DEV Community: SATYA SOOTAR The latest articles on DEV Community by SATYA SOOTAR (@satyasootar). https://dev.to/satyasootar https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3682982%2F06c7f09f-b260-4b90-9d89-dedbc07fd2d3.png DEV Community: SATYA SOOTAR https://dev.to/satyasootar en Sessions vs JWT vs Cookies: Understanding Authentication Approaches SATYA SOOTAR Sun, 10 May 2026 14:15:37 +0000 https://dev.to/satyasootar/sessions-vs-jwt-vs-cookies-understanding-authentication-approaches-1ojo https://dev.to/satyasootar/sessions-vs-jwt-vs-cookies-understanding-authentication-approaches-1ojo <p>Hello readers 👋, welcome to the 15th blog in our Node.js series!</p> <p>In our previous posts, we built a REST API, learned how to protect routes with JWT, and explored middleware and file uploads. Authentication has come up several times, but today we’re going to take a step back and look at the bigger picture. We’ll compare three pillars of authentication in web applications: <strong>sessions</strong>, <strong>JSON Web Tokens (JWT)</strong>, and <strong>cookies</strong>.</p> <p>If you’ve ever been confused about when to use a session-based login, when to reach for a JWT, or where cookies fit into all this, this post will clear things up. We’ll keep it practical, avoid deep security rabbit holes, and end with a decision framework you can apply to your next project.</p> <p>Let’s get started.</p> <h2> What are cookies? </h2> <p>Cookies are small pieces of data stored on the client (browser) by the server via the <code>Set-Cookie</code> header. They are automatically sent back to the server with every subsequent request to the same domain. That’s their superpower: they travel with every request without the client having to do anything extra.</p> <p>A cookie looks something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Set-Cookie: sessionId=abc123; HttpOnly; Secure; SameSite=Strict </span></code></pre> </div> <p>The browser then dutifully sends <code>Cookie: sessionId=abc123</code> with each request.</p> <p>Cookies alone are not an authentication method; they are a <strong>transport mechanism</strong>. They can carry a session ID, a JWT, or just a simple preference. But because sessions almost always rely on cookies, the two are often mentioned together.</p> <p>Key properties you can set on cookies:</p> <ul> <li> <strong>HttpOnly</strong> – the cookie cannot be accessed via JavaScript (<code>document.cookie</code>), which helps prevent XSS attacks.</li> <li> <strong>Secure</strong> – the cookie is only sent over HTTPS.</li> <li> <strong>SameSite</strong> – controls whether the cookie is sent on cross‑site requests, mitigating CSRF.</li> </ul> <p>In a traditional session‑based authentication, the server sets a cookie containing a unique session ID, and all further requests carry that cookie to identify the user.</p> <h2> What are sessions? </h2> <p>Session‑based authentication is the classic approach. After the user logs in with valid credentials, the server creates a <strong>session</strong> – a record in a database, in‑memory store, or cache (like Redis) that contains the user’s identity and any other relevant data. The server then sends back a cookie holding only the session ID.</p> <p>Every subsequent request comes with that cookie. The server reads the session ID, looks up the session data (often from a store), and knows who the user is without them sending the password again.</p> <p>Let’s see a simplified Express example using <code>express-session</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express-session</span><span class="dl">'</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">session</span><span class="p">({</span> <span class="na">secret</span><span class="p">:</span> <span class="dl">'</span><span class="s1">your-secret-key</span><span class="dl">'</span><span class="p">,</span> <span class="na">resave</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">saveUninitialized</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">cookie</span><span class="p">:</span> <span class="p">{</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">maxAge</span><span class="p">:</span> <span class="mi">3600000</span> <span class="p">}</span> <span class="c1">// 1 hour</span> <span class="p">}));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// authenticate user</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">userId</span> <span class="o">=</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">;</span> <span class="c1">// stored on server</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Logged in</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/dashboard</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">userId</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Unauthorized</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// fetch user data using session.userId</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="s2">`Hello user </span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">userId</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Sessions are <strong>stateful</strong>: the server must maintain a session store (memory, database, Redis). When you scale to multiple server instances, the session store must be shared, which adds complexity.</p> <h2> What are JWT tokens? </h2> <p>JSON Web Tokens (JWT) are a <strong>stateless</strong> authentication method. After a successful login, the server generates a token containing a payload (like the user’s ID and role) and signs it with a secret key. The token is sent to the client, which stores it. For each subsequent request, the client sends the token, usually in the <code>Authorization</code> header as a Bearer token, or sometimes in an HttpOnly cookie. The server verifies the signature, extracts the payload, and trusts that the user is who the token claims.</p> <p>We’ve already implemented JWT authentication in an earlier blog. Here’s a quick recap:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">jwt</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">jsonwebtoken</span><span class="dl">'</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// authenticate user</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">({</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">secret</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1h</span><span class="dl">'</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">token</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/profile</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">authorization</span><span class="p">?.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1"> </span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">No token</span><span class="dl">'</span><span class="p">);</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="dl">'</span><span class="s1">secret</span><span class="dl">'</span><span class="p">);</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">decoded</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="s2">`Profile of user </span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">userId</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Invalid token</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>Because JWT contains all the info needed (in the payload), the server doesn’t need to look up a session. That’s the stateless magic.</p> <h2> Stateful vs stateless authentication </h2> <p>This is the key distinction.</p> <ul> <li> <strong>Stateful (sessions)</strong>: The server keeps track of authenticated users. Each request requires a session lookup. This works great for traditional multi‑page apps because scaling requires a shared session store. Logout is easy: just destroy the session on the server.</li> <li> <strong>Stateless (JWT)</strong>: The server doesn’t store anything. It trusts the token after verifying the signature. This makes horizontal scaling a breeze. Logout is trickier: since the server doesn’t remember the token, you can’t invalidate it without a blacklist (bringing back some state). Usually, you set short expiration and rely on the client removing the token.</li> </ul> <p>Think of sessions as a coat-check ticket: you give the clerk your coat, get a ticket, and later hand the ticket back to retrieve your coat. The clerk (server) remembers you. JWT is like a digital passport: the passport says who you are, and the border official (server) verifies its authenticity without calling home. Both have their place.</p> <h2> Sessions vs JWT: detailed comparison </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Session‑based</th> <th>JWT</th> </tr> </thead> <tbody> <tr> <td><strong>State</strong></td> <td>Stateful (server stores session data)</td> <td>Stateless (server only verifies token)</td> </tr> <tr> <td><strong>Storage</strong></td> <td>Session ID stored in a cookie; session data stored server‑side (memory, DB, Redis)</td> <td>Token stored client‑side: browser (localStorage, sessionStorage) or HttpOnly cookie; no server‑side storage</td> </tr> <tr> <td><strong>Scalability</strong></td> <td>Requires shared session store across instances (e.g., Redis)</td> <td>Easy to scale horizontally; no server‑side data sharing needed</td> </tr> <tr> <td><strong>Logout</strong></td> <td>Server deletes session – immediate effect</td> <td>No server‑side record; token can’t be invalidated instantly unless a blacklist is used. Short expiry &amp; client removal are typical</td> </tr> <tr> <td><strong>Security typical risks</strong></td> <td>Session hijacking (if cookie stolen), CSRF (mitigated with SameSite, tokens)</td> <td>Token theft (if stored in non‑HttpOnly cookie or localStorage), XSS (if accessible via JS), token size</td> </tr> <tr> <td><strong>Payload visibility</strong></td> <td>Server‑side, opaque to client</td> <td>Payload is Base64‑encoded (not encrypted); everyone can read it, but signature ensures integrity. Never put secrets in payload</td> </tr> <tr> <td><strong>Typical use case</strong></td> <td>Traditional server‑rendered web apps, multi‑page apps, apps with centralized user management</td> <td>APIs, single‑page applications (SPAs), mobile apps, microservices, third‑party integrations</td> </tr> </tbody> </table></div> <p>Note that you <em>can</em> store a JWT inside an HttpOnly cookie, blending some benefits: you get automatic cookie sending (no need to attach header manually) and protection from XSS, while still being stateless. The choice of where to store the token is separate from the choice of session vs JWT.</p> <h2> When to use each method </h2> <p><strong>Use sessions when:</strong></p> <ul> <li>You have a traditional server‑rendered application (EJS, Pug, etc.).</li> <li>You need fine‑grained control over active session invalidation (e.g., force logout, revoke access instantly).</li> <li>You’re comfortable managing a session store (or don’t mind the overhead for a simple app).</li> <li>You want to keep sensitive data on the server.</li> </ul> <p><strong>Use JWT when:</strong></p> <ul> <li>You are building a REST API that serves multiple frontends (web, mobile, desktop).</li> <li>You want to scale horizontally without worrying about a shared data store.</li> <li>You need to pass authorization across multiple independent services (microservices).</li> <li>Your client is a SPA where the frontend handles presentation and stores the token (e.g., in memory or localStorage, though HttpOnly cookie is safer).</li> </ul> <p><strong>A hybrid approach</strong>: store a short‑lived JWT inside an HttpOnly, Secure, SameSite cookie. That way you get automatic cookie handling, XSS protection, and still remain stateless on the server. This is increasingly popular in modern frameworks.</p> <h2> Conclusion </h2> <p>Sessions, cookies, and JWT aren’t mutually exclusive; they’re pieces of the authentication puzzle. Cookies transport data (session IDs or JWTs) seamlessly. Sessions give you server‑side control at the cost of state. JWT gives you stateless scalability at the cost of instant invalidation. Choosing between them depends on your application architecture, scalability needs, and security priorities.</p> <p>To recap:</p> <ul> <li> <strong>Cookies</strong> are a transport mechanism, automatically sent with every request, and can be secured with HttpOnly, Secure, and SameSite flags.</li> <li> <strong>Sessions</strong> store user state on the server and use a cookie holding a session ID. They are stateful and great for traditional web apps.</li> <li> <strong>JWT</strong> embeds user information in a signed token; the server doesn’t need a lookup. They are stateless and ideal for APIs, SPAs, and microservices.</li> <li>The decision often hinges on stateful vs stateless needs and where you want to store sensitive data.</li> </ul> <p>In the next post, we’ll start connecting Express to databases; building a full‑stack authentication flow with registration and login that persists real data. See you then!</p> <p>Hope you found this helpful! If you spot any mistakes or have suggestions, let me know. You can find me on <a href="https://www.linkedin.com/in/satyaprangyasootar" rel="noopener noreferrer">LinkedIn</a> and <a href="https://x.com/satyasootar" rel="noopener noreferrer">X</a>, where I post more about web development.</p> jwt cookies node URL Parameters vs Query Strings in Express.js SATYA SOOTAR Sun, 10 May 2026 14:09:37 +0000 https://dev.to/satyasootar/url-parameters-vs-query-strings-in-expressjs-154o https://dev.to/satyasootar/url-parameters-vs-query-strings-in-expressjs-154o <p>Hello readers 👋, welcome to the 14th blog in our Node.js series!</p> <p>In the last few posts, we built a complete file upload and serving system using Multer and Express. We learned how to accept files, store them safely, and serve them back via static URLs. Today, we're going to shift focus to something more subtle but equally important: how to extract information from the URL itself. Specifically, we'll talk about <strong>URL parameters</strong> and <strong>query strings</strong> in Express.js.</p> <p>You see these every day: URLs like <code>/users/42</code> or <code>/search?q=express&amp;sort=asc</code>. Knowing when to use a parameter (the <code>42</code>) versus a query string (the <code>?q=express</code>) makes your API design cleaner and more intuitive. Let's break it all down with clear examples.</p> <p>Let's get started.</p> <h2> What URL parameters are </h2> <p>URL parameters (also called route parameters) are segments of the URL path that act as placeholders. They are part of the path itself and are typically used to identify a specific resource. In Express, you define them with a colon (<code>:</code>) prefix in the route path, and Express captures their values into <code>req.params</code>.</p> <p>Think of <code>&lt;name&gt;</code> as a placeholder for something like an ID, a username, or a category. The actual value appears in the URL after the previous segment.</p> <p>Here's a basic route that uses a parameter:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users/:userId</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">userId</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">userId</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="s2">`User profile for ID: </span><span class="p">${</span><span class="nx">userId</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>If you visit <code>http://localhost:3000/users/123</code>, <code>req.params.userId</code> will be <code>"123"</code>. Notice that the parameter is part of the path. It's not optional; the route wouldn't match <code>/users/</code> alone (without an ID).</p> <p>You can have multiple parameters in a single route:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/posts/:postId/comments/:commentId</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">postId</span><span class="p">,</span> <span class="nx">commentId</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">postId</span><span class="p">,</span> <span class="nx">commentId</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>The values are always strings, so you may need to parse them into numbers if needed (<code>parseInt</code>). Express doesn't do any type conversion automatically.</p> <h2> What query strings (query parameters) are </h2> <p>Query strings are key-value pairs that come after a question mark (<code>?</code>) in a URL. They are used to send additional data that is often optional, like filters, sorting options, pagination, or search terms. They are not part of the route path itself. In Express, you access them via <code>req.query</code>.</p> <p>For example, a search URL might look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/search?q=express&amp;page=2&amp;limit=10 </code></pre> </div> <p>Here, <code>q</code>, <code>page</code>, and <code>limit</code> are query parameters. Express parses them and makes them available in <code>req.query</code> as an object.</p> <p>Example route:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/search</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">q</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">page</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">page</span> <span class="o">||</span> <span class="mi">1</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">limit</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">limit</span> <span class="o">||</span> <span class="mi">10</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">query</span><span class="p">,</span> <span class="nx">page</span><span class="p">,</span> <span class="nx">limit</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>A request to <code>/search?q=node&amp;page=3</code> gives:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"query"</span><span class="p">:</span><span class="w"> </span><span class="s2">"node"</span><span class="p">,</span><span class="w"> </span><span class="nl">"page"</span><span class="p">:</span><span class="w"> </span><span class="s2">"3"</span><span class="p">,</span><span class="w"> </span><span class="nl">"limit"</span><span class="p">:</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Query strings are extremely flexible because they don't affect route matching directly; any number of them can be added to a URL without breaking the route pattern.</p> <h2> Differences between URL parameters and query strings </h2> <p>The core difference lies in their <strong>purpose</strong> and <strong>placement</strong>.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Aspect</th> <th>URL Parameters (Route params)</th> <th>Query Strings</th> </tr> </thead> <tbody> <tr> <td><strong>Appearance in URL</strong></td> <td>Part of the path: <code>/users/42</code> </td> <td>After <code>?</code> in the URL: <code>/users?role=admin</code> </td> </tr> <tr> <td><strong>Purpose</strong></td> <td>Identify a specific resource (required)</td> <td>Provide additional instructions or filters (optional)</td> </tr> <tr> <td><strong>Route matching</strong></td> <td>Must be defined in route path with <code>:param</code> </td> <td>Does not affect which route is matched</td> </tr> <tr> <td><strong>Express access</strong></td> <td> <code>req.params</code> (object)</td> <td> <code>req.query</code> (object)</td> </tr> <tr> <td><strong>Typical use cases</strong></td> <td>Entity ID, username, category, blog post slug</td> <td>Search, pagination, sorting, filtering, API keys</td> </tr> <tr> <td><strong>Order in URL</strong></td> <td>Fixed position in the path</td> <td>Unordered, can be combined arbitrarily</td> </tr> <tr> <td><strong>Optionality</strong></td> <td>Usually required for the resource to make sense</td> <td>Often optional with defaults</td> </tr> </tbody> </table></div> <p>A good mental model: <strong>parameters point to a specific "noun" (the resource)</strong>; <strong>query strings describe "how" or "what to do" with that resource</strong>, like filtering or sorting.</p> <h2> Accessing params in Express </h2> <p>As shown earlier, you define placeholders in the route string using <code>:paramName</code>. Then inside the handler, you read <code>req.params</code>. All values are strings.</p> <p>If you need to make a parameter optional and still match the base route, you can use a <code>?</code> after the parameter name (like <code>:userId?</code>), but then you'd need to handle the case where it's undefined. Alternatively, define two routes: one with and one without the parameter.</p> <p>Here's an example of an optional parameter:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/articles/:year?/:month?</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">year</span><span class="p">,</span> <span class="nx">month</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="s2">`Articles </span><span class="p">${</span><span class="nx">year</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">for </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">year</span> <span class="p">:</span> <span class="dl">''</span><span class="p">}</span><span class="s2"> </span><span class="p">${</span><span class="nx">month</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">month</span> <span class="p">:</span> <span class="dl">''</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>But be careful, <code>req.params</code> will contain strings for whatever segments exist.</p> <h2> Accessing query strings in Express </h2> <p>Query strings don't need to be declared. Any <code>key=value</code> pair after the <code>?</code> will appear in <code>req.query</code>. If a key appears multiple times (e.g., <code>?tag=js&amp;tag=node</code>), Express by default gives you an array (only if you use a certain parsing library; the built-in <code>qs</code> library parses arrays with repeated keys). So <code>req.query.tag</code> might be <code>['js', 'node']</code>.</p> <p>Example with arrays:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/items</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">tags</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">tags</span><span class="p">;</span> <span class="c1">// tags could be a string or an array if multiple</span> <span class="kd">const</span> <span class="nx">tagsArray</span> <span class="o">=</span> <span class="nb">Array</span><span class="p">.</span><span class="nf">isArray</span><span class="p">(</span><span class="nx">tags</span><span class="p">)</span> <span class="p">?</span> <span class="nx">tags</span> <span class="p">:</span> <span class="p">[</span><span class="nx">tags</span><span class="p">].</span><span class="nf">filter</span><span class="p">(</span><span class="nb">Boolean</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">tags</span><span class="p">:</span> <span class="nx">tagsArray</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h2> When to use params vs query: practical examples </h2> <h3> User profile ID (use params) </h3> <p>You want to get a specific user by ID. The ID is the identifier of the resource, so it belongs in the path.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users/:id</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">users</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="nx">u</span> <span class="o">=&gt;</span> <span class="nx">u</span><span class="p">.</span><span class="nx">id</span> <span class="o">===</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">id</span><span class="p">));</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">404</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">User not found</span><span class="dl">'</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>This makes the URL clean: <code>/users/5</code>. Without the ID, the route doesn't make sense. So a parameter is the right choice.</p> <h3> Search filters (use query strings) </h3> <p>You want to filter a list of products by category, price range, and sort order. None of these are "the resource identifier". They are optional, descriptive modifiers. So they go in the query string.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/products</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">category</span><span class="p">,</span> <span class="nx">minPrice</span><span class="p">,</span> <span class="nx">sort</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">results</span> <span class="o">=</span> <span class="p">[...</span><span class="nx">products</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="nx">category</span><span class="p">)</span> <span class="nx">results</span> <span class="o">=</span> <span class="nx">results</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="nx">p</span> <span class="o">=&gt;</span> <span class="nx">p</span><span class="p">.</span><span class="nx">category</span> <span class="o">===</span> <span class="nx">category</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">minPrice</span><span class="p">)</span> <span class="nx">results</span> <span class="o">=</span> <span class="nx">results</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="nx">p</span> <span class="o">=&gt;</span> <span class="nx">p</span><span class="p">.</span><span class="nx">price</span> <span class="o">&gt;=</span> <span class="nc">Number</span><span class="p">(</span><span class="nx">minPrice</span><span class="p">));</span> <span class="k">if </span><span class="p">(</span><span class="nx">sort</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">asc</span><span class="dl">'</span><span class="p">)</span> <span class="nx">results</span><span class="p">.</span><span class="nf">sort</span><span class="p">((</span><span class="nx">a</span><span class="p">,</span> <span class="nx">b</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">a</span><span class="p">.</span><span class="nx">price</span> <span class="o">-</span> <span class="nx">b</span><span class="p">.</span><span class="nx">price</span><span class="p">);</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">sort</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">desc</span><span class="dl">'</span><span class="p">)</span> <span class="nx">results</span><span class="p">.</span><span class="nf">sort</span><span class="p">((</span><span class="nx">a</span><span class="p">,</span> <span class="nx">b</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">b</span><span class="p">.</span><span class="nx">price</span> <span class="o">-</span> <span class="nx">a</span><span class="p">.</span><span class="nx">price</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">results</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>A request URL like <code>/products?category=electronics&amp;minPrice=100&amp;sort=asc</code> clearly communicates that we're viewing the products collection but with specific filters.</p> <h3> Mixed usage </h3> <p>Often, you'll combine both. For example, fetching comments for a specific post, with pagination:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">GET /posts/:postId/comments?page=2&amp;limit=10 </span></code></pre> </div> <p>Here, <code>:postId</code> identifies the post (required), while <code>page</code> and <code>limit</code> control how many comments are returned (optional with defaults).</p> <h2> Visualizing the URL structure </h2> <p>Every URL can be broken down into parts. Let's disassemble an example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://api.example.com/users/42?include=posts&amp;limit=5 </code></pre> </div> <ul> <li> <strong>Protocol &amp; domain</strong>: <code>https://api.example.com</code> </li> <li> <strong>Path</strong>: <code>/users/42</code> <ul> <li>Segment <code>users</code> (static)</li> <li>Segment <code>42</code> (dynamic, captured by <code>:userId</code>)</li> </ul> </li> <li> <strong>Query string</strong>: <code>?include=posts&amp;limit=5</code> <ul> <li><code>include=posts</code></li> <li><code>limit=5</code></li> </ul> </li> </ul> <p>Express routes match against the path (ignoring the query string). So you'd define:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users/:userId</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="p">...</span> <span class="p">});</span> </code></pre> </div> <p>And then inside, <code>req.params.userId</code> gives <code>"42"</code>, <code>req.query.include</code> gives <code>"posts"</code>, and <code>req.query.limit</code> gives <code>"5"</code>.</p> <p>This separation allows the same route to respond differently based on what the client asks for, without defining countless different URL patterns.</p> <h2> Conclusion </h2> <p>Understanding URL parameters versus query strings is essential for designing clean, predictable REST APIs. URL parameters are used to identify a specific resource (like a user or a post) and appear as dynamic segments in the path. Query strings are used to modify the request, provide filters, pagination, or any optional data, and appear after the <code>?</code> in the URL. Express makes both accessible with <code>req.params</code> and <code>req.query</code>.</p> <p>Let's quickly recap:</p> <ul> <li> <strong>URL parameters</strong> (<code>:param</code>) are parts of the path used for required resource identifiers. Accessed via <code>req.params</code>.</li> <li> <strong>Query strings</strong> (<code>?key=value</code>) are optional key‑value pairs used for filtering, sorting, searching, and other modifiers. Accessed via <code>req.query</code>.</li> <li>Route matching ignores query strings, so they are flexible and don't affect which handler runs.</li> <li>Use parameters when the URL would be incomplete without that piece of data; use query strings for everything else that's optional or descriptive.</li> <li>In Express, both are available as simple JavaScript objects, making it easy to extract and use them.</li> </ul> <p>Armed with this understanding, your routes will become more intuitive and your APIs more predictable. See you in the next post!</p> <p>Hope you found this helpful! If you spot any mistakes or have suggestions, let me know. You can find me on <a href="https://www.linkedin.com/in/satyaprangyasootar" rel="noopener noreferrer">LinkedIn</a> and <a href="https://x.com/satyasootar" rel="noopener noreferrer">X</a>, where I post more about web development.</p> express node url query Storing Uploaded Files and Serving Them in Express SATYA SOOTAR Sun, 10 May 2026 14:05:18 +0000 https://dev.to/satyasootar/storing-uploaded-files-and-serving-them-in-express-ob4 https://dev.to/satyasootar/storing-uploaded-files-and-serving-them-in-express-ob4 <p>Hello readers 👋, welcome to the 13th blog in our Node.js series!</p> <p>In the last post, we learned how Multer helps us accept file uploads in Express, whether single files or multiple files. We configured a disk storage engine and saw how <code>req.file</code> and <code>req.files</code> give us all the details about what arrived. But one question remained unanswered: <strong>where do the uploaded files actually live, and how do clients get them back?</strong></p> <p>Today we're going to close that loop. We'll talk about storage choices, how to serve uploaded files so they're accessible via a URL, and crucial security practices that keep your application safe. By the end, you'll have a complete picture of the upload‑serve lifecycle.</p> <p>Let's jump in.</p> <h2> Where uploaded files are stored </h2> <p>When Multer saves a file on the server, it places it into a folder that you specify via the <code>destination</code> callback. In our previous example, we used an <code>uploads</code> folder at the root of our project. After a few uploads, the folder might look something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>project/ ├── uploads/ │ ├── avatar-1680000000-123456789.png │ ├── avatar-1680000010-987654321.jpg │ └── cover-1680000020-456789123.jpeg ├── server.js └── package.json </code></pre> </div> <p>The actual filenames are generated by the <code>filename</code> callback (often using a timestamp and a random number to avoid collisions). The original name is still available inside <code>req.file.originalname</code>, but on disk we keep a sanitized, unique name.</p> <h2> Local storage vs external storage concept </h2> <p>In development and small applications, storing files on the local filesystem is perfectly fine. It's simple and needs no extra setup. But as your application grows, you'll often hear about external storage services like Amazon S3, Google Cloud Storage, or Cloudinary. These services store files separately from your Node.js server, which brings several benefits:</p> <ul> <li>Your server's disk space isn't used by user files.</li> <li>The files can be served to clients directly from a CDN, reducing load on your application server.</li> <li>Scaling becomes easier because the storage layer is independent.</li> </ul> <p>For this post, we'll focus entirely on local storage because that's where most people start. We'll mention how to serve those local files directly to clients. Later, when you move to cloud storage, the ideas of URLs and security transfer easily.</p> <h2> Serving static files in Express </h2> <p>After a file is uploaded and stored on disk, you typically want to make it accessible through a URL so that a client (browser, mobile app) can download or display it. Express provides a built‑in middleware called <code>express.static</code> exactly for this purpose.</p> <p><code>express.static</code> takes a folder path and serves all files inside it as static assets. For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="c1">// Serve files from the 'uploads' folder at the '/files' URL path</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/files</span><span class="dl">'</span><span class="p">,</span> <span class="nx">express</span><span class="p">.</span><span class="nf">static</span><span class="p">(</span><span class="dl">'</span><span class="s1">uploads</span><span class="dl">'</span><span class="p">));</span> </code></pre> </div> <p>Now, if there is a file <code>uploads/avatar-123456.png</code>, it becomes available at <code>http://localhost:3000/files/avatar-123456.png</code>. The URL path you choose (<code>/files</code>) can be anything; it doesn't have to match the folder name.</p> <p>A common practice is to serve the uploads folder under a dedicated path like <code>/uploads</code> or <code>/files</code> to keep the URL structure clear.</p> <h2> Setting up the complete flow </h2> <p>Let's combine Multer and static serving into a single Express app to see the full picture:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">multer</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">multer</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">path</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">fs</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">port</span> <span class="o">=</span> <span class="mi">3000</span><span class="p">;</span> <span class="c1">// Ensure uploads folder exists</span> <span class="kd">const</span> <span class="nx">uploadsDir</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">uploads</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">fs</span><span class="p">.</span><span class="nf">existsSync</span><span class="p">(</span><span class="nx">uploadsDir</span><span class="p">))</span> <span class="p">{</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">mkdirSync</span><span class="p">(</span><span class="nx">uploadsDir</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Multer configuration</span> <span class="kd">const</span> <span class="nx">storage</span> <span class="o">=</span> <span class="nx">multer</span><span class="p">.</span><span class="nf">diskStorage</span><span class="p">({</span> <span class="na">destination</span><span class="p">:</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">file</span><span class="p">,</span> <span class="nx">cb</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">cb</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="dl">'</span><span class="s1">uploads/</span><span class="dl">'</span><span class="p">),</span> <span class="na">filename</span><span class="p">:</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">file</span><span class="p">,</span> <span class="nx">cb</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">uniqueSuffix</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">-</span><span class="dl">'</span> <span class="o">+</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">round</span><span class="p">(</span><span class="nb">Math</span><span class="p">.</span><span class="nf">random</span><span class="p">()</span> <span class="o">*</span> <span class="mi">1</span><span class="nx">E9</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">ext</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">extname</span><span class="p">(</span><span class="nx">file</span><span class="p">.</span><span class="nx">originalname</span><span class="p">);</span> <span class="nf">cb</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="nx">file</span><span class="p">.</span><span class="nx">fieldname</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">-</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">uniqueSuffix</span> <span class="o">+</span> <span class="nx">ext</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">upload</span> <span class="o">=</span> <span class="nf">multer</span><span class="p">({</span> <span class="nx">storage</span> <span class="p">});</span> <span class="c1">// Serve uploaded files statically</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/files</span><span class="dl">'</span><span class="p">,</span> <span class="nx">express</span><span class="p">.</span><span class="nf">static</span><span class="p">(</span><span class="dl">'</span><span class="s1">uploads</span><span class="dl">'</span><span class="p">));</span> <span class="c1">// Upload route</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/upload</span><span class="dl">'</span><span class="p">,</span> <span class="nx">upload</span><span class="p">.</span><span class="nf">single</span><span class="p">(</span><span class="dl">'</span><span class="s1">photo</span><span class="dl">'</span><span class="p">),</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">file</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">No file uploaded</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Build the public URL</span> <span class="kd">const</span> <span class="nx">fileUrl</span> <span class="o">=</span> <span class="s2">`http://localhost:</span><span class="p">${</span><span class="nx">port</span><span class="p">}</span><span class="s2">/files/</span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">file</span><span class="p">.</span><span class="nx">filename</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">File uploaded successfully</span><span class="dl">'</span><span class="p">,</span> <span class="na">url</span><span class="p">:</span> <span class="nx">fileUrl</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="nx">port</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Server running on port </span><span class="p">${</span><span class="nx">port</span><span class="p">}</span><span class="s2">`</span><span class="p">));</span> </code></pre> </div> <p>After uploading, the client receives a JSON response containing the direct URL. It can then use that URL to display an image, download a document, or simply check the file.</p> <h2> Accessing uploaded files via URL </h2> <p>The key insight is that the public URL is built from three parts:</p> <ul> <li> <strong>Base URL</strong> of your server (e.g., <code>http://localhost:3000</code>)</li> <li> <strong>Static serving path</strong> (e.g., <code>/files</code>)</li> <li> <strong>Filename on disk</strong> (the unique name generated by Multer)</li> </ul> <p>In the route handler, <code>req.file.filename</code> gives us the exact name stored on disk. Concatenating these pieces gives a valid URL that Express will serve from the <code>uploads</code> folder.</p> <p>For a more production‑ready approach, you'd likely construct the URL from a configuration setting, not hardcode <code>localhost</code>. For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">baseUrl</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">BASE_URL</span> <span class="o">||</span> <span class="s2">`http://localhost:</span><span class="p">${</span><span class="nx">port</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">fileUrl</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">baseUrl</span><span class="p">}</span><span class="s2">/files/</span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">file</span><span class="p">.</span><span class="nx">filename</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> </code></pre> </div> <p>Now clients always get the correct URL regardless of the environment.</p> <h2> Security considerations for uploads </h2> <p>File uploads are powerful but also a potential attack vector if not handled carefully. Here are some essential safe‑handling practices that every developer should follow.</p> <h3> 1. Limit allowed file types </h3> <p>Never accept arbitrary file types. Use Multer's <code>fileFilter</code> to check the MIME type or file extension before writing to disk. For example, if you expect images:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">upload</span> <span class="o">=</span> <span class="nf">multer</span><span class="p">({</span> <span class="nx">storage</span><span class="p">,</span> <span class="na">fileFilter</span><span class="p">:</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">file</span><span class="p">,</span> <span class="nx">cb</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">allowedTypes</span> <span class="o">=</span> <span class="sr">/jpeg|jpg|png|gif/</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">mimeType</span> <span class="o">=</span> <span class="nx">allowedTypes</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">file</span><span class="p">.</span><span class="nx">mimetype</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">extName</span> <span class="o">=</span> <span class="nx">allowedTypes</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nf">extname</span><span class="p">(</span><span class="nx">file</span><span class="p">.</span><span class="nx">originalname</span><span class="p">).</span><span class="nf">toLowerCase</span><span class="p">());</span> <span class="k">if </span><span class="p">(</span><span class="nx">mimeType</span> <span class="o">&amp;&amp;</span> <span class="nx">extName</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">cb</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="kc">true</span><span class="p">);</span> <span class="p">}</span> <span class="nf">cb</span><span class="p">(</span><span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Only image files are allowed</span><span class="dl">'</span><span class="p">));</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <h3> 2. Restrict file size </h3> <p>You can set a <code>limits</code> object on the Multer instance to reject files that are too large:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">upload</span> <span class="o">=</span> <span class="nf">multer</span><span class="p">({</span> <span class="nx">storage</span><span class="p">,</span> <span class="na">limits</span><span class="p">:</span> <span class="p">{</span> <span class="na">fileSize</span><span class="p">:</span> <span class="mi">5</span> <span class="o">*</span> <span class="mi">1024</span> <span class="o">*</span> <span class="mi">1024</span> <span class="p">}</span> <span class="c1">// 5 MB</span> <span class="p">});</span> </code></pre> </div> <p>This prevents someone from filling up your server's disk with a single request.</p> <h3> 3. Rename files to avoid path traversal </h3> <p>Never trust the original filename directly in the storage path. Always generate a new name, as we did with the <code>filename</code> callback. Using <code>Date.now()</code> and a random number makes it nearly impossible for an attacker to guess the filename. Also avoid including user‑supplied strings in the path to prevent directory traversal attacks (e.g., <code>../../../etc/passwd</code>).</p> <h3> 4. Store uploaded files outside the public web root </h3> <p>If possible, keep the uploads folder outside the main Express static folder that is openly served. In our setup, we used <code>/files</code> explicitly, but the <code>uploads</code> folder itself is not automatically exposed except through that route. Still, it's a good idea to store uploads in a directory that is not directly under the static root, and then use <code>express.static</code> with an absolute path to serve it under a specific URL prefix. This prevents direct access via path guessing.</p> <h3> 5. Do not execute uploaded files </h3> <p>Make sure your static file serving middleware only serves files with safe content types. For example, if someone uploads a <code>.php</code> or <code>.js</code> file and you serve it via <code>express.static</code>, a browser might try to interpret it as code, especially if served with the wrong <code>Content-Type</code>. Express/Node.js static middleware sends files with an appropriate MIME type based on the extension, which usually prevents execution. Still, it's wise to limit accepted extensions and avoid storing executable scripts in the uploads folder.</p> <h3> 6. Scan for malware (advanced) </h3> <p>For high‑security applications, you can integrate virus scanning tools that inspect uploaded files before they're stored. This is beyond the scope of this post, but keep it in mind for production systems.</p> <h2> Conclusion </h2> <p>Storing and serving uploaded files completes the file upload puzzle. By using Multer's disk storage and Express's static middleware, you can quickly give your users the ability to upload content and retrieve it via clean URLs. Add a few security precautions, and you have a robust foundation that works for development and small production apps.</p> <p>Let's quickly recap:</p> <ul> <li>Uploaded files can be stored locally in a project folder (e.g., <code>uploads/</code>) or externally on cloud services for scalability.</li> <li> <code>express.static</code> lets you serve the files under a URL prefix, making them accessible to clients.</li> <li>Building a file URL combines the base URL, the static serving path, and the unique filename stored on disk.</li> <li>Security is essential: limit file types and sizes, rename files, avoid executable files, and store uploads outside the main public root if possible.</li> <li>A clear folder structure and the static middleware together create an intuitive upload‑serve flow.</li> </ul> <p>Now you have the full cycle: receiving files and giving them back. In the next post, we'll explore something new, maybe working with databases or error handling. See you then!</p> <p>Hope you found this helpful! If you spot any mistakes or have suggestions, let me know. You can find me on <a href="https://www.linkedin.com/in/satyaprangyasootar" rel="noopener noreferrer">LinkedIn</a> and <a href="https://x.com/satyasootar" rel="noopener noreferrer">X</a>, where I post more about web development.</p> express multer node Handling File Uploads in Express with Multer SATYA SOOTAR Sun, 10 May 2026 14:00:30 +0000 https://dev.to/satyasootar/handling-file-uploads-in-express-with-multer-56bf https://dev.to/satyasootar/handling-file-uploads-in-express-with-multer-56bf <p>Hello readers 👋, welcome to the 12th blog in our Node.js series!</p> <p>In the last post, we learned how Express simplifies route handling and request processing. Today, we're going to tackle a common real‑world requirement that every backend developer faces: <strong>handling file uploads</strong>. Whether it's a profile picture, a PDF invoice, or a batch of images, users need to send files to your server, and you need a clean way to receive and store them.</p> <p>Express itself doesn't handle file uploads out of the box. That's where a specialized middleware called <strong>Multer</strong> comes in. We'll understand why file uploads need special handling, how Multer works, and then build practical examples for single and multiple file uploads. By the end, you'll be able to accept files, store them on disk, and serve them back to clients.</p> <p>Let's jump right in.</p> <h2> Why file uploads need middleware </h2> <p>When a browser sends a file, it uses a special encoding called <strong>multipart/form-data</strong>. This encoding splits the request body into multiple parts, each representing a form field or a file. A regular JSON body parser like <code>express.json()</code> cannot parse multipart data. If you try, <code>req.body</code> will be empty, and the file data will be lost.</p> <p>To handle multipart/form-data, we need a parser that knows how to extract files from the request stream and make them available to our code. Multer is precisely that parser.</p> <h2> What Multer is </h2> <p>Multer is a Node.js middleware for handling <code>multipart/form-data</code>, which is primarily used for uploading files. It is designed to work with Express and sits as a middleware in the request pipeline. When a request with a file arrives, Multer processes the incoming stream, saves the file(s) to a location you specify (disk or memory), and attaches a <code>file</code> (or <code>files</code>) object to the <code>req</code> object. The rest of your route handler can then access the file details.</p> <p>Multer adds a <code>file</code> or <code>files</code> property to the request object. A single file upload sets <code>req.file</code>, while multiple files set <code>req.files</code> (an array or an object, depending on configuration). Each file object contains fields like <code>originalname</code>, <code>mimetype</code>, <code>size</code>, and <code>path</code> (if stored on disk).</p> <h2> The multipart/form-data concept simply </h2> <p>Imagine you want to mail a letter along with a small gift. You can't just stuff the gift into a regular envelope; you need a special package with compartments. Similarly, when a browser sends form data that includes a file, it can't just put everything into a single JSON object. It uses <code>multipart/form-data</code>, which creates boundaries (think of them as separators) that tell the server where each field or file begins and ends.</p> <p>When you set <code>enctype="multipart/form-data"</code> on a form, the browser encodes the data using this format. Multer is the tool on the server side that understands these compartments and extracts the file from the correct part.</p> <h2> Setting up Multer </h2> <p>First, install Multer in your project:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>multer </code></pre> </div> <p>Then, require it and configure a storage engine. We'll start with disk storage, which saves files directly to a folder on your server.</p> <h3> Minimal storage configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">multer</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">multer</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Define where to store files and how to name them</span> <span class="kd">const</span> <span class="nx">storage</span> <span class="o">=</span> <span class="nx">multer</span><span class="p">.</span><span class="nf">diskStorage</span><span class="p">({</span> <span class="na">destination</span><span class="p">:</span> <span class="nf">function </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">file</span><span class="p">,</span> <span class="nx">cb</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Specify the upload folder</span> <span class="nf">cb</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="dl">'</span><span class="s1">uploads/</span><span class="dl">'</span><span class="p">);</span> <span class="p">},</span> <span class="na">filename</span><span class="p">:</span> <span class="nf">function </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">file</span><span class="p">,</span> <span class="nx">cb</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Give the file a unique name, preserving the extension</span> <span class="kd">const</span> <span class="nx">uniqueSuffix</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">-</span><span class="dl">'</span> <span class="o">+</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">round</span><span class="p">(</span><span class="nb">Math</span><span class="p">.</span><span class="nf">random</span><span class="p">()</span> <span class="o">*</span> <span class="mi">1</span><span class="nx">E9</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">extension</span> <span class="o">=</span> <span class="nx">file</span><span class="p">.</span><span class="nx">originalname</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">).</span><span class="nf">pop</span><span class="p">();</span> <span class="nf">cb</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="nx">file</span><span class="p">.</span><span class="nx">fieldname</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">-</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">uniqueSuffix</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">.</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">extension</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">upload</span> <span class="o">=</span> <span class="nf">multer</span><span class="p">({</span> <span class="na">storage</span><span class="p">:</span> <span class="nx">storage</span> <span class="p">});</span> </code></pre> </div> <p>Here, <code>multer.diskStorage</code> lets you control the destination folder and filename. The callback <code>cb</code> is used to pass the final path or error. We generate a semi‑unique filename to avoid collisions.</p> <h2> Handling a single file upload </h2> <p>Let's create an Express route that accepts a single file, for example, a profile picture. The client sends the file under a field name, say <code>avatar</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">port</span> <span class="o">=</span> <span class="mi">3000</span><span class="p">;</span> <span class="c1">// Ensure the "uploads" folder exists, or Multer will error</span> <span class="kd">const</span> <span class="nx">fs</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">path</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">uploadsDir</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">uploads</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">fs</span><span class="p">.</span><span class="nf">existsSync</span><span class="p">(</span><span class="nx">uploadsDir</span><span class="p">)){</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">mkdirSync</span><span class="p">(</span><span class="nx">uploadsDir</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Single file upload middleware</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/profile</span><span class="dl">'</span><span class="p">,</span> <span class="nx">upload</span><span class="p">.</span><span class="nf">single</span><span class="p">(</span><span class="dl">'</span><span class="s1">avatar</span><span class="dl">'</span><span class="p">),</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// req.file contains information about the uploaded file</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">file</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">No file uploaded</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">file</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">File uploaded successfully</span><span class="dl">'</span><span class="p">,</span> <span class="na">file</span><span class="p">:</span> <span class="p">{</span> <span class="na">originalName</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">file</span><span class="p">.</span><span class="nx">originalname</span><span class="p">,</span> <span class="na">size</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">file</span><span class="p">.</span><span class="nx">size</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">file</span><span class="p">.</span><span class="nx">path</span> <span class="p">}</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="nx">port</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Server running on port </span><span class="p">${</span><span class="nx">port</span><span class="p">}</span><span class="s2">`</span><span class="p">));</span> </code></pre> </div> <p><code>upload.single('avatar')</code> is the Multer middleware. It expects the file to be sent in the form field named <code>avatar</code>. After successful upload, <code>req.file</code> contains:</p> <ul> <li> <code>fieldname</code> – the name of the form field</li> <li> <code>originalname</code> – the original name on the user's computer</li> <li> <code>mimetype</code> – e.g., <code>image/png</code> </li> <li> <code>size</code> – file size in bytes</li> <li> <code>destination</code> – the folder where the file was saved</li> <li> <code>filename</code> – the generated filename on disk</li> <li> <code>path</code> – the full path to the uploaded file</li> </ul> <h2> Handling multiple file uploads </h2> <p>Multer provides several ways to accept multiple files.</p> <h3> 1. Multiple files with the same field name (array of files) </h3> <p>Use <code>upload.array('photos', 5)</code> to accept up to 5 files in the field <code>photos</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/gallery</span><span class="dl">'</span><span class="p">,</span> <span class="nx">upload</span><span class="p">.</span><span class="nf">array</span><span class="p">(</span><span class="dl">'</span><span class="s1">photos</span><span class="dl">'</span><span class="p">,</span> <span class="mi">5</span><span class="p">),</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">files</span> <span class="o">||</span> <span class="nx">req</span><span class="p">.</span><span class="nx">files</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">No files uploaded</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">fileDetails</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">files</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">f</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="nx">f</span><span class="p">.</span><span class="nx">originalname</span><span class="p">,</span> <span class="na">size</span><span class="p">:</span> <span class="nx">f</span><span class="p">.</span><span class="nx">size</span> <span class="p">}));</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Files uploaded</span><span class="dl">'</span><span class="p">,</span> <span class="na">files</span><span class="p">:</span> <span class="nx">fileDetails</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p><code>req.files</code> is an array of file objects, each similar to <code>req.file</code>.</p> <h3> 2. Multiple fields with different names </h3> <p>Use <code>upload.fields([...])</code> when you have several distinct file fields, like <code>avatar</code> and <code>cover</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">cpUpload</span> <span class="o">=</span> <span class="nx">upload</span><span class="p">.</span><span class="nf">fields</span><span class="p">([</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">avatar</span><span class="dl">'</span><span class="p">,</span> <span class="na">maxCount</span><span class="p">:</span> <span class="mi">1</span> <span class="p">},</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">cover</span><span class="dl">'</span><span class="p">,</span> <span class="na">maxCount</span><span class="p">:</span> <span class="mi">1</span> <span class="p">}</span> <span class="p">]);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/complete-profile</span><span class="dl">'</span><span class="p">,</span> <span class="nx">cpUpload</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// req.files is an object with keys 'avatar' and 'cover', each an array of files</span> <span class="kd">const</span> <span class="nx">avatar</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">files</span><span class="p">[</span><span class="dl">'</span><span class="s1">avatar</span><span class="dl">'</span><span class="p">]</span> <span class="p">?</span> <span class="nx">req</span><span class="p">.</span><span class="nx">files</span><span class="p">[</span><span class="dl">'</span><span class="s1">avatar</span><span class="dl">'</span><span class="p">][</span><span class="mi">0</span><span class="p">]</span> <span class="p">:</span> <span class="kc">null</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">cover</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">files</span><span class="p">[</span><span class="dl">'</span><span class="s1">cover</span><span class="dl">'</span><span class="p">]</span> <span class="p">?</span> <span class="nx">req</span><span class="p">.</span><span class="nx">files</span><span class="p">[</span><span class="dl">'</span><span class="s1">cover</span><span class="dl">'</span><span class="p">][</span><span class="mi">0</span><span class="p">]</span> <span class="p">:</span> <span class="kc">null</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">avatar</span><span class="p">:</span> <span class="nx">avatar</span><span class="p">?.</span><span class="nx">originalname</span><span class="p">,</span> <span class="na">cover</span><span class="p">:</span> <span class="nx">cover</span><span class="p">?.</span><span class="nx">originalname</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h2> Serving uploaded files </h2> <p>After uploading, you often need to serve the files back to the client (e.g., to display an image). Express has a built‑in middleware <code>express.static</code> for serving static files from a directory.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Serve files from the 'uploads' folder at the '/files' URL path</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/files</span><span class="dl">'</span><span class="p">,</span> <span class="nx">express</span><span class="p">.</span><span class="nf">static</span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">uploads</span><span class="dl">'</span><span class="p">)));</span> </code></pre> </div> <p>Now, if a file was saved as <code>uploads/avatar-123456789.png</code>, the client can access it at <code>http://localhost:3000/files/avatar-123456789.png</code>. You can use the relative path to build the URL.</p> <h2> Visualizing the upload flow </h2> <p><strong>Client → Server → Storage flow:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Client (browser) │ ├── Sends POST /profile with multipart/form-data (file in field "avatar") │ ▼ Express Server │ ├── Multer middleware (upload.single('avatar')) │ ├── Parses multipart data │ ├── Streams file to disk (or memory) │ └── Attaches req.file │ ▼ Route Handler │ ├── Accesses req.file details ├── Saves metadata to database (if needed) └── Sends response (e.g., file URL) </code></pre> </div> <p><strong>Multer middleware execution:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Request │ ▼ Multer middleware (configured with storage engine) │ ├── Read stream → Identify boundaries │ ├── For each file field: │ ├── Extract filename, MIME type │ ├── Call storage._handleFile (disk or memory) │ │ └── Write to disk / buffer │ └── Emit 'file' event or push to array │ ├── Calls next() when all fields and files processed │ ▼ Next middleware / route handler (receives req.file or req.files) </code></pre> </div> <p>That summarizes the lifecycle.</p> <h2> Conclusion </h2> <p>Multer makes handling file uploads in Express straightforward. By plugging it as a middleware, you can accept single or multiple files, control where they are saved, and then serve them back easily. Understanding multipart/form-data and Multer's role is key to building applications that accept user‑generated content.</p> <p>Let's quickly recap:</p> <ul> <li>File uploads use <code>multipart/form-data</code>; regular body parsers can't handle them.</li> <li>Multer is an Express middleware that parses multipart data and gives you <code>req.file</code> or <code>req.files</code>.</li> <li>Configure storage using <code>multer.diskStorage</code> to define destination and filename.</li> <li> <code>upload.single()</code>, <code>upload.array()</code>, and <code>upload.fields()</code> cover most use cases.</li> <li>Serve uploaded files with <code>express.static</code> for easy access.</li> <li>The upload lifecycle flows from client to Multer to disk, then to your route handler.</li> </ul> <p>Now you can confidently add file upload capabilities to your Node.js APIs. In the next post, we might explore error handling in Multer or move on to database integration. See you then!</p> <p>Hope you found this helpful! If you spot any mistakes or have suggestions, let me know. You can find me on <a href="https://www.linkedin.com/in/satyaprangyasootar" rel="noopener noreferrer">LinkedIn</a> and <a href="https://x.com/satyasootar" rel="noopener noreferrer">X</a>, where I post more about web development.</p> express node multer Creating Routes and Handling Requests with Express SATYA SOOTAR Sun, 10 May 2026 13:52:33 +0000 https://dev.to/satyasootar/creating-routes-and-handling-requests-with-express-ibm https://dev.to/satyasootar/creating-routes-and-handling-requests-with-express-ibm <p>Hello readers 👋, welcome to the 11th blog in our Node.js series!</p> <p>We've come a long way. We started by setting up Node.js, understood its event loop, explored blocking vs non‑blocking code, handled async operations with promises, secured routes with JWT, designed a REST API, and even dove into middleware. But to build those APIs and middleware, we used Express.js. Now it's time to shine a focused light on exactly how Express helps us create routes and handle requests so effortlessly.</p> <p>In this post, we'll take a step back and talk about what Express.js is, why it makes Node.js development so much smoother, and how to create clean, readable routes for <code>GET</code> and <code>POST</code> requests. By the end, you'll see why Express has become the go‑to framework for building web servers with Node.js.</p> <p>Let's jump in.</p> <h2> What is Express.js? </h2> <p>Express.js is a minimal and flexible web application framework for Node.js. It provides a thin layer of fundamental web application features, without obscuring Node.js features that you know and love. In simpler words, it's a set of tools that makes it ridiculously easy to handle HTTP requests, define routes, work with middleware, and send responses.</p> <p>At its core, Express is just a function that returns an application object. You attach route handlers to it, and it efficiently maps incoming requests to the right handlers.</p> <h2> Why Express simplifies Node.js development </h2> <p>To appreciate Express, let's quickly compare it with building an HTTP server using Node.js's built‑in <code>http</code> module.</p> <p><strong>Raw Node.js HTTP server example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">http</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">http</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="nx">http</span><span class="p">.</span><span class="nf">createServer</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">method</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">GET</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">url</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">writeHead</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">end</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">([{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Satya</span><span class="dl">'</span> <span class="p">}]));</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">method</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">GET</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">url</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users/</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">id</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">url</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">)[</span><span class="mi">2</span><span class="p">];</span> <span class="nx">res</span><span class="p">.</span><span class="nf">writeHead</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">end</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="nx">id</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Satya</span><span class="dl">'</span> <span class="p">}));</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">method</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">url</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">body</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="nx">req</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">data</span><span class="dl">'</span><span class="p">,</span> <span class="nx">chunk</span> <span class="o">=&gt;</span> <span class="nx">body</span> <span class="o">+=</span> <span class="nx">chunk</span><span class="p">);</span> <span class="nx">req</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">end</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">body</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">writeHead</span><span class="p">(</span><span class="mi">201</span><span class="p">,</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">end</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">user</span><span class="p">));</span> <span class="p">});</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">writeHead</span><span class="p">(</span><span class="mi">404</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">end</span><span class="p">(</span><span class="dl">'</span><span class="s1">Not found</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">server</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">3000</span><span class="p">);</span> </code></pre> </div> <p>That works, but as your application grows, the code becomes a mess of <code>if‑else</code> statements, manual body parsing, and repetitive header writing.</p> <p>Now look at the same logic with Express:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">([{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Satya</span><span class="dl">'</span> <span class="p">}]);</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users/:id</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">id</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">id</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">id</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Satya</span><span class="dl">'</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">201</span><span class="p">).</span><span class="nf">json</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">3000</span><span class="p">);</span> </code></pre> </div> <p>Here's what Express gives you:</p> <ul> <li> <strong>Clean routing</strong>: You directly map HTTP methods and URL patterns to handler functions. No need to manually parse <code>req.url</code> or check <code>req.method</code>.</li> <li> <strong>Automatic body parsing</strong>: With <code>express.json()</code> middleware, the body is parsed and available at <code>req.body</code>.</li> <li> <strong>Easy response helpers</strong>: <code>res.json()</code> automatically sets the content type and stringifies the object.</li> <li> <strong>Route parameters</strong>: Express extracts <code>:id</code> from the URL and places it in <code>req.params</code>.</li> <li> <strong>Middleware support</strong>: You can chain functions (like we explored in the previous blog) to handle logging, auth, validation.</li> </ul> <p>Express takes away the boilerplate so you can focus on your application logic.</p> <h2> Creating your first Express server </h2> <p>Let's start from zero. First, initialize a project and install Express:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm init <span class="nt">-y</span> npm <span class="nb">install </span>express </code></pre> </div> <p>Then create a file, say <code>server.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">PORT</span> <span class="o">=</span> <span class="mi">3000</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Hello from Express!</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="nx">PORT</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Server is running on http://localhost:</span><span class="p">${</span><span class="nx">PORT</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Run it with <code>node server.js</code>, and open <code>http://localhost:3000</code>. You'll see the greeting. This is the absolute minimal Express server.</p> <h2> Handling GET requests </h2> <p><code>GET</code> requests are used to fetch data. Express makes it very intuitive.</p> <h3> 1. Simple GET route </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/hello</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Hello World</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h3> 2. Using route parameters </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users/:id</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">userId</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">id</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="s2">`User ID: </span><span class="p">${</span><span class="nx">userId</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>A request to <code>/users/42</code> returns <code>User ID: 42</code>. Express automatically parses the <code>:id</code> segment.</p> <h3> 3. Query string parameters </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/search</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">q</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">page</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">page</span> <span class="o">||</span> <span class="mi">1</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">query</span><span class="p">,</span> <span class="nx">page</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>A request to <code>/search?q=express&amp;page=2</code> gives <code>{ "query": "express", "page": "2" }</code>.</p> <h3> 4. Returning JSON data </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/users</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">users</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Satya</span><span class="dl">'</span> <span class="p">},</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Priya</span><span class="dl">'</span> <span class="p">}</span> <span class="p">];</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">users</span><span class="p">);</span> <span class="c1">// sets Content-Type to application/json automatically</span> <span class="p">});</span> </code></pre> </div> <p><code>res.json()</code> is the go‑to for API responses.</p> <h2> Handling POST requests </h2> <p><code>POST</code> requests typically create new resources. To process them, you need to read the request body. Express's built-in middleware <code>express.json()</code> does exactly that.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="c1">// parse JSON bodies</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/users</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">email</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="c1">// In a real app, you'd save to a database</span> <span class="kd">const</span> <span class="nx">newUser</span> <span class="o">=</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">(),</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">email</span> <span class="p">};</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">201</span><span class="p">).</span><span class="nf">json</span><span class="p">(</span><span class="nx">newUser</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Test it with a client that sends JSON:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Rahul"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"rahul@example.com"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The response will be <code>201 Created</code> with the new user object.</p> <p>You can also handle form submissions using <code>express.urlencoded({ extended: true })</code> if you're dealing with traditional HTML forms.</p> <h2> Sending responses </h2> <p>Express provides multiple methods to send responses, each suitable for different scenarios:</p> <ul> <li> <code>res.send(string)</code> – sends a plain text or HTML string; sets <code>Content-Type</code> accordingly.</li> <li> <code>res.json(object)</code> – sends a JSON object with proper header.</li> <li> <code>res.status(code).json(object)</code> – sets the status code and sends JSON.</li> <li> <code>res.sendFile(path)</code> – streams a file from disk.</li> <li> <code>res.redirect(url)</code> – redirects to another URL.</li> <li> <code>res.download(path)</code> – prompts the browser to download a file.</li> </ul> <p>You can also chain status codes: <code>res.status(404).send('Not Found')</code>.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/file</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">sendFile</span><span class="p">(</span><span class="nx">__dirname</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">/sample.pdf</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Express is flexible and doesn't force one way of responding.</p> <h2> Conclusion </h2> <p>Express.js strips away the repetitive plumbing of raw Node.js HTTP servers and lets you define routes declaratively, making your code cleaner and faster to write. With just a few lines, you can set up a server, handle GET and POST requests, parse inputs, and send proper responses. This is the foundation of every Node.js backend I've built.</p> <p>Let's recap:</p> <ul> <li>Express is a minimal framework that simplifies creating HTTP servers in Node.js.</li> <li>It offers clean routing with methods like <code>app.get</code>, <code>app.post</code>, <code>app.put</code>, etc.</li> <li>Route parameters (<code>req.params</code>), query strings (<code>req.query</code>), and body parsing (<code>req.body</code>) are built in.</li> <li>Response helpers (<code>res.json</code>, <code>res.send</code>, <code>res.status</code>) make sending data back straightforward.</li> <li>Compared to raw Node, Express eliminates boilerplate and reduces developer friction.</li> </ul> <p>Now that you're comfortable with routes and request handling, the next step is to build more complex applications, connect to databases, and structure larger codebases. We'll continue that journey in the next post.</p> <p>Hope you found this helpful! If you spot any mistakes or have suggestions, let me know. You can find me on <a href="https://www.linkedin.com/in/satyaprangyasootar" rel="noopener noreferrer">LinkedIn</a> and <a href="https://x.com/satyasootar" rel="noopener noreferrer">X</a>, where I post more about web development.</p> express routes node What is Middleware in Express and How It Works SATYA SOOTAR Sun, 10 May 2026 13:50:59 +0000 https://dev.to/satyasootar/what-is-middleware-in-express-and-how-it-works-47an https://dev.to/satyasootar/what-is-middleware-in-express-and-how-it-works-47an <p>Hello readers 👋, welcome to the 10th blog in our Node.js series!</p> <p>In the last post, we built a clean REST API using Express.js for a users resource. We defined routes and handled different HTTP methods. Today, we are going to explore a concept that sits quietly at the heart of every Express application: <strong>middleware</strong>.</p> <p>If you have ever wanted to log every request, check authentication tokens, or validate incoming data before it hits your route handler, you have needed middleware. Let's understand what middleware is, how it fits into the request lifecycle, the different types, and how to chain multiple middleware to build powerful, reusable pipelines.</p> <p>Let's get started.</p> <h2> What middleware is in Express </h2> <p>Middleware, in Express, are functions that have access to the request object (<code>req</code>), the response object (<code>res</code>), and the next middleware function in the application's request-response cycle. The next middleware function is conventionally denoted by a variable named <code>next</code>.</p> <p>Think of middleware as a series of checkpoints or processing stations that every incoming request passes through before reaching the final route handler. At each checkpoint, you can:</p> <ul> <li>Inspect or modify the request (e.g., add properties, parse the body).</li> <li>Perform some logic (e.g., log the request time, check authentication).</li> <li>Send an early response (e.g., return an error if the user is not authenticated) and stop the chain.</li> <li>Call <code>next()</code> to pass control to the next middleware in line.</li> </ul> <p>Middleware functions are executed in the order they are defined. That order is crucial and we'll explore it soon.</p> <h2> Where middleware sits in the request lifecycle </h2> <p>In a typical Express app, an incoming HTTP request flows through a pipeline:</p> <ol> <li>The request arrives at the server.</li> <li>It passes through each middleware function registered (both application-level and router-level) in the order they were added.</li> <li>Finally, it reaches the route handler that matches the path and method.</li> <li>The route handler sends a response.</li> <li>If no middleware or route sends a response, the request hangs; Express doesn't automatically respond.</li> </ol> <p>The middleware chain can be visualized as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Request → [Middleware 1] → [Middleware 2] → [Route Handler] → Response </code></pre> </div> <p>Each arrow is a <code>next()</code> call. If a middleware function does not call <code>next()</code>, the request stalls and never reaches the next middleware or route handler (unless you send a response and end the request). This pipeline concept is the backbone of Express.</p> <h2> The role of <code>next()</code> </h2> <p>The <code>next</code> function is a callback that tells Express "I'm done, move on to the next middleware or route handler." If the currently executing middleware function does not end the request-response cycle, it must call <code>next()</code>.</p> <p>There are two important variations:</p> <ul> <li> <code>next()</code> – proceed to the next middleware in the stack.</li> <li> <code>next('route')</code> – skip to the next route handler (only works in router-level middleware).</li> </ul> <p>If you pass an error to <code>next(err)</code>, Express skips all remaining non-error middleware and goes directly to an error-handling middleware, which has four parameters: <code>(err, req, res, next)</code>. We'll keep error handling middleware for another post.</p> <h2> Application-level middleware </h2> <p>Application-level middleware are bound to an instance of the <code>app</code> object using <code>app.use()</code> or <code>app.METHOD()</code>. They run for every request (if no path is specified) or for requests that match a specific path prefix.</p> <p><strong>Example: logging middleware for every request</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="c1">// Application-level middleware (no path, runs on every request)</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">method</span><span class="p">}</span><span class="s2"> </span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">url</span><span class="p">}</span><span class="s2"> - </span><span class="p">${</span><span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">()}</span><span class="s2">`</span><span class="p">);</span> <span class="nf">next</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <p>Here, we log the HTTP method, URL, and timestamp for every request. We then call <code>next()</code> so the request continues down the pipeline.</p> <p><strong>Example: middleware for a specific path</strong></p> <p>You can limit middleware to a path prefix:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/admin</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Admin route accessed</span><span class="dl">'</span><span class="p">);</span> <span class="nf">next</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <p>Middleware added this way will run for any route starting with <code>/admin</code>.</p> <h2> Router-level middleware </h2> <p>Router-level middleware works exactly like application-level middleware, except it is bound to an instance of <code>express.Router()</code>. It's used to organize route-specific middleware, especially when you have modular route files.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nx">express</span><span class="p">.</span><span class="nc">Router</span><span class="p">();</span> <span class="c1">// Router-level middleware: runs for every request handled by this router</span> <span class="nx">router</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Inside user router</span><span class="dl">'</span><span class="p">);</span> <span class="nf">next</span><span class="p">();</span> <span class="p">});</span> <span class="nx">router</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/profile</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">User profile</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">,</span> <span class="nx">router</span><span class="p">);</span> </code></pre> </div> <p>Now, any request starting with <code>/users</code> will first go through the router-level middleware before hitting the specific route handler.</p> <h2> Built-in middleware </h2> <p>Express has some built-in middleware functions that solve common tasks. You've already seen one: <code>express.json()</code>. These are middleware functions that come with Express and are used via <code>app.use()</code>.</p> <ul> <li> <code>express.json()</code> – parses incoming JSON payloads and populates <code>req.body</code>.</li> <li> <code>express.urlencoded({ extended: true })</code> – parses URL-encoded payloads (from HTML forms).</li> <li> <code>express.static('public')</code> – serves static files (images, CSS, JS) from a directory.</li> </ul> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">static</span><span class="p">(</span><span class="dl">'</span><span class="s1">public</span><span class="dl">'</span><span class="p">));</span> </code></pre> </div> <p>These are middleware too! They process the request and call <code>next()</code> for the next piece in the pipeline.</p> <h2> Execution order of middleware </h2> <p>The order in which you declare middleware matters immensely. Express executes them sequentially, top to bottom. If you place a middleware that sends a response before your route handler, the route handler will never run.</p> <p>Consider this incorrect example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">This ends the request</span><span class="dl">'</span><span class="p">);</span> <span class="nf">next</span><span class="p">();</span> <span class="c1">// This will still be called but no further middleware can modify the response after send</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Hello world</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Here, the first middleware sends a response, and unless you call <code>next()</code> before <code>send()</code>, the <code>get</code> handler never sees the request. More importantly, even if you call <code>next()</code> after <code>send()</code>, Express will not allow you to send another response; you'd get an error because headers are already sent. So, typically you either call <code>next()</code> without sending a response, or you end the request inside the middleware.</p> <p>The correct pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Logging</span><span class="dl">'</span><span class="p">);</span> <span class="nf">next</span><span class="p">();</span> <span class="c1">// pass control</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// maybe add timestamp to req</span> <span class="nx">req</span><span class="p">.</span><span class="nx">requestTime</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">();</span> <span class="nf">next</span><span class="p">();</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="s2">`Hello world, request at </span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">requestTime</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Each middleware adds something and passes control. The route handler runs at the end.</p> <h2> Real-world examples </h2> <p>Let's see three practical middleware: logging, authentication, and request validation.</p> <h3> Logging middleware </h3> <p>You've already seen a basic logger. Let's write a slightly cleaner one:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">logger</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">start</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">();</span> <span class="nx">res</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">finish</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">duration</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">-</span> <span class="nx">start</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">method</span><span class="p">}</span><span class="s2"> </span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">originalUrl</span><span class="p">}</span><span class="s2"> </span><span class="p">${</span><span class="nx">res</span><span class="p">.</span><span class="nx">statusCode</span><span class="p">}</span><span class="s2"> - </span><span class="p">${</span><span class="nx">duration</span><span class="p">}</span><span class="s2">ms`</span><span class="p">);</span> <span class="p">});</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">logger</span><span class="p">);</span> </code></pre> </div> <p>This logs the method, URL, status code, and response time. It uses the <code>finish</code> event on the response to know when the response is sent.</p> <h3> Authentication middleware </h3> <p>This one checks for a valid JWT token (similar to our earlier JWT blog). If invalid, it stops the request with a 401 error. Otherwise, it attaches the user and continues.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">authenticate</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">authHeader</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">authorization</span><span class="dl">'</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">authHeader</span> <span class="o">&amp;&amp;</span> <span class="nx">authHeader</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1"> </span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Access token missing</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_SECRET</span><span class="p">);</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">decoded</span><span class="p">;</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid token</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Protect a route</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/profile</span><span class="dl">'</span><span class="p">,</span> <span class="nx">authenticate</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="s2">`User profile for </span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">userId</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Notice how the middleware stops the request (by returning a response) when authentication fails, so the route handler never executes.</p> <h3> Request validation middleware </h3> <p>You can validate input before it reaches business logic. This keeps your route handlers clean. Here's a simple one for creating a user:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">validateUserInput</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">email</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">name</span> <span class="o">||</span> <span class="o">!</span><span class="nx">email</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Name and email are required</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="k">typeof</span> <span class="nx">email</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span> <span class="o">||</span> <span class="o">!</span><span class="nx">email</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">@</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid email</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">,</span> <span class="nx">validateUserInput</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// create user logic...</span> <span class="p">});</span> </code></pre> </div> <p>When validation fails, we respond immediately with <code>400 Bad Request</code>. Otherwise, <code>next()</code> passes control to the actual handler. This separation improves readability and reusability.</p> <h2> Middleware pipeline </h2> <p>Imagine a physical pipeline with several inspection stations. A request arrives, gets stamped at the logging station, then passes through a security gate (authentication), then a quality check (validation), and finally reaches the desired destination (route handler). At any point, if it fails inspection, it gets turned away with a response.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyoqyfrgrdt4xx4edno2i.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyoqyfrgrdt4xx4edno2i.png" alt="Middleware pipeline"></a></p> <h2> Conclusion </h2> <p>Middleware is one of those concepts that, once you understand it, Express becomes transparent. It's just a sequence of functions that have access to <code>req</code> and <code>res</code> and can either pass the request along with <code>next()</code> or end the cycle by sending a response. By chaining middleware, you can separate concerns like logging, authentication, and validation, making your code cleaner and more maintainable.</p> <p>Let's quickly recap:</p> <ul> <li>Middleware functions sit between the incoming request and the final route handler.</li> <li>They can modify the request/response, run code, or end the request early.</li> <li>The <code>next()</code> function passes control to the next middleware in the stack; without it, the request stalls.</li> <li>Application-level middleware (<code>app.use()</code>) runs for all requests or a specific path.</li> <li>Router-level middleware (<code>router.use()</code>) works for a specific router.</li> <li>Built-in middleware like <code>express.json()</code> are just prepackaged middleware.</li> <li>Execution order is top-to-bottom, so declare middleware before routes they should affect.</li> <li>Real-world uses include logging, authentication, and input validation, which keep route handlers focused.</li> </ul> <p>Now that you understand middleware, you can structure Express apps that are modular, secure, and easy to scale. In the next post, we'll continue building more practical features. See you there!</p> <p>Hope you found this helpful! If you spot any mistakes or have suggestions, let me know. You can find me on <a href="https://www.linkedin.com/in/satyaprangyasootar" rel="noopener noreferrer">LinkedIn</a> and <a href="https://x.com/satyasootar" rel="noopener noreferrer">X</a>, where I post more about web development.</p> express node REST API Design Made Simple with Express.js SATYA SOOTAR Sat, 09 May 2026 13:18:27 +0000 https://dev.to/satyasootar/rest-api-design-made-simple-with-expressjs-3o2g https://dev.to/satyasootar/rest-api-design-made-simple-with-expressjs-3o2g <p>Hello readers 👋, welcome to the 9th blog in our Node.js series!</p> <p>In our last post, we learned how JWT authentication keeps your application secure without the need for server-side sessions. Today, we're going to focus on something equally essential: how to design a clean, predictable, and intuitive API using Express.js following <strong>REST</strong> principles.</p> <p>Whether you're building a mobile app, a frontend in React, or just exposing data to the world, you'll need an API that clients can understand and use easily. REST gives us a set of conventions that make APIs feel natural. We'll break down what a REST API is, map out HTTP methods, introduce status codes, and design routes for a simple <strong>users</strong> resource. By the end, you'll be able to structure your own Express.js APIs clearly.</p> <p>Let's jump right in.</p> <h2> What is a REST API? </h2> <p>First, let's define <strong>API</strong>. An API (Application Programming Interface) is a set of rules that allows two pieces of software to talk to each other. When you use any app on your phone, it likely talks to a server using an API. The API is the contract between the client and the server: "you send me a request in this format, and I'll give you a response in that format."</p> <p><strong>REST</strong> stands for <strong>Representational State Transfer</strong>. It's an architectural style that uses the standard HTTP methods (GET, POST, PUT, DELETE) and follows a few guiding principles:</p> <ul> <li>Everything is a <strong>resource</strong> (like a user, a product, an article).</li> <li>Each resource is accessed via a unique <strong>URL</strong> (endpoint), like <code>/users</code> or <code>/users/1</code>.</li> <li>The client and server are <strong>stateless</strong>: each request must contain all the information the server needs to process it, and the server doesn't keep any session state between requests.</li> <li>Operations on resources are performed using the standard HTTP methods.</li> </ul> <p>That's it. No magic, just a disciplined way of using URLs and HTTP verbs.</p> <h2> Resources in REST architecture </h2> <p>A resource is the core concept. In our example, we'll have a <strong>users</strong> resource. Think of a user as an object that the API can create, read, update, or delete. The endpoints (URLs) for this resource follow a convention:</p> <ul> <li> <code>/users</code> – the collection of users.</li> <li> <code>/users/:id</code> – a single user identified by a unique ID.</li> </ul> <p>This consistent naming makes APIs intuitive. Even before you read the documentation, you can guess that <code>GET /users</code> returns all users, and <code>GET /users/5</code> returns user #5.</p> <h2> HTTP methods and what they do </h2> <p>REST maps the basic CRUD operations (Create, Read, Update, Delete) to the following HTTP methods:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>HTTP Method</th> <th>Operation</th> <th>Example Endpoint</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td><strong>GET</strong></td> <td>Read</td> <td><code>GET /users</code></td> <td>Retrieve all users</td> </tr> <tr> <td><strong>GET</strong></td> <td>Read</td> <td><code>GET /users/1</code></td> <td>Retrieve a single user with ID 1</td> </tr> <tr> <td><strong>POST</strong></td> <td>Create</td> <td><code>POST /users</code></td> <td>Create a new user</td> </tr> <tr> <td><strong>PUT</strong></td> <td>Update (replace)</td> <td><code>PUT /users/1</code></td> <td>Replace the entire user with ID 1</td> </tr> <tr> <td><strong>PATCH</strong></td> <td>Update (partial)</td> <td><code>PATCH /users/1</code></td> <td>Modify only some fields of user 1</td> </tr> <tr> <td><strong>DELETE</strong></td> <td>Delete</td> <td><code>DELETE /users/1</code></td> <td>Remove user with ID 1</td> </tr> </tbody> </table></div> <p>We'll focus on the most commonly used: GET, POST, PUT, and DELETE. Think of them as the verbs of your API.</p> <h2> Setting up the Express.js server </h2> <p>Let's quickly spin up a minimal Express server. If you haven't installed Express, run <code>npm install express</code> in your project folder.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="c1">// to parse JSON request bodies</span> <span class="kd">const</span> <span class="nx">PORT</span> <span class="o">=</span> <span class="mi">3000</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="nx">PORT</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Server running on http://localhost:</span><span class="p">${</span><span class="nx">PORT</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>We'll add routes to this server.</p> <h2> Designing routes for the "users" resource </h2> <p>We'll create an in-memory array to hold user objects. Remember, in a real application you'd use a database, but the principles remain the same.</p> <h3> In-memory data store </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">let</span> <span class="nx">users</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Satya</span><span class="dl">'</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">'</span><span class="s1">satya@example.com</span><span class="dl">'</span> <span class="p">},</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Priya</span><span class="dl">'</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">'</span><span class="s1">priya@example.com</span><span class="dl">'</span> <span class="p">}</span> <span class="p">];</span> <span class="kd">let</span> <span class="nx">nextId</span> <span class="o">=</span> <span class="mi">3</span><span class="p">;</span> <span class="c1">// to assign unique IDs</span> </code></pre> </div> <p>Now, let's implement each route following REST conventions.</p> <h3> 1. GET /users – fetch all users </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">users</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>A simple <code>GET</code> request returns the entire users array with status <code>200</code> (OK, but it's implied in <code>res.json</code>).</p> <h3> 2. GET /users/:id – fetch a single user </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users/:id</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">id</span> <span class="o">=</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">users</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="nx">u</span> <span class="o">=&gt;</span> <span class="nx">u</span><span class="p">.</span><span class="nx">id</span> <span class="o">===</span> <span class="nx">id</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">404</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">User not found</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Here, <code>:id</code> is a route parameter. If the user doesn't exist, we return a <code>404 Not Found</code> status code.</p> <h3> 3. POST /users – create a new user </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">email</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">name</span> <span class="o">||</span> <span class="o">!</span><span class="nx">email</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Name and email are required</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">newUser</span> <span class="o">=</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">nextId</span><span class="o">++</span><span class="p">,</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">email</span> <span class="p">};</span> <span class="nx">users</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">newUser</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">201</span><span class="p">).</span><span class="nf">json</span><span class="p">(</span><span class="nx">newUser</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>A <code>POST</code> request creates a new resource. We send a <code>201 Created</code> status code, along with the newly created object. We also validate input: if <code>name</code> or <code>email</code> is missing, we respond with <code>400 Bad Request</code>.</p> <h3> 4. PUT /users/:id – replace a user entirely </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users/:id</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">id</span> <span class="o">=</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">email</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">name</span> <span class="o">||</span> <span class="o">!</span><span class="nx">email</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Name and email are required</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">index</span> <span class="o">=</span> <span class="nx">users</span><span class="p">.</span><span class="nf">findIndex</span><span class="p">(</span><span class="nx">u</span> <span class="o">=&gt;</span> <span class="nx">u</span><span class="p">.</span><span class="nx">id</span> <span class="o">===</span> <span class="nx">id</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">index</span> <span class="o">===</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">404</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">User not found</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Replace the entire object</span> <span class="nx">users</span><span class="p">[</span><span class="nx">index</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">email</span> <span class="p">};</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">users</span><span class="p">[</span><span class="nx">index</span><span class="p">]);</span> <span class="p">});</span> </code></pre> </div> <p><code>PUT</code> typically expects a complete replacement. If the user doesn't exist, we return <code>404</code>. On success, we return the updated user with <code>200</code>.</p> <h3> 5. DELETE /users/:id – remove a user </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users/:id</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">id</span> <span class="o">=</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">index</span> <span class="o">=</span> <span class="nx">users</span><span class="p">.</span><span class="nf">findIndex</span><span class="p">(</span><span class="nx">u</span> <span class="o">=&gt;</span> <span class="nx">u</span><span class="p">.</span><span class="nx">id</span> <span class="o">===</span> <span class="nx">id</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">index</span> <span class="o">===</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">404</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">User not found</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">users</span><span class="p">.</span><span class="nf">splice</span><span class="p">(</span><span class="nx">index</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">204</span><span class="p">).</span><span class="nf">send</span><span class="p">();</span> <span class="c1">// No Content</span> <span class="p">});</span> </code></pre> </div> <p><code>DELETE</code> successfully returns a <code>204 No Content</code> status with an empty body, indicating that the operation was successful and there's nothing else to send.</p> <h2> Status codes basics </h2> <p>HTTP status codes tell the client what happened. Here are the basics:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Code</th> <th>Meaning</th> <th>When to use</th> </tr> </thead> <tbody> <tr> <td><strong>200</strong></td> <td>OK</td> <td>Successful GET or PUT request</td> </tr> <tr> <td><strong>201</strong></td> <td>Created</td> <td>Resource created successfully (POST)</td> </tr> <tr> <td><strong>204</strong></td> <td>No Content</td> <td>Successful DELETE, nothing to return</td> </tr> <tr> <td><strong>400</strong></td> <td>Bad Request</td> <td>Client sent invalid data (missing fields, wrong format)</td> </tr> <tr> <td><strong>401</strong></td> <td>Unauthorized</td> <td>Authentication is missing or has failed</td> </tr> <tr> <td><strong>404</strong></td> <td>Not Found</td> <td>Requested resource doesn't exist</td> </tr> <tr> <td><strong>500</strong></td> <td>Internal Server Error</td> <td>Something went wrong on the server side</td> </tr> </tbody> </table></div> <p>Always return the appropriate status code so the client can handle the response correctly. It's part of the contract.</p> <h2> The request-response lifecycle </h2> <p>When a client makes a request, here's what happens:</p> <ol> <li>The client sends an HTTP request to a specific <strong>endpoint</strong> with a method, headers, and optionally a body.</li> <li>The Express server receives the request and matches it to the defined route.</li> <li>The route handler reads parameters, query strings, and body; performs business logic; and sends back a response with a status code and data.</li> <li>The client receives the response and updates its UI or state.</li> </ol> <p>For example, a <code>POST /users</code> with <code>{ "name": "Rahul", "email": "rahul@example.com" }</code> triggers the creation of a new user and the <code>201</code> response.</p> <h2> Clean route naming conventions </h2> <p>When designing a REST API:</p> <ul> <li>Use <strong>plural nouns</strong> for collections: <code>/users</code>, <code>/posts</code>, <code>/products</code>. This is conventional and predictable.</li> <li>Use <strong>hierarchical routes</strong> for nested resources: <code>/users/1/posts</code> to get posts of user #1. But don't over-nest; keep it flat if possible.</li> <li>Use <strong>query parameters</strong> for filtering, sorting, and pagination: <code>GET /users?role=admin&amp;limit=10</code>.</li> <li>Prefer <strong>kebab-case</strong> or <strong>lowercase</strong>: <code>/user-profiles</code> (though many prefer just nouns and sub-resources).</li> </ul> <h2> Putting it all together: a complete Express API for users </h2> <p>Here's the full code for a simple, working REST API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="kd">let</span> <span class="nx">users</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Satya</span><span class="dl">'</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">'</span><span class="s1">satya@example.com</span><span class="dl">'</span> <span class="p">},</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Priya</span><span class="dl">'</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">'</span><span class="s1">priya@example.com</span><span class="dl">'</span> <span class="p">}</span> <span class="p">];</span> <span class="kd">let</span> <span class="nx">nextId</span> <span class="o">=</span> <span class="mi">3</span><span class="p">;</span> <span class="c1">// GET all users</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">users</span><span class="p">);</span> <span class="p">});</span> <span class="c1">// GET single user</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users/:id</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">users</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="nx">u</span> <span class="o">=&gt;</span> <span class="nx">u</span><span class="p">.</span><span class="nx">id</span> <span class="o">===</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">id</span><span class="p">));</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">404</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">User not found</span><span class="dl">'</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> <span class="p">});</span> <span class="c1">// POST create user</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">email</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">name</span> <span class="o">||</span> <span class="o">!</span><span class="nx">email</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Name and email required</span><span class="dl">'</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">newUser</span> <span class="o">=</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">nextId</span><span class="o">++</span><span class="p">,</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">email</span> <span class="p">};</span> <span class="nx">users</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">newUser</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">201</span><span class="p">).</span><span class="nf">json</span><span class="p">(</span><span class="nx">newUser</span><span class="p">);</span> <span class="p">});</span> <span class="c1">// PUT replace user</span> <span class="nx">app</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users/:id</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">id</span> <span class="o">=</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">email</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">name</span> <span class="o">||</span> <span class="o">!</span><span class="nx">email</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Name and email required</span><span class="dl">'</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">index</span> <span class="o">=</span> <span class="nx">users</span><span class="p">.</span><span class="nf">findIndex</span><span class="p">(</span><span class="nx">u</span> <span class="o">=&gt;</span> <span class="nx">u</span><span class="p">.</span><span class="nx">id</span> <span class="o">===</span> <span class="nx">id</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">index</span> <span class="o">===</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">404</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">User not found</span><span class="dl">'</span> <span class="p">});</span> <span class="nx">users</span><span class="p">[</span><span class="nx">index</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">email</span> <span class="p">};</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">users</span><span class="p">[</span><span class="nx">index</span><span class="p">]);</span> <span class="p">});</span> <span class="c1">// DELETE user</span> <span class="nx">app</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users/:id</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">id</span> <span class="o">=</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">index</span> <span class="o">=</span> <span class="nx">users</span><span class="p">.</span><span class="nf">findIndex</span><span class="p">(</span><span class="nx">u</span> <span class="o">=&gt;</span> <span class="nx">u</span><span class="p">.</span><span class="nx">id</span> <span class="o">===</span> <span class="nx">id</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">index</span> <span class="o">===</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">404</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">User not found</span><span class="dl">'</span> <span class="p">});</span> <span class="nx">users</span><span class="p">.</span><span class="nf">splice</span><span class="p">(</span><span class="nx">index</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">204</span><span class="p">).</span><span class="nf">send</span><span class="p">();</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">3000</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Server running on port 3000</span><span class="dl">'</span><span class="p">));</span> </code></pre> </div> <p>You can test these endpoints with Postman, curl, or your browser (for GET requests). The API is self-descriptive and follows REST conventions.</p> <h2> Here's a quick reference table: </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>CRUD Operation</th> <th>HTTP Method</th> <th>Endpoint</th> <th>Example</th> </tr> </thead> <tbody> <tr> <td>Create</td> <td>POST</td> <td><code>/users</code></td> <td> <code>POST /users</code> (with body)</td> </tr> <tr> <td>Read (all)</td> <td>GET</td> <td><code>/users</code></td> <td><code>GET /users</code></td> </tr> <tr> <td>Read (one)</td> <td>GET</td> <td><code>/users/:id</code></td> <td><code>GET /users/1</code></td> </tr> <tr> <td>Update</td> <td>PUT</td> <td><code>/users/:id</code></td> <td> <code>PUT /users/1</code> (with body)</td> </tr> <tr> <td>Delete</td> <td>DELETE</td> <td><code>/users/:id</code></td> <td><code>DELETE /users/1</code></td> </tr> </tbody> </table></div> <h2> Conclusion </h2> <p>A well-designed REST API makes your backend predictable and easy for any client to consume. Using Express.js, you can quickly map HTTP methods to resource actions, keep your routes clean, and respond with proper status codes. This forms the foundation of any full-stack application.</p> <p>To recap the key points:</p> <ul> <li>A REST API uses standard HTTP methods to perform operations on resources identified by URLs.</li> <li>Resources are nouns; endpoints like <code>/users</code> represent collections, and <code>/users/:id</code> represent individual items.</li> <li>GET retrieves data, POST creates, PUT replaces, and DELETE removes resources.</li> <li>Status codes (200, 201, 204, 400, 404, etc.) communicate the result clearly.</li> <li>Clean route naming and appropriate status codes make your API intuitive and easy to maintain.</li> <li>Express.js provides a minimal and flexible way to build such APIs.</li> </ul> <p>Now you're equipped to design your own RESTful APIs from scratch. In the next blog, we'll continue building on this foundation, perhaps adding real database storage or authentication to protect routes. See you there!</p> <p>Hope you found this helpful! If you spot any mistakes or have suggestions, let me know. You can find me on <a href="https://www.linkedin.com/in/satyaprangyasootar" rel="noopener noreferrer">LinkedIn</a> and <a href="https://x.com/satyasootar" rel="noopener noreferrer">X</a>, where I post more about web development.</p> express node JWT Authentication in Node.js Explained Simply SATYA SOOTAR Sat, 09 May 2026 13:11:39 +0000 https://dev.to/satyasootar/jwt-authentication-in-nodejs-explained-simply-49p3 https://dev.to/satyasootar/jwt-authentication-in-nodejs-explained-simply-49p3 <p>Hello readers 👋, welcome to the 8th blog of our Node.js journey!</p> <p>So far, we've covered how Node.js works under the hood, its event loop, non-blocking code, and how to handle async operations. Now we're going to build something practical that almost every real-world application needs: <strong>user authentication using JSON Web Tokens (JWT)</strong>.</p> <p>Authentication is how an application knows who you are. You see it every day: logging into a website, accessing private messages, or making a purchase. Today, we'll understand what JWT is, how it works (without diving into complex cryptography), and how to implement a simple, secure login flow in Node.js.</p> <p>Let's get started.</p> <h2> What authentication means </h2> <p>Authentication is the process of verifying a user's identity. When you log in with a username and password, the server checks those credentials and, if they match, it should remember that you are authenticated for subsequent requests. Without authentication, anyone could pretend to be anyone, and there would be no security.</p> <p>In traditional web applications, once logged in, the server creates a session and stores it in memory or a database. The client gets a session ID stored in a cookie. Each request sends that cookie, and the server looks up the session. This works, but it's <strong>stateful</strong>: the server must store session data, which can be a scalability bottleneck if you have multiple servers.</p> <p>JWT offers a <strong>stateless</strong> approach. The server doesn't need to remember anything. Instead, after a successful login, the server creates a token that contains user information and signs it. The client stores this token and sends it with every request. The server simply verifies the signature and reads the user data directly from the token. No database lookups for sessions. This makes scaling much easier.</p> <h2> What JWT is </h2> <p>JWT stands for <strong>JSON Web Token</strong>. It's an open standard (RFC 7519) that defines a compact, self-contained way to transmit information between parties as a JSON object. The information can be trusted because it's digitally signed.</p> <p>JWT is perfect for authentication. After a user logs in, the server generates a JWT containing their user ID (and maybe role) and sends it to the client. The client sends the token in the <code>Authorization</code> header of every subsequent request. The server checks the signature and extracts the user ID, thus identifying the user without a database session lookup.</p> <p>Because the token itself contains the user information, it's self-contained. That's the "stateless" magic.</p> <h2> Structure of a JWT </h2> <p>A JWT looks like a long random string of characters with two dots:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEsInJvbGUiOiJhZG1pbiJ9.4x9MMbKd7P3qW7Y8lQZ2VcDhFfR1jNzOyU5wTkXy </code></pre> </div> <p>This string is actually three parts, each Base64URL-encoded, separated by dots. Let's decode each part conceptually (not deep crypto, just the idea).</p> <h3> Header </h3> <p>The first part is the <strong>header</strong>. It typically contains two fields: the type of token (<code>JWT</code>) and the signing algorithm used (<code>HS256</code> or <code>RS256</code>). After Base64 decoding, it looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"alg"</span><span class="p">:</span><span class="w"> </span><span class="s2">"HS256"</span><span class="p">,</span><span class="w"> </span><span class="nl">"typ"</span><span class="p">:</span><span class="w"> </span><span class="s2">"JWT"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Payload </h3> <p>The second part is the <strong>payload</strong>. This is where the actual data (claims) about the user lives. The server puts information like user ID, username, role, and expiration time here. For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"userId"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"username"</span><span class="p">:</span><span class="w"> </span><span class="s2">"satya"</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin"</span><span class="p">,</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">1680000000</span><span class="p">,</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1680003600</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The <code>iat</code> (issued at) and <code>exp</code> (expiration) claims are standard. You can add custom data too. Remember: the payload is <strong>not encrypted</strong>, just Base64-encoded. Anyone can decode it, so never put sensitive info like passwords in it.</p> <h3> Signature </h3> <p>The third part is the <strong>signature</strong>. This is what makes the token trustworthy. To create the signature, the server takes the encoded header, the encoded payload, and a secret key, then applies the algorithm specified in the header (e.g., HMAC SHA256). The result is a cryptographic hash that ensures the token hasn't been tampered with.</p> <p>If a malicious user tries to change the payload (e.g., change <code>userId</code> from 1 to 2), the signature will no longer match when the server recalculates it using the secret key. The server detects tampering and rejects the token. That's the core security.</p> <h2> Login flow using JWT </h2> <p>Let's walk through a typical login flow step by step, with code snippets using Node.js, the <code>express</code> web framework (for routing convenience), and the <code>jsonwebtoken</code> library.</p> <p><strong>1. Install required packages:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>express jsonwebtoken </code></pre> </div> <p><strong>2. Create a simple server with a login endpoint.</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">jwt</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">jsonwebtoken</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="c1">// to parse JSON request body</span> <span class="kd">const</span> <span class="nx">SECRET_KEY</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">your-secret-key-change-this</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// in production, use an env var</span> <span class="c1">// In-memory user store (for demo)</span> <span class="kd">const</span> <span class="nx">users</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">username</span><span class="p">:</span> <span class="dl">'</span><span class="s1">satya</span><span class="dl">'</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="dl">'</span><span class="s1">password123</span><span class="dl">'</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span> <span class="p">}</span> <span class="p">];</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">username</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">users</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="nx">u</span> <span class="o">=&gt;</span> <span class="nx">u</span><span class="p">.</span><span class="nx">username</span> <span class="o">===</span> <span class="nx">username</span> <span class="o">&amp;&amp;</span> <span class="nx">u</span><span class="p">.</span><span class="nx">password</span> <span class="o">===</span> <span class="nx">password</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid credentials</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Create a token. The payload includes the user's id and role.</span> <span class="c1">// Don't include the password!</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">role</span> <span class="p">},</span> <span class="nx">SECRET_KEY</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1h</span><span class="dl">'</span> <span class="p">}</span> <span class="c1">// token expires in 1 hour</span> <span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">token</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">3000</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Server running on port 3000</span><span class="dl">'</span><span class="p">));</span> </code></pre> </div> <p><strong>What's happening here:</strong></p> <ul> <li>We receive username and password.</li> <li>We check against a hardcoded list (in reality, you'd check a database with hashed passwords).</li> <li>If valid, we use <code>jwt.sign()</code> to create a token with a payload containing the user ID and role. The token is signed with our secret key and set to expire in 1 hour.</li> <li>We send the token back to the client as JSON.</li> </ul> <p><strong>3. Client stores the token and sends it with requests.</strong></p> <p>After login, the client (browser or mobile app) stores the token. In a web app, you might use <code>localStorage</code> or a secure HTTP-only cookie. For simplicity, we'll use the <code>Authorization</code> header with the Bearer scheme.</p> <p>A subsequent request to a protected route would include the header:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... </span></code></pre> </div> <h2> Protecting routes using tokens </h2> <p>Now we need to protect certain API routes so that only authenticated users can access them. We'll create a middleware that checks the token.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Middleware to verify JWT</span> <span class="kd">function</span> <span class="nf">authenticateToken</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">authHeader</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">authorization</span><span class="dl">'</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">authHeader</span> <span class="o">&amp;&amp;</span> <span class="nx">authHeader</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1"> </span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">];</span> <span class="c1">// Bearer TOKEN</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Access token missing</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">SECRET_KEY</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">decoded</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid or expired token</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// decoded contains the payload, e.g., { userId: 1, role: 'admin', iat: ..., exp: ... }</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">decoded</span><span class="p">;</span> <span class="nf">next</span><span class="p">();</span> <span class="c1">// proceed to the next middleware/route handler</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>Then we can protect any route by adding this middleware:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/profile</span><span class="dl">'</span><span class="p">,</span> <span class="nx">authenticateToken</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// req.user is available from the token</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="s2">`Hello user </span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">userId</span><span class="p">}</span><span class="s2">, your role is </span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">role</span><span class="p">}</span><span class="s2">`</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/admin</span><span class="dl">'</span><span class="p">,</span> <span class="nx">authenticateToken</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">role</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Admin access required</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Welcome to admin panel</span><span class="dl">'</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p><strong>How it works:</strong></p> <ol> <li>The client sends a request to <code>/profile</code> with the token.</li> <li>The <code>authenticateToken</code> middleware extracts the token, calls <code>jwt.verify()</code> with the secret key.</li> <li>If valid, it attaches the decoded payload to <code>req.user</code> and passes control to the actual route handler.</li> <li>The handler can use <code>req.user.userId</code> or any custom claim.</li> <li>If the token is invalid (bad signature, expired), the middleware sends a 403 response.</li> </ol> <h2> Sending token with requests: from client side </h2> <p>In a Node.js client (or frontend JS), you'd include the token after login:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// After login, store token</span> <span class="kd">const</span> <span class="nx">tokenResponse</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">username</span><span class="p">:</span> <span class="dl">'</span><span class="s1">satya</span><span class="dl">'</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="dl">'</span><span class="s1">password123</span><span class="dl">'</span> <span class="p">})</span> <span class="p">});</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">token</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">tokenResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="c1">// Store token (e.g., in localStorage)</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">setItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">token</span><span class="dl">'</span><span class="p">,</span> <span class="nx">token</span><span class="p">);</span> <span class="c1">// Later, for protected requests:</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">getItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">token</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">profileResponse</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/profile</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Authorization</span><span class="dl">'</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">`</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>In a pure HTTP context (like Postman), you'd manually set the header.</p> <h2> The token validation lifecycle </h2> <p>From the moment the server issues a token to its eventual expiry or logout, the lifecycle is:</p> <ol> <li> <strong>Issuance</strong>: Server creates and signs token on successful login.</li> <li> <strong>Storage</strong>: Client stores token (memory, localStorage, cookie).</li> <li> <strong>Transmission</strong>: Client sends token in <code>Authorization</code> header with each request.</li> <li> <strong>Verification</strong>: Server middleware verifies signature and expiration. If valid, request proceeds; if invalid, 403.</li> <li> <strong>Expiration</strong>: After the <code>exp</code> claim time, the token is rejected even if the signature is correct. This forces the user to re-login.</li> <li> <strong>Logout (optional)</strong>: Since JWTs are stateless, there's no server-side invalidation. To "logout", you simply remove the token from the client. For added security, you can maintain a token blacklist (stateful), but the stateless beauty is lost.</li> </ol> <h2> Visualizing the flow </h2> <p><strong>JWT login authentication flow:</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3iyz3c2h58jsnkqica2k.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3iyz3c2h58jsnkqica2k.png" alt="JWT authentication flow"></a></p> <h2> A note on security </h2> <ul> <li> <strong>Always use HTTPS</strong>: JWTs are transmitted in headers; without TLS, an attacker could steal the token.</li> <li> <strong>Keep the secret key secret</strong>: Store it in environment variables, never in code.</li> <li> <strong>Set a short expiration time</strong>: 15 minutes to 1 hour is typical. Use refresh tokens for longer sessions (beyond this article).</li> <li> <strong>Don't put sensitive data in the payload</strong>: It's only Base64-encoded, not encrypted.</li> <li> <strong>Consider token storage</strong>: <code>localStorage</code> is vulnerable to XSS attacks; HttpOnly cookies are more secure but require CSRF protection. The best approach depends on your application.</li> </ul> <h2> Conclusion </h2> <p>JWT authentication is a clean, stateless way to secure Node.js APIs. It eliminates server-side session storage, simplifies scaling, and gives you a self-contained token that carries user identity. By understanding the header, payload, and signature, you now know exactly why JWTs are secure and how to implement the full login and route protection flow.</p> <p>Let's quickly recap:</p> <ul> <li>Authentication verifies identity; JWT provides a stateless method by issuing a signed token.</li> <li>A JWT consists of three Base64-encoded parts: header (algorithm), payload (user data), and signature (tamper-proof).</li> <li>The login endpoint validates credentials and returns a JWT made with <code>jsonwebtoken.sign()</code>.</li> <li>The client sends the token in the <code>Authorization: Bearer &lt;token&gt;</code> header for subsequent requests.</li> <li>Middleware verifies the token with <code>jwt.verify()</code>, extracts the user payload, and protects routes.</li> <li>This flow is scalable, simple, and widely adopted.</li> </ul> <p>With JWT authentication in your toolbox, you can now build secure, stateless Node.js backends. In the next post, we'll continue building practical features. See you then!</p> <p>Hope you found this helpful! If you spot any mistakes or have suggestions, let me know. You can find me on <a href="https://www.linkedin.com/in/satyaprangyasootar" rel="noopener noreferrer">LinkedIn</a> and <a href="https://x.com/satyasootar" rel="noopener noreferrer">X</a>, where I post more about web development.</p> jwt node authentication Async Code in Node.js: Callbacks and Promises SATYA SOOTAR Sat, 09 May 2026 12:58:26 +0000 https://dev.to/satyasootar/async-code-in-nodejs-callbacks-and-promises-54g3 https://dev.to/satyasootar/async-code-in-nodejs-callbacks-and-promises-54g3 <p>Hello readers 👋, welcome to the 7th of our Node.js journey!</p> <p>Last time, we explored how a single-threaded Node.js process magically handles thousands of requests at once. We saw that non-blocking I/O is the secret, and the event loop keeps everything spinning. But we left one critical question unanswered: <strong>how do we actually write the code that starts an async operation and then does something with the result?</strong></p> <p>Today, we are going to dive into the two most fundamental ways to handle asynchronous code in Node.js: <strong>callbacks</strong> and <strong>promises</strong>. We'll see how callbacks work, why they can become messy, and how promises rescue us with cleaner, more readable code.</p> <p>Let's get into it.</p> <h2> Why async code exists in Node.js </h2> <p>We already know that Node.js uses a non-blocking model. When you call something like <code>fs.readFile</code>, you don't wait for the file to be fully loaded. Instead, you pass a function (a callback) that the event loop will run later, once the file content is ready.</p> <p>This pattern allows the main thread to stay responsive. But it also means you cannot simply write:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="nf">readFile</span><span class="p">(</span><span class="dl">"</span><span class="s2">file.txt</span><span class="dl">"</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> </code></pre> </div> <p>Because that would either block the thread (if the function is synchronous) or give you <code>undefined</code> (if it's asynchronous and returns immediately). You need a way to tell Node.js: "Here's what I want you to do, and here's the function to call when you're done."</p> <p>That's the heart of async code: scheduling a future action.</p> <h2> Callback-based async execution </h2> <p>A callback is simply a function passed as an argument to another function. The outer function performs an operation and then, when the operation finishes, it "calls back" the inner function with the result.</p> <p>In Node.js, many core modules follow a callback convention: the callback is the last argument, and the first parameter of the callback is an error object (if any), followed by the data. This is often called an <strong>error-first callback</strong>.</p> <p>Let's start with a concrete file reading example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">fs</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">fs</span><span class="dl">"</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Start reading file...</span><span class="dl">"</span><span class="p">);</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFile</span><span class="p">(</span><span class="dl">"</span><span class="s2">example.txt</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">utf8</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Failed to read file:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">File content:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">data</span><span class="p">);</span> <span class="p">});</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">This runs before the file content is logged.</span><span class="dl">"</span><span class="p">);</span> </code></pre> </div> <p>The output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Start reading file... This runs before the file content is logged. File content: (the actual content) </code></pre> </div> <p>Step by step, here's how the callback flow works:</p> <ol> <li> <code>fs.readFile</code> is called with the filename, encoding, and a callback function. Node.js hands the file read operation to the OS (or the libuv thread pool).</li> <li> <code>fs.readFile</code> returns immediately. The main thread moves to the next line: <code>console.log("This runs before...")</code>.</li> <li>Sometime later, the file read completes. The callback is placed into the event loop's task queue.</li> <li>When the call stack is empty, the event loop picks up the callback and executes it on the main thread.</li> <li>Inside the callback, we check for errors first. If there's an error, we handle it; otherwise, we use the data.</li> </ol> <p>This pattern works, and it's the core of many Node.js applications. But it has a well-known downside.</p> <h2> Problems with nested callbacks (callback hell) </h2> <p>Real applications rarely do just one async operation. Often, one operation depends on the result of another. For example: read a configuration file, then connect to a database, then fetch a user by ID, then load the user's orders.</p> <p>With callbacks, each step nests inside the previous one. This leads to the infamous "pyramid of doom" or "callback hell":<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">fs</span><span class="p">.</span><span class="nf">readFile</span><span class="p">(</span><span class="dl">"</span><span class="s2">config.json</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">utf8</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">config</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="nf">handleError</span><span class="p">(</span><span class="nx">err</span><span class="p">);</span> <span class="k">else</span> <span class="p">{</span> <span class="nf">connectDB</span><span class="p">(</span><span class="nx">config</span><span class="p">.</span><span class="nx">dbUrl</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">db</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="nf">handleError</span><span class="p">(</span><span class="nx">err</span><span class="p">);</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">db</span><span class="p">.</span><span class="nf">findUser</span><span class="p">(</span><span class="dl">"</span><span class="s2">satya</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">user</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="nf">handleError</span><span class="p">(</span><span class="nx">err</span><span class="p">);</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">user</span><span class="p">.</span><span class="nf">loadOrders</span><span class="p">((</span><span class="nx">err</span><span class="p">,</span> <span class="nx">orders</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="nf">handleError</span><span class="p">(</span><span class="nx">err</span><span class="p">);</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">orders</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>The problems are clear:</p> <ul> <li>The code indents deeper and deeper, making it hard to read.</li> <li>Error handling is repetitive and scattered across each callback.</li> <li>Adding another step to the chain means adding another level of indentation.</li> <li>The flow of logic is buried under syntax noise.</li> </ul> <p>This style of code is brittle and difficult to maintain. It's especially painful when you need to coordinate multiple independent async operations.</p> <h2> Promise-based async handling </h2> <p>Promises were introduced to flatten this pyramid. A promise is an object that represents the eventual result of an asynchronous operation. It can be in one of three states: pending, fulfilled, or rejected. Once settled, it never changes.</p> <p>Node.js core modules now provide promise-based alternatives. For the file system, you can use <code>fs.promises</code> (added in Node.js 10). For older modules, you can use <code>util.promisify</code> to convert callback-based functions into promise-returning ones.</p> <p>Let's rewrite the file reading example using promises:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">fs</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">fs</span><span class="dl">"</span><span class="p">).</span><span class="nx">promises</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Start reading file...</span><span class="dl">"</span><span class="p">);</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFile</span><span class="p">(</span><span class="dl">"</span><span class="s2">example.txt</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">utf8</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">then</span><span class="p">((</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">File content:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">data</span><span class="p">);</span> <span class="p">})</span> <span class="p">.</span><span class="k">catch</span><span class="p">((</span><span class="nx">err</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Failed to read file:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">);</span> <span class="p">});</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">This runs before the file content is logged.</span><span class="dl">"</span><span class="p">);</span> </code></pre> </div> <p>The output is identical in order, but the structure is different. We call <code>fs.readFile</code>, which returns a promise. We then attach a <code>.then()</code> for the success case and a <code>.catch()</code> for errors. The promise handles the scheduling internally; we just react to the result.</p> <h2> How promises improve the chain </h2> <p>The real power becomes evident when we have multiple sequential operations. Because <code>.then()</code> itself always returns a new promise, we can chain further <code>.then()</code> calls without nesting. Error handling with <code>.catch()</code> works for the entire chain.</p> <p>Let's reimagine the nested callback scenario with promises:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">fs</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">fs</span><span class="dl">"</span><span class="p">).</span><span class="nx">promises</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">connectDB</span><span class="p">(</span><span class="nx">config</span><span class="p">)</span> <span class="p">{</span> <span class="cm">/* returns a promise */</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">findUser</span><span class="p">(</span><span class="nx">db</span><span class="p">,</span> <span class="nx">name</span><span class="p">)</span> <span class="p">{</span> <span class="cm">/* returns a promise */</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">loadOrders</span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="cm">/* returns a promise */</span> <span class="p">}</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFile</span><span class="p">(</span><span class="dl">"</span><span class="s2">config.json</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">utf8</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">config</span> <span class="o">=&gt;</span> <span class="nf">connectDB</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">config</span><span class="p">).</span><span class="nx">dbUrl</span><span class="p">))</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">db</span> <span class="o">=&gt;</span> <span class="nf">findUser</span><span class="p">(</span><span class="nx">db</span><span class="p">,</span> <span class="dl">"</span><span class="s2">satya</span><span class="dl">"</span><span class="p">))</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">user</span> <span class="o">=&gt;</span> <span class="nf">loadOrders</span><span class="p">(</span><span class="nx">user</span><span class="p">))</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">orders</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">orders</span><span class="p">))</span> <span class="p">.</span><span class="k">catch</span><span class="p">(</span><span class="nx">err</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Something failed:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">));</span> </code></pre> </div> <p>Notice the difference:</p> <ul> <li>Every operation is at the same indentation level.</li> <li>The code reads top to bottom, matching the natural sequence.</li> <li>A single <code>.catch()</code> at the end handles errors from any step in the chain.</li> <li>You can easily insert a new step by adding another <code>.then()</code> without altering existing logic.</li> </ul> <p>This flat, readable flow is the primary reason promises became the standard for async code.</p> <h2> Benefits of promises beyond readability </h2> <p>Promises offer more than just a clean syntax:</p> <ul> <li> <strong>Reliable error propagation</strong>: If any <code>.then()</code> throws an error or returns a rejected promise, the error cascades down to the nearest <code>.catch()</code>. No more forgotten error checks in every callback.</li> <li> <strong>Composability</strong>: You can run multiple promises in parallel using <code>Promise.all</code>, race them with <code>Promise.race</code>, or wait for all settled with <code>Promise.allSettled</code>. This is cumbersome with raw callbacks.</li> <li> <strong>Return a value and move on</strong>: In a <code>.then()</code>, you can return a plain value (which becomes the resolved value of the next promise) or return another promise (the chain will wait for it). This allows dynamic decision making without extra nesting.</li> <li> <strong>Unified interface</strong>: Any async operation can be wrapped in a promise, providing a consistent <code>.then/.catch</code> pattern across different modules and libraries.</li> </ul> <h2> Visualizing the difference: callback vs promise flow </h2> <p><strong>Callback chain (conceptual):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>readFile └─ callback(err, config) └─ connectDB(config) └─ callback(err, db) └─ findUser(db, name) └─ callback(err, user) └─ loadOrders(user) └─ callback(err, orders) </code></pre> </div> <p>Each step is physically nested inside the previous one.</p> <p><strong>Promise chain:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>readFile .then(config) -&gt; connectDB .then(db) -&gt; findUser .then(user) -&gt; loadOrders .then(orders) -&gt; console.log .catch(handleError) </code></pre> </div> <p>Each step is a link in a linear chain, with a single error exit point.</p> <h2> A gentle note: what about async/await? </h2> <p>You might have heard about <code>async/await</code>, which makes asynchronous code look even more synchronous. In our next post, we'll explore how <code>async/await</code> is just syntactic sugar over promises, and how it takes readability to an even higher level. For now, mastering promises is essential because <code>async/await</code> relies on them completely.</p> <h2> Conclusion </h2> <p>Asynchronous code in Node.js is unavoidable, but it doesn't have to be painful. Callbacks are the low-level foundation, but they can lead to messy, deeply nested code. Promises provide a clean, chainable, and more manageable way to handle asynchronous operations.</p> <p>Let's recap what we covered:</p> <ul> <li>Async code exists because Node.js performs non-blocking I/O, and we need a way to handle the results after they arrive.</li> <li>Callbacks are functions passed to async operations and invoked upon completion, following an error-first convention.</li> <li>Nested callbacks create the pyramid of doom, making code hard to read and maintain, with repetitive error handling.</li> <li>Promises represent a future value and offer a flat <code>.then/.catch</code> pattern that drastically improves readability and simplifies error handling.</li> <li>Promise chaining allows sequential async steps without nesting, and promises can be composed with <code>Promise.all</code> and others.</li> <li>Understanding promises is the gateway to modern Node.js asynchronous patterns, including async/await.</li> </ul> <p>With promises in your toolkit, you're ready to write cleaner, more robust Node.js code. Next time, we'll take the final step and see how async/await makes async code feel like synchronous code while keeping all the non-blocking benefits.</p> <p>Hope you found this helpful! If you spot any mistakes or have suggestions, let me know. You can find me on <a href="https://www.linkedin.com/in/satyaprangyasootar" rel="noopener noreferrer">LinkedIn</a> and <a href="https://x.com/satyasootar" rel="noopener noreferrer">X</a>, where I post more about web development.</p> node How Node.js Handles Multiple Requests with a Single Thread SATYA SOOTAR Sat, 09 May 2026 12:53:42 +0000 https://dev.to/satyasootar/how-nodejs-handles-multiple-requests-with-a-single-thread-2kj3 https://dev.to/satyasootar/how-nodejs-handles-multiple-requests-with-a-single-thread-2kj3 <p>Hello readers 👋, welcome to the 6th blog of our Node.js journey!</p> <p>In the last post, we explored the crucial difference between blocking and non-blocking code. We saw that a single blocking call can freeze an entire server, while non-blocking code keeps it responsive. Today, we tackle the question that naturally follows: if Node.js runs JavaScript on just one thread, how on earth does it handle thousands of requests at the same time without falling apart?</p> <p>It sounds impossible. A single checkout line in a supermarket can only process one customer at a time. Yet Node.js servers routinely manage tens of thousands of concurrent connections. The answer lies in a brilliant combination of the event loop, non-blocking I/O, and background workers. Let's break it down.</p> <h2> The single-threaded nature of Node.js </h2> <p>First, let's be clear: Node.js executes your JavaScript code in a single main thread. That means when you write:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Step 1</span><span class="dl">"</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Step 2</span><span class="dl">"</span><span class="p">);</span> </code></pre> </div> <p>These two lines never run simultaneously. Step 1 finishes before Step 2 starts. This single-threaded design simplifies your code because you don't have to worry about two pieces of code modifying the same variable at the same time.</p> <p>But a traditional server that uses one thread per request (like many Java or PHP setups) would quickly run out of threads under high load. Each thread consumes memory, and context switching between hundreds of threads wastes CPU. Node.js takes a totally different path. It keeps the single thread but never lets it sit idle.</p> <p>The magic comes from how it delegates work outside that thread. The main thread is like a project manager who never does heavy lifting; they hand tasks off to specialists and only get involved when results are ready.</p> <h2> The event loop: the master coordinator </h2> <p>The event loop is the core mechanism that enables this pattern. It's a continuously running loop that watches two things: the call stack (where functions execute) and the task queue (where callbacks wait). When the stack is empty, the loop picks the next callback from the queue and pushes it onto the stack for execution.</p> <p>Think of the event loop as a restaurant's head chef. She can only cook one dish at a time (single thread). But she doesn't peel potatoes or wait for water to boil. She delegates those tasks to assistants (background workers). While they work, she moves on to the next order. When an assistant finishes, they call out "Done!" and the chef briefly pauses, plates the component, and continues.</p> <p>In Node.js, this "delegation" happens whenever you call an asynchronous function like <code>fs.readFile</code>, <code>http.get</code>, or a database query. The main thread dispatches the I/O operation, registers a callback, and moves on to process the next request immediately.</p> <h2> Delegating tasks to background workers </h2> <p>Where does the actual I/O happen? Node.js uses two main mechanisms:</p> <ol> <li><p><strong>Operating system kernel</strong>: For network I/O, the OS provides non-blocking system calls (like epoll on Linux, kqueue on macOS). The main thread registers a socket with the kernel and asks to be notified when data arrives. The kernel handles the waiting, and the main thread carries on with other work. When data is ready, a callback is queued.</p></li> <li><p><strong>The libuv thread pool</strong>: For operations that don't have non-blocking OS support (like file system calls or some DNS lookups), libuv, the library that powers the event loop, maintains a pool of background threads. When you call <code>fs.readFile</code>, libuv grabs a thread from the pool, reads the file content on that thread, and then, once done, pushes the callback into the event loop's queue to be executed on the main thread.</p></li> </ol> <p>In both cases, the main thread never blocks. It just schedules work and handles results. The heavy I/O happens elsewhere.</p> <h2> Handling multiple client requests: a step-by-step view </h2> <p>Imagine a Node.js HTTP server that logs the request, then responds after a short delay (simulating a database lookup). Here's the code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">http</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">http</span><span class="dl">"</span><span class="p">);</span> <span class="nx">http</span><span class="p">.</span><span class="nf">createServer</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Request received:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">url</span><span class="p">);</span> <span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">writeHead</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text/plain</span><span class="dl">"</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">end</span><span class="p">(</span><span class="dl">"</span><span class="s2">Response for </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">req</span><span class="p">.</span><span class="nx">url</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Response sent:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">url</span><span class="p">);</span> <span class="p">},</span> <span class="mi">100</span><span class="p">);</span> <span class="p">}).</span><span class="nf">listen</span><span class="p">(</span><span class="mi">3000</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Server running on port 3000</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Now, open three tabs and quickly hit the server with different URLs. If Node.js were single-threaded in a blocking way, each request would need to finish before the next one even starts. But what actually happens is:</p> <ol> <li>Request A arrives. The main thread logs "Request received: /a" and calls <code>setTimeout</code>. This schedules a timer in libuv and immediately returns.</li> <li>The main thread is free. Request B arrives instantly. It logs "Request received: /b", sets another timer, and returns.</li> <li>Request C arrives, logs, sets a timer.</li> <li>After about 100ms, the timers start firing. Libuv queues the callbacks. The event loop picks them up one by one, and the main thread sends responses: "Response sent: /a", then "Response sent: /b", then "Response sent: /c".</li> </ol> <p>All three requests were accepted and processed concurrently, using a single JavaScript thread that never waited for the 100ms delay. The 100ms was spent in the background, not on the main thread.</p> <p>This is concurrency without parallelism.</p> <h2> Why Node.js scales so well </h2> <p>The secret to Node.js's scalability is that it doesn't dedicate a thread to each connection. In a traditional threaded server, if you have 10,000 concurrent connections, you might have 10,000 threads. Each thread consumes roughly 1 MB of stack space, so that's 10 GB of memory just for thread stacks. Plus, the OS scheduler wastes CPU switching among them.</p> <p>In Node.js, the memory footprint per connection is minimal: a small amount of state to remember the request, and a callback function. The event loop efficiently manages all of them on a single thread. This allows a Node.js process to comfortably handle tens of thousands of open connections (like WebSocket sessions) on modest hardware.</p> <p>Moreover, the event loop model naturally matches I/O heavy workloads. Most web servers spend the majority of their time waiting for the database, filesystem, or external APIs. Node.js turns that waiting into an opportunity to serve other requests.</p> <h2> Concurrency vs parallelism: a crucial distinction </h2> <p>It's vital to understand that Node.js provides <strong>concurrency</strong>, not <strong>parallelism</strong>, within a single process.</p> <ul> <li> <strong>Concurrency</strong>: Multiple tasks are in progress at the same time, but not necessarily executing simultaneously. The single thread switches between them so fast that it looks like they run together.</li> <li> <strong>Parallelism</strong>: Multiple tasks literally run at the same instant on different CPU cores.</li> </ul> <p>Node.js is concurrent through the event loop. But you can achieve parallelism by running multiple Node.js processes (clustering) or using worker threads for CPU-intensive tasks. However, the default model, and the one we're discussing, is single-threaded concurrency.</p> <p>The head chef analogy makes this clear. The chef is concurrent: she manages several dishes at once, keeping them all moving forward. But she only has two hands; she cannot physically chop and stir at the same instant. She is not parallel. If she needs to chop fifty onions (a CPU-heavy task), she would block the whole kitchen. So she hires an assistant (a worker thread) to do that in parallel. For most server tasks (I/O), the assistants are already built in (the OS and libuv).</p> <h2> Visualizing the single thread handling multiple requests </h2> <p>Here's a mental picture of the flow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Time 0ms: Request A arrives → main thread logs, starts async I/O, moves on Time 1ms: Request B arrives → main thread logs, starts async I/O, moves on Time 2ms: Request C arrives → main thread logs, starts async I/O, moves on ... Time 100ms: I/O for Request A completes → callback queued I/O for Request B completes → callback queued Time 101ms: Event loop picks A's callback → main thread sends response A Time 102ms: Event loop picks B's callback → main thread sends response B ... </code></pre> </div> <p>The main thread was blocked for only a tiny fraction of the total time (the logging and response sending). The actual waiting happened in the background, concurrently, for all requests.</p> <h2> Conclusion </h2> <p>Node.js handles multiple requests with a single thread by never waiting. It delegates I/O tasks to the OS kernel or a background thread pool, uses an event loop to manage callbacks, and keeps its main thread free to accept new work. This is a radical departure from the thread-per-connection model and is the reason Node.js excels at building fast, scalable network applications.</p> <p>To recap:</p> <ul> <li>Node.js JavaScript runs on one thread, ensuring simplicity and avoiding synchronization bugs.</li> <li>The event loop orchestrates concurrency by continuously dispatching callbacks when the stack is empty.</li> <li>Time-consuming I/O is handed off to the OS (non-blocking) or to a libuv thread pool, never blocking the main thread.</li> <li>Multiple client requests are handled by interleaving their short, non-blocking pieces, giving the illusion of simultaneous processing.</li> <li>This model scales well because memory per connection is tiny, and CPU time isn't wasted on thread management.</li> <li>Node.js provides concurrency, not parallelism, on a single process. For true parallel computation, you can use clustering or worker threads.</li> </ul> <p>Now that you understand this foundational concept, you're ready to build applications that can handle massive concurrency with ease. In the next post, we'll explore some of the most commonly used built-in modules that Node.js provides to make all this power accessible.</p> <p>Hope you found this helpful! If you spot any mistakes or have suggestions, let me know. You can find me on <a href="https://www.linkedin.com/in/satyaprangyasootar" rel="noopener noreferrer">LinkedIn</a> and <a href="https://x.com/satyasootar" rel="noopener noreferrer">X</a>, where I post more about web development.</p> node Blocking vs Non-Blocking Code in Node.js SATYA SOOTAR Sat, 09 May 2026 12:50:09 +0000 https://dev.to/satyasootar/blocking-vs-non-blocking-code-in-nodejs-5dlj https://dev.to/satyasootar/blocking-vs-non-blocking-code-in-nodejs-5dlj <p>Hello readers 👋, welcome to the 5th blog of our Node.js Series!</p> <p>In the last post, we unpacked the event loop and saw how it keeps Node.js responsive by juggling callbacks. Today we are going to look at a concept that directly affects performance: <strong>blocking vs non-blocking code</strong>. Understanding this difference is the key to writing fast, scalable Node.js applications. It's not just academic; it shows up every time you read a file or query a database.</p> <p>We'll start with simple definitions, use everyday analogies, and then look at real Node.js examples that show exactly how blocking code can bring a server to its knees while non-blocking code lets it fly.</p> <h2> What blocking code means </h2> <p>Blocking code is code that stops the execution of the rest of your program until a particular operation finishes. When the main thread encounters a blocking operation, it sits there and waits. Nothing else happens during that wait: no new requests are processed, no timers fire, no callbacks run. The entire Node.js process is frozen until that operation completes.</p> <p>In synchronous programming, blocking is the default. For example, consider this synchronous file read:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">fs</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">fs</span><span class="dl">"</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Start reading file</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">"</span><span class="s2">big-file.txt</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">utf8</span><span class="dl">"</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">File content length:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">data</span><span class="p">.</span><span class="nx">length</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">This runs after the file is read</span><span class="dl">"</span><span class="p">);</span> </code></pre> </div> <p>The output is predictable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Start reading file File content length: 12345 This runs after the file is read </code></pre> </div> <p>The second <code>console.log</code> does not execute until the file is completely read into <code>data</code>. While the file is being read (maybe 50ms or more), the thread is blocked. In a script that does one thing, that's fine. But in a server handling hundreds of requests, it's a disaster.</p> <h2> What non-blocking code means </h2> <p>Non-blocking code, as we saw with the event loop, initiates an operation and then immediately moves on to the next line without waiting for the operation to finish. A callback, a promise, or an <code>await</code> expression later handles the result, but the main thread is never stuck.</p> <p>The asynchronous version of the file read looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">fs</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">fs</span><span class="dl">"</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Start reading file</span><span class="dl">"</span><span class="p">);</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFile</span><span class="p">(</span><span class="dl">"</span><span class="s2">big-file.txt</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">utf8</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="k">throw</span> <span class="nx">err</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">File content length:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">data</span><span class="p">.</span><span class="nx">length</span><span class="p">);</span> <span class="p">});</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">This runs immediately, before the file is read</span><span class="dl">"</span><span class="p">);</span> </code></pre> </div> <p>The output order is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Start reading file This runs immediately, before the file is read File content length: 12345 </code></pre> </div> <p>The main thread registers the read operation, attaches a callback, and keeps going. It never waits. When the data is ready, the event loop pushes the callback onto the stack, and the file content length is logged.</p> <h2> An analogy: waiting in line vs taking a buzzer </h2> <p>Imagine a busy food truck. There are two ways orders can be handled:</p> <p><strong>Blocking (synchronous):</strong> You place your order, and then you stand at the counter, waiting until the cook finishes your meal. The line behind you doesn't move. Only one person can be "in service" at a time. If the cook takes 3 minutes per order, 20 people will take an hour, and most of that time is spent staring at the cook.</p> <p><strong>Non-blocking (asynchronous):</strong> You place your order, pay, and receive a buzzer. You step aside and let the next person order. When your food is ready, the buzzer beeps, and you pick it up. The food truck can take orders from many people rapidly, and the cook works in parallel, while the cashier (the main thread) never gets stuck.</p> <p>Blocking code is standing at the counter. Non-blocking code is taking the buzzer. In a server, every blocked request is a person stuck at the counter, and the whole queue grinds to a halt.</p> <h2> Why blocking slows servers </h2> <p>Node.js shines when it's non-blocking because its single thread can handle many concurrent connections. But if you introduce a blocking operation, that single thread is completely occupied for the duration of that operation. While it's blocked, zero other work gets done. Timers don't fire. Incoming HTTP requests wait. The entire server freezes.</p> <p>Let's see a tiny HTTP server with a blocking call:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">http</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">http</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">fs</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">fs</span><span class="dl">"</span><span class="p">);</span> <span class="nx">http</span><span class="p">.</span><span class="nf">createServer</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">url</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">/slow</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Blocking file read</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">"</span><span class="s2">huge-file.txt</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">utf8</span><span class="dl">"</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">writeHead</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text/plain</span><span class="dl">"</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">end</span><span class="p">(</span><span class="dl">"</span><span class="s2">File size: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">data</span><span class="p">.</span><span class="nx">length</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">writeHead</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text/plain</span><span class="dl">"</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">end</span><span class="p">(</span><span class="dl">"</span><span class="s2">Fast response</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">}).</span><span class="nf">listen</span><span class="p">(</span><span class="mi">3000</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Server running at http://localhost:3000</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>If you open <code>/slow</code> in your browser, it will take a few hundred milliseconds (depending on file size). During that time, if you open a new tab and hit the root <code>/</code>, you'll get no response until the <code>/slow</code> request finishes. The second request is sitting in the queue, waiting for the event loop, which is stuck in <code>readFileSync</code>. The whole server experiences a pause.</p> <p>Now replace <code>readFileSync</code> with <code>fs.readFile</code> (asynchronous):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">http</span><span class="p">.</span><span class="nf">createServer</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">url</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">/slow</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFile</span><span class="p">(</span><span class="dl">"</span><span class="s2">huge-file.txt</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">utf8</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">writeHead</span><span class="p">(</span><span class="mi">500</span><span class="p">);</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">end</span><span class="p">(</span><span class="dl">"</span><span class="s2">Error</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="nx">res</span><span class="p">.</span><span class="nf">writeHead</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text/plain</span><span class="dl">"</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">end</span><span class="p">(</span><span class="dl">"</span><span class="s2">File size: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">data</span><span class="p">.</span><span class="nx">length</span><span class="p">);</span> <span class="p">});</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">writeHead</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text/plain</span><span class="dl">"</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">end</span><span class="p">(</span><span class="dl">"</span><span class="s2">Fast response</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">}).</span><span class="nf">listen</span><span class="p">(</span><span class="mi">3000</span><span class="p">);</span> </code></pre> </div> <p>Now, hitting <code>/slow</code> still takes time to read the file, but the server is not blocked. Requests to <code>/</code> get immediate responses, even while the file is being read in the background. The event loop continues to spin, serving other clients.</p> <h2> Real-world examples: file operations and database calls </h2> <p>Blocking isn't limited to <code>fs.readFileSync</code>. Any synchronous I/O or CPU-heavy work that hangs on the main thread is blocking. Real-world culprits include:</p> <ul> <li> <strong>Synchronous file operations</strong>: <code>fs.readFileSync</code>, <code>fs.writeFileSync</code>, <code>fs.existsSync</code>.</li> <li> <strong>CPU-intensive computations</strong>: huge loops, cryptography, image processing done on the main thread.</li> <li> <strong>Synchronous database queries</strong>: some database drivers offer sync methods (like <code>db.execSync()</code>), though most Node.js drivers are async by default.</li> </ul> <p>For databases, a typical non-blocking call uses callbacks, promises, or async/await. For example, with a MySQL driver:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Non-blocking (callback-based)</span> <span class="nx">connection</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">SELECT * FROM users</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">results</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="k">throw</span> <span class="nx">err</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">results</span><span class="p">);</span> <span class="p">});</span> <span class="c1">// The line below runs immediately after the query is sent, not after it returns</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Query sent</span><span class="dl">"</span><span class="p">);</span> </code></pre> </div> <p>Using async/await (still non-blocking):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">getUsers</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">rows</span><span class="p">]</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">connection</span><span class="p">.</span><span class="nf">promise</span><span class="p">().</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">SELECT * FROM users</span><span class="dl">"</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">rows</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// The function suspends at await, but the main thread is free to handle other requests.</span> </code></pre> </div> <p>Note: <code>await</code> looks synchronous, but under the hood it's non-blocking. It pauses the async function, not the entire thread. That's the beauty.</p> <h2> How to keep your Node.js code non-blocking </h2> <ol> <li> <strong>Prefer asynchronous versions of modules</strong>: <code>fs.readFile</code> over <code>fs.readFileSync</code>, <code>crypto.pbkdf2</code> over <code>crypto.pbkdf2Sync</code>.</li> <li> <strong>For CPU-heavy tasks, use worker threads or offload</strong>: Node.js provides <code>worker_threads</code> for parallelism, or you can spawn child processes, use message queues, or delegate to external services. Don't do heavy math on the main event loop.</li> <li> <strong>Be careful with large synchronous loops</strong>: Even a simple loop over a million items can block the thread for a noticeable time. Split work into chunks and yield control with <code>setImmediate</code> or <code>setTimeout</code> if needed.</li> <li> <strong>Use async/await with Promises, not sync variants</strong>: Always check if a library offers a promise-based API and use it.</li> </ol> <h2> Conclusion </h2> <p>Understanding blocking vs non-blocking code is foundational for building performant Node.js applications. The main thread is a precious resource; keep it moving. If you block it, your whole server stops. If you keep things async, the event loop can handle vast numbers of concurrent connections effortlessly.</p> <p>Let's quickly recap:</p> <ul> <li> <strong>Blocking code</strong> stops the execution of the entire program until the current operation finishes. It freezes the single thread.</li> <li> <strong>Non-blocking code</strong> initiates an operation and immediately proceeds, handling the result later via callbacks, promises, or async/await.</li> <li>Blocking the main thread in a server causes all other requests to queue up and wait, destroying responsiveness.</li> <li>Real-world blocking sources include synchronous file I/O, heavy computation, and synchronous database calls.</li> <li>Use asynchronous methods, worker threads for CPU work, and always think about the event loop.</li> </ul> <p>Now that you can distinguish between blocking and non-blocking patterns, you are equipped to write Node.js code that is fast and responsive under load. In the next post, we'll explore the built-in global objects and utilities that Node.js offers to make development smoother.</p> <p>Hope you found this helpful! If you spot any mistakes or have suggestions, let me know. You can find me on <a href="https://www.linkedin.com/in/satyaprangyasootar" rel="noopener noreferrer">LinkedIn</a> and <a href="https://x.com/satyasootar" rel="noopener noreferrer">X</a>, where I post more about web development.</p> node The Node.js Event Loop Explained SATYA SOOTAR Sat, 09 May 2026 12:45:37 +0000 https://dev.to/satyasootar/the-nodejs-event-loop-explained-5bgh https://dev.to/satyasootar/the-nodejs-event-loop-explained-5bgh <p>Hello readers 👋, welcome to the 4th blog in our Node.js journey!</p> <p>In the last few posts, we installed Node.js, explored what it is, and uncovered why it's so fast for web applications. We kept mentioning the <strong>event loop</strong> as the secret sauce behind Node.js's non-blocking superpower. Today, we are going to shine a light directly on it and understand what the event loop actually does, how it manages async operations, and why it makes Node.js incredibly scalable.</p> <p>Think of this as meeting the conductor of the orchestra. Let's get started.</p> <h2> The single-threaded reality </h2> <p>Before we dive into the event loop, we need a clear reminder: Node.js runs your JavaScript code on a <strong>single thread</strong>. That means only one piece of JavaScript can execute at any given moment. This might sound like a limitation, but Node.js turns it into a strength by never letting that single thread sit idle while waiting for something to finish.</p> <p>In a traditional server, we saw that waiting (blocking) ties up a thread. If you have only one thread and it blocks, your entire application freezes. So, how does Node.js keep things moving? It uses the event loop to stay busy with ready tasks while I/O operations happen in the background.</p> <h2> What the event loop is </h2> <p>At its core, the event loop is a <strong>task manager</strong> that continuously checks if there is any work to do and executes it. It follows a simple, never-ending cycle: check for pending tasks, pick the next one, run it, repeat.</p> <p>In Node.js, almost everything is delegated to the operating system's asynchronous capabilities through the libuv library. When you initiate an I/O operation (like reading a file, making a network request, or waiting for a timer), Node.js hands it off, registers a callback, and moves on. The event loop's job is to bring those callbacks back to the main thread at the right time.</p> <p>You can imagine the event loop as a conveyor belt. Your JavaScript code places orders (I/O requests) onto the belt, each with a callback attached. Workers in the background (the operating system kernel or a thread pool) process these orders. When a job completes, the callback is placed into a <strong>task queue</strong>. The event loop constantly watches this queue; whenever the main thread is free (the call stack is empty), it grabs the next callback from the queue and pushes it onto the call stack for execution.</p> <h2> Call stack and task queue: the dynamic duo </h2> <p>To understand the event loop, we need two concepts: the <strong>call stack</strong> and the <strong>task queue</strong>.</p> <ul> <li><p><strong>Call stack</strong>: a LIFO (Last In, First Out) structure where the currently executing function lives. When you call a function, it's pushed onto the stack; when it returns, it's popped off. Synchronous code runs directly on the stack.</p></li> <li><p><strong>Task queue</strong> (often called the callback queue or macrotask queue): a FIFO (First In, First Out) queue where callbacks from completed asynchronous operations wait to be executed. When the call stack is empty, the event loop takes the oldest callback from the task queue and pushes it onto the stack.</p></li> </ul> <p>A tiny example will make this concrete:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Start</span><span class="dl">"</span><span class="p">);</span> <span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Timeout callback</span><span class="dl">"</span><span class="p">);</span> <span class="p">},</span> <span class="mi">0</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">End</span><span class="dl">"</span><span class="p">);</span> </code></pre> </div> <p>The output is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Start End Timeout callback </code></pre> </div> <p>Here's what happened:</p> <ol> <li> <code>console.log("Start")</code> is pushed onto the stack, executed, popped off.</li> <li> <code>setTimeout</code> is called. The timer is registered with the system; the callback is scheduled. Node.js doesn't wait. <code>setTimeout</code> returns.</li> <li> <code>console.log("End")</code> runs.</li> <li>The call stack is now empty. The event loop checks the task queue and finds the timer callback ready (even with 0ms delay, it was queued). It pushes the callback onto the stack, which logs "Timeout callback".</li> </ol> <p>This demonstrates the fundamental dance between the call stack, the event loop, and the task queue.</p> <h2> How async operations are handled </h2> <p>Let's follow a more realistic async operation, like reading a file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">fs</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">fs</span><span class="dl">"</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Before read</span><span class="dl">"</span><span class="p">);</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFile</span><span class="p">(</span><span class="dl">"</span><span class="s2">example.txt</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">utf8</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="k">throw</span> <span class="nx">err</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">File content:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">data</span><span class="p">);</span> <span class="p">});</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">After read</span><span class="dl">"</span><span class="p">);</span> </code></pre> </div> <p>Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Before read After read File content: (actual content) </code></pre> </div> <p>Step by step:</p> <ol> <li> <code>console.log("Before read")</code> runs on the stack.</li> <li> <code>fs.readFile</code> is called. Node.js hands the operation to libuv and the operating system. A callback is registered. The main thread does <strong>not</strong> wait; it immediately moves to the next line.</li> <li> <code>console.log("After read")</code> runs.</li> <li>Meanwhile, the operating system reads the file in the background. When done, the callback is placed into the task queue.</li> <li>The event loop, seeing an empty call stack, picks the callback from the queue and runs it, logging the file content.</li> </ol> <p>Notice how the non-blocking behavior keeps the thread free between the read call and the callback execution. This is how Node.js can handle thousands of concurrent requests: the event loop keeps picking up callbacks, while I/O happens in parallel in the OS.</p> <h2> Timers vs I/O callbacks (high level) </h2> <p>You might wonder: do timer callbacks and I/O callbacks wait in the same queue? The event loop has multiple phases, each with its own queue of callbacks. But for now, we can think of them as different types of events that the loop processes in a specific order.</p> <ul> <li><p><strong>Timer callbacks</strong>: scheduled by <code>setTimeout</code> and <code>setInterval</code>. They are executed only after the specified minimum delay has passed. However, they are not guaranteed to run exactly after that time; they wait until the event loop reaches the timers phase and no other script is blocking the thread.</p></li> <li><p><strong>I/O callbacks</strong>: these are callbacks from file system operations, network requests, and other asynchronous I/O. They are processed in the "poll" phase of the event loop, after timers and some other internal checks.</p></li> </ul> <p>In practice, this means that a long-running synchronous operation can delay both timer and I/O callbacks. The event loop will simply not get a chance to push them from the queue until the call stack clears. This is why we avoid heavy synchronous code in Node.js.</p> <p>The key takeaway: both timer and I/O callbacks are scheduled by the event loop, and the loop ensures they are executed in a fair, orderly manner. The exact order of phases isn't critical for everyday use, but knowing that the loop processes callbacks in batches (timers first, then I/O) helps you avoid surprises.</p> <h2> The event loop's role in scalability </h2> <p>The event loop is the engine behind Node.js's ability to handle massive concurrency with a single thread. Because the main thread never blocks on I/O, the event loop can continuously accept new connections and schedule their work. The operating system handles the actual parallel I/O, and the event loop merely dispatches results when they arrive.</p> <p>This model scales extremely well for I/O-bound applications. A single Node.js process can maintain tens of thousands of open connections (like WebSocket sessions) because the memory cost is minimal: each connection is just a small amount of state and a callback, not a whole thread.</p> <p>The event loop also encourages developers to write asynchronous code that doesn't block the thread. This mindset leads to applications that are inherently more responsive under load.</p> <h2> Visualizing the event loop execution cycle </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb0kto3wcidg5c02p90pp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb0kto3wcidg5c02p90pp.png" alt="Event loop" width="800" height="400"></a></p> <h2> Common misconceptions </h2> <p><strong>"Node.js is single-threaded, so it can't handle multiple requests at once."</strong><br><br> False. It handles many requests concurrently by interleaving their asynchronous operations. The main thread never gets stuck on one request; it quickly cycles through them, thanks to the event loop.</p> <p><strong>"<code>setTimeout(fn, 0)</code> runs immediately."</strong><br><br> Not quite. It schedules the callback to run after 0 milliseconds, but the event loop still has to wait for the current call stack to empty. It's a common trick to defer code execution until after the current synchronous block finishes.</p> <p><strong>"All callbacks go into the same queue."</strong><br><br> Not precisely. The event loop has distinct phases (timers, I/O, check, close) with separate queues. But conceptually, they all funnel into the same serial execution flow on the main thread.</p> <h2> Conclusion </h2> <p>The event loop is the heartbeat of Node.js. It takes the inherent single-threadedness of JavaScript and turns it into a powerful asynchronous dispatcher that never sleeps. By understanding how the call stack, task queue, and event loop work together, you gain insight into why your code executes in the order it does and how to write truly non-blocking applications.</p> <p>Let's quickly recap:</p> <ul> <li>Node.js runs JavaScript on a single thread, but uses an event loop to avoid blocking.</li> <li>The event loop is a task manager that continuously picks callbacks from the task queue and runs them when the stack is empty.</li> <li>The call stack handles synchronous code; the task queue holds callbacks waiting their turn.</li> <li>Async operations like file reads are handed off to the OS; upon completion, their callbacks enter the queue and are later executed by the loop.</li> <li>Timer callbacks (<code>setTimeout</code>) and I/O callbacks are handled in separate phases of the loop, but the core idea is the same: they only run after the current stack finishes.</li> <li>This design allows Node.js to scale massively for I/O-heavy workloads while using minimal resources.</li> </ul> <p>With the event loop now demystified, you have the foundation to write robust, high-performance Node.js applications. In the next post, we'll start exploring the built-in modules that make Node.js so powerful right out of the box.</p> <p>Hope you found this helpful! If you spot any mistakes or have suggestions, let me know. You can find me on <a href="https://www.linkedin.com/in/satyaprangyasootar" rel="noopener noreferrer">LinkedIn</a> and <a href="https://x.com/satyasootar" rel="noopener noreferrer">X</a>, where I post more about web development.</p> node