Create API with Expressive?



Hi all,

I would like to use Expressive for my new REST API services. I tested Apigility (1.4.1) and it is a really good product, but “in my case” it is missing some default features like ACL or RBAC, for example (I know we can add a module like zfc-rbac, but it is not necessarily easy to implement).

I read that Expressive (Middleware) is the future, and I don’t want to start a new big project with Apigility (1.4.1) if I know that Expressive is ready for this task (I have more than 100 API services to create…). And Apigility 2 will be based on Expressive, if I understand correctly. I saw that many components are in active development (zend-expressive-authorization, authentication, rbac, acl, oauth2, …) and that Expressive v3 is in a preview state. It is moving a lot and I’m a little lost…

So, below are my questions:

  • Can I start with the Enrico Tutorial for my base API? (
  • Is there a complete and working example/doc of an API with Expressive (2 or 3)? (including roles, authentication)
  • Is there a release date for v3 and components? (approximately)

Thanks for your help!


Here is an ACL implementation for Doctrine in Apigility:

This book may help if you’re interested in using Doctrine:

I haven’t seen anyone create an RBAC identity although it is coded into the Doctrine required identity currently.


There is no ETA yet. The waiting is for the PSR-15 release.

I haven’t seen that api-tutorial, but there is a blog post which uses RBAC:

Some of the related proposals with more info:


We have most of the pieces in place at this time, though in “pre-release” states:

  • zend-expressive-session: session middleware, in case you want to store credentials via a session. Storage is adapter-based, and we currently have a single adapter, supporting ext-session.
  • zend-expressive-authentication: adapter-based authentication middleware; we have HTTP Basic, OAuth2 (server), session-based login/password, and zend-authentication adapters currently.
  • zend-expressive-authorization: adapter-based authorization middleware, using the authenticated user as provided by zend-expressive-authentication. We have zend-permissions-acl and zend-permissions-rbac adapters currently.
  • zend-expressive-hal
  • zend-problem-details

The only “engine” piece that Apigility currently provides that we are missing at this time is validation; this can be fairly easily achieved, however, using zend-inputfilter within your handlers or domain layer. It’s the next major milestone we have before we can present a comprehensive API solution with Expressive, however. Unfortunately, that milestone is after the migration to PSR-15… so, let’s talk about that.

In terms of Expressive v3, the main change with the new major version is that we will be explicitly supporting only PSR-15 for middleware and delegates/handlers (vs callables and the interim http-interop project which served as the proving grounds for PSR-15). PSR-15 is currently in its Review phase, and we’re finishing up a few clarifications to the proposal this week. After those are in place, we’ll be doing an acceptance vote, which can take up to two weeks. This means Expressive v3 will drop at the end of this month at the earliest, and potentially not until sometime in February.

In terms of the various API modules, we will likely mark each of those as stable along with the Expressive v3 release, even if we do not have the validation piece in place. The validation piece will happen either at the same time, or within a month following Expressive v3.

You can definitely use Enrico’s tutorial as a starting point. However, be aware that it was developed against early revisions of zend-expressive-authorization and zend-expressive-session and zend-expressive-authentication, so some things may have changed in those libraries since; read their CHANGELOG files for details so you know how to upgrade.

In terms of upgrading from v2 to v3, we will be providing both tutorials and tooling to assist users. So go ahead and get started now!


Thanks a lot @matthew for all these clarifications. So, like you said, it is time to go ahead! I will start my API project with Expressive v2 and will see in February about the v3 upgrade… For validation, I already used InputFilter in some ZF2 projects, so that is OK. I will now see how the OAuth2 server middleware and RBAC work… :wink:


Thanks for this information!