By ApiNest Team • Last updated Aug 24, 2025
Plan the API
Define resources, operations, and error model. We’ll build a todo API with users and JWT auth.
Scaffold
```sh
npm create next-app@latest my-api --ts
cd my-api
```
Endpoints
- GET /api/todos
- POST /api/todos
- GET /api/todos/:id
- PATCH /api/todos/:id
- DELETE /api/todos/:id
Validation
```ts
// zod example: declare the shape once, then parse every request body against it
import { z } from 'zod'

const TodoInput = z.object({
  title: z.string().min(1),
  done: z.boolean().optional(),
})

// In the handler: parse the body and reject bad input with 400 before it reaches storage
const parsed = TodoInput.safeParse(req.body)
if (!parsed.success) return res.status(400).json({ error: 'VALIDATION', issues: parsed.error.issues })
```
Auth
Authenticate requests with a bearer token in the Authorization header or with an API key header. For browser apps, never ship a long-lived key to the client: keep it on the server and proxy calls through your own route.
```ts
// Simple JWT issue (pseudo): `user` is the record of the caller who just authenticated
import jwt from 'jsonwebtoken'

const secret = process.env.JWT_SECRET
if (!secret) throw new Error('JWT_SECRET is not set')

const token = jwt.sign(
  { sub: user.id, scope: ['todo:read', 'todo:write'] },
  secret,
  { algorithm: 'HS256', expiresIn: '15m' } // short lifetime; pin the algorithm on both sign and verify
)
```
Rate limits
Start with 60 requests per minute per user, allowing short bursts of up to 5 requests per second. Key the limit on the authenticated user rather than the client IP so that callers behind a shared address are not punished together. When the limit is exceeded, return 429 with a Retry-After header so well-behaved clients know when to come back. Cache read responses for 30–60 s.
```ts
// Inside the route handler, before doing any work: `tooManyRequests` is the limiter check
if (tooManyRequests(user)) {
  res.setHeader('Retry-After', '30')
  return res.status(429).json({
    error: 'RATE_LIMIT_MINUTE',
    message: 'Rate limit exceeded',
    retryAfter: 30,
  })
}
```
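The snippet above leaves the limiter itself and the Retry-After value as placeholders. Here is an added example (not the page's code) of a per-user token bucket that gives the 60-per-minute sustained rate with bursts of 5, and computes Retry-After from the bucket state instead of a fixed 30. The in-memory `buckets` map, the `take`/`withRateLimit` names, the injectable clock and the Next.js pages-style `(req, res)` handler shape are assumptions for the example.

```javascript
// Added example, not from the page: token-bucket rate limiter keyed by user id.
const RATE = 60 / 60; // tokens refilled per second: 60 per minute sustained
const BURST = 5;      // bucket capacity: up to 5 requests at once

// Assumed in-process store; with several instances use a shared store (e.g. Redis) instead.
const buckets = new Map();

// Returns { allowed: true } or { allowed: false, retryAfter } (seconds, rounded up).
// `nowMs` is injectable so the behaviour can be tested without sleeping.
function take(userId, nowMs = Date.now()) {
  let b = buckets.get(userId);
  if (!b) {
    b = { tokens: BURST, last: nowMs };
    buckets.set(userId, b);
  }
  const elapsedSeconds = (nowMs - b.last) / 1000;
  b.tokens = Math.min(BURST, b.tokens + elapsedSeconds * RATE);
  b.last = nowMs;
  if (b.tokens >= 1) {
    b.tokens -= 1;
    return { allowed: true };
  }
  // Time until one whole token has refilled; Retry-After must be an integer number of seconds.
  const retryAfter = Math.ceil((1 - b.tokens) / RATE);
  return { allowed: false, retryAfter };
}

// The 429 response in the shape the page's handler uses.
function rateLimitResponse(retryAfter) {
  return {
    status: 429,
    headers: { 'Retry-After': String(retryAfter) },
    body: { error: 'RATE_LIMIT_MINUTE', message: 'Rate limit exceeded', retryAfter },
  };
}

// Wrap a (req, res) API route; `getUserId` reads the authenticated user id from the request.
function withRateLimit(handler, getUserId) {
  return (req, res) => {
    const r = take(getUserId(req));
    if (!r.allowed) {
      const out = rateLimitResponse(r.retryAfter);
      res.setHeader('Retry-After', out.headers['Retry-After']);
      return res.status(out.status).json(out.body);
    }
    return handler(req, res);
  };
}

module.exports = { take, rateLimitResponse, withRateLimit, RATE, BURST };
```

Use `take(user.id)` where the page's `tooManyRequests(user)` sits; the returned `retryAfter` replaces the hard-coded 30 in both the header and the JSON body so the two never disagree.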
Deploy & observe
- Deploy to Vercel or similar. Log status, latency, and user id for every request, but never the bearer token or the Authorization header itself.
- Set alerts for error rate and p95 latency.
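To make the two bullets above concrete, here is an added example (not the page's code) of a request-log record that carries status, latency and user while keeping the credential out of the log, plus the p95 latency and error-rate figures the alerts would be set on. The `requestLogRecord`/`withRequestLog` names, the Next.js pages-style `(req, res)` handler shape and the `sink` callback are assumptions for the example.

```javascript
// Added example, not from the page: structured request logging and alert metrics.

// Build one log record. The Authorization header is deliberately never copied into it,
// and the query string is dropped from the path because it can carry tokens too.
function requestLogRecord({ method, url, headers = {} }, status, startMs, endMs, userSub) {
  const hasAuth = typeof headers.authorization === 'string';
  return {
    ts: new Date(endMs).toISOString(),
    method,
    path: new URL(url, 'http://local').pathname,
    status,
    latencyMs: endMs - startMs,
    user: userSub ?? null,
    authenticated: hasAuth,
  };
}

// Wrap a (req, res) API route and emit one record per request, even when the handler throws.
// `getUserSub` reads the verified token subject from the request; `sink` defaults to stdout.
function withRequestLog(handler, getUserSub, sink = (rec) => console.log(JSON.stringify(rec))) {
  return async (req, res) => {
    const start = Date.now();
    try {
      return await handler(req, res);
    } finally {
      sink(requestLogRecord(req, res.statusCode, start, Date.now(), getUserSub(req)));
    }
  };
}

// Nearest-rank p95 over a window of latencies: the value the latency alert watches.
function p95(latenciesMs) {
  if (latenciesMs.length === 0) return null;
  const sorted = [...latenciesMs].sort((a, b) => a - b);
  return sorted[Math.ceil((sorted.length * 95) / 100) - 1];
}

// Share of 5xx responses in a window of status codes: the value the error-rate alert watches.
function errorRate(statuses) {
  if (statuses.length === 0) return 0;
  return statuses.filter((s) => s >= 500).length / statuses.length;
}

module.exports = { requestLogRecord, withRequestLog, p95, errorRate };
```

Feed the `latencyMs` and `status` fields from a recent window of records into `p95` and `errorRate` and alert when they cross your thresholds; 4xx responses such as 401 and 429 are excluded from the error rate on purpose, since they are the API rejecting bad callers, not failing.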
Postman collection & examples
- GET /api/todos with header Authorization: Bearer <token>
- POST /api/todos with the same header and body { "title": "Ship API" }
FAQ
How do I version?
Path-based (/v1) is simplest. Keep old versions until clients migrate.
Should I use REST or GraphQL?
REST is quicker for small teams; GraphQL helps when clients need selective fields.