🔵 Build Real Projects — Guide 2 of 8
Claude Code | Intermediate | 50 min

Build a REST API with Claude Code

Create a production-ready REST API with authentication, validation, and database persistence. Deploy it and use it from any frontend.

What you will build
A deployed REST API with CRUD operations, auth, and API documentation

Choosing your stack: Next.js API routes vs Express vs Hono

This guide uses Next.js API routes because they deploy to Vercel with zero configuration and you can add a frontend later without a separate project. But the principles apply to any backend. Claude Code is equally proficient with Express, Fastify, Hono, and other Node.js frameworks. Ask Claude Code to scaffold: "Create a Next.js project with API routes for a task management app. I need CRUD endpoints: GET /api/tasks, GET /api/tasks/[id], POST /api/tasks, PUT /api/tasks/[id], DELETE /api/tasks/[id]. Use Zod for request validation and return proper HTTP status codes. Start with an in-memory store — we will add a database next."

Adding a real database with Drizzle and SQLite

In-memory data disappears on restart. Let us add persistence. Say: "Replace the in-memory store with a SQLite database using Drizzle ORM. Create a schema for tasks with id, title, description, status (todo/in-progress/done), createdAt, and updatedAt. Write a migration script." Claude Code will install drizzle-orm and better-sqlite3, create the schema file, write the migration, and update all your API routes to use database queries instead of array operations. Test every endpoint with curl or a tool like Insomnia. The API should persist data across server restarts.

Authentication with API keys and JWT

Production APIs need authentication. Ask Claude Code: "Add API key authentication. Create a /api/auth/register endpoint that accepts an email and returns an API key. Create a /api/auth/login endpoint that accepts an API key and returns a JWT. Protect all /api/tasks endpoints — they should require a valid JWT in the Authorization header. Return 401 for missing tokens and 403 for invalid ones." Claude Code will implement the full auth flow with proper token signing, verification, and error handling. Test the flow: register, get your key, login, get your JWT, use it to access tasks.

Input validation, error handling, and rate limiting

Next, harden the API for production. Say: "Add comprehensive error handling: catch all unhandled errors and return a consistent error format with status, message, and details fields. Add rate limiting — 100 requests per minute per API key. Add input validation that returns helpful error messages when requests are malformed, like specifying which fields are invalid and why." Claude Code adds middleware for error handling and rate limiting, and enhances the Zod schemas with descriptive error messages. The result is an API that is safe to expose to the internet.
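
To review what such rate-limiting middleware should do, here is a sliding-window limiter for the "100 requests per minute per API key" rule that returns rejections in the status/message/details error shape. It is an added example, not code from this guide or generated by Claude Code; createRateLimiter, check, prune, keyId and the demo values are hypothetical names and constructed inputs.

```javascript
// Added example: sliding-window rate limiter, 100 requests per minute per API key.
// All names (createRateLimiter, check, prune, keyId) are hypothetical, not from the guide.
function createRateLimiter({ limit = 100, windowMs = 60000, now = Date.now } = {}) {
  const hits = new Map(); // keyId -> ascending timestamps of requests still inside the window

  function prune(t = now()) {
    // Drop keys whose newest request has left the window, so idle clients do not grow the map.
    for (const [keyId, stamps] of hits) {
      if (stamps.length === 0 || stamps[stamps.length - 1] <= t - windowMs) hits.delete(keyId);
    }
  }

  function check(keyId) {
    const t = now();
    const cutoff = t - windowMs;
    const stamps = (hits.get(keyId) || []).filter((s) => s > cutoff);
    if (stamps.length >= limit) {
      hits.set(keyId, stamps); // rejected requests are not counted against the budget
      // The oldest hit leaves the window first; that is when one slot frees up.
      const retryAfterSec = Math.ceil((stamps[0] + windowMs - t) / 1000);
      return {
        allowed: false, status: 429,
        headers: { 'Retry-After': String(retryAfterSec) },
        // Same error shape the guide asks for: status, message, details.
        body: { status: 429, message: 'Rate limit exceeded', details: { limit, windowMs, retryAfterSec } },
      };
    }
    stamps.push(t);
    hits.set(keyId, stamps);
    return { allowed: true, status: 200, headers: { 'X-RateLimit-Remaining': String(limit - stamps.length) } };
  }

  return { check, prune, size: () => hits.size };
}

// Constructed demo: a fake clock, 100 allowed calls, then a rejected one.
function demo() {
  let t = 0;
  const rl = createRateLimiter({ now: () => t });
  for (let i = 0; i < 100; i++) rl.check('key-A');
  const blocked = rl.check('key-A'); // 101st request inside the same minute
  const other = rl.check('key-B');   // a different key has its own budget
  t = 60000;                         // one full window later
  const again = rl.check('key-A');
  return { blocked: blocked.status, other: other.allowed, again: again.allowed };
}
```

In-memory counters are per process: on Vercel each function instance keeps its own map, so a deployed API needs a shared store behind the same check logic to enforce one global limit.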

Auto-generating API documentation

Ask Claude Code: "Generate an OpenAPI 3.0 specification for all API endpoints. Include request and response schemas, authentication requirements, and example values. Create a /api/docs page that renders the spec with Swagger UI." Claude Code will create the OpenAPI spec matching your actual endpoints and mount Swagger UI at /api/docs. This gives you interactive API documentation that stays in sync with your code. Clients can try endpoints directly from the docs page.

Deploying and testing in production

Deploy the same way as the blog: push to GitHub, connect to Vercel. For SQLite in production, you will need to either use Turso (a hosted SQLite service) or switch to PostgreSQL with Neon. Ask Claude Code: "Switch the database from local SQLite to Turso. Use their libsql client. Configure environment variables for the database URL and auth token." After deploying, test every endpoint against the production URL. You now have a production REST API that any frontend, mobile app, or integration can use.

Related Lesson

APIs and Backend Development

This guide is hands-on and practical. The full curriculum covers the conceptual foundations in depth with structured lessons and quizzes.