):
    api.add(listItems)
    api.add(readItem)
  
  api.registerOAuth2(config)
  api.mountOpenApi()
  Run

  Features included so far:

  • Typed path/query/body decoding
  • Flat FastAPI-style handler params
  • Params[T] grouped params
  • JSON support, optional CBOR support
  • Generated /swagger.json
  • Structured error responses with optional stack traces
  • OAuth2 client credentials flow
  • JWT bearer token minting/validation
  • Scoped security in OpenAPI and runtime handlers
  • Mummy-compatible raw OAuth2 helpers

  There’s a secure example app in examples/tapis_secure that implements a small “goto” service with scoped OAuth2 and OpenAPI output.

  Repo: https://github.com/elcritch/sarcophagus

  I’d be interested in feedback on the API shape, especially the balance between FastAPI-style flat handlers and Nim-style typed wrapper objects.

---