Hono.js Tutorial: REST API with Zod, JWT & Cloudflare Workers

Scaffold a new project with the official CLI. It asks which runtime you're targeting and sets up the right config and dependencies for that target automatically.

You'll be prompted to pick a template. For this guide, choose cloudflare-workers. Other options include bun, deno, nodejs, aws-lambda, and vercel, all sharing the same core API.

npm run dev starts a local dev server (powered by Wrangler) at http://localhost:8787. The generated starter looks like this:

c is the context object, and it's the only argument every handler receives. It wraps the incoming request (c.req), gives you response helpers (c.json(), c.text(), c.html()), and on Cloudflare Workers exposes bindings and environment variables through c.env. Almost everything you do in a Hono handler goes through c.

Hono's routing API will feel immediately familiar if you've used Express, but every handler runs through the same (c) => ... shape. Here's a small set of routes covering the three most common inputs: a path parameter, a query string, and a JSON body.

That's enough to build a working CRUD API. The next steps add the pieces that turn it into something you'd actually ship: middleware, validation, and authentication.

Middleware in Hono is a function that runs before (and optionally after) a route handler. Hono ships several built-in middleware for common needs, and writing your own is just a function with a next() call.

app.use(logger()) runs on every route, app-wide. app.use('/api/*', cors()) is scoped: it only runs for paths matching /api/*. This route-level scoping is how you apply different middleware to different parts of the API without nesting routers.

Custom middleware follows the same shape: a function that takes c and a next callback, does something, then calls await next() to hand off to the next middleware or the route handler.

c.set() and c.get() store values in the request's context, so a value set in one middleware is available in later middleware and in the route handler itself. Code before await next() runs on the way in; code after it runs on the way out, once the response is ready.

Manually checking if (!body.email) for every field gets unmaintainable fast, and it's easy to miss a case. Hono's official Zod integration validates the request and gives you a fully-typed result in one step.

If the request body fails validation, the handler never runs. @hono/zod-validator automatically returns a 400 Bad Request with Zod's error details in the response body, so there's no manual try/catch around schema.parse() to write.

Hono includes JWT signing and verification as a built-in middleware under hono/jwt, so there's no extra package to install for basic JWT auth.

Reading c.env.JWT_SECRET means the secret comes from the runtime environment, not a hardcoded string in your source. Step 7 covers how to set JWT_SECRET as an encrypted Cloudflare secret so it never ends up in your repo.

A single src/index.ts file works for a demo, but a real API with users, posts, and comments needs to be split up. app.route() mounts a separate Hono instance at a path prefix, and each sub-app keeps its own routes, middleware, and types.

Every route defined on the users sub-app gets prefixed with /users automatically: users.get('/:id', ...) becomes GET /users/:id once mounted. This pattern scales cleanly to 5, 10, or 50 routes, with each resource living in its own file and the top-level src/index.ts staying a short list of mount points.

If you used the cloudflare-workers template in Step 1, Wrangler (Cloudflare's CLI) is already installed. Log in once, then deploy with a single command.

wrangler login opens a browser to authorize the CLI against your Cloudflare account. wrangler deploy bundles src/index.ts and uploads it as a Worker. Your API is live at https://my-api.<your-subdomain>.workers.dev within seconds.

Configuration lives in wrangler.toml. This is where you define the Worker's name, compatibility settings, and any bindings to KV, D1, or R2:

For secrets like JWT_SECRET, never put the value in wrangler.toml (it's checked into git). Use wrangler secret put instead, which stores the value encrypted on Cloudflare's side:

This prompts for the value interactively and never writes it to disk. Both secrets and bindings show up on the same c.env object inside your handlers. Type them with a Bindings type so c.env.JWT_SECRET and c.env.DB are fully typed:

For local development, npx wrangler dev runs the same Worker runtime locally, including bindings and secrets pulled from a local .dev.vars file, so what you test locally matches production behavior closely.

The same app you built works on Node.js with one extra package: @hono/node-server adapts Hono's Fetch-API-based handler to Node's http module.

Notice that app itself doesn't change at all, only the entry point does. Every route, middleware, and validator from the earlier steps works identically.

There's no urgency to choose one forever. Because the routing and middleware layer is identical, moving a Hono API from Node.js to Workers later (or the reverse) is mostly a change to the entry file, not a rewrite.

If you're starting a new API that will run on an edge runtime (Cloudflare Workers, Vercel Edge, Deno Deploy), Hono is the better default. Its small size and Fetch-API foundation mean it actually works in those environments, while Express assumes Node's http module and doesn't run on most edge runtimes without a compatibility shim.

If you already have a working Express API on traditional Node.js infrastructure, there's no urgent reason to rewrite it. Express's ecosystem of middleware is larger and more mature simply because it's been around since 2010. Migrate when you're building something new for the edge, not because Hono is newer.