How to properly handle middleware order in Slim 4?

Hello

I am building a small API using Slim 4 and ran into some confusion about how middleware is executed. I understand that Slim processes middleware in a stack but when I combine global middleware (like error handling or authentication) with route-specific middleware; the execution order isn’t always what I expect.

For eg; my authentication middleware sometimes runs after logging middleware; even though I thought it would go first.

I tried registering middleware at both the app level and the route group level but I am still not 100% sure what the correct best practice is for ensuring consistent order. This becomes even trickier when I need certain middleware (like CORS or JSON parsing) to always run before route-specific checks. Checked Middleware - Slim Framework for reference. This confusion feels a bit like when I first tried to understand what is devops, because the order of steps really matters to get the expected results.

Can someone explain clearly how Slim 4 decides middleware order, and what’s the safest way to structure global vs. route middleware to avoid unexpected behavior?

A practical example / diagram of the middleware flow would be really helpful for beginners like me.

Thank you !!

As well as the order you load middleware in, how your middleware is implemented also matters.

In the process function you need to pay attention to where the $handler->handle($request); call is, do you directly return its result from the process function, or do you assign it to a variable $response = $handler->handle($request); and have code after it? In the first case the middleware runs before the route handler, in the second case it runs after.

Look out for forking logic in your middleware as this may cause it to run before, after or both or neither and potentially not always depending on the conditions.

Further, route or route group middleware is only executed if the route matches. And I believe that app middleware runs before route middleware. And the stack is last in first out (LIFO), so the last one you load runs first.

Also, I’d say logging should be a dependency rather than middleware, since I’d assume you might want to log things from your auth middleware, which means its constructor would need a LoggerInterface instance as one of its parameters.