REST API
REST (Representational State Transfer) APIs are the backbone of modern web communication. They provide a uniform way for applications, services, and AI agents to access data using standard HTTP methods. DreamFactory auto‑generates REST APIs from any database schema, eliminating the need to write custom endpoint code. Each generated API follows OpenAPI 3.0 specifications, making it compatible with virtually any client, framework, or AI system.
Model Context Protocol (MCP)
The Model Context Protocol (MCP) defines how AI agents — Claude, GPT, local LLMs — request and receive structured data from enterprise systems. Instead of giving AI direct database access, MCP provides a standardized, governed interface. DreamFactory can serve as an MCP server, auto‑generating the protocol layer from your database schema so AI agents can query data through controlled, auditable endpoints without any custom code.
Role‑Based Access Control (RBAC)
RBAC lets you define exactly who can access what data and what operations they can perform. In DreamFactory, RBAC operates at the API level — you can restrict access down to specific tables, columns, and HTTP methods per role. This means an AI agent might have read‑only access to customer names but no access to financial data, while an admin API key gets full access. RBAC is essential for meeting compliance requirements like SOC 2, HIPAA, and GDPR.
OpenAPI Specification
OpenAPI 3.0 is the industry standard for documenting REST APIs. It describes every endpoint, parameter, request body, and response in a format that tools can automatically consume — generating client SDKs, documentation, and test suites. DreamFactory auto‑generates OpenAPI specs for every API it creates, meaning your database instantly gets machine‑readable documentation that modern frontends, mobile apps, and AI agents can use to discover and interact with your data.
API Key Management
API keys are the credentials that applications use to authenticate with your APIs. Proper management includes generating unique keys per application or user, setting expiration dates, enforcing usage quotas, and being able to instantly revoke compromised keys. DreamFactory provides built‑in API key management with per‑key rate limiting, role assignment, and automatic rotation capabilities — critical for maintaining security when multiple AI agents or applications access your data.
Rate Limiting
Rate limiting prevents abuse, protects databases from runaway queries, and ensures fair resource allocation across consumers. This is especially important when AI agents access your data — a misconfigured LLM could send thousands of queries per second. DreamFactory provides configurable rate limits per user, role, or API key, with customizable time windows and response behaviors. You can set different limits for different consumers, ensuring critical applications always have access while experimental AI agents are safely throttled.
Audit Trail
Audit trails are non‑negotiable for regulated industries. Every API call needs to be logged with the user's identity, timestamp, endpoint, HTTP method, and request/response payload. DreamFactory automatically logs every API interaction, creating a complete audit trail that satisfies SOC 2, HIPAA, GDPR, and FISMA requirements. This is especially critical when AI agents access sensitive data — you need proof of exactly what data was queried and by whom.
LDAP / Active Directory
LDAP (Lightweight Directory Access Protocol) and Microsoft Active Directory are the backbone of enterprise identity management. They store user credentials, group memberships, and organizational roles. DreamFactory integrates directly with LDAP/AD, allowing users to authenticate with their existing enterprise credentials. This eliminates the need for separate API passwords and ensures that when someone leaves the organization, their API access is automatically revoked through the same process that disables their corporate account.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations to implement administrative, physical, and technical safeguards for Protected Health Information (PHI). For API‑based data access, this means encryption in transit and at rest, role‑based access controls, complete audit logging, and the ability to track exactly who accessed what patient data. DreamFactory supports HIPAA‑compliant deployments through self‑hosted installation, RBAC, encrypted connections, and comprehensive audit trails.
FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security for cloud products and services. Government agencies are typically required to use FedRAMP‑authorized services. DreamFactory supports government deployments through self‑hosted installation on agency infrastructure, meaning it operates within the agency's existing Authority to Operate (ATO) boundary rather than requiring separate FedRAMP authorization as a cloud service.
SOC 2
SOC 2 (Service Organization Control Type 2) audits evaluate an organization's controls for security, availability, processing integrity, confidentiality, and privacy. For data access platforms, SOC 2 compliance requires demonstrating that you have proper access controls, audit logging, change management, and incident response procedures. DreamFactory's built‑in RBAC, audit trails, API key management, and rate limiting provide the technical controls that SOC 2 auditors look for.
FHIR (Fast Healthcare Interoperability Resources)
FHIR is the modern standard for healthcare data interoperability, replacing older formats like HL7 v2. It represents healthcare data as resources (Patient, Observation, Medication) accessible through REST APIs. While FHIR standardizes how healthcare data is exchanged, many healthcare organizations still have data in legacy formats and databases. DreamFactory can API‑enable these legacy healthcare databases, providing a bridge between older systems and modern FHIR‑based applications.
Legacy Modernization
Legacy modernization doesn't have to mean rewriting or migrating old systems. The API‑wrapping approach — placing a modern REST API layer on top of existing databases — is the lowest‑risk path. Your legacy DB2, Informix, Oracle, or SQL Server systems keep running exactly as they are. Modern applications, AI agents, and mobile apps access data through the API layer. DreamFactory automates this process: point it at a legacy database, and it generates a complete REST API with security, documentation, and governance in minutes.
Data Governance
Data governance encompasses who can access what data, how that access is controlled, and how it's audited. In the API era, governance happens at the API layer — controlling access through role‑based permissions, monitoring through audit logs, and enforcing limits through rate limiting and quotas. DreamFactory centralizes governance for all your databases in a single admin console, replacing scattered configurations with unified policy management across SQL Server, PostgreSQL, Oracle, and 20+ other sources.
API Gateway
An API gateway sits between clients (apps, AI agents, services) and your backend systems, handling cross‑cutting concerns like authentication, rate limiting, logging, and request transformation. While traditional API gateways like Kong or Apigee manage existing APIs, DreamFactory goes a step further by both generating the APIs and governing them — combining API creation and gateway functionality in a single platform.
Air‑Gapped Deployment
Air‑gapped environments are common in government, defense, and financial institutions where sensitive data cannot be exposed to external networks. Cloud‑only solutions are disqualified from these environments. DreamFactory supports fully air‑gapped deployments — it runs entirely on your infrastructure with no phone‑home requirements, external dependencies, or cloud connectivity needed. This makes it suitable for classified government systems, secure financial networks, and any environment where data isolation is mandatory.
Industry 4.0
Industry 4.0 represents the convergence of operational technology (OT) and information technology (IT) in manufacturing. It requires data from shop floor sensors, legacy production databases, ERP systems, and MES platforms to flow into modern analytics, AI models, and dashboards. The challenge is that much of this data is locked in legacy databases and proprietary systems. DreamFactory bridges this gap by API‑enabling manufacturing databases so modern Industry 4.0 applications can access production data through governed REST endpoints.
Self‑Hosted / On‑Premises
Self‑hosted deployment means the software runs on servers you control — whether in your data center, private cloud, or air‑gapped environment. Your data never leaves your infrastructure, and you control network access, encryption, and physical security. DreamFactory is designed for self‑hosted deployment, making it suitable for organizations with strict data residency requirements, regulatory constraints, or security policies that prohibit sending data to third‑party clouds.
OAuth 2.0
OAuth 2.0 is the industry standard for token‑based authorization. Instead of sharing passwords, applications receive time‑limited access tokens that define exactly what they can do. DreamFactory supports OAuth 2.0 for API authentication, allowing third‑party applications and AI agents to authenticate securely without ever handling user credentials. This is especially important in enterprise environments where credential sharing violates security policies.
SAML 2.0
Security Assertion Markup Language (SAML) 2.0 enables Single Sign‑On (SSO) across enterprise applications. When a user logs into their corporate identity provider (like Okta or Azure AD), SAML passes a secure assertion to downstream applications — including DreamFactory — so users don't need separate credentials. This simplifies access management and ensures that when employees are offboarded, their access to all SAML‑connected services is revoked simultaneously.
ETL (Extract, Transform, Load)
ETL is the traditional approach to data integration — batch‑processing data from source systems into data warehouses or lakes. While ETL works well for analytics and reporting, it introduces latency (data is only as fresh as the last batch run) and requires significant pipeline maintenance. DreamFactory takes a different approach: instead of moving data, it generates real‑time REST APIs that let applications query source databases directly through governed endpoints. This eliminates ETL latency and reduces infrastructure complexity.
GraphQL
GraphQL, developed by Facebook, allows clients to specify the exact fields they want returned — reducing the over‑fetching and under‑fetching common with REST APIs. While GraphQL is powerful for frontend applications, it introduces complexity in security governance because clients can craft arbitrary queries. DreamFactory focuses on REST API generation with server‑side control over which fields are accessible per role, providing a more governable approach for enterprise data access.
CRUD Operations
CRUD maps directly to HTTP methods in REST APIs: POST (Create), GET (Read), PUT/PATCH (Update), and DELETE (Delete). DreamFactory auto‑generates all CRUD endpoints for every table in your database, and lets you control which operations each role can perform. For example, you might allow AI agents to only perform Read operations while administrative users get full CRUD access. This granular control is fundamental to data governance.
Stored Procedure
Stored procedures are common in legacy enterprise databases — they encapsulate decades of business rules in SQL code that runs directly on the database server. DreamFactory can expose stored procedures as REST API endpoints, meaning complex business logic that's been refined over years can be accessed by modern applications and AI agents without rewriting it. Each procedure gets its own endpoint with proper authentication and audit logging.
PCI‑DSS
PCI‑DSS mandates strict controls around cardholder data: encryption, access control, network segmentation, and detailed audit logging. Any API that touches payment card data must comply. DreamFactory's column‑level access control ensures that cardholder data fields (card numbers, CVVs, expiration dates) are only accessible to explicitly authorized roles. Combined with encrypted connections and complete audit trails, DreamFactory supports PCI‑DSS compliance at the data access layer.
GDPR
GDPR gives EU residents rights over their personal data — including the right to access, rectify, and delete it. For API platforms, GDPR compliance means knowing exactly where personal data is stored, controlling who can access it, maintaining audit logs of all access, and being able to delete individual records on request. DreamFactory's RBAC, audit logging, and self‑hosted deployment model support GDPR compliance by ensuring personal data is governed at every access point.
FISMA
FISMA requires federal agencies to develop, document, and implement information security programs based on NIST standards. This includes continuous monitoring, access control, audit logging, and incident response. DreamFactory's built‑in security features — RBAC, audit trails, encrypted connections, and self‑hosted deployment — align with FISMA requirements, particularly NIST 800‑53 controls for access control (AC), audit and accountability (AU), and system and communications protection (SC).
Authority to Operate (ATO)
Before any system can be deployed in a government environment, it must receive an ATO — a formal declaration that the system's security controls are adequate for the data it handles. The ATO process involves security assessment, documentation, and review of every component. DreamFactory's zero‑code approach accelerates ATO because there's no custom code to review — the platform itself is the application. Self‑hosted deployment means it operates within the agency's existing ATO boundary.
HL7 (Health Level Seven)
HL7 is the foundational messaging standard in healthcare IT, with HL7 v2 being the most widely deployed healthcare interface standard globally. HL7 messages use a pipe‑delimited format to exchange patient admissions, lab results, pharmacy orders, and clinical observations between systems. While FHIR is the modern successor, the vast majority of healthcare integration still runs on HL7 v2. DreamFactory complements HL7‑based systems by API‑enabling the databases that store and process HL7 data.
EHR (Electronic Health Record)
EHR systems like Epic, Cerner (Oracle Health), and Meditech are the primary clinical data systems in healthcare. They store patient demographics, diagnoses, medications, lab results, and clinical notes. While EHR vendors provide their own APIs, many organizations need to access the underlying database directly for analytics, reporting, and integration with non‑clinical systems. DreamFactory connects to the databases that power EHR systems, providing governed API access to clinical data.
Database Connector
Database connectors handle the low‑level communication protocols, authentication, and data type mapping required to interact with each database type. DreamFactory includes native connectors for 20+ databases — SQL Server, PostgreSQL, MySQL, Oracle, DB2, Informix, MongoDB, Snowflake, SAP HANA, and more. Each connector handles the database‑specific details, so the generated REST API presents a consistent interface regardless of the underlying database technology.
LLM (Large Language Model)
Large Language Models like GPT, Claude, Llama, and Mistral are the AI systems that increasingly need access to enterprise data. They can answer questions, generate reports, and automate workflows — but only if they can access your data securely. The challenge is governing that access: LLMs shouldn't have raw database credentials. DreamFactory provides the governed API layer that sits between LLMs and your databases, ensuring AI access is controlled, rate‑limited, and fully audited.
Data Residency
Data residency requirements dictate where data can physically exist — driven by regulations like GDPR (EU), PIPEDA (Canada), or industry‑specific mandates. Cloud‑hosted API platforms can be problematic because data may transit through or be stored in jurisdictions that violate residency requirements. DreamFactory's self‑hosted model eliminates this concern entirely: the platform runs on your infrastructure, in your jurisdiction, and data never leaves your control.
Zero‑Code / No‑Code
Zero‑code platforms let you accomplish technical tasks through configuration rather than coding. DreamFactory is zero‑code for API generation — you configure a database connection, set up roles and permissions, and the platform generates a complete REST API with documentation. No endpoints to write, no routes to configure, no security middleware to implement. This dramatically reduces deployment time, minimizes bugs, and simplifies security review (no custom code to audit).
IP Whitelisting
IP whitelisting adds a network‑level security layer to API access. Even if someone has valid API credentials, they can only make requests from approved IP addresses. DreamFactory supports IP whitelisting per API key or role, meaning you can restrict AI agent access to specific servers, limit partner access to known network ranges, and ensure that production API keys only work from your infrastructure. This defense‑in‑depth approach significantly reduces the attack surface.
SCADA
SCADA systems are the backbone of industrial automation in manufacturing, utilities, and infrastructure. They collect real‑time data from sensors and PLCs on the factory floor, storing it in databases for monitoring and historical analysis. While SCADA systems weren't designed for modern API access, the databases they write to can be API‑enabled by DreamFactory — giving modern analytics, AI, and dashboard applications governed access to industrial process data without touching the SCADA system itself.
ERP (Enterprise Resource Planning)
ERP systems — SAP, Oracle E‑Business Suite, Microsoft Dynamics — are the transactional backbone of most enterprises. They store financial records, inventory data, customer information, and operational metrics. Many organizations need to expose ERP data to modern applications, AI agents, and analytics platforms but can't modify the ERP system itself. DreamFactory connects to the underlying ERP database (SAP HANA, Oracle, SQL Server) and generates governed REST APIs, providing a modern integration layer without touching the ERP.
MES (Manufacturing Execution System)
MES systems bridge the gap between ERP (business planning) and SCADA (equipment control) in manufacturing. They manage work orders, track production in real‑time, enforce quality checks, and record genealogy data. MES data is critical for Industry 4.0 initiatives but often locked in proprietary databases. DreamFactory can API‑enable MES databases, making production data accessible to modern analytics, AI quality models, and supply chain visibility platforms through governed REST endpoints.
Digital Twin
Digital twins combine IoT sensor data, historical production records, and simulation models to create living digital replicas of physical assets — from individual machines to entire factories. Building digital twins requires real‑time API access to production databases, sensor data, maintenance logs, and quality records. DreamFactory provides the governed API layer that feeds digital twin platforms with live data from manufacturing databases without requiring changes to existing systems.
API Versioning
As databases evolve — new tables, renamed columns, schema changes — the APIs that expose them need to evolve too. API versioning ensures that existing applications continue to work while new consumers can use updated endpoints. DreamFactory handles this through its configuration layer: when your database schema changes, you can regenerate APIs while maintaining backward compatibility through role‑based endpoint configuration.
Webhook
Webhooks enable event‑driven architectures by pushing notifications when data changes — instead of requiring consumers to constantly poll for updates. DreamFactory supports webhooks that fire when API events occur (record created, updated, deleted), enabling real‑time integrations with downstream systems, notification services, and workflow automation tools. This is especially valuable for manufacturing and healthcare where timely data propagation is critical.