Best Express.js Boilerplates 2026: API Starters
Express.js: Still the Node.js Standard
Express.js downloads exceed 100 million per week in 2026. Despite newer alternatives like Fastify, Hono, and Elysia, Express remains the default choice for Node.js APIs because of its simplicity, middleware ecosystem, and the sheer number of tutorials, Stack Overflow answers, and examples available.
For most developers, the question isn't whether to use Express — it's which boilerplate to start from.
Quick Comparison
| Starter | Price | Auth | DB | Testing | TypeScript | Best For |
|---|---|---|---|---|---|---|
| express-generator | Free | ❌ | ❌ | ❌ | ❌ | Official minimal scaffold |
| MERN Boilerplate | Free | JWT | MongoDB | Jest | ✅ Optional | Full-stack MERN apps |
| node-express-boilerplate | Free | JWT | PostgreSQL | Jest | ✅ | Production REST APIs |
| Hackathon Starter | Free | 10+ OAuth | MongoDB | Mocha | ❌ | Rapid prototyping |
| express-typescript | Free | JWT | PostgreSQL | Vitest | ✅ | TypeScript APIs |
The Starters
express-generator — Official Scaffold
Price: Free | Creator: Express team
The official Express application generator. Generates routing, middleware, view engine (Pug/EJS/Handlebars), and directory structure. No auth, no database, no testing — just a clean Express foundation.
npx express-generator --view=ejs myapp
cd myapp && npm install && npm start
Choose if: You want the absolute minimum Express starting point.
node-express-boilerplate — Best Production REST API
Price: Free (MIT) | Creator: hagopj13
A production-ready Node.js REST API boilerplate with Express, MongoDB/Mongoose, JWT authentication, validation (Joi), logging (Winston), Docker, GitHub Actions, and comprehensive testing (Jest + Supertest). Well-structured with service/controller/model pattern.
src/
├── config/ # Environment, DB config
├── controllers/ # Request handlers
├── middlewares/ # Auth, validation, error handling
├── models/ # Mongoose models
├── routes/ # Route definitions
├── services/ # Business logic
├── utils/ # Helpers, logger
└── validations/ # Joi schemas
Choose if: You need a well-organized production REST API on Express.
Hackathon Starter — Best for Prototyping
Price: Free | Creator: Sahat Yalkabov
The classic Node.js prototyping starter. 10+ OAuth providers, 10+ API integrations (Stripe, Twilio, SendGrid, Mailgun, etc.), MongoDB, Bootstrap UI, and account management. Not for production use — for getting a prototype running in an hour.
Choose if: You're at a hackathon or need to demo something fast.
MERN Stack Boilerplate — Best Full-Stack
Price: Free | Creator: Community
MongoDB + Express + React + Node.js monolith. JWT authentication, Redux state management, protected routes, and deployment configs. The traditional full-stack JavaScript starting point.
Choose if: You want a complete MERN stack with frontend and backend in one project.
express-typescript — Best TypeScript API
Price: Free | Creator: Community variants
Express configured for TypeScript with path aliases, ESM modules, Zod validation, Vitest testing, and PostgreSQL via Prisma. More opinionated than plain Express but catches type errors before they reach production.
Choose if: TypeScript is a requirement and you want Express with modern tooling.
Why Express Still Wins
In 2026, Express faces competition from faster alternatives:
- Fastify is 2-3x faster at high throughput
- Hono runs on edge runtimes (Cloudflare Workers)
- Elysia is the Bun-native winner in benchmarks
But Express wins on ecosystem. Every Node.js library has Express middleware. Every tutorial covers Express first. When you Google a problem, Express has 10x more answers.
Use Express when: Ecosystem compatibility and team familiarity matter more than raw performance.
Consider Fastify/Hono when: You need maximum throughput, edge runtime support, or a greenfield project with a TypeScript-first team.
Minimal Production Setup
What a production Express API needs (beyond the boilerplate):
import express from 'express';
import helmet from 'helmet'; // Security headers
import rateLimit from 'express-rate-limit'; // Rate limiting
import cors from 'cors'; // CORS handling
import compression from 'compression'; // Gzip responses
import morgan from 'morgan'; // Request logging
const app = express();
app.use(helmet());
app.use(cors({ origin: process.env.ALLOWED_ORIGIN }));
app.use(compression());
app.use(express.json({ limit: '10kb' }));
app.use(rateLimit({ windowMs: 15 * 60 * 1000, max: 100 }));
app.use(morgan('combined'));
Most boilerplates include some of these — check which ones before using in production.
Setting Up a TypeScript Express API from Scratch
The boilerplates above give you structure; here's the core TypeScript Express setup they're built on:
npm init -y
npm install express
npm install -D typescript ts-node @types/express @types/node nodemon
npx tsc --init
// src/app.ts — Express with TypeScript
import express, { Application, Request, Response, NextFunction } from 'express';
import helmet from 'helmet';
import cors from 'cors';
import rateLimit from 'express-rate-limit';
export function createApp(): Application {
const app = express();
// Security middleware
app.use(helmet());
app.use(cors({
origin: process.env.ALLOWED_ORIGINS?.split(',') || ['http://localhost:3000'],
credentials: true,
}));
app.use(rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100,
standardHeaders: true,
}));
// Request parsing
app.use(express.json({ limit: '10kb' }));
app.use(express.urlencoded({ extended: true }));
// Routes
app.use('/api/v1/users', userRouter);
app.use('/api/v1/posts', postRouter);
// Global error handler — must be last
app.use((err: Error, req: Request, res: Response, _next: NextFunction) => {
console.error(err.stack);
res.status(500).json({ error: 'Internal server error' });
});
return app;
}
// src/index.ts — start server
import { createApp } from './app';
const app = createApp();
const port = process.env.PORT || 4000;
app.listen(port, () => {
console.log(`Server running on port ${port}`);
});
Error Handling Patterns
Production Express APIs need consistent error handling. The pattern used by most quality boilerplates:
// utils/AppError.ts — custom error class
export class AppError extends Error {
constructor(
public message: string,
public statusCode: number = 500,
public code?: string
) {
super(message);
this.name = 'AppError';
}
}
// middleware/errorHandler.ts
import { Request, Response, NextFunction } from 'express';
import { AppError } from '../utils/AppError';
export function errorHandler(
err: Error,
req: Request,
res: Response,
next: NextFunction
) {
if (err instanceof AppError) {
return res.status(err.statusCode).json({
error: err.message,
code: err.code,
});
}
// Prisma/ORM errors
if (err.name === 'PrismaClientKnownRequestError') {
return res.status(400).json({ error: 'Database constraint violation' });
}
// Unknown errors — don't expose internals
console.error('Unhandled error:', err);
res.status(500).json({ error: 'Internal server error' });
}
The node-express-boilerplate uses a similar pattern. Hackathon Starter does not — add this before deploying to production.
Express vs Fastify: The Migration Decision
Teams considering migrating from Express to Fastify for performance should weigh the actual numbers:
- Express: ~15,000-20,000 req/sec (typical production workload with middleware)
- Fastify: ~40,000-60,000 req/sec under the same conditions
For a SaaS API handling 100 requests/second (8.6M requests/day), Express is fine — you're nowhere near these limits. At 10,000+ req/sec sustained, the difference matters.
The real migration cost: Every Express middleware (passport.js, express-rate-limit, express-session) needs a Fastify equivalent. Not all have direct equivalents — some require wrapping. Estimate 3-5 days to migrate a mature Express API to Fastify.
When to start with Fastify instead: If your team is new to the codebase and performance is a stated requirement from the start, Fastify is worth the slightly steeper initial learning curve. For legacy Express codebases: migrate only when you've profiled and confirmed Express is the bottleneck.
Key Takeaways
- node-express-boilerplate is the best free production REST API starter — service/controller/model architecture, Jest tests, Docker
- Hackathon Starter is for prototyping only — not production-ready, but unmatched for getting something demo-able fast
- MERN Boilerplate is the right choice if you want React frontend and Express backend in one repo
- Express's ecosystem advantage over Fastify/Hono is real at lower scale — choose Fastify only when you've validated performance requirements
- All production Express APIs need: helmet (security headers), rate limiting, a custom error handler, and input validation (Joi or Zod)
Docker and Deployment Setup
Every production Express API should run in Docker. The node-express-boilerplate includes a Dockerfile; here's the pattern:
# Dockerfile — multi-stage for small production image
FROM node:20-alpine AS deps
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build # Compiles TypeScript
FROM node:20-alpine AS runner
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/package.json ./
USER node
EXPOSE 4000
CMD ["node", "dist/index.js"]
# docker-compose.yml — local dev with Postgres
version: '3.8'
services:
api:
build: .
ports: ["4000:4000"]
environment:
- DATABASE_URL=postgresql://postgres:postgres@db:5432/myapp
- NODE_ENV=development
volumes:
- ./src:/app/src # Hot reload in dev
depends_on: [db]
db:
image: postgres:16-alpine
environment:
- POSTGRES_DB=myapp
- POSTGRES_PASSWORD=postgres
volumes:
- postgres_data:/var/lib/postgresql/data
volumes:
postgres_data:
This compose setup gives you local development with a real PostgreSQL database. For deployment, use Railway (push to GitHub, auto-deploys Docker), Render (similar), or ECS for AWS teams.
The Middleware Stack Decision
The packages you choose for middleware affect every request your API handles. The standard production stack in 2026:
| Package | Purpose | Alternative |
|---|---|---|
helmet | Security headers (CSP, HSTS, etc.) | None — use it |
cors | CORS handling | None |
express-rate-limit | Rate limiting | @upstash/ratelimit (Redis-backed) |
compression | Gzip responses | @fastify/compress if using Fastify |
morgan | Request logging | pino-http (structured JSON logs) |
express-validator | Input validation | zod with a middleware wrapper |
node-express-boilerplate includes all of these. Hackathon Starter includes some but not all. Verify your production checklist against this list before deploying.
Authentication Patterns for Express REST APIs
Express doesn't ship with authentication — you choose the strategy. The three common patterns:
JWT (stateless): Generate a signed JWT on login, validate it on every request via middleware. No database lookup per request — scales well. Logout requires token blocklisting (Redis) or short expiry + refresh tokens.
Session-based (stateful): Store session data server-side (Redis or DB), send a session ID cookie. Supports instant revocation. Requires session store; more complex with multiple API instances.
API keys (for B2B): Generate long-lived keys per user/team, store hashed in the database, validate on each request. Best for programmatic API access — Zapier integrations, CLI tools, third-party apps.
// middleware/auth.middleware.ts — JWT strategy
import jwt from 'jsonwebtoken';
export function requireAuth(req: Request, res: Response, next: NextFunction) {
const token = req.headers.authorization?.replace('Bearer ', '');
if (!token) return res.status(401).json({ error: 'Unauthorized' });
try {
const payload = jwt.verify(token, process.env.JWT_SECRET!) as JWTPayload;
req.userId = payload.sub;
next();
} catch {
res.status(401).json({ error: 'Invalid token' });
}
}
node-express-boilerplate uses JWT; Hackathon Starter uses Passport.js with sessions. Choose based on whether you need instant session revocation (stateful) or stateless horizontal scaling (JWT).
Testing Express APIs: What the Boilerplates Get Right
node-express-boilerplate and express-typescript both include testing setup. The standard pattern is Jest with Supertest for integration tests — tests that make HTTP requests to your API and assert on the responses, without mocking individual functions.
// tests/routes/users.test.ts
import request from 'supertest';
import app from '../../src/app';
import { prisma } from '../../src/db';
beforeEach(async () => {
await prisma.user.deleteMany(); // Clean slate per test
});
describe('POST /api/users/register', () => {
it('creates a user and returns 201', async () => {
const response = await request(app)
.post('/api/users/register')
.send({ email: 'test@example.com', password: 'password123' })
.expect(201);
expect(response.body.user.email).toBe('test@example.com');
expect(response.body.token).toBeDefined();
});
it('returns 400 for duplicate email', async () => {
await prisma.user.create({ data: { email: 'test@example.com', passwordHash: '...' } });
await request(app)
.post('/api/users/register')
.send({ email: 'test@example.com', password: 'password123' })
.expect(400);
});
});
This integration test pattern hits a real database (test database), making it slower than unit tests but far more reliable for catching real bugs. node-express-boilerplate's test setup wires this up correctly — the test database connection, cleanup between tests, and helper utilities for creating authenticated test users.
Express vs Fastify: Should You Switch?
Fastify is Express's main competitor in the Node.js ecosystem. It's roughly 2-3x faster on benchmarks, ships with built-in TypeScript support and schema validation (JSON Schema via Ajv), and has a comparable plugin ecosystem. The question is whether that speed difference matters for your use case.
For most SaaS APIs, Express's performance ceiling isn't the bottleneck. Database query time, external API calls, and application logic dominate response time — the difference between Express and Fastify in the HTTP layer is microseconds that don't affect user experience. Express's larger community (tutorials, Stack Overflow answers, middleware packages) is a meaningful productivity advantage that offsets Fastify's raw speed.
The case for Fastify: you're building a high-throughput API (thousands of requests per second per instance), the built-in schema validation reduces a layer of custom code, or you're starting a greenfield project with no Express muscle memory on the team. For those scenarios, the boilerplates at fastify.dev and the community Fastify starters are worth evaluating.
For the typical product starting from an Express boilerplate: Express is the right choice. The performance difference doesn't matter at the traffic levels you'll see for the first 12-18 months of a new product.
Production Checklist: Before Your Express API Goes Live
Beyond the middleware and auth setup, production readiness for an Express API requires:
Rate limiting: express-rate-limit at the Express layer plus Redis-backed rate limiting (Upstash) for distributed deployments. Protecting /api/auth/login from brute force is non-negotiable.
Input validation: Zod schema validation on every route handler that accepts user input. Trust no client data. node-express-boilerplate uses Joi; the pattern is equivalent with Zod.
Error handling: A global error middleware that catches unhandled exceptions and returns consistent error response shapes. Never let process.on('uncaughtException') handle API errors — that's for truly unexpected crashes, not application-level errors.
Request logging: morgan or pino-http for structured request logs. Structured JSON logging (pino) is preferable to string-based logging (morgan) for log aggregation services (Datadog, Axiom, Logtail).
Graceful shutdown: Handle SIGTERM by stopping new connections and waiting for in-flight requests to complete before exiting. Docker and Kubernetes send SIGTERM before killing the process — without graceful shutdown, in-flight requests are dropped.
Express in 2026: Is It Still Worth Learning?
The "is Express still relevant?" question comes up regularly. The practical answer: Express runs over 100 million production deployments. The npm download trajectory is flat, not declining. The alternatives (Fastify, Hono, Elysia) have advantages but haven't achieved Express-level ubiquity.
For developers choosing a framework for a new project: Express is the safe default. The breadth of tutorials, the depth of Stack Overflow answers, and the library ecosystem have no equivalent in newer frameworks. If you hit a problem with Express, someone has solved it and written about it. If you hit an equivalent problem with Hono or Elysia, you may be the first person to encounter that exact combination of factors.
For teams with performance-sensitive workloads: benchmark your specific use case with your specific middleware stack before optimizing prematurely. Most Express APIs don't need Fastify's 2-3x performance advantage. The cases where they do are real (gaming servers, high-frequency IoT data ingestion, real-time bid systems), but they're not the typical SaaS API use case.
The trend to watch: Next.js and Nuxt are absorbing API routes that might otherwise be standalone Express servers. For full-stack web applications, the backend API living inside the Next.js project eliminates a deployment and reduces cognitive overhead. Express remains the right choice for dedicated API services (microservices, separate mobile backends, public REST APIs), but its role in full-stack web apps is narrowing as metaframeworks mature. For teams building standalone REST APIs that will serve multiple clients (web app, mobile app, third-party integrations), Express remains the most practical and well-supported choice in 2026. The node-express-boilerplate and express-typescript starters give you the production patterns without the setup overhead — the right starting point for most backend API projects. Express 5's stable release in 2024 resolved long-standing async error handling limitations, and most production boilerplates have now migrated to Express 5's app.use() async handler support — meaning the boilerplate quality bar for error handling has improved across the board.
The boilerplate and tool choices covered here represent the most actively maintained options in their category as of 2026. Evaluate each against your specific requirements: team expertise, deployment infrastructure, budget, and the features your product requires on day one versus those you can add incrementally. The best starting point is the one that lets your team ship the first version of your product fastest, with the least architectural debt.
Compare all Express and Node.js boilerplates in our best open-source SaaS boilerplates guide.
See our guide to best FastAPI boilerplates for the Python REST API equivalent.
Browse best full-stack TypeScript boilerplates for Next.js-based alternatives to the MERN stack.
Check out this boilerplate
View express-generatoron StarterPick →