In modern web development, APIs form the backbone of digital ecosystems. Whether you\u2019re powering a mobile app, a front-end dashboard, or integrating with third-party systems, a well-structured RESTful API is essential.<\/p>\n
CodeIgniter 4 (CI4)<\/strong>, being lightweight, fast, and modular, provides an excellent framework for building secure and scalable APIs. In this article, we\u2019ll go beyond the basics and explore how to design a robust RESTful API in CI4 \u2014 complete with JWT authentication<\/strong>, rate limiting<\/strong>, and activity logging<\/strong>.<\/p>\n This guide is for developers who already know the fundamentals of CodeIgniter and want to implement production-grade API practices.<\/strong><\/p>\n Start with a clean CodeIgniter 4 installation: This modular separation allows you to extend API versions easily, such as \/api\/v1\/ and \/api\/v2\/ later.<\/p>\n Define your API routes inside app\/Config\/Routes.php: We\u2019re defining a versioned API group (api\/v1) to future-proof the design. Let\u2019s create our first controller at app\/Controllers\/Api\/V1\/Users.php:<\/p>\n This simple REST controller lists and retrieves users \u2014 a good foundation before we layer in authentication and security.<\/p>\n JWT (JSON Web Token) is ideal for stateless authentication. Now, add your secret key to .env:<\/p>\n Finally, create the AuthFilter in app\/Filters\/AuthFilter.php<\/p>\n Add this filter in app\/Config\/Filters.php:<\/p>\n Now your protected routes can only be accessed with a valid JWT.<\/p>\n To prevent abuse and DoS attacks, let\u2019s implement rate limiting.<\/p>\n Create app\/Filters\/RateLimitFilter.php:<\/p>\n Then enable this filter in routes where appropriate:<\/p>\n This way, each IP is restricted to 100 requests per hour.<\/p>\n Logging is critical for debugging and analytics.<\/p>\n Create a simple logger class at app\/Libraries\/ActivityLogger.php:<\/p>\n Use it in your controller:<\/p>\n You\u2019ll now have a detailed record of API actions for analysis and debugging.<\/p>\n Use Postman<\/strong> or cURL<\/strong> to test:<\/p>\n You should receive a secure JSON response.<\/p>\n To make your API production-ready:<\/p>\n Building a RESTful API in CodeIgniter 4 goes far beyond CRUD endpoints. This modular architecture allows future expansion \u2014 for example, integrating with mobile apps, third-party systems, or React-based dashboards \u2014 while keeping your backend stable and secure.<\/p>\n If you\u2019re a developer looking to master backend design, CodeIgniter 4 offers a clean, flexible, and powerful foundation for professional-grade APIs.<\/p>\n","protected":false},"excerpt":{"rendered":" In modern web development, APIs form the backbone of digital ecosystems. Whether you\u2019re powering a mobile app, a front-end dashboard, or integrating with third-party systems, a well-structured RESTful API is essential. CodeIgniter 4 (CI4), being lightweight, fast, and modular, provides an excellent framework for building secure and scalable APIs. In this article, we\u2019ll go beyond […]<\/p>\n","protected":false},"author":1,"featured_media":428,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-413","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-custom-development"],"yoast_head":"\n1. Setting Up the Project Structure<\/h3>\n
\n
\ncomposer create-project codeigniter4\/appstarter ci4-api
\ncd ci4-api
\nphp spark serve
\n<\/code>
\nCI4\u2019s directory structure is ideal for REST API organization. However, to make things modular and scalable, it\u2019s best to follow this structure:
\n
\napp\/
\n\u251c\u2500\u2500 Controllers\/
\n\u2502 \u251c\u2500\u2500 Api\/
\n\u2502 \u2502 \u2514\u2500\u2500 V1\/
\n\u2502 \u2502 \u2514\u2500\u2500 Users.php
\n\u251c\u2500\u2500 Models\/
\n\u2502 \u2514\u2500\u2500 UserModel.php
\n\u251c\u2500\u2500 Filters\/
\n\u2502 \u251c\u2500\u2500 AuthFilter.php
\n\u2502 \u251c\u2500\u2500 RateLimitFilter.php
\n\u251c\u2500\u2500 Helpers\/
\n\u2502 \u2514\u2500\u2500 jwt_helper.php
\n\u251c\u2500\u2500 Libraries\/
\n\u2502 \u2514\u2500\u2500 ActivityLogger.php
\n<\/code><\/p>\n2. Creating RESTful Routes<\/h3>\n
\n
\n$routes->group('api\/v1', ['namespace' => 'App\\Controllers\\Api\\V1'], static function ($routes) {
\n$routes->post('login', 'Auth::login');
\n$routes->post('register', 'Auth::register');
\n$routes->get('users', 'Users::index', ['filter' => 'authfilter']);
\n$routes->get('users\/(:num)', 'Users::show\/$1', ['filter' => 'authfilter']);
\n});
\n<\/code><\/p>\n
\nNotice the use of authfilter \u2014 this will handle JWT authentication for protected routes.<\/p>\n3. Building the User Controller<\/h3>\n
namespace App\\Controllers\\Api\\V1;\r\n
\r\nuse App\\Controllers\\BaseController;\r\nuse App\\Models\\UserModel;\r\n\r\nclass Users extends BaseController\r\n{\r\nprotected $userModel;\r\n\r\npublic function __construct()\r\n{\r\n$this->userModel = new UserModel();\r\n}\r\n\r\npublic function index()\r\n{\r\n$users = $this->userModel->findAll();\r\nreturn $this->response->setJSON(['status' => 'success', 'data' => $users]);\r\n}\r\n\r\npublic function show($id)\r\n{\r\n$user = $this->userModel->find($id);\r\nif (!$user) {\r\nreturn $this->response->setJSON(['status' => 'error', 'message' => 'User not found'])->setStatusCode(404);\r\n}\r\nreturn $this->response->setJSON(['status' => 'success', 'data' => $user]);\r\n}\r\n}\r\n<\/code><\/pre>\n4. Implementing JWT Authentication<\/h3>\n
\nLet\u2019s create a helper file at app\/Helpers\/jwt_helper.php:<\/p>\n\r\nuse Firebase\\JWT\\JWT;\r\nuse Firebase\\JWT\\Key;\r\n\r\nfunction generate_jwt($payload)\r\n{\r\n $key = getenv('JWT_SECRET');\r\n $payload['iat'] = time();\r\n $payload['exp'] = time() + 3600; \/\/ 1 hour\r\n return JWT::encode($payload, $key, 'HS256');\r\n}\r\n\r\nfunction verify_jwt($token)\r\n{\r\n try {\r\n $key = getenv('JWT_SECRET');\r\n return JWT::decode($token, new Key($key, 'HS256'));\r\n } catch (Exception $e) {\r\n return null;\r\n }\r\n}\r\n<\/code><\/pre>\n\r\nJWT_SECRET = \"YOUR_SUPER_SECRET_KEY\"\r\n<\/code><\/pre>\n\r\nnamespace App\\Filters;\r\n\r\nuse CodeIgniter\\HTTP\\RequestInterface;\r\nuse CodeIgniter\\HTTP\\ResponseInterface;\r\nuse CodeIgniter\\Filters\\FilterInterface;\r\n\r\nclass AuthFilter implements FilterInterface\r\n{\r\n public function before(RequestInterface $request, $arguments = null)\r\n {\r\n $authHeader = $request->getHeaderLine('Authorization');\r\n if (!$authHeader || !str_starts_with($authHeader, 'Bearer ')) {\r\n return Services::response()->setJSON(['message' => 'Unauthorized'])->setStatusCode(401);\r\n }\r\n\r\n $token = substr($authHeader, 7);\r\n $decoded = verify_jwt($token);\r\n if (!$decoded) {\r\n return Services::response()->setJSON(['message' => 'Invalid or expired token'])->setStatusCode(401);\r\n }\r\n\r\n $request->user = $decoded;\r\n }\r\n\r\n public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)\r\n {\r\n \/\/ nothing here\r\n }\r\n}\r\n<\/code><\/pre>\n\r\npublic array $aliases = [\r\n 'authfilter' => \\App\\Filters\\AuthFilter::class,\r\n];\r\n<\/code><\/pre>\n5. Adding Rate Limiting<\/h3>\n
\r\nnamespace App\\Filters;\r\n\r\nuse CodeIgniter\\Filters\\FilterInterface;\r\nuse CodeIgniter\\HTTP\\RequestInterface;\r\nuse CodeIgniter\\HTTP\\ResponseInterface;\r\nuse Config\\Services;\r\n\r\nclass RateLimitFilter implements FilterInterface\r\n{\r\n private $maxRequests = 100;\r\n private $window = 3600; \/\/ 1 hour\r\n\r\n public function before(RequestInterface $request, $arguments = null)\r\n {\r\n $ip = $request->getIPAddress();\r\n $cache = cache(\"ratelimit_$ip\") ?? ['count' => 0, 'time' => time()];\r\n\r\n if (time() - $cache['time'] > $this->window) {\r\n $cache = ['count' => 1, 'time' => time()];\r\n } else {\r\n $cache['count']++;\r\n }\r\n\r\n cache()->save(\"ratelimit_$ip\", $cache, $this->window);\r\n\r\n if ($cache['count'] > $this->maxRequests) {\r\n return Services::response()\r\n ->setJSON(['error' => 'Too many requests'])\r\n ->setStatusCode(429);\r\n }\r\n }\r\n\r\n public function after(RequestInterface $request, ResponseInterface $response, $arguments = null) {}\r\n}\r\n<\/code><\/pre>\n\r\n$routes->get('users', 'Users::index', ['filter' => 'authfilter, ratelimit']);\r\n<\/code><\/pre>\n6. Logging API Activity<\/h3>\n
\r\nnamespace App\\Libraries;\r\n\r\nclass ActivityLogger\r\n{\r\n public static function log($action, $details)\r\n {\r\n $data = [\r\n 'action' => $action,\r\n 'details' => json_encode($details),\r\n 'ip' => $_SERVER['REMOTE_ADDR'],\r\n 'created_at' => date('Y-m-d H:i:s'),\r\n ];\r\n\r\n file_put_contents(WRITEPATH . 'logs\/api_activity.log', json_encode($data) . PHP_EOL, FILE_APPEND);\r\n }\r\n}\r\n<\/code><\/pre>\n\r\nuse App\\Libraries\\ActivityLogger;\r\n\r\npublic function index()\r\n{\r\n ActivityLogger::log('User Fetch', ['endpoint' => 'users']);\r\n $users = $this->userModel->findAll();\r\n return $this->response->setJSON(['status' => 'success', 'data' => $users]);\r\n}\r\n<\/code><\/pre>\n7. Testing the API<\/h3>\n
\n
\nAuthorization: Bearer your_jwt_token_here<\/li>\n<\/ol>\n8. Security Best Practices<\/h3>\n
\n
Conclusion<\/h3>\n
\nBy implementing JWT authentication, rate limiting, and activity logging, you can deliver a secure, scalable, and production-grade API that meets modern standards.<\/p>\n