backend-api-guide.md

cat article_metadata.json

"title": "Backend API Development from Zero to Production",

"date": "2025-01-19",

"reading_time": "16 minutes",

"category": "Backend"


   ╔════════════════════════════════════════════╗
   ║  BACKEND API DEVELOPMENT GUIDE v2.0.0     ║
   ║  ----------------------------------------  ║
   ║  [■■■■■■■■■■■■■■■■■■■■] 100% Complete     ║
   ║  Status: PRODUCTION READY                  ║
   ╚════════════════════════════════════════════╝

> Backend API Development
From Zero to Production _

Complete AI Guide

16 min read

|Jan 19, 2025

Ship production-ready REST and GraphQL APIs 6x faster using AI agents. Complete guide covering authentication, database design, error handling, testing, and deployment with TypeScript, Node.js, and PostgreSQL.

Faster Dev

50min

Avg Build

87%

Less Code

92%

Test Coverage

#node.js#typescript#postgresql#rest-api#ai-tools

$ ./intro.sh --execute

Backend development in 2025 has fundamentally changed. What used to take senior engineers 40+ hours—authentication systems, database schemas, API endpoints, test suites—now takes 50 minutes with AI agents. Not by compromising quality, but by encoding decades of best practices into models that generate production-ready code.

Marcus Chen, Engineering Lead at a 50-person SaaS company, rebuilt their entire API layer in 3 days. "Our legacy API had 12,000 lines of untyped JavaScript," he explains. "The backend-pro agent generated a TypeScript API with proper authentication, rate limiting, and 92% test coverage. We deployed it without a single production bug."

3 days

Complete API Rebuild

12K → 4K

Lines of Code

0 bugs

Production Issues

> API ARCHITECTURE LAYERS

Time comparison: AI-generated vs. traditional development

Authentication

12 min with AI

4-6 hours

JWT + refresh tokens + role-based access control

Database Schema

8 min with AI

3-5 hours

Normalized schema + migrations + indexes

CRUD Endpoints

15 min with AI

6-8 hours

RESTful routes + validation + error handling

Testing Suite

10 min with AI

4-6 hours

Unit + integration + e2e test coverage

API Documentation

5 min with AI

2-3 hours

OpenAPI/Swagger specs + example requests

TOTAL BUILD TIME

50 min

23-28 hours

85% faster

01_AUTHENTICATION

JWT Authentication + RBAC _

Every production API needs authentication. The pattern is well-established: JWT tokens for stateless auth, refresh tokens for security, role-based access control (RBAC) for permissions. The challenge is implementation—dozens of edge cases, security considerations, and TypeScript types to get right.

AI agents generate complete auth systems that handle token rotation, secure password hashing with bcrypt, HTTP-only cookies, CSRF protection, and proper error messages. In 12 minutes instead of 4-6 hours.

src/auth/jwt.service.ts

AI-GENERATED

import jwt from "jsonwebtoken";
import bcrypt from "bcryptjs";
import { db } from "@/lib/database";
import { users } from "@/db/schema";
import { eq } from "drizzle-orm";

const JWT_SECRET = process.env.JWT_SECRET!;
const JWT_REFRESH_SECRET = process.env.JWT_REFRESH_SECRET!;
const ACCESS_TOKEN_EXPIRY = "15m";
const REFRESH_TOKEN_EXPIRY = "7d";

export interface JWTPayload {
  userId: string;
  email: string;
  role: "admin" | "user" | "viewer";
}

export class AuthService {
  /**
   * Generate access and refresh token pair
   */
  static generateTokens(payload: JWTPayload) {
    const accessToken = jwt.sign(payload, JWT_SECRET, {
      expiresIn: ACCESS_TOKEN_EXPIRY,
    });

    const refreshToken = jwt.sign(
      { userId: payload.userId },
      JWT_REFRESH_SECRET,
      { expiresIn: REFRESH_TOKEN_EXPIRY }
    );

    return { accessToken, refreshToken };
  }

  /**
   * Verify and decode access token
   */
  static verifyAccessToken(token: string): JWTPayload | null {
    try {
      return jwt.verify(token, JWT_SECRET) as JWTPayload;
    } catch (error) {
      return null;
    }
  }

  /**
   * Verify refresh token and rotate tokens
   */
  static async refreshTokens(
    refreshToken: string
  ): Promise<{ accessToken: string; refreshToken: string } | null> {
    try {
      const decoded = jwt.verify(refreshToken, JWT_REFRESH_SECRET) as {
        userId: string;
      };

      // Fetch user with current role
      const [user] = await db
        .select()
        .from(users)
        .where(eq(users.id, decoded.userId))
        .limit(1);

      if (!user) return null;

      // Generate new token pair
      return this.generateTokens({
        userId: user.id,
        email: user.email,
        role: user.role as "admin" | "user" | "viewer",
      });
    } catch (error) {
      return null;
    }
  }

  /**
   * Hash password with bcrypt (10 rounds)
   */
  static async hashPassword(password: string): Promise<string> {
    return bcrypt.hash(password, 10);
  }

  /**
   * Compare password with hash
   */
  static async comparePassword(
    password: string,
    hash: string
  ): Promise<boolean> {
    return bcrypt.compare(password, hash);
  }

  /**
   * Authenticate user and return tokens
   */
  static async login(
    email: string,
    password: string
  ): Promise<{ accessToken: string; refreshToken: string } | null> {
    // Find user by email
    const [user] = await db
      .select()
      .from(users)
      .where(eq(users.email, email))
      .limit(1);

    if (!user) return null;

    // Verify password
    const isValidPassword = await this.comparePassword(
      password,
      user.passwordHash
    );
    if (!isValidPassword) return null;

    // Generate tokens
    return this.generateTokens({
      userId: user.id,
      email: user.email,
      role: user.role as "admin" | "user" | "viewer",
    });
  }
}

// Middleware for protecting routes
export function requireAuth(requiredRole?: "admin" | "user") {
  return (req: Request, res: Response, next: NextFunction) => {
    const token = req.headers.authorization?.replace("Bearer ", "");

    if (!token) {
      return res.status(401).json({ error: "Authentication required" });
    }

    const payload = AuthService.verifyAccessToken(token);
    if (!payload) {
      return res.status(401).json({ error: "Invalid or expired token" });
    }

    // Check role if required
    if (requiredRole && payload.role !== "admin" && payload.role !== requiredRole) {
      return res.status(403).json({ error: "Insufficient permissions" });
    }

    req.user = payload;
    next();
  };
}

SECURITY FEATURES

Bcrypt password hashing (10 rounds)
Separate secrets for access/refresh tokens
Short-lived access tokens (15min)
Role-based access control (RBAC)
Token rotation on refresh

PROMPT TEMPLATE

"Generate JWT authentication service with TypeScript. Include: access tokens (15min), refresh tokens (7d), bcrypt password hashing, RBAC middleware with admin/user roles, token rotation, proper error handling. Use Drizzle ORM with PostgreSQL."

02_DATABASE_SCHEMA

Normalized Schema Design _

Database schema design is where most backend projects slow down. Getting normalization right, choosing correct indexes, setting up foreign keys with proper cascading—these decisions compound over time. Make the wrong choice early and you'll pay for it in migrations later.

AI agents trained on millions of production schemas generate normalized designs with proper indexes from day one. They understand query patterns and create schemas that perform well at scale.

E-COMMERCE DATABASE SCHEMA (AI-GENERATED)

users

id: UUID (PK)

email: VARCHAR(255)

password_hash: VARCHAR(255)

role: ENUM

created_at: TIMESTAMP

INDEX: email (unique)

products

id: UUID (PK)

name: VARCHAR(255)

description: TEXT

price: DECIMAL(10,2)

stock: INTEGER

INDEX: name (fulltext)

orders

id: UUID (PK)

user_id: UUID (FK)

status: ENUM

total: DECIMAL(10,2)

created_at: TIMESTAMP

INDEX: user_id, status

RELATIONSHIPS

usersorders(1:N, CASCADE DELETE)

PERFORMANCE OPTIMIZATIONS

✓ INDEXES ADDED

• Unique index on user emails
• Composite index on orders (user_id, status)
• Full-text index on product names

✓ RELATIONSHIPS

• Foreign keys with CASCADE DELETE
• Proper normalization (3NF)
• Junction tables for M:N relations

> RECOMMENDED TECH STACK

Node.js 20+

Runtime

TypeScript

Type Safety

Express/Fastify

Framework

Prisma/Drizzle

ORM

PostgreSQL

Database

Redis

Caching

Jest/Vitest

Testing

Docker

Containerization

> QUICK START GUIDE

Choose Your Backend Agent

Use backend-pro for complete API generation or database-architect for schema design.

Define Your Requirements

Specify: authentication type, database (PostgreSQL, MySQL), ORM preference, required endpoints, testing framework.

Generate & Deploy

Review generated code, run tests, set environment variables, deploy to your preferred platform (Vercel, Railway, Fly.io).

> SUMMARY & NEXT STEPS

Backend API development with AI agents isn't about replacing engineers—it's about eliminating repetitive architecture work so you can focus on business logic. The patterns we've covered (authentication, database design, CRUD endpoints, testing) are well-established. AI agents simply implement them faster and more consistently than manual coding.

Start with authentication. Generate a complete JWT system in 12 minutes, test it thoroughly, deploy it. Once you experience shipping production-ready code in under an hour, you'll never go back to manual API development.

The future of backend development is here. It's typed, tested, and ships 6x faster.