Autumn

Autumn 0.4.0

Rust web framework for server-rendered apps

Autumn gives Rust developers a direct path from route handler to production-ready web app: typed routing, Maud templates, static assets, health checks, and deployment defaults.

Get startedRead the docs
Rust
use autumn_web::prelude::*;

#[get("/")]
async fn index() -> Markup {
    html! { h1 { "Hello, Autumn." } }
}

#[autumn_web::main]
async fn main() {
    autumn_web::app()
        .routes(routes![index])
        .run()
        .await;
}
Getting Started with AutumnThis guide takes you from zero to a running Autumn web app with routes, a database, HTML templates, interactive UI, and the published autumn-web 0.4 release line. Budget about 30 minutes.What Happens When...The questions you have at hour two, not hour one. This guide covers the failure modes, edge cases, and "what if" scenarios that the getting-started guide doesn't cover.Coming From Other FrameworksIf you think in Spring Boot, Django, or Rails, this guide maps the concepts you already know to their Autumn equivalents. Same ideas, different syntax.Accessibility in AutumnAutumn is designed to produce WCAG 2.1 AA-compliant HTML by default. This guide explains the built-in helpers, the patterns recommended for htmx-driven pages, and how to integrate autumn check --a11y into your CI pipeline.Middleware in AutumnAutumn ships a curated stack of built-in middleware — request IDs, security headers, CSRF, CORS, sessions, metrics, exception filters. That covers the boring-but-critical concerns most applications share. When you need something off the beaten path (a timeout, a rate limiter, a custom tracing span, a legacy header injector), reach for `AppBuilder::layer` and drop in any standard `tower::Layer`.Typed Path HelpersEvery route macro (#[get], #[post], #[put], #[delete], #[patch]) automatically emits a companion path-helper function alongside the handler:`autumn routes` — Route Inspection CLIautumn routes prints every mounted route — method, path, handler name, registration source, and active middleware — without starting the HTTP server or connecting to a database.Macro TransparencyAutumn relies on procedural macros to eliminate boilerplate. This guide shows you exactly what those macros generate so there are no surprises at runtime.Integration TestingAutumn ships a first-party test surface (autumn_web::test) that brings Rails-grade ergonomics to Rust integration testing: one line to boot a fully-wired app, assertions that chain, and a shared Postgres testcontainer that keeps your test suite fast.TransactionsUse Db::tx when a handler must perform multiple writes atomically.Database SeedingAutumn ships a first-class seed convention so a freshly-migrated database can be populated with representative data in a single command.File Storage in AutumnAutumn ships a pluggable file-storage abstraction so apps that accept user-uploaded files (avatars, attachments, generated reports) don't have to pick an SDK, design a key scheme, or hand-roll URL signing every time.MailEnable the optional mail subsystem when your app needs password resets, signup confirmations, or transactional notifications:Record-Level Authorization#[secured] answers "are you in?" — is this request authenticated, and is the user in one of the listed roles? It does not answer "are you allowed to act on this specific record?" That is the question every multi-user CRUD app has to answer at every write endpoint, and it is what Autumn's Policy trait, the #[authorize] macro, and the policy = argument on #[repository] exist for.Signed Webhook IntakeAutumn can verify third-party callbacks before your handler runs. The SignedWebhook extractor preserves the exact request bytes, checks the provider signature, applies timestamp tolerance, rejects replayed delivery IDs, and then hands the verified bytes and metadata to your route.Signing SecretsEvery production Autumn app that uses framework-owned signed state must have a stable, private signing secret provisioned before the server starts. This guide defines the contract, explains the dev/test defaults, and walks you through provisioning, multi-replica setup, and rotation.Realtime Channels, SSE, and htmx BroadcastsAutumn's ws feature provides a named channel registry for WebSockets, SSE, and server-rendered htmx fragments. Local development uses in-process tokio::broadcast channels. Multi-replica deployments can switch the same API to Redis pub/sub with autumn.toml.WebSockets in AutumnAutumn exposes WebSocket endpoints through the #[ws] attribute macro, so real-time routes use the same ergonomic shape as #[get] or #[post]:Background Jobs (`#[job]`)Autumn provides first-class ad-hoc background jobs for request-triggered async work.One-Off TasksUse one-off tasks for operational scripts that need normal Autumn context but should not become HTTP routes: backfills, cleanup jobs, customer-specific data fixes, replay scripts, and reports.Operating Background JobsAutumn ships a built-in jobs dashboard in autumn-admin-plugin for operators who need to inspect and recover request-triggered #[job] work without adding a separate queue UI.Multi-Replica Scheduled Tasks#[scheduled] defaults to the original in-process behavior: every running replica owns its own timer. That is convenient in development and preserves the local-compatible behavior of earlier releases, but it is not safe for tasks that send emails, call paid APIs, expire tokens, charge cards, or mutate shared state.Admin PanelAutumn ships a first-party autumn-admin-plugin that gives you a server-rendered CRUD back-office at /admin (configurable). The autumn generate admin command turns an existing #[model] into a fully-wired AdminModel without hand-writing the adapter.Code Generatorsautumn generate collapses the five-file dance of "add a resource" into a single command. Four subcommands cover the cases you actually hit:Replacing Autumn subsystems with custom implsThis guide is the per-trait how-to for tier-1 subsystem replacement. For the bigger picture — when to reach for tier-1 vs tier-2 (#[intercept]) vs tier-3 (Plugin) — see `extensibility.md`.Extensibility in AutumnAutumn ships with sensible defaults for everything — config loading, the database pool, the session store, the telemetry subscriber, error pages, the request cache, route handlers, middleware. None of those defaults are written in stone. The framework gives you three different mechanisms to swap them out, each suited to a different scope of change. Knowing which tier a piece of behaviour lives in is the fastest way to find the right hook.Cloud-Native AutumnThis guide is the blunt version: Autumn can run as a single-process monolith with almost no config, but that does not automatically make every default safe for multi-replica production.Deploying an Autumn AppThis guide walks you from a fresh autumn new project to a production-shaped container running against a real Postgres database. Every command is verbatim; no file editing is required to reach a running container.Docs Smoke ProcedureThis docs-smoke procedure certifies the public first-run path for the published Autumn 0.4.x line. It must use Rust 1.88.0+ and the published autumn-cli and autumn-web crates unless the release is explicitly in a pre-publish rehearsal.Internationalization (i18n)Autumn ships an opt-in i18n module that gives Spring Boot / Rails / Phoenix migrants the localization story they expect, with convention over configuration and a small, well-defined surface.