Create API with Expressive?

Hi all,

I would like to use Expressive for my new REST API services. I tested Apigility (1.4.1) and it is a really good product, but “in my case” it misses some default features like ACL or RBAC, for example (I know we can add a module like zfc-rbac, but it is not necessarily easy to implement).

I read that Expressive (Middleware) is the future and don’t want to start a new big project with Apigility (1.4.1) if I know that Expressive is ready for this task (I have more than 100 API services to create…). And Apigility 2 will be based on Expressive, if I understand well. I saw that many components are in active dev (zend-expressive-authorization, authentication, rbac, acl, oauth2, …) and that Expressive v3 is in preview state. It moves a lot and I’m a little lost…

So below are my questions:

  • Can I start with the Enrico Tutorial for my base API?
  • Is there a complete and working example/doc of an API with Expressive (2 or 3)? (including roles, authentication)
  • Is there a release date for v3 and components? (approximately)

Thanks for your help!


Here is an ACL implementation for Doctrine in Apigility:

This book may help if you’re interested in using Doctrine:

I haven’t seen anyone create an RBAC identity although it is coded into the Doctrine required identity currently.

1 Like

There is no ETA yet. The waiting is for the PSR-15 release.

I haven’t seen that api-tutorial but there is a blogpost which uses RBAC: Authorize users using Middleware - Blog - Zend Framework

Some of the related proposals with more info:

1 Like

We have most of the pieces in place at this time, though in “pre-release” states:

  • zend-expressive-session: session middleware, in case you want to store credentials via a session. Storage is adapter-based, and we currently have a single adapter, supporting ext-session.
  • zend-expressive-authentication: adapter-based authentication middleware; we have HTTP Basic, OAuth2 (server), session-based login/password, and zend-authentication adapters currently.
  • zend-expressive-authorization: adapter-based authorization middleware, using the authenticated user as provided by zend-expressive-authentication. We have zend-permissions-acl and zend-permissions-rbac adapters currently.
  • zend-expressive-hal
  • zend-problem-details

The only “engine” piece that Apigility currently provides that we are missing at this time is validation; this can be fairly easily achieved, however, using zend-inputfilter within your handlers or domain layer. It’s the next major milestone we have before we can present a comprehensive API solution with Expressive, however. Unfortunately, that milestone is after the migration to PSR-15… so, let’s talk about that.

In terms of Expressive v3, the main change with the new major version is that we will be explicitly supporting only PSR-15 for middleware and delegates/handlers (vs callables and the interim http-interop project which served as the proving grounds for PSR-15). PSR-15 is currently in its Review phase, and we’re finishing up a few clarifications to the proposal this week. After those are in place, we’ll be doing an acceptance vote, which can take up to two weeks. This means Expressive v3 will drop at the end of this month at the earliest, and potentially not until sometime in February.

In terms of the various API modules, we will likely mark each of those as stable along with the Expressive v3 release, even if we do not have the validation piece in place. The validation piece will happen either at the same time, or within a month following Expressive v3.

You can definitely use Enrico’s tutorial as a starting point. However, be aware that it was developed against early revisions of zend-expressive-authorization and zend-expressive-session and zend-expressive-authentication, so some things may have changed in those libraries since; read their CHANGELOG files for details so you know how to upgrade.

In terms of upgrading from v2 to v3, we will be providing both tutorials and tooling to assist users. So go ahead and get started now!


Thanks a lot @matthew for all these clarifications. So, like you said, it is time to go ahead! I will start my API project with Expressive v2 and will see in February for the v3 upgrade… For validation, I already used InputFilter in some ZF2 projects, so it is OK. I will see now how the OAuth2 server middleware and RBAC work… :wink:

Thanks for this information!

Hi @matthew
Zend Expressive v3 is officially out. I would like to hear your recommendation about having an API implementation with Expressive. I’m kind of not sure if Expressive is a valid alternative to Apigility.


Expressive 3 and its direct related packages have been released. Also zend-expressive-session, zend-expressive-hal and zend-problem-details are released as stable packages.

zend-expressive-authentication, zend-expressive-authorization and related packages got new alpha releases. So they didn’t make it yet as stable releases and I expect a lot more changes to come for those packages.

And @matthew talked about changes for zend-validator, which don’t have any related PRs yet.

So can you build APIs with Expressive 3? Yes.
Can it replace all functionality of Apigility? Not yet.
ETA? Not any time soon. But you could start building your API with the components there are with Expressive 3 and give feedback and open PRs. The more feedback and help, the faster stable releases can be tagged.


Middleware architectures in general are definitely valid alternatives to Apigility. The difference, however, is that you need to do more manual work at this stage: creating custom middleware pipelines to enable the features you need (such as authentication, authorization, etc.), and wiring the various services.

Additionally, while we’re still working on a number of API-enabling packages (nit-pick, @xtreamwayz: zend-expressive-session is tagged v1!), you are not limited to what we offer. There are quite a number of PSR-15 compatible middleware packages in the ecosystem. Look on packagist for a list, and refine the search for specific needs (e.g., validation, content negotiation, etc.).

We recognize that the admin UI for Apigility is a big part of its approachability, and are evaluating if/when we can make that happen with an Expressive-based offering. However, there are a number of key differences that make such an offering far more complex (ability to provide route-based pipelines, for example), and we will have to weigh whether the benefits of a UI outweigh its limitations (we may or may not be able to expose everything we want via one).

I will repeat, though: middleware architectures are eminently suited to API development, and Expressive 3 is no exception. It’s one of their primary use cases.

1 Like
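
As an added illustration of the manual wiring described in the post above (not code from any participant in this thread or from the Zend packages): a hand-written PSR-15 middleware that refuses any route not explicitly mapped to one of the caller's roles. The class name, the `roles` request attribute and the route-to-role map are hypothetical; it assumes zend-expressive-router and zend-diactoros are installed.

```php
<?php
declare(strict_types=1);

namespace App\Middleware; // hypothetical application namespace

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Zend\Diactoros\Response\JsonResponse;
use Zend\Expressive\Router\RouteResult;

/**
 * Deny-by-default role check keyed on the matched route name.
 */
final class RoutePermissionMiddleware implements MiddlewareInterface
{
    /** @var array<string, string[]> route name => roles allowed to call it */
    private $allowed;

    public function __construct(array $allowed)
    {
        $this->allowed = $allowed;
    }

    public function process(
        ServerRequestInterface $request,
        RequestHandlerInterface $handler
    ): ResponseInterface {
        // Assumption: an authentication middleware earlier in the pipeline has
        // already rejected anonymous callers and stored the caller's roles in
        // the hypothetical "roles" request attribute.
        $roles = $request->getAttribute('roles');
        $roles = is_array($roles) ? $roles : [];

        // The routing middleware stores its result under RouteResult::class.
        $result = $request->getAttribute(RouteResult::class);
        $name   = $result instanceof RouteResult ? $result->getMatchedRouteName() : false;

        // Routes missing from the map, or requests with no matched route,
        // resolve to an empty allow-list and are refused.
        $permitted = is_string($name) ? ($this->allowed[$name] ?? []) : [];
        if (array_intersect($roles, $permitted) === []) {
            return new JsonResponse(['title' => 'Forbidden', 'status' => 403], 403);
        }

        return $handler->handle($request);
    }
}
```

Pipe it after the routing and authentication middleware so both request attributes are populated before the check runs.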

@MichaelB you can start from my ZendCon 2017 tutorial but this is based on Expressive 2. I need to rewrite it for Expressive 3! In the meantime, if you need any assistance let me know.

Ah yeah, my bad. Updated my reply.