Server Actions vs API Routes in Next.js: When to Use Each
nextjs#nextjs#server-actions#api-routes#react+3 more
Server Actions vs API Routes in Next.js: When to Use Each
Both work on the server, but smart usage of each makes your work clean, fast, and secure. Learn when to use Server Actions and when to stick with API Routes.
Mohammad Alhabil
Author
December 10, 2024
5 min read
~1000 words
Server Actions vs API Routes in Next.js: When to Use Each
Both actually work "on the server"... But smart usage of each? That's what makes your work look clean, fast, and secure.
A Real-World Analogy: Restaurant Kitchen ๐ณ
| Approach | Analogy |
|---|---|
| API Route | Like an order-taking employee. You give them the order, they go to the kitchen, verify, and bring back the response after a while... |
| Server Action | You're talking directly to the chef. You order, they execute immediately, everything happens in the moment without a middleman. |
The Core Difference
API Routes
// app/api/posts/route.ts
export async function POST(request: Request) {
const data = await request.json();
// Validate, process, save to DB
const post = await db.posts.create({ data });
return Response.json(post);
}
Characteristics:
- ๐ Write files in
/api/*, each file is an endpoint - ๐ Receives request from client, runs on server, returns JSON
- โ ๏ธ Exposed and needs extra protection (CSRF, rate limiting)
- ๐ Network round-trip between client and server
- ๐ง Focus: Flexibility, clear separation of concerns
Server Actions
// app/actions.ts
'use server'
export async function createPost(formData: FormData) {
const title = formData.get('title');
// Direct DB access, no endpoint needed
const post = await db.posts.create({
data: { title }
});
revalidatePath('/posts');
return post;
}
Characteristics:
- ๐ฏ Functions inside Server Components
- ๐ Call directly from UI without fetch or JSON
- ๐ No visible API endpoint = higher security
- โก Higher performance (no network round-trip)
- ๐ช Direct access to cookies, headers, session, DB
Side-by-Side Comparison
| Feature | API Routes | Server Actions |
|---|---|---|
| Location | /api/* folder | Any server file |
| Call Method | fetch() | Direct function call |
| Response | JSON | Any value |
| Security | Needs CSRF protection | Built-in security |
| Performance | Network round-trip | Direct execution |
| External Access | โ Yes | โ No |
| Best For | Webhooks, external APIs | Mutations, forms |
When to Use Each?
โ Use Server Actions When:
- Working with App Router (Next.js 13+)
- Doing Mutations (create, update, delete)
- Form submissions directly from UI
- Performance matters (no round-trip)
- Security is priority (no exposed endpoint)
โ Use API Routes When:
- External webhooks (Stripe, GitHub, etc.)
- Mobile app backend needs endpoints
- Third-party integrations sending requests
- Legacy projects without Server Actions
- Complex debugging needs clear endpoints
Practical Examples
Example 1: Form Submission โ Server Action โ
// app/actions.ts
'use server'
export async function registerUser(formData: FormData) {
const email = formData.get('email') as string;
const password = formData.get('password') as string;
// Validate
if (!email || !password) {
return { error: 'Missing fields' };
}
// Create user
const user = await db.users.create({
data: { email, password: await hash(password) }
});
return { success: true, user };
}
// app/register/page.tsx
import { registerUser } from './actions';
export default function RegisterPage() {
return (
<form action={registerUser}>
<input name="email" type="email" required />
<input name="password" type="password" required />
<button type="submit">Register</button>
</form>
);
}
Example 2: Stripe Webhook โ API Route โ
// app/api/webhooks/stripe/route.ts
import { headers } from 'next/headers';
import Stripe from 'stripe';
export async function POST(request: Request) {
const body = await request.text();
const signature = headers().get('stripe-signature')!;
const event = stripe.webhooks.constructEvent(
body,
signature,
process.env.STRIPE_WEBHOOK_SECRET!
);
switch (event.type) {
case 'payment_intent.succeeded':
await handlePaymentSuccess(event.data.object);
break;
}
return Response.json({ received: true });
}
Quick Decision Guide
| Use Case | Choice |
|---|---|
| ๐ User registration form | Server Action |
| ๐๏ธ Delete post from dashboard | Server Action |
| ๐ฌ Add comment | Server Action |
| ๐ณ Stripe webhook | API Route |
| ๐ฑ Mobile app endpoint | API Route |
| ๐ GitHub webhook | API Route |
| โค๏ธ Like/unlike button | Server Action |
| ๐ค File upload | Either (depends) |
Important Notes
๐ Security
Server Actions are safer from CSRF attacks because there's no exposed endpoint. But always validate and authenticate inside your functions:
'use server'
export async function deletePost(postId: string) {
const session = await getSession();
if (!session) {
throw new Error('Unauthorized');
}
// Check ownership
const post = await db.posts.findUnique({ where: { id: postId } });
if (post.authorId !== session.userId) {
throw new Error('Forbidden');
}
await db.posts.delete({ where: { id: postId } });
}
๐ Data Fetching
Server Actions are NOT primarily for data fetching โ they're for mutations. Data fetching belongs to:
- Server Components (direct DB/API calls)
- React Query / SWR (client-side)
โก Performance
Server Actions are faster because they skip the full HTTP request-response cycle. The function runs directly on the server and returns the result.
Start understanding the UI... and the backend that powers it.
Interfaces you love, code you understand. ๐ก
Topics covered
#nextjs#server-actions#api-routes#react#backend#security#performance
Found this article helpful?
Share it with your network and help others learn too!
Written by Mohammad Alhabil
Frontend Developer & Software Engineer passionate about building beautiful and functional web experiences. I write about React, Next.js, and modern web development.
