ENTERPRISE DEVELOPER CONSOLE

The Enterprise Developer Console

A headless, zero-trust command center for your API and Agentic products. Deploy secure credential vaults, hybrid OpenAPI documentation, and native community forums in minutes.

Zero-Trust proxy architecture
SHA-256 key hashing
OpenAPI 3.0 native import
tsvector full-text community search

Step 2 — Security Architecture

The SandboxProxyService Architecture

Most API playgrounds ask the user to paste a raw API key into the browser, where any XSS flaw in the page can read it from the DOM or local storage and exfiltrate it. Aforo's console never puts the key in the browser at all: requests go through a zero-trust backend proxy that holds the credential server-side.

BROWSER: The Browser UI

1. Sanitized Payload

The developer configures the request in the UI, but the browser sends only the endpoint path and request body (plus its normal session token) to the Aforo backend. The raw API key is never present in the DOM or anywhere else in the browser, so a script injected into the page has nothing to steal.

SERVER: The Backend Proxy

2. Server-Side Injection

The SandboxProxyService verifies the user's JWT, resolves the active sk_live_ key bound to that user from the Postgres vault (the browser never names a key; a session can only act as itself), and injects the Authorization header server-side.

GATEWAY: The Gateway

3. Upstream Execution

The proxy forwards the authenticated request to the Kong/Apigee gateway, captures the response, strips any credential material from the response headers (the injected Authorization header, gateway cookies), and returns the status, body and execution timing to the browser.

Browser → endpoint + body → SandboxProxyService → JWT verify + sk_live_ inject → Kong / Apigee → strip creds → response + timing → Browser
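The three steps above, reduced to running code. This is an added example, not Aforo's SandboxProxyService: it assumes HS256 session JWTs with a shared secret, a dict in place of the Postgres vault, a per-product allowlist of upstream paths (the check that keeps the proxy from becoming an open relay), and a fake function in place of the Kong/Apigee gateway. Helper names such as issue_test_token, fake_gateway and leaks_secret are this example's own.

```python
"""SandboxProxyService in miniature (added example, not Aforo's code).

Assumptions, labelled as such: the console issues HS256 JWTs with a shared
secret; a dict stands in for the Postgres key vault; each product registers
an allowlist of upstream paths its playground may hit; and a fake function
stands in for the Kong/Apigee gateway."""
import base64
import hashlib
import hmac
import json
import time

JWT_SECRET = b"assumed-hs256-shared-secret"      # assumption: HS256, not an RSA key

# Constructed vault contents: user id -> that user's active sk_live_ key.
VAULT = {"user_42": "sk_live_c0nstructedKeyForUser42"}

# Assumption: the console knows which upstream paths each product exposes.
ALLOWED_PATHS = {"prod_xyz": {"/v1/orders", "/v1/inventory"}}

# Response headers that must never reach the browser (assumed list).
STRIP_HEADERS = {"authorization", "set-cookie", "www-authenticate", "proxy-authenticate"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_test_token(sub: str = "user_42", ttl: int = 60) -> str:
    """Mint an HS256 JWT so the example runs offline; in production the IdP does this."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str):
    """Return the claims if alg is HS256, the signature verifies and exp is in the future."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_unb64url(header_b64))
        signature = _unb64url(sig_b64)
        claims = json.loads(_unb64url(payload_b64))
    except ValueError:                           # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None                              # refuse alg confusion ("none", RS256 swap)
    expected = hmac.new(JWT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= time.time():
        return None
    return claims


def fake_gateway(method, path, headers, body):
    """Stands in for Kong/Apigee: 200 only if a Bearer sk_live_ key arrived."""
    ok = headers.get("Authorization", "").startswith("Bearer sk_live_")
    return {
        "status": 200 if ok else 401,
        "headers": {"Content-Type": "application/json",
                    "Set-Cookie": "kong_session=constructed; HttpOnly",
                    "X-Request-Id": "req_0001"},
        "body": {"authenticated": ok, "method": method, "path": path, "echo": body},
    }


def leaks_secret(result) -> bool:
    """Last guard before anything goes back to the browser."""
    blob = json.dumps(result)
    return "sk_live_" in blob or "Bearer " in blob


def sandbox_proxy(token, product_id, method, path, body, upstream=fake_gateway):
    """Browser sends session token + path + body; the API key is resolved and injected here."""
    claims = verify_jwt(token)                                   # step 1: who is asking
    if claims is None:
        return {"status": 401, "error": "invalid session"}
    if path not in ALLOWED_PATHS.get(product_id, set()):         # no open proxy, no SSRF
        return {"status": 403, "error": "path not registered for product"}
    key = VAULT.get(claims.get("sub"))                           # step 2: key bound to this user
    if key is None:
        return {"status": 403, "error": "no active key"}
    started = time.perf_counter()
    resp = upstream(method, path, {"Authorization": f"Bearer {key}",
                                   "Content-Type": "application/json"}, body)
    timing_ms = round((time.perf_counter() - started) * 1000, 3)  # step 3: upstream execution
    result = {
        "status": resp["status"],
        "headers": {k: v for k, v in resp["headers"].items() if k.lower() not in STRIP_HEADERS},
        "body": resp["body"],
        "timing_ms": timing_ms,
    }
    if leaks_secret(result):
        return {"status": 502, "error": "upstream echoed credential material"}
    return result


if __name__ == "__main__":
    demo = sandbox_proxy(issue_test_token(), "prod_xyz", "POST", "/v1/orders", {"sku": "A1"})
    print(json.dumps(demo, indent=2))
```

The browser-facing result carries the response body, the surviving headers and the timing; the gateway's Set-Cookie and the injected Authorization header never leave the proxy. Resolving the key from the JWT subject rather than from a client-supplied key id is what makes the zero-trust claim hold: a session can only spend its own credentials, and the path allowlist keeps the proxy from being turned into a relay against arbitrary upstreams.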

Step 3 — Cryptographic Material

API Key Provisioning & Vault Storage

Keys are generated from a cryptographically secure random source (SecureRandom) and immediately hashed with SHA-256 before storage; the raw secret is returned exactly once, at creation, and if it is lost the key has to be rotated. Unsalted SHA-256 is the right tool here, unlike for passwords: the input is already high-entropy random material, so there is nothing for a dictionary or rainbow table to exploit, and the hash must stay deterministic to serve as the lookup index on the validate path.

Raw key never persisted — only the SHA-256 hash is written to DB
key_subscription_bindings enforces lifecycle coupling — cancel → revoke atomically
CLIENT_CREDENTIALS format for MCP/AI Agent; BEARER_TOKEN for API products
Validate path: hash lookup + active binding check, Redis-cached for 30s (the TTL bounds how long a revoked key keeps validating if its cache entry is not evicted on revoke)
key-provisioning.log
[PRICING_SERVICE]Key creation requested for subscription: sub_xyz789...
[VAULT]Generating cryptographic material (BEARER_TOKEN)...
[VAULT]Hashing secret with SHA-256...
[DB]INSERT INTO api_keys (accessor_type, status) VALUES ('APP', 'ACTIVE');
[DB]INSERT INTO key_subscription_bindings (key_id, sub_id);
[RESPONSE]Raw secret returned to client. Material destroyed from memory.
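The provisioning log above as a runnable model, added here and not Aforo's code. sqlite3 stands in for Postgres and a dict for the Redis cache; api_keys, key_subscription_bindings, accessor_type and status are the page's names, while key_hash, the subscriptions table and all function names are this example's assumptions. Only the BEARER_TOKEN format is modelled.

```python
"""Key provisioning, vault storage and validation (added example, not Aforo's code).

sqlite3 stands in for Postgres and a dict for Redis. Table and column names
beyond those on the page (key_hash, subscriptions) are assumptions."""
import hashlib
import secrets
import sqlite3
import time

CACHE_TTL_S = 30   # matches the 30 s validate-path cache on the page

SCHEMA = """
CREATE TABLE subscriptions (id TEXT PRIMARY KEY, status TEXT NOT NULL);
CREATE TABLE api_keys (
    id            TEXT PRIMARY KEY,
    key_hash      TEXT NOT NULL UNIQUE,   -- SHA-256 hex of the raw secret; raw is never stored
    accessor_type TEXT NOT NULL,
    status        TEXT NOT NULL
);
CREATE TABLE key_subscription_bindings (
    key_id TEXT NOT NULL REFERENCES api_keys(id),
    sub_id TEXT NOT NULL REFERENCES subscriptions(id)
);
"""


def open_vault():
    """In-memory stand-in for the Postgres vault, seeded with one active subscription."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO subscriptions VALUES ('sub_xyz789', 'ACTIVE')")
    conn.commit()
    return conn


def hash_key(raw: str) -> str:
    # Unsalted SHA-256 is appropriate: the input is 256 bits of CSPRNG output, not a
    # password, and the digest must be deterministic to serve as the lookup index.
    return hashlib.sha256(raw.encode()).hexdigest()


def provision_key(conn, sub_id: str, accessor_type: str = "APP") -> str:
    """BEARER_TOKEN provisioning: generate, hash, bind to the subscription, return raw once."""
    raw = "sk_live_" + secrets.token_urlsafe(32)   # Python's CSPRNG, as SecureRandom in Java
    key_id = "key_" + secrets.token_hex(8)
    with conn:                                     # one transaction: key + binding, or nothing
        conn.execute(
            "INSERT INTO api_keys (id, key_hash, accessor_type, status) VALUES (?, ?, ?, 'ACTIVE')",
            (key_id, hash_key(raw), accessor_type))
        conn.execute("INSERT INTO key_subscription_bindings (key_id, sub_id) VALUES (?, ?)",
                     (key_id, sub_id))
    return raw                                     # the only time the raw secret exists outside RAM


def validate_key(conn, cache: dict, raw: str, now=None) -> bool:
    """Hash lookup + active binding check, with a 30 s cached verdict per key hash."""
    now = time.time() if now is None else now
    digest = hash_key(raw)
    hit = cache.get(digest)
    if hit is not None and hit[1] > now:
        return hit[0]
    row = conn.execute("""
        SELECT 1 FROM api_keys k
        JOIN key_subscription_bindings b ON b.key_id = k.id
        JOIN subscriptions s ON s.id = b.sub_id
        WHERE k.key_hash = ? AND k.status = 'ACTIVE' AND s.status = 'ACTIVE'
        LIMIT 1""", (digest,)).fetchone()
    ok = row is not None
    cache[digest] = (ok, now + CACHE_TTL_S)
    return ok


def cancel_subscription(conn, cache: dict, sub_id: str) -> int:
    """cancel -> revoke atomically, then evict cached verdicts so the 30 s TTL does not
    become a 30 s window in which a revoked key still validates. Returns keys revoked."""
    with conn:
        hashes = [r[0] for r in conn.execute("""
            SELECT k.key_hash FROM api_keys k
            JOIN key_subscription_bindings b ON b.key_id = k.id
            WHERE b.sub_id = ?""", (sub_id,))]
        conn.execute("UPDATE subscriptions SET status = 'CANCELLED' WHERE id = ?", (sub_id,))
        conn.execute("""UPDATE api_keys SET status = 'REVOKED' WHERE id IN (
            SELECT key_id FROM key_subscription_bindings WHERE sub_id = ?)""", (sub_id,))
    for digest in hashes:
        cache.pop(digest, None)
    return len(hashes)


def raw_secret_persisted(conn, raw: str) -> bool:
    """Scan every stored value: the raw key must appear nowhere in the vault."""
    for table in ("api_keys", "key_subscription_bindings", "subscriptions"):
        for row in conn.execute(f"SELECT * FROM {table}"):
            if any(raw in str(value) for value in row):
                return True
    return False


if __name__ == "__main__":
    vault, redis = open_vault(), {}
    secret = provision_key(vault, "sub_xyz789")
    print("issued", secret, "valid:", validate_key(vault, redis, secret))
    cancel_subscription(vault, redis, "sub_xyz789")
    print("after cancel, valid:", validate_key(vault, redis, secret))
```

Two properties worth asserting in any implementation of this flow: raw_secret_persisted comes back False after provisioning, and validate_key flips to False immediately after cancel_subscription rather than up to 30 seconds later, which is why the revoke path evicts the cached verdicts instead of waiting for the TTL.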

Step 4 — Developer Documentation

Hybrid Documentation Engine

Aforo uses a hybrid approach to developer documentation. Hand-author conceptual guides in CommonMark Markdown via our split-pane editor, and let Aforo dynamically render your API reference directly from imported OpenAPI 3.0 or GraphQL specifications. No build steps. No rigid MDX compilers.

CommonMark Authoring

Hand-author conceptual guides in standard Markdown via our split-pane editor. No proprietary syntax, no MDX compilation step.

# Getting Started
## Authentication
Pass your `X-Storefront-Key` header on every request.

OpenAPI 3.0 Import

Drop a spec URL or upload a YAML/JSON file. Aforo dynamically renders interactive API reference — no build step, no deployment.

POST /api/v1/docs/api-specs
{
  "productId": "prod_xyz",
  "specFormat": "OPENAPI_3",
  "sourceUrl": "https://..."
}

Tree Navigation

Hierarchical doc tree with parent_id self-FK, drag-to-reorder, max 3 levels deep. Version-controlled via doc_page_versions.

doc_pages(
  id, parent_id,
  product_id,
  title, slug,
  sort_order,
  status
)

Step 5 — Community Infrastructure

Native Community Forums

Third-party forum integrations fracture the developer experience. Aforo provides a fully native community engine built directly into the console. No Discourse embed, no Intercom widget — your forum lives inside your portal, sharing your auth session.

Search
· PostgreSQL tsvector + GIN indexes
· Full-text thread + reply search
· Weighted ranking: title > body
· Instant, no external Elasticsearch

Reputation
· +1 per upvote received
· +5 per accepted answer
· Badge allocation: New Member → Top Contributor
· Reputation stored on community_user_profiles

Data Model
· Hierarchical categories (parent_id FK)
· Threaded replies via parent_reply_id self-FK
· community_threads → community_replies (nested)
· Soft-deletes on threads + replies (deleted_at)

Moderation
· Kafka topic: aforo.community.events
· Report queue: community_reports table
· Actions: warn, soft-delete, ban (is_banned)
· Admin moderation queue in Developer Console

Ship a production-grade Developer Console in a sprint.

Zero-trust key vault. Hybrid docs. Native community. AST-validated AI component builder. Every component is production-grade on day one.