v0.6.0 Now Available

The Rust Frameworkfor Speed, Security & Efficiency

Type-safe APIs for latency-sensitive systems — trading platforms, AI inference services, real-time data pipelines, and backend infrastructure where every millisecond counts.

Start Building
crates.io versionCI statuslicenseMSRVunsafe forbidden
server.rs
use ultimo::prelude::*;

#[tokio::main]
async fn main() -> ultimo::Result<()> {
 // Initialize app
 let mut app = Ultimo::new();


 // Define a route
 app.get("/hello", |ctx| async move {
 ctx.json(json!({ "message": "Hello from Ultimo!" })).await
 });


 // Start server
 app.listen("127.0.0.1:3000").await
}

Built For Systems Where Every Millisecond Counts

Ultimo is designed for backend workloads where speed, security, and efficiency are non-negotiable requirements.

Financial Services

Trading systems, risk engines, payment processing — where tail latency directly impacts revenue.

AI & ML Backends

Inference serving, model orchestration, and feature pipelines that need predictable response times.

Bot Execution

Trading bots, automation engines, and webhook processors that react to events in milliseconds.

Real-Time Systems

Live data feeds, notifications, and collaborative tools over WebSocket pub/sub channels.

Backend Infrastructure

API gateways, microservices, and data pipelines deployed as single static binaries.

Zero GC pauses100% safe RustSingle binary deployPredictable memory

Everything you need to ship

Ultimo combines the raw performance of Rust with the developer experience of modern full-stack frameworks.

Blazing Fast

Native Rust speed on the Hyper + Tokio core, with a higher-level developer experience.

O(1) constant-time routing
Built on Hyper + Tokio
Zero-cost abstractions, no GC
Regression-guarded in CI

Type-Safe RPC

Define your API once in Rust, get fully typed TypeScript clients automatically.

Automatic TypeScript generation
Full IDE autocomplete
Compile-time type checking
Single source of truth

Hybrid Design

REST + JSON-RPC 2.0 in one app with batch requests and notifications.

RESTful routing
JSON-RPC 2.0 with batch
Notifications (fire-and-forget)
Standard error codes

WebSocket Support

Zero-dependency RFC 6455 compliant WebSocket with built-in pub/sub system.

Zero external dependencies
Built-in pub/sub
Type-safe handlers
Production-ready with 93 tests

Secure by Default

Authentication, authorization, and hardening ship in the box — in 100% safe Rust.

JWT + API-key auth, scope guards
Sessions, CSRF, security headers
#![forbid(unsafe_code)]
Supply-chain CI (audit + deny)

Uncompromising
Performance

Ultimo is a thin layer over Hyper and Tokio — the same core that powers the fastest Rust servers — so you get native speed with a higher-level developer experience. We measure what the framework itself costs and guard it in CI.

O(1) routing

Constant-time route lookup — 10 routes or 10,000, the same cost.

Built on Hyper + Tokio

The proven async HTTP core of the Rust ecosystem — no re-implementation.

Regression-guarded

Every framework change is benchmarked in CI — we don't get slower by accident.

Route lookup time

In-process micro-benchmark — constant as the routing table grows.

10 routesO(1)
100 routesO(1)
500 routesO(1)
Reproduce it yourself → docs/performance
Secure by default

Security is a
first-class pillar

Built in safe Rust with secure defaults across the stack — authentication, authorization, CSRF, hardened headers, and supply-chain checks ship in the box, not as an afterthought.

Read the security guide →

What's built in

  • 100% safe Rust — #![forbid(unsafe_code)], zero unsafe in the framework
  • Secure-by-default sessions & cookies (HttpOnly/Secure/SameSite, 256-bit ids)
  • JWT auth (HS256, algorithm pinned, exp validated)
  • API-key auth with a pluggable store (SHA-256 hashed, constant-time)
  • Authorization guards — scope checks across JWT & API-key identities
  • CSRF protection (double-submit cookie, constant-time compare)
  • Security-headers middleware (HSTS, X-Frame-Options, Referrer-Policy, …)
  • Request body-size limits (DoS guard)
  • Supply-chain CI — cargo-audit + cargo-deny on every change

End-to-End Type Safety

Define your API in Rust. Get TypeScript clients automatically. Catch errors at compile time, not runtime.

backend/src/main.rs
Rust
struct User { 
    id: u32, 
    name: String, 
    email: String 
} 

rpc.query( 
    "getUser", 
    |id: u32| async move {...} 
);
frontend/src/client.ts
Generated
export interface User { 
    id: number; 
    name: string; 
    email: string; 
} 

// Fully typed! 
const user = await client.getUser(1); 
console.log(user.name);

How Ultimo Compares

Axum, Actix, and friends are excellent, minimal HTTP layers. Ultimo builds on the same Rust core and adds the full-stack pieces — typed clients, RPC, auth — so you ship features instead of wiring boilerplate.

Ultimo

TypeScript Types
Auto
OpenAPI Generation
Auto
JSON-RPC Support
REST Support
Request Validation
Authentication
Client Generation
Auto
CORS
Rate Limiting
Planned
Dev Server
Planned

Axum

TypeScript Types
Manual
OpenAPI Generation
Manual
JSON-RPC Support
REST Support
Request Validation
Manual
Authentication
Manual
Client Generation
Manual
CORS
Manual
Rate Limiting
Manual
Dev Server

Actix Web

TypeScript Types
Manual
OpenAPI Generation
Manual
JSON-RPC Support
REST Support
Request Validation
Manual
Authentication
Manual
Client Generation
Manual
CORS
Manual
Rate Limiting
Manual
Dev Server

Rocket

TypeScript Types
Manual
OpenAPI Generation
Manual
JSON-RPC Support
REST Support
Request Validation
Authentication
Manual
Client Generation
Manual
CORS
Manual
Rate Limiting
Manual
Dev Server

Warp

TypeScript Types
Manual
OpenAPI Generation
Manual
JSON-RPC Support
REST Support
Request Validation
Manual
Authentication
Manual
Client Generation
Manual
CORS
Manual
Rate Limiting
Manual
Dev Server

Built-in   Requires manual setup/crates   Planned   Not available

Ready to build your next high-performance backend?

Join the developers building faster, safer, and more reliable applications with Ultimo.