The Nodewood API is an Express server that automatically loads Controllers in enabled features. It connects to a PostgreSQL database server for storage and can be configured to use a variety of mailing services.

To launch the Nodewood API in development mode, connect to the Nodewood development VM (nodewood vm from the root of your project folder), then cd code to switch to the shared code folder, and nodewood dev api to launch the API.

# Configuration

The following files are located in wood/config, but can be overridden by creating identically-named entries in app/config. The options below are not exhaustive, but cover the options in these files that apply to the API.

As these files can be included in the UI as well, no secrets should be kept in them, only configuration details.

# admin.js

This file contains configuration details for the admin panel. There are no fields in here that apply to the API.

# app.js

This file contains general configuration details for your app.

  • name: This is the name that is used by default for the title of your pages and in emails.
  • url: This is the base URL for your app that is used when sending emails that link back to your app.
  • features: This is the list of enabled features. Features appearing in this list and located in the app/features folder will be examined for Controllers and have their routes automatically added. Note that this is split into app features (ones that you create) andwood` features (once that come bundled with Nodewood). This allows you to disable Nodewood features should you need or want to.
  • defaultErrorMessage: This is the default error message displayed in situations where a more-specific error message has not been provided.

# email.js

  • transportConfig: The configuration values for your email transport. See the Services -> Email section for more information.
  • fromEmail: The email address that transactional emails will be sent from.
  • supportEmail: The email address you receive customer support emails at.

# geography.js:

  • countries: The list of countries that will populate the Country dropdown in the subscription signup form.
  • states: A list of states that will populate the State dropdown in the subscription signup form. Any countries without a list here will have a textbox displayed instead.

# security.js

This file contains security configuration details for your app. This file should only contain configuration, not any actual secrets.

  • redactedLoggingPaths: Fields matching this array will be redacted when logging, so things like passwords, security tokens won't be stored in your logs.
  • shouldLogBody: If the body of requests should be logged. This can increase the size of your logs significantly, but can be useful in debugging. Make sure to redact fields you don't want saved in your logs.
  • emailFloodProtectionMinutes: How many minutes to wait between emails that can be triggered from public URLs (password reset, etc) to prevent malicious attackers from flooding a user's inbox.
  • failedLoginMaxAttempts: Maximum number of failed login attempts before a user must enter a cooldown period.
  • failedLoginCooldown: The amount of time a user must "cool down" for before they can attempt to log in again.
  • jwt.issuer: The issuing party for this JWT. This is set by default to your app's project name.
  • jwt.expiryDays: The number of days the JWT is valid for before it expires and the user must log in again.
  • jwt.hashidsMinLength: The user ID in the JWT is hashed using Hashids so that users can't examine your JWT and enumerate your user count. This sets the minimum length of that hash.

# subscriptions.js

This file contains settings that affect your subscriptions.

  • prorateOnCancel: If set to true, users will have their final invoice prorated when canceling, issuing them a refund for unused time.
  • trialDays: The number of days a user's trial period lasts for, before they are first charged for use.
  • defaultCurrency: The default currency to set for users. Users cannot see prices that are not in their currency and cannot see products that have no prices in their currency.

For more information about how these settings are used, see Subscriptions.

# ui.js

This file contains configuration details for the UI of your application. There are no fields in here that apply to the API.

# .env

This file is actually located in the root of your project and is where secrets should be kept.

  • DB_HOST: The IP address or URL of the database server. (e.g. '')
  • DB_PORT: The port of the database server. (e.g. '5432')
  • DB_DB: The name of your database. (e.g. 'nodewood')
  • DB_USER: The username that is authenticated to connect to your database. (e.g. 'nodewood_user')
  • DB_PASS: The password for the provided username. (e.g. 'god')
  • LOG_LEVEL: The minimum logging level to trigger logs to be written. (e.g. 'info')
  • JWT_SECRET: The secret used to create JWTs for users. (e.g. 'jwtSecret')
  • JWT_HASHID_SALT: The salt to use to hash the user ID contained in the JWT. (e.g. 'jwtHashidSalt')
  • JWT_GLOBAL_SERIES: The global JWT series. Increment this number to invalidate all JWTs for every user. (e.g. '1')
  • PASSWORD_SALT_ROUNDS: The number of rounds used to salt the user's password hash. Higher numbers are more secure, but take longer.