The Simple, Secure Framework Developers Trust
Build powerful, scalable applications, with minimal overhead and full out-of-the-box functionality - your code, your way
Get started with hapi
Originally developed to handle Walmart’s Black Friday scale, hapi continues to be the proven choice for enterprise-grade backend needs.
"At Brave, developing web services with hapi allows us to focus on the many problems to be solved, not on the details of the tool being used. hapi provides the right set of core APIs and extensible plugins to support the requirements of a modern service - session management, security, connectivity, and testing."
- Brendan Eich
Creator of JavaScript & CEO, Brave

Trusted for Simplicity, Security, and Satisfaction

83% of developers* are concerned with the security of open-source code. You’re probably among that 83%.
* npm Inc. 2019 Trends in JavaScript report

You’ve got nothing to worry about with hapi.

When you npm install @hapi/hapi, every single line of code you get has been verified. You never have to worry about some deep dependency being poorly maintained (or handed over to someone sketchy). hapi is the only leading Node framework without any external code dependencies. None.

How do we keep hapi secure?

  • End-to-end Code Hygiene — hapi requires the most secure settings to manage, control, and distribute code, including 2FA for all contributors.
  • Secure Defaults, Updated Regularly — every hapi component comes with the most secure defaults out-of-the-box. Along with protecting server load with payload limits and request timeouts, hapi blocks error messages that could leak information or echo back exploits.
  • Integrated Authorization and Authentication Architecture — the most comprehensive authorization and authentication API available in a Node framework.
  • Advanced Features — with encrypted and signed cookies, secret or key rotation, and HTTP security headers, there are no excuses for building insecure applications.
  • Reliable, Predictable Ownership – when something goes wrong, you know who to contact. Security updates are handled under a strict, well-defined protocol.
  • Rich ecosystem – hapi’s extensive set of official plugins means no more blindly trusting some middleware you found for critical functionality just because it has a high count on npm.
  • In-house Security Expertise – created by Eran Hammer, the author of the OAuth specifications and other identity protocols.
"We love hapi’s clear structure. In particular, its plugin system and request lifecycle - they make it easy for us to separate cross-cutting concerns from our API business logic. It allows us to add features and fix bugs at a fast pace. The hapi ecosystem provides a consistent and secure building block to develop HTTP services at scale."
- Damian Schenkelman
Director of Engineering, Auth0

Recognized for Industry Leading Quality Standards

hapi has been pushing the envelope on quality from day one. It was the first Node framework to require and achieve 100% code coverage across every dependency – when everyone thought it was crazy.
When quality and performance are in conflict, most frameworks choose wrongly and sacrifice quality for performance. It might save them a millisecond, but it will cost you days. hapi always chooses readability. Machines keep getting faster and cheaper. Humans only get slower and more expensive.
On practically every measurable quality metric, hapi scores at the very top:
  • Code Readability — if you cannot open the source code of your framework and understand how it works, sooner or later you are going to be in trouble.
  • Coverage and Style — 100% code coverage using strict coverage rules and a coding style optimized to reduce bugs and increase comprehension – always end-to-end.
  • Open Issues — hapi and its official plugins are actively kept with only a handful of open issues or pull requests. Few other ecosystems can claim this low level of outstanding issues end-to-end across every single dependency.
“With a well-planned interface and selection of patterns, hapi has allowed us to get started on business logic on day one of each new project, knowing that we have a solid, yet extendable code base with great test coverage to build off of.”
- Johnny Megahan
Beats Music

Relied on for Friction-Free Development and Intuitive Internals

The question we care most about is, “Are you happy?”
hapi is developer-first — so you can spend your brainpower on the places that matter.
Every hapi feature is designed to make the platform easier and more intuitive to use. That means there’s no need to hack things together, experiment to see what *might* work, or try to figure out hidden internals. There is no “magic” – the code does what you expect with easy-to-follow internal logic.
hapi's clean and easy-to-learn interface doesn’t take up too much space. It is designed for a small surface area, allowing you to build your applications as you see fit, using your style and the technologies of your choosing.
And hapi users certainly are. In survey after survey, hapi scores at the very top for developer satisfaction.
"hapi allows us to develop loosely coupled capabilities in a distributed development environment. It is easy to test and has excellent documentation. hapi is the enterprise grade foundation that drives our next generation web applications."
- Patrick Ritchie
Director of Engineering, Vrbo

Keeps Large Distributed Teams on the Same Page

hapi was designed from the ground up to support large, distributed, and remote teams – allowing them to effectively work together on common code. No more toe stepping.

Say goodbye to middleware hell

hapi was the first Node framework (and in some ways, still the only) to provide strong guarantees. The order in which parallel or unrelated components are configured should never produce unexpected results.
  • Plugin dependencies — plugins can safely rely on other plugins, including the order in which they must be executed, no matter the order in which you register them.
  • Extension priorities — request lifecycle extensions can specify their relative order so future extensions won’t disrupt the existing balance.
  • Namespace protection — caches, plugins, decorators, and server methods are all protected and cannot be implicitly overridden.
  • Zero routing conflicts — paths will never conflict, and will always result in the same priority order — no matter what order they’re added in.
"hapi's extensive plugin system allows us to quickly build, extend, and compose brand-specific features on top of its rock-solid architecture. It has become our secret weapon for powerful API services."
- Paul Fryzel
Principal Engineer, Condé Nast

Provides True Extensibility and Customization, Safely and Predictably

hapi comes pretty loaded out-of-the-box, but it also has the most mature and complete set of extension points at every step — including authentication, authorization, and validation.

Middleware is just another name for bad design.

hapi doesn’t use middleware, because it’s a bad pattern. Instead of a generic, one-size-fits-all approach taken by almost every other framework, hapi provides a rich, laser-focused extensibility model that puts security and predictability first.

Make it Yours.

hapi has always led the way with tools to make the server yours. It was the first to introduce these (often imitated but poorly executed) features:
  • Framework plugins — a truly composable way of breaking your application into logical components with a super-thin abstraction layer.
  • Request lifecycle — the exact order in which “stuff happens,” allowing you to choose the specific spot to extend or modify how your application operates.
  • Server methods — reusable, cacheable functions accessible throughout the application.
  • API Decorations — user-defined API that lives, safely, side by side with the official API.
Plus, everything is properly namespaced, which makes extensions safe and easy to use. You’ll never have to worry about your application failing in production because of a runtime conflict between two extensions or plugins. Everything is validated at load time so you can easily identify conflicts during development.