BRICQS is an AI-native cloud platform with its own compute, storage, database, secrets infrastructure, global edge network, and zero-credential security. Every organization gets dedicated storage and a secrets vault — no shared infrastructure between tenants. Below is what each piece actually does, with the real API surface behind it.
Connect an OpenAI, Anthropic, or Google API key to a project. BRICQS proxies chat completions through a unified, OpenAI-shaped endpoint — your code only ever talks to one API surface, regardless of which provider is behind it. The key is stored in your org's own dedicated secrets vault and never touches the application database.
POST /runtime/{project_id}/chat/completionsDeploy an open model (LLaMA, Mistral, Phi-3, Stable Diffusion XL, Whisper, BGE embeddings) to a real, dedicated GPU container on BRICQS Compute. You get a live HTTPS endpoint backed by an actual provisioned BRICQS Compute instance with development, preview, and production environments. Real BRICQS Monitor metrics (CPU%, memory%, GPU utilization%, request count, response time) are available with no app-level instrumentation required.
POST /deployments/deploy · POST /deployments/{id}/promoteA tool-using agent loop (Anthropic-backed) with a sandboxed calculator and an http_get tool. Runs up to 6 reasoning steps and returns the full tool-call trace alongside the final answer.
POST /agent/runUpload a PDF/DOCX/TXT to a project. BRICQS chunks and embeds it, then answers questions grounded only in retrieved chunks via vector similarity search. Documents are stored in your org's dedicated BRICQS Storage account.
POST /rag-project/{project_id}/documents · POST /rag-project/queryDefine an ordered list of steps. A step can run a prompt against its own project's provider, or call directly into a different project's RAG index, Agent, or GPU deployment — workflows aren't limited to their own runtime. Supports {{input}} and {{previous}} template variables with step-by-step execution logs.
PUT /workflow/{project_id}/definition · POST /workflow/{project_id}/runProvision a real, dedicated managed SQL database server — not a shared multi-tenant cluster. Each database gets its own server, its own table editor (browse/filter/insert/delete rows), a real SQL editor with saved/private/shared queries, a compute-tier picker backed by real dedicated hardware tiers, and a connection-string reveal that is logged every time it is viewed. Connect a GitHub repository to a database and pushes to your configured production branch auto-apply any pending SQL migrations — scoped to that one branch, so a push to a feature branch never touches your live data.
vector search is available on every provisioned database — no extension install required. This is the same vector store backing the RAG runtime.
POST /databases · GET /databases/{id}/tables · POST /databases/{db_id}/github/repoEvery GPU Runtime deployment can run in development, preview, or production — a project can hold all three simultaneously, each as its own real, separately billed BRICQS Compute instance. The app names use deterministic suffixes (-dev, -preview, no suffix for production) to avoid platform name length limits.
Promoting a preview to production provisions a fresh production container from the preview's exact configuration and only retires the prior production deployment once the new one is confirmed running — never a stop-then-create gap. If the retire call fails, a background retry thread attempts with exponential backoff (4 attempts, 30/60/120/240 second delays) rather than leaving a manual fallback instruction.
A live deploy pipeline shows real stage transitions: queued → connecting → creating container → provisioned → waiting for model → running. Each transition is tracked in the stage column and surfaced in the console's pipeline panel, polled every ~2 seconds.
GET /deployments/{id}/metrics — real BRICQS Monitor metrics (CPU%, memory%, GPU%, requests, response time)GET /deployments/activity — audit-log backed activity feed, filterable by deployment_idGET /deployments/summary — aggregated stats: active deployments, GPU hours, failure ratePOST /deployments/{id}/promote — zero-downtime promote with background retire-on-successBRICQS includes a full domain platform — not a CNAME-point-and-pray CDN integration. Domains are a first-class resource, decoupled from any single deployment. You can add a domain you already own or purchase a new one, then independently attach it to a GPU Runtime deployment, a workflow deployment, or leave it unattached and manage DNS from the console.
Every domain transitions through a real state machine: unattached → verifying → verified → ssl_pending → active (or failed). Each transition is driven by a real DNS check, cert issuance result, or Container App binding result — not a simulated status. WebSocket live updates push each job progress to the console without polling.
Search availability across TLDs, compare prices, and purchase domains backed by BRICQS Registrar. Registrant profiles can be saved and reused. Domain transfers (in and out) are supported with real EPP auth code flow and status polling. WHOIS privacy toggle is available per domain.
GET /domains/search?query=example&tld=.comPOST /domains/purchasePOST /domains/transferGET /domains/compare-prices?domain=example.comAdd, update, and delete A/AAAA/CNAME/MX/TXT/NS records. Import existing records from the live zone. Apply pre-built DNS templates (common setups for email providers, CDNs, etc.). Take DNS snapshots at any point and restore them with a single API call. An AI DNS assist endpoint suggests records based on your deployment context.
BRICQS SSL certificates are issued via DNS-01 challenge (no public HTTP endpoint required), with wildcard support (*.yourdomain.com). BRICQS writes the required _acme-challenge TXT record automatically when the domain's DNS is managed by BRICQS, waits for real propagation, then issues and binds the cert to the Container App. Cert transparency logs are visible per domain. Certificate revocation is supported.
Define custom edge routing rules per domain, served by the BRICQS edge router. Create URL redirects with any HTTP status code (301, 302, 307, 308) — BRICQS provisions a real Container App redirect app rather than a DNS-only approach. Enable a maintenance mode page that gates all traffic with a custom HTML/CSS page while the domain stays live.
Per-domain security checks cover: CAA records (restrict who can issue certs), DNSSEC status, HSTS header (auto-set for tenant domains routed through the edge router), cert transparency log presence, and email health (MX, SPF, DKIM, DMARC). A domain risk report aggregates findings across your entire portfolio.
Wildcard-eligible domains can have subdomains onboarded as tenant routes — each subdomain maps to a target deployment via the edge router. This powers multi-tenant SaaS setups where each customer gets a dedicated subdomain (e.g. customer.yourdomain.com) without a separate Container App per tenant.
POST /domains — add a domain or purchase a new onePOST /domains/{id}/ssl — request a TLS cert (DNS-01, wildcard supported)GET /domains/{id}/analytics — edge analytics (requests, bandwidth, threats, latency, cache hit ratio)POST /domains/{id}/cache/purge — purge Redis CDN cache by path or prefixGET /domains/{id}/security — CAA, DNSSEC, HSTS, cert transparency, email healthPOST /domains/{id}/tenants — onboard a subdomain as a tenant route via edge routerGET /domains/risk-report — cross-portfolio domain risk assessmentPOST /domains/{id}/ai-assist — AI-suggested DNS records for your deploymentEvery custom domain on BRICQS is served through a real edge router — a dedicated BRICQS Compute instance (BRICQS Edge Router) that is the actual traffic path, not a CDN integration. The edge router emits one JSON log line per request to stdout, which BRICQS Compute automatically indexes into BRICQS Monitor.
9 OWASP managed ruleset categories are applied to every request: SQL injection, XSS, remote file inclusion, path traversal, PHP injection, Apache injection, IIS injection, cross-site scripting, and scanner detection. Rules are evaluated in priority order; the first match blocks the request and logs it with the matching rule name.
Multi-signal bot scoring combines: per-IP request rate (5-second and 60-second windows), suspicious path patterns (crawlers, scanners, .env, wp-admin), user-agent fingerprint matching against known bot signatures, and IP reputation list lookup. A request exceeding the score threshold is blocked with a 403 and logged as blocked: true.
All 5 RIR delegation files (ARIN, RIPE, APNIC, LACNIC, AFRINIC) are downloaded and compiled into a binary-packed in-memory table of 259,824 IPv4 ranges (~2.5 MB). Each request is tagged with the originating country code, available in the country field of the log line and surfaced in edge analytics as top-5 countries.
Cacheable GET responses are stored in BRICQS Cache. The edge router authenticates using BRICQS Identity exclusively — Redis runs with key-based auth permanently disabled (zero-credential mode), meaning access keys are permanently disabled at the infrastructure level. A short-lived BRICQS Identity bearer token is acquired via BRICQS identity credential, the oid claim is decoded from the JWT payload (no metadata call required), and the token is refreshed every 40 minutes. Cache hits are logged with rule: "cache-hit" and the real cache hit ratio is computed in BRICQS Monitor from BRICQS Monitor.
The API server exposes a cache purge proxy endpoint. The purge token is stored as an encrypted Container App secret (not a plaintext env var) and is never exposed to API callers — the server holds it and proxies the purge request to the edge router.
POST /domains/{domain_id}/cache/purgeBRICQS enforces a zero-credential posture for all infrastructure-to-infrastructure communication:
the cache service scope, decodes the oid claim from the JWT payload, and authenticates to Redis using identity token credentials. No metadata call required. Token auto-refreshes every 40 minutes.key-based auth permanently disabled at the platform level. Access keys do not exist and cannot be re-enabled without an platform resource update.BRICQS secret store (encrypted at rest by BRICQS) and surfaced to services as named secret references, never as plaintext environment variables.Data Owner access policy on the Redis resource via BRICQS Identity policy binding.Every push to the main branch runs a fully automated pipeline with no manual steps:
pip-audit --strict, npm audit --audit-level=high.migrate.sh runs every pending SQL file against the live managed SQL database instance. Applied migrations are tracked in a schema_migrations table — idempotent, no file is applied twice.BRICQS Compute automatically collects platform telemetry for every deployed app with no application-side instrumentation required. BRICQS exposes this via the BRICQS Monitor SDK BRICQS Monitor metrics API API:
The GET /deployments/{id}/metrics?hours=6 endpoint returns a 5-minute-interval series for each metric. The deployment detail view renders these as inline line charts (hand-rolled SVG, no chart library dependency). For deployments with no traffic in the window, the response is an empty series — not a fabricated zero.
Distributed traces (per-request span data) are not yet available. Platform metrics give time-series aggregates — individual request traces require per-request tracing instrumentation inside the served model container, which does not exist yet. This is the one remaining honestly-deferred observability item.
curl https://api.bricqs.cloud/runtime/{project_id}/chat/completions \
-H "Content-Type: application/json" \
-d '{
"messages": [{"role": "user", "content": "Hello!"}]
}'from openai import OpenAI
client = OpenAI(
base_url="https://api.bricqs.cloud/runtime/{project_id}",
api_key="not-needed-for-session-auth",
)
response = client.chat.completions.create(
model="gpt-4o-mini",
messages=[{"role": "user", "content": "Hello!"}],
)
print(response.choices[0].message.content)Console requests are authenticated with your real BRICQS session token (issued by our own auth service, not a third party). Every destructive endpoint (stopping or deleting a deployment, deleting a project, writing a secret) verifies that token server-side and checks you actually own the resource or have org-level access to it, rather than trusting a client-supplied ID.
External calls to a runtime endpoint use a platform API key, generated from the API Keys page, sent as Authorization: Bearer <key>. Keys are stored hashed in managed SQL database — BRICQS never stores the plaintext value after the initial reveal.
provision-East region-edge.sh script, which is staged but blocked by the free-tier 1-environment limit.source: "github" to the deploy endpoint returns a 400. No git-sourced build pipeline exists yet.