Building Scalable APIs with Node.js
Building Scalable APIs with Node.js
Most APIs don't fail because of Node.js. They fail because of us.
We over-abstract too early, under-invest in observability, and treat "scale" as a problem we'll solve later. Then later arrives — at 3 AM, on a Saturday, during a product launch — and the API is returning 502s because a single database query is holding the event loop hostage.
I've spent years building and operating APIs that serve millions of requests across enterprise platforms. The patterns I'm sharing here aren't theoretical — they're scars.
The Uncomfortable Truth About Node.js at Scale
Node.js is single-threaded. You already know this. But do you design for it?
The event loop is your API's heartbeat. Every synchronous operation, every unoptimized query, every forgotten await is a potential cardiac arrest. At scale, the question isn't whether Node.js can handle the load — it's whether your code respects the runtime enough to let it.
Here's what I've learned: the best Node.js APIs aren't fast because of clever tricks. They're fast because they ruthlessly eliminate blocking work.
Architecture: Layers Are Not Optional
When I review failing APIs, they almost always share one trait — everything is in the route handler. Business logic tangled with database calls tangled with validation tangled with error formatting. It works at 100 requests per minute. It's unmaintainable at 100 requests per second.
The Layered Approach That Actually Works
Request → Router → Controller → Service → Repository → Database
↕
Domain Logic
- Routers own HTTP concerns: paths, methods, status codes. Nothing else.
- Controllers orchestrate — they call services, shape responses, handle HTTP-specific errors.
- Services contain business logic. They know nothing about HTTP. They could run in a CLI, a queue worker, or a test harness without a single change.
- Repositories abstract data access. Today it's PostgreSQL. Tomorrow it's a different store. Your service layer shouldn't care.
This isn't over-engineering. It's survival engineering. When your API handles 50 endpoints and 3 developers are pushing changes daily, the alternative is chaos.
The Middleware Pipeline
Cross-cutting concerns — authentication, rate limiting, request logging, correlation IDs — belong in middleware. Not scattered across handlers.
But here's a nuance most teams miss: middleware order matters more than middleware logic. Put your rate limiter before your auth check. Put your request logger before everything. Put your error handler last. Get this wrong and you'll spend days debugging why authenticated users are hitting rate limits they shouldn't, or why errors are swallowed silently.
Error Handling: The Part Everyone Gets Wrong
Here's a pattern I see constantly:
app.get('/users/:id', async (req, res) => {
try {
const user = await db.findUser(req.params.id);
res.json(user);
} catch (err) {
res.status(500).json({ error: 'Something went wrong' });
}
});
This is not error handling. This is error hiding.
Build a Typed Error Hierarchy
class AppError extends Error {
constructor(
public statusCode: number,
public code: string,
message: string,
public isOperational = true
) {
super(message);
}
}
class NotFoundError extends AppError {
constructor(resource: string, id: string) {
super(404, 'RESOURCE_NOT_FOUND', `${resource} with id '${id}' not found`);
}
}
class RateLimitError extends AppError {
constructor(retryAfter: number) {
super(429, 'RATE_LIMIT_EXCEEDED', `Rate limit exceeded. Retry after ${retryAfter}s`);
}
}
The Global Error Handler
function errorHandler(err: Error, req: Request, res: Response, next: NextFunction) {
if (err instanceof AppError && err.isOperational) {
return res.status(err.statusCode).json({
error: { code: err.code, message: err.message }
});
}
// This is a programmer error — log it, alert on it, don't expose it
logger.error('Unhandled error', {
error: err.message,
stack: err.stack,
path: req.path,
correlationId: req.headers['x-correlation-id']
});
res.status(500).json({
error: { code: 'INTERNAL_ERROR', message: 'An unexpected error occurred' }
});
}
The distinction between operational errors (bad input, missing resources, rate limits) and programmer errors (null references, type mismatches) is critical. Operational errors are expected — handle them gracefully. Programmer errors are bugs — log them loudly, fix them immediately.
Performance: What Actually Moves the Needle
I've profiled dozens of Node.js APIs in production. Here's what matters, ranked by impact:
1. Database Query Optimization (Biggest Impact)
Your API is almost certainly I/O-bound, not CPU-bound. The single biggest performance gain comes from fixing your queries.
- Use connection pooling. Creating a new database connection per request is a silent performance killer. A pool of 10–20 connections will outperform 1,000 on-demand connections every time.
- Add indexes deliberately. Don't index everything. Index the fields you actually filter and sort on. Use
EXPLAIN ANALYZEregularly. - Paginate everything. If an endpoint can return unbounded results, it will — and it'll take the database down with it.
- N+1 queries are the #1 API performance bug. If you're fetching a list of users and then querying each user's orders individually, you've already lost.
2. Caching Strategy
Not all caching is equal. Be intentional:
- Application-level cache (Redis/Memcached): For frequently-read, rarely-changed data. User profiles, configuration, feature flags.
- HTTP caching (Cache-Control headers): Let CDNs and browsers do the work. Most teams under-use this.
- Query result caching: Cache expensive aggregations, not simple lookups. The overhead of cache management should be less than the cost of the query.
Cache invalidation is hard. Accept this. Use TTL-based expiration for most things. Use event-driven invalidation only when staleness is genuinely unacceptable.
3. Streaming and Backpressure
For large payloads — file exports, bulk data transfers, log streaming — never buffer the entire response in memory.
app.get('/export/users', async (req, res) => {
res.setHeader('Content-Type', 'application/json');
res.write('[');
const cursor = db.collection('users').find().stream();
let first = true;
cursor.on('data', (doc) => {
if (!first) res.write(',');
res.write(JSON.stringify(doc));
first = false;
});
cursor.on('end', () => {
res.write(']');
res.end();
});
});
This handles millions of records with constant memory usage. Buffering would crash the process.
4. Concurrency Control
Node.js handles concurrency beautifully — until you accidentally serialize everything:
// ❌ Sequential — takes 3 seconds
const users = await getUsers();
const orders = await getOrders();
const analytics = await getAnalytics();
// ✅ Concurrent — takes 1 second
const [users, orders, analytics] = await Promise.all([
getUsers(),
getOrders(),
getAnalytics()
]);
Use Promise.all for independent operations. Use Promise.allSettled when you need partial results even if some calls fail. Use p-limit or semaphores when you need to cap concurrency to avoid overwhelming downstream services.
Observability: You Can't Scale What You Can't See
Logging alone isn't observability. You need three pillars:
- Structured logging — JSON logs with correlation IDs, request metadata, and timing. Not
console.log('here'). - Metrics — Request rate, error rate, latency percentiles (p50, p95, p99). Not averages — averages lie.
- Distributed tracing — When a request touches 5 services, you need to see the full picture. OpenTelemetry is the standard. Use it.
The Health Check That Actually Helps
app.get('/health', async (req, res) => {
const checks = await Promise.allSettled([
db.ping().then(() => ({ db: 'ok' })),
redis.ping().then(() => ({ cache: 'ok' })),
]);
const status = checks.every(c => c.status === 'fulfilled') ? 200 : 503;
const details = Object.assign({}, ...checks.map(c =>
c.status === 'fulfilled' ? c.value : { [c.reason?.service]: 'degraded' }
));
res.status(status).json({ status: status === 200 ? 'healthy' : 'degraded', ...details });
});
A health check that always returns 200 is worse than no health check at all. It gives you false confidence while your database is on fire.
Security: The Non-Negotiables
Scalable doesn't mean anything if it's not secure:
- Rate limit aggressively. Per-IP, per-user, per-endpoint. Use sliding windows, not fixed.
- Validate all input. Use schemas (Zod, Joi) at the boundary. Trust nothing from the client.
- Use helmet. It sets security headers in one line. There's no excuse not to.
- Never log sensitive data. Mask tokens, passwords, PII in your structured logs.
- Use parameterized queries. SQL injection is a solved problem. Don't re-introduce it.
The Architecture Decision That Changes Everything
Here's the most important thing I've learned: the best API architecture is the one your team can operate at 2 AM.
It's not about microservices vs. monolith. It's not about GraphQL vs. REST. It's about whether your team can deploy with confidence, diagnose issues quickly, and recover from failures gracefully.
Start with a well-structured monolith. Measure everything. Extract services only when you have evidence that a specific bounded context needs independent scaling or deployment. Most teams extract too early, creating distributed monoliths that are harder to operate than the monolith they replaced.
Conclusion
Building scalable Node.js APIs isn't about knowing the latest framework or the most clever optimization trick. It's about discipline:
- Separate concerns so your codebase can evolve without breaking.
- Handle errors explicitly so failures are visible and recoverable.
- Optimize with data so you're solving real bottlenecks, not imagined ones.
- Observe everything so you know what's happening before your users tell you.
The best APIs I've worked on weren't impressive because of their technology choices. They were impressive because they were boring — predictable, well-structured, easy to debug, and quietly handling millions of requests while the team slept soundly.
That's the goal. Build boring APIs that scale.