BFF Pattern
A Backend-for-Frontend can help a custom page compose data and actions without leaking credentials or overloading the event model.
Use a BFF for
- combining Cessy projections with third-party read data
- server-side calls that require secrets
- UI-specific aggregation that should not become a domain projection
- file transforms, exports, or imports that need controlled server logic
- feature flags or workspace-specific preview helpers
Do not use a BFF for
- replacing commands with arbitrary mutations
- bypassing permissions
- storing business facts outside the event history
- hiding long-running policy behavior from Activity
- making design-time API calls from runtime pages
Recommended shape
Keep the BFF thin:
- authenticate the user
- authorize against app intent
- call generated Cessy runtime APIs
- call approved external services
- return UI-shaped data
If the BFF starts owning decisions, move that behavior into commands, events, and policies.
Verification
Test the Cessy runtime path and the BFF path separately. A custom page is not verified until the command/projection contract works without the page and the page works against the published contract.