DEV Community: Pratik Kumar Ghosh The latest articles on DEV Community by Pratik Kumar Ghosh (@pratik-k-ghosh). https://dev.to/pratik-k-ghosh https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3844938%2F7ec2046e-b96c-447c-aef2-46a76bc6e1d5.jpg DEV Community: Pratik Kumar Ghosh https://dev.to/pratik-k-ghosh en How I Set Up Nodemailer with Gmail OAuth2 in My Node.js Project Pratik Kumar Ghosh Sun, 12 Apr 2026 07:31:13 +0000 https://dev.to/pratik-k-ghosh/how-i-set-up-nodemailer-with-gmail-oauth2-in-my-nodejs-project-2fli https://dev.to/pratik-k-ghosh/how-i-set-up-nodemailer-with-gmail-oauth2-in-my-nodejs-project-2fli <p>For a long time, I thought sending emails from a Node.js project would be simple.<br> Install Nodemailer, write a few lines, done.</p> <p>Not really.</p> <p>While adding email sending functionality to my project, I ran into configuration issues, especially with <code>dotenv</code>, Gmail authentication, and OAuth2. After some debugging, I finally got it working.</p> <p>So in this post, I want to explain <strong>how to set up Nodemailer with Gmail OAuth2</strong> in a simple way, and also share the <strong>exact problems I faced and how I fixed them</strong>.</p> <h2> Why I used OAuth2 instead of password login </h2> <p>Earlier, many people used Gmail with just email and password. But that is not the recommended way now.</p> <p>A better setup is:</p> <ul> <li>Gmail API enabled</li> <li>OAuth2 credentials from Google Cloud</li> <li>Refresh token from OAuth Playground</li> <li>Nodemailer configured with those values</li> </ul> <p>That is also the method used in the guide I followed.</p> <h2> Step 1: Install packages </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>nodemailer dotenv </code></pre> </div> <h2> Step 2: Create OAuth2 credentials </h2> <p>Go to <a href="https://console.developers.google.com/" rel="noopener noreferrer">Google Cloud Console</a> and do these things:</p> <ul> <li>Create a project</li> <li>Enable <strong>Gmail API</strong> </li> <li>Create <strong>OAuth 2.0 Client ID</strong> </li> <li>Choose <strong>Web Application</strong> </li> <li>Add redirect URI: <ul> <li><code>http://localhost</code></li> <li><code>https://developers.google.com/oauthplayground</code></li> </ul> </li> </ul> <p>After that, you will get:</p> <ul> <li><code>CLIENT_ID</code></li> <li><code>CLIENT_SECRET</code></li> </ul> <h2> Step 3: Generate refresh token </h2> <p>Open <a href="https://developers.google.com/oauthplayground" rel="noopener noreferrer">OAuth 2.0 Playground</a> and:</p> <ul> <li>Click the settings icon</li> <li>Enable <strong>Use your own OAuth credentials</strong> </li> <li>Paste your <code>CLIENT_ID</code> and <code>CLIENT_SECRET</code> </li> <li>Set access type to Offline</li> <li>Select the Gmail scope: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://mail.google.com/ </code></pre> </div> <ul> <li>Authorize APIs</li> <li>Exchange authorization code for tokens</li> </ul> <p>Now copy the <strong>refresh token</strong>.</p> <h2> Step 4: Create your <code>.env</code> file </h2> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="py">GOOGLE_USER</span><span class="p">=</span><span class="s">yourgmail@gmail.com</span> <span class="py">GOOGLE_CLIENT_ID</span><span class="p">=</span><span class="s">your_client_id</span> <span class="py">GOOGLE_CLIENT_SECRET</span><span class="p">=</span><span class="s">your_client_secret</span> <span class="py">GOOGLE_REFRESH_TOKEN</span><span class="p">=</span><span class="s">your_refresh_token</span> </code></pre> </div> <p>Make sure the variable names match exactly with your code.</p> <h2> Step 5: Configure Nodemailer </h2> <p>Here is a clean setup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">dotenv</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">dotenv</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">nodemailer</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">nodemailer</span><span class="dl">"</span><span class="p">;</span> <span class="nx">dotenv</span><span class="p">.</span><span class="nf">config</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">transporter</span> <span class="o">=</span> <span class="nx">nodemailer</span><span class="p">.</span><span class="nf">createTransport</span><span class="p">({</span> <span class="na">service</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gmail</span><span class="dl">"</span><span class="p">,</span> <span class="na">auth</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">OAuth2</span><span class="dl">"</span><span class="p">,</span> <span class="na">user</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_USER</span><span class="p">,</span> <span class="na">clientId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_CLIENT_ID</span><span class="p">,</span> <span class="na">clientSecret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_CLIENT_SECRET</span><span class="p">,</span> <span class="na">refreshToken</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_REFRESH_TOKEN</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// Verify the connection configuration</span> <span class="nx">transporter</span><span class="p">.</span><span class="nf">verify</span><span class="p">((</span><span class="nx">error</span><span class="p">,</span> <span class="nx">success</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Error connecting to email server: </span><span class="p">${</span><span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Email server is ready to send messages</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// Function to send email</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">sendEmail</span> <span class="o">=</span> <span class="k">async </span><span class="p">({</span> <span class="nx">to</span><span class="p">,</span> <span class="nx">subject</span><span class="p">,</span> <span class="nx">text</span><span class="p">,</span> <span class="nx">html</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">info</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">transporter</span><span class="p">.</span><span class="nf">sendMail</span><span class="p">({</span> <span class="na">from</span><span class="p">:</span> <span class="s2">`"Your Name" &lt;</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">Gmail_User</span><span class="p">}</span><span class="s2">&gt;`</span><span class="p">,</span> <span class="c1">// sender address</span> <span class="nx">to</span><span class="p">,</span> <span class="c1">// list of receivers</span> <span class="nx">subject</span><span class="p">,</span> <span class="c1">// Subject line</span> <span class="nx">text</span><span class="p">,</span> <span class="c1">// plain text body</span> <span class="nx">html</span><span class="p">,</span> <span class="c1">// html body</span> <span class="p">});</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Message sent: %s</span><span class="dl">'</span><span class="p">,</span> <span class="nx">info</span><span class="p">.</span><span class="nx">messageId</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Preview URL: %s</span><span class="dl">'</span><span class="p">,</span> <span class="nx">nodemailer</span><span class="p">.</span><span class="nf">getTestMessageUrl</span><span class="p">(</span><span class="nx">info</span><span class="p">));</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Error sending email: </span><span class="p">${</span><span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h2> Step 6: Use it in your project </h2> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">await</span> <span class="nf">sendEmail</span><span class="p">({</span> <span class="na">to</span><span class="p">:</span> <span class="dl">"</span><span class="s2">recipient@example.com</span><span class="dl">"</span><span class="p">,</span> <span class="na">subject</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Test Mail</span><span class="dl">"</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="dl">"</span><span class="s2">This is a test email</span><span class="dl">"</span><span class="p">,</span> <span class="na">html</span><span class="p">:</span> <span class="dl">"</span><span class="s2">&lt;p&gt;This is a test email&lt;/p&gt;</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>If everything is correct, your mail should be sent successfully.</p> <h2> What I learned </h2> <p>Setting up Nodemailer is not just about writing <code>sendMail()</code>.</p> <p>You also need to understand:</p> <ul> <li>how Gmail authentication works</li> <li>why OAuth2 is needed</li> <li>why environment variables must load properly</li> <li>why even small config mistakes can break everything</li> </ul> <p>This was one of those features that looked small from outside, but taught me a lot while implementing it.</p> <h2> Problems I faced and how I solved them </h2> <h3> 1. My <code>dotenv</code> configuration was done afterwards </h3> <p>This was my main mistake.</p> <p>I had set up the email functionality, but the environment variables were not being loaded properly at the right time. Because of that, values like client ID, client secret, refresh token, or email user were not available when Nodemailer needed them.</p> <p><strong>Fix</strong></p> <p>I made sure to call:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">dotenv</span><span class="p">.</span><span class="nf">config</span><span class="p">();</span> </code></pre> </div> <p>at the top, before using <code>process.env</code> values.</p> <p>That small order issue was enough to break the whole setup.</p> <h3> 2. Gmail authentication error </h3> <p>I got an error like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>530-5.7.0 Authentication Required </code></pre> </div> <p>This happened because Gmail was not accepting the request as properly authenticated.</p> <p><strong>Fix</strong></p> <p>I stopped treating it like a simple email-password login and used the correct OAuth2 setup:</p> <ul> <li>Gmail API enabled</li> <li>correct client ID</li> <li>correct client secret</li> <li>correct refresh token</li> <li>correct Gmail account in <code>GOOGLE_USER</code> </li> <li>add same Gmail account as a test user in Google Cloud Console</li> </ul> <h3> 3. Following the guide was not enough without matching my own project structure </h3> <p>The guide I followed was helpful, but I still had to adjust it to my own project setup.</p> <p>For example:</p> <ul> <li>I was using my own environment variable names</li> <li>my project used <code>import</code> syntax</li> <li>my file structure was different from the guide</li> </ul> <p><strong>Fix</strong></p> <p>I kept the logic the same, but adapted the code to my own project.</p> <p>That made me realize an important thing:</p> <blockquote> <p>Tutorials and README files give the path, but you still need to fit that path into your own project properly.</p> </blockquote> <h3> 4. Small config mistakes can waste a lot of time </h3> <p>Even when the code looks correct, things can still fail because of:</p> <ul> <li>wrong variable names</li> <li>wrong refresh token</li> <li>wrong Google account</li> <li>missing <code>.env</code> </li> <li> <code>dotenv</code> loading too late</li> </ul> <p><strong>Fix</strong></p> <p>I checked everything one by one instead of changing random things.</p> <p>That made debugging much easier.</p> <h2> Final thoughts </h2> <p>This feature looked small, but it taught me a very useful lesson:</p> <p><strong>Backend development is not only about writing logic. A lot of real work is in configuration, authentication, environment setup, and debugging.</strong></p> <p>Getting Nodemailer working with Gmail OAuth2 was frustrating at first, but once it worked, I understood the setup much better.</p> <p>And honestly, that is the good part of building projects:<br> you do not just learn the feature, you learn the mistakes around the feature too.</p> node javascript backend nodemailer Why Hashing Refresh Tokens Broke My Auth Flow — and How I Fixed It Pratik Kumar Ghosh Tue, 31 Mar 2026 20:15:27 +0000 https://dev.to/pratik-k-ghosh/why-hashing-refresh-tokens-broke-my-auth-flow-and-how-i-fixed-it-1hog https://dev.to/pratik-k-ghosh/why-hashing-refresh-tokens-broke-my-auth-flow-and-how-i-fixed-it-1hog <p>When I first decided to hash refresh tokens before storing them in the database, it felt like a straightforward security improvement.</p> <p>But the moment I did that, my refresh-token flow broke.</p> <p>Not because hashing itself was wrong. The real issue was that hashing changed how I had to design the lookup and verification flow.</p> <p>This post is about that problem, the first working fix I used, and the more optimal version I reached after understanding the flow properly.</p> <h2> What I was trying to do </h2> <p>My auth setup was simple in principle:</p> <ul> <li>access tokens for short-lived authentication</li> <li>refresh tokens for issuing new access tokens</li> <li>sessions stored in the database</li> <li>refresh token rotation for better security</li> </ul> <p>The part I wanted to improve was storage.</p> <p>Instead of saving the refresh token directly in the session collection, I wanted to hash it with Argon2 before saving it, just like we hash passwords.</p> <p>That part was easy enough.</p> <p>A simplified schema method looked like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">sessionSchema</span><span class="p">.</span><span class="nx">methods</span><span class="p">.</span><span class="nx">verifyRefreshToken</span> <span class="o">=</span> <span class="k">async</span> <span class="nf">function </span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="k">this</span><span class="p">.</span><span class="nx">refreshToken</span><span class="p">)</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="k">return</span> <span class="nx">argon2</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">refreshToken</span><span class="p">,</span> <span class="nx">token</span><span class="p">);</span> <span class="p">};</span> </code></pre> </div> <p>And the pre-save hashing idea was also straightforward:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">sessionSchema</span><span class="p">.</span><span class="nf">pre</span><span class="p">(</span><span class="dl">"</span><span class="s2">save</span><span class="dl">"</span><span class="p">,</span> <span class="k">async</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="k">this</span><span class="p">.</span><span class="nf">isModified</span><span class="p">(</span><span class="dl">"</span><span class="s2">refreshToken</span><span class="dl">"</span><span class="p">))</span> <span class="k">return</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="k">this</span><span class="p">.</span><span class="nx">refreshToken</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">refreshToken</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">argon2</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">refreshToken</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>So far, so good.</p> <p>Then the refresh flow broke.</p> <h2> Why hashing refresh tokens broke the flow </h2> <p>Before hashing, finding the correct session was easy.</p> <p>I could do something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">existingSession</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">session</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="na">valid</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>That works only when the database stores the raw refresh token.</p> <p>Once I started hashing the refresh token before saving it, this approach stopped working.</p> <p>Why?</p> <p>Because a hashed value is not something I can directly query with the raw token anymore.</p> <p>The important lesson here is this:</p> <p>hash verification and database lookup are two different problems.</p> <p>Hashing solved storage security, but it removed my ability to locate the session by the raw token itself.</p> <h2> Why verification alone was not enough </h2> <p>At first, this felt confusing because <code>argon2.verify()</code> still exists.</p> <p>So I thought:</p> <blockquote> <p>No problem. I will just verify the token against the hash.</p> </blockquote> <p>But that was only half the story.</p> <p><code>argon2.verify()</code> needs two things:</p> <ol> <li>the raw token coming from the cookie</li> <li>the stored hash from the correct session document</li> </ol> <p>And that second part is where the real design issue appeared.</p> <p>I could verify the hash only after I had already found the right session document.</p> <p>But if I could no longer find the session by refresh token, then what exactly was I verifying against?</p> <p>That was the missing piece.</p> <h2> My first working fix </h2> <p>My first working solution was simple:</p> <h3> Create the session first, then generate the refresh token </h3> <p>The flow looked like this:</p> <ol> <li>Create a session document first</li> <li>Let MongoDB generate the session <code>_id</code> </li> <li>Use <code>userId</code> and <code>sessionId</code> inside the refresh token payload</li> <li>Save the real refresh token back into that session</li> <li>Later, during refresh, verify the JWT, extract <code>sessionId</code>, find the session by that id, and only then verify the hashed token</li> </ol> <h3> Login flow </h3> <p>This was the idea in simplified form:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">sessionDoc</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">session</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">_id</span><span class="p">,</span> <span class="na">refreshToken</span><span class="p">:</span> <span class="dl">"</span><span class="s2">demo</span><span class="dl">"</span><span class="p">,</span> <span class="na">valid</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">ip</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">ip</span><span class="p">,</span> <span class="na">userAgent</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">User-Agent</span><span class="dl">"</span><span class="p">),</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">refreshToken</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">_id</span><span class="p">,</span> <span class="na">sessionId</span><span class="p">:</span> <span class="nx">sessionDoc</span><span class="p">.</span><span class="nx">_id</span><span class="p">.</span><span class="nf">toString</span><span class="p">(),</span> <span class="p">},</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_REFRESH_SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">"</span><span class="s2">15d</span><span class="dl">"</span> <span class="p">}</span> <span class="p">);</span> <span class="nx">sessionDoc</span><span class="p">.</span><span class="nx">refreshToken</span> <span class="o">=</span> <span class="nx">refreshToken</span><span class="p">;</span> <span class="k">await</span> <span class="nx">sessionDoc</span><span class="p">.</span><span class="nf">save</span><span class="p">();</span> </code></pre> </div> <p>The reason this worked was simple:</p> <p>I stopped trying to locate the session by raw refresh token.</p> <p>Instead, I used a stable identifier: <code>sessionId</code>.</p> <p>Later, in the refresh flow, I could do this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">refreshTokenCookie</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_REFRESH_SECRET</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">existingSession</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">session</span> <span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="na">_id</span><span class="p">:</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">sessionId</span><span class="p">,</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">userId</span><span class="p">,</span> <span class="na">valid</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">})</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">"</span><span class="s2">+refreshToken</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">isValid</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">existingSession</span><span class="p">.</span><span class="nf">verifyRefreshToken</span><span class="p">(</span><span class="nx">refreshTokenCookie</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isValid</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid refresh token</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>This was the moment the whole design started making sense.</p> <h2> Why that first fix was not optimal </h2> <p>It worked, but it had two problems.</p> <h3> 1. It needed two database writes </h3> <p>First I created the session. Then I updated it with the real refresh token.</p> <p>That is acceptable, but not ideal.</p> <h3> 2. I used a placeholder value first </h3> <p>Because <code>refreshToken</code> was required in the model, I temporarily stored an Empty String "" and then replaced it with the real token.</p> <p>That was not elegant.</p> <p>It worked as a practical fix, but it clearly felt like an implementation workaround rather than a clean design.</p> <h2> The better fix </h2> <p>After that, I moved to a cleaner approach.</p> <h3> Generate the Mongo ObjectId first, then create everything in one go </h3> <p>Instead of letting Mongo create the session id during insert, I generated the ObjectId beforehand.</p> <p>That allowed me to:</p> <ol> <li>generate the session id first</li> <li>sign the refresh token using <code>userId</code> and <code>sessionId</code> </li> <li>create the session once with the real refresh token</li> <li>let the schema middleware hash it before saving</li> </ol> <p>Here is the cleaner version:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">sessionId</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">mongoose</span><span class="p">.</span><span class="nx">Types</span><span class="p">.</span><span class="nc">ObjectId</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">refreshToken</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">_id</span><span class="p">,</span> <span class="na">sessionId</span><span class="p">:</span> <span class="nx">sessionId</span><span class="p">.</span><span class="nf">toString</span><span class="p">(),</span> <span class="p">},</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_REFRESH_SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">"</span><span class="s2">15d</span><span class="dl">"</span> <span class="p">}</span> <span class="p">);</span> <span class="k">await</span> <span class="nx">session</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">_id</span><span class="p">:</span> <span class="nx">sessionId</span><span class="p">,</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">_id</span><span class="p">,</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="na">valid</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">ip</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">ip</span><span class="p">,</span> <span class="na">userAgent</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">User-Agent</span><span class="dl">"</span><span class="p">),</span> <span class="p">});</span> </code></pre> </div> <p>This solved both earlier drawbacks:</p> <ul> <li>no placeholder token</li> <li>only one database write</li> </ul> <p>It also kept the refresh flow clean, because the token still carried the <code>sessionId</code>.</p> <h2> Comparing both approaches </h2> <h3> Approach 1: create session first, then update </h3> <p><strong>Pros</strong></p> <ul> <li>easy to understand</li> <li>easy to implement</li> <li>works reliably</li> </ul> <p><strong>Cons</strong></p> <ul> <li>needs two DB operations</li> <li>temporary placeholder value feels awkward</li> </ul> <h3> Approach 2: generate ObjectId first, then create once </h3> <p><strong>Pros</strong></p> <ul> <li>cleaner design</li> <li>one DB write</li> <li>no placeholder token</li> <li>easier to reason about long-term</li> </ul> <p><strong>Cons</strong></p> <ul> <li>slightly more thought required upfront</li> </ul> <p>For me, the second version was the better engineering decision.</p> <h2> The final refresh flow </h2> <p>Once I moved to the <code>sessionId</code>-based design, the full flow became much clearer.</p> <h3> During login </h3> <ul> <li>create an access token</li> <li>generate a session id</li> <li>create a refresh token containing <code>userId</code> and <code>sessionId</code> </li> <li>save the session with the refresh token</li> <li>let Mongoose hash the token before saving</li> <li>send both tokens in cookies</li> </ul> <p>A simplified login controller looked like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">login</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">identifier</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span> <span class="o">||</span> <span class="p">{};</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">identifier</span> <span class="o">||</span> <span class="o">!</span><span class="nx">password</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">All fields are required</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">existingUser</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">user</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="na">$or</span><span class="p">:</span> <span class="p">[{</span> <span class="na">email</span><span class="p">:</span> <span class="nx">identifier</span> <span class="p">},</span> <span class="p">{</span> <span class="na">userName</span><span class="p">:</span> <span class="nx">identifier</span> <span class="p">}],</span> <span class="p">}).</span><span class="nf">select</span><span class="p">(</span><span class="dl">"</span><span class="s2">+password</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">existingUser</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid credentials</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">isPasswordValid</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">existingUser</span><span class="p">.</span><span class="nf">verifyPassword</span><span class="p">(</span><span class="nx">password</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isPasswordValid</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid credentials</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">accessToken</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">existingUser</span><span class="p">.</span><span class="nx">_id</span> <span class="p">},</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_ACCESS_SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">"</span><span class="s2">15m</span><span class="dl">"</span> <span class="p">}</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">sessionId</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">mongoose</span><span class="p">.</span><span class="nx">Types</span><span class="p">.</span><span class="nc">ObjectId</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">refreshToken</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">existingUser</span><span class="p">.</span><span class="nx">_id</span><span class="p">,</span> <span class="na">sessionId</span><span class="p">:</span> <span class="nx">sessionId</span><span class="p">.</span><span class="nf">toString</span><span class="p">(),</span> <span class="p">},</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_REFRESH_SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">"</span><span class="s2">15d</span><span class="dl">"</span> <span class="p">}</span> <span class="p">);</span> <span class="k">await</span> <span class="nx">session</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">_id</span><span class="p">:</span> <span class="nx">sessionId</span><span class="p">,</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">existingUser</span><span class="p">.</span><span class="nx">_id</span><span class="p">,</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="na">valid</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">ip</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">ip</span><span class="p">,</span> <span class="na">userAgent</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">User-Agent</span><span class="dl">"</span><span class="p">),</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">"</span><span class="s2">accessToken</span><span class="dl">"</span><span class="p">,</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="p">{</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">production</span><span class="dl">"</span><span class="p">,</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">"</span><span class="s2">strict</span><span class="dl">"</span><span class="p">,</span> <span class="na">maxAge</span><span class="p">:</span> <span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">"</span><span class="s2">refreshToken</span><span class="dl">"</span><span class="p">,</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="p">{</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">production</span><span class="dl">"</span><span class="p">,</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">"</span><span class="s2">strict</span><span class="dl">"</span><span class="p">,</span> <span class="na">maxAge</span><span class="p">:</span> <span class="mi">15</span> <span class="o">*</span> <span class="mi">24</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Login successful</span><span class="dl">"</span><span class="p">,</span> <span class="na">user</span><span class="p">:</span> <span class="nx">existingUser</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Internal server error</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h3> During refresh </h3> <ul> <li>read refresh token from cookie</li> <li>verify JWT</li> <li>extract <code>sessionId</code> </li> <li>find the session by <code>_id</code> </li> <li>verify raw token against stored hash</li> <li>rotate tokens if valid</li> </ul> <p>A simplified refresh flow looked like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">refreshToken</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">refreshTokenCookie</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">?.</span><span class="nx">refreshToken</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">refreshTokenCookie</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Missing refresh token</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span> <span class="nx">refreshTokenCookie</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_REFRESH_SECRET</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">existingSession</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">session</span> <span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="na">_id</span><span class="p">:</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">sessionId</span><span class="p">,</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">userId</span><span class="p">,</span> <span class="na">valid</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">})</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">"</span><span class="s2">+refreshToken</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">existingSession</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid refresh token</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">isValid</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">existingSession</span><span class="p">.</span><span class="nf">verifyRefreshToken</span><span class="p">(</span> <span class="nx">refreshTokenCookie</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isValid</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid refresh token</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Token verified successfully</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Internal server error</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h2> What this taught me </h2> <p>This problem taught me something important:</p> <p><strong>security improvements often change architecture, not just storage.</strong></p> <p>At first, I treated hashed refresh token storage as a simple replacement:</p> <ul> <li>store token</li> <li>hash token</li> <li>done</li> </ul> <p>But hashing a refresh token changes the lookup strategy completely.</p> <p>Once the token is hashed, it should no longer be treated as the thing used to find the session document.</p> <p>Instead:</p> <ul> <li>use a stable identifier like <code>sessionId</code> to find the session</li> <li>use hash verification only to validate the token</li> </ul> <p>That separation made the whole flow much cleaner.</p> <h2> Key takeaways </h2> <ul> <li>Hashing refresh tokens is safer than storing them in plain text</li> <li>But once you hash them, direct database lookup by raw token no longer works</li> <li> <code>argon2.verify()</code> helps with validation, not identification</li> <li>You still need a stable way to find the correct session first</li> <li>Including <code>sessionId</code> inside the refresh token is a clean solution</li> <li>Generating the Mongo ObjectId beforehand is a better version because it removes the extra DB update</li> </ul> <h2> Closing thought </h2> <p>This was a small bug, but it changed the way I think about authentication design.</p> <p>I started with a storage problem and ended up learning a flow-design problem.</p> <p>And that was the real lesson.</p> <p>Sometimes the hard part in auth is not generating or verifying the token itself.</p> <p>It is designing the path that lets you verify the right thing, in the right place, for the right reason.</p> backend authentication node mongodb I Thought I Knew What an API Was. I Was Wrong. Pratik Kumar Ghosh Thu, 26 Mar 2026 17:08:13 +0000 https://dev.to/pratik-k-ghosh/i-thought-i-knew-what-an-api-was-i-was-wrong-4526 https://dev.to/pratik-k-ghosh/i-thought-i-knew-what-an-api-was-i-was-wrong-4526 <p>For a long time, I had this feeling that I basically knew what an API was.</p> <p>I mean, I’ve used APIs before.</p> <p>In frontend projects, I used things like a weather API and got JSON data.<br> In backend, I created routes and heard people call them REST APIs.<br> Sometimes an API looked like a URL.<br> Sometimes it looked like a function.<br> Sometimes it looked like just a JSON response.</p> <p>So I was honestly confused:</p> <p><strong>What is an API actually?</strong><br> Is the weather JSON file the API?<br> Is an Express route the API?<br> Is an API just a way to fetch data?</p> <p>Today I properly studied it, and finally the confusion became much smaller.</p> <p>So this post is basically me sharing what I understood in simple words.</p> <h2> what is an API, really? </h2> <p><strong>API</strong> stands for <strong>Application Programming Interface</strong>.</p> <p>That sounds fancy, but the simple meaning is:</p> <blockquote> <p>An API is a way for one software to talk to another software using defined rules.<br> That’s it.</p> </blockquote> <p>Think of it like this:</p> <ul> <li>your frontend wants data</li> <li>your backend has that data</li> <li>the API is the way they communicate</li> </ul> <p>Or:</p> <ul> <li>your app wants weather data</li> <li>some weather service has that data</li> <li>the API is the bridge between them</li> </ul> <p><strong>Real-life analogy</strong></p> <p>Imagine you are in a restaurant:</p> <ul> <li>You = client</li> <li>Kitchen = server</li> <li>Waiter = API</li> </ul> <p>You don’t go inside the kitchen and cook by yourself.<br> You tell the waiter what you want.<br> The waiter takes the request to the kitchen.<br> Then the waiter brings the response back.</p> <p>That waiter-like role is what an API does.</p> <h2> Then what was I misunderstanding in the weather app? </h2> <p>This was one of my biggest confusions.</p> <p>When I make a weather app, I often do something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">https://api.example.com/weather?city=Kolkata</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">res</span> <span class="o">=&gt;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">data</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">data</span><span class="p">));</span> </code></pre> </div> <p>And then I get something like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"city"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Kolkata"</span><span class="p">,</span><span class="w"> </span><span class="nl">"temperature"</span><span class="p">:</span><span class="w"> </span><span class="mi">31</span><span class="p">,</span><span class="w"> </span><span class="nl">"condition"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Cloudy"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Earlier, I used to think:</p> <p><strong>“This JSON is the API.”</strong></p> <p>But that is not exactly correct.</p> <h3> What is actually happening? </h3> <ul> <li>The API is the system/interface/endpoints/rules that let my app request data</li> <li>The JSON is the response format returned by the API</li> </ul> <p>So the JSON is <strong>not the API itself</strong>.<br> It is the <strong>data sent back by the API</strong>.</p> <p>That cleared up a lot for me.</p> <h3> Easy way to remember it </h3> <ul> <li>API = the communication system</li> <li>JSON = one common format of the response data</li> </ul> <p>So in a weather app, the API is not “a JSON file.”<br> The JSON is just the reply you get after using the API.</p> <h2> A backend route also feels like an API. Why? </h2> <p>Because it usually is.</p> <p>For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/users</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">([</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Pratik</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Aman</span><span class="dl">"</span> <span class="p">}</span> <span class="p">]);</span> <span class="p">});</span> </code></pre> </div> <p>This route allows a client to request user data.</p> <p>If a frontend sends a request to <code>/users</code>, the backend sends a response.</p> <p>That route becomes part of your API.</p> <p>So yes, when I build backend routes, I am often building an API.</p> <h3> So what is the simplest definition I should remember? </h3> <p>Here’s the definition I’ll remember from now on:</p> <blockquote> <p>An API is a set of rules and endpoints that allows one software system to communicate with another.</p> </blockquote> <p>And in web development:</p> <blockquote> <p>An API usually lets a client send a request and receive a response.</p> </blockquote> <h2> Types of API </h2> <p>This part also confused me because people say “types of API” in different ways.</p> <p>Sometimes they mean <strong>who can use the API</strong>.<br> Sometimes they mean <strong>how the API works</strong>.</p> <p>So I’ll keep both simple.</p> <h3> 1) Public API </h3> <p>A public API is available for external developers to use.</p> <h4> Example </h4> <p>A weather service giving data to developers.</p> <h4> Use case </h4> <p>You are building a weather app and want live temperature data.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">https://api.weather-service.com/current?city=Delhi</span><span class="dl">"</span><span class="p">)</span> </code></pre> </div> <p>You are using someone else’s public API.</p> <h3> 2) Private API </h3> <p>A private API is used only inside an organization or company.</p> <h4> Example </h4> <p>An admin dashboard talking to the company’s internal backend.</p> <h4> Use case </h4> <p>A company has internal employee data, sales data, analytics, etc.<br> That API is not open for the whole world.</p> <h3> 3) Partner API </h3> <p>A partner API is shared only with selected business partners.</p> <h4> Example </h4> <p>A payment company allowing trusted partner apps to connect to its services.</p> <h4> Use case </h4> <p>An e-commerce platform integrating a shipping provider’s partner API.</p> <h3> 4) REST API </h3> <p>This is the type I hear the most in backend development.</p> <p>A REST API is a web API that uses HTTP methods like:</p> <ul> <li>GET</li> <li>POST</li> <li>PUT</li> <li>PATCH</li> <li>DELETE</li> </ul> <h4> Example </h4> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/products</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">([{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Laptop</span><span class="dl">"</span> <span class="p">}]);</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/products</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">201</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Product created</span><span class="dl">"</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h4> Use case </h4> <p>Most CRUD apps:</p> <ul> <li>users</li> <li>posts</li> <li>products</li> <li>comments</li> <li>tasks</li> </ul> <p>REST is common because it is simple and structured.</p> <h3> 5) SOAP API </h3> <p>SOAP is older and more strict than REST.</p> <p>It often uses XML instead of JSON and follows stricter rules.</p> <h4> Example use case </h4> <p>Banking systems, enterprise systems, older business software</p> <p>SOAP is less beginner-friendly, but it still exists in some places where strict standards matter.</p> <h3> 6) GraphQL API </h3> <p>With GraphQL, the client can ask for exactly the data it needs.</p> <h4> Example </h4> <p>Instead of getting a big object, you can request only specific fields.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="p">{</span><span class="w"> </span><span class="n">user</span><span class="p">(</span><span class="n">id</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h4> Use case </h4> <p>Apps where over-fetching or under-fetching data is a problem</p> <p>For example, if you only want <code>name</code> and <code>email</code>, GraphQL helps you avoid receiving unnecessary data.</p> <h3> 7) WebSocket API </h3> <p>This is useful when you want real-time, two-way communication.</p> <h4> Example use case </h4> <ul> <li>chat apps</li> <li>live notifications</li> <li>multiplayer games</li> <li>stock price updates</li> </ul> <p>Unlike normal request-response flow, WebSockets keep the connection open.</p> <h3> The easiest way I now think about it </h3> <p>If someone asks me about API types, I’ll think like this:</p> <h4> Based on access </h4> <ul> <li>Public</li> <li>Private</li> <li>Partner</li> </ul> <h4> Based on style/communication </h4> <ul> <li>REST</li> <li>SOAP</li> <li>GraphQL</li> <li>WebSocket</li> </ul> <p>That makes the topic much less messy in my head.</p> <h2> A little about status codes </h2> <p>When a client sends a request to a server, the server responds with not just data, but also a status code.</p> <p>That code tells us what happened.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/profile</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Pratik</span><span class="dl">"</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>Here, <code>200</code> means the request worked successfully.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhbebyqmxqgzssjs8jas8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhbebyqmxqgzssjs8jas8.png" alt=" " width="800" height="436"></a></p> <p>Status codes are super useful because they quickly tell us whether:</p> <ul> <li>the request succeeded</li> <li>something was missing</li> <li>access was denied</li> <li>the server crashed</li> </ul> <h2> Tiny example: request + response + status code together </h2> <p>Here’s a super small Express example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/login</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">email</span> <span class="o">||</span> <span class="o">!</span><span class="nx">password</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Email and password are required</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">email</span> <span class="o">!==</span> <span class="dl">"</span><span class="s2">test@example.com</span><span class="dl">"</span> <span class="o">||</span> <span class="nx">password</span> <span class="o">!==</span> <span class="dl">"</span><span class="s2">1234</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid credentials</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Login successful</span><span class="dl">"</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>This one route already shows a lot:</p> <ul> <li>400 if input is missing</li> <li>401 if credentials are wrong</li> <li>200 if login works</li> </ul> <p>That made status codes feel much more practical to me.</p> <h2> What I finally understood today </h2> <p>If I explain it to my old confused self, I’d say:</p> <ul> <li>API is not just JSON</li> <li>API is not just a backend function</li> <li>API is not just a URL</li> <li>API is the communication bridge with defined rules</li> </ul> <p>And the JSON in apps like weather apps is usually just the response data returned by the API.</p> <p>That one difference cleared up a lot of confusion for me.</p> <h2> Final summary </h2> <p>Today I finally stopped treating “API” like a vague buzzword.</p> <p>What I learned is:</p> <ul> <li>an API lets one software communicate with another</li> <li>in web development, APIs usually work through request and response</li> <li>the JSON we get is usually the response, not the API itself</li> <li>backend routes often become part of our API</li> <li>APIs can be public, private, partner-based, or different in style like REST, SOAP, GraphQL, and WebSocket</li> <li>status codes help us quickly understand what happened after a request</li> </ul> <p>This was one of those topics I thought I already understood, but actually needed to sit down and study properly.</p> <p>And honestly, now it feels way less scary.</p> api backend webdev beginners