Building Modern REST APIs with Node.js 23 and Express 5.0

Introduction

The landscape of backend development has undergone a tectonic shift over the last two years. For nearly a decade, Express 4.x remained the industry standard, requiring developers to rely on third-party libraries for basic tasks like handling asynchronous errors or making HTTP requests. However, with the arrival of Express 5.0 and Node.js 22/23 LTS, the ecosystem has matured into a more streamlined, performant, and secure environment.

Building a REST API in 2025 is no longer just about routing; it’s about type safety, contract-first design, and leveraging native runtime capabilities that were previously unavailable. This guide explores how to build professional-grade REST APIs using the latest features of Node.js and Express, moving from foundational setup to advanced architectural patterns.

The Modern Foundation: Node.js 22 and Express 5.0

Before writing a single line of code, it is essential to understand the modern environment. Node.js 22 has introduced features that significantly reduce dependency fatigue.

Embracing ES Modules (ESM)

CommonJS (require) is effectively a legacy format in the modern Node.js ecosystem. By setting "type": "module" in your package.json, you gain access to top-level await and better static analysis for bundling tools.

{
  "name": "modern-express-api",
  "version": "1.0.0",
  "type": "module",
  "dependencies": {
    "express": "^5.0.0",
    "zod": "^3.23.0"
  }
}

Express 5.0: Native Async Support

The most significant update in Express 5.0 is the native handling of Promises. In Express 4, an unhandled rejection in an async route would hang the request or crash the process unless wrapped in a try-catch block or a helper like express-async-handler. Express 5.0 automatically catches these errors and passes them to your global error-handling middleware.

Native Fetch and WebSockets

Node.js 22 stabilizes the native fetch API. This means your REST API can now communicate with other microservices without the overhead of axios or node-fetch. Additionally, the inclusion of node:ws provides a native path for adding real-time capabilities to your RESTful endpoints.

Architectural Excellence: The Three-Layer Pattern

A common mistake in Express development is the "Fat Controller" syndrome, where all business logic, database queries, and validation reside within the route handler. To build a scalable API, we implement a Modular Three-Layer Architecture.

1. The Controller Layer

The controller's sole responsibility is to handle the HTTP "interface." It parses the request, calls the appropriate service, and returns a formatted response. It should never interact with the database directly.

2. The Service Layer

This is the heart of your application. The service layer contains the core business logic. If you need to calculate a discount, send an email, or check a user's eligibility, it happens here. This layer is framework-agnostic, making it easy to test or move to a different framework later.

3. The Data Access Layer (DAL)

The DAL interacts with your database. Using an ORM like Prisma or an ODM like Mongoose, this layer abstracts queries. By isolating data access, you can switch from PostgreSQL to MongoDB with minimal impact on your business logic.

Implementing CRUD with Type Safety and Validation

In 2025, trusting client input is a critical security risk. We use Zod for runtime validation and TypeScript for compile-time safety.

Defining the Schema

Zod allows you to define a schema that validates the req.body and simultaneously generates a TypeScript type.

import { z } from 'zod';
 
export const CreateUserSchema = z.object({
  email: z.string().email(),
  password: z.string().min(8),
  role: z.enum(['USER', 'ADMIN']).default('USER'),
});
 
type CreateUserDto = z.infer<typeof CreateUserSchema>;

The Express 5.0 Route Handler

Notice how clean the route becomes when we leverage Express 5.0's native promise handling and a centralized validation middleware.

import express from 'express';
import { userService } from '../services/user.service.js';
import { validate } from '../middleware/validate.js';
import { CreateUserSchema } from '../schemas/user.schema.js';
 
const router = express.Router();
 
router.post('/', validate(CreateUserSchema), async (req, res) => {
  // Logic only runs if validation succeeds
  const newUser = await userService.createUser(req.body);
  res.status(201).json(newUser);
});
 
export default router;

Centralized Error Handling

Instead of scattered res.status(500) calls, we use a global error handler. Express 5.0 makes this more powerful by capturing thrown errors from async functions automatically.

// middleware/errorHandler.js
export const errorHandler = (err, req, res, next) => {
  const statusCode = err.statusCode || 500;
  const message = err.message || 'Internal Server Error';
 
  console.error(`[Error] ${req.method} ${req.url}:`, err);
 
  res.status(statusCode).json({
    status: 'error',
    code: err.code || 'INTERNAL_ERROR',
    message,
    ...(process.env.NODE_ENV === 'development' && { stack: err.stack })
  });
};

Advanced Techniques: Security and Performance

A production-ready API requires more than just CRUD operations. It requires a robust security posture and an understanding of the Node.js event loop.

The Node.js Permission Model

One of the most exciting additions in Node.js 22 is the experimental permission model. You can now restrict your API's access to the environment. For example: node --experimental-permission --allow-fs-read=/tmp/ --allow-net=api.stripe.com server.js This ensures that even if a dependency is compromised, the attacker cannot read your /etc/passwd file or send data to a malicious domain.

Handling Heavy Computation

Node.js is single-threaded. If your API needs to process large images or generate complex PDFs, it will block the event loop, preventing other requests from being handled.

• Solution: Use Worker Threads for CPU-bound tasks or offload them to a background worker like BullMQ using Redis. This keeps your REST API responsive.

Security Headers and Sanitization

Always use Helmet.js to set secure HTTP headers. It protects against common vulnerabilities like Cross-Site Scripting (XSS) and clickjacking by default.

import helmet from 'helmet';
const app = express();
app.use(helmet()); // Sets 15+ security headers

Real-World Scenario: Implementing Advanced Filtering

Modern APIs often need to support complex querying. Instead of writing custom logic for every route, we can build a reusable "Query Features" utility.

class APIFeatures {
  constructor(query, queryString) {
    this.query = query; // The Prisma or Mongoose query
    this.queryString = queryString; // req.query
  }
 
  filter() {
    const queryObj = { ...this.queryString };
    const excludedFields = ['page', 'sort', 'limit', 'fields'];
    excludedFields.forEach(el => delete queryObj[el]);
 
    // Advanced filtering (e.g., price[gte]=500)
    let queryStr = JSON.stringify(queryObj);
    queryStr = queryStr.replace(/\b(gte|gt|lte|lt)\b/g, match => `$${match}`);
 
    this.query = this.query.find(JSON.parse(queryStr));
    return this;
  }
 
  paginate() {
    const page = this.queryString.page * 1 || 1;
    const limit = this.queryString.limit * 1 || 100;
    const skip = (page - 1) * limit;
    this.query = this.query.skip(skip).limit(limit);
    return this;
  }
}

This allows you to handle requests like GET /api/products?price[gte]=100&page=2&limit=20 with just a few lines of code in your service layer.

Essential Tooling for 2025

Frequently Asked Questions

How do I build a RESTful API with Node.js and Express from scratch?

To build an API from scratch, initialize a Node.js project with npm init, install Express, and create an entry point file. You then define routes using app.get(), app.post(), etc., and use middleware to parse JSON and handle errors.

What is the difference between Node.js and Express.js in API development?

Node.js is the JavaScript runtime environment that allows you to run code on the server, while Express.js is a minimal web framework built on top of Node.js. Node.js provides the core networking capabilities, whereas Express simplifies routing, middleware integration, and request handling.

How to handle authentication and authorization in a Node.js REST API?

Authentication is typically handled using JSON Web Tokens (JWT) or session cookies through middleware like Passport.js or custom logic. Authorization is implemented by checking the user's role or permissions (extracted from the token) against the requirements of the specific route.

What are the best practices for structuring a Node.js Express project?

A best-practice structure uses a layered architecture, separating code into folders for Controllers, Services, Models (DAL), and Middleware. This separation of concerns ensures that business logic is isolated from the HTTP transport layer, making the codebase easier to test and maintain.

How do you connect a Node.js REST API to a MongoDB database?

You connect to MongoDB using the official MongoDB driver or an ODM like Mongoose. You establish a connection string in your environment variables and use a singleton pattern to ensure the database connection is shared across your application's service layer.

Conclusion

Building REST APIs with Node.js and Express has matured into a sophisticated discipline. The release of Express 5.0 marks a turning point where asynchronous patterns are finally first-class citizens, significantly reducing boilerplate and error-prone code. By combining this with Node.js 22’s native features—like the permission model and fetch API—and a strict three-layer architecture, developers can build systems that are not only performant but also resilient and secure.

As you move forward, prioritize contract-first design with OpenAPI and runtime validation with Zod. These tools ensure that as your API grows, it remains a reliable contract for your frontend and mobile consumers. The "Express way" in 2025 is about doing more with less: fewer dependencies, more native features, and cleaner, type-safe code.