Many companies today face a similar starting point: a grown domain application (often Delphi/VCL) models central processes but suddenly must serve new channels. A customer portal needs data and workflows, mobile users expect secure access, and third-party systems (ERP, DMS, CRM, BI) demand integrations. In this situation a REST API appears to be the obvious step. In practice, however, API initiatives rarely fail because of HTTP or JSON — they fail because of unclear responsibility distribution between client, server, and data persistence.
A sustainable REST server architecture with Delphi does not emerge by simply placing “a few endpoints” over existing database tables. It emerges when the company jointly considers business rules, security requirements, data ownership, transaction boundaries, and operational concepts. The REST server thus becomes the stable contract layer between business logic and consumers: desktop client, portal, services, integration partners. This is exactly where Delphi plays to its strengths: rapid development, robust runtime, high-performance native code, good database connectivity (e.g. via BDE replacement with native connectivity) and the ability to encapsulate domain logic in libraries or server modules in a controlled way.
This article describes how companies can plan REST servers with Delphi so they remain consistent from a business perspective, fit into existing system landscapes, and do not become an operational failure point. The focus is on architectural principles, typical pitfalls in modernization projects, and concrete building blocks for security, data access, versioning, and observability.
Why a REST API is an architectural decision for the company
In a classic client-server world many rules were implicitly distributed in the desktop client: validations, state transitions, calculations, sometimes even authorizations. As long as only one client existed, this was uncritical — ugly from a business perspective, but manageable. Once multiple consumers access the same business objects, the model breaks down:
- A portal cannot “reuse” client-side validations.
- Mobile apps should be able to work offline but must not duplicate domain rules.
- Integrations need stable, versioned contracts and clear error semantics.
- Compliance requires traceable accesses, role models, and auditability.
The API becomes the place where business logic, rights, and data access converge. Its architecture therefore decides whether your system remains extensible in the long term — or whether you only create new technical debt.
Delphi as a platform for REST servers: strengths and typical use cases
Delphi is often associated with desktop applications in companies. For REST servers, however, Delphi is also very well suited, especially when it comes to reusing existing domain logic or to performant services. Typical use cases in B2B environments:
- API layer for legacy software: Existing Delphi domain application remains as the UI, while the REST server encapsulates data access and rules for new consumers.
- Backend for portal/customer area: Web portal uses REST endpoints that share the same rule core as internal processes.
- Integration and interface server: ERP/DMS/CRM connectivity, import/export, event processing, scheduled jobs.
- Linux services or Windows services: long-running processes, queue workers, schedulers, document workflows.
What matters less is the framework label and more the discipline in layering, concurrency, error handling, and deployment. Delphi permits both: quickly deliverable iterations and at the same time clean, modular architecture — if you plan deliberately.
Layer model: Layer-3 architecture as a foundation for durable APIs
For enterprise software a clear, lean layer model has proven effective. In the Delphi environment this is often described as Layer-3 architecture. The terms vary, but responsibilities should be unambiguous:
1) API/transport layer (HTTP, serialization, routing)
This layer handles HTTP, protocol-level authentication, request/response formats, routing, status codes, content type, compression. No business rules belong here. Goal: interchangeability and testability. If you later extend from a REST API to additional protocols (e.g. WebSocket, gRPC-like patterns, Server-Sent Events), the domain core must remain stable.
2) Domain/service layer (business logic, use cases, rights, transactions)
This is where the business truth lives: state machines, calculations, plausibility checks, tenant rules, business-level authorization checks. This layer should be UI-independent and ideally unaware of HTTP. Preferably implement use cases like “approve order”, “close ticket”, “generate invoice” instead of just CRUD on tables.
3) Data-access layer (repositories, SQL, FireDAC, mapping)
This layer encapsulates persistence: SQL, stored procedures, transaction control, locking concepts, connection pooling, DB-specific peculiarities. In Delphi BDE-Ablosung mit nativer Anbindung is often the pragmatic choice, particularly for migrations (BDE replacement) and heterogeneous databases (SQL Server, PostgreSQL, MariaDB, Firebird). It is important that the data-access layer has no HTTP knowledge and makes no business decisions.
This model reduces coupling: changes to the data model do not force an API rewrite, and new clients automatically inherit the same logic. Especially in Delphi modernization this is the basis for decoupling grown desktop applications step by step without interrupting operations.
API design for domain software: not CRUD, but business contracts
Many APIs start with endpoints like /customers, /orders, /documents and implement CRUD. That may be sufficient for internal tools, but in domain software it quickly becomes too shallow. Business processes consist of state changes, rules, side effects, and permissions.
Model resources, actions and states cleanly
A better pattern is the combination of resources and clear actions, e.g.:
- Read resource: GET /orders/{id}
- Trigger action: POST /orders/{id}/release
- Create document: POST /orders/{id}/documents/invoice
- Check status: GET /orders/{id}/status
This makes it visible in the API contract that “release” is not simply a field update. The server can centrally implement validations, rights, transactions, audit and side processes.
Error semantics and validation: make them predictable for clients
Enterprise clients must be able to distinguish errors: validation errors (400), missing permission (403), conflict due to concurrent modification (409), business rejection (often 409 or 422), temporary backend issues (503). What matters is a consistent error structure, e.g. with an error code, message, optional field hints and a correlation ID. This allows a portal to display understandable messages while support and operations can efficiently trace issues.
Security: authentication is not the same as authorization
In B2B contexts security rarely fails because of lack of encryption but rather because of missing separation between identity, roles and business authorizations. A REST server architecture must therefore distinguish two levels:
Authentication (who is it?)
Common approaches are token-based schemes (e.g. JWT or opaque tokens), combined with TLS and a clear session strategy. Crucial are: token lifetime, refresh mechanism, revocation on role changes, and whether you have different identity providers for portals and internal systems. Delphi servers can act as resource servers and — depending on setup — also issue tokens. In many enterprise landscapes integration with existing identity systems (e.g. AD/LDAP, SSO solutions) is a core requirement.
Authorization (is it allowed?)
Authorization belongs in the domain/service layer. Roles and rights are rarely purely technical; they depend on tenant, location, organizational unit, contract status or process phase. Good practices:
- Role model (e.g. admin, case worker, auditor) as a basis
- Domain policies (“may only generate an invoice in status X”, “may only see own tickets”)
- Multi-tenancy as a standard: every request needs tenant context
- Auditing: who triggered which action and when
The API should not only return “access allowed/denied” but must consistently prevent the server from exposing other tenants’ data via parameter tricks. That sounds obvious but in grown systems it is one of the most common architectural errors when people hurry to put “tables on HTTP”.
Data access with FireDAC: transactions, pooling and database strategy
In enterprise applications data access is the stability factor: load peaks, deadlocks, long reports, concurrent updates, batch imports. FireDAC is a proven component in the Delphi ecosystem to serve various databases with a unified access. For a REST server architecture the following points are especially important:
Transaction boundaries per use case
A REST API is typically request-based. This fits well with “one transaction per use case”: within a request a transaction is opened, business operations are performed, then commit/rollback. Important: don’t automatically wrap every endpoint in a transaction, but be consistent for write actions. Read endpoints may also require transactions depending on isolation levels if consistent views matter.
Connection strategy and concurrency
Server concurrency means many simultaneous requests, each with DB access. Plan therefore for:
- limited, monitored pool sizes
- timeouts for queries and connections
- clear rules for long-running operations (offload into jobs/workers)
A common mistake is running expensive reports or mass data exports synchronously through the same API instance that serves interactive portal requests. Better is to separate interactive vs. batch/async.
Database modernization as part of API planning
If legacy data accesses still exist (e.g. BDE), the API becomes the catalyst: it forces clear data access boundaries. A controlled migration to FireDAC reduces risks and increases portability (PostgreSQL, MariaDB, SQL Server). Important: don’t plan it as a big bang, but stepwise: new server use cases already use the new data-access layer while legacy parts follow.
Versioning and backward compatibility: protect API contracts
Companies often underestimate how costly breaking changes are. Once a customer portal, a partner system or a Windows service depends on your API, you can no longer “quickly” rename fields. A clean versioning strategy is therefore mandatory.
Pragmatic rules for versioning
- No breaking changes without a version: don’t rename/remove fields, don’t reinterpret endpoints.
- Extend rather than change: add new fields, mark old ones as deprecated.
- Compatible defaults: avoid new required fields or derive them server-side.
- Explicit versioning: e.g. /v1/… or via header; more important than the method is consistency.
For Delphi teams this also means: keep DTOs (Data Transfer Objects) stable and design mapping consciously instead of serializing domain objects 1:1. This increases initial effort but reduces long-term support costs.
Observability: plan logs, metrics and traces from the start
In a productive enterprise operation “works on my machine” is worthless if errors cannot be reproduced. REST servers that serve many consumers need a minimum of observability:
Structured logging with correlation ID
Each request should carry a correlation ID (adopt incoming or generate one) and it should appear in logs. Log entries should be structured (e.g. JSON log) so they can be ingested into central systems. At minimum include:
- request method, route, status code, duration
- user/tenant context (pseudonymized/compliant)
- DB duration and error class
- correlation ID for support
Metrics for capacity and error trends
For scaling and stability you need metrics: requests per minute, p95/p99 latencies, error rates per endpoint, DB pool utilization, queue lengths. This need not be “cloud-native overkill”, but without numbers performance discussions become matters of opinion.
Error and exception handling as an architectural building block
Delphi exceptions must not leak uncontrolled to the outside. A central exception middleware (or a global handler) should translate exceptions into consistent error responses, including a support ID and sensible HTTP codes. Internally, stack traces belong in secure logs, not in client responses.
Synchron vs. asynchronous: remove long-runners from the REST response
Many enterprise processes are not “request/response in 200 ms”: PDF generation, data import, interface runs, reconciliations, mass updates, archiving. These workloads rarely belong in a synchronous REST endpoint because they tie up threads, provoke timeouts and block users.
Job pattern
Proven approach: an endpoint starts a job and the server immediately returns a job ID. Another endpoint provides status/result. Optionally a callback/webhook can notify. In Delphi this can be implemented with worker services, a job table and a clear state machine. Benefit: stability and predictable scaling.
Queues and services
Depending on the environment a message queue can make sense, but it is not mandatory. The important principle is: interactive APIs remain responsive, batch processes run in a controlled, repeatable and observable way — as Windows services or Linux services depending on deployment.
Deployment in companies: Windows, Linux, containers, on-prem
A REST server architecture is only “complete” when it is operable. Companies differ widely: classic Windows servers, virtualized Linux hosts, container platforms, strict network zones, proxy and certificate requirements. Delphi is flexible here, provided dependencies are managed cleanly.
Configuration and secrets
Configuration must be environment-specific (Dev/Test/Prod). Credentials do not belong in the EXE or repository. Use secure storage (e.g. the platform’s secrets management) and separate configuration values from code releases. Also plan rotations (DB password, API keys) without rebuilding the system.
Release and rollback strategies
When multiple consumers rely on an API you need controlled releases: migration scripts for DB changes, feature toggles for gradual activation, clear rollback paths. In particular, database changes must be backward-compatible if a server version rollback should remain possible.
Integration with legacy software: iterative modernization instead of big bang
In many Delphi landscapes the business core is valuable but technically “glued together”: UI-close data accesses, global states, mixed responsibilities. A REST API can be both a risk and an opportunity here. The goal should be a path that delivers measurable improvements with reasonable effort.
Strangler approach for APIs
Instead of rebuilding everything, define business touchpoints that deliver real value: e.g. “order status and documents for the customer portal”, “master data lookup for mobile users”, “interface for ERP postings”. These use cases are implemented as new API functions including domain layer and data access. The legacy client can gradually switch to the same server use cases without the UI needing an immediate rebuild.
Shared domain logic: useful but controlled
Delphi allows domain libraries to be used both in the server and in existing applications. That can be a bridge but carries risks: if UI dependencies seep into the shared logic you lose decoupling. A clear rule helps: shared logic may only be logic without UI, without global state, with clear interfaces and testable units. Everything else stays separate.
Typical mistakes in REST server projects — and how to avoid them
“We’ll just publish tables”
If endpoints mirror tables directly, an unstable system emerges: every DB refactoring becomes an API breaking change, business rules are duplicated in clients, and security holes from unchecked parameters become more likely. Better: domain use cases and DTOs that stabilize the contract.
Business authorizations only in the client
Clients are replaceable and manipulable. Authorization belongs on the server and must consider business rules, not only technical roles.
No clear strategy for concurrency
Concurrent updates happen: two case workers, portal and internal client, or an import job. Without optimistic locking (e.g. RowVersion/Timestamp), conflict codes (409) and clear merge rules, data loss or “last write wins” errors occur.
Long-runners block interactive endpoints
Synchronous PDF generation or exports lead to timeouts and “hang” experiences. The job pattern with status endpoints is better.
Observability added as an afterthought
Without correlation ID, structured logs and metrics every incident becomes a search. Observability is not a luxury but an operational prerequisite.
Concrete checklist for your REST server architecture with Delphi
- Separate layers clearly: transport (HTTP), domain (use cases), data access (FireDAC/SQL).
- Understand the API as a contract: keep DTOs stable, plan versioning, avoid breaking changes.
- Two-step security: authentication (tokens) plus authorization (domain policies, tenant).
- Set transactions consciously: per use case, timeouts, conflict strategy.
- Long-runners asynchronous: jobs/workers, Windows or Linux services.
- Build in observability: correlation ID, structured logs, metrics, centralized error handling.
- Plan deployment realistically: configuration/secrets, rollback, database migrations.
- Modernize iteratively: prioritize valuable use cases, decouple legacy parts step by step.
Conclusion: REST servers unfold their value only as an operational and domain architecture
A REST server architecture with Delphi is particularly effective for companies when it is not understood as a “technical surface” but as the connecting core between processes, data and channels. Key are clean layers (Layer-3 architecture), domain-modeled endpoints, consistent security and tenancy logic, and an operational model with versioning, monitoring and controlled concurrency. This makes the API a stable platform: for portals, integrations, services and stepwise Delphi modernization — without risking the business substance of a grown system.
If you want to check how a robust REST API can be set up for your existing Delphi landscape (including database strategy, FireDAC, services and operations), reach us here: https://net-base-software-gmbh.de/kontakt/