Node.js REST API with Express: Complete Guide 2026


Express in 2026: Still the Go-To for Node.js APIs

Express remains the most widely used Node.js web framework in 2026 despite the emergence of alternatives (Fastify, Hono, Elysia). Its simplicity, ecosystem breadth, and the enormous body of existing knowledge and tooling make it the lowest-friction choice for building REST APIs. Fastify is the correct choice when raw performance is the primary concern — it's significantly faster than Express. But for the majority of API projects where developer productivity and ecosystem access matter more than nanosecond-level throughput, Express provides the best starting point.

Project Structure for Production APIs

Organize Express applications by feature rather than by type. Instead of routes/, controllers/, models/ at the top level, use features/users/, features/products/, features/orders/ — each containing the route definition, controller logic, validation, and types for that feature. This structure scales better than the traditional MVC layout because all code related to a feature lives together. Keep middleware in a shared middleware/ directory and utilities in lib/.

Authentication with JWT

Implement JWT authentication as Express middleware. The middleware extracts the Authorization header, verifies the token signature with jsonwebtoken, and attaches the decoded user payload to req.user. When verifying, pass the expected algorithm in the algorithms option of jwt.verify() so that a token cannot choose its own algorithm. Apply the middleware to protected routes using router.use(authMiddleware) or individually. Store JWT secrets in environment variables, use RS256 for APIs that need multiple verification endpoints (each verifier then needs only the public key), and implement token refresh with short-lived access tokens (15 minutes) and longer-lived refresh tokens (7 days) stored in httpOnly cookies.

Request Validation with Zod

Never trust incoming request data. Validate all request bodies, query parameters, and URL parameters against a schema before processing. Zod provides TypeScript-native schema validation with excellent error messages. Define a schema for each request type, run validation in middleware before the controller, and return 422 with field-level error details when validation fails. Zod schemas double as TypeScript types: call the schema's parse() method on the request body and the result is fully typed throughout the controller function.

Error Handling

Express error handling uses four-argument middleware: (err, req, res, next). Register the error handler after all routes. Create a custom AppError class with statusCode and isOperational properties to distinguish operational errors (invalid input, not found) from programming errors (null pointer, database connection failure). The error handler returns structured JSON error responses for operational errors and logs programming errors without exposing details to the client. Use express-async-errors or wrap all async route handlers in a try-catch utility to ensure async errors reach the error handler. Download our Node.js Express API starter template at proofmatcher.com.
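The error-handling flow described above, as an added example that is not code from the original post or its starter template. It imports nothing so it runs without Express; fakeRes and runRoute are constructed stand-ins for Express's response object and router, and asyncHandler is a hypothetical name for the try-catch utility.

```javascript
// AppError, statusCode and isOperational come from the text; all other names are assumptions.
class AppError extends Error {
  constructor(message, statusCode) {
    super(message);
    this.statusCode = statusCode;
    this.isOperational = true; // expected failure; message is safe to return
  }
}

// Forwards a thrown error or rejected promise from an async handler to next(),
// so it reaches errorHandler instead of becoming an unhandled rejection.
const asyncHandler = (fn) => (req, res, next) =>
  Promise.resolve().then(() => fn(req, res, next)).catch(next);

// The four-argument signature marks this as error middleware in Express.
// Register it after all routes: app.use(errorHandler)
function errorHandler(err, req, res, next) {
  if (res.headersSent) return next(err); // response already started; delegate
  if (err instanceof AppError && err.isOperational) {
    return res.status(err.statusCode).json({ error: { message: err.message } });
  }
  // Programming error: full detail goes to the server log, never to the client.
  console.error('unhandled error on %s %s', req.method, req.url, err);
  return res.status(500).json({ error: { message: 'Internal Server Error' } });
}

// Constructed stand-in for Express's res so the example runs without Express.
function fakeRes() {
  return {
    statusCode: 200, body: undefined, headersSent: false,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; this.headersSent = true; return this; },
  };
}

// Runs one handler the way a router would: whatever reaches next(err) is
// handed to errorHandler. Resolves with the response once a body is sent.
function runRoute(handler) {
  const req = { method: 'GET', url: '/demo' }; // constructed request
  const res = fakeRes();
  return new Promise((resolve) => {
    const send = res.json.bind(res);
    res.json = (payload) => { send(payload); resolve(res); return res; };
    asyncHandler(handler)(req, res, (err) => errorHandler(err, req, res, () => resolve(res)));
  });
}
```

The instanceof check matters: an error that merely carries a statusCode property (as some third-party errors do) is still treated as a programming error, so its message never reaches the client.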


Originally published at https://proofmatcher.com/blogs/nodejs-express-rest-api-2026
