The agency market is competitive. Your UX designs win awards, your branding strategies build strong brands, and your prototypes in Figma can look polished enough to move a client discussion forward quickly.
Then, however, comes the implementation phase, and the client puts a real technical specification on the table:
- “We need to connect this new B2B portal with our ERP system (SAP, QuickBooks, or NetSuite) in real time.”
- “The database must comply with strict security guidelines, including Row Level Security (RLS) and encryption of sensitive data.”
- “The system must handle synchronous connections to thousands of inventory items and process payments through multiple gateways under an SLA with a 99.9% uptime target.”
At this point, most design and UX agencies hit their technological ceiling. Finding, vetting, and paying senior backend developers full-time is expensive for small to medium-sized studios. Relying on unreliable freelancers, on the other hand, can compromise your reputation, deadlines, and contract terms.
How do you get out of this vicious cycle? The solution is a developer white-label partnership with a specialized engineering group. At the nolimeo technology studio, we operate as an invisible backend engine for leading UX and creative agencies. You deliver top-tier design and communication; we take responsibility for the complex server infrastructure, API integrations, and contractual SLA support, all under your own brand.
1. Why Is an In-House Backend a Risk for a UX Agency?
Building your own backend department inside a design studio brings huge operational and financial risks:
A. Extremely High Fixed Costs
A senior backend developer who can independently design a secure database architecture and connect an e-shop with an ERP system costs thousands of dollars a month, regardless of whether you have work for them or if your projects are currently stuck in the UX research phase.
B. Vetting Quality (Tech Vetting)
If you are a design studio led by a creative director or UX designer, you do not have the internal capacity to spot architectural flaws in a candidate's code during an interview. You often find out that the hired programmer cannot write a secure, optimized SQL query only when the first client's production server crashes under load.
C. Personal Dependency (Bus Factor)
If you have one backend developer in the team and they decide to leave overnight or fall ill in the middle of a critical project, your agency remains paralyzed. Finding a replacement takes months, and a new developer often refuses to continue with someone else's undocumented code.
2. How the White-Label Backend Partnership with nolimeo Works
The white-label model means that your agency remains the sole partner for the end client. You act as a full-service studio that can deliver even complex technical projects. We stay in the background, protected by a strict non-disclosure agreement (NDA).
[ Client ] ──► [ Your UX Agency ] ── (Communication, Figma, Frontend)
│
▼ (Under your brand / NDA)
[ nolimeo Engine ] ──── (TypeScript, Rust backend, Databases, SLA)
Three levels of our integration into your team:
- Invisible Partner (Ghost Mode): We communicate exclusively with your project managers and frontend developers. The client has no idea of our existence. We deliver the code to your GitLab/GitHub repositories.
- Integrated Team Member (Alias Mode): We get access to your Slack and an email inbox with your domain (e.g., [email protected]). We represent ourselves to the client as your internal backend specialists on joint technical calls.
- Consulting Partner: We help you as early as the tender phase. Our senior engineer will attend initial meetings with the client, design the technical architecture, and help you defend the budget in front of the client's IT director, increasing your chances of winning the project.
3. Technical Showcase: Secure, Scalable API Gateway Proxy for Agency Projects
When building modern headless websites (e.g., a Next.js frontend connected to a Payload CMS and Medusa.js backend), you need to ensure that the client's browser does not communicate directly with sensitive enterprise APIs.
Let's look at robust TypeScript code: an API Gateway Proxy middleware that manages authorization, implements rate limiting, and securely transforms requests from the frontend to internal microservices without exposing API keys. This is an example of the clean engineering approach we deliver to our agency partners.
// src/middleware/api-gateway-proxy.ts
import { NextRequest, NextResponse } from "next/server";
import { jwtVerify } from "jose";
const ENTERPRISE_SERVICE_URL = process.env.ENTERPRISE_SERVICE_URL || "https://api.internal.enterprise.lan";
const GATEWAY_JWT_SECRET = new TextEncoder().encode(process.env.GATEWAY_JWT_SECRET || "default_gateway_secret");
// Simple in-memory filter for rate-limiting (connected to Redis in production)
const rateLimitMap = new Map<string, { count: number; resetTime: number }>();
const MAX_REQUESTS_PER_MINUTE = 100;
function isRateLimited(ip: string): boolean {
const now = Date.now();
const clientData = rateLimitMap.get(ip);
if (!clientData) {
rateLimitMap.set(ip, { count: 1, resetTime: now + 60000 });
return false;
}
if (now > clientData.resetTime) {
rateLimitMap.set(ip, { count: 1, resetTime: now + 60000 });
return false;
}
clientData.count += 1;
return clientData.count > MAX_REQUESTS_PER_MINUTE;
}
/**
* API Gateway Middleware for Next.js / Node.js
* Ensures secure routing to internal ERP/CMS services under NDA
*/
export async function middlewareApiGateway(req: NextRequest): Promise<NextResponse> {
const clientIp = req.ip || "unknown-ip";
// 1. Protection against brute-force attacks (Rate Limiting)
if (isRateLimited(clientIp)) {
return new NextResponse(
JSON.stringify({ error: "Too many requests. Please try again later." }),
{ status: 429, headers: { "Content-Type": "application/json" } }
);
}
// 2. Verification of client JWT token from secure HTTP-Only cookie
const authHeader = req.headers.get("authorization");
if (!authHeader || !authHeader.startsWith("Bearer ")) {
return new NextResponse(
JSON.stringify({ error: "Unauthorized access. Token missing." }),
{ status: 401, headers: { "Content-Type": "application/json" } }
);
}
const token = authHeader.split(" ")[1];
try {
// Securely verify the token signature using a symmetric key
const { payload } = await jwtVerify(token, GATEWAY_JWT_SECRET);
console.log(`[GATEWAY PROXY] User ${payload.sub} successfully verified.`);
// 3. Secure forwarding (proxying) of request to internal enterprise API
const targetPath = req.nextUrl.pathname.replace(/^\/api\/gateway/, "");
const targetUrl = `${ENTERPRISE_SERVICE_URL}${targetPath}${req.nextUrl.search}`;
// Clean headers and add secure system verification for internal services
const modifiedHeaders = new Headers();
modifiedHeaders.set("Content-Type", "application/json");
modifiedHeaders.set("X-Gateway-Auth-Key", process.env.INTERNAL_SERVICE_SECRET || "internalSecret");
modifiedHeaders.set("X-User-Id", String(payload.sub));
const response = await fetch(targetUrl, {
method: req.method,
headers: modifiedHeaders,
body: req.method !== "GET" ? await req.text() : undefined,
});
const responseData = await response.json();
return new NextResponse(JSON.stringify(responseData), {
status: response.status,
headers: { "Content-Type": "application/json" },
});
} catch (error) {
console.error("[GATEWAY ERROR] Invalid JWT token signature:", error);
return new NextResponse(
JSON.stringify({ error: "Invalid or expired security token." }),
{ status: 403, headers: { "Content-Type": "application/json" } }
);
}
}
4. Our Technological Value Stack for Agencies
We are engineers, not marketers. We design our systems to survive any load, remain secure, and be easy to maintain.
What we bring to your projects:
- TypeScript & Node.js / Rust: No slow and bloated PHP code. We write fully typed, modular backends that handle common operations efficiently and keep memory usage low.
- Custom Database Architecture: Carefully designed PostgreSQL databases with Row Level Security (RLS) implementation for SaaS applications and multi-tenant systems, where individual clients' data is isolated.
- Integrations to Local Systems (ERPs): We have extensive experience connecting e-shops and portals to enterprise ERP systems (like QuickBooks, Xero, SAP, NetSuite, or Microsoft Dynamics) via stable, asynchronous middleware solutions.
- Contractual SLA (Service Level Agreement): We take responsibility for operations. We offer SLA support, 24/7 server monitoring, and response times as low as 2 hours for critical outages, depending on scope and contract terms.
5. The Trap of Cheap Freelancers and Visual Click-Tools
Many creative agencies try to bypass the shortage of backend developers in two ways, which often ends badly:
5.1. Gluing Logic via No-Code (Make.com, Zapier)
Visual click-tools are great for quickly connecting a contact form to a Google Sheet. However, if you build the core of an e-shop or synchronize thousands of orders on them, you will hit hard limits:
- Extremely High Operational Costs: With tens of thousands of transactions per month, scenario costs can become significant.
- Security Gaps: Your clients' sensitive data passes through third-party servers, which reduces control over the data flow.
- Fragility: A change to a single parameter in a third-party API can break the workflow, and you may spend days tracking down the issue in a visual editor without the ability to write a unit test.
5.2. Hiring Unverified Freelancers
Freelancers are great for small template tweaks, but they are a huge risk for enterprise projects:
- Unavailability: A freelancer can disappear in the middle of a project, stop answering calls, or prioritize another client.
- Lack of Documentation: They may write code quickly and without rules. If they leave, no one can take over the system, and you may need to start a rewrite.
Conclusion: Do What You Do Best. Leave the Rest to Engineers
Creative and UX agencies often grow fastest when they focus on what makes them exceptional: design, strategy, brand building, and client care. Trying to manage complex technical development, maintain database clusters, and keep servers running at night only drains your energy and holds back your business.
At nolimeo, we are a programming group of senior developers. We do not learn on your projects, we do not glue complex backends with no-code tools, and we do not sell overpriced templates. We deliver every code component with full typing and documentation. We are a reliable backend partner in the background, helping your designs run on secure infrastructure.
Want to expand your UX agency's services to include complex custom software development, need a reliable backend partner for a large client project, or want to review an upcoming technology tender? Contact us and we’ll review your scope, risks, and delivery model.
