DEV Community

Cover image for Build your API, not your boilerplate.
Muhammad Tahir Baloch
Muhammad Tahir Baloch

Posted on

Build your API, not your boilerplate.

🚀 After building backend projects repeatedly, I realized I was solving the same infrastructure problems every time.

Before writing a single business feature, I had to configure:

• TypeScript
• Express
• Prisma
• PostgreSQL
• JWT Authentication
• Email verification
• Password reset
• Two-Factor Authentication (2FA)
• CSRF Protection
• Role-based Authorization
• Rate Limiting
• Security Headers
• Input Validation
• Project Structure

It quickly became repetitive.

So I started building Backend Starter.

A production-ready Express.js starter that lets you focus on building products instead of setting up infrastructure.

What's included?

🔐 Authentication
• JWT Access & Refresh Tokens
• HTTP-only Cookies
• Email Verification
• Password Reset
• Change Email
• Change Password
• Two-Factor Authentication (2FA)

🛡️ Security
• CSRF Protection
• Helmet
• Express Rate Limit
• Zod Validation
• bcrypt Password Hashing
• Refresh Token Rotation

👥 User Management
• Registration
• Profile Management
• Device Sessions
• Login History
• Account Deletion

👨‍💼 Admin Features
• User Management
• Role Management
• Account Status Management
• Login History

Developer Experience
• TypeScript
• Prisma ORM
• PostgreSQL
• Biome
• Husky Git Hooks
• Environment Example Generator
• Postman Collection
• Clean Project Structure

This is only the beginning.

Next on the roadmap

• OAuth (Google & GitHub)
• Redis
• Docker Compose
• Swagger / OpenAPI
• Background Jobs
• File Upload Module

The project is completely open source, and I'd genuinely appreciate feedback from the community.

⭐ If you find it useful, consider giving it a star or contributing.

GitHub:
https://github.com/setahirbaloch/backend-starter

Linkedin:
https://linkedin.com/in/setahirbaloch

What feature do you think every production-ready backend starter should include?

Top comments (4)

Collapse
 
nazar-boyko profile image
Nazar Boyko

Does it ship with tests for the security paths, things like the refresh token rotation, CSRF, and the 2FA flow? For an auth starter that's the part I'd trust least without seeing it proven, since those are exactly the bits that break quietly when a dependency updates.

Collapse
 
setahirbaloch profile image
Muhammad Tahir Baloch

Not yet. At the moment, I've manually tested all authentication and security endpoints using Postman, including sign-in, refresh token flow, CSRF protection, email verification, password reset, 2FA/device verification, and authenticated account operations. I've verified both successful and failure scenarios to ensure the expected behavior.

Automated integration tests are on the roadmap. I agree they're especially valuable for critical security flows like refresh token rotation, CSRF, and 2FA because those are the areas most likely to regress after dependency or implementation changes. Adding a comprehensive test suite is one of the next improvements planned for the starter.

Collapse
 
manolito99 profile image
Lolo

The one thing I'd add to every production backend starter: observability from day one. Error tracking and structured logging before you need them is much easier than adding them after the first production incident.

Sentry + structured logs saved me hours on a recent bug that only appeared in prod.

Collapse
 
setahirbaloch profile image
Muhammad Tahir Baloch

thank you for your suggestion, it's key part.
sure, next I will add this using winston + morgan.