Chapter 3

Backend — The Kitchen You Never See

You walk into a restaurant. The lighting is warm, the menu is printed on thick card stock, and a smiling host walks you to your table. You sit down, choose the paneer tikka, and tell the waiter. Twelve minutes later, a plate arrives — golden, fragrant, plated beautifully.

At no point did you see the kitchen.

You didn't see the chef julienne the peppers. You didn't watch the tandoor reach 480°C. You didn't hear the sous chef call out "fire table seven." You didn't notice the dishwasher running a three-compartment sink in the back corner. The restaurant deliberately hid all of that from you — not to deceive you, but because your job is to eat, and their job is to make eating feel effortless.

Software works the same way.

Every time you open Zomato and search for "biryani near me," a beautiful screen appears with photos, ratings, delivery times, and prices. That's the frontend — the dining room. It's the part you touch, see, and interact with. Chapter 2 covered this.

But the moment you type "biryani" and press search, something happens behind the scenes. Your phone sends a request over the internet to a computer sitting in a data center — probably in Mumbai or Hyderabad. That computer receives your request, figures out which restaurants near you serve biryani, checks their ratings, calculates estimated delivery times based on real-time traffic and kitchen capacity, sorts the results, and sends back a neatly organized package of data. Your phone's frontend then takes that data and paints the pretty screen you see.

That computer in the data center? That's the backend — the kitchen you never see. And this chapter is about how it works.

The Restaurant Model of Software

Let's extend the restaurant analogy further, because it maps to software architecture with surprising precision.

Restaurant	Software	Role
Dining room	Frontend	What the customer sees and touches
Kitchen	Backend / Server	Where the work happens, hidden from view
Waiter	API	Carries requests from dining room to kitchen, carries responses back
Walk-in fridge	Database	Where ingredients (data) are stored long-term
Menu	API documentation	What the customer is allowed to order
Head chef	Business logic	Makes decisions about how to prepare things
Health inspector	Authentication & authorization	Verifies who's allowed in and what they can do

This table is worth returning to as you read this chapter. Each section ahead maps to a specific row.

Analogy

The reason restaurants have a wall between the kitchen and the dining room isn't laziness — it's separation of concerns. The dining room is optimized for the customer's experience. The kitchen is optimized for speed, safety, and consistency. Mixing them would make both worse. Software separates frontend and backend for the same reason.

What a Server Actually Does

The word server sounds imposing, like it requires a room full of blinking lights and cables. In reality, a server is a computer — often indistinguishable from your laptop — that's been given one job: wait for requests from the internet and respond to them.

That's it. A server serves. It sits there, awake, listening. When a request arrives — "Hey, give me the list of biryani restaurants near MG Road" — the server wakes up, does some work, and sends back an answer.

Real-Life Example

When you open the Swiggy app and pull down to refresh, your phone sends a request to Swiggy's servers. Those servers are physical computers — thousands of them — sitting in data centers run by Amazon Web Services (AWS) in Mumbai. Each one is a metal box about the size of a pizza box, mounted on a rack with hundreds of others, connected to the internet via fiber optic cables. They're the kitchens that never close.

Here's what a server does when your request arrives, broken into four steps:

Step 1: Receive the request. The server gets a message over the internet. This message includes: what you're asking for (search results? a user profile? a payment confirmation?), who you are (are you logged in? what's your account?), and any details you're sending along (the search term "biryani," your location coordinates, your payment amount).

Step 2: Process the logic. This is where the chef works. The server runs code — written by engineers — that decides what to do with your request. This code is called business logic, because it encodes the business rules. "Show restaurants within 5km." "Sort by rating, then delivery time." "Apply the 20% discount if this is the user's first order." "Reject the payment if the card is expired." This is the thinking part.

Step 3: Talk to the database. Almost every request involves looking something up or saving something. The server reaches into the database (the walk-in fridge) to find the data it needs or store new data you've created. "Find all restaurants within 5km of these coordinates." "Save this new order with order ID #4589." "Update the user's address to the new one they entered." We'll cover databases deeply in Chapter 4 — for now, think of the database as a massive, organized filing cabinet that the server can query in milliseconds.

Step 4: Send the response. The server packages up the answer — the list of restaurants, the order confirmation, the error message — and sends it back over the internet to your phone. Your phone's frontend receives this package and displays it.

Why This Exists

This four-step cycle — receive, process, query, respond — happens every single time you interact with any app or website. Tapping "like" on Instagram? Request to the server, server updates the like count in the database, server sends back the new count. Sending a UPI payment on PhonePe? Request to the server, server validates the transaction, talks to the banking database, sends back success or failure. Opening your email? Request, logic, database query, response. Every digital interaction you have follows this rhythm.

Here's what this looks like as a flow:

┌─────────────────────────────────────────────────────────────────┐
│                    THE CLIENT-SERVER-DATABASE FLOW               │
│                                                                   │
│  ┌──────────┐         ┌──────────────┐         ┌──────────────┐  │
│  │          │  ──①──▶ │              │  ──③──▶ │              │  │
│  │  CLIENT  │         │    SERVER    │         │   DATABASE   │  │
│  │ (Your    │         │  (Backend)   │         │  (Storage)   │  │
│  │  Phone)  │  ◀──④── │              │  ◀──── │              │  │
│  │          │         │              │         │              │  │
│  └──────────┘         └──────────────┘         └──────────────┘  │
│                                                                   │
│  ① Request: "Show me biryani restaurants near MG Road"           │
│  ② Server runs business logic (filter, sort, apply discounts)    │
│  ③ Server queries database: "SELECT restaurants WHERE..."        │
│  ④ Response: JSON data with restaurant names, ratings, images    │
│                                                                   │
│  Total time: 50-200 milliseconds                                 │
└─────────────────────────────────────────────────────────────────┘

That diagram represents perhaps 90% of everything that happens on the internet. Variations exist — caching layers, message queues, microservices — but the fundamental shape is: client asks, server thinks, database stores, server answers.

The Waiter Between the Dining Room and the Kitchen: APIs

Now we reach one of the most important concepts in modern software, and one of the most misunderstood: the API (Application Programming Interface).

If the frontend is the dining room and the backend is the kitchen, the API is the waiter. More precisely, the API is the system — the protocol, the rules, the menu — that governs how the dining room communicates with the kitchen.

Let's explain APIs three different ways. One of them will click for you.

Explanation 1: The Waiter

You don't walk into the kitchen and start yelling at the chef. You don't reach over the counter and grab ingredients. You talk to the waiter. The waiter knows how to translate your request — "I'll have the paneer tikka, no onions, extra spicy" — into kitchen language. And the waiter brings back the food, plated and presentable, without you ever hearing the chaos behind the doors.

An API works identically. Your phone (the customer) doesn't talk directly to the database (the ingredients). It talks to the API (the waiter), which carries the request to the server (the kitchen), and brings back the response.

The menu in this analogy is the API documentation — it tells you what you can order, what format to order it in, and what you'll get back. You can't order sushi at a pizza restaurant, and you can't request data from an API endpoint that doesn't exist.

Explanation 2: The Electrical Outlet

Every country has a standard electrical outlet. In India, it's a three-pin round socket. In the US, it's a two-flat-pin socket. The outlet doesn't care what you plug into it — a phone charger, a lamp, a refrigerator. It provides power in a standard format, and anything built to that standard can use it.

An API is a standard interface between two systems. It says: "If you send me a request in this format, I'll send you a response in that format." The two systems don't need to know how each other works internally. They only need to agree on the interface.

Real-Life Example

This is why Uber can show you a Google Map inside the Uber app. Google publishes a Maps API — a standard interface — and Uber plugs into it. Google doesn't know or care that Uber is using their maps. Uber doesn't know or care how Google renders map tiles. They communicate through the API, like two people speaking through an interpreter.

Explanation 3: The Contract

An API is a contract between two pieces of software. The contract says:

"If you send me a GET request to /api/restaurants?city=bengaluru, I promise to send back a list of restaurants in Bengaluru, formatted as JSON."
"If you send me a POST request to /api/orders with a restaurant ID and a list of items, I promise to create a new order and send back an order confirmation."
"If you send me something I don't understand, I promise to send back an error message explaining what went wrong."

This contract-based thinking is foundational. Martin Fowler, one of the most influential software architects of the past three decades, writes extensively about APIs as contracts because it captures the essential truth: an API is a promise between systems about how they'll communicate.^[1]

Why This Exists

Why do APIs matter so much? Because they allow division of labor at scale. The team building the Zomato mobile app doesn't need to understand database architecture. The team building the recommendation engine doesn't need to know about the app's color scheme. Each team builds their piece and exposes it through an API. APIs are the seams where large software systems are stitched together — and like seams in clothing, they're where things rip if they're poorly made.

Now let's look at the two dominant styles for building APIs in 2026.

REST (Representational State Transfer) is the most common API style on the internet. It was described by Roy Fielding in his doctoral dissertation at UC Irvine in 2000, and it has become so ubiquitous that when most people say "API," they mean "REST API."

Analogy

REST is a fixed menu at a restaurant. The items are listed. Each has a name. You order by pointing to one. The kitchen knows exactly how to prepare each item because the menu hasn't changed since opening day. You get predictability, reliability, and speed — at the cost of flexibility. You can't ask for "half the pasta with the sauce from the curry." You get what's listed.

REST has four key ideas:

1. Everything is a Resource with a URL

In REST, every piece of data has an address — a URL (Uniform Resource Locator). These URLs are predictable and hierarchical, like a filing system.

GET  /api/restaurants                    → List all restaurants
GET  /api/restaurants/42                 → Get restaurant #42
GET  /api/restaurants/42/menu            → Get the menu for restaurant #42
GET  /api/restaurants/42/menu/7          → Get menu item #7 from restaurant #42
GET  /api/restaurants/42/reviews         → Get reviews for restaurant #42

See the pattern? The URL tells you what you're asking for. /restaurants/42/menu reads almost like English: "Give me the menu for restaurant 42."

2. Standard Methods (Verbs)

REST uses a fixed set of HTTP methods (the action words of the internet) to specify what you want to do with a resource:

Method	Action	Restaurant Equivalent
`GET`	Read / retrieve data	"Can I see the menu?"
`POST`	Create new data	"I'd like to place a new order"
`PUT`	Update existing data (replace entirely)	"Actually, change my entire order to this"
`PATCH`	Update existing data (partial change)	"Change my drink from Coke to Pepsi"
`DELETE`	Remove data	"Cancel my order"

Combining URLs and methods gives you powerful, readable instructions:

GET    /api/orders/123        → "Show me order 123"
POST   /api/orders            → "Create a new order" (with order details in the body)
PATCH  /api/orders/123        → "Update order 123" (with changes in the body)
DELETE /api/orders/123        → "Cancel order 123"

3. Stateless: Every Request Stands Alone

Here's a key principle that trips up beginners. REST is stateless, meaning the server doesn't remember you between requests. Every request must carry all the information the server needs to process it.

Analogy

Imagine a restaurant where the waiter has amnesia. Every time you call them over, they don't remember who you are or what you ordered five minutes ago. So every time you talk to them, you have to re-introduce yourself and re-state the full context: "I'm Shravan, table 7, I ordered the paneer tikka 10 minutes ago, and I'd like to add a naan."

This sounds inefficient, but it's actually a brilliant design choice. Because the server doesn't store any information about your session, any server can handle any request. If the restaurant has 100 waiters, any one of them can serve you, because your request includes everything they need. This is how companies like Netflix handle billions of requests — they have thousands of servers, and any request can go to any server.

4. JSON: The Response Format

When a REST API sends data back, it almost always uses JSON (JavaScript Object Notation) — a lightweight format that both humans and computers can read. Here's what a restaurant response might look like:

{
  "id": 42,
  "name": "Meghana Foods",
  "cuisine": "Biryani, Andhra",
  "rating": 4.5,
  "delivery_time_minutes": 35,
  "is_open": true,
  "location": {
    "area": "Koramangala",
    "city": "Bengaluru"
  }
}

Even without technical knowledge, you can read this. It's a collection of labeled values — names and their corresponding data, organized with curly braces and commas. JSON is the universal language of APIs, and you'll encounter it constantly.

Real-Life Example

Stripe, the payments company valued at $65 billion, is legendary in the engineering world for having the best API documentation ever written.^[2] Their REST API is considered the gold standard — every URL is predictable, every response is consistent, every error message is helpful, and the documentation includes working examples in 8 programming languages. When people say "build an API like Stripe," they mean: make it so predictable and well-documented that a developer can integrate it in an afternoon.

GraphQL: The Build-Your-Own Bowl

REST has a problem. Imagine you're building the Zomato restaurant page. You need:

The restaurant name, rating, and photo
The first 5 menu items with prices
The 3 most recent reviews with reviewer names

With REST, you might need three separate requests:

GET /api/restaurants/42
GET /api/restaurants/42/menu?limit=5
GET /api/restaurants/42/reviews?limit=3

Each request goes over the network, which takes time — especially on a slow mobile connection in Tier 3 India. And each response might include data you don't need. The restaurant endpoint might return 40 fields when you only need 3. This is called over-fetching — getting more data than you asked for.

In 2012, a Facebook engineer named Lee Byron faced this exact problem. Facebook's mobile app was slow, and the REST APIs were returning massive payloads of data that the app didn't need. Byron, along with Dan Schafer and Nick Schrock, created GraphQL — a new way to query APIs where the client specifies exactly what data it wants.

Analogy

If REST is a fixed menu, GraphQL is a build-your-own bowl. You walk up to the counter and say: "I want rice, dal, one scoop of paneer, and raita — nothing else." You get exactly what you asked for, no more, no less. At a fixed-menu restaurant, ordering the thali means you get everything on the plate whether you want it or not.

With GraphQL, that three-request REST scenario becomes a single request:

query {
  restaurant(id: 42) {
    name
    rating
    photo_url
    menu(limit: 5) {
      item_name
      price
    }
    reviews(limit: 3) {
      text
      reviewer {
        name
      }
    }
  }
}

One request. One response. Containing exactly the fields you asked for and nothing else.

Here's a direct comparison:

┌─────────────────────────────────────────────────────────────────┐
│                      REST vs GraphQL                             │
│                                                                   │
│  REST (Fixed Menu)                GraphQL (Build-Your-Own)       │
│  ─────────────────                ─────────────────────────      │
│                                                                   │
│  Multiple endpoints:              Single endpoint:               │
│  /restaurants/42                  /graphql                       │
│  /restaurants/42/menu                                            │
│  /restaurants/42/reviews          Client specifies the shape     │
│                                   of the response in the query   │
│  Server decides what to                                          │
│  include in the response          Client decides what to         │
│                                   include in the response        │
│                                                                   │
│  Over-fetching common             No over-fetching               │
│  Under-fetching common            No under-fetching              │
│  (need multiple requests)         (one request gets everything)  │
│                                                                   │
│  Easier to cache                  Harder to cache                │
│  Simpler to learn                 Steeper learning curve         │
│  Better for simple APIs           Better for complex, nested     │
│                                   data with many relationships   │
│                                                                   │
│  Used by: Stripe, Twitter/X,      Used by: Facebook, GitHub,     │
│  most public APIs                 Shopify, Airbnb                │
└─────────────────────────────────────────────────────────────────┘

So which one wins? Neither. They solve different problems.

REST excels when you have well-defined, predictable resources and want maximum simplicity. Most public APIs — payment gateways, weather services, government data — use REST.

GraphQL excels when you have complex, interconnected data and multiple client types (web, iOS, Android) that each need different slices of data. Facebook, GitHub, and Shopify use GraphQL because their data models are deeply nested and their clients are diverse.

Why This Exists

The real insight isn't "REST vs GraphQL" — it's that how you design the interface between systems determines how fast you can move. A bad API, regardless of style, slows every team that depends on it. A good API accelerates everyone. This is why companies like Stripe and Twilio, whose entire product is an API, obsess over design. Their API isn't a technical detail — it's the product itself.

Authentication: How the System Knows You're You

You open the Razorpay dashboard to check your payment settlements. You type in your email and password. A moment later, you're in — seeing your transaction history, your bank account details, your business's revenue.

How did Razorpay know it was really you? How did it know it wasn't someone else typing your email? And how does it keep knowing it's you as you click from page to page?

This is the problem of authentication (often shortened to auth) — verifying the identity of a user. "Who are you?"

Authentication has evolved through several eras, each solving problems the previous one created.

Era 1: Passwords (The Key to Your House)

The oldest and most familiar method. You create a password, the server stores it, and when you log in, you prove your identity by providing the password.

Analogy

A password is a key to your house. If you have the right key, the door opens. The problem? Keys can be copied. People use the same key for every door. People write the key's shape on a Post-it note and stick it to the door frame.

What the server actually stores isn't your password — it's a hash of your password. A hash is a one-way mathematical transformation that turns "MyPassword123" into something like "a3f2b8c9d1e4f5a6b7c8d9e0f1a2b3c4." The transformation can't be reversed. When you type your password, the server hashes what you typed and compares it to the stored hash. If they match, you're in.

This matters because even if a hacker steals the database, they get hashes — not passwords. They'd have to guess billions of passwords and hash each one to find a match (called a brute-force attack).

Era 2: Sessions (The Wristband)

Here's the problem with passwords: the server is stateless. It doesn't remember you between requests. If you send your password with every single click, that's both slow and dangerous — your password crossing the internet hundreds of times per session.

The solution: sessions. After you log in with your password, the server creates a session — a temporary record that says "User #4589 logged in at 2:30 PM." The server gives you a session ID — a random, unique string — and your browser stores it in a cookie (a small piece of data stored in your browser).

Analogy

Think of a music festival. You show your ticket (password) at the entrance. They give you a wristband (session ID). For the rest of the day, you show the wristband to get into stages, buy food, and access VIP areas — without showing your ticket again. The wristband proves you already showed your ticket.

Sessions work well but have a scaling problem. The server has to store every active session in memory. If you have 10 million users logged in simultaneously, that's 10 million sessions to track. And if you have multiple servers (which every large application does), they all need to share session data — or a user might log in on Server A and then get routed to Server B, which doesn't know about them.

Era 3: JWTs (The Self-Contained Badge)

JWT (JSON Web Token, pronounced "jot") solves the session scaling problem elegantly. Instead of the server storing your session, the server gives you a self-contained token that carries all the information about you.

┌─────────────────────────────────────────────────────────────────┐
│                    JWT AUTHENTICATION FLOW                        │
│                                                                   │
│  ┌──────────┐                          ┌──────────────┐          │
│  │          │  ──① Login ───────────▶  │              │          │
│  │  CLIENT  │     (email + password)   │    SERVER    │          │
│  │          │                          │              │          │
│  │          │  ◀── ② JWT Token ──────  │   Verifies   │          │
│  │          │     (signed, encoded)    │   password   │          │
│  │          │                          │   Creates    │          │
│  │ Stores   │                          │   JWT with   │          │
│  │ JWT in   │  ──③ Request + JWT ──▶   │   user data  │          │
│  │ browser  │     (Authorization       │              │          │
│  │          │      header)             │   Decodes    │          │
│  │          │                          │   JWT,       │          │
│  │          │  ◀── ④ Response ───────  │   verifies   │          │
│  │          │     (protected data)     │   signature  │          │
│  └──────────┘                          └──────────────┘          │
│                                                                   │
│  The JWT contains:                                               │
│  ┌─────────────────────────────────────────────────────┐         │
│  │ HEADER: { algorithm, token type }                   │         │
│  │ PAYLOAD: { user_id: 4589, role: "admin",            │         │
│  │           name: "Shravan", exp: 1711929600 }        │         │
│  │ SIGNATURE: HMAC(header + payload, secret_key)       │         │
│  └─────────────────────────────────────────────────────┘         │
│                                                                   │
│  The signature ensures the token hasn't been tampered with.      │
│  The server never stores the token — it verifies the signature   │
│  on each request using its secret key.                           │
└─────────────────────────────────────────────────────────────────┘

Analogy

A JWT is like a government-issued ID card. Your Aadhaar card has your name, photo, and ID number printed on it, along with a QR code that the government signed. When someone scans the QR code, they can verify it's genuine — without calling the government to check. The information is in the card. The verification is in the signature.

A JWT has three parts:

Header: What type of token it is and what algorithm was used to sign it
Payload: Your actual data — user ID, name, role, expiration time
Signature: A cryptographic seal created by combining the header, payload, and a secret key only the server knows

The beauty of JWTs: the server doesn't store anything. When a request arrives with a JWT, the server decodes the token, checks the signature (using its secret key), and if the signature is valid, trusts the data inside. No database lookup. No session storage. Any server can verify any JWT. This is how systems scale to millions of simultaneous users.

Era 4: OAuth (The Valet Key)

You've seen those "Log in with Google" buttons. That's OAuth (Open Authorization) — a protocol that lets you log into one service using your identity from another.

Analogy

Some luxury cars come with a valet key — a special key that starts the engine but can't open the trunk or the glove compartment. You hand the valet a limited-access key. They can park the car, but they can't access your belongings.

OAuth works the same way. When you click "Log in with Google" on Notion:

Notion redirects you to Google
Google asks: "Notion wants to know your name and email. Allow?"
You click Allow
Google sends Notion a token — like a valet key — that lets Notion see your name and email, but nothing else. Not your Gmail. Not your Drive files. Not your search history. Only what you explicitly permitted.

This solves two problems: users don't need to create yet another password, and services like Notion never handle your actual credentials. Google manages the identity; Notion trusts Google's verification.

Authorization: You're In, But Can You Go There?

Authentication answers "Who are you?" Authorization answers "What are you allowed to do?"

They're different questions, and confusing them is one of the most common security mistakes in software.

Analogy

Authentication is showing your ID at the airport entrance. Authorization is your boarding pass — it determines which gate you can enter. Your ID proves who you are. Your boarding pass determines what you have access to. You need both to fly, but they serve different purposes.

Here's a concrete example. You work at a company that uses an internal dashboard. When you log in, authentication verifies your identity. But what you see depends on your role:

Role	Can View Reports	Can Edit Reports	Can Manage Users	Can Access Billing
Viewer	✅	❌	❌	❌
Editor	✅	✅	❌	❌
Admin	✅	✅	✅	✅

This is role-based access control (RBAC) — the most common authorization model. Each user gets a role, and each role has a set of permissions (specific actions they're allowed to take).

More sophisticated systems use attribute-based access control (ABAC), where permissions depend on multiple factors: your role, the time of day, your location, the sensitivity of the data. A bank might allow fund transfers up to ₹10 lakh during business hours but require additional verification for late-night transfers above ₹1 lakh.

Real-Life Example

In 2019, a Capital One engineer discovered that a misconfigured server had no proper authorization checks — anyone who could reach a specific internal API could access data from any customer account. The breach exposed 100 million customer records. The server had authentication (you had to be "someone"), but broken authorization (you could access "everything"). The distinction between auth and authz isn't academic — it's the difference between a secure system and a headline-making breach.

Serverless: When You Don't Manage the Kitchen

So far, we've talked about servers as computers you (or your company) manage. But what if you didn't have to?

Imagine opening a restaurant where you don't build or maintain the kitchen. You write recipes, and a magic kitchen appears only when someone places an order. Between orders, the kitchen doesn't exist. You pay only for the minutes the kitchen is active, not for the hours it sits idle.

This is serverless computing. The name is misleading — servers still exist. You don't manage them. A cloud provider like AWS, Google Cloud, or Vercel handles all the infrastructure: the hardware, the operating system, the networking, the scaling. You write functions — small pieces of business logic — and the cloud runs them on demand.

Analogy

Think about electricity. A hundred years ago, factories had to build and maintain their own power plants. They hired engineers, bought generators, managed fuel supply. Then the electrical grid appeared. Now a factory plugs into the wall and pays for what it uses. The power plant still exists — the factory stopped worrying about it. Serverless is the electrical grid for computing.

How Serverless Works

In a traditional server setup, your application runs 24/7 on a server, whether anyone is using it or not. Like keeping the restaurant kitchen fully staffed at 3 AM when no one is ordering.

In a serverless setup:

You write a function: "When someone requests /api/search, run this code"
You deploy it to a cloud provider (Vercel, AWS Lambda, Google Cloud Functions)
When a request arrives, the cloud provider spins up a tiny container, runs your function, sends the response, and destroys the container
You pay only for the milliseconds your function ran

The tradeoff: serverless functions have a cold start — the first request after a period of inactivity takes longer because the container needs to be created. This delay is usually 100-500 milliseconds. For most applications, this is negligible. For real-time trading platforms or competitive gaming servers, it's unacceptable.

Why This Exists

Serverless changes who worries about what. With traditional servers, your team worries about uptime, security patches, scaling, load balancing, and hardware failures. With serverless, the cloud provider worries about all of that — your team worries only about the business logic. This is a profound shift in how software companies allocate engineering time. A startup with 2 engineers can serve millions of users on serverless infrastructure, because the infrastructure is someone else's problem.

Vercel and the Rise of the "Full Stack Cloud"

If you're building a web application with Next.js (the React framework we mentioned in Chapter 2), Vercel is where most teams deploy it. Vercel takes the serverless concept and extends it: every page of your website becomes a serverless function. The page at /about is a function that runs when someone visits it. The API endpoint at /api/orders is a function that runs when the app calls it.

You write the code. You push it to GitHub. Vercel deploys it globally in under a minute, distributes it across data centers worldwide, handles HTTPS certificates, and scales automatically. The first time you deploy an app to Vercel and access it via a real URL, it feels like witchcraft. It isn't — it's the infrastructure layer becoming invisible, which is the natural direction of all technology.

Real-World: Backends at Scale

Theory becomes real when you see how the largest systems in the world actually work.

Netflix: 2 Billion Requests Per Day

Netflix serves over 260 million subscribers across 190+ countries. Their backend handles over 2 billion API requests daily — everything from loading your personalized homepage to streaming 4K video to updating your watch history.

Netflix uses a microservices architecture — instead of one giant server running everything (a monolith), they have over 1,000 small, independent services. One service handles user profiles. Another handles recommendations. Another handles video encoding. Another handles billing. Each is deployed independently, scaled independently, and can fail independently without bringing down the whole system.^[3]

Why? Because at their scale, a monolith would be impossible to maintain. If one engineer's change to the billing code broke the video streaming service, 260 million people would be affected. With microservices, a billing bug only affects billing. The rest of the system keeps running.

Stripe: The API as Product

Stripe is a payments company, but in a deeper sense, Stripe is an API company. Their entire product is a set of API endpoints that let businesses accept payments. When you pay for something online and the checkout is smooth and invisible — no redirect to a third-party page, no clunky payment form — that's probably Stripe behind the scenes.

What makes Stripe's API legendary among developers:

Predictable URLs: POST /v1/charges creates a charge. GET /v1/charges/ch_123 retrieves it. No surprises.
Consistent error handling: Every error returns a structured JSON object with a type, code, and human-readable message. Developers never have to guess what went wrong.
Versioning: When Stripe changes their API, old versions keep working. You can specify the API version in your request header, so your integration doesn't break when Stripe ships updates.
Idempotency: If a network error occurs during a payment, you can safely retry the request. Stripe guarantees the payment won't be processed twice. This is critical for financial systems.

Stripe's API documentation is an artifact worth studying. Not because you need to use Stripe, but because it demonstrates what excellence looks like when the API is the product.^[2]

PhonePe: 310 Million Transactions Per Day

PhonePe processes over 310 million UPI transactions daily, making it the largest payments platform in India. To put that in perspective: PhonePe handles more daily transactions than Visa and Mastercard combined in India.

Their backend faces a unique challenge — each transaction must complete in under 2 seconds (the UPI mandate), and the system must handle massive spikes during events like IPL matches or flash sales, when transaction volume can surge 5-10x in minutes.

PhonePe uses a combination of microservices, event-driven architecture, and aggressive caching to achieve this. Their backend is a testament to the fact that India's digital infrastructure — UPI, Aadhaar, and the India Stack — represents some of the most sophisticated backend engineering in the world, processing volumes that dwarf many Western counterparts.

What Language Is the Kitchen Using?

A natural question: what programming languages are these backends written in?

The backend can be written in almost any language. Unlike the frontend (which is constrained to JavaScript, HTML, and CSS because browsers only understand those), the backend runs on a server you control — so you can use whatever language you want.

Common backend languages in 2026:

Language	Used By	Known For
JavaScript/Node.js	Netflix, LinkedIn, Uber	Same language as frontend; huge ecosystem
Python	Instagram, Spotify, Dropbox	Readable; dominant in AI/ML
Java	Google, Amazon, most Indian enterprises	Mature, fast, enterprise-standard
Go	Google, Uber, Twitch	Built for concurrency; great for high-traffic systems
Rust	Discord, Cloudflare, Figma	Extremely fast; memory-safe; growing rapidly
TypeScript	Vercel, Stripe, most startups	JavaScript with type safety; increasingly dominant

For this book's exercises, we'll use TypeScript with Node.js — because it's the same language used on the frontend, meaning you learn one language for both sides. This is the stack used by most startups and indie builders in 2026.

Bringing It All Together

Let's trace a real request through every concept in this chapter. You open Zomato and tap "Reorder" on your last biryani order.

Frontend (Chapter 2): The app shows a loading spinner and sends a request
API (waiter): The request goes to POST /api/orders with your previous order details
Authentication (JWT): The request includes your JWT token in the header. The server decodes it, checks the signature, and confirms you're user #4589
Authorization (RBAC): The server checks — can this user create orders? Yes, all authenticated users can order
Business logic (the chef): The server checks restaurant availability, calculates delivery time, applies any applicable coupons, and computes the total price
Database (walk-in fridge): The server creates a new order record, reserves the items, and debits your wallet balance
Response: The server sends back { "order_id": 78234, "status": "confirmed", "eta_minutes": 32 }
Frontend renders a confirmation screen with the order details and a live tracking map

Every piece of this chapter — servers, APIs, REST, authentication, authorization, databases — participated in that one tap. And it happened in under 400 milliseconds.

Exercise: Build Your First API

Let's build something real. You're going to create a simple API that stores and returns your favorite books — using Claude Code to write the backend for you.

What you'll build: An API with two endpoints:

GET /api/books — returns all your favorite books
POST /api/books — adds a new book

Step 1: Set up the project

Open your terminal and run:

mkdir favorite-books-api
cd favorite-books-api

Step 2: Ask Claude Code to build it

Open Claude Code in this directory and type:

"Build me a simple Node.js API using Express that stores favorite books in memory (no database needed). I need two endpoints: GET /api/books that returns all books as JSON, and POST /api/books that accepts a JSON body with 'title' and 'author' fields and adds the book to the list. Include 3 starter books. Add a root endpoint at / that returns a welcome message. Include clear comments explaining every line."

Claude Code will generate a file (likely index.js or server.js) with around 40-60 lines of code. Read every line and every comment.

Step 3: Run it

npm install express
node server.js

You'll see something like: Server running on http://localhost:3000

Step 4: Test it

Open a new terminal tab and try:

# Get all books
curl http://localhost:3000/api/books
 
# Add a new book
curl -X POST http://localhost:3000/api/books \
  -H "Content-Type: application/json" \
  -d '{"title": "Sapiens", "author": "Yuval Noah Harari"}'
 
# Get all books again — your new book should appear
curl http://localhost:3000/api/books

Step 5: Extend it

Ask Claude Code: "Add a DELETE /api/books/:id endpoint that removes a book by its ID."

Then test it:

curl -X DELETE http://localhost:3000/api/books/1
curl http://localhost:3000/api/books

What you accomplished: You built a REST API. You created a server that listens for requests, processes them with business logic, stores data, and sends responses. The "kitchen" you never see? You built one. It has three operations on a menu (GET, POST, DELETE), it serves data in JSON format, and any client — a browser, a mobile app, another server — can talk to it using standard HTTP requests.

What We Covered

This chapter took you behind the wall, into the kitchen. You now understand:

The server receives requests, runs business logic, talks to databases, and sends responses — the four-step rhythm of every internet interaction
APIs are the contracts between systems — the waiter, the electrical outlet, the agreement on how two pieces of software communicate
REST is the fixed menu: predictable URLs, standard methods, stateless design, JSON responses
GraphQL is the build-your-own bowl: one endpoint, flexible queries, client-controlled responses
Authentication is "who are you?" — evolved from passwords to sessions to JWTs to OAuth
Authorization is "what can you do?" — roles and permissions that control access
Serverless means you write the recipes while someone else manages the kitchen
Real systems — Netflix, Stripe, PhonePe — use these exact concepts at extraordinary scale

In the next chapter, we go deeper. The server talks to the database, but what is a database? How does it store millions of records and find one in milliseconds? How do you design one that doesn't collapse under its own weight?

Chapter 4 opens the walk-in fridge.

Chapter endnotes

[1] Martin Fowler's writing on REST, particularly "Richardson Maturity Model" (2010), remains the clearest explanation of REST API design levels. His core insight — that REST is an architectural style with degrees of maturity, not a binary standard — reframes how teams think about API quality. See martinfowler.com/articles/richardsonMaturityModel.html.

[2] Stripe's API reference (stripe.com/docs/api) has been cited by Patrick McKenzie, Guillermo Rauch (CEO of Vercel), and dozens of developer experience leaders as the benchmark for API documentation. The documentation is itself a product — it has its own design team and its own versioning system.

[3] Netflix's technology blog (netflixtechblog.com) is a treasure trove of backend engineering knowledge. Their migration from a monolithic architecture to microservices, documented over a decade of blog posts, is the most referenced case study in distributed systems design. Adrian Cockcroft, then VP of Cloud Architecture at Netflix, led this transition and has spoken extensively about the tradeoffs involved.

[4] PhonePe's scale figures are from their public disclosures and NPCI (National Payments Corporation of India) monthly reports. As of early 2026, PhonePe commands approximately 48% of all UPI transaction volume in India.