It’s 2025, and while we’ve seen the rise of GraphQL, tRPC, and Server Actions, the RESTful API remains the absolute backbone of the internet. It is the universal language that allows microservices to talk to each other, mobile apps to sync data, and third-party integrations to function securely.
However, writing app.get('/users', (req, res) => { ... }) in a single server.js file doesn’t cut it anymore. Not for senior developers, and certainly not for production environments handling real traffic.
In this guide, we are going to move beyond the “Hello World” tutorials. We will build a production-grade REST API skeleton using Node.js (v22+). We will focus on the Service-Controller-Data layered architecture, centralized error handling, input validation with Zod, and security best practices that every senior engineer needs to know.
Prerequisites and Environment Setup #
Before we dive into the architecture, ensure your development environment is up to speed. In 2025, we rely on stable LTS versions and modern package management.
- Node.js: v20.x or v22.x (LTS)
- Package Manager:
npm(v10+) orpnpm(preferred for speed) - Database: We will use MongoDB (via Mongoose) for this example, but the architectural patterns apply to SQL (Postgres/Sequelize/TypeORM) as well.
- Testing Tool: Postman, Insomnia, or VS Code Thunder Client.
Project Initialization #
Let’s set up a project that uses ES Modules (import/export), which is the standard standard for Node.js today.
mkdir node-rest-pro
cd node-rest-pro
npm init -yNow, open your package.json and add "type": "module" to enable ES Modules natively.
Next, install the essential dependencies. We aren’t just installing express; we are installing the tools required for a robust ecosystem.
npm install express mongoose dotenv cors helmet morgan zod http-status
npm install --save-dev nodemonBrief explanation of the stack:
- Helmet: Secure HTTP headers.
- Morgan: HTTP request logger.
- Zod: The current industry standard for schema validation (replacing Joi/Yup).
- Http-Status: For readable status codes (e.g.,
httpStatus.CREATEDinstead of201).
The Architecture: Separation of Concerns #
The biggest mistake mid-level developers make is putting business logic inside the Controller (or worse, the route definition). This makes testing impossible and refactoring a nightmare.
We will use a 3-Layer Architecture:
- Controller Layer: Handles HTTP requests, parses parameters, sends responses. No logic here.
- Service Layer: Contains the business logic (e.g., “Check if user exists,” “Calculate discount,” “Hash password”).
- Data Access Layer (DAO/Model): Talks directly to the database.
Visualizing the Request Flow #
Before writing code, look at how data flows through our application. This separation ensures that if you switch from MongoDB to Postgres, you only change the Data Layer, not your Controllers.
Step 1: The Entry Point and Server Configuration #
We need a clean entry point. Create a src folder. Inside, create app.js and server.js.
src/app.js — This configures the Express application, middleware, and routes.
import express from 'express';
import helmet from 'helmet';
import cors from 'cors';
import morgan from 'morgan';
import routes from './routes/index.js';
import { errorConverter, errorHandler } from './middlewares/error.js';
import ApiError from './utils/ApiError.js';
import httpStatus from 'http-status';
const app = express();
// 1. Security Headers
app.use(helmet());
// 2. CORS (Allow all for dev, restrict in production)
app.use(cors());
// 3. Logging
app.use(morgan('dev'));
// 4. Body Parser
app.use(express.json());
// 5. API Routes
app.use('/api/v1', routes);
// 6. 404 Handler for unknown API endpoints
app.use((req, res, next) => {
next(new ApiError(httpStatus.NOT_FOUND, 'Not found'));
});
// 7. Global Error Handler
app.use(errorConverter);
app.use(errorHandler);
export default app;src/server.js — This handles the network execution and database connection.
import mongoose from 'mongoose';
import app from './app.js';
import dotenv from 'dotenv';
dotenv.config();
const PORT = process.env.PORT || 3000;
const MONGO_URI = process.env.MONGO_URI || 'mongodb://localhost:27017/node-pro-demo';
let server;
mongoose.connect(MONGO_URI).then(() => {
console.log('Connected to MongoDB');
server = app.listen(PORT, () => {
console.log(`Server listening on port ${PORT}`);
});
});
// Graceful Shutdown
const exitHandler = () => {
if (server) {
server.close(() => {
console.log('Server closed');
process.exit(1);
});
} else {
process.exit(1);
}
};
process.on('uncaughtException', exitHandler);
process.on('unhandledRejection', exitHandler);Step 2: Centralized Error Handling #
Stop using res.status(500).send('error') everywhere. Professional APIs need a customized Error class so you can throw errors from deep within services and catch them in one place.
src/utils/ApiError.js
class ApiError extends Error {
constructor(statusCode, message, isOperational = true, stack = '') {
super(message);
this.statusCode = statusCode;
this.isOperational = isOperational; // True if it's a known error (e.g., bad input), False if system break
if (stack) {
this.stack = stack;
} else {
Error.captureStackTrace(this, this.constructor);
}
}
}
export default ApiError;src/middlewares/error.js
import mongoose from 'mongoose';
import httpStatus from 'http-status';
import ApiError from '../utils/ApiError.js';
// Convert non-ApiErrors (like Mongoose errors) into ApiError
export const errorConverter = (err, req, res, next) => {
let error = err;
if (!(error instanceof ApiError)) {
const statusCode =
error.statusCode || error instanceof mongoose.Error ? httpStatus.BAD_REQUEST : httpStatus.INTERNAL_SERVER_ERROR;
const message = error.message || httpStatus[statusCode];
error = new ApiError(statusCode, message, false, err.stack);
}
next(error);
};
// Final response sender
export const errorHandler = (err, req, res, next) => {
let { statusCode, message } = err;
// In production, don't expose stack traces to the client
const response = {
code: statusCode,
message,
...(process.env.NODE_ENV === 'development' && { stack: err.stack }),
};
res.status(statusCode).send(response);
};Step 3: Validation with Zod #
Validation should happen before the controller. If the data is bad, the controller shouldn’t even run. Zod is excellent for this because it allows for schema definition and type inference (if you use TS).
src/middlewares/validate.js
import httpStatus from 'http-status';
import { z } from 'zod';
import ApiError from '../utils/ApiError.js';
const validate: (schema) => (req, res, next) => {
try {
// Validate request body, query, and params against the schema
const validData = schema.parse({
body: req.body,
query: req.query,
params: req.params,
});
// Assign validated data back to req to ensure type safety
Object.assign(req, validData);
next();
} catch (error) {
if (error instanceof z.ZodError) {
const errorMessage = error.errors.map((e) => `${e.path.join('.')}: ${e.message}`).join(', ');
next(new ApiError(httpStatus.BAD_REQUEST, errorMessage));
} else {
next(error);
}
}
};
export default validate;Step 4: Implementing the Business Logic #
Let’s build a simple User feature to demonstrate the Service vs. Controller pattern.
1. The Validation Schema (src/validations/user.validation.js)
#
import { z } from 'zod';
export const createUser = z.object({
body: z.object({
email: z.string().email(),
password: z.string().min(8),
name: z.string().min(2),
}),
});2. The Service (src/services/user.service.js)
#
This is where the magic happens. Note that the service returns data or throws errors. It does not know about req or res.
import User from '../models/user.model.js'; // Assume standard Mongoose model
import ApiError from '../utils/ApiError.js';
import httpStatus from 'http-status';
const createUser = async (userBody) => {
if (await User.isEmailTaken(userBody.email)) {
throw new ApiError(httpStatus.CONFLICT, 'Email already taken');
}
const user = await User.create(userBody);
return user;
};
const getUserById = async (id) => {
const user = await User.findById(id);
if (!user) {
throw new ApiError(httpStatus.NOT_FOUND, 'User not found');
}
return user;
};
export default {
createUser,
getUserById,
};3. The Controller (src/controllers/user.controller.js)
#
The controller is now incredibly thin. It just orchestrates the HTTP side.
import httpStatus from 'http-status';
import userService from '../services/user.service.js';
// Higher order function to avoid try/catch blocks in every controller
const catchAsync = (fn) => (req, res, next) => {
Promise.resolve(fn(req, res, next)).catch((err) => next(err));
};
export const createUser = catchAsync(async (req, res) => {
const user = await userService.createUser(req.body);
res.status(httpStatus.CREATED).send({
status: 'success',
data: user
});
});
export const getUser = catchAsync(async (req, res) => {
const user = await userService.getUserById(req.params.userId);
res.send({
status: 'success',
data: user
});
});Performance and Framework Selection #
You might be asking, “Is Express still the right choice in 2025?”
While Fastify has gained massive popularity due to its speed, Express remains the dominant ecosystem. However, for high-performance microservices, you should verify your needs.
Here is a quick comparison of the top Node.js frameworks for REST APIs:
| Feature | Express.js | Fastify | NestJS |
|---|---|---|---|
| Architecture | Unopinionated (DIY) | Unopinionated | Highly Opinionated (Angular-style) |
| Performance | Standard | High (up to 2x faster) | Depends on underlying adapter |
| Learning Curve | Low | Low/Medium | High |
| Ecosystem | Massive | Growing rapidly | Large (Built-in modules) |
| Best For | General purpose, MVP, legacy | High-load microservices | Enterprise, large teams |
If you are building a new high-load system, consider swapping Express for Fastify in the example above. The logic layers remain exactly the same!
Standardizing Responses #
One hallmark of a professional API is consistency. Your API should always return JSON in a predictable format.
Success Response:
{
"status": "success",
"data": {
"id": "123",
"email": "dev@example.com"
}
}Error Response:
{
"code": 400,
"message": "body.email: Invalid email address"
}By enforcing this structure (as we did in our controller and error handler), your frontend developers will love you. They can set up global interceptors in React/Vue/Angular to handle success and error states uniformly.
Security Checklist for 2025 #
Simply getting the code to work isn’t enough. You must secure it.
- Rate Limiting: Prevent DDoS and brute force. Use
express-rate-limit.import rateLimit from 'express-rate-limit'; const limiter = rateLimit({ windowMs: 15 * 60 * 1000, // 15 minutes max: 100 // limit each IP to 100 requests per windowMs }); app.use('/api', limiter); - Sanitization: Use
mongo-sanitizeto prevent NoSQL injection attacks where attackers send{"$gt": ""}as a password to log in without credentials. - Environment Variables: Never commit
.envfiles. Ensure yourMONGO_URIandJWT_SECRETare injected at runtime.
Conclusion #
Building a REST API in Node.js is easy. Building a maintainable, secure, and scalable REST API requires discipline and structure.
By adopting the Controller-Service-Model pattern, implementing centralized error handling, and validating inputs strictly with Zod, you elevate your code from “hobbyist” to “professional.”
Key Takeaways:
- Keep Controllers “thin” and Services “fat”.
- Validate data before it touches your business logic.
- Centralize your error handling to avoid code duplication.
- Use standard HTTP status codes and response formats.
The ecosystem is always evolving. While tools like NestJS enforce these patterns out of the box, understanding how to build this architecture from scratch in raw Node/Express makes you a far more versatile developer.