SlideShare a Scribd company logo

Fundamental essentials for api design

Download as DOCX, PDF
M
Michael James Cyrus

Many of the API design opinions found on the web are academic discussions revolving around interpretations of uncertain standards as opposed to what makes sense in the real world. The aim of this presentation is to describe the best common practices for a practical API design for the web applications.

Technology
1 of 22
Fundamental essentials for (RESTful) API design and configurations K s a t h r a S y s t e m s L i m i t e d 7 / 2 9 / 2 0 1 6 Michael Cyrus Many of the API design opinions found on the web are academic discussions revolving around interpretations of uncertain standards as opposed to what makes sense in the real world. The aim of this presentation is to describe the best common practices for a practical API design for the web applications
1 Why JSON?............................................................................................................................................................................3 RESTful design difficulties..........................................................................................................................................3 Use RESTful URLs and actions..................................................................................................................................4 HTTP methods clarified...............................................................................................................................................4 Singularor plural endpoints.....................................................................................................................................6 How to deal with relations.........................................................................................................................................6 Actions that do not fit into CRUD operations...................................................................................................6 SSL at all times...................................................................................................................................................................7 Documentation is the way forward.......................................................................................................................7 Versioningis always best............................................................................................................................................8 Result filtering, sorting & searching.....................................................................................................................8 1. Filtering:...................................................................................................................................................................9 2. Sorting:......................................................................................................................................................................9 3. Searching:................................................................................................................................................................9 Aliases for common queries...................................................................................................................................10 Limiting which fields are returned by the API.............................................................................................10 Updates & creation should always return a resource representation..........................................10 Always HATEOAS...........................................................................................................................................................10 JSON only responses....................................................................................................................................................11 Using media type change based on Accept headersor based on the URL ...................................12 Use snake_case vs CamelCase for field names...............................................................................................12 Pretty print by default & make sure gzip is supported...........................................................................12 Extra data transfer.......................................................................................................................................................13 Make using an envelope by default possible when required...............................................................13 Envelope to be used in some exceptional cases..........................................................................................14 JSON encoded POST, PUT & PATCH bodies....................................................................................................14 Pagination.........................................................................................................................................................................15
2 Auto loading related resource representations.........................................................................................15 Overriding the HTTP method................................................................................................................................16 Rate limiting.....................................................................................................................................................................16 Why TimeStamp...........................................................................................................................................................17 Bad practice to use a UNIX timestamp for X-Rate-Limit-Reset..........................................................17 Authentication................................................................................................................................................................17 Caching................................................................................................................................................................................18 1. ETag:........................................................................................................................................................................18 2. Last-Modified:.......................................................................................................................................................18 Errors...................................................................................................................................................................................19 HTTP status codes........................................................................................................................................................20 Last thoughts...................................................................................................................................................................21
3 Fundamental essentials for “RESTful” API design and configurations Many of the API design opinions have found that on the web are academic discussions revolving around interpretations of uncertain standards as opposed to what makes sense in the real world. The aim of this presentation is to describe the best common practices in the IT industry for a practical API design for all the web applications Requirements that make RESTful APIs as appealing as per Dr Roy Fielding’s proposition are:  Scalability – not necessarily its performance, yet rather how easy it is for RESTful APIs to adapt and grow and be plugged into other systems.  Use of HTTP protocols– being able to use HTTP methods to manage resources makes RESTful APIs easy to plug into other applications.  Independency – with a RESTful API you can deploy or scale down specific parts of the application, without having to shut down the entire application or an entire web server form.  Reduced latency due to caching – REST APIs prioritize caching, which helps to improve latency. So always keep caching top of mind when you’re developing your REST API.  Security – HTTP specification lets you spot security via certain HTTP headers, so you can leverage this to make your API more secure.  Encapsulation – there are parts of the application that don’t need to be exposed to a REST caller, and REST as an architectural style allows you to encapsulate those gritty details and only show things that you need to show. Why JSON?  Ubiquity – over 57% of all web-based applications that have JSON are built on JavaScript, or have JavaScript components.  Human readable – it uses very simple grammar and language, so a human can easily read it, including the new developers who just starting to get into software development.  Fields: It’s easy to change or add new fields. RESTful designdifficulties RESTful APIs are difficult to design because REST is an architectural style, and not a specification. It has no standard governing body and therefore has no hard and fast
4 design rules. What REST does have is an interpretation of how HTTP protocol works, which allows for different approaches for designing a REST API. While use of HTTP methods is a core advantage of the REST approach, it also means that there are lots of different RESTful API designs. I am going to focus on some of the best guidelines that I have come up with in designing the RESTful API. Use RESTful URLs and actions The key principles of REST involve separating your API into logical resources. These resources are manipulated using HTTP requests where the methods GET, POST, PUT, and DELETE have specific meanings. HTTP methods clarified The HTTP protocol defines a number of methods that assign semantic meaning to a request. The common HTTP methods used by most RESTful web APIs are:  GET - to retrieve a copy of the resource at the specified URI. The body of the response message contains the details of the requested resource.  POST - to create a new resource at the specified URI. The body of the request message provides the details of the new resource. Note that POST can also be used to trigger operations that don't actually create resources.  PUT - to replace or update the resource at the specified URI. The body of the request message specifies the resource to be modified and the values to be applied.  DELETE - to remove the resource at the specified URI. Note: The HTTP protocol also defines other less commonly-used methods, such as PATCH which is used to request selective updates to a resource, HEAD which is used to request a description of a resource, OPTIONS which enables a client information to obtain information about the communication options supported by the server, and TRACE which allows a client to request information that it can use for testing and diagnostics purposes. The effect of a specific request should depend on whether the resource to which it is applied is a collection or an individual item. The following table below summarizes the common conventions adopted by most RESTful implementations using the ecommerce example:
5 The purpose of GET and DELETE requests are relatively straightforward, but there is scope for confusion concerning the purpose and effects of POST and PUT requests. A POST request should create a new resource with data provided in the body of the request. In the REST model, you frequently apply POST requests to resources that are collections; the new resource is added to the collection. Note: You can also define POST requests that trigger some functionality (and that don't necessarily return data), and these types of request can be applied to collections. For example you could use a POST request to pass a timesheet to a payroll processing service and get the calculated taxes back as a response. A PUT request is intended to modify an existing resource. If the specified resource does not exist, the PUT request could return an error (in some cases, it might actually create the resource). PUT requests are most frequently applied to resources that are individual items (such as a specific customer or order), although they can be applied to collections, although this is less-commonly implemented. Note that PUT requests are idempotent whereas POST requests are not; if an application submits the same PUT request multiple times the results should always be the same (the same resource will be modified with the same values), but if an application repeats the same POST request the result will be the creation of multiple resources. Note: Strictly speaking, an HTTP PUT request replaces an existing resource with the resource specified in the body of the request. If the intention is to modify a selection of properties in a
6 resource but leave other properties unchanged, then this should be implemented by using an HTTP PATCH request. However, many RESTful implementations relax this rule and use PUT for both situations. Singular or plural endpoints Although a true grammar language tells you it's wrong to describe a single instance of a resource using a plural, the pragmatic answer is to keep the URL format consistent and always use a plural. Not having to deal with odd pluralization (person/people, goose/geese) makes the life of the API consumer better and is easier for the API provider to implement (as most modern frameworks will natively handle /coupons and /coupons/12 under a common controller). Howto deal withrelations If a relation can only exist within another resource, RESTful principles provide useful guidance. Let's look at this with an example. A coupon consisting of a number of messages. These messages can be logically mapped to the /coupons endpoint as bellow:  GET /coupons/12/messages - Retrieves list of messages for coupon #12  GET /coupons/12/messages/5 - Retrieves message #5 for coupon #12  POST /coupons/12/messages - Creates a new message in coupon #12  PUT /coupons/12/messages/5 - Updates message #5 for coupon #12  PATCH /coupons/12/messages/5 - Partially updates message #5 for coupon #12  DELETE /coupons/12/messages/5 - Deletes message #5 for coupon #12 Alternatively, if a relation can exist independently of the resource, it makes sense to just include an identifier for it within the output representation of the resource. The API consumer would then have to hit the relation's endpoint. However, if the relation is commonly requested alongside the resource, the API could offer functionality to automatically embed the relation's representation and avoid the second hit to the API. Actions that do not fit into CRUDoperations This is where things can get a little bit confusing. There are a number of approaches:
7  Restructure the action to appear like a field of a resource. This works if the action doesn't take parameters. For example an activate action could be mapped to a boolean activated field and updated via a PATCH to the resource.  Treat it like a sub-resource with RESTful principles. For instance, GitHub's API lets you star a gist with PUT /gists/:id/star and unstar with DELETE /gists/:id/star.  Sometimes you really have no way to map the action to a sensible RESTful structure. For example, a multi-resource search doesn't really make sense to be applied to a specific resource's endpoint. In this case, /search would make the most sense even though it isn't a resource. This is OK - just do what's right from the perspective of the API consumer and make sure it's documented clearly to avoid confusion. SSL at all times Always use SSL. APIs can get accessed from anywhere there is internet (like libraries, coffee shops, airports, etc.). Not all of these are secure. Many don't encrypt communications at all, allowing for easy eavesdropping or impersonation if authentication credentials are hijacked. Another advantage of always using SSL is that guaranteed encrypted communications simplifies authentication efforts - you can get away with simple access tokens instead of having to sign each API request. One thing to watch out for is non-SSL access to API URLs. Do not redirect these to their SSL counterparts. Throw a hard error instead! The last thing you want is for poorly configured clients to send requests to an unencrypted endpoint, just to be silently redirected to the actual encrypted endpoint. Documentationis the way forward An API is only as good as its documentation. The docs should be easy to find and publically accessible. Most developers will check out the docs before attempting any integration effort. When the docs are hidden inside a PDF file or require signing in, they're not only difficult to find but also not easy to search. The docs should show examples of complete request/response cycles. Preferably, the requests should be passable examples - either links that can be pasted into a browser or curl examples that can be pasted into a terminal. GitHub and Stripe do a great job with this.
8 Once you release a public API, you've committed to not breaking things without notice. The documentation must include any depreciation schedules and details surrounding externally visible API updates. Updates should be delivered via a blog or a mailing list (preferably both!). Versioning is always best Always version your API. Versioning helps you iterate faster and prevents invalid requests from hitting updated endpoints. It also helps smooth over any major API version transitions as you can continue to offer old API versions for a period of time. There are mixed opinions around whether an API version should be included in the URL or in a header. Academically speaking, it should probably be in a header. However, the version needs to be in the URL to ensure browser exportability of the resources across versions. Be a big fan of the approach that Stripe has taken to API versioning - the URL has a major version number (v1), but the API has date based sub-versions which can be chosen using a custom HTTP request header. In this case, the major version provides structural stability of the API as a whole while the sub-versions accounts for smaller changes (field deprecations, endpoint changes, etc.). An API is never going to be completely stable. Change is inevitable. What's important is how that change is managed. Well documented and announced multi-month depreciation schedules can be an acceptable practice for many APIs. It comes down to what is reasonable given the industry and possible consumers of the API. Result filtering,sorting & searching It's best to keep the base resource URLs as lean as possible. Complex result filters, sorting requirements and advanced searching (when restricted to a single type of resource) can all be easily implemented as query parameters on top of the base URL.
9 Let's look at these in more detail: 1. Filtering: Use a unique query parameter for each field that implements filtering. For instance, when requesting a list of tickets from the /coupons endpoint, you may want to limit these to only those in the open state. This could be accomplished with a request like GET /coupons?state=open. In here,state is a query parameter that implements a filter. 2. Sorting: Similar to filtering, a generic parameter sort can be used to describe sorting rules. Accommodate complex sorting requirements by letting the sort parameter take in list of comma separated fields, each with a possible unary negative to imply descending sort order. Some examples:  GET /coupons?sort=-priority - Retrieves a list of tickets in descending order of priority  GET /coupons?sort=-priority,created_at - Retrieves a list of tickets in descending order of priority. Within a specific priority, older tickets are ordered first 3. Searching: Sometimes basic filters aren't enough and you need the power of full text search. Perhaps you're already using ElasticSearch or another Lucene based search technology. When full text search is used as a mechanism of retrieving resource instances for a specific type of resource, it can be exposed on the API as a query parameter on the resource's endpoint. Let's say q. Search queries should be passed straight to the search engine and API output should be in the same format as a normal list result. Combining these together, we can build queries like:  GET /coupons?sort=-updated_at - Retrieve recently updated coupons.  GET /coupons?state=closed&sort=-updated_at - Retrieve recently closed coupons.  GET /coupons?q=return&state=open&sort=-priority,created_at - Retrieve the highest priority open coupons.mentioning the word 'return'
10 Aliases for commonqueries To make the API experience more pleasant for the average consumer, consider packaging up sets of conditions into easily accessible RESTful paths. For example, the recently closed coupons query could be packaged up as GET /coupons/recently_closed Limiting which fields are returned by the API The API consumer doesn't always need the full representation of a resource. The ability select and chose returned fields goes a long way in letting the API consumer minimize network traffic and speed up their own usage of the API. Use a fields query parameter that takes a comma separated list of fields to include. For example, the following request would retrieve just enough information to display a sorted listing of open tickets: GET /coupons?fields=id,subject,customer_name,updated_at&state=open&sort=-updated_at Updates & creationshould always return a resource representation A PUT, POST or PATCH call may make modifications to fields of the underlying resource that weren't part of the provided parameters (for example: created_at or updated_at timestamps). To prevent an API consumer from having to hit the API again for an updated representation, have the API return the updated (or created) representation as part of the response. In case of a POST that resulted in a creation, use a HTTP 201 status code and include a Location header that points to the URL of the new resource. Always HATEOAS There are a lot of mixed opinions as to whether the API consumer should create links or whether links should be provided to the API. RESTful design principles specify HATEOAS which roughly states that interaction with an endpoint should be defined
11 within metadata that comes with the output representation and not based on out-of-band information. Although the web generally works on HATEOAS type principles, I don't think we're ready for HATEOAS on APIs just yet. When browsing a website, decisions on what links will be clicked are made at run time. However, with an API, decisions as to what requests will be sent are made when the API integration code is written, not at run time. Could the decisions be deferred to run time? Sure, however, there isn't much to gain going down that route as code would still not be able to handle significant API changes without breaking. That said, I think HATEOAS is promising. Some more effort has to be put in to define standards and tooling around these principles for its potential to be fully realized. For now, it's best to assume the user has access to the documentation & include resource identifiers in the output representation which the API consumer will use when crafting links. There are a couple of advantages of sticking to identifiers - data flowing over the network is minimized and the data stored by API consumers is also minimized (as they are storing small identifiers as opposed to URLs that contain identifiers). Furthermore, given this post advocates version numbers in the URL, it makes more sense in the long term for the API consumer to store resource identifiers as opposed to URLs. After all, the identifier is stable across versions but the URL representing is not! JSON only responses It's time to leave XML behind in APIs. It's hard to parse, it's hard to read, its data model isn't compatible with how most programming languages model data and its extendibility advantages are irrelevant when your output representation's primary needs are serialization from an internal representation. However, if your customer base consists of a large number of enterprise customers, you may find yourself having to support XML anyway. If you must do this, you'll find yourself with a whole set of new questions.
12 Using media type change basedon Accept headers or based on the URL To ensure browser exportability, it should be in the URL. The most sensible option here would be to append a .json or.xml extension to the endpoint URL. Use snake_case vs CamelCase for field names If you're using JSON (JavaScript Object Notation) as your primary representation format, the "right" thing to do is to follow JavaScript naming conventions - and that means CamelCase for field names! If you then go the route of building client libraries in various languages, it's best to use idiomatic naming conventions in them - camelCase for C# & Java, snake_case for python & ruby. Food for thought: I've always felt that snake_case is easier to read than JavaScript's convention of camelCase. I just didn't have any evidence to back up my gut feelings, until now. Based on an eye tracking study on camelCase and snake_case (PDF) from 2010, snake_case is 20% easier to read than CamelCase! That impact on readability would affect API exportability and examples in documentation. Many popular JSON APIs use snake_case. I suspect this is due to serialization libraries following naming conventions of the underlying language they are using. Perhaps we need to have JSON serialization libraries handle naming convention transformations. Pretty print by default & make sure gzip is supported An API that provides white-space compressed output isn't very fun to look at from a browser. Although some sort of query parameter (like ?pretty=true) could be provided to enable pretty printing, an API that pretty prints by default is much more approachable. The cost of the extra data transfer is negligible, especially when you compare to the cost of not implementing gzip. Consider some use cases: What if an API consumer is debugging and has their code print out data it received from the API - It will be readable by default. Or if the consumer grabbed the URL their code was generating and hit it directly from the browser - it will be readable by default. These are small things.
13 Extradata transfer Let's look at this with a real world example. Some data from GitHub's API, which uses pretty print by default. I'll also be doing some gzip comparisons: $ curl https://api.github.com/users/veesahni > with-whitespace.txt $ ruby -r json -e 'puts JSON JSON.parse(STDIN.read)' < with-whitespace.txt > without- whitespace.txt $ gzip -c with-whitespace.txt > with-whitespace.txt.gz $ gzip -c without-whitespace.txt > without-whitespace.txt.gz The output files have the following sizes:  without-whitespace.txt - 1252 bytes  with-whitespace.txt - 1369 bytes  without-whitespace.txt.gz - 496 bytes  with-whitespace.txt.gz - 509 bytes In this example, the whitespace increased the output size by 8.5% when gzip is not in play and 2.6% when gzip is in play. On the other hand, the act of gzipping in itself provided over 60% in bandwidth savings. Since the cost of pretty printing is relatively small, it's best to pretty print by default and ensure gzip compression is supported! Additionally, Twitter found that there was an 80% savings (in some cases) when enabling gzip compression on their Streaming API. Stack Exchange went as far as to never return a response that's not compressed! Make using an envelope by default possible when required Many APIs wrap their responses in envelopes like this: { "data" : { "id" : 345, "name" : "Michael" } }
14 There are a couple of justifications for doing this - it makes it easy to include additional metadata or pagination information, some REST clients don't allow easy access to HTTP headers & JSONP requests have no access to HTTP headers. However, with standards that are being rapidly adopted like CORS and the Link header from RFC 5988, enveloping is starting to become unnecessary. Envelope to be used in some exceptional cases There are 2 situations where an envelope is really needed - if the API needs to support cross domain requests over JSONP or if the client is incapable of working with HTTP headers. JSONP requests come with an additional query parameter (usually named callback or jsonp) representing the name of the callback function. If this parameter is present, the API should switch to a full envelope mode where it always responds with a 200 HTTP status code and passes the real status code in the JSON payload. Any additional HTTP headers that would have been passed alongside the response should be mapped to JSON fields, like so: callback_function({ status_code: 400, next_page: "https://..", response: { ... actual JSON response body ... } }) Similarly, to support limited HTTP clients, allow for a special query parameter ?envelope=true that would trigger full enveloping (without the JSONP callback function). JSON encoded POST,PUT& PATCH bodies If you're following the approach in this presentation, then you have embraced JSON for all API output. Considering JSON for API input: Many APIs use URL encoding in their API request bodies. URL encoding is exactly what it sounds like - request bodies where key value pairs are encoded using the same conventions as one would use to encode data in URL query parameters. This is simple, widely supported and
15 gets the job done. However, URL encoding has a few issues that make it problematic. It has no concept of data types. This forces the API to parse integers and Booleans out of strings. Furthermore, it has no real concept of hierarchical structure. Although there are some conventions that can build some structure out of key value pairs (like appending [ ] to a key to represent an array), this is no comparison to the native hierarchical structure of JSON. If the API is simple, URL encoding may suffice. However, complex APIs should stick to JSON for their API input. Either way, pick one and be consistent throughout the API. An API that accepts JSON encoded POST, PUT & PATCH requests should also require the Content- Type header be set to application/ json or throw a 415 Unsupported Media Type HTTP status code. Pagination Envelope loving APIs typically include pagination data in the envelope itself. The right way to include pagination details today is using the Link header introduced by RFC 5988. An API that uses the Link header can return a set of ready-made links so the API consumer doesn't have to construct links themselves. This is especially important when pagination is cursor based. Here is an example of a Link header used properly, grabbed from GitHub's documentation: Link: <https://api.github.com/user/repos?page=3&per_page=100>; rel="next", <https://api.github.com/user/repos?page=50&per_page=100>; rel="last" But this isn't a complete solution as many APIs do like to return the additional pagination information, like a count of the total number of available results. An API that requires sending a count can use a custom HTTP header like X-Total-Count. Auto loading related resource representations There are many cases where an API consumer needs to load data related to (or referenced) from the resource being requested. Rather than requiring the consumer to hit the API repeatedly for this information, there would be a significant efficiency gain from allowing related data to be returned and loaded alongside the original resource on demand.
16 However, as this does go against some RESTful principles, we can minimize our deviation by only doing so based on an embed (or expand) query parameter. In this case, embed would be a comma separated list of fields to be embedded. Dot-notation could be used to refer to sub- fields. For example: GET /coupons/12?embed=customer.name,assigned_user This would return a coupon with additional details embedded, like below: { "id" : 14, "subject" : "I have a question!", "summary" : "Hi, ....", "customer" : { "name" : "Michael" }, assigned_user: { "id" : 42, "name" : "Jack", } } Of course, ability to implement something like this really depends on internal complexity. This kind of embedding can easily result in an N+1 select issue. Overriding the HTTP method Some HTTP clients can only work with simple GET and POST requests. To increase accessibility to these limited clients, the API needs a way to override the HTTP method. Although there aren't any hard standards here, the popular convention is to accept a request header X-HTTP-Method-Override with a string value containing one of PUT, PATCH or DELETE. Note that the override header should only be accepted on POST requests. GET requests should never change data on the server! Rate limiting To prevent abuse, it is standard practice to add some sort of rate limiting to an API. RFC 6585 introduced a HTTP status code 429 Too Many Requests to accommodate this. However, it can be very useful to notify the consumer of their limits before they actually hit
17 it. This is an area that currently lacks standards but has a number of popular conventions using HTTP response headers. At a minimum, include the following headers (using Twitter's naming conventions as headers typically don't have mid-word capitalization):  X-Rate-Limit-Limit - The number of allowed requests in the current period  X-Rate-Limit-Remaining - The number of remaining requests in the current period  X-Rate-Limit-Reset - The number of seconds left in the current period Why Time Stamp A timestamp contains all sorts of useful but unnecessary information like the date and possibly the time-zone. An API consumer really just wants to know when they can send the request again & the number of seconds answers this question with minimal additional processing on their end. It also avoids issues related to clock skew. Some APIs use a UNIX timestamp for X-Rate-Limit-Reset. Don't do this! Bad practice to use a UNIX timestampfor X-Rate-Limit-Reset The HTTP spec already specifies using RFC 1123 date formats (currently being used in Date, If-Modified-Since & Last-Modified HTTP headers). If we were to specify a new HTTP header that takes a timestamp of some sort, it should follow RFC 1123 conventions instead of using UNIX timestamps. Authentication A RESTful API should be stateless. This means that request authentication should not depend on cookies or sessions. Instead, each request should come with some sort authentication credentials. By always using SSL, the authentication credentials can be simplified to a randomly generated access token that is delivered in the user name field of HTTP Basic Auth. The great thing about this is that it's completely browser explorable - the browser will just popup a prompt asking for credentials if it receives a 401 Unauthorized status code from the server.
18 However, this token-over-basic-auth method of authentication is only acceptable in cases where it's practical to have the user copy a token from an administration interface to the API consumer environment. In cases where this isn't possible, OAuth 2 should be used to provide secure token transfer to a third party. OAuth 2 uses Bearer tokens & also depends on SSL for its underlying transport encryption. An API that needs to support JSONP will need a third method of authentication, as JSONP requests cannot send HTTP Basic Auth credentials or Bearer tokens. In this case, a special query parameter access_token can be used. Note: There is an inherit security issue in using a query parameter for a Token, as most web servers store quarry parameters in server logs. For what it's worth, all three methods above are just ways to transport the token across the API boundary. The actual underlying token itself could be identical. Caching HTTP provides a built-in caching framework. All you have to do is include some additional outbound response headers and do a little validation when you receive some inbound request headers. There are 2 approaches: ETag and Last-Modified 1. ETag: When generating a request, include a HTTP header ETag containing a hash or checksum of the representation. This value should change whenever the output representation changes. Now, if an inbound HTTP requests contains an If-None-Match header with a matching ETag value, the API should return a 304 Not Modified status code instead of the output representation of the resource. 2. Last-Modified: This basically works like to ETag, except that it uses timestamps. The response header Last- Modified contains a timestamp in RFC 1123 format which is validated against If-Modified- Since.
19 Note: The HTTP spec has had 3 different acceptable date formats and therefore the server should be prepared to accept any one of them. Errors Just like an HTML error page shows a useful error message to a visitor, an API should provide a useful error message in a known consumable format. The representation of an error should be no different than the representation of any resource, just with its own set of fields. The API should always return sensible HTTP status codes. API errors typically break down into 2 types: 400 series status codes for client issues & 500 series status codes for server issues. At a minimum, the API should standardize that all 400 series errors come with consumable JSON error representation. If possible, this should extend to 500 series status codes. A JSON error body should provide a few things for the developer:  A useful error message  A unique error code (that can be looked up for more details in the docs)  A detailed description. JSON output representation for something like this would look like below: { "code" : 400, "message" : "Something bad happened :(", "description" : "More details will follow soon" } Validation errors for PUT, PATCH and POST requests will need a field breakdown. This is best modelled by using a fixed top-level error code for validation failures and providing the detailed errors in an additional errors field, like so: { "code" : 1024, "message" : "Validation Failed", "errors" : [ {
20 "code" : 5432, "field" : "last_name", "message" : "Last name cannot have small characters" }, { "code" : 5622, "field" : "password", "message" : "Password cannot be left empty" } ] } HTTP status codes HTTP defines a bunch of meaningful status codes that can be returned from your API. These can be leveraged to help the API consumers route their responses accordingly. I have created a short list of the ones that you definitely should be using below:  200 OK - Response to a successful GET, PUT, PATCH or DELETE. Can also be used for a POST that doesn't result in a creation.  201 Created - Response to a POST that results in a creation. Should be combined with allocation pointing to the location of the new resource  204 No Content - Response to a successful request that won't be returning a body (like a DELETE request)  304 Not Modified - Used when HTTP caching headers are in play  400 Bad Request - The request is malformed, such as if the body does not parse  401 Unauthorized - When no or invalid authentication details are provided. Also useful to trigger an Auth popup if the API is used from a browser  403 Forbidden - When authentication succeeded but authenticated user doesn't have access to the resource  404 Not Found - When a non-existent resource is requested  405 Method Not Allowed - When an HTTP method is being requested that isn't allowed for the authenticated user  410 Gone - Indicates that the resource at this end point is no longer available. Useful as a blanket response for old API versions  415 Unsupported Media Type - If incorrect content type was provided as part of the request
21  422 Unprocessable Entity - Used for validation errors  429 Too Many Requests - When a request is rejected due to rate limiting  501 Not Implemented - The server either does not recognize the request method  502 Bad Gateway - The server was acting as a gateway or proxy and received an invalid response  503 Service Not Available - The server is currently unavailable Last thoughts An API is a UI for developers as well as many different people who use them and know their construction and usability. Put the effort in to ensure it's not just functional but pleasant to use. Compiled by: Michael Cyrus of Ksathra Systems.

Recommended

REST API Doc Best Practices
REST API Doc Best PracticesREST API Doc Best Practices
REST API Doc Best PracticesMarta Rauch
 
LAJUG Napster REST API
LAJUG Napster REST APILAJUG Napster REST API
LAJUG Napster REST APIstephenbhadran
 
Extend soa with api management Sangam18
Extend soa with api management Sangam18Extend soa with api management Sangam18
Extend soa with api management Sangam18Vinay Kumar
 
Rest API Automation with REST Assured
Rest API Automation with REST AssuredRest API Automation with REST Assured
Rest API Automation with REST AssuredTO THE NEW Pvt. Ltd.
 
Designing Good API & Its Importance
Designing Good API & Its ImportanceDesigning Good API & Its Importance
Designing Good API & Its ImportanceImran M Yousuf
 
Dilip_SOA_OIM_Resume
Dilip_SOA_OIM_ResumeDilip_SOA_OIM_Resume
Dilip_SOA_OIM_ResumeDilip Chaudhari
 
The Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the EnterpriseThe Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the EnterpriseAkana
 
Getting started-with-oracle-so a-vi
Getting started-with-oracle-so a-viGetting started-with-oracle-so a-vi
Getting started-with-oracle-so a-viAmit Sharma
 

Recommended

REST API Doc Best Practices
REST API Doc Best PracticesREST API Doc Best Practices
REST API Doc Best PracticesMarta Rauch
 
LAJUG Napster REST API
LAJUG Napster REST APILAJUG Napster REST API
LAJUG Napster REST APIstephenbhadran
 
Extend soa with api management Sangam18
Extend soa with api management Sangam18Extend soa with api management Sangam18
Extend soa with api management Sangam18Vinay Kumar
 
Rest API Automation with REST Assured
Rest API Automation with REST AssuredRest API Automation with REST Assured
Rest API Automation with REST AssuredTO THE NEW Pvt. Ltd.
 
Designing Good API & Its Importance
Designing Good API & Its ImportanceDesigning Good API & Its Importance
Designing Good API & Its ImportanceImran M Yousuf
 
Dilip_SOA_OIM_Resume
Dilip_SOA_OIM_ResumeDilip_SOA_OIM_Resume
Dilip_SOA_OIM_ResumeDilip Chaudhari
 
The Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the EnterpriseThe Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the EnterpriseAkana
 
Getting started-with-oracle-so a-vi
Getting started-with-oracle-so a-viGetting started-with-oracle-so a-vi
Getting started-with-oracle-so a-viAmit Sharma
 
BIM機電系統整合套繪實例
BIM機電系統整合套繪實例BIM機電系統整合套繪實例
BIM機電系統整合套繪實例heyyo789
 
Cẩm nang hỗ trợ người lao động Việt Nam làm việc tại Malaysia
Cẩm nang hỗ trợ người lao động Việt Nam làm việc tại MalaysiaCẩm nang hỗ trợ người lao động Việt Nam làm việc tại Malaysia
Cẩm nang hỗ trợ người lao động Việt Nam làm việc tại Malaysianguyenhung84vn
 
El chucu chu del tren
El chucu chu del tren El chucu chu del tren
El chucu chu del tren Natalia Simón
 
5 prezoge
5 prezoge5 prezoge
5 prezogeZinaida Alexandrova
 
Pdf nota mp3 1
Pdf nota mp3 1Pdf nota mp3 1
Pdf nota mp3 1rodolfo baksys
 
A comparative analysis of strategies for design in Finland and Brazil
A comparative analysis of strategies for design in Finland and BrazilA comparative analysis of strategies for design in Finland and Brazil
A comparative analysis of strategies for design in Finland and BrazilDUCO
 
여성용 비아그라 "EVO.OW.TO" 카톡:DDF11 여성용비아그라 구입,레비트라 정품처방방법,비아그라 10mg정품구입처,비아그라 정품복제...
여성용 비아그라 "EVO.OW.TO" 카톡:DDF11 여성용비아그라 구입,레비트라 정품처방방법,비아그라 10mg정품구입처,비아그라 정품복제...여성용 비아그라 "EVO.OW.TO" 카톡:DDF11 여성용비아그라 구입,레비트라 정품처방방법,비아그라 10mg정품구입처,비아그라 정품복제...
여성용 비아그라 "EVO.OW.TO" 카톡:DDF11 여성용비아그라 구입,레비트라 정품처방방법,비아그라 10mg정품구입처,비아그라 정품복제...kuuyr loot
 
Fundamental Essentials for API Design
Fundamental Essentials for API DesignFundamental Essentials for API Design
Fundamental Essentials for API DesignMichael James Cyrus
 
luat lao dong
luat lao dongluat lao dong
luat lao dongSâu Con
 
adaptive-reuse-architecture-documentation-and-analysis-2168-9717-1000172
adaptive-reuse-architecture-documentation-and-analysis-2168-9717-1000172adaptive-reuse-architecture-documentation-and-analysis-2168-9717-1000172
adaptive-reuse-architecture-documentation-and-analysis-2168-9717-1000172Yael C.Agmon
 
Calificaciones y asistencia taller 2 2016 def (1)
Calificaciones y asistencia taller 2 2016 def (1)Calificaciones y asistencia taller 2 2016 def (1)
Calificaciones y asistencia taller 2 2016 def (1)rodolfo baksys
 
Меноніти в Олександрівську – Запоріжжі
Меноніти в Олександрівську – ЗапоріжжіМеноніти в Олександрівську – Запоріжжі
Меноніти в Олександрівську – ЗапоріжжіОлена Семенець
 
Rest api best practices – comprehensive handbook
Rest api best practices – comprehensive handbookRest api best practices – comprehensive handbook
Rest api best practices – comprehensive handbookKaty Slemon
 
Unerstanding and Using RESTful APIs
Unerstanding and Using RESTful APIsUnerstanding and Using RESTful APIs
Unerstanding and Using RESTful APIsSocialDevCamp Chicago
 
Understanding and Using Rest APIs (SocialDevCamp Chicago 2009)
Understanding and Using Rest APIs (SocialDevCamp Chicago 2009)Understanding and Using Rest APIs (SocialDevCamp Chicago 2009)
Understanding and Using Rest APIs (SocialDevCamp Chicago 2009)Pete Morano
 
REST API Guidelines.pdf
REST API Guidelines.pdfREST API Guidelines.pdf
REST API Guidelines.pdfNickNack8
 
zendframework2 restful
zendframework2 restfulzendframework2 restful
zendframework2 restfultom_li
 
REST full API Design
REST full API DesignREST full API Design
REST full API DesignChristian Guenther
 
Best practices and advantages of REST APIs
Best practices and advantages of REST APIsBest practices and advantages of REST APIs
Best practices and advantages of REST APIsAparna Sharma
 
Api design part 1
Api design part 1Api design part 1
Api design part 1Ibrahim Elsawaf
 
Practical guide to building public APIs
Practical guide to building public APIsPractical guide to building public APIs
Practical guide to building public APIsReda Hmeid MBCS
 
IRJET- Rest API for E-Commerce Site
IRJET- Rest API for E-Commerce SiteIRJET- Rest API for E-Commerce Site
IRJET- Rest API for E-Commerce SiteIRJET Journal
 

More Related Content

Viewers also liked

BIM機電系統整合套繪實例
BIM機電系統整合套繪實例BIM機電系統整合套繪實例
BIM機電系統整合套繪實例heyyo789
 
Cẩm nang hỗ trợ người lao động Việt Nam làm việc tại Malaysia
Cẩm nang hỗ trợ người lao động Việt Nam làm việc tại MalaysiaCẩm nang hỗ trợ người lao động Việt Nam làm việc tại Malaysia
Cẩm nang hỗ trợ người lao động Việt Nam làm việc tại Malaysianguyenhung84vn
 
El chucu chu del tren
El chucu chu del tren El chucu chu del tren
El chucu chu del tren Natalia Simón
 
A comparative analysis of strategies for design in Finland and Brazil
A comparative analysis of strategies for design in Finland and BrazilA comparative analysis of strategies for design in Finland and Brazil
A comparative analysis of strategies for design in Finland and BrazilDUCO
 
여성용 비아그라 "EVO.OW.TO" 카톡:DDF11 여성용비아그라 구입,레비트라 정품처방방법,비아그라 10mg정품구입처,비아그라 정품복제...
여성용 비아그라 "EVO.OW.TO" 카톡:DDF11 여성용비아그라 구입,레비트라 정품처방방법,비아그라 10mg정품구입처,비아그라 정품복제...여성용 비아그라 "EVO.OW.TO" 카톡:DDF11 여성용비아그라 구입,레비트라 정품처방방법,비아그라 10mg정품구입처,비아그라 정품복제...
여성용 비아그라 "EVO.OW.TO" 카톡:DDF11 여성용비아그라 구입,레비트라 정품처방방법,비아그라 10mg정품구입처,비아그라 정품복제...kuuyr loot
 
Fundamental Essentials for API Design
Fundamental Essentials for API DesignFundamental Essentials for API Design
Fundamental Essentials for API DesignMichael James Cyrus
 
luat lao dong
luat lao dongluat lao dong
luat lao dongSâu Con
 
adaptive-reuse-architecture-documentation-and-analysis-2168-9717-1000172
adaptive-reuse-architecture-documentation-and-analysis-2168-9717-1000172adaptive-reuse-architecture-documentation-and-analysis-2168-9717-1000172
adaptive-reuse-architecture-documentation-and-analysis-2168-9717-1000172Yael C.Agmon
 
Calificaciones y asistencia taller 2 2016 def (1)
Calificaciones y asistencia taller 2 2016 def (1)Calificaciones y asistencia taller 2 2016 def (1)
Calificaciones y asistencia taller 2 2016 def (1)rodolfo baksys
 
Меноніти в Олександрівську – Запоріжжі
Меноніти в Олександрівську – ЗапоріжжіМеноніти в Олександрівську – Запоріжжі
Меноніти в Олександрівську – ЗапоріжжіОлена Семенець
 

Viewers also liked (12)

BIM機電系統整合套繪實例
BIM機電系統整合套繪實例BIM機電系統整合套繪實例
BIM機電系統整合套繪實例
 
Cẩm nang hỗ trợ người lao động Việt Nam làm việc tại Malaysia
Cẩm nang hỗ trợ người lao động Việt Nam làm việc tại MalaysiaCẩm nang hỗ trợ người lao động Việt Nam làm việc tại Malaysia
Cẩm nang hỗ trợ người lao động Việt Nam làm việc tại Malaysia
 
El chucu chu del tren
El chucu chu del tren El chucu chu del tren
El chucu chu del tren
 
5 prezoge
5 prezoge5 prezoge
5 prezoge
 
Pdf nota mp3 1
Pdf nota mp3 1Pdf nota mp3 1
Pdf nota mp3 1
 
A comparative analysis of strategies for design in Finland and Brazil
A comparative analysis of strategies for design in Finland and BrazilA comparative analysis of strategies for design in Finland and Brazil
A comparative analysis of strategies for design in Finland and Brazil
 
여성용 비아그라 "EVO.OW.TO" 카톡:DDF11 여성용비아그라 구입,레비트라 정품처방방법,비아그라 10mg정품구입처,비아그라 정품복제...
여성용 비아그라 "EVO.OW.TO" 카톡:DDF11 여성용비아그라 구입,레비트라 정품처방방법,비아그라 10mg정품구입처,비아그라 정품복제...여성용 비아그라 "EVO.OW.TO" 카톡:DDF11 여성용비아그라 구입,레비트라 정품처방방법,비아그라 10mg정품구입처,비아그라 정품복제...
여성용 비아그라 "EVO.OW.TO" 카톡:DDF11 여성용비아그라 구입,레비트라 정품처방방법,비아그라 10mg정품구입처,비아그라 정품복제...
 
Fundamental Essentials for API Design
Fundamental Essentials for API DesignFundamental Essentials for API Design
Fundamental Essentials for API Design
 
luat lao dong
luat lao dongluat lao dong
luat lao dong
 
adaptive-reuse-architecture-documentation-and-analysis-2168-9717-1000172
adaptive-reuse-architecture-documentation-and-analysis-2168-9717-1000172adaptive-reuse-architecture-documentation-and-analysis-2168-9717-1000172
adaptive-reuse-architecture-documentation-and-analysis-2168-9717-1000172
 
Calificaciones y asistencia taller 2 2016 def (1)
Calificaciones y asistencia taller 2 2016 def (1)Calificaciones y asistencia taller 2 2016 def (1)
Calificaciones y asistencia taller 2 2016 def (1)
 
Меноніти в Олександрівську – Запоріжжі
Меноніти в Олександрівську – ЗапоріжжіМеноніти в Олександрівську – Запоріжжі
Меноніти в Олександрівську – Запоріжжі
 

Similar to Fundamental essentials for api design

Rest api best practices – comprehensive handbook
Rest api best practices – comprehensive handbookRest api best practices – comprehensive handbook
Rest api best practices – comprehensive handbookKaty Slemon
 
Understanding and Using Rest APIs (SocialDevCamp Chicago 2009)
Understanding and Using Rest APIs (SocialDevCamp Chicago 2009)Understanding and Using Rest APIs (SocialDevCamp Chicago 2009)
Understanding and Using Rest APIs (SocialDevCamp Chicago 2009)Pete Morano
 
REST API Guidelines.pdf
REST API Guidelines.pdfREST API Guidelines.pdf
REST API Guidelines.pdfNickNack8
 
zendframework2 restful
zendframework2 restfulzendframework2 restful
zendframework2 restfultom_li
 
Best practices and advantages of REST APIs
Best practices and advantages of REST APIsBest practices and advantages of REST APIs
Best practices and advantages of REST APIsAparna Sharma
 
Practical guide to building public APIs
Practical guide to building public APIsPractical guide to building public APIs
Practical guide to building public APIsReda Hmeid MBCS
 
IRJET- Rest API for E-Commerce Site
IRJET- Rest API for E-Commerce SiteIRJET- Rest API for E-Commerce Site
IRJET- Rest API for E-Commerce SiteIRJET Journal
 
REST based API
REST based APIREST based API
REST based APIijtsrd
 
REST & RESTful APIs: The State of Confusion
REST & RESTful APIs: The State of ConfusionREST & RESTful APIs: The State of Confusion
REST & RESTful APIs: The State of ConfusionGlenn Antoine
 
RESTful applications: The why and how by Maikel Mardjan
RESTful applications: The why and how by Maikel MardjanRESTful applications: The why and how by Maikel Mardjan
RESTful applications: The why and how by Maikel MardjanJexia
 
Secc tutorials development and deployment of rest web services in java_v2.0
Secc tutorials development and deployment of rest web services in java_v2.0Secc tutorials development and deployment of rest web services in java_v2.0
Secc tutorials development and deployment of rest web services in java_v2.0Aravindharamanan S
 
REST-API's for architects and managers
REST-API's for architects and managersREST-API's for architects and managers
REST-API's for architects and managersPatrick Savalle
 
Web API Design: Crafting Interfaces that Developers Love
Web API Design: Crafting Interfaces that Developers LoveWeb API Design: Crafting Interfaces that Developers Love
Web API Design: Crafting Interfaces that Developers LoveJamison K. Bell | OvenPOP 360
 
Introduction to Open Services for Lifecycle Collaboration (OSLC)
Introduction to Open Services for Lifecycle Collaboration (OSLC)Introduction to Open Services for Lifecycle Collaboration (OSLC)
Introduction to Open Services for Lifecycle Collaboration (OSLC)Axel Reichwein
 

Similar to Fundamental essentials for api design (20)

Rest api best practices – comprehensive handbook
Rest api best practices – comprehensive handbookRest api best practices – comprehensive handbook
Rest api best practices – comprehensive handbook
 
Unerstanding and Using RESTful APIs
Unerstanding and Using RESTful APIsUnerstanding and Using RESTful APIs
Unerstanding and Using RESTful APIs
 
Understanding and Using Rest APIs (SocialDevCamp Chicago 2009)
Understanding and Using Rest APIs (SocialDevCamp Chicago 2009)Understanding and Using Rest APIs (SocialDevCamp Chicago 2009)
Understanding and Using Rest APIs (SocialDevCamp Chicago 2009)
 
REST API Guidelines.pdf
REST API Guidelines.pdfREST API Guidelines.pdf
REST API Guidelines.pdf
 
zendframework2 restful
zendframework2 restfulzendframework2 restful
zendframework2 restful
 
REST full API Design
REST full API DesignREST full API Design
REST full API Design
 
Best practices and advantages of REST APIs
Best practices and advantages of REST APIsBest practices and advantages of REST APIs
Best practices and advantages of REST APIs
 
Api design part 1
Api design part 1Api design part 1
Api design part 1
 
Practical guide to building public APIs
Practical guide to building public APIsPractical guide to building public APIs
Practical guide to building public APIs
 
IRJET- Rest API for E-Commerce Site
IRJET- Rest API for E-Commerce SiteIRJET- Rest API for E-Commerce Site
IRJET- Rest API for E-Commerce Site
 
REST based API
REST based APIREST based API
REST based API
 
REST & RESTful APIs: The State of Confusion
REST & RESTful APIs: The State of ConfusionREST & RESTful APIs: The State of Confusion
REST & RESTful APIs: The State of Confusion
 
RESTful applications: The why and how by Maikel Mardjan
RESTful applications: The why and how by Maikel MardjanRESTful applications: The why and how by Maikel Mardjan
RESTful applications: The why and how by Maikel Mardjan
 
REST != WebAPI
REST != WebAPIREST != WebAPI
REST != WebAPI
 
Secc tutorials development and deployment of rest web services in java_v2.0
Secc tutorials development and deployment of rest web services in java_v2.0Secc tutorials development and deployment of rest web services in java_v2.0
Secc tutorials development and deployment of rest web services in java_v2.0
 
REST-API's for architects and managers
REST-API's for architects and managersREST-API's for architects and managers
REST-API's for architects and managers
 
Getting Started with API Management
Getting Started with API ManagementGetting Started with API Management
Getting Started with API Management
 
Web API Design
Web API DesignWeb API Design
Web API Design
 
Web API Design: Crafting Interfaces that Developers Love
Web API Design: Crafting Interfaces that Developers LoveWeb API Design: Crafting Interfaces that Developers Love
Web API Design: Crafting Interfaces that Developers Love
 
Introduction to Open Services for Lifecycle Collaboration (OSLC)
Introduction to Open Services for Lifecycle Collaboration (OSLC)Introduction to Open Services for Lifecycle Collaboration (OSLC)
Introduction to Open Services for Lifecycle Collaboration (OSLC)
 

Recently uploaded

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 

Recently uploaded (20)

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 

Fundamental essentials for api design

  • 1. Fundamental essentials for (RESTful) API design and configurations K s a t h r a S y s t e m s L i m i t e d 7 / 2 9 / 2 0 1 6 Michael Cyrus Many of the API design opinions found on the web are academic discussions revolving around interpretations of uncertain standards as opposed to what makes sense in the real world. The aim of this presentation is to describe the best common practices for a practical API design for the web applications
  • 2. 1 Why JSON?............................................................................................................................................................................3 RESTful design difficulties..........................................................................................................................................3 Use RESTful URLs and actions..................................................................................................................................4 HTTP methods clarified...............................................................................................................................................4 Singularor plural endpoints.....................................................................................................................................6 How to deal with relations.........................................................................................................................................6 Actions that do not fit into CRUD operations...................................................................................................6 SSL at all times...................................................................................................................................................................7 Documentation is the way forward.......................................................................................................................7 Versioningis always best............................................................................................................................................8 Result filtering, sorting & searching.....................................................................................................................8 1. Filtering:...................................................................................................................................................................9 2. Sorting:......................................................................................................................................................................9 3. Searching:................................................................................................................................................................9 Aliases for common queries...................................................................................................................................10 Limiting which fields are returned by the API.............................................................................................10 Updates & creation should always return a resource representation..........................................10 Always HATEOAS...........................................................................................................................................................10 JSON only responses....................................................................................................................................................11 Using media type change based on Accept headersor based on the URL ...................................12 Use snake_case vs CamelCase for field names...............................................................................................12 Pretty print by default & make sure gzip is supported...........................................................................12 Extra data transfer.......................................................................................................................................................13 Make using an envelope by default possible when required...............................................................13 Envelope to be used in some exceptional cases..........................................................................................14 JSON encoded POST, PUT & PATCH bodies....................................................................................................14 Pagination.........................................................................................................................................................................15
  • 3. 2 Auto loading related resource representations.........................................................................................15 Overriding the HTTP method................................................................................................................................16 Rate limiting.....................................................................................................................................................................16 Why TimeStamp...........................................................................................................................................................17 Bad practice to use a UNIX timestamp for X-Rate-Limit-Reset..........................................................17 Authentication................................................................................................................................................................17 Caching................................................................................................................................................................................18 1. ETag:........................................................................................................................................................................18 2. Last-Modified:.......................................................................................................................................................18 Errors...................................................................................................................................................................................19 HTTP status codes........................................................................................................................................................20 Last thoughts...................................................................................................................................................................21
  • 4. 3 Fundamental essentials for “RESTful” API design and configurations Many of the API design opinions have found that on the web are academic discussions revolving around interpretations of uncertain standards as opposed to what makes sense in the real world. The aim of this presentation is to describe the best common practices in the IT industry for a practical API design for all the web applications Requirements that make RESTful APIs as appealing as per Dr Roy Fielding’s proposition are:  Scalability – not necessarily its performance, yet rather how easy it is for RESTful APIs to adapt and grow and be plugged into other systems.  Use of HTTP protocols– being able to use HTTP methods to manage resources makes RESTful APIs easy to plug into other applications.  Independency – with a RESTful API you can deploy or scale down specific parts of the application, without having to shut down the entire application or an entire web server form.  Reduced latency due to caching – REST APIs prioritize caching, which helps to improve latency. So always keep caching top of mind when you’re developing your REST API.  Security – HTTP specification lets you spot security via certain HTTP headers, so you can leverage this to make your API more secure.  Encapsulation – there are parts of the application that don’t need to be exposed to a REST caller, and REST as an architectural style allows you to encapsulate those gritty details and only show things that you need to show. Why JSON?  Ubiquity – over 57% of all web-based applications that have JSON are built on JavaScript, or have JavaScript components.  Human readable – it uses very simple grammar and language, so a human can easily read it, including the new developers who just starting to get into software development.  Fields: It’s easy to change or add new fields. RESTful designdifficulties RESTful APIs are difficult to design because REST is an architectural style, and not a specification. It has no standard governing body and therefore has no hard and fast
  • 5. 4 design rules. What REST does have is an interpretation of how HTTP protocol works, which allows for different approaches for designing a REST API. While use of HTTP methods is a core advantage of the REST approach, it also means that there are lots of different RESTful API designs. I am going to focus on some of the best guidelines that I have come up with in designing the RESTful API. Use RESTful URLs and actions The key principles of REST involve separating your API into logical resources. These resources are manipulated using HTTP requests where the methods GET, POST, PUT, and DELETE have specific meanings. HTTP methods clarified The HTTP protocol defines a number of methods that assign semantic meaning to a request. The common HTTP methods used by most RESTful web APIs are:  GET - to retrieve a copy of the resource at the specified URI. The body of the response message contains the details of the requested resource.  POST - to create a new resource at the specified URI. The body of the request message provides the details of the new resource. Note that POST can also be used to trigger operations that don't actually create resources.  PUT - to replace or update the resource at the specified URI. The body of the request message specifies the resource to be modified and the values to be applied.  DELETE - to remove the resource at the specified URI. Note: The HTTP protocol also defines other less commonly-used methods, such as PATCH which is used to request selective updates to a resource, HEAD which is used to request a description of a resource, OPTIONS which enables a client information to obtain information about the communication options supported by the server, and TRACE which allows a client to request information that it can use for testing and diagnostics purposes. The effect of a specific request should depend on whether the resource to which it is applied is a collection or an individual item. The following table below summarizes the common conventions adopted by most RESTful implementations using the ecommerce example:
  • 6. 5 The purpose of GET and DELETE requests are relatively straightforward, but there is scope for confusion concerning the purpose and effects of POST and PUT requests. A POST request should create a new resource with data provided in the body of the request. In the REST model, you frequently apply POST requests to resources that are collections; the new resource is added to the collection. Note: You can also define POST requests that trigger some functionality (and that don't necessarily return data), and these types of request can be applied to collections. For example you could use a POST request to pass a timesheet to a payroll processing service and get the calculated taxes back as a response. A PUT request is intended to modify an existing resource. If the specified resource does not exist, the PUT request could return an error (in some cases, it might actually create the resource). PUT requests are most frequently applied to resources that are individual items (such as a specific customer or order), although they can be applied to collections, although this is less-commonly implemented. Note that PUT requests are idempotent whereas POST requests are not; if an application submits the same PUT request multiple times the results should always be the same (the same resource will be modified with the same values), but if an application repeats the same POST request the result will be the creation of multiple resources. Note: Strictly speaking, an HTTP PUT request replaces an existing resource with the resource specified in the body of the request. If the intention is to modify a selection of properties in a
  • 7. 6 resource but leave other properties unchanged, then this should be implemented by using an HTTP PATCH request. However, many RESTful implementations relax this rule and use PUT for both situations. Singular or plural endpoints Although a true grammar language tells you it's wrong to describe a single instance of a resource using a plural, the pragmatic answer is to keep the URL format consistent and always use a plural. Not having to deal with odd pluralization (person/people, goose/geese) makes the life of the API consumer better and is easier for the API provider to implement (as most modern frameworks will natively handle /coupons and /coupons/12 under a common controller). Howto deal withrelations If a relation can only exist within another resource, RESTful principles provide useful guidance. Let's look at this with an example. A coupon consisting of a number of messages. These messages can be logically mapped to the /coupons endpoint as bellow:  GET /coupons/12/messages - Retrieves list of messages for coupon #12  GET /coupons/12/messages/5 - Retrieves message #5 for coupon #12  POST /coupons/12/messages - Creates a new message in coupon #12  PUT /coupons/12/messages/5 - Updates message #5 for coupon #12  PATCH /coupons/12/messages/5 - Partially updates message #5 for coupon #12  DELETE /coupons/12/messages/5 - Deletes message #5 for coupon #12 Alternatively, if a relation can exist independently of the resource, it makes sense to just include an identifier for it within the output representation of the resource. The API consumer would then have to hit the relation's endpoint. However, if the relation is commonly requested alongside the resource, the API could offer functionality to automatically embed the relation's representation and avoid the second hit to the API. Actions that do not fit into CRUDoperations This is where things can get a little bit confusing. There are a number of approaches:
  • 8. 7  Restructure the action to appear like a field of a resource. This works if the action doesn't take parameters. For example an activate action could be mapped to a boolean activated field and updated via a PATCH to the resource.  Treat it like a sub-resource with RESTful principles. For instance, GitHub's API lets you star a gist with PUT /gists/:id/star and unstar with DELETE /gists/:id/star.  Sometimes you really have no way to map the action to a sensible RESTful structure. For example, a multi-resource search doesn't really make sense to be applied to a specific resource's endpoint. In this case, /search would make the most sense even though it isn't a resource. This is OK - just do what's right from the perspective of the API consumer and make sure it's documented clearly to avoid confusion. SSL at all times Always use SSL. APIs can get accessed from anywhere there is internet (like libraries, coffee shops, airports, etc.). Not all of these are secure. Many don't encrypt communications at all, allowing for easy eavesdropping or impersonation if authentication credentials are hijacked. Another advantage of always using SSL is that guaranteed encrypted communications simplifies authentication efforts - you can get away with simple access tokens instead of having to sign each API request. One thing to watch out for is non-SSL access to API URLs. Do not redirect these to their SSL counterparts. Throw a hard error instead! The last thing you want is for poorly configured clients to send requests to an unencrypted endpoint, just to be silently redirected to the actual encrypted endpoint. Documentationis the way forward An API is only as good as its documentation. The docs should be easy to find and publically accessible. Most developers will check out the docs before attempting any integration effort. When the docs are hidden inside a PDF file or require signing in, they're not only difficult to find but also not easy to search. The docs should show examples of complete request/response cycles. Preferably, the requests should be passable examples - either links that can be pasted into a browser or curl examples that can be pasted into a terminal. GitHub and Stripe do a great job with this.
  • 9. 8 Once you release a public API, you've committed to not breaking things without notice. The documentation must include any depreciation schedules and details surrounding externally visible API updates. Updates should be delivered via a blog or a mailing list (preferably both!). Versioning is always best Always version your API. Versioning helps you iterate faster and prevents invalid requests from hitting updated endpoints. It also helps smooth over any major API version transitions as you can continue to offer old API versions for a period of time. There are mixed opinions around whether an API version should be included in the URL or in a header. Academically speaking, it should probably be in a header. However, the version needs to be in the URL to ensure browser exportability of the resources across versions. Be a big fan of the approach that Stripe has taken to API versioning - the URL has a major version number (v1), but the API has date based sub-versions which can be chosen using a custom HTTP request header. In this case, the major version provides structural stability of the API as a whole while the sub-versions accounts for smaller changes (field deprecations, endpoint changes, etc.). An API is never going to be completely stable. Change is inevitable. What's important is how that change is managed. Well documented and announced multi-month depreciation schedules can be an acceptable practice for many APIs. It comes down to what is reasonable given the industry and possible consumers of the API. Result filtering,sorting & searching It's best to keep the base resource URLs as lean as possible. Complex result filters, sorting requirements and advanced searching (when restricted to a single type of resource) can all be easily implemented as query parameters on top of the base URL.
  • 10. 9 Let's look at these in more detail: 1. Filtering: Use a unique query parameter for each field that implements filtering. For instance, when requesting a list of tickets from the /coupons endpoint, you may want to limit these to only those in the open state. This could be accomplished with a request like GET /coupons?state=open. In here,state is a query parameter that implements a filter. 2. Sorting: Similar to filtering, a generic parameter sort can be used to describe sorting rules. Accommodate complex sorting requirements by letting the sort parameter take in list of comma separated fields, each with a possible unary negative to imply descending sort order. Some examples:  GET /coupons?sort=-priority - Retrieves a list of tickets in descending order of priority  GET /coupons?sort=-priority,created_at - Retrieves a list of tickets in descending order of priority. Within a specific priority, older tickets are ordered first 3. Searching: Sometimes basic filters aren't enough and you need the power of full text search. Perhaps you're already using ElasticSearch or another Lucene based search technology. When full text search is used as a mechanism of retrieving resource instances for a specific type of resource, it can be exposed on the API as a query parameter on the resource's endpoint. Let's say q. Search queries should be passed straight to the search engine and API output should be in the same format as a normal list result. Combining these together, we can build queries like:  GET /coupons?sort=-updated_at - Retrieve recently updated coupons.  GET /coupons?state=closed&sort=-updated_at - Retrieve recently closed coupons.  GET /coupons?q=return&state=open&sort=-priority,created_at - Retrieve the highest priority open coupons.mentioning the word 'return'
  • 11. 10 Aliases for commonqueries To make the API experience more pleasant for the average consumer, consider packaging up sets of conditions into easily accessible RESTful paths. For example, the recently closed coupons query could be packaged up as GET /coupons/recently_closed Limiting which fields are returned by the API The API consumer doesn't always need the full representation of a resource. The ability select and chose returned fields goes a long way in letting the API consumer minimize network traffic and speed up their own usage of the API. Use a fields query parameter that takes a comma separated list of fields to include. For example, the following request would retrieve just enough information to display a sorted listing of open tickets: GET /coupons?fields=id,subject,customer_name,updated_at&state=open&sort=-updated_at Updates & creationshould always return a resource representation A PUT, POST or PATCH call may make modifications to fields of the underlying resource that weren't part of the provided parameters (for example: created_at or updated_at timestamps). To prevent an API consumer from having to hit the API again for an updated representation, have the API return the updated (or created) representation as part of the response. In case of a POST that resulted in a creation, use a HTTP 201 status code and include a Location header that points to the URL of the new resource. Always HATEOAS There are a lot of mixed opinions as to whether the API consumer should create links or whether links should be provided to the API. RESTful design principles specify HATEOAS which roughly states that interaction with an endpoint should be defined
  • 12. 11 within metadata that comes with the output representation and not based on out-of-band information. Although the web generally works on HATEOAS type principles, I don't think we're ready for HATEOAS on APIs just yet. When browsing a website, decisions on what links will be clicked are made at run time. However, with an API, decisions as to what requests will be sent are made when the API integration code is written, not at run time. Could the decisions be deferred to run time? Sure, however, there isn't much to gain going down that route as code would still not be able to handle significant API changes without breaking. That said, I think HATEOAS is promising. Some more effort has to be put in to define standards and tooling around these principles for its potential to be fully realized. For now, it's best to assume the user has access to the documentation & include resource identifiers in the output representation which the API consumer will use when crafting links. There are a couple of advantages of sticking to identifiers - data flowing over the network is minimized and the data stored by API consumers is also minimized (as they are storing small identifiers as opposed to URLs that contain identifiers). Furthermore, given this post advocates version numbers in the URL, it makes more sense in the long term for the API consumer to store resource identifiers as opposed to URLs. After all, the identifier is stable across versions but the URL representing is not! JSON only responses It's time to leave XML behind in APIs. It's hard to parse, it's hard to read, its data model isn't compatible with how most programming languages model data and its extendibility advantages are irrelevant when your output representation's primary needs are serialization from an internal representation. However, if your customer base consists of a large number of enterprise customers, you may find yourself having to support XML anyway. If you must do this, you'll find yourself with a whole set of new questions.
  • 13. 12 Using media type change basedon Accept headers or based on the URL To ensure browser exportability, it should be in the URL. The most sensible option here would be to append a .json or.xml extension to the endpoint URL. Use snake_case vs CamelCase for field names If you're using JSON (JavaScript Object Notation) as your primary representation format, the "right" thing to do is to follow JavaScript naming conventions - and that means CamelCase for field names! If you then go the route of building client libraries in various languages, it's best to use idiomatic naming conventions in them - camelCase for C# & Java, snake_case for python & ruby. Food for thought: I've always felt that snake_case is easier to read than JavaScript's convention of camelCase. I just didn't have any evidence to back up my gut feelings, until now. Based on an eye tracking study on camelCase and snake_case (PDF) from 2010, snake_case is 20% easier to read than CamelCase! That impact on readability would affect API exportability and examples in documentation. Many popular JSON APIs use snake_case. I suspect this is due to serialization libraries following naming conventions of the underlying language they are using. Perhaps we need to have JSON serialization libraries handle naming convention transformations. Pretty print by default & make sure gzip is supported An API that provides white-space compressed output isn't very fun to look at from a browser. Although some sort of query parameter (like ?pretty=true) could be provided to enable pretty printing, an API that pretty prints by default is much more approachable. The cost of the extra data transfer is negligible, especially when you compare to the cost of not implementing gzip. Consider some use cases: What if an API consumer is debugging and has their code print out data it received from the API - It will be readable by default. Or if the consumer grabbed the URL their code was generating and hit it directly from the browser - it will be readable by default. These are small things.
  • 14. 13 Extradata transfer Let's look at this with a real world example. Some data from GitHub's API, which uses pretty print by default. I'll also be doing some gzip comparisons: $ curl https://api.github.com/users/veesahni > with-whitespace.txt $ ruby -r json -e 'puts JSON JSON.parse(STDIN.read)' < with-whitespace.txt > without- whitespace.txt $ gzip -c with-whitespace.txt > with-whitespace.txt.gz $ gzip -c without-whitespace.txt > without-whitespace.txt.gz The output files have the following sizes:  without-whitespace.txt - 1252 bytes  with-whitespace.txt - 1369 bytes  without-whitespace.txt.gz - 496 bytes  with-whitespace.txt.gz - 509 bytes In this example, the whitespace increased the output size by 8.5% when gzip is not in play and 2.6% when gzip is in play. On the other hand, the act of gzipping in itself provided over 60% in bandwidth savings. Since the cost of pretty printing is relatively small, it's best to pretty print by default and ensure gzip compression is supported! Additionally, Twitter found that there was an 80% savings (in some cases) when enabling gzip compression on their Streaming API. Stack Exchange went as far as to never return a response that's not compressed! Make using an envelope by default possible when required Many APIs wrap their responses in envelopes like this: { "data" : { "id" : 345, "name" : "Michael" } }
  • 15. 14 There are a couple of justifications for doing this - it makes it easy to include additional metadata or pagination information, some REST clients don't allow easy access to HTTP headers & JSONP requests have no access to HTTP headers. However, with standards that are being rapidly adopted like CORS and the Link header from RFC 5988, enveloping is starting to become unnecessary. Envelope to be used in some exceptional cases There are 2 situations where an envelope is really needed - if the API needs to support cross domain requests over JSONP or if the client is incapable of working with HTTP headers. JSONP requests come with an additional query parameter (usually named callback or jsonp) representing the name of the callback function. If this parameter is present, the API should switch to a full envelope mode where it always responds with a 200 HTTP status code and passes the real status code in the JSON payload. Any additional HTTP headers that would have been passed alongside the response should be mapped to JSON fields, like so: callback_function({ status_code: 400, next_page: "https://..", response: { ... actual JSON response body ... } }) Similarly, to support limited HTTP clients, allow for a special query parameter ?envelope=true that would trigger full enveloping (without the JSONP callback function). JSON encoded POST,PUT& PATCH bodies If you're following the approach in this presentation, then you have embraced JSON for all API output. Considering JSON for API input: Many APIs use URL encoding in their API request bodies. URL encoding is exactly what it sounds like - request bodies where key value pairs are encoded using the same conventions as one would use to encode data in URL query parameters. This is simple, widely supported and
  • 16. 15 gets the job done. However, URL encoding has a few issues that make it problematic. It has no concept of data types. This forces the API to parse integers and Booleans out of strings. Furthermore, it has no real concept of hierarchical structure. Although there are some conventions that can build some structure out of key value pairs (like appending [ ] to a key to represent an array), this is no comparison to the native hierarchical structure of JSON. If the API is simple, URL encoding may suffice. However, complex APIs should stick to JSON for their API input. Either way, pick one and be consistent throughout the API. An API that accepts JSON encoded POST, PUT & PATCH requests should also require the Content- Type header be set to application/ json or throw a 415 Unsupported Media Type HTTP status code. Pagination Envelope loving APIs typically include pagination data in the envelope itself. The right way to include pagination details today is using the Link header introduced by RFC 5988. An API that uses the Link header can return a set of ready-made links so the API consumer doesn't have to construct links themselves. This is especially important when pagination is cursor based. Here is an example of a Link header used properly, grabbed from GitHub's documentation: Link: <https://api.github.com/user/repos?page=3&per_page=100>; rel="next", <https://api.github.com/user/repos?page=50&per_page=100>; rel="last" But this isn't a complete solution as many APIs do like to return the additional pagination information, like a count of the total number of available results. An API that requires sending a count can use a custom HTTP header like X-Total-Count. Auto loading related resource representations There are many cases where an API consumer needs to load data related to (or referenced) from the resource being requested. Rather than requiring the consumer to hit the API repeatedly for this information, there would be a significant efficiency gain from allowing related data to be returned and loaded alongside the original resource on demand.
  • 17. 16 However, as this does go against some RESTful principles, we can minimize our deviation by only doing so based on an embed (or expand) query parameter. In this case, embed would be a comma separated list of fields to be embedded. Dot-notation could be used to refer to sub- fields. For example: GET /coupons/12?embed=customer.name,assigned_user This would return a coupon with additional details embedded, like below: { "id" : 14, "subject" : "I have a question!", "summary" : "Hi, ....", "customer" : { "name" : "Michael" }, assigned_user: { "id" : 42, "name" : "Jack", } } Of course, ability to implement something like this really depends on internal complexity. This kind of embedding can easily result in an N+1 select issue. Overriding the HTTP method Some HTTP clients can only work with simple GET and POST requests. To increase accessibility to these limited clients, the API needs a way to override the HTTP method. Although there aren't any hard standards here, the popular convention is to accept a request header X-HTTP-Method-Override with a string value containing one of PUT, PATCH or DELETE. Note that the override header should only be accepted on POST requests. GET requests should never change data on the server! Rate limiting To prevent abuse, it is standard practice to add some sort of rate limiting to an API. RFC 6585 introduced a HTTP status code 429 Too Many Requests to accommodate this. However, it can be very useful to notify the consumer of their limits before they actually hit
  • 18. 17 it. This is an area that currently lacks standards but has a number of popular conventions using HTTP response headers. At a minimum, include the following headers (using Twitter's naming conventions as headers typically don't have mid-word capitalization):  X-Rate-Limit-Limit - The number of allowed requests in the current period  X-Rate-Limit-Remaining - The number of remaining requests in the current period  X-Rate-Limit-Reset - The number of seconds left in the current period Why Time Stamp A timestamp contains all sorts of useful but unnecessary information like the date and possibly the time-zone. An API consumer really just wants to know when they can send the request again & the number of seconds answers this question with minimal additional processing on their end. It also avoids issues related to clock skew. Some APIs use a UNIX timestamp for X-Rate-Limit-Reset. Don't do this! Bad practice to use a UNIX timestampfor X-Rate-Limit-Reset The HTTP spec already specifies using RFC 1123 date formats (currently being used in Date, If-Modified-Since & Last-Modified HTTP headers). If we were to specify a new HTTP header that takes a timestamp of some sort, it should follow RFC 1123 conventions instead of using UNIX timestamps. Authentication A RESTful API should be stateless. This means that request authentication should not depend on cookies or sessions. Instead, each request should come with some sort authentication credentials. By always using SSL, the authentication credentials can be simplified to a randomly generated access token that is delivered in the user name field of HTTP Basic Auth. The great thing about this is that it's completely browser explorable - the browser will just popup a prompt asking for credentials if it receives a 401 Unauthorized status code from the server.
  • 19. 18 However, this token-over-basic-auth method of authentication is only acceptable in cases where it's practical to have the user copy a token from an administration interface to the API consumer environment. In cases where this isn't possible, OAuth 2 should be used to provide secure token transfer to a third party. OAuth 2 uses Bearer tokens & also depends on SSL for its underlying transport encryption. An API that needs to support JSONP will need a third method of authentication, as JSONP requests cannot send HTTP Basic Auth credentials or Bearer tokens. In this case, a special query parameter access_token can be used. Note: There is an inherit security issue in using a query parameter for a Token, as most web servers store quarry parameters in server logs. For what it's worth, all three methods above are just ways to transport the token across the API boundary. The actual underlying token itself could be identical. Caching HTTP provides a built-in caching framework. All you have to do is include some additional outbound response headers and do a little validation when you receive some inbound request headers. There are 2 approaches: ETag and Last-Modified 1. ETag: When generating a request, include a HTTP header ETag containing a hash or checksum of the representation. This value should change whenever the output representation changes. Now, if an inbound HTTP requests contains an If-None-Match header with a matching ETag value, the API should return a 304 Not Modified status code instead of the output representation of the resource. 2. Last-Modified: This basically works like to ETag, except that it uses timestamps. The response header Last- Modified contains a timestamp in RFC 1123 format which is validated against If-Modified- Since.
  • 20. 19 Note: The HTTP spec has had 3 different acceptable date formats and therefore the server should be prepared to accept any one of them. Errors Just like an HTML error page shows a useful error message to a visitor, an API should provide a useful error message in a known consumable format. The representation of an error should be no different than the representation of any resource, just with its own set of fields. The API should always return sensible HTTP status codes. API errors typically break down into 2 types: 400 series status codes for client issues & 500 series status codes for server issues. At a minimum, the API should standardize that all 400 series errors come with consumable JSON error representation. If possible, this should extend to 500 series status codes. A JSON error body should provide a few things for the developer:  A useful error message  A unique error code (that can be looked up for more details in the docs)  A detailed description. JSON output representation for something like this would look like below: { "code" : 400, "message" : "Something bad happened :(", "description" : "More details will follow soon" } Validation errors for PUT, PATCH and POST requests will need a field breakdown. This is best modelled by using a fixed top-level error code for validation failures and providing the detailed errors in an additional errors field, like so: { "code" : 1024, "message" : "Validation Failed", "errors" : [ {
  • 21. 20 "code" : 5432, "field" : "last_name", "message" : "Last name cannot have small characters" }, { "code" : 5622, "field" : "password", "message" : "Password cannot be left empty" } ] } HTTP status codes HTTP defines a bunch of meaningful status codes that can be returned from your API. These can be leveraged to help the API consumers route their responses accordingly. I have created a short list of the ones that you definitely should be using below:  200 OK - Response to a successful GET, PUT, PATCH or DELETE. Can also be used for a POST that doesn't result in a creation.  201 Created - Response to a POST that results in a creation. Should be combined with allocation pointing to the location of the new resource  204 No Content - Response to a successful request that won't be returning a body (like a DELETE request)  304 Not Modified - Used when HTTP caching headers are in play  400 Bad Request - The request is malformed, such as if the body does not parse  401 Unauthorized - When no or invalid authentication details are provided. Also useful to trigger an Auth popup if the API is used from a browser  403 Forbidden - When authentication succeeded but authenticated user doesn't have access to the resource  404 Not Found - When a non-existent resource is requested  405 Method Not Allowed - When an HTTP method is being requested that isn't allowed for the authenticated user  410 Gone - Indicates that the resource at this end point is no longer available. Useful as a blanket response for old API versions  415 Unsupported Media Type - If incorrect content type was provided as part of the request
  • 22. 21  422 Unprocessable Entity - Used for validation errors  429 Too Many Requests - When a request is rejected due to rate limiting  501 Not Implemented - The server either does not recognize the request method  502 Bad Gateway - The server was acting as a gateway or proxy and received an invalid response  503 Service Not Available - The server is currently unavailable Last thoughts An API is a UI for developers as well as many different people who use them and know their construction and usability. Put the effort in to ensure it's not just functional but pleasant to use. Compiled by: Michael Cyrus of Ksathra Systems.