Deepak Sir

Posted on • Originally published at Medium

Building REST APIs with ColdFusion 2025: JWT Auth, Rate Limiting, and CORS Best Practices

ColdFusion has had first-class REST support for years: you expose a CFC as a REST resource with rest="true" and restpath, mark methods access="remote" with an httpmethod, and register the app with restInitApplication(). A production API has three hard parts.

JWT auth uses ColdFusion's native CreateSignedJWT() and VerifySignedJWT() functions (new in the ColdFusion 2023 release and carried into 2025; not present in older versions).

Rate limiting comes either from the ColdFusion API Manager (built-in SLA-based throttling that returns HTTP 429) or from a custom token bucket built on cacheGet/cachePut, because the core server has no built-in per-endpoint limiter.

CORS is handled by setting Access-Control-* headers and correctly answering the browser's preflight OPTIONS request, including on error responses, which is the detail most teams miss.

This guide covers all three with verified code.
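A custom token bucket of the kind described above, as an added example (not code from the original article): it keeps each client's bucket in the cache with cacheGet/cachePut and wraps the read-modify-write in a named lock. The function name takeToken, the capacity and refill values, the ratelimit: key prefix and keying by cgi.remote_addr are assumptions, and both the named lock and the default cache are local to one server instance.

```cfml
<cfscript>
// Added example: token-bucket limiter backed by the ColdFusion cache.
// takeToken, its defaults and the "ratelimit:" prefix are assumptions.
struct function takeToken(
    required string clientKey,
    numeric capacity = 60,          // maximum burst size
    numeric refillPerSecond = 1     // sustained request rate
) {
    var cacheId = "ratelimit:" & arguments.clientKey;
    var nowMs   = getTickCount();
    var result  = {};

    // Serialize the read-modify-write per client so two concurrent
    // requests cannot both spend the last token.
    lock name="#cacheId#" type="exclusive" timeout="2" {
        var bucket = cacheGet(cacheId);
        if (isNull(bucket)) {
            // First request from this client: start with a full bucket.
            bucket = { tokens = arguments.capacity, updated = nowMs };
        }

        // Refill in proportion to elapsed time, capped at capacity.
        var elapsedSec = (nowMs - bucket.updated) / 1000;
        bucket.tokens  = min(arguments.capacity,
                             bucket.tokens + elapsedSec * arguments.refillPerSecond);
        bucket.updated = nowMs;

        var allowed = bucket.tokens >= 1;
        if (allowed) {
            bucket.tokens -= 1;
        }

        // Idle buckets expire after 10 minutes so the cache stays bounded.
        cachePut(cacheId, bucket, createTimeSpan(0, 0, 10, 0), createTimeSpan(0, 0, 10, 0));

        result = {
            allowed    = allowed,
            remaining  = int(bucket.tokens),
            retryAfter = allowed ? 0 : ceiling((1 - bucket.tokens) / arguments.refillPerSecond)
        };
    }
    return result;
}

// Caller sketch: reject with 429 when the bucket is empty. The CORS
// Access-Control-* headers must be set on this error response as well.
rl = takeToken(cgi.remote_addr);
if (!rl.allowed) {
    cfheader(statusCode = 429);
    cfheader(name = "Retry-After", value = rl.retryAfter);
    abort;
}
</cfscript>
```

Behind a reverse proxy cgi.remote_addr is the proxy's address, so key the bucket on an authenticated identity (for example the verified JWT subject) where one is available.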