The document provides an introduction to HATEOAS (Hypermedia as the Engine of Application State), which is one of the constraints of REST. It defines HATEOAS as using hypermedia links in responses to drive application state, rather than through out-of-band information. Popular web APIs often violate HATEOAS by not including these links, unlike web user interfaces which adhere to it. While including links in API responses may be helpful for developers, it does not truly implement HATEOAS unless the links drive the client application state at runtime, rather than the developer deciding application flow. A true HATEOAS client would handle generic RESTful APIs similar to how a feed reader handles synd

1. HATEOAS 101
An Opinionated Introduction
Brian Mulloy Apigee
@landlessness @apigee

2. groups.google.com/group/api-craft

3. youtube.com/apigee

4. New!
IRC Channel
#api-craft
on freenode

5. WARNING: The author may betray a bias against
the application of REST constraints to web APIs.

6. What is HATEOAS?

8. Hypermedia As The Engine Of Application State

9. Let’s put HATEOAS in the full context of REST.

10. The Constraints of REST
1. Client-server
2. Stateless server
3. Cache
4. Uniform interface
a. Identification of resources
b. Manipulation of resources through representations
c. Self-descriptive messages
d. Hypermedia as the engine of application state
5. Layered System
6. Code-On-Demand (optional)

11. Let’s break it down.

12. The first three constraints…

13. 1. Client-server
2. Stateless server
3. Cache

14. …give us the client-cache-stateless-server web architecture.

15. client
cache
Each request
must contain
all information. No stored
context on the stateless
server. server
Client has the
right to reuse
client response data.
cache

16. (we’ll come back to the 4th constraint)

17. The 5th constraint, Layered System, lets us add
features like a gateway, load balancer and firewall.

18. Each layer Layers can encapsulate
provides services legacy services & protect
new services from legacy stateless
to it’s neighbors.
clients. server
load stateless
client firewall gateway
balancer server
Each layer cannot stateless
"see" beyond it’s server
immediate neighbor.

19. The optional 6th constraint, Code-on-Demand, allows the
client to request code from the server & execute it.

20. Add features to a
deployed client, which
provides for improved
extensibility and
configurability
client
stateless
server
code
Better user-perceived
performance and
efficiency

21. Now lets tackle the 4 parts of the 4th constraint,
Uniform Interface

22. With help from the Twitter UI.

23. a. Resource Identifier identifies the particular resource
involved in an interaction between components.

24. http://twitter.com/#!/jack/status/20

25. b. Resource Representation represents the state of a
resource for transfer between components.

26. <!DOCTYPE html>
<html data-nav-highlight-class-name="highlight-global-nav-home">
<head>
<title>Twitter</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta charset="utf-8" />
<meta name="description" content="Instantly connect to what&#39;s most important to
you. Follow your friends, experts, favorite celebrities, and breaking news." />
<link rel="dns-prefetch" href="http://a0.twimg.com"/>
<link rel="dns-prefetch" href="http://api.twitter.com"/>
<script type="text/javascript" charset="utf-8">
document.domain = 'twitter.com';
// this will be copied to twttr.appStartTime once our JS has started up
document.startTime = new Date().getTime();
var twttr = {};
twttr.versionName = 'phoenix';
twttr.isT1 = true;
twttr.didPingKeynote = false;
twttr.keynoteTTFTPing = function() {
if (!twttr.didPingKeynote && window.location.href.indexOf('keynoteTest') > 0) {
var image = document.createElement('img');
image.src = '/images/keynote.gif';
twttr.didPingKeynote = true;
}
}
window.console||function(){var
a=["log","debug","info","warn","error","assert","dir","dirxml","group","groupEnd","time","t
imeEnd","count","trace","profile","profileEnd"];window.console={};for(var
b=0;b<a.length;++b)window.console[a[b]]=function(){}}();
</script>
…

27. c. Self-descriptive messages contains all the information
necessary to complete transformations.

28. GET /#!/jack/status/20 HTTP/1.1
User-Agent: Chrome/18.0.1025.11
Host: twitter.com
Accept: text/html

29. d. Hypermedia as the engine of application state

31. state state
transition transition
state
transition transition
state state

32. “ The name „Representational State Transfer‟ is intended
to evoke an image of how a well-designed Web
application behaves: a network of web pages (a virtual
state-machine), where the user progresses through the
application by selecting links (state transitions),
resulting in the next page (representing the next state of
the application) being transferred to the user and
rendered for their use.
-Roy Fielding
Architectural Styles and the
Design of Network-based Software Architectures
Chapter 6

33. States are web pages.

34. Transitions are hyperlinks.

35. The key to implementing HATEOAS is pretty simple

36. In each response message include the links for the next
request message.

37. REST Interface
App Browser App
UI Server
User App Developer

39. home connect discover search my profile direct messages
google: lists
jack‟s first favorite about
tweet
help
retweet
reply to keyboard
@jack shortcuts
turn off
retweets settings
report @jack
for spam sign out
add or remove
block @jack tweet to @jack Follow @jack @jack new tweet
from lists

40. 1 transition in, 32 transitions out

41. A quick aside

42. The three greatest inventions of all time are:

43. Bicycles

44. Beer

45. The Hyperlink

46. With a browser I can start at http://twitter.com

47. And navigate my way through every state of the entire
Twitter application.

48. It’s amazing!

49. HATEOAS is not scary.

51. HATEOAS is the key constraint that makes surfing the
web with a browser possible.

52. Let’s look at HATEOAS and APIs

53. With help from the Twitter API.

54. GET /1/statuses/show/20.json
HTTP/1.1
Host: api.twitter.com

55. {
"created_at": "Tue Mar 21 20:50:14 +0000 2006",
"id": 20,
"id_str": "20",
"text": "just setting up my twttr",
"source": "web",
"truncated": false,
"in_reply_to_status_id": null,
"in_reply_to_status_id_str": null,
"in_reply_to_user_id": null,
"in_reply_to_user_id_str": null,
"in_reply_to_screen_name": null,
"user": {
"id": 12,
"id_str": "12",
"name": "Jack Dorsey",
"screen_name": "jack",
"location": "San Francisco",
"description": "Executive Chairman of Twitter, CEO of Square, a founder of both.",
"url": null,
"protected": false,
"followers_count": 1935426,
"friends_count": 1148,
"listed_count": 17312,
"created_at": "Tue Mar 21 20:50:14 +0000 2006",
"favourites_count": 988,
"utc_offset": -28800,
"time_zone": "Pacific Time (US & Canada)",
"geo_enabled": true,
"verified": true,
"statuses_count": 10894,
"lang": "en",
"contributors_enabled": true,
"is_translator": false,
"profile_background_color": "EBEBEB",
"profile_background_image_url": "http://a0.twimg.com/images/themes/theme7/bg.gif",
"profile_background_image_url_https": "https://si0.twimg.com/images/themes/theme7/bg.gif",
"profile_background_tile": false,
"profile_image_url": "http://a0.twimg.com/profile_images/1563216547/image_normal.jpg",
"profile_image_url_https": "https://si0.twimg.com/profile_images/1563216547/image_normal.jpg",
"profile_link_color": "990000",
"profile_sidebar_border_color": "DFDFDF",
"profile_sidebar_fill_color": "F3F3F3",
"profile_text_color": "333333",
"profile_use_background_image": true,
"show_all_inline_media": true,
"default_profile": false,
"default_profile_image": false,
"following": null,
"follow_request_sent": null,
"notifications": null
},
"geo": null,
"coordinates": null,
"place": null,
"contributors": null,
"retweet_count": 5973,
"favorited": false,
"retweeted": false
}

56. Uh oh. There are zero hyperlinks.

57. How many should there be to respect the HATEOAS
constraint?

58. At least one.

59. {
"created_at": "Tue Mar 21 20:50:14 +0000 2006",
"id": 20,
"id_str": "20",
"text": "just setting up my twttr",
"source": "web",
"truncated": false,
"in_reply_to_status_id": null,
"in_reply_to_status_id_str": null,
"in_reply_to_user_id": null,
"in_reply_to_user_id_str": null,
"in_reply_to_screen_name": null,
"user": {
"id": 12,
"link": ”http://api.twitter.com/1/users/show.json?user_id=12",
"id_str": "12",
"name": "Jack Dorsey",
"screen_name": "jack",
"location": "San Francisco",
"description": "Executive Chairman of Twitter, CEO of Square, a founder of both.",
"url": null,
"protected": false,
"followers_count": 1935426,
"friends_count": 1148,
"listed_count": 17312,
"created_at": "Tue Mar 21 20:50:14 +0000 2006",
"favourites_count": 988,
"utc_offset": -28800,
"time_zone": "Pacific Time (US & Canada)",
"geo_enabled": true,
"verified": true,
"statuses_count": 10894,
"lang": "en",
"contributors_enabled": true,
"is_translator": false,
"profile_background_color": "EBEBEB",
"profile_background_image_url": "http://a0.twimg.com/images/themes/theme7/bg.gif",
"profile_background_image_url_https": "https://si0.twimg.com/images/themes/theme7/bg.gif",
"profile_background_tile": false,
"profile_image_url": "http://a0.twimg.com/profile_images/1563216547/image_normal.jpg",
"profile_image_url_https": "https://si0.twimg.com/profile_images/1563216547/image_normal.jpg",
"profile_link_color": "990000",
"profile_sidebar_border_color": "DFDFDF",
"profile_sidebar_fill_color": "F3F3F3",
"profile_text_color": "333333",
"profile_use_background_image": true,
"show_all_inline_media": true,
"default_profile": false,
"default_profile_image": false,
"following": null,
"follow_request_sent": null,
"notifications": null
},
"geo": null,
"coordinates": null,
"place": null,
"contributors": null,
"retweet_count": 5973,
"favorited": false,
"retweeted": false
}

60. A few questions.

61. Now are we HATEOAS compliant?

62. If we add another link does it change the consuming
application’s state machine?

63. Is it ok for the developer to ignore included links?

64. Can the developer add out-of-band links to her app?

65. What happens when an app relies on multiple APIs?
Where is the state machine?

66. If the Twitter API had complied with HATEOAS

67. When Loren Brichter

69. Created Tweetie

71. Would he have been able to decide which user actions to
include in his design?

73. Or would those decisions have been driven by the links in
the response from the Twitter API?

76. Nearly all popular web UIs adhere to HATEOAS.

77. Nearly all popular web APIs violate HATEOAS.

78. Why?

79. Let’s examine the two worlds.

80. I guarantee
hypermedia is
engine of app
I decide where state I craft the user
to click, aka experience, aka
change state. state diagram.
REST Interface
App Browser App
UI Server
User App Developer

81. The person who crafts the experience (state diagram)
and the app user have the REST interface between them.

82. And the hypermedia links are given directly to the app
user at runtime.

83. So the hypermedia in each response message is
genuinely the engine of application state.

84. This pattern is not limited to user interfaces.

85. We see the same pattern for syndication feeds.

86. I guarantee
hypermedia is
engine of app
state I craft stories,
I decide where
categories & related
to click, aka
media, aka state
change state.
diagram.
REST Interface
App Feed Reader Feed Content
User App Server Publisher

87. But the world of apps and web APIs seems different.

88. Interface
App
App 1
Developer 1
App API Server
App
User App 2
Developer 2
App
App 3
Developer 3

89. Interface
I craft the user experience,
I get no
aka state diagram.
App HATEOAS
App 1
I decide where Developer 1 respect.
to click, aka
change state.
App API Server
App
User App 2
Developer 2
App
App 3
Developer 3

90. The person who crafts the experience (state machine)
and the app user do not have the REST interface
between them.

91. And the hypermedia links are not given directly to the
app user at runtime.

92. Instead, the hypermedia are given to the developer at
design time.

93. And the developer decides which states are possible for
the app user at runtime.

94. We need a Yoda moment.

96. “ You must unlearn what you have learned.
-Yoda

97. I used to call the world of popular, non-HATEOAS, non-
SOAP web APIs, Pragmatic REST.

98. Oops.

99. How do we answer the questions many API teams are
asking

100. 1. Should we go down the HATEOAS path?

101. As a practical matter, for many teams that previous
question is the same as the next question.

102. 2. Should we include links in our responses?

103. But they have different answers.

104. 1. For an API to be HATEOAS-compliant it requires a
client app that is also HATEOAS-compliant.

105. A user-interface app driven by web APIs would be akin to
a feed reader for syndicated content.

106. But designed to handle generic web APIs.

107. I guarantee
hypermedia is
engine of app
I decide where state I craft a system of
to click, aka interrelated resources,
change state. aka state diagram.
REST Interface
App RESTful API API
API Server
User Client App Developer
?

108. Special thanks to @elasticpath for this metaphor.

109. There are interesting non-UI applications as well.

110. “ However, the style does not assume that all applications
are browsers. In fact, the application details are hidden
from the server by the generic connector interface, and
thus a user agent could equally be an automated robot
performing information retrieval for an indexing service,
a personal agent looking for data that matches certain
criteria, or a maintenance spider busy patrolling the
information for broken references or modified content
[39].
-Roy Fielding
Architectural Styles and the
Design of Network-based Software Architectures
Chapter 5

111. If you’re not going down the HATEOAS client path, should
you include links anyway?

112. 2. If you think including links in the API response will be
helpful for developers at design time, then go for it.

114. But I wouldn’t call it HATEOAS because those links are
probably not the engine of application state for the app
user at run time.

115. “ If the engine of application state (and hence the
API) is not being driven by hypertext, then it
cannot be RESTful and cannot be a REST API.
Period. Is there some broken manual
somewhere that needs to be fixed?
-Roy Fielding
“REST APIs must be hypertext-driven”
Untangled: Musings of Roy T. Fielding

117. Here’s a call to action

118. We know what REST with the HATEOAS constraint
is and isn’t.

119. We know what SOAP is and isn’t.

120. But we don’t have an intellectual framework for
the way so many popular apps and web APIs work
today.

121. We need a really smart person

122. Who cares about web APIs

123. To examine the constraints of REST

124. The Constraints of REST
1. Client-server
2. Stateless server
3. Cache
4. Uniform interface
a. Identification of resources
b. Manipulation of resources through representations
c. Self-descriptive messages
d. Hypermedia as the engine of application state
5. Layered System
6. Code-On-Demand (optional)

125. While keeping in mind how custom apps are built
by people using web APIs

126. Interface
App
App 1
Developer 1
App API Server
App
User App 2
Developer 2
App
App 3
Developer 3

127. To give us a new foundation

128. The Constraints of ____
1. ???
2. ???
3. ???
4. ???
5. ???
6. ???

129. So that we will have a better shared idea of what
we’re really doing

130. We will be able to communicate more effectively

131. And we will be able to create more value for the
planet and the people on it.

133. But please choose a nice, pronounceable acronym.

135. Further Exploring
• http://steveklabnik.com/
• http://pinboard.in/u:earth2marsh/t:hateoas/
• http://www.ics.uci.edu/~fielding/pubs/dissert
ation/top.htm
• http://martinfowler.com/articles/richardsonM
aturityModel.html
• http://timelessrepo.com/haters-gonna-
hateoas

136. Questions?

137. THANK YOU
Subscribe to API webinars at:
youtube.com/apigee

138. THANK YOU
IRC
#api-craft
on freenode

139. THANK YOU
Questions and ideas to:
groups.google.com/group/api-craft

140. THANK YOU
Contact me at:
@landlessness
brian@apigee.com