Important: This news article covers an old version of Javalin (v3.7.0). The current version is v6.1.3.
See the documentation page for up-to-date information.

Rate limiting

A very simple util class for rate limiting has been added. You can call it in the beginning of your endpoint Handler functions:

app.get("/") { ctx ->
    RateLimit(ctx).requestPerTimeUnit(5, TimeUnit.MINUTES) // throws if rate limit is exceeded
    ctx.status("Hello, rate-limited World!")

Every rate limiter is independent (IP and Handler based), so different endpoints can have different rate limits. It works as follows:

  • A map of maps holds one IP/counter map per method/path combination (Handler).
  • On each request the counter for that IP is incremented.
  • If the counter exceeds the number of requests specified, an exception is thrown.
  • All counters are cleared periodically on every timeunit that you specified.

Case insensitive path matching

There is a new plugin, RedirectToLowercasePathPlugin, which fills the void left by removing case-insensitive matching that was present in Javalin 2.X.

The plugin redirects requests with uppercase/mixcase paths to lowercase paths. For example, /Users/John redirects to /users/John (if endpoint is /users/:userId). It does not affect the casing of path-params and query-params, only static URL fragments (Users becomes users above, but John remains John).
When using this plugin, you can only add paths with lowercase URL fragments.

It can be added like any other plugin:


Misc new features

  • Added a basicAuthCredentialsExists() method to Context (thanks to @mikexliu).
  • Added option to specify host (start(port, host) overload) to Javalin (thanks to @rbygrave).
  • Added support for dynamic single page handlers (thanks to @pgross41).
  • Added support for anyOf/oneOf to OpenAPI plugin (thanks to @sealedtx).
  • Added a Path overload to JavalinVue#rootDirectory method


  • Fixed Instant serialization in OpenAPI plugin (thanks to @TobiasWalle).
  • Fixed bug where endpointHandlerPath() method would throw if called in after/requestLogger on 404s.
  • Fixed bug in config.enforceSsl (now takes load balancers into account)
  • Fixed bug in content decoding, will now try specified charset instead of always UTF-8 (thanks to @thibaultmeyer).