REST API Development: Beginner to Production
Master REST API design, implementation, security, and deployment using Node.js and Express. By the end, you will have built and shipped a fully authenticated, documented, and production-ready REST API.
Course Content
6 modules · 30 lessons
HTTP Foundations and REST Principles
Understand the HTTP request/response cycle and the six REST constraints so you can design resource-oriented APIs from scratch.
How HTTP request-response cycle works
HTTP protocol, request structure, response structure, status codes, headers, stateless communication
What makes an API RESTful — the 6 constraints
REST architectural style, statelessness, uniform interface, client-server separation, cacheability, layered system, code on demand
HTTP methods — GET POST PUT PATCH DELETE explained
GET semantics, POST semantics, PUT vs PATCH, DELETE, idempotency, safe methods, method choosing rules
REST resource naming and URL design best practices
resource naming, nouns vs verbs, plural vs singular, nested resources, URL hierarchy, query parameters, filtering
HTTP status codes — which code to return and when
2xx success codes, 3xx redirects, 4xx client errors, 5xx server errors, 201 vs 200, 400 vs 422, 401 vs 403, 404 vs 410
Building Your First API with Node.js and Express
Set up an Express server, define routes, handle JSON requests and responses, and structure a project that can grow.
Setting up Express.js for REST API development
Node.js setup, Express installation, app initialization, listen method, port configuration, nodemon, package.json scripts
Express routing — defining GET POST PUT DELETE routes
app.get, app.post, app.put, app.delete, route parameters, req.params, req.body, req.query, res.json, res.status
Express Router — organizing routes into separate files
express.Router, router files, app.use with prefix, modular routing, separation of concerns, route mounting
Express middleware — what it is and how to use it
middleware concept, next() function, request pipeline, global middleware, route-level middleware, error-handling middleware, middleware order
Project folder structure for a scalable Express API
MVC folder structure, routes folder, controllers folder, middleware folder, models folder, config folder, environment variables, dotenv
Data Validation, Error Handling, and API Design Patterns
Validate inputs with Zod, design consistent error responses, and apply patterns like pagination and filtering that production APIs require.
Input validation in Express with Zod
Zod schema, z.object, z.string, z.number, safeParse, validation middleware, error formatting, required vs optional fields
Consistent API error response format design
error response envelope, error codes, error messages, stack traces in development, AppError class, centralized error handler, RFC 7807
API pagination — cursor-based vs offset-based
offset pagination, cursor pagination, page and limit params, total count, next/prev links, cursor encoding, performance tradeoffs
API filtering and sorting with query parameters
query parameter parsing, dynamic WHERE clauses, whitelist approach, sort direction, multi-field sorting, injection prevention
API versioning strategies — URL vs header versioning
URL versioning, header versioning, Accept header, version deprecation, breaking vs non-breaking changes, versioning tradeoffs
Authentication and Authorization
Implement JWT-based authentication, role-based access control, and secure password handling so your API knows who is calling and what they can do.
JWT authentication — how JSON Web Tokens work
JWT structure, header, payload, signature, base64url encoding, signing algorithms, HS256 vs RS256, token expiry, stateless auth
Implementing login and JWT auth middleware in Express
password hashing with bcrypt, login endpoint, issuing JWTs, Authorization header, Bearer token, auth middleware, protecting routes
Refresh tokens — implementing secure token rotation
access token vs refresh token, token rotation, httpOnly cookies, refresh endpoint, token families, revocation, sliding sessions
Role-based access control (RBAC) in Express APIs
roles in JWT payload, authorize middleware, role hierarchy, permission checking, admin vs user routes, least privilege principle
Securing passwords — bcrypt hashing and common mistakes
bcrypt algorithm, salt rounds, genSalt, hash, compare, timing attacks, never store plaintext, never log passwords, rate limiting login
Database Integration with PostgreSQL and Prisma
Connect your API to a real PostgreSQL database using Prisma ORM, write efficient queries, handle migrations, and avoid common database pitfalls.
Connecting Express to PostgreSQL with Prisma ORM
Prisma setup, DATABASE_URL, prisma init, schema.prisma, prisma generate, PrismaClient, singleton pattern, connection pooling
Prisma CRUD — create, read, update, delete with real queries
create, findUnique, findMany, update, delete, upsert, select, where clause, include relations, orderBy, take and skip
Database transactions in Prisma — when and how to use them
ACID transactions, prisma.$transaction, sequential vs interactive transactions, rollback on error, use cases, avoiding partial updates
N+1 query problem in APIs and how to fix it with Prisma
N+1 query problem, eager loading, include, select with nested relations, query count, dataloader pattern, performance impact
Prisma migrations — managing database schema changes safely
prisma migrate dev, prisma migrate deploy, migration files, schema drift, rolling back, adding columns, prisma db push, production workflow
Testing, Documentation, and Production Deployment
Write integration tests with Jest and Supertest, generate OpenAPI documentation, add rate limiting and security headers, and deploy your API to a production environment.
Integration testing Express APIs with Jest and Supertest
Jest setup, Supertest, describe and it blocks, beforeAll and afterAll, HTTP assertions, testing status codes and response bodies, test database, teardown
OpenAPI documentation — generating docs from your Express API
OpenAPI 3.0, swagger-ui-express, swagger-jsdoc, JSDoc annotations, paths and schemas, request body definition, response schemas, live documentation UI
Rate limiting and security headers for production APIs
express-rate-limit, helmet, CORS with cors package, rate limit headers, trust proxy, X-RateLimit headers, brute force protection, Content-Security-Policy
Environment variables and config management for APIs
dotenv, .env.example, config module, environment-specific settings, secrets management, never commit secrets, validation with envalid
Deploying a Node.js API to production — Railway and Render
production checklist, NODE_ENV production, process managers, health check endpoint, zero-downtime deploys, Railway deployment, Render deployment, build command, start command
