Wapka Platform — The Biggest Update Yet: Subsite Engine v1, Lua Framework, REST API & Native Apps
Posted: Fri May 22, 2026 3:18 am
After months of intensive development, we're thrilled to announce the largest platform update in Wapka's history. This isn't just a feature update — it's a complete architectural overhaul that transforms Wapka from a website builder into a full-stack application platform.
Try it now: https://wapka.zuna.id | Dev Server:
The Subsite Engine — How Your Sites Are Now Served
We've completely rebuilt the execution layer that powers every Wapka site. The new Subsite Engine supports three runtimes side-by-side:
- Tag Engine — The classic {{TAG}} macro language you know and love, fully backwards-compatible with 50+ functions and 29 widget types.
- Lua Framework (Beta v1) — A complete sandboxed server-side web framework. Write backend logic in Lua, and it runs instantly. No build step, no deployment, no server management.
- Native Engine — Pre-built, first-party PHP applications installable from our marketplace with one click. Automatic install/upgrade lifecycles and version tracking.
Lua Web Framework — SSR Without the Hassle
This is the crown jewel of the update. The Lua engine gives you a full web framework running inside a secure sandbox:
- Routing: GET, POST, PUT, DELETE, PATCH with `:param` pattern matching
- Middleware: Built-in CORS, JSON body parsing, auth, admin gating — plus custom middleware
- Hooks: `before`, `after`, and `error` lifecycle hooks
- Twig Templates: Sandboxed Twig 3.x with HTML auto-escaping, includes, extends, blocks, and 30+ filters. No PHP access.
- Input Validation: Laravel-style validator with `required`, `email`, `min:`, `max:`, `in:`, `regex:`, and more — 100% pure Lua
- HTTP Client: Python-requests-style API (`http.get()`, `http.post()`, etc.) with SSRF protection, private IP blocking, rate limiting, and redirect validation
- API Bridge: Full CRUD access to 9 entity types directly from Lua — users, forums, posts, messages, files, pages, codes, data, sites
- ZIP Static Mounting: Upload a ZIP archive and serve it as a static website at a URL prefix with auto `index.html` fallback
- Flash Messages: Cookie-backed, HMAC-signed, no sessions required — fully stateless
- Dry-Run Mode: Test your Lua code against live data without side effects — add `?__dry_run=1` to any URL
```lua
-- A complete dynamic page in Lua
local app = framework()

app:get('/', function(ctx)
    local posts = api.posts:list({limit = 10})
    local users = api.users:list({limit = 5})

    local v = validator(ctx.params, {
        name = {required = true, min = 3},
        email = {required = true, email = true}
    })

    if v:passes() then
        flash:set('success', 'Form submitted!')
        return ctx:redirect('/thank-you')
    end

    return app:render('home.twig', {
        posts = posts,
        users = users,
        errors = v:errors()
    })
end)

app:run()
```
Native App Marketplace
We've introduced a pluggable Native App system. Apps implement a standard `NativeApp` interface and are registered in the marketplace. Users install with one click — the platform handles the rest:
- Automatic page and collection creation on install
- Version tracking with upgrade callbacks
- Graceful fallback to Welcome app if an app is broken or disabled
- Categories: blog, ecommerce, portfolio, business, social, utility
Full REST API — 10 Entity Types, JWT + API Key Auth
The SDK now exposes a comprehensive JSON REST API covering every entity in the platform:
| Entity | Operations |
|---|---|
| Users | get, list, create, update, login, online, me, delete, stats |
| Sites | get, list, firewall config |
| Pages | get, list with filters |
| Forums | get, list, create, rename, delete |
| Posts | get, list, create, update, soft-delete, hard-delete, restore |
| Messages | send, chat, conversations, unread count, edit, delete |
| Files | get, list, upload, import from URL, rename, delete |
| Folders | get, list, create, rename, delete |
| Codes (Widgets) | get, list, create, update, delete, copy, move, reorder |
| Data (NoSQL) | collections, get, find with filters, create, update, delete, restore, purge |

- Auth: API Key (`wpk_` prefix, SHA-256 hashed) or JWT (HS256, configurable TTL)
- Rate Limiting: Per-scope (public 30/min, user 300/min, admin 1000/min)
- IP Control: Allow/block lists with wildcard support
- Field-Level Access: Five persona tiers — Public, User, Moderator, Admin, Superadmin — each sees different fields
- Field Selection: GraphQL-like `?fields=UserInfo(username,avatar)` for precise responses
Admin Panel — Complete Control
The admin panel has been rebuilt from the ground up with 14 dedicated services:
- Site Management: CRUD, config, stats, permanent destroy with data preservation
- API Firewall: Per-site method control, rate limits, IP lists, field rules, JWT toggles
- User Groups: Create/delete groups, add/remove members by ID, username, or email
- URL Rewrites: Up to 100 rewrite rules per site
- Template Packs: ZIP-based template installation and switching
- Native Apps: Marketplace browser, install, uninstall, reset
- Analytics: Visitor stats, unique IPs, top pages and referrers
We've moved to fully stateless JWT-based authentication across the entire platform:
- `wk_token` cookie — HS256 JWT, 7-day TTL
- No PHP sessions anywhere — zero server-side state
- Cookie-based flash messages (`wk_flash`, 30s TTL, base64+JSON, httponly, secure)
- Structured Logging: Access logs (buffered 500-line batches), error logs (30 days), debug logs (3 days), per-error trace dumps
- Trace IDs: Every request gets a unique `X-Trace-Id` header for diagnostics
- Friendly Error Pages: In debug mode, errors include contextual explanations like "Your Lua script tried to access a field on a nil value" with full stack traces
- Dry-Run Mode: Test any operation — all DB writes roll back, response tagged with `X-Dry-Run: 1`
- Health Endpoint: `/_wapka/trace` returns diagnostic info (site_id, engine, Lua availability, TLS/HTTP2)
- SSRF-Protected HTTP Client: Private IP blocking, metadata endpoint blocking, redirect validation, 5MB response cap, 50-request limit
Architecture at a Glance
```
Request → SiteResolver (finds your site)
        → Pipeline (middleware: trace, logging, dry-run)
        → EngineResolver (picks Tag / Lua / Native)
        → Engine::handle()
        → Response (HTML, JSON, redirect, file)
```
What's Next?
- More native apps in the marketplace
- Lua framework: WebSocket support, scheduled tasks, file upload handling
- OpenAPI 3.0 spec for the REST API
- PHPUnit test suite
- Analytics dashboard
- Usage-based billing
Questions? Feedback? Reply below or reach out on our forum.
— The Wapka Team
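The post lists private IP blocking, metadata endpoint blocking, redirect validation and a 5MB response cap for the Lua HTTP client. As an added example (Python, not Wapka's code), the checks below show what those controls involve; `resolve` and `send` are injected stand-ins for DNS and the transport, and the redirect limit and sample hosts are assumptions.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

MAX_BODY = 5 * 1024 * 1024  # the 5MB response cap named in the post
MAX_REDIRECTS = 5           # assumed hop limit; the post does not give one

def check_url(url, resolve):
    """Return None if url may be requested, else the reason it is refused."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "scheme or host not allowed"
    try:
        ips = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    except ValueError:
        ips = []
    if not ips:
        return f"{parts.hostname} did not resolve to an IP address"  # fail closed
    for ip in ips:
        # Classify IPv4-mapped IPv6 (::ffff:127.0.0.1) by the IPv4 it wraps.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        # False for private, loopback and link-local (169.254.169.254) ranges.
        if not ip.is_global:
            return f"{parts.hostname} resolves to non-public address {ip}"
    return None

def fetch(url, resolve, send):
    """Follow redirects by hand so every hop is checked before it is sent."""
    for _ in range(MAX_REDIRECTS + 1):
        reason = check_url(url, resolve)
        if reason:
            return ("blocked", reason)
        status, location, body = send(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # handles relative Location values
            continue
        if len(body) > MAX_BODY:
            return ("blocked", "response exceeds the 5MB cap")
        return ("ok", body)
    return ("blocked", "too many redirects")

# Constructed sample data: fake DNS answers and responses so this runs offline.
SAMPLE_DNS = {"cdn.example": ["93.184.216.34"],
              "mapped.example": ["::ffff:127.0.0.1"]}
SAMPLE_WEB = {"https://cdn.example/a": (200, None, b"hello"),
              "https://cdn.example/r": (302, "http://169.254.169.254/", b"")}

def sample_resolve(host):
    return SAMPLE_DNS.get(host, [host])  # IP literals resolve to themselves
```

In a real client the connection has to go to the address that was checked; resolving the name again at connect time lets the DNS answer change between check and use.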
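The post describes flash messages as cookie-backed and HMAC-signed (`wk_flash`, 30s TTL, base64+JSON). An added Python example (not Wapka's code) of signing and verifying such a cookie follows; the `payload.tag` layout, the `exp` and `msg` field names and the sample key are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

FLASH_TTL = 30  # seconds; the wk_flash lifetime given in the post

def _mac(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest().encode()

def make_flash(key, messages, now=None):
    """Build a cookie value: base64(JSON) + "." + HMAC-SHA256 (assumed layout)."""
    now = time.time() if now is None else now
    body = {"exp": int(now) + FLASH_TTL, "msg": messages}
    payload = base64.urlsafe_b64encode(json.dumps(body).encode())
    return (payload + b"." + _mac(key, payload)).decode()

def read_flash(key, cookie, now=None):
    """Return the messages, or None if the cookie is forged, malformed or expired."""
    now = time.time() if now is None else now
    payload, sep, tag = cookie.encode().rpartition(b".")
    # Check the MAC first, in constant time: unauthenticated bytes never
    # reach the base64 or JSON parsers.
    if not sep or not hmac.compare_digest(tag, _mac(key, payload)):
        return None
    body = json.loads(base64.urlsafe_b64decode(payload))
    # The expiry sits inside the signed payload, so a client cannot extend it.
    if body["exp"] < now:
        return None
    return body["msg"]

# Constructed sample key; a deployment would load a random secret instead.
SAMPLE_KEY = b"constructed-demo-key-not-a-real-secret"
```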