DEV.co
Open-Source Databases · jeffknupp

sandman2

sandman2 is a Python tool that automatically generates a REST API from an existing database without writing code. Point it at your database (SQLite, PostgreSQL, MySQL, Oracle, etc.), and it introspects the schema to create a fully functional RESTful API with an admin interface.

Source: GitHub — github.com/jeffknupp/sandman2
2k
GitHub stars
217
Forks
Python
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryjeffknupp/sandman2
Ownerjeffknupp
Primary languagePython
LicenseApache-2.0 — OSI-approved
Stars2k
Forks217
Open issues45
Latest releaseUnknown
Last updated2026-07-06
Sourcehttps://github.com/jeffknupp/sandman2

What sandman2 is

Built on SQLAlchemy's automap feature, sandman2 dynamically generates REST endpoints and CRUD operations for all tables in a connected database. It provides hypermedia support, an admin UI, and can be deployed as a CLI tool or Docker container.

Quickstart

Get the sandman2 source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/jeffknupp/sandman2.gitcd sandman2# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Legacy database rapid API exposure

Quickly expose an existing legacy database to modern applications without rewriting ORM code or building custom API handlers. Ideal for teams needing immediate programmatic access to inherited data stores.

Internal data access portal

Enable non-technical stakeholders or cross-functional teams to read/modify database records through a REST interface and web admin UI without direct database access or SQL knowledge.

Prototype and demo environments

Rapidly stand up a working REST API for a database to validate concepts, run demos, or integrate with third-party tools before building a production-grade custom API.

Implementation considerations

  • Install via pip and provide a SQLAlchemy connection string; most setups are operational within minutes.
  • Review which database tables are exposed by default; restrict sensitive tables via code customization if needed.
  • Database driver libraries (e.g., psycopg2, pymysql) must be installed separately for each target database type.
  • The admin interface is automatically generated but may require CSS/JavaScript customization for branding or advanced UX.
  • Run behind a reverse proxy (nginx, etc.) and apply API gateway policies if deploying to production.

When to avoid it — and what to weigh

  • Complex business logic required — If your API must enforce intricate validation rules, custom workflows, or domain-specific transformations beyond basic CRUD, sandman2's auto-generated endpoints will be insufficient. Custom API development is needed.
  • Fine-grained API security and access control — Auto-generated endpoints expose all tables uniformly. If you need role-based access, column-level permissions, or complex authorization policies, sandman2 does not provide adequate built-in controls.
  • High-volume production APIs — sandman2 is optimized for rapid deployment, not optimized query performance or horizontal scaling. Production APIs with strict SLAs, heavy traffic, or complex query patterns should use a purpose-built solution.
  • Non-relational or hybrid databases — sandman2 depends entirely on SQLAlchemy, which supports relational databases only. If your primary data store is NoSQL, graph, or a hybrid model, sandman2 is not applicable.

License & commercial use

Apache License 2.0 (Apache-2.0). A permissive OSI-approved license allowing commercial use, modification, and distribution with appropriate attribution and liability disclaimers.

Apache-2.0 is a permissive open-source license that permits commercial use without royalty obligations. You may use sandman2 in proprietary products provided you include a copy of the license and any copyright notices. No warranty or indemnification is provided; review Apache-2.0 terms and consult legal counsel if required for your specific use case.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceModerate
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Auto-generated endpoints expose all tables uniformly with minimal built-in access control. No authentication or authorization is enforced by default; you must add API gateway, reverse proxy authentication, or custom middleware. Database credentials are passed via connection strings; manage secrets securely (e.g., environment variables, secret stores). SQL injection risk is mitigated by SQLAlchemy's parameterized queries, but input validation and rate limiting must be applied externally. Run in a trusted network or behind TLS/auth in production. No security audit or vulnerability disclosure process is documented.

Alternatives to consider

PostgREST

Standalone tool that auto-generates a REST API directly from a PostgreSQL schema without Python dependency. Offers stronger built-in row-level security and is lighter-weight for PostgreSQL-only setups.

Hasura

GraphQL-first auto-API platform with role-based access control, real-time subscriptions, and multi-database support. More feature-rich for modern applications but requires a separate service deployment.

Custom FastAPI / Flask-SQLAlchemy

Write a lightweight REST API in Python using FastAPI or Flask with SQLAlchemy ORM. Provides full control over endpoints, validation, and business logic at the cost of more development effort.

Software development agency

Build on sandman2 with DEV.co software developers

sandman2 can have your database REST API running in minutes. Start with the quickstart guide, or contact our team to discuss integrating sandman2 into your API strategy.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

sandman2 FAQ

Can sandman2 handle multiple databases at once?
Not natively in a single instance. You would need to run separate sandman2 processes for each database or integrate sandman2 into a custom Flask app that manages multiple connections.
Does sandman2 auto-generate API documentation?
Not in Swagger/OpenAPI format by default. The admin UI provides a basic interface for exploring tables. You would need to add documentation middleware or use an external tool to generate OpenAPI specs.
Is authentication included?
No. You must add authentication and authorization via a reverse proxy, API gateway, or custom middleware wrapping the sandman2 instance.
Can I modify or restrict which tables are exposed?
Yes. You can integrate sandman2 into a custom Python application and configure which models/tables are registered, but this requires coding beyond the simple CLI tool.

Software development & web development with DEV.co

Adopting sandman2 is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source databases software in production.

Ready to Free Your Data?

sandman2 can have your database REST API running in minutes. Start with the quickstart guide, or contact our team to discuss integrating sandman2 into your API strategy.