restheart
RESTHeart is a REST/GraphQL backend for MongoDB that exposes data through native APIs and a Model Context Protocol (MCP) server, enabling AI agents and developers to build applications without custom integration code. It runs on Java with Docker support and includes authentication, authorization, WebSocket, and real-time monitoring out of the box.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | SoftInstigate/restheart |
| Owner | SoftInstigate |
| Primary language | Java |
| License | AGPL-3.0 — OSI-approved |
| Stars | 879 |
| Forks | 177 |
| Open issues | 22 |
| Latest release | 9.5.0 (2026-07-06) |
| Last updated | 2026-07-06 |
| Source | https://github.com/SoftInstigate/restheart |
What restheart is
Built on Java 25, Undertow, and virtual threads, RESTHeart provides CRUD, aggregations, filtering, sorting, pagination, GraphQL schema mapping, WebSocket change streams, and a native MCP server. It supports JWT, OAuth2, LDAP authentication; includes a plugin system for Java, Kotlin, JavaScript, and TypeScript extensions; and ships with Prometheus-compatible metrics.
Get the restheart source
Clone the repository and explore it locally.
git clone https://github.com/SoftInstigate/restheart.gitcd restheart# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- AGPLv3 license requires source disclosure if deployed over a network unless a commercial license is obtained; review your deployment model and compliance requirements.
- Default credentials (admin/secret) must be changed in production; configure JWT, OAuth2, or LDAP authentication and set up ACL rules for multi-tenant or sensitive workloads.
- Java 25 and Undertow dependency; ensure your infrastructure supports Java runtime or use provided Docker/GraalVM native binary.
- Plugin system (Java, Kotlin, JS/TS) allows custom business logic but requires development effort; simple use cases may not need plugins.
- Monitoring via Prometheus endpoint and `/metrics-ui` dashboard; integrate with external stacks (Grafana, Datadog) or rely on built-in UI.
When to avoid it — and what to weigh
- Strict relational schema requirements — RESTHeart is MongoDB-first; complex multi-table joins and ACID transactions across collections are not native strengths. For SQL workloads, use traditional ORMs.
- Proprietary or commercial-only licensing needed — AGPLv3 requires source code disclosure for networked use. If you cannot meet AGPLv3 terms, you must negotiate a commercial license with SoftInstigate (not provided in data).
- Minimal operational overhead — Adds a Java middleware layer; requires MongoDB infrastructure, Docker orchestration, and monitoring. For ultra-simple CRUD, serverless functions may be simpler.
- Offline-first or edge deployments — RESTHeart is server-centric and requires active MongoDB connection. Not suitable for client-side sync or edge-only scenarios.
License & commercial use
Licensed under AGPLv3 (GNU Affero General Public License v3.0). AGPLv3 requires that if you deploy RESTHeart over a network and modify it, you must make source code available to network users under the same license. This is a copyleft obligation and stricter than permissive licenses.
Commercial use is subject to AGPLv3 terms. If you deploy RESTHeart as a networked service (e.g., SaaS, API backend), you must either (1) comply with AGPLv3 source disclosure requirements, or (2) obtain a commercial license from SoftInstigate (not detailed in provided data). Requires legal review before deployment.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Needs review |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
Built-in authentication (JWT, OAuth2, LDAP, MongoDB-based users) and ACL authorization. Default credentials must be replaced in production. AGPLv3 deployment model requires source code disclosure unless licensed commercially—validate compliance with your security and IP policies. No specific details on vulnerability disclosure, penetration testing history, or encryption provided in data; requires independent security review.
Alternatives to consider
PostgREST (PostgreSQL)
Similar auto-REST API from SQL, but uses PostgreSQL not MongoDB; lighter permissive license (MIT); suitable for relational workloads.
MongoDB Atlas Data API (deprecated) + custom Express backend
MongoDB's native API (being phased out); custom Node.js/Express offers more control and flexibility but requires more boilerplate code.
Hasura (GraphQL)
Full-stack GraphQL engine with better real-time (subscriptions), multi-database support, and business logic; permissive license but more opinionated architecture.
Build on restheart with DEV.co software developers
Start with Docker Compose or deploy on RESTHeart Cloud. Connect your AI agents via MCP or use REST/GraphQL APIs. Review AGPLv3 licensing before production.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
restheart FAQ
Can I use RESTHeart commercially without source disclosure?
What databases does RESTHeart support?
How do I connect AI agents (Claude, Cursor) to RESTHeart?
Do I need to write custom code for REST/GraphQL CRUD?
Work with a software development agency
From first prototype to production, DEV.co delivers software development services around tools like restheart. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across mcp servers and beyond.
Ready to build a MongoDB backend with zero boilerplate?
Start with Docker Compose or deploy on RESTHeart Cloud. Connect your AI agents via MCP or use REST/GraphQL APIs. Review AGPLv3 licensing before production.