Kotlin

You have built a complete Ktor backend with authentication, database, WebSockets, Docker, and CI/CD. Now it is time to connect everything — a Kotlin backend and a Kotlin client sharing the same data models. In this final tutorial, you will create shared data models, build a Ktor Client that consumes your API, and see how a KMP mobile app connects to your backend. The Full-Stack Kotlin Vision Most full-stack projects look like this: ...

You have a tested, Dockerized Ktor application. The next step is automating everything. When you push code, tests should run automatically. When tests pass on the main branch, the application should deploy automatically. In this tutorial, you will set up a GitHub Actions CI/CD pipeline. You will also add Prometheus metrics for production monitoring. What is CI/CD? CI (Continuous Integration) means running tests automatically when you push code. If tests fail, you know immediately — not after deploying to production. ...

Your Ktor application runs on your machine. But “it works on my machine” is not a deployment strategy. Docker packages your application with everything it needs — the JVM, dependencies, and configuration — into a single image that runs anywhere. In this tutorial, you will create a Dockerfile for your Ktor application. You will use multi-stage builds for smaller images, configure Docker Compose with PostgreSQL, and tune the JVM for containers. ...

A REST API without tests is a ticking time bomb. You change one route, and three others break. You add a new feature, and authentication stops working. In this tutorial, you will write tests for your Ktor application. You will test authentication flows, CRUD operations, WebSocket endpoints, and input validation — all using Ktor’s built-in test engine. Test Setup Ktor provides a test engine that runs your application in memory. No real HTTP server starts. This makes tests fast and isolated. ...

As your Ktor application grows, you create more repositories, services, and routes. Without dependency injection, you end up passing objects manually through every function. This makes your code hard to test and hard to change. In this tutorial, you will add Koin to your Ktor application. You will create a service layer, define dependency modules, and inject dependencies into your routes. What is Dependency Injection? Dependency injection (DI) means your classes receive their dependencies from the outside instead of creating them. ...

Not every application needs a JavaScript frontend. For admin dashboards, internal tools, and simple web apps, server-side rendering with HTMX is faster to build and easier to maintain. In this tutorial, you will build an HTMX-powered admin dashboard. You will create, list, and delete notes with dynamic updates — no page reloads, no JavaScript framework. What is HTMX? HTMX lets you add dynamic behavior to HTML using attributes. Instead of writing JavaScript, you add attributes like hx-get, hx-post, and hx-delete to HTML elements. ...

Your API has many endpoints. Other developers need to know how to use them. They need to know the request format, response format, required headers, and possible error codes. Writing documentation by hand is tedious and quickly becomes outdated. In this tutorial, you will add OpenAPI documentation and Swagger UI to your Ktor API. Developers can browse your API at /docs and try out endpoints directly from the browser. What is OpenAPI? OpenAPI (formerly Swagger) is a standard format for describing REST APIs. It is a YAML or JSON file that lists all endpoints, request bodies, response schemas, authentication, and more. ...

HTTP is a request-response protocol. The client sends a request, the server responds, and the connection closes. For real-time features like chat, notifications, or live updates, you need WebSockets. In this tutorial, you will build a chat server with rooms, broadcasting, and heartbeat/ping-pong. You will learn how WebSockets work in Ktor and how to manage connections. What Are WebSockets? WebSockets provide a persistent, two-way connection between client and server. Both sides can send messages at any time without waiting for a request. ...

Your API has authentication, but that is only one layer of security. Without rate limiting, attackers can brute-force passwords. Without CORS, any website can call your API. Without security headers, your application is vulnerable to clickjacking and XSS attacks. In this tutorial, you will add three essential security features: CORS configuration, rate limiting, and security headers. These are requirements for any production API. Why These Security Features Matter CORS → Controls which websites can call your API Rate Limiting → Prevents brute-force attacks and abuse Security Headers → Prevents clickjacking, XSS, and MIME sniffing Dependencies Add the Ktor security plugins: ...

Your API has registration and login with email and password. But many users prefer to sign in with their Google account. It is faster and they do not need to remember another password. In this tutorial, you will add Google Sign-In using OAuth 2.0. You will learn how the OAuth flow works, how to handle the callback, and how to link OAuth accounts with existing email accounts. How OAuth 2.0 Works OAuth 2.0 is a protocol that lets users sign in with a third-party provider (Google, GitHub, etc.) without sharing their password with your application. ...