惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

小众软件
小众软件
IT之家
IT之家
博客园 - 聂微东
www.infosecurity-magazine.com
www.infosecurity-magazine.com
P
Privacy International News Feed
人人都是产品经理
人人都是产品经理
PCI Perspectives
PCI Perspectives
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 叶小钗
V
Vulnerabilities – Threatpost
美团技术团队
S
Secure Thoughts
N
News | PayPal Newsroom
L
LINUX DO - 最新话题
腾讯CDC
Application and Cybersecurity Blog
Application and Cybersecurity Blog
雷峰网
雷峰网
B
Blog
MyScale Blog
MyScale Blog
T
The Blog of Author Tim Ferriss
TaoSecurity Blog
TaoSecurity Blog
N
News and Events Feed by Topic
Blog — PlanetScale
Blog — PlanetScale
C
Check Point Blog
T
Tailwind CSS Blog
月光博客
月光博客
Simon Willison's Weblog
Simon Willison's Weblog
Hacker News: Ask HN
Hacker News: Ask HN
The Last Watchdog
The Last Watchdog
Google DeepMind News
Google DeepMind News
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
MongoDB | Blog
MongoDB | Blog
S
Security @ Cisco Blogs
Jina AI
Jina AI
Engineering at Meta
Engineering at Meta
S
Security Affairs
Forbes - Security
Forbes - Security
P
Palo Alto Networks Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
博客园 - 司徒正美
博客园 - 三生石上(FineUI控件)
T
Tor Project blog
O
OpenAI News
L
Lohrmann on Cybersecurity
Security Archives - TechRepublic
Security Archives - TechRepublic
P
Proofpoint News Feed
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
L
LangChain Blog
B
Blog RSS Feed
H
Hackread – Cybersecurity News, Data Breaches, AI and More

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
API Calls Done Right: From Messy Fetch to Clean Data Layer
Gavin Cettol · 2026-05-19 · via DEV Community

I've seen this file in almost every frontend project I've ever touched.

It's usually called api.js or utils.js or sometimes just helpers.ts.

It starts small. One function. Two functions.

Then, six months later, it's 800 lines long, nobody fully understands it, and everyone is afraid to change it.

It looks something like this:

// Somewhere in a React component, at 3pm on a sprint deadline
const res = await fetch(`/api/users/${id}`, {
  headers: { Authorization: `Bearer ${localStorage.getItem('token')}` }
})
const data = await res.json()
setUser(data)

Enter fullscreen mode Exit fullscreen mode

No error handling. No type safety. Auth logic scattered across components. The token read inline from localStorage every single time.

It works, until it doesn't.

This article is about building something better. We'll start from that messy fetch call and work our way up to a clean, typed, maintainable data layer, step by step.


TL;DR

  • A raw fetch call inside a component is the beginning of a maintenance problem, not a solution.
  • A clean data layer separates concerns: one apiClient handles transport and auth, individual service modules handle domain logic.
  • TypeScript + structured error handling + automatic token refresh gives you a production-grade setup that scales without becoming a second job to maintain.

Table of Contents


What We're Building (and Why)

Before writing any code, let's define what "clean data layer" actually means.

It's not a framework. It's not a library. It's a set of responsibilities, each living in the right place:

Responsibility Where it lives
HTTP transport (headers, base URL, timeouts) apiClient
Auth token management apiClient + tokenService
Domain-specific calls (fetch user, update product) Service modules
Server state, caching, loading/error UI state TanStack Query
Business logic and rendering React components

A React component that directly calls fetch is doing two jobs at once: fetching data and rendering UI. That coupling is the root cause of most of the problems we're trying to solve.

The goal is simple: each layer does one thing, and only one thing.


Step 1: The apiClient - One Place for Transport Logic

The first thing we need is a single, shared HTTP client. Every API call in the application goes through it. No exceptions.

This gives us one place to configure:

  • the base URL
  • default headers
  • timeout behavior
  • future interceptors
// src/lib/apiClient.ts

const BASE_URL = import.meta.env.VITE_API_BASE_URL ?? 'https://api.example.com'
const DEFAULT_TIMEOUT_MS = 10_000

interface RequestOptions extends RequestInit {
  timeout?: number
}

async function request<T>(
  endpoint: string,
  options: RequestOptions = {}
): Promise<T> {
  const { timeout = DEFAULT_TIMEOUT_MS, ...fetchOptions } = options

  const controller = new AbortController()
  const timeoutId = setTimeout(() => controller.abort(), timeout)

  const url = `${BASE_URL}${endpoint}`

  try {
    const response = await fetch(url, {
      ...fetchOptions,
      signal: controller.signal,
      headers: {
        'Content-Type': 'application/json',
        ...fetchOptions.headers,
      },
    })

    if (!response.ok) {
      throw new ApiError(response.status, await response.text())
    }

    // Handle 204 No Content
    if (response.status === 204) {
      return undefined as T
    }

    return response.json() as Promise<T>
  } finally {
    clearTimeout(timeoutId)
  }
}

export const apiClient = {
  get: <T>(endpoint: string, options?: RequestOptions) =>
    request<T>(endpoint, { ...options, method: 'GET' }),

  post: <T>(endpoint: string, body: unknown, options?: RequestOptions) =>
    request<T>(endpoint, {
      ...options,
      method: 'POST',
      body: JSON.stringify(body),
    }),

  put: <T>(endpoint: string, body: unknown, options?: RequestOptions) =>
    request<T>(endpoint, {
      ...options,
      method: 'PUT',
      body: JSON.stringify(body),
    }),

  patch: <T>(endpoint: string, body: unknown, options?: RequestOptions) =>
    request<T>(endpoint, {
      ...options,
      method: 'PATCH',
      body: JSON.stringify(body),
    }),

  delete: <T>(endpoint: string, options?: RequestOptions) =>
    request<T>(endpoint, { ...options, method: 'DELETE' }),
}

Enter fullscreen mode Exit fullscreen mode

A few things worth noting here:

The AbortController + timeout pattern ensures that hanging requests don't freeze the UI indefinitely. After DEFAULT_TIMEOUT_MS, the request is automatically cancelled.

The if (!response.ok) check is something the native fetch API does not do for you. A fetch call to an endpoint that returns 404 or 500 will not throw, it resolves successfully, with response.ok set to false. If you don't check this, you'll silently pass error responses to your state as if they were valid data.

The 204 No Content guard prevents response.json() from throwing on empty responses, which is a surprisingly common gotcha with DELETE endpoints.


Step 2: Typed Responses and Structured Error Handling

The apiClient above throws an ApiError. Let's define it.

// src/lib/errors.ts

export class ApiError extends Error {
  constructor(
    public readonly status: number,
    public readonly body: string,
    message?: string
  ) {
    super(message ?? `API error: ${status}`)
    this.name = 'ApiError'
  }

  get isUnauthorized(): boolean {
    return this.status === 401
  }

  get isForbidden(): boolean {
    return this.status === 403
  }

  get isNotFound(): boolean {
    return this.status === 404
  }

  get isServerError(): boolean {
    return this.status >= 500
  }
}

export class NetworkError extends Error {
  constructor(message = 'Network request failed') {
    super(message)
    this.name = 'NetworkError'
  }
}

Enter fullscreen mode Exit fullscreen mode

Having a typed error class instead of a generic Error is what makes downstream error handling clean. In your components or TanStack Query callbacks, you can now write:

if (error instanceof ApiError && error.isUnauthorized) {
  // redirect to login
}

Enter fullscreen mode Exit fullscreen mode

Instead of:

// ❌ What most codebases end up with
if (error.message.includes('401') || error.message.includes('Unauthorized')) {
  // fragile, brittle, and a maintenance nightmare
}

Enter fullscreen mode Exit fullscreen mode


Step 3: Service Modules — Organizing by Domain

Now that we have a shared client and typed errors, we can build service modules on top of it.

A service module groups all API calls related to a single domain. One file per domain. No mixing.

// src/services/userService.ts

import { apiClient } from '@/lib/apiClient'

export interface User {
  id: string
  email: string
  firstName: string
  lastName: string
  role: 'admin' | 'user'
  createdAt: string
}

export interface UpdateUserPayload {
  firstName?: string
  lastName?: string
  email?: string
}

export interface PaginatedResponse<T> {
  data: T[]
  total: number
  page: number
  pageSize: number
}

export const userService = {
  getById: (id: string) =>
    apiClient.get<User>(`/users/${id}`),

  getAll: (page = 1, pageSize = 20) =>
    apiClient.get<PaginatedResponse<User>>(
      `/users?page=${page}&pageSize=${pageSize}`
    ),

  update: (id: string, payload: UpdateUserPayload) =>
    apiClient.patch<User>(`/users/${id}`, payload),

  delete: (id: string) =>
    apiClient.delete<void>(`/users/${id}`),
}

Enter fullscreen mode Exit fullscreen mode

// src/services/productService.ts

import { apiClient } from '@/lib/apiClient'

export interface Product {
  id: string
  name: string
  price: number
  stock: number
  categoryId: string
}

export interface CreateProductPayload {
  name: string
  price: number
  stock: number
  categoryId: string
}

export const productService = {
  getById: (id: string) =>
    apiClient.get<Product>(`/products/${id}`),

  create: (payload: CreateProductPayload) =>
    apiClient.post<Product>('/products', payload),

  updateStock: (id: string, stock: number) =>
    apiClient.patch<Product>(`/products/${id}`, { stock }),
}

Enter fullscreen mode Exit fullscreen mode

This pattern scales cleanly. When a new developer joins and needs to find where user-related API calls live, the answer is always the same: src/services/userService.ts.

No archaeology. No searching for fetch('/api/users' across twelve components.


Step 4: Authentication - Bearer Tokens Done Right

Right now, the apiClient doesn't know anything about authentication. Let's fix that.

The wrong way to handle this is what we saw at the start: reading localStorage.getItem('token') inline inside every component. The token management logic is scattered, untestable, and fragile.

The right way is a dedicated tokenService that the apiClient calls when it needs to attach credentials.

// src/lib/tokenService.ts

const ACCESS_TOKEN_KEY = 'access_token'
const REFRESH_TOKEN_KEY = 'refresh_token'

export const tokenService = {
  getAccessToken: (): string | null =>
    localStorage.getItem(ACCESS_TOKEN_KEY),

  getRefreshToken: (): string | null =>
    localStorage.getItem(REFRESH_TOKEN_KEY),

  setTokens: (accessToken: string, refreshToken: string): void => {
    localStorage.setItem(ACCESS_TOKEN_KEY, accessToken)
    localStorage.setItem(REFRESH_TOKEN_KEY, refreshToken)
  },

  clearTokens: (): void => {
    localStorage.removeItem(ACCESS_TOKEN_KEY)
    localStorage.removeItem(REFRESH_TOKEN_KEY)
  },

  hasValidToken: (): boolean =>
    tokenService.getAccessToken() !== null,
}

Enter fullscreen mode Exit fullscreen mode

Now we update apiClient to attach the token automatically:

// src/lib/apiClient.ts - updated request function

async function request<T>(
  endpoint: string,
  options: RequestOptions = {}
): Promise<T> {
  const { timeout = DEFAULT_TIMEOUT_MS, ...fetchOptions } = options

  const controller = new AbortController()
  const timeoutId = setTimeout(() => controller.abort(), timeout)

  // Attach auth header automatically if token exists
  const accessToken = tokenService.getAccessToken()
  const authHeader = accessToken
    ? { Authorization: `Bearer ${accessToken}` }
    : {}

  const url = `${BASE_URL}${endpoint}`

  try {
    const response = await fetch(url, {
      ...fetchOptions,
      signal: controller.signal,
      headers: {
        'Content-Type': 'application/json',
        ...authHeader,           // injected here - not in components
        ...fetchOptions.headers, // allow per-request overrides
      },
    })

    if (!response.ok) {
      throw new ApiError(response.status, await response.text())
    }

    if (response.status === 204) {
      return undefined as T
    }

    return response.json() as Promise<T>
  } finally {
    clearTimeout(timeoutId)
  }
}

Enter fullscreen mode Exit fullscreen mode

Now every call made through apiClient automatically includes the auth header. Components don't know that auth exists. They just call userService.getById(id) and get back a typed User.


Step 5: Automatic Token Refresh

The Bearer token setup works - but in production, access tokens expire. Usually after 15–60 minutes.

Without automatic refresh, the user gets a 401 error and is silently logged out, even though their session is still valid. That's a frustrating experience and it's entirely avoidable.

The pattern is:

  1. Request fails with 401.
  2. Intercept the error before it reaches the component.
  3. Use the refresh token to get a new access token.
  4. Retry the original request with the new token.
  5. If the refresh also fails, clear tokens and redirect to login.
// src/lib/apiClient.ts - with refresh logic

let isRefreshing = false
let pendingRequests: Array<(token: string) => void> = []

async function refreshAccessToken(): Promise<string> {
  const refreshToken = tokenService.getRefreshToken()

  if (!refreshToken) {
    throw new Error('No refresh token available')
  }

  // Note: this call bypasses the main request() to avoid infinite loops
  const response = await fetch(`${BASE_URL}/auth/refresh`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ refreshToken }),
  })

  if (!response.ok) {
    throw new ApiError(response.status, await response.text())
  }

  const { accessToken, refreshToken: newRefreshToken } = await response.json()
  tokenService.setTokens(accessToken, newRefreshToken)

  return accessToken
}

async function request<T>(
  endpoint: string,
  options: RequestOptions = {}
): Promise<T> {
  const { timeout = DEFAULT_TIMEOUT_MS, ...fetchOptions } = options

  const controller = new AbortController()
  const timeoutId = setTimeout(() => controller.abort(), timeout)

  const accessToken = tokenService.getAccessToken()
  const authHeader = accessToken
    ? { Authorization: `Bearer ${accessToken}` }
    : {}

  const url = `${BASE_URL}${endpoint}`

  try {
    const response = await fetch(url, {
      ...fetchOptions,
      signal: controller.signal,
      headers: {
        'Content-Type': 'application/json',
        ...authHeader,
        ...fetchOptions.headers,
      },
    })

    // Token expired - attempt refresh
    if (response.status === 401 && tokenService.getRefreshToken()) {
      // If a refresh is already in flight, queue this request
      if (isRefreshing) {
        return new Promise<T>((resolve, reject) => {
          pendingRequests.push((newToken: string) => {
            fetchOptions.headers = {
              ...fetchOptions.headers,
              Authorization: `Bearer ${newToken}`,
            }
            request<T>(endpoint, options).then(resolve).catch(reject)
          })
        })
      }

      isRefreshing = true

      try {
        const newToken = await refreshAccessToken()

        // Flush queued requests with the new token
        pendingRequests.forEach(callback => callback(newToken))
        pendingRequests = []

        // Retry the original request
        return request<T>(endpoint, options)
      } catch {
        // Refresh failed - session is truly expired
        tokenService.clearTokens()
        pendingRequests = []
        window.location.href = '/login'
        throw new Error('Session expired')
      } finally {
        isRefreshing = false
      }
    }

    if (!response.ok) {
      throw new ApiError(response.status, await response.text())
    }

    if (response.status === 204) {
      return undefined as T
    }

    return response.json() as Promise<T>
  } finally {
    clearTimeout(timeoutId)
  }
}

Enter fullscreen mode Exit fullscreen mode

The isRefreshing flag and pendingRequests queue are important. Without them, if five requests fire simultaneously and all get a 401, you'd fire five parallel refresh calls - a race condition that corrupts your token storage. With the queue, only one refresh happens, and all pending requests retry with the new token once it's available.


Step 6: Connecting the Data Layer to React with TanStack Query

The data layer we've built is framework-agnostic. It's just TypeScript functions. You can use it anywhere.

But in a React app, you'll want to connect it to your component state in a structured way. That's where TanStack Query comes in - and it pairs with this data layer perfectly.

// src/hooks/useUser.ts

import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query'
import { userService, UpdateUserPayload } from '@/services/userService'

export function useUser(userId: string) {
  return useQuery({
    queryKey: ['users', userId],
    queryFn: () => userService.getById(userId),
    staleTime: 1000 * 60 * 5, // 5 minutes
  })
}

export function useUsers(page: number, pageSize: number) {
  return useQuery({
    queryKey: ['users', { page, pageSize }],
    queryFn: () => userService.getAll(page, pageSize),
    placeholderData: previousData => previousData, // smooth pagination
  })
}

export function useUpdateUser(userId: string) {
  const queryClient = useQueryClient()

  return useMutation({
    mutationFn: (payload: UpdateUserPayload) =>
      userService.update(userId, payload),
    onSuccess: updatedUser => {
      // Update the cached user immediately - no refetch needed
      queryClient.setQueryData(['users', userId], updatedUser)
    },
  })
}

Enter fullscreen mode Exit fullscreen mode

And in the component, it's now completely clean:

// src/components/UserProfile.tsx

import { useUser, useUpdateUser } from '@/hooks/useUser'
import { ApiError } from '@/lib/errors'

interface Props {
  userId: string
}

export function UserProfile({ userId }: Props) {
  const { data: user, isLoading, error } = useUser(userId)
  const { mutate: updateUser, isPending } = useUpdateUser(userId)

  if (isLoading) return <Spinner />

  if (error) {
    if (error instanceof ApiError && error.isNotFound) {
      return <p>User not found.</p>
    }
    return <p>Something went wrong. Please try again.</p>
  }

  if (!user) return null

  const fullName = `${user.firstName} ${user.lastName}`

  return (
    <div>
      <h1>{fullName}</h1>
      <p>{user.email}</p>
      <button
        onClick={() => updateUser({ firstName: 'Updated' })}
        disabled={isPending}
      >
        Update
      </button>
    </div>
  )
}

Enter fullscreen mode Exit fullscreen mode

The component knows nothing about:

  • how HTTP requests are made
  • where tokens come from
  • how errors are structured at the network level
  • what happens on a 401

It just asks for data and renders it. That's the goal.

If you want to go deeper on TanStack Query and why the queryKey matters, I covered it in detail in Stop Using useEffect Like This.

TanStack Query

Powerful asynchronous state management, server-state utilities and data fetching. Fetch, cache, update, and wrangle all forms of async data in your TS/JS, React, Vue, Solid, Svelte, Angular & Lit applications all without touching any "global state"

favicon tanstack.com


The Final Folder Structure

After all six steps, here's what the data layer looks like on disk:

src/
├── lib/
│   ├── apiClient.ts       # HTTP transport, auth headers, token refresh
│   ├── tokenService.ts    # Token read/write/clear
│   └── errors.ts          # ApiError, NetworkError
│
├── services/
│   ├── userService.ts     # All user-related API calls + types
│   ├── productService.ts  # All product-related API calls + types
│   └── authService.ts     # Login, logout, register
│
└── hooks/
    ├── useUser.ts         # TanStack Query hooks for user data
    └── useProducts.ts     # TanStack Query hooks for product data

Enter fullscreen mode Exit fullscreen mode

Three layers, three responsibilities:

  • lib/ - infrastructure. Doesn't know about your business domain.
  • services/ - domain. Knows about users, products, orders. Doesn't know about React.
  • hooks/ - React integration. Bridges the service layer with component state.

A component that needs user data goes through hooks/. A non-React module (a utility, a test) can call services/ directly. Nothing ever touches lib/ directly except services/.


Final Thoughts

We started with a fetch call inside a component, reading a token from localStorage inline.

We ended with a layered system where:

  • HTTP logic lives in one place
  • Auth is automatic and transparent
  • Every API call is typed
  • Token refresh happens without the user noticing
  • React components have no idea how any of this works

None of these steps are complicated individually. The value comes from doing all of them, and doing them in order.

You don't have to build this in one day. Start with the apiClient and the service modules. Add auth when you need it. Add token refresh when access tokens start expiring. Add TanStack Query when you need caching.

Each step is independently useful. The full stack is production-grade.


This article is part of the **Modern Frontend* series.*
If you missed the first article: Stop Using useEffect Like This - 5 Patterns That Break Your React App.


What does your current API layer look like?

Are you still writing fetch calls directly in components, or have you already built something like this? Drop your setup in the comments - I'm curious how different teams solve this problem.

If this was useful, a ❤️ or a 🦄 means a lot.
And if you want the next article in the series when it drops, hit follow.