Translation last updated: 17 Nov 2015.
This documentation is for LoopBack 2.x.
For the latest information, see the LoopBack documentation in English.


LoopBack models automatically have a standard set of HTTP endpoints that provide REST APIs for create, read, update, and delete (CRUD) operations on model data. The public property in model-config.json specifies whether to expose the model's REST APIs, for example:


To "hide" the model's REST API, simply change public to false.

REST paths

By default, the REST APIs are mounted to the plural of the model name; specifically:

  • Model.settings.http.path
  • plural, if defined in the Model definition JSON file.
  • Automatically-pluralized model name (the default). For example, if you have a location model, by default it is mounted to /locations

Using the REST Router

By default, scaffolded applications expose models over REST using the router.


If your application is scaffolded using slc loopback, LoopBack will automatically set up REST middleware and register public models. You don't need to do anything additional.

To manually expose a model over REST with the router, use the following code, for example:


After this, the Product model will have create, read, update, and delete (CRUD) functions working remotely from mobile. At this point, the model is schema-less and the data are not checked.

You can then view generated REST documentation at http://localhost:3000/explorer.

LoopBack provides a number of built-in models that have REST APIs.  See Built-in models REST API for more information.

Request format

For POST and PUT requests, the request body can be JSON, XML or urlencoded format, with the Content-Type header set to application/json, application/xml, or application/x-www-form-urlencoded. The Accept header indicates the client's preference for the response format.


Setting the request's Accept header to application/vnd.api+json will result in the response's Content-Type header being automatically set to application/vnd.api+json if application/vnd.api+json is in the array of supported types. Set the supported types with the property in config.json.

Passing JSON object or array using HTTP query string

Some REST APIs take a JSON object or array from the query string. LoopBack supports two styles to encode the object/array value as query parameters.

  • Syntax from node-querystring (qs)
  • Stringified JSON

For example,

The table below illustrates how the JSON object/array can be encoded in the different styles:

JSON object/array for the filter object | qs style | Stringified JSON
{ where: { username: 'john', email: '' } }
{ where: { username: {inq: ['john', 'mary']} } }
{ include: ['a', 'b'] }
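
The two encodings described above, as an added example that is not part of the original documentation. The helper names toQsStyle and toJsonStyle are hypothetical, the /locations path is the page's example model, and the third filter is a constructed sample.

```javascript
// Added example: encode a LoopBack filter object in both query-string styles.

// qs (bracket) style: filter[where][username][inq][0]=john&...
function toQsStyle(name, value) {
  const pairs = [];
  (function walk(prefix, v) {
    if (Array.isArray(v)) {
      v.forEach((item, i) => walk(`${prefix}[${i}]`, item));
    } else if (v !== null && typeof v === 'object') {
      for (const k of Object.keys(v)) walk(`${prefix}[${encodeURIComponent(k)}]`, v[k]);
    } else {
      // Leaf value: percent-encode so '&', '=' and spaces cannot split the pair.
      pairs.push(`${prefix}=${encodeURIComponent(String(v))}`);
    }
  })(name, value);
  return pairs.join('&');
}

// Stringified-JSON style: filter=<percent-encoded JSON text>
function toJsonStyle(name, value) {
  return `${name}=${encodeURIComponent(JSON.stringify(value))}`;
}

// Filter objects from the table above, plus one constructed value that needs escaping.
const filters = [
  { where: { username: { inq: ['john', 'mary'] } } },
  { include: ['a', 'b'] },
  { where: { name: 'R&D lab' } }, // constructed sample
];

for (const f of filters) {
  console.log('/locations?' + toQsStyle('filter', f));
  console.log('/locations?' + toJsonStyle('filter', f));
}
```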

Response format

The response format for all requests is typically a JSON object/array or XML in the body and a set of headers. Some responses have an empty body. For example,

The HTTP status code indicates whether a request succeeded:

  • Status code 2xx indicates success.
  • Status code 4xx indicates request-related issues.
  • Status code 5xx indicates server-side problems.

The response for an error is in the following JSON format:

  • message: String error message.
  • stack: String stack trace.
  • statusCode: Integer HTTP status code.

For example,

Disabling API Explorer

LoopBack API Explorer is great when you're developing your application, but for security reasons you may not want to expose it in production.  

For an application using loopback-component-explorer, to disable explorer in production:

  • Set the NODE_ENV environment variable to "production".
  • Then in server/component-config.production.json:

For an application using the old loopback-explorer (prior to version 2.0), disable API Explorer by deleting or renaming server/boot/explorer.js.

Predefined remote methods

By default, for a model backed by a data source that supports it, LoopBack exposes a REST API that provides all the standard create, read, update, and delete (CRUD) operations.

As an example, consider a simple model called Location (that provides business locations) to illustrate the REST API exposed by LoopBack.  LoopBack automatically creates a number of Node methods with corresponding REST endpoints, including:

Model (Node) API | HTTP Method | Example Path
destroyById() or deleteById() | DELETE | /locations/:id

The above table provides a partial list of methods and REST endpoints. See the API documentation for a complete list of all the Node API methods. See PersistedModel REST API for details on the REST API.

Exposing and hiding models, methods, and endpoints

To expose a model over REST, set the public property to true in /server/model-config.json:
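
As an added example (not part of the original documentation or LoopBack's own code), the check below takes the parsed contents of model-config.json and the production component-config and reports which models are exposed over REST and whether API Explorer is still mounted. The config objects are constructed samples, auditExposure is a hypothetical helper, and treating a null or false loopback-component-explorer entry as the disabled state is an assumption.

```javascript
// Constructed sample of server/model-config.json (already parsed).
const modelConfig = {
  _meta: { sources: ['loopback/common/models', '../common/models'] },
  User: { dataSource: 'db', public: false },
  Location: { dataSource: 'db', public: true },
  Product: { dataSource: 'db' }, // no "public" key: flagged for review
};

// Constructed sample of server/component-config.production.json (already parsed).
// Assumption: a null entry is the setting that disables the explorer component.
const componentConfigProduction = { 'loopback-component-explorer': null };

// Hypothetical helper: classify every model by its "public" setting and
// report whether the explorer component is configured.
function auditExposure(models, components) {
  const report = { exposed: [], hidden: [], unspecified: [], explorerMounted: false };
  for (const [name, cfg] of Object.entries(models)) {
    if (name === '_meta') continue; // loader metadata, not a model
    if (cfg && cfg.public === true) report.exposed.push(name);
    else if (cfg && cfg.public === false) report.hidden.push(name);
    else report.unspecified.push(name); // do not rely on the default; set it explicitly
  }
  const explorer = (components || {})['loopback-component-explorer'];
  report.explorerMounted = explorer !== undefined && explorer !== null && explorer !== false;
  return report;
}

const report = auditExposure(modelConfig, componentConfigProduction);
console.log('REST-exposed models:', report.exposed.join(', ') || '(none)');
console.log('Hidden models:      ', report.hidden.join(', ') || '(none)');
console.log('No explicit setting:', report.unspecified.join(', ') || '(none)');
console.log('API Explorer mounted in production:', report.explorerMounted);
```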

Hiding methods and REST endpoints

If you don't want to expose certain CRUD operations, you can easily hide them by calling disableRemoteMethod() on the model. For example, following the previous example, by convention custom model code would go in the file common/models/location.js.  You would add the following lines to "hide" one of the predefined remote methods:


Now the deleteById() operation and the corresponding REST endpoint will not be publicly available.

For a method on the prototype object, such as updateAttributes():


Here's an example of hiding all methods of the MyUser model, except for login and logout:

Read-Only endpoints example

You may want to expose only read-only operations on your model, hiding all POST, PUT, and DELETE verbs.



Hiding endpoints for related models

To disable REST endpoints for related model methods, use disableRemoteMethod().


For more information, see Accessing related models.

For example, if there are post and tag models, where a post hasMany tags, add the following code to /common/models/post.js to disable the remote methods for the related model and the corresponding REST endpoints: 
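
An added example, not the original documentation's code, covering both the read-only case and the related-model case above: one helper hides every write method on a model and on its hasMany relations. makeReadOnly and stubModel are hypothetical names; create, upsert, updateAll and the relation prefixes are LoopBack 2.x method names that this page does not list, and the stub stands in for a real model so the block runs without the framework.

```javascript
// The boolean is disableRemoteMethod()'s isStatic argument:
// true for Model.method, false for Model.prototype.method.
const WRITE_METHODS = [
  ['create', true],            // POST   /posts
  ['upsert', true],            // PUT    /posts
  ['updateAll', true],         // POST   /posts/update
  ['deleteById', true],        // DELETE /posts/:id
  ['updateAttributes', false], // PUT    /posts/:id (prototype method)
];

// Write operations generated for a hasMany relation, e.g. post hasMany tags.
const RELATION_WRITE_PREFIXES = [
  '__create__', '__delete__', '__destroyById__', '__updateById__',
];

// Hypothetical helper: hide all write endpoints of Model and of the named relations.
function makeReadOnly(Model, relationNames = []) {
  const hidden = [];
  for (const [name, isStatic] of WRITE_METHODS) {
    Model.disableRemoteMethod(name, isStatic);
    hidden.push(name);
  }
  for (const rel of relationNames) {
    for (const prefix of RELATION_WRITE_PREFIXES) {
      // Relation methods are prototype methods, so isStatic is false.
      Model.disableRemoteMethod(prefix + rel, false);
      hidden.push(prefix + rel);
    }
  }
  return hidden;
}

// Constructed stand-in for a LoopBack model; it only records the calls.
function stubModel() {
  const calls = [];
  return { calls, disableRemoteMethod: (name, isStatic) => calls.push({ name, isStatic }) };
}

// In /common/models/post.js the call would sit inside the exported
// function(Post) { ... } that LoopBack invokes with the real model.
const Post = stubModel();
makeReadOnly(Post, ['tags']);
console.log(Post.calls.map((c) => `${c.isStatic ? 'static' : 'proto '} ${c.name}`).join('\n'));
```

disableRemoteMethod() removes only the REST endpoint; the underlying Node method stays callable from server-side code.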


Hiding properties

To hide a property of a model exposed over REST, define a hidden property.  See Model definition JSON file (Hidden properties).