API Design Principles
A well-designed REST API is intuitive, consistent, and predictable. Use nouns for resources (not verbs), HTTP methods for actions (GET for read, POST for create, PUT/PATCH for update, DELETE for remove), and appropriate status codes for every response.
Project Structure
Separate concerns from the start: routes handle request routing, controllers contain business logic, services handle data access, and middleware handles cross-cutting concerns (auth, validation, logging). This structure scales to large codebases.
Authentication with JWT
Generate JWTs using jsonwebtoken. Store the secret in environment variables, never in code. Set appropriate expiration times. Use our JWT Decoder to inspect tokens during development. Implement refresh token rotation for long-lived sessions.
Input Validation
Validate all input on the server — never trust client-side validation alone. Libraries like Joi, Zod, or express-validator provide schema-based validation with clear error messages. Return 400 with specific field errors, not generic "Invalid input".
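One example, added here and not part of the original page, covering the three preceding sections together: resource nouns with the HTTP method carrying the action and a status code per outcome (API Design Principles), the routes/controllers/services/middleware split (Project Structure), and a validation middleware that rejects bad input with 400 and per-field errors (Input Validation). It needs no framework: a small `handle` dispatcher stands in for Express, the in-memory `db` stands in for a database, and the mini schema format is a constructed stand-in for what Joi or Zod provide; all names (`userService`, `userController`, `validateBody`, `createUserSchema`) are assumptions of this example.

```javascript
// Added example: layered REST API with server-side validation. In a real project
// each section below is its own directory (routes/, controllers/, services/,
// middleware/); they sit in one file here so the block runs stand-alone.

// ---- services: data access only (in-memory Map stands in for a database) ----
const db = { users: new Map(), nextId: 1 };
const userService = {
  findAll: () => [...db.users.values()],
  findById: (id) => db.users.get(id) || null,
  findByEmail: (email) => [...db.users.values()].find((u) => u.email === email) || null,
  create: ({ email, name }) => {
    const user = { id: db.nextId++, email, name };
    db.users.set(user.id, user);
    return user;
  },
  remove: (id) => db.users.delete(id),
};

// ---- controllers: business logic; every branch maps to a specific status code ----
const userController = {
  list: () => ({ status: 200, body: userService.findAll() }),
  get: (req) => {
    const user = userService.findById(Number(req.params.id));
    return user ? { status: 200, body: user } : { status: 404, body: { error: 'user not found' } };
  },
  create: (req) => {
    if (userService.findByEmail(req.body.email)) {
      return { status: 409, body: { error: 'email already registered' } };
    }
    return { status: 201, body: userService.create(req.body) };
  },
  remove: (req) => (userService.remove(Number(req.params.id))
    ? { status: 204, body: null }
    : { status: 404, body: { error: 'user not found' } }),
};

// ---- middleware: validation is cross-cutting, so it runs before the controller ----
// Returns a 400 response with one entry per failing field, or null to continue.
function validateBody(schema) {
  return (req) => {
    const errors = [];
    const body = req.body && typeof req.body === 'object' ? req.body : {};
    for (const [field, rule] of Object.entries(schema)) {
      const value = body[field];
      if (value === undefined) {
        if (rule.required) errors.push({ field, message: 'is required' });
        continue;
      }
      if (typeof value !== rule.type) { errors.push({ field, message: `must be a ${rule.type}` }); continue; }
      if (rule.pattern && !rule.pattern.test(value)) errors.push({ field, message: 'has invalid format' });
      if (rule.maxLength !== undefined && value.length > rule.maxLength) {
        errors.push({ field, message: `must be at most ${rule.maxLength} characters` });
      }
    }
    // Unknown fields are rejected too, so a client cannot slip in attributes the schema never allowed.
    for (const field of Object.keys(body)) {
      if (!(field in schema)) errors.push({ field, message: 'is not allowed' });
    }
    return errors.length ? { status: 400, body: { errors } } : null;
  };
}

// Constructed mini-schema (Joi/Zod would express the same rules).
const createUserSchema = {
  email: { type: 'string', required: true, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/, maxLength: 254 },
  name: { type: 'string', required: true, maxLength: 100 },
};

// ---- routes: plural nouns for resources, the method is the verb ----
const routes = [
  { method: 'GET', path: '/users', handlers: [userController.list] },
  { method: 'POST', path: '/users', handlers: [validateBody(createUserSchema), userController.create] },
  { method: 'GET', path: '/users/:id', handlers: [userController.get] },
  { method: 'DELETE', path: '/users/:id', handlers: [userController.remove] },
];

// Minimal dispatcher standing in for Express: matches a route, runs its middleware
// chain, and stops at the first handler that returns a response.
function handle(method, url, body) {
  for (const route of routes) {
    if (route.method !== method) continue;
    const pattern = new RegExp('^' + route.path.replace(/:(\w+)/g, '(?<$1>[^/]+)') + '$');
    const m = url.match(pattern);
    if (!m) continue;
    const req = { params: m.groups || {}, body };
    for (const fn of route.handlers) {
      const res = fn(req);
      if (res) return res;
    }
  }
  return { status: 404, body: { error: 'route not found' } };
}

// Constructed demo requests:
console.log(JSON.stringify(handle('POST', '/users', { email: 'not-an-email', role: 'admin' })));
// 400 with errors for email (invalid format), name (required) and role (not allowed)
console.log(JSON.stringify(handle('POST', '/users', { email: 'ada@example.com', name: 'Ada' })));
// 201 with the created user
```

The point of the layering shows up in the tests: the controller never inspects the raw body shape, because the middleware has already guaranteed it, and the service never decides a status code. Field-level error objects let a client highlight the exact input that failed instead of guessing from a generic message.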