REST API with Express.js

REST is an acronym for REpresentational State Transfer. A REST API is an application that communicates with its clients over the HTTP protocol. The client can be a web application, a mobile application or any other application that is able to use HTTP. The REST API handles the connection to the database.

REST allows different messaging formats, such as HTML, JSON and XML. This tutorial focuses on JSON (JavaScript Object Notation).

[Image: REST API]

A REST API uses HTTP requests to GET, PUT, POST and DELETE data.
You can read more about it from:

You can create the REST API example with Java, PHP, Node.js, Python etc. This tutorial uses Node.js and the Express framework.


Can we use MVC in a REST API? Yes, partly. We can implement the Model and the Controller in the REST API, and the View part is then a separate application. The View can be a mobile application, a web application or a desktop application.

CRUD operations

Within computer programming, the acronym CRUD stands for create, read, update and delete.

The acronym CRUD refers to the major operations implemented by databases. Each letter in the acronym can be mapped to a standard Structured Query Language (SQL) statement.


HTTP

HTTP (Hypertext Transfer Protocol) is the protocol used to transfer files over an IP network. You can read more about HTTP from

HTTP messages

HTTP messages are the data exchanged between a server and a client. There are two types of messages:

  1. requests: sent by the client to trigger an action on the server
  2. responses: the answer from the server to the client

An HTTP message always includes headers, and it can also include a body. You can find a list of HTTP headers from

HTTP methods

In a REST API we can use these HTTP methods:

  • POST (to add data)
  • GET (to show data)
  • PUT (to update data)
  • DELETE (to remove data)

When you are using GET or DELETE, you can pass data only in the header part of the message (the URL). When you are using POST, you pass the data in the body. When you are using PUT, you can pass data both in the header (the URL) and in the body.

For example, if you want to send a variable named fname with the value Jim using the GET method, the URL will be something like
But if you are using the POST method, the URL is just like this

When we are using DELETE, we add the id to the URL in the same way as with the GET method. When we are using PUT, we add the id to the URL and the updated data to the body.

A common way to build a REST API is that you don't include the variable names in your GET requests, so that instead of this kind of URL
you can just type

You can read more about those methods from:

HTTP status codes

The HTTP response includes a status code, which gives information about the response. The most important classes of codes are:

  • 200 - 299 : Success
  • 400 - 499 : Client errors
  • 500 - 599 : Server errors

You can read about the status codes from:

HTTPS

HTTPS (Hypertext Transfer Protocol Secure) is an extension of HTTP. If you use HTTP, all the information is transferred in plain text. If you use HTTPS, the information is encrypted.

JSON Objects

JSON objects are written inside curly brackets, for example like this:

{
	"id_book": 11,
	"name": "javascript",
	"author": "Mike Jones",
	"isbn": "9780030604577"
}

JSON Arrays

JSON arrays are written inside square brackets. An array can contain several objects, like this:

[
	{
		"id_book": 11,
		"name": "New Book",
		"author": "Mike",
		"isbn": "22"
	},
	{
		"id_book": 7,
		"name": "Signal Slot",
		"author": "Jim Bim",
		"isbn": "2345-66"
	}
]

CORS

CORS (Cross-Origin Resource Sharing) allows web applications from one domain to access resources from another domain. Without CORS, browsers restrict cross-origin HTTP requests initiated by scripts, which could prevent your API from being accessed by clients running on different domains.
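As an added example that is not part of the original tutorial, here is the server-side half of CORS written as a plain function plus a middleware-shaped wrapper, so it can be tested without a browser. The allow-list of origins is an assumption for the example; a real API lists the origins of its own front-ends.

```javascript
// Added example, not from the original tutorial: the server's side of CORS.
// ALLOWED_ORIGINS is an assumption; put the origins of your real front-ends here.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'http://localhost:3000']);

// Given the request's Origin header and method, returns the CORS response
// headers to add (an empty object means the origin is not allowed, so the
// browser will not expose the response to the page) and whether the request
// is a preflight that should be answered immediately with 204.
function corsHeaders(origin, method) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return { headers: {}, preflight: false };
  const headers = {
    // Echo the specific allowed origin rather than '*': '*' cannot be combined
    // with credentials (cookies, Authorization), and an allow-list stops any
    // arbitrary site from calling the API from a user's browser.
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin', // caches must not serve one origin's answer to another
    'Access-Control-Allow-Credentials': 'true',
  };
  if (method === 'OPTIONS') {
    // Preflight: tell the browser which methods and headers the API accepts.
    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    headers['Access-Control-Max-Age'] = '600';
    return { headers, preflight: true };
  }
  return { headers, preflight: false };
}

// Middleware-shaped wrapper with the (req, res, next) signature Express uses;
// it only relies on req.headers, req.method, res.setHeader and res.end, which
// Node's http module provides as well.
function cors(req, res, next) {
  const { headers, preflight } = corsHeaders(req.headers.origin, req.method);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  if (preflight) {
    res.statusCode = 204;
    return res.end();
  }
  next();
}
```

Requests without an Origin header (curl, server-to-server calls) get no CORS headers and are simply passed through; CORS is a browser mechanism and does not replace authentication on the API itself.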

Authentication and authorization

Authentication and authorization are two vital information security processes that administrators use to protect systems and information. Authentication verifies the identity of a user or service, and authorization determines their access rights.

Authentication

The purpose of authentication is to verify that someone or something is who or what they claim to be.

Authorization

Authorization is the security process that determines a user's or service's level of access. In technology, we use authorization to give users or services permission to access some data or perform a particular action.

HTTP Basic authentication

In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent (e.g. a web browser) to provide a username and password when making a request. In basic HTTP authentication, the request contains a header field in the form Authorization: Basic <credentials>, where credentials is the Base64 encoding of the ID and the password joined by a single colon.

JSON Web Token (JWT)

JWTs, or JSON Web Tokens, are most commonly used to identify an authenticated user. JWT authentication follows a 4-step process:

  1. The client sends a POST request with its credentials to the auth server to authenticate itself.
  2. The server authenticates the user's credentials and generates a JWT. The server does not store anything and sends the token to the client to save. This allows the user to authenticate without their credentials in the future.
  3. Then, for every request, the client sends the JWT in the Authorization header. Validation happens using token introspection with the server.
  4. Once validated, the server sends the requested data to the client.

[Image: JWT authentication flow]
