Ktor Tutorial #18: Dependency Injection with Koin

As your Ktor application grows, you create more repositories, services, and routes. Without dependency injection, you end up passing objects manually through every function. This makes your code hard to test and hard to change.

In this tutorial, you will add Koin to your Ktor application. You will create a service layer, define dependency modules, and inject dependencies into your routes.

What is Dependency Injection?

Dependency injection (DI) means your classes receive their dependencies from the outside instead of creating them. ...

June 9, 2026 · 9 min

Ktor Tutorial #17: HTMX with Ktor — Server-Side Rendering

Not every application needs a JavaScript frontend. For admin dashboards, internal tools, and simple web apps, server-side rendering with HTMX is faster to build and easier to maintain.

In this tutorial, you will build an HTMX-powered admin dashboard. You will create, list, and delete notes with dynamic updates — no page reloads, no JavaScript framework.

What is HTMX?

HTMX lets you add dynamic behavior to HTML using attributes. Instead of writing JavaScript, you add attributes like hx-get, hx-post, and hx-delete to HTML elements. ...

June 9, 2026 · 5 min

Ktor Tutorial #16: OpenAPI and Swagger — Auto-Generated API Docs

Your API has many endpoints. Other developers need to know how to use them. They need to know the request format, response format, required headers, and possible error codes. Writing documentation by hand is tedious and quickly becomes outdated.

In this tutorial, you will add OpenAPI documentation and Swagger UI to your Ktor API. Developers can browse your API at /docs and try out endpoints directly from the browser.

What is OpenAPI?

OpenAPI (formerly Swagger) is a standard format for describing REST APIs. It is a YAML or JSON file that lists all endpoints, request bodies, response schemas, authentication, and more. ...

June 8, 2026 · 4 min

Ktor Tutorial #15: WebSockets — Real-Time Communication

HTTP is a request-response protocol. The client sends a request, the server responds, and the connection closes. For real-time features like chat, notifications, or live updates, you need WebSockets.

In this tutorial, you will build a chat server with rooms, broadcasting, and heartbeat/ping-pong. You will learn how WebSockets work in Ktor and how to manage connections.

What Are WebSockets?

WebSockets provide a persistent, two-way connection between client and server. Both sides can send messages at any time without waiting for a request. ...

June 8, 2026 · 5 min

Ktor Tutorial #14: Rate Limiting, CORS, and Security Headers

Your API has authentication, but that is only one layer of security. Without rate limiting, attackers can brute-force passwords. Without CORS, any website can call your API. Without security headers, your application is vulnerable to clickjacking and XSS attacks.

In this tutorial, you will add three essential security features: CORS configuration, rate limiting, and security headers. These are requirements for any production API.

Why These Security Features Matter

CORS → Controls which websites can call your API
Rate Limiting → Prevents brute-force attacks and abuse
Security Headers → Prevents clickjacking, XSS, and MIME sniffing

Dependencies

Add the Ktor security plugins: ...

June 8, 2026 · 5 min

Ktor Tutorial #13: OAuth 2.0 — Sign In with Google

Your API has registration and login with email and password. But many users prefer to sign in with their Google account. It is faster and they do not need to remember another password.

In this tutorial, you will add Google Sign-In using OAuth 2.0. You will learn how the OAuth flow works, how to handle the callback, and how to link OAuth accounts with existing email accounts.

How OAuth 2.0 Works

OAuth 2.0 is a protocol that lets users sign in with a third-party provider (Google, GitHub, etc.) without sharing their password with your application. ...

June 7, 2026 · 6 min

Ktor Tutorial #12: Registration and Login Flow

In the previous tutorial, you added JWT authentication. Users can register, log in, and access protected routes. But the implementation was basic. There were no refresh tokens, no password validation, and no logout.

In this tutorial, you will build a complete authentication flow. You will add refresh tokens with rotation, strong password validation, email validation, and a logout endpoint that revokes tokens.

What We Will Build

Here is the complete auth flow: ...

June 7, 2026 · 9 min

Ktor Tutorial #11: JWT Authentication — Securing Your API

Your API works. It has routes, a database, file uploads, and migrations. But anyone can access any endpoint. There is no authentication.

In this tutorial, you will add JWT (JSON Web Token) authentication. Users will register, log in, get a token, and use that token to access protected routes.

How JWT Authentication Works

JWT authentication follows this flow:

1. Client sends email + password → POST /api/auth/login
2. Server verifies credentials
3. Server generates a JWT token
4. Server sends token to client
5. Client stores token
6. Client sends token with every request → Authorization: Bearer <token>
7. Server verifies token and processes request

The token contains encoded information (claims) about the user. The server can verify the token without a database query. ...

June 7, 2026 · 9 min

Ktor Tutorial #10: Database Migrations with Flyway

In the previous tutorials, we used SchemaUtils.create() to create database tables. This works for development, but it has a big problem: it cannot handle schema changes.

What happens when you need to add a column? Rename a table? Change a data type? You cannot just drop the database and recreate it — production data would be lost. This is where database migrations come in.

Why Migrations Matter

Without migrations, you have these problems: ...

June 6, 2026 · 6 min

Ktor Tutorial #9: File Uploads and Static Files

Most APIs need to handle files. Profile pictures, document uploads, image galleries — file handling is a common requirement.

In this tutorial, you will learn how to serve static files, handle file uploads via multipart form data, validate uploads, and protect against common security issues.

Serving Static Files

Ktor can serve static files from your resources directory or from the filesystem.

From Resources

Put files in src/main/resources/static/:

src/main/resources/static/
├── index.html
├── style.css
└── logo.png

Then configure the route: ...

June 6, 2026 · 7 min