REST API with Express.js

REST is an acronym for REpresentational State Transfer. A REST API is an application that communicates with its clients over the HTTP protocol. The client can be a web application, a mobile application or any other application that is able to use HTTP. The REST API handles the connection to the database.

A REST API or a RESTful API is an application program interface (API) that uses HTTP requests to GET, PUT, POST and DELETE data.
You can read more about it from:

You can create a REST API with Java, PHP, Node.js, Python etc. In this course we are going to use PHP and CodeIgniter to make a REST API.


Can we use MVC in a REST API? Yes, partly. We can implement the Model and the Controller in the REST API, and the View part will be a separate application. The View can be a mobile application, a web application or a desktop application.

CRUD operations

Within computer programming, the acronym CRUD stands for create, read, update and delete. These are the four basic functions of persistent storage. Also, each letter in the acronym can refer to all functions executed in relational database applications and mapped to a standard HTTP method, SQL statement or DDS operation.

Quite often we implement all the CRUD operations in the REST API.


HTTP (Hypertext Transfer Protocol) is a protocol used to transfer files over an IP network. Here is a good tutorial about HTTP

HTTP messages

HTTP messages are the data exchanged between a server and a client. There are two types of messages:

  1. requests: sent by the client to trigger an action on the server
  2. responses: the answer from the server to the client

An HTTP message always includes headers, and it can also include a body. You can find a list of HTTP headers from

HTTP methods

In a REST API we can use these HTTP methods:

  • POST (to add data)
  • GET (to show data)
  • PUT (to update data)
  • DELETE (to remove data)

When you are making a REST API, it is important to know that when you use the GET method the data travels in the URL of the request, and when you use the POST method the data goes in the body.

For example, if you want to send a variable named fname with the value Jim using the GET method, the URL will be something like
But if you are using the POST method, the URL is just like this

When we are using DELETE, we add the id to the URL in the same way as with the GET method. And when we are using PUT, we add the id to the URL and the updated data to the body.

A common way to build a REST API is that you don't include the variable names in your GET requests, so that instead of this kind of URL
you can just type

You can read more about those methods from:

HTTP status codes

The HTTP response includes a status code, which gives information about the response. The most important classes of codes are:

  • 200 - 299 : Success
  • 400 - 499 : Client errors
  • 500 - 599 : Server errors

You can read about the status codes from:


HTTPS (Hypertext Transfer Protocol Secure) is an extension of HTTP. If you use HTTP, all the information is transferred in plain text. If you use HTTPS, the information is encrypted.


Authorization is one of the fields in the HTTP headers. There are several authorization types, and in the examples on this website I am describing HTTP Basic authorization and web token authorization.

Using authorization means that we protect our REST API (or some routes in the API) with a username and password. The client then has to send the right credentials, username and password, inside the HTTP headers. If the client doesn't send valid credentials, the server responds with 401 Unauthorized.


REST allows different messaging formats, such as HTML, JSON and XML. This tutorial focuses on JSON (JavaScript Object Notation). JSON is a very lightweight format.

JSON Objects

JSON objects are written inside curly brackets, for example like this:

{
	"id_book": 11,
	"name": "New Book",
	"author": "Mike",
	"isbn": "22"
}

JSON Arrays

JSON arrays are written inside square brackets, and an array can contain objects, like this:

[
	{
		"id_book": 11,
		"name": "New Book",
		"author": "Mike",
		"isbn": "22"
	},
	{
		"id_book": 7,
		"name": "Signal Slot",
		"author": "Jim Bim",
		"isbn": "2345-66"
	}
]


Quite often the server-side and client-side code are separated, so that they have different URLs. So we have to allow the HTTP requests that come from a different URL, and this we can manage with a mechanism called CORS (cross-origin resource sharing).
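As an added example (not code from the original tutorial), here is a small CORS decision function in plain Node.js that only echoes allow-listed origins back to the browser and answers the preflight request; the allow-list and the origins in it are constructed for illustration.

```javascript
// Constructed allow-list: the separate front-end origins that may call the API.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',   // constructed: the deployed client application
  'http://localhost:3000',     // constructed: local development client
]);

// Decide which CORS headers to send for a request carrying `origin`.
// Returns null when the origin is not allowed, so the caller sends no
// Access-Control-Allow-Origin header at all. The allowed value is echoed
// back exactly; a wildcard is never combined with Allow-Credentials.
function corsHeaders(origin, allowed = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string' || !allowed.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin',                          // caches must key on Origin
    'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Express-style middleware: sets the headers for every request and ends the
// OPTIONS preflight with 204 (allowed) or 403 (origin not on the list).
// Only req.headers, req.method, res.set, res.sendStatus and next are used.
function cors(req, res, next) {
  const headers = corsHeaders(req.headers.origin);
  if (headers) res.set(headers);
  if (req.method === 'OPTIONS') return res.sendStatus(headers ? 204 : 403);
  return next();
}
```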


Authentication and authorization are two vital information security processes that administrators use to protect systems and information. Authentication verifies the identity of a user or service, and authorization determines their access rights.


The purpose of authentication is to verify that someone or something is who or what they claim to be.


Authorization is the security process that determines a user's or service's level of access. In technology, we use authorization to give users or services permission to access some data or perform a particular action.

HTTP Basic authentication

In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent (e.g. a web browser) to provide a username and password when making a request. In basic HTTP authentication, the request contains a header field of the form Authorization: Basic <credentials>, where credentials is the Base64 encoding of the ID and password joined by a single colon (:).

JSON Web Token (JWT)

JWTs, or JSON Web Tokens, are most commonly used to identify an authenticated user. JWT authentication follows a four-step process:

  1. The client sends a POST request with its credentials to the auth server to authenticate itself.
  2. The server authenticates the user's credentials and generates a JWT. The server does not store anything and sends the token to the browser to save. This allows the user to authenticate without their credentials in the future.
  3. Then, for every request, the client sends the JWT in the Authorization header. Validation happens using token introspection with the server.
  4. Once validated, the server sends the necessary data to the client.