Production-ready Node.js API build framework — opinionated, layered, and ready to ship. A pnpm monorepo of eight composable packages covering everything from structured logging and typed HTTP clients to JWT auth, Fastify plugins, and feature flags.
CC API Framework gives Node.js teams a consistent, production-hardened baseline for every API they ship. Instead of wiring up logging, auth, HTTP clients, and config from scratch on each service, you pull in the packages you need and start with best practices already in place.
The framework ships as eight independently versioned pnpm packages. Two example services — a public-facing user API and an internal order service — demonstrate the full stack end-to-end, including JWT verification, service-to-service auth, rate limiting, OpenAPI docs, feature flags, and graceful shutdown.
Pino-based JSON logging with AsyncLocalStorage correlation ID propagation. Every log line across the entire async call chain carries the same request ID.
Built on undici with full-jitter retry, circuit breaker, OAuth bearer injection, and a typed ApiResponse discriminated union so errors are always handled.
JWT verification supporting HS256, RS256, and JWKS auto-fetch with caching. API key plugin. OAuth 2.0 client credentials and refresh token store out of the box.
Correlation ID, request logger, error handler, CORS, rate limiter, graceful shutdown, OpenAPI 3.1 + Swagger UI, internal service auth, and named external API clients.
defineConfig() validates process.env against a Zod schema at startup and throws a human-readable error, so a bad configuration never fails silently at request time.
NotFoundError, UnauthorizedError, ValidationError, and more. All map cleanly to HTTP status codes and are handled uniformly by the error handler plugin.
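The correlation ID propagation described for the logging package can be illustrated with Node's built-in AsyncLocalStorage. This is an added example, not the framework's own code: the `x-correlation-id` header name, the function names, and the rule for rejecting unsafe inbound IDs are assumptions.

```javascript
// Added example (not framework code); header and function names are assumptions.
const { AsyncLocalStorage } = require('node:async_hooks');
const { randomUUID } = require('node:crypto');
const context = new AsyncLocalStorage();
const lines = []; // captured log lines (a real logger would write to stdout)

// Accept an inbound ID only if it is short and made of safe characters;
// anything else is replaced so a client cannot put arbitrary text into logs.
const SAFE_ID = /^[A-Za-z0-9_-]{8,64}$/;
function resolveCorrelationId(value) {
  return typeof value === 'string' && SAFE_ID.test(value) ? value : randomUUID();
}

// Every log line reads the ID from the async context, never from an argument.
// The ID is spread last so caller-supplied fields cannot overwrite it.
function log(msg, fields = {}) {
  const correlationId = context.getStore()?.correlationId ?? null;
  const line = JSON.stringify({ ...fields, correlationId, msg });
  lines.push(line);
  return line;
}

// Run one request handler inside its own context.
function withCorrelation(headers, handler) {
  const correlationId = resolveCorrelationId(headers['x-correlation-id']);
  return context.run({ correlationId }, handler);
}
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Constructed handlers: nested async calls that never receive the ID explicitly.
async function loadOrders(userId) {
  await sleep(userId === 'u1' ? 20 : 5); // force the two requests to interleave
  log('orders loaded', { userId });
}
async function handleRequest(userId) {
  log('request received', { userId });
  await loadOrders(userId);
  log('request completed', { userId });
}

// Two concurrent constructed requests: a well-formed inbound ID and a malformed one.
async function demo() {
  lines.length = 0;
  await Promise.all([
    withCorrelation({ 'x-correlation-id': 'req-0000-aaaa' }, () => handleRequest('u1')),
    withCorrelation({ 'x-correlation-id': 'bad id\nwith newline' }, () => handleRequest('u2')),
  ]);
  return lines.map((l) => JSON.parse(l));
}
```

Although the two requests interleave, each record keeps the ID of the request that produced it, and the malformed inbound value is replaced with a generated UUID.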
| Package | Description |
|---|---|
| @cc-api-framework/errors | Typed HTTP error hierarchy that maps cleanly to status codes |
| @cc-api-framework/logger | Structured JSON logging via Pino with correlation ID propagation |
| @cc-api-framework/networking | undici HTTP client — retry, circuit breaker, OAuth injection |
| @cc-api-framework/config | Zod-validated defineConfig() — fail-fast env validation at startup |
| @cc-api-framework/auth | JWT (HS256, RS256, JWKS), API key, OAuth 2.0 token store |
| @cc-api-framework/fastify-plugins | Full production Fastify plugin suite (CORS, rate limit, OpenAPI, …) |
| @cc-api-framework/feature-config | Remote feature flags from JSON endpoint with local fallback |
| @cc-api-framework/testing | MockNetworkingClient, withCorrelationContext(), buildTestApp() |
```
Browser / External Client
        │  JWT Bearer token
        ▼
  user-api :3000          ← front-end-services tier
  (JWT auth, CORS, rate-limit, OpenAPI docs)
        │  Service token (x-service-auth)
        ▼
  order-service :3001     ← core-services tier
  (internal only — no CORS, no public JWT)
```
Front-end services handle all public-facing concerns: JWT verification, CORS, rate limiting, and OpenAPI documentation. Core services are internal-only — security is enforced at the front-end tier, keeping core services simple and fast.
All packages extend a shared tsconfig.base.json that enforces a strict compiler configuration — exactOptionalPropertyTypes, noUncheckedIndexedAccess, noImplicitOverride, and the full strict suite. Target: ES2022, module system: NodeNext (native ESM).
This framework was designed, directed, and shipped using Vibe Coding — organized thinking and 32 years of experience translated into production software by AI.