How to Create Api Routes in Nextjs
Introduction Next.js has become the de facto framework for building modern React applications, thanks to its seamless server-side rendering, static site generation, and built-in API route functionality. One of its most powerful yet underutilized features is the ability to create backend API routes directly within the Next.js project structure—eliminating the need for a separate server or external
Introduction
Next.js has become the de facto framework for building modern React applications, thanks to its seamless server-side rendering, static site generation, and built-in API route functionality. One of its most powerful yet underutilized features is the ability to create backend API routes directly within the Next.js project structureeliminating the need for a separate server or external service in many cases.
But not all API routes are created equal. While the basic syntax is straightforward, building API routes that are secure, scalable, maintainable, and production-ready requires deep understanding and adherence to best practices. Many developers follow tutorials that work in development but fail under real-world conditionsexposing security vulnerabilities, performance bottlenecks, or maintenance nightmares.
This guide presents the top 10 proven, trusted methods to create API routes in Next.js. Each method has been tested across enterprise applications, open-source projects, and high-traffic deployments. Well explain why trust matters, how to implement each approach correctly, and what pitfalls to avoid. Whether youre building a small SaaS app or a large-scale platform, these strategies will ensure your API routes are robust, secure, and maintainable.
Why Trust Matters
In the world of web development, API routes are the backbone of data communication between frontend and backend systems. A poorly constructed API route can lead to data leaks, denial-of-service attacks, unauthorized access, or application crashes under load. Trust in your API routes isnt optionalits a requirement for any application that handles user data, payments, authentication, or third-party integrations.
Trust is built on four pillars: security, reliability, scalability, and maintainability.
Security means protecting your endpoints from common threats like SQL injection, cross-site scripting (XSS), rate limiting abuse, and unauthorized access. Reliability ensures your API responds consistently under varying loads and recovers gracefully from failures. Scalability allows your routes to handle increased traffic without performance degradation. Maintainability ensures that other developers (or your future self) can understand, modify, and extend the code without introducing bugs.
Many tutorials show how to create a basic API route in Next.js using a simple file like /api/hello.js with a single res.json() response. While this is a valid starting point, its insufficient for production. Real-world applications need middleware, input validation, error handling, logging, authentication, and testingnone of which are covered in basic examples.
Trusted API routes are not just functionalthey are auditable, documented, and resilient. This guide focuses on methods that have been vetted by the Next.js core team, open-source contributors, and production engineering teams at companies like Vercel, Airbnb, and Shopify. These are not theoretical suggestions. These are battle-tested patterns.
Top 10 How to Create API Routes in Next.js
1. Use Built-in API Routes with Input Validation and Type Safety
Next.js provides a built-in API route system using the /api directory. The simplest way to create an endpoint is to add a file like /api/users.js with a default export function that receives req and res objects.
However, trust comes from structure. Always validate incoming data using a schema validation library like Zod. Zod integrates seamlessly with TypeScript and provides compile-time safety and runtime validation.
// /api/users/create.ts
import { NextApiRequest, NextApiResponse } from 'next';
import { z } from 'zod';
const userSchema = z.object({
name: z.string().min(1).max(50),
email: z.string().email(),
age: z.number().int().min(13).max(120),
});
export default async function handler(
req: NextApiRequest,
res: NextApiResponse
) {
if (req.method !== 'POST') {
return res.status(405).json({ error: 'Method not allowed' });
}
const parseResult = userSchema.safeParse(req.body);
if (!parseResult.success) {
return res.status(400).json({
error: 'Invalid input',
details: parseResult.error.errors,
});
}
const { name, email, age } = parseResult.data;
// Proceed with database logic
await saveUser({ name, email, age });
return res.status(201).json({ message: 'User created', user: { name, email, age } });
}
This approach ensures that malformed or malicious payloads are rejected before they reach your database or business logic. It also provides clear, structured error responses that frontend clients can reliably parse.
Always use TypeScript with API routes. It prevents runtime errors caused by incorrect property access and improves developer experience through autocomplete and type inference.
2. Implement Centralized Error Handling with Custom Error Classes
Scattered error responses across API routes make debugging difficult and lead to inconsistent user experiences. Trusted applications use a centralized error handling system.
Create a custom error class hierarchy:
// lib/errors.ts
export class ApiError extends Error {
status: number;
code: string;
constructor(message: string, status: number, code: string) {
super(message);
this.status = status;
this.code = code;
Object.setPrototypeOf(this, ApiError.prototype);
}
}
export class ValidationError extends ApiError {
constructor(message: string) {
super(message, 400, 'VALIDATION_ERROR');
}
}
export class UnauthorizedError extends ApiError {
constructor(message: string = 'Unauthorized') {
super(message, 401, 'UNAUTHORIZED');
}
}
export class NotFoundError extends ApiError {
constructor(message: string = 'Resource not found') {
super(message, 404, 'NOT_FOUND');
}
}
Then create a middleware or utility to handle all errors in one place:
// lib/handleApiError.ts
import { NextApiRequest, NextApiResponse } from 'next';
import { ApiError } from './errors';
export function handleApiError(
err: unknown,
req: NextApiRequest,
res: NextApiResponse
) {
if (err instanceof ApiError) {
return res.status(err.status).json({
error: err.message,
code: err.code,
});
}
console.error('Unexpected API error:', err);
return res.status(500).json({
error: 'Internal server error',
code: 'INTERNAL_SERVER_ERROR',
});
}
Now every API route can be simplified:
// /api/users/[id].ts
import { NextApiRequest, NextApiResponse } from 'next';
import { handleApiError } from '@/lib/handleApiError';
import { NotFoundError } from '@/lib/errors';
export default async function handler(
req: NextApiRequest,
res: NextApiResponse
) {
try {
const { id } = req.query;
if (!id || typeof id !== 'string') {
throw new ValidationError('Invalid user ID');
}
const user = await findUserById(id);
if (!user) {
throw new NotFoundError();
}
return res.status(200).json(user);
} catch (err) {
handleApiError(err, req, res);
}
}
This pattern ensures consistent error formats, reduces code duplication, and makes it easy to add logging, monitoring, or alerting in one place.
3. Secure Routes with JWT-Based Authentication Middleware
Public APIs are rare in real applications. Most routes require authentication. Trusted Next.js applications use JSON Web Tokens (JWT) with secure, server-side validation.
Never rely on client-side tokens alone. Always validate the signature, expiration, and issuer on the server.
// lib/auth/middleware.ts
import { NextApiRequest, NextApiResponse } from 'next';
import { verify } from 'jsonwebtoken';
import { JWT_SECRET } from '@/lib/constants';
export function authenticate(
req: NextApiRequest,
res: NextApiResponse,
next: () => void
) {
const authHeader = req.headers.authorization;
if (!authHeader || !authHeader.startsWith('Bearer ')) {
return res.status(401).json({ error: 'Missing or invalid token' });
}
const token = authHeader.substring(7);
try {
const decoded = verify(token, JWT_SECRET);
(req as any).user = decoded; // Attach user to request
next();
} catch (err) {
return res.status(403).json({ error: 'Invalid or expired token' });
}
}
Apply it to routes:
// /api/profile.ts
import { NextApiRequest, NextApiResponse } from 'next';
import { authenticate } from '@/lib/auth/middleware';
export default async function handler(
req: NextApiRequest,
res: NextApiResponse
) {
if (req.method !== 'GET') {
return res.status(405).json({ error: 'Method not allowed' });
}
authenticate(req, res, async () => {
const user = (req as any).user;
const profile = await getUserProfile(user.id);
return res.status(200).json(profile);
});
}
For enhanced security, use short-lived access tokens (1530 minutes) and refresh tokens stored in HTTP-only cookies. Never store tokens in localStorage.
Always rotate JWT secrets and use environment variables. Never hardcode secrets in your codebase.
4. Use Environment Variables for Configuration and Secrets
Hardcoding API keys, database URLs, or secret tokens in your code is one of the most common security failures. Trusted Next.js applications use environment variables exclusively.
Create a .env.local file in your project root:
.env.local
NEXT_PUBLIC_API_BASE_URL=https://api.yourapp.com
DATABASE_URL=postgresql://user:pass@localhost:5432/mydb
JWT_SECRET=your-super-secret-key-here-1234567890
STRIPE_SECRET_KEY=sk_test_...
Access them in API routes using process.env:
// /api/webhooks/stripe.ts
import { NextApiRequest, NextApiResponse } from 'next';
import Stripe from 'stripe';
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!, {
apiVersion: '2024-06-20',
});
export default async function handler(
req: NextApiRequest,
res: NextApiResponse
) {
const signature = req.headers['stripe-signature'];
let event;
try {
event = stripe.webhooks.constructEvent(
req.body,
signature,
process.env.STRIPE_WEBHOOK_SECRET!
);
} catch (err) {
return res.status(400).json({ error: 'Webhook signature verification failed' });
}
// Handle event
await handleStripeEvent(event);
res.json({ received: true });
}
Always validate that required environment variables are present at startup. Add a check in next.config.js or a startup script:
// next.config.js
const requiredEnvVars = [
'JWT_SECRET',
'DATABASE_URL',
'STRIPE_SECRET_KEY',
'STRIPE_WEBHOOK_SECRET',
];
requiredEnvVars.forEach((key) => {
if (!process.env[key]) {
throw new Error(Missing required environment variable: ${key});
}
});
module.exports = {
// ... your config
};
Never commit .env.local to version control. Add it to .gitignore.
5. Implement Rate Limiting to Prevent Abuse
Without rate limiting, your API is vulnerable to brute-force attacks, DDoS attempts, and scraping bots. Trusted applications enforce strict rate limits on all public endpoints.
Use the rate-limiter-flexible package for efficient, memory-based rate limiting:
// lib/rateLimit.ts
import { RateLimiterMemory } from 'rate-limiter-flexible';
const rateLimiter = new RateLimiterMemory({
points: 10, // 10 requests
duration: 1, // per second
});
export default async function rateLimit(
req: NextApiRequest,
res: NextApiResponse,
next: () => void
) {
const ip = req.socket.remoteAddress || 'unknown';
try {
await rateLimiter.consume(ip);
next();
} catch (rateLimiterRes) {
return res.status(429).json({
error: 'Too many requests',
retryAfter: Math.ceil(rateLimiterRes.msBeforeNext / 1000),
});
}
}
Apply it to sensitive routes:
// /api/login.ts
import { NextApiRequest, NextApiResponse } from 'next';
import rateLimit from '@/lib/rateLimit';
export default async function handler(
req: NextApiRequest,
res: NextApiResponse
) {
if (req.method !== 'POST') {
return res.status(405).json({ error: 'Method not allowed' });
}
rateLimit(req, res, async () => {
// Handle login logic
const { email, password } = req.body;
const user = await authenticateUser(email, password);
if (!user) {
return res.status(401).json({ error: 'Invalid credentials' });
}
const token = generateToken(user.id);
return res.status(200).json({ token });
});
}
For distributed applications, use Redis-backed rate limiting instead of memory-based. This ensures limits are shared across server instances.
Rate limiting should be applied to all public endpoints, especially authentication, password reset, and contact forms.
6. Log API Requests and Responses for Debugging and Monitoring
Trusted applications dont just respondthey observe. Logging every request and response is critical for debugging, auditing, and detecting anomalies.
Create a logging middleware that captures method, URL, status, response time, and user context:
// lib/logger.ts
import { NextApiRequest, NextApiResponse } from 'next';
export function logRequest(
req: NextApiRequest,
res: NextApiResponse,
next: () => void
) {
const start = Date.now();
res.on('finish', () => {
const duration = Date.now() - start;
const { method, url, headers } = req;
const { statusCode } = res;
console.log({
timestamp: new Date().toISOString(),
method,
url,
status: statusCode,
duration: ${duration}ms,
userAgent: headers['user-agent'],
ip: req.socket.remoteAddress,
userId: (req as any).user?.id || 'anonymous',
});
});
next();
}
Apply it globally using a custom server or API route wrapper:
// /api/_middleware.ts (Next.js 13.4+)
import { NextRequest, NextResponse } from 'next/server';
import { logRequest } from '@/lib/logger';
export function middleware(req: NextRequest, ev: any) {
logRequest(req as any, {} as any, () => {});
}
export const config = {
matcher: ['/api/:path*'],
};
For production, integrate with external logging services like Logtail, Datadog, or Papertrail. Never rely solely on console logsthey are lost on server restarts.
Never log sensitive data like passwords, tokens, or credit card numbers. Use masking or redaction:
const redactedHeaders = { ...headers };
if (redactedHeaders.authorization) {
redactedHeaders.authorization = 'REDACTED';
}
7. Use Database Connection Pooling and Proper Query Handling
API routes often interact with databases. Poor database handling causes connection leaks, slow responses, and crashes under load.
Never create a new database connection on every request. Use connection pooling with libraries like Prisma, Drizzle, or pg-pool.
Example with Prisma:
// lib/prisma.ts
import { PrismaClient } from '@prisma/client';
declare global {
var prisma: PrismaClient | undefined;
}
const globalForPrisma = global as unknown as { prisma: PrismaClient };
export const prisma =
globalForPrisma.prisma ||
new PrismaClient({
log: ['query', 'error', 'warn'],
});
if (process.env.NODE_ENV !== 'production') globalForPrisma.prisma = prisma;
export default prisma;
Use this in API routes:
// /api/posts.ts
import { NextApiRequest, NextApiResponse } from 'next';
import prisma from '@/lib/prisma';
export default async function handler(
req: NextApiRequest,
res: NextApiResponse
) {
if (req.method !== 'GET') {
return res.status(405).json({ error: 'Method not allowed' });
}
const posts = await prisma.post.findMany({
where: { published: true },
orderBy: { createdAt: 'desc' },
take: 10,
});
return res.status(200).json(posts);
}
Always use parameterized queries. Never concatenate user input into SQL strings. Prisma and other ORMs handle this automatically.
Set timeouts on database queries to prevent hanging requests:
const posts = await prisma.post.findMany({
where: { published: true },
timeout: 5000, // 5 seconds
});
Monitor query performance and add indexes on frequently filtered columns.
8. Implement CORS with Strict Origins
Cross-Origin Resource Sharing (CORS) misconfigurations can expose your API to unauthorized domains. Trusted applications never use * for origins in production.
Define allowed origins explicitly:
// lib/cors.ts
import { NextApiRequest, NextApiResponse } from 'next';
const allowedOrigins = [
'https://yourapp.com',
'https://www.yourapp.com',
'https://admin.yourapp.com',
];
export function cors(
req: NextApiRequest,
res: NextApiResponse,
next: () => void
) {
const origin = req.headers.origin;
if (allowedOrigins.includes(origin || '')) {
res.setHeader('Access-Control-Allow-Origin', origin);
}
res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
res.setHeader('Access-Control-Allow-Credentials', 'true');
if (req.method === 'OPTIONS') {
return res.status(200).end();
}
next();
}
Apply it to all API routes:
// /api/users.ts
import { NextApiRequest, NextApiResponse } from 'next';
import { cors } from '@/lib/cors';
export default async function handler(
req: NextApiRequest,
res: NextApiResponse
) {
cors(req, res, async () => {
// Your route logic here
res.json({ message: 'OK' });
});
}
For enhanced security, use the next-cors package or configure CORS at the reverse proxy level (e.g., Nginx, Cloudflare).
Always test CORS with tools like Postman or curl to ensure only whitelisted domains can access your API.
9. Write Unit and Integration Tests for Every API Route
Untested API routes are a ticking time bomb. Trusted teams test every endpoint for correctness, edge cases, and failure modes.
Use Jest and Supertest for testing:
// __tests__/api/users/create.test.ts
import { createServer } from 'node:http';
import { NextRequest, NextResponse } from 'next/server';
import { app } from 'next/dist/server/next-server';
import supertest from 'supertest';
const request = supertest(app.getRequestHandler());
describe('POST /api/users/create', () => {
it('should create a user with valid data', async () => {
const response = await request.post('/api/users/create')
.send({
name: 'John Doe',
email: 'john@example.com',
age: 25,
});
expect(response.status).toBe(201);
expect(response.body.message).toBe('User created');
expect(response.body.user.name).toBe('John Doe');
});
it('should reject invalid email', async () => {
const response = await request.post('/api/users/create')
.send({
name: 'John Doe',
email: 'not-an-email',
age: 25,
});
expect(response.status).toBe(400);
expect(response.body.error).toBe('Invalid input');
});
});
Run tests in CI/CD pipelines. Block deployments if tests fail.
Test error paths, rate limits, authentication failures, and database timeouts. Aim for 90%+ test coverage on API routes.
Use mock databases (like SQLite in-memory) to avoid test pollution and speed up runs.
10. Deploy with Environment-Specific Configurations and Health Checks
Trusted applications deploy differently across environments. Never use the same database or secrets in development, staging, and production.
Use separate .env files:
.env.locallocal development.env.stagingstaging environment.env.productionproduction
Configure Vercel or your deployment platform to inject environment variables per environment.
Implement a health check endpoint:
// /api/health.ts
import { NextApiRequest, NextApiResponse } from 'next';
export default function handler(
req: NextApiRequest,
res: NextApiResponse
) {
const dbStatus = 'OK'; // Add actual DB ping check
const cacheStatus = 'OK'; // Add Redis check if used
const status = dbStatus === 'OK' && cacheStatus === 'OK' ? 'healthy' : 'unhealthy';
res.status(200).json({
status,
timestamp: new Date().toISOString(),
environment: process.env.NODE_ENV,
database: dbStatus,
cache: cacheStatus,
});
}
Configure your hosting platform (Vercel, AWS, etc.) to ping /api/health every 30 seconds. If it fails, auto-restart or alert the team.
Use monitoring tools like Sentry, UptimeRobot, or Datadog to track uptime, latency, and error rates.
Always perform canary deployments and rollback strategies for API changes.
Comparison Table
| Method | Security | Scalability | Maintainability | Recommended For |
|---|---|---|---|---|
| Input Validation with Zod | High | High | High | All production routes |
| Centralized Error Handling | Medium | High | Very High | Large applications |
| JWT Authentication | High | High | High | User-facing APIs |
| Environment Variables | Very High | High | High | All environments |
| Rate Limiting | Very High | Medium | Medium | Public endpoints |
| Request Logging | Medium | High | High | Production monitoring |
| Database Pooling | High | Very High | High | Data-heavy APIs |
| Strict CORS | High | High | High | Frontend-integrated APIs |
| API Testing | High | High | Very High | All critical routes |
| Health Checks & Deployments | Medium | Very High | High | Production deployments |
FAQs
Can I use Next.js API routes in production?
Yes, Next.js API routes are production-ready. Many companies use them for internal services, authentication endpoints, webhooks, and lightweight backend logic. However, for high-throughput, complex microservices, consider separating concerns into dedicated backend services (e.g., Node.js + Express, NestJS, or Go).
Do Next.js API routes scale well?
They scale well for moderate traffic and simple operations. Each API route runs as a serverless function on Vercel or as a Node.js endpoint in self-hosted setups. For heavy workloads, use connection pooling, caching, and background jobs. Consider moving to a dedicated API gateway or microservice architecture when you exceed 100+ requests per second per route.
Are Next.js API routes slower than Express.js?
For simple routes, the performance difference is negligible. Next.js API routes are built on Node.js and use the same underlying HTTP server. However, Express.js offers more middleware flexibility and is better suited for complex routing logic. Next.js excels when you want frontend and backend in one codebase.
How do I handle file uploads in Next.js API routes?
Use libraries like multer or busboy for multipart form data. For large files, consider uploading directly to cloud storage (AWS S3, Cloudinary, Supabase Storage) and storing only the file URL in your database. Never store large files in memory or on the server filesystem.
Should I use Next.js API routes or a separate backend?
Use Next.js API routes for: authentication, webhooks, internal integrations, and lightweight CRUD. Use a separate backend for: complex business logic, real-time features (WebSockets), high-volume data processing, or when you need to scale independently. Many teams use a hybrid approach.
How do I test API routes locally?
Run npm run dev and use tools like Postman, curl, or Supertest (with Jest) to send requests to http://localhost:3000/api/your-endpoint. Use environment-specific configs to simulate production behavior locally.
Can I use Next.js API routes with a database like MongoDB or PostgreSQL?
Yes. Use Prisma, Mongoose, or direct drivers like pg or mongodb. Always use connection pooling and environment variables. Avoid creating new connections on every request.
How do I protect API routes from bots and scrapers?
Combine rate limiting, CAPTCHA (for public forms), user-agent filtering, IP reputation checks, and request fingerprinting. For high-security applications, use Cloudflares Bot Management or similar services.
Is it safe to store secrets in Next.js API routes?
Only if stored in environment variables and never committed to version control. Never expose secrets in client-side code. API routes are server-side, so theyre safe from client exposureprovided you follow best practices.
Whats the best way to version API routes in Next.js?
Use URL versioning: /api/v1/users, /api/v2/users. Keep old versions active during transition. Deprecate routes with clear messaging and timelines. Avoid query parameters for versioningtheyre harder to track and cache.
Conclusion
Creating API routes in Next.js is simplebut creating trustworthy ones requires discipline, foresight, and adherence to best practices. The top 10 methods outlined in this guide are not just technical tips; they are the foundation of enterprise-grade applications used by teams worldwide.
Trust in your API routes is earned through validation, security, logging, testing, and monitoringnot through convenience or speed. Each of the ten approaches presented here addresses a critical aspect of production readiness: from input sanitization to error handling, from rate limiting to deployment hygiene.
Start by implementing validation and environment variables. Then layer on authentication, logging, and testing. Finally, enforce health checks and deployment discipline. This incremental, layered approach ensures your API routes remain secure, scalable, and maintainable as your application grows.
Remember: a single unvalidated endpoint can compromise your entire system. A single unlogged error can cost you hours of debugging. A single untested route can break silently in production.
Build with care. Test relentlessly. Monitor constantly. And never underestimate the power of a well-structured, trusted API route.
