SlideShare a Scribd company logo

How to design a good REST API: Tools, techniques and best practices

WSO2
WSO2

Presentation from the roundtable discussion at INTERFACE by apidays

1 of 48
Download to read offline
How to design a good REST API: Tools, techniques and best practices July 01, 2020
Hello! Nuwan Dias Kavishka Fernando kavishka@wso2.com nuwand@wso2.com Presenter Moderator
● Data Model ● Resource Model ● Resource URIs ● Proper naming ● Versioning ● HTTP Methods ● Pagination ● Security ● REST API Specification formats ● Tools ● Async APIs AGENDA 3
The following major steps should be followed to create a RESTful API. 4
● The data model is an important source to determine an appropriate resource model. ● It is used to specify the properties of the resources manipulated by an API in an abstract manner. Data Model 5
The resource model specifies the resources that are processed by the API Resource Model 6 Atomic Resources The entities of the data model that are exchanged as a whole via the API. Eg: Customer details Collection Resources When atomic resources of the same type are grouped into a set. Eg: Collection of Products Collection of items Collection of customers Composite Resources Instances of groups of different entity types that are manipulated as a whole . Eg: Shopping cart Controller Resources If multiple resources have to be manipulated in a single API call in order to maintain data consistency. Eg: Deleting an individual item from the shopping cart one after the other
● The complete URI of an API complies to the following structure: {scheme}://{host}/{base-path}/{path}[?{query-string}] "https://petstore.swagger.io/v2/pet/1" ● scheme : the transport protocol supported by the API ● host: the domain of the API ● base path: the base-path of an API follows the structure, /{feature-code}/[ {sub-code}/ ]/{version} Resource URIs 7
● Atomic resources, collection resources and composite resources should be named as nouns because they represent "things", not "actions" ● Processing function resources and controller resources should be named as verbs because they in fact represent "actions". ● Processing function resources and controller resources should not be sub-resources of individual other resources. ⦿ They should not be named by means of a URI template ⦿ Individual resources become parameters. ● Lower case characters should be used in names only because the rules about which URI element names are case sensitive and which are not may cause confusion. Proper naming 8
● If multiple words are used to name a resource, these words should be separated by dashes (i.e. "-"). ⦿ Especially, no underscore (i.e. "_") should be used. ⦿ Similarly, camel case or other programming language related naming should be avoided. ● Singular nouns should be used for naming atomic resources. ● Names of collections should be "pluralized". ● Use forward slashes (i.e. "/") to specify hierarchical relations between resources. A forward slash will separate the names of the hierarchically structured resources. The parent name will immediately precede the name of its immediate children. Proper naming 9
● The version is specified as a pair of integers (separated by a dot) referred to as the major and the minor number of the version, preceded by the lower case letter "v". E.g: v2.1 Versioning 10 - a bug fix - a minor internal modification - newly added optional parameters - completely new request - new mandatory parameters have been added - former parameters have been dropped - complete former requests are no longer available.
● Best practice is to support the current major version as well as at least one major version back. ● When a client is using an API's URI with a version number no longer supported, the server has to respond with a response message that contains a Location header field with the URI of the latest version of the API: HTTP/1.1 301 Moved Permanently Location: Versioning 11
● A URI template is an element which contains strings in curly brackets. These strings are variables that must be substituted by values when such a URI template is used by a client. /shopping-carts/{shopping-cart-id}/{item-id}/product ● An optional query string is a part of the URI contributing to the unique identification of a resource {scheme}://{host}/{base-path}/{path}?{query-string} ● The query string consists of a sequence of name/value pairs that are separated by an "&" ● The name-string and the value-string are separated by a "=". https://petstore.swagger.io/v2/pet/find-by-status?status=available URI Templates 12
HTTP Methods 13
HTTP Methods 14 HTTP Method Usage GET Retrieving an atomic resource or a composite resource is done by performing a GET on the URI identifying the resource to be retrieved. PUT The body of the corresponding PUT message provides the modified but complete representation of a resource that will completely substitute the existing resource: Parts of the resource that have not changed must be included in the modified resource of the message body. POST The creation of new resource, and the initiation of functions, to interact with processing function resources as well as controller resource. DELETE A resource is deleted by means of the DELETE request on the URI of the resource.
Status Codes 15 Status code Message 200 OK The request has been performed successfully. 400 Bad Request The request is invalid. syntax errors in expressions passed with the request are found, values are out of range, required data is missing etc. 401 Unauthorized The request requires client authorization or the passed credentials are not accepted. The response must include a WWW-Authenticate header. 403 Forbidden The server understood the request but refused to perform it. 404 Not Found The requested entity does not exist. 406 Not Acceptable The requested media type is not supported. https://wso2.com/whitepapers/wso2-rest-apis-design-guidelines/#09
● It is often convenient to retrieve the large result sets in smaller chunks. ● The retrieval request specifies a query string containing an "offset" field as well as a "limit" field;. ⦿ offset - the position number of a qualified resource where the retrieval should start ⦿ limit - the maximum number of resources to be returned. ● The response message with the subset of the qualified resource returned should specify, ⦿ total number of all qualified resources ("count" field) ⦿ a link to the next chunk of qualified resources ("next" field) ⦿ a link to the previous chunk of qualified resources ("previous" field) Pagination 16
Example: GET /products?offset=42&limit=3 Response: HTTP/1.1 200 OK count=119 next={link-to-next-subset} previous={link-to-previous-subset} P42-details P43-details P44-details Pagination 17
● Resources should be accessible based on a properly designed permission model to prevent misuse of APIs. ● Different resources are protected by different permissions and these permissions may change. ● To support this, REST APIs need to support extensible security mechanisms like ⦿ Authentication (who are you) ⦾ HTTP Basic Authentication ⧁ Username/password auth. More suitable for internal/B2B APIs. ⦾ API Keys ⧁ One time API Key. More suitable for B2B APIs. ⦾ OAuth2.0 (Open Authentication) ⧁ The de-facto security for REST APIs. Supports a wide range of grant types covering many application types. ⦿ Authorization (what can you do) ⦾ OAuth2.0 scopes ⦾ XACML (eXtensible Access Control Markup Language). ⦾ OPA (Open Policy Agent) Security 18
● Open API Specification - JSON with YAML compatibility (best for request/response model) ● RAML - is strictly YAML in representation ● WADL - uses XML ● API Blueprint - uses Markdown as it’s format ● Slate REST API Specification Formats 19
● Swagger API tools https://swagger.io/tools/ ● Stoplight https://stoplight.io/ ● OData Open API https://github.com/oasis-tcs/odata-openapi ● Oas-tools https://github.com/isa-group/oas-tools ● OAS RAML Converter https://mulesoft.github.io/oas-raml-converter/ For more Tools check : https://openapi.tools/ Tools 20
● Event-driven APIs enable apps to integrate many products and services based on equivalence around event-driven interactions. ● AsyncAPI specification is used to design and develop event driven APIs like Kafka, WebSockets, etc. ● It was created to serve as a common unifying language for the diverse formats, protocols, and specifications, allowing for standardized communication in the message-driven system. Event-driven APIs - Async APIs 21
REST API Design Guidelines Fore more information on how to design a good REST API, see https://wso2.com/whitepapers/wso2-rest-apis-design-guidelines/
Thanks!
APPENDIX July 01, 2020
Status Codes 25 Status code Message 200 OK The request has been performed successfully. 201 Created The request has been performed successfully. The URL of the newly created entity is contained in the Location header of the response. An ETag header should be returned with the current entity tag of the resource just created 202 Accepted The processing of the request has started but will take some time. The body of the response message should provide information about the current state of the processing,as well as information about where the client can request updated status information at a later point in time 303 See Other The response of the request is available at a different URL; this URL is given as value of the Location header of the response message 304 Not Modified The requesting client has already received the latest version of the requested resource.
Status Codes 26 Status code Message 400 Bad Request The request is invalid. syntax errors in expressions passed with the request are found, values are out of range, required data is missing etc. 401 Unauthorized The request requires client authorization or the passed credentials are not accepted. The response must include a WWW-Authenticate header. 403 Forbidden The server understood the request but refused to perform it. 404 Not Found The requested entity does not exist. 406 Not Acceptable The requested media type is not supported. 412 Precondition Failed The request has not been performed because one of the preconditions has not been met. 415 Unsupported Media Type The entity passed by the request was in a format that is not supported.
● A query on a collection resource consists of three artifacts: ⦿ a mandatory filter condition ⦿ an optional sort expression ⦿ an optional projection ● Filter condition ⦿ Is a boolean expression of attributes ⦿ The spectrum of filter conditions is from simple (supporting to specify a single attribute name with a value being compared for equality) to complex (arbitrary conditions and arbitrary comparison operators). Example of a complex query: filter=((price > 1000 AND status = on-stock) OR (price < 200 AND NOT(status = on-stock))) Queries 27
● Sort expression ⦿ consists of a list of attribute names together with the indication for each attribute name whether the result is to be sorted ascending or descending. ⦿ The order in which the result is sorted is implied by the order of the list of attribute names. Example: sort=(price ASC, delivery-date DESC) ● Projection ⦿ A list of attribute names that have to be used to create each item in the result set. ⦿ Each specified attribute name is used to extract the corresponding information from each resource and compile a corresponding item in the result set. Example: projection=price,color,status Queries 28
● There are two ways to enable queries on collections: ⦿ part of the query string of the URI used by a GET GET /products?status=on-stock&sortAsc=price&projection=price,color,status HTTP/1.1 This is preferred because a GET is used with this URI, clearly expressing the semantics of the request namely retrieving a subset of the collection ⦿ the query is passed in the body of a POST request of a special processing function resource. POST /product-search HTTP/1.1 filter=((price > 1000 AND status = on-stock) OR (price < 200 AND NOT(status = on-stock))) sort=(price ASC, delivery-date DESC) projection=price,color,status When queries may become complex where the maximum length may be exceeded, the use of a POST request that contains the (complex) query in the request body is enforced Queries 29
● Requests may take too long to return the response synchronously, Long Running Requests 30 ● "202 Accepted" status code specifies that the request is accepted but will be processed asynchronously. ● The task resource says that the request is running and gives an estimated completion time. ● In succeeding requests, the client will retrieve the actual task resource via the URI value of the Content-Location header field: GET /apply/tasks/1 HTTP/1.1 Host: www.shark-credits.com
"200 OK" - means that the retrieval of the task resource was successful note especially that this does not indicate that the long running request completed successfully: Long Running Requests 31
● "303 See Other" specifies that a new resource has been created with the URI with the value of the Location header field. ● This is the URI of the result of the long running request. ● The task resource now reports in its state field that the long request succeeded successfully. Long Running Requests 32 After some time, the long running request will have completed, i.e. the GET request above will receive the following response:
● the retrieval of the task resource will succeed with a "200 OK" status code, ● the task resource's status will report that the long running request completed but was not successful. ● Note: the status code of the response of the retrieval of the task resource is not related to the status of the long running request at all. Long Running Requests 33 If the long running request fails,
● It assumes that a server processing a request determines the representation best suited to the requesting client. ● The server is dependent on the requesting client to specify information about its processing capabilities or requirements. ● It is done by means of header fields of the request message like Accept, AcceptEncoding etc. Server-driven Content Negotiation 34 Advantage Disadvantage Avoiding a second request to be made by the client Potentially responding a representation to the client that is not ideally suited
● The server detects that it has more than one representation of a resource available that may serve the client's needs. ● The server responds to the request with a "300 Multiple Choices" message that carries information about the representations available, ● The client finally selects one of these representations and explicitly requests it in a following request. Client-driven Content Negotiation 35 Advantage Disadvantage The client gets the representation that is best suited for it. Two round-trips.
● The client specifies that it is able to process JSON, XML as well as plain text, but that it prefers JSON. ● The preferences in media types is specified by weighting a media type by a quality value q. ● The server will determine which of the representations it has available and will return the one with the highest quality value. ● Example: GET /products/27182 Accept: application/json;q=0.9, application/xml;q=0.6, text/plain;q=0.1 ● In case the server does not have a client specified representation, it will respond with a message returning a corresponding status code: HTTP/1.1 406 Not acceptable 36
● Multiple clients interacting with the same resource may cause concurrency conflicts like lost updates. ● Pessimistic concurrency control mechanisms ⦿ avoid conflicts in advance by locking resources ⦿ used if the probability for conflicts is high ● Optimistic concurrency control ⦿ avoids conflicts by detecting conflicts and signaling them to clients that may retry their requests ⦿ used if the probability for conflicts is low. ● Many concurrent interactions in REST-based APIs can be handled by optimistic concurrency control. Concurrency Control 37
● For this purpose, requests are sent as conditional requests. ● A conditional request specifies the If-Match or If-Unmodified-Since header in the request. ● When performing the conditional request, the API implementation has to compare the value(s) passed by the client in the request with the corresponding values of the current resource as stored by the origin server. ● If the values have been changed, the request is rejected (response code "412 Precondition Failed"); otherwise, the request is executed. Example: PUT /products/31415 If-Match: "42049dcaf450987cffd" If-Unmodified-Since: Thu, 7 Jan 2016 17:41 CET Response: HTTP/1.1 412 Precondition Failed Concurrency Control 38
● Even with PATCH, special care must be taken with respect to lost updates: ⦿ If concurrent PATCHes are to be supported, concurrency control must be implemented as a conditional request. ● Following pattern may be used to realize partial updates without using processing function resources: ⦿ a client has to GET the resource to be updated ⦿ apply the partial updates locally ⦿ then send a conditional PUT with the complete resource to the server. Concurrency Control 39
● A client may cache resources as well as header fields of resources to reduce transfer of data that has not been changed since its last retrieval. ● For this purpose, a client uses a conditional request to retrieve data. ● Such a conditional request specifies the If-None-Match or the If-Modified-Since headers in the request. ⦿ If-None-Match - the value of the ETag header of the resource as retrieved last time by the requesting client. ⦿ If-Modified-Since - the value of the Last-Modified header of the resource as retrieved last time by the requesting client. ● When performing the conditional request, the API implementation has to compare the value(s) passed by the client in the request with the corresponding values of the current resource as stored by the server. Client-Side Caching 40
● If the values have not changed, the resource is not returned (response code "304 Not Modified"); otherwise, the resource is returned. Example: GET /products/31415 If-None-Match: "42049dcaf450987cffd" If-Modified-Since: Thu, 7 Jan 2016 17:41 CET Response: HTTP/1.1 304 Not Modified Client-Side Caching 41
● When a 4xx status code is returned, a client error has been detected. ● Detailed error information should be returned in the body of the response message. Reporting Errors 42
● If more than one error occurred, each error is reported as an element of the following array that is part of the error object before. Reporting Errors 43
● HTTP Basic Authentication is unsecure. (credentials are in clear text, i.e. it is Base64 encoded, which can be immediately translated into clear text) ● HTTP Basic Authentication is only viable over HTTPS. ● HTTP Digest encoding is more secure but is subject to a "man-in-the-middle-attack". ● By using HTTPS, this is avoided. ● HTTP security mechanisms are only acceptable for non-critical APIs, for requests that generate more secure access tokens. Basic Authentication 44
● A unique generated value is assigned to each first time user, signifying that the user is known. ● If an API is limited specifically in functionality where “read” is the only possible command, an API Key can be an adequate solution. ● API Key is not very secure because anyone who makes a request transmits their key. This key can be picked up just as easy as any network transmission, and if any point in the entire network is insecure, the entire network is exposed. API Keys 45
● OAuth is the best choice for identifying personal user accounts and granting proper permissions. ● The likelihood of possible attacks of HTTP Basic or Digest Authentication is reduced by using OAuth tokens. ● A set of scopes needs to be designed that protects individual processing function resources, collection resources, or the ability to create or delete resource. ● Although OAuth has been proposed as a mechanism over HTTP, it should be used over HTTPS to increase security. Open Authorization (OAuth) 46
● A more fine-grained control of access to resources is supported by XACML but XACML is considered quite complex in practice ● XACML is an attribute-based access control (ABAC) mechanism. ● Example: If a user is allowed to login to a system during a specific time this requirement can;t be achieved by OAuth alone a policy needs to be enforced. So we can use XACML eXtensible Access Control Markup Language (XACML) 47
● You can use OPA to enforce policies in microservices, Kubernetes, CI/CD pipelines, API gateways, and more. ● OPA generates policy decisions by evaluating the query input and against policies and data. ● Policy decisions are not limited to simple yes/no or allow/deny answers. Like query inputs, your policies can generate arbitrary structured data as output. Open Policy Agent (OPA) 48

Recommended

RESTful API - Best Practices
RESTful API - Best PracticesRESTful API - Best Practices
RESTful API - Best Practices
Tricode (part of Dept)
 
Dynamic components using SPA concepts in AEM
Dynamic components using SPA concepts in AEMDynamic components using SPA concepts in AEM
Dynamic components using SPA concepts in AEM
Bojana Popovska
 
Dynamic Components using Single-Page-Application Concepts in AEM/CQ
Dynamic Components using Single-Page-Application Concepts in AEM/CQDynamic Components using Single-Page-Application Concepts in AEM/CQ
Dynamic Components using Single-Page-Application Concepts in AEM/CQ
Netcetera
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Anil Saldanha
 
FIWARE Generic Enablers introduction
FIWARE Generic Enablers introductionFIWARE Generic Enablers introduction
FIWARE Generic Enablers introduction
Miguel García González
 
Rest api and-crud-api
Rest api and-crud-apiRest api and-crud-api
Rest api and-crud-api
F(x) Data Labs Pvt Ltd
 
Session 3 - i4Trust components for Identity Management and Access Control i4T...
Session 3 - i4Trust components for Identity Management and Access Control i4T...Session 3 - i4Trust components for Identity Management and Access Control i4T...
Session 3 - i4Trust components for Identity Management and Access Control i4T...
FIWARE
 
Integrating Fiware Orion, Keyrock and Wilma
Integrating Fiware Orion, Keyrock and WilmaIntegrating Fiware Orion, Keyrock and Wilma
Integrating Fiware Orion, Keyrock and Wilma
Dalton Valadares
 

Recommended

RESTful API - Best Practices
RESTful API - Best PracticesRESTful API - Best Practices
RESTful API - Best Practices
Tricode (part of Dept)
 
Dynamic components using SPA concepts in AEM
Dynamic components using SPA concepts in AEMDynamic components using SPA concepts in AEM
Dynamic components using SPA concepts in AEM
Bojana Popovska
 
Dynamic Components using Single-Page-Application Concepts in AEM/CQ
Dynamic Components using Single-Page-Application Concepts in AEM/CQDynamic Components using Single-Page-Application Concepts in AEM/CQ
Dynamic Components using Single-Page-Application Concepts in AEM/CQ
Netcetera
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Anil Saldanha
 
FIWARE Generic Enablers introduction
FIWARE Generic Enablers introductionFIWARE Generic Enablers introduction
FIWARE Generic Enablers introduction
Miguel García González
 
Rest api and-crud-api
Rest api and-crud-apiRest api and-crud-api
Rest api and-crud-api
F(x) Data Labs Pvt Ltd
 
Session 3 - i4Trust components for Identity Management and Access Control i4T...
Session 3 - i4Trust components for Identity Management and Access Control i4T...Session 3 - i4Trust components for Identity Management and Access Control i4T...
Session 3 - i4Trust components for Identity Management and Access Control i4T...
FIWARE
 
Integrating Fiware Orion, Keyrock and Wilma
Integrating Fiware Orion, Keyrock and WilmaIntegrating Fiware Orion, Keyrock and Wilma
Integrating Fiware Orion, Keyrock and Wilma
Dalton Valadares
 
FIWARE Global Summit - NGSI-LD – an Evolution from NGSIv2
FIWARE Global Summit - NGSI-LD – an Evolution from NGSIv2FIWARE Global Summit - NGSI-LD – an Evolution from NGSIv2
FIWARE Global Summit - NGSI-LD – an Evolution from NGSIv2
FIWARE
 
Odoo Web Services
Odoo Web ServicesOdoo Web Services
Odoo Web Services
Celine George
 
INTRODUCTION TO IIS
INTRODUCTION TO IISINTRODUCTION TO IIS
INTRODUCTION TO IIS
sanya6900
 
FIWARE Training: FIWARE Training: i4Trust Marketplace
FIWARE Training: FIWARE Training: i4Trust MarketplaceFIWARE Training: FIWARE Training: i4Trust Marketplace
FIWARE Training: FIWARE Training: i4Trust Marketplace
FIWARE
 
VueJS: The Simple Revolution
VueJS: The Simple RevolutionVueJS: The Simple Revolution
VueJS: The Simple Revolution
Rafael Casuso Romate
 
FIWARE Training: NGSI-LD Advanced Operations
FIWARE Training: NGSI-LD Advanced OperationsFIWARE Training: NGSI-LD Advanced Operations
FIWARE Training: NGSI-LD Advanced Operations
FIWARE
 
[React Native Tutorial] Lecture 7: Navigation - Scene Transition - ListView
[React Native Tutorial] Lecture 7: Navigation - Scene Transition - ListView[React Native Tutorial] Lecture 7: Navigation - Scene Transition - ListView
[React Native Tutorial] Lecture 7: Navigation - Scene Transition - ListView
Kobkrit Viriyayudhakorn
 
Introduction to Kubernetes with demo
Introduction to Kubernetes with demoIntroduction to Kubernetes with demo
Introduction to Kubernetes with demo
Opsta
 
API for Beginners
API for BeginnersAPI for Beginners
API for Beginners
Sébastien Saunier
 
Orion Context Broker 1.15.0
Orion Context Broker 1.15.0Orion Context Broker 1.15.0
Orion Context Broker 1.15.0
Fermin Galan
 
Deployment Patterns of WSO2 Identity Server
Deployment Patterns of WSO2 Identity ServerDeployment Patterns of WSO2 Identity Server
Deployment Patterns of WSO2 Identity Server
MifrazMurthaja
 
Introduction Django
Introduction DjangoIntroduction Django
Introduction Django
Wade Austin
 
FIWARE Global Summit - NGSI-LD - NGSI with Linked Data
FIWARE Global Summit - NGSI-LD - NGSI with Linked DataFIWARE Global Summit - NGSI-LD - NGSI with Linked Data
FIWARE Global Summit - NGSI-LD - NGSI with Linked Data
FIWARE
 
Introduction to REST - API
Introduction to REST - APIIntroduction to REST - API
Introduction to REST - API
Chetan Gadodia
 
Session 5 - NGSI-LD Advanced Operations | Train the Trainers Program
Session 5 - NGSI-LD Advanced Operations | Train the Trainers ProgramSession 5 - NGSI-LD Advanced Operations | Train the Trainers Program
Session 5 - NGSI-LD Advanced Operations | Train the Trainers Program
FIWARE
 
Big Data and Machine Learning with FIWARE
Big Data and Machine Learning with FIWAREBig Data and Machine Learning with FIWARE
Big Data and Machine Learning with FIWARE
Fernando Lopez Aguilar
 
Kong API Gateway
Kong API Gateway Kong API Gateway
Kong API Gateway
Chris Mague
 
Sling models by Justin Edelson
Sling models by Justin Edelson Sling models by Justin Edelson
Sling models by Justin Edelson AEM HUB
 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & Development
Ashok Pundit
 
AEM Best Practices for Component Development
AEM Best Practices for Component DevelopmentAEM Best Practices for Component Development
AEM Best Practices for Component Development
Gabriel Walt
 
Best Practices in Api Design
Best Practices in Api DesignBest Practices in Api Design
Best Practices in Api Design
Muhammad Aamir ...
 
Standards of rest api
Standards of rest apiStandards of rest api
Standards of rest api
Maýur Chourasiya
 

More Related Content

What's hot

FIWARE Global Summit - NGSI-LD – an Evolution from NGSIv2
FIWARE Global Summit - NGSI-LD – an Evolution from NGSIv2FIWARE Global Summit - NGSI-LD – an Evolution from NGSIv2
FIWARE Global Summit - NGSI-LD – an Evolution from NGSIv2
FIWARE
 
Odoo Web Services
Odoo Web ServicesOdoo Web Services
Odoo Web Services
Celine George
 
INTRODUCTION TO IIS
INTRODUCTION TO IISINTRODUCTION TO IIS
INTRODUCTION TO IIS
sanya6900
 
FIWARE Training: FIWARE Training: i4Trust Marketplace
FIWARE Training: FIWARE Training: i4Trust MarketplaceFIWARE Training: FIWARE Training: i4Trust Marketplace
FIWARE Training: FIWARE Training: i4Trust Marketplace
FIWARE
 
VueJS: The Simple Revolution
VueJS: The Simple RevolutionVueJS: The Simple Revolution
VueJS: The Simple Revolution
Rafael Casuso Romate
 
FIWARE Training: NGSI-LD Advanced Operations
FIWARE Training: NGSI-LD Advanced OperationsFIWARE Training: NGSI-LD Advanced Operations
FIWARE Training: NGSI-LD Advanced Operations
FIWARE
 
[React Native Tutorial] Lecture 7: Navigation - Scene Transition - ListView
[React Native Tutorial] Lecture 7: Navigation - Scene Transition - ListView[React Native Tutorial] Lecture 7: Navigation - Scene Transition - ListView
[React Native Tutorial] Lecture 7: Navigation - Scene Transition - ListView
Kobkrit Viriyayudhakorn
 
Introduction to Kubernetes with demo
Introduction to Kubernetes with demoIntroduction to Kubernetes with demo
Introduction to Kubernetes with demo
Opsta
 
API for Beginners
API for BeginnersAPI for Beginners
API for Beginners
Sébastien Saunier
 
Orion Context Broker 1.15.0
Orion Context Broker 1.15.0Orion Context Broker 1.15.0
Orion Context Broker 1.15.0
Fermin Galan
 
Deployment Patterns of WSO2 Identity Server
Deployment Patterns of WSO2 Identity ServerDeployment Patterns of WSO2 Identity Server
Deployment Patterns of WSO2 Identity Server
MifrazMurthaja
 
Introduction Django
Introduction DjangoIntroduction Django
Introduction Django
Wade Austin
 
FIWARE Global Summit - NGSI-LD - NGSI with Linked Data
FIWARE Global Summit - NGSI-LD - NGSI with Linked DataFIWARE Global Summit - NGSI-LD - NGSI with Linked Data
FIWARE Global Summit - NGSI-LD - NGSI with Linked Data
FIWARE
 
Introduction to REST - API
Introduction to REST - APIIntroduction to REST - API
Introduction to REST - API
Chetan Gadodia
 
Session 5 - NGSI-LD Advanced Operations | Train the Trainers Program
Session 5 - NGSI-LD Advanced Operations | Train the Trainers ProgramSession 5 - NGSI-LD Advanced Operations | Train the Trainers Program
Session 5 - NGSI-LD Advanced Operations | Train the Trainers Program
FIWARE
 
Big Data and Machine Learning with FIWARE
Big Data and Machine Learning with FIWAREBig Data and Machine Learning with FIWARE
Big Data and Machine Learning with FIWARE
Fernando Lopez Aguilar
 
Kong API Gateway
Kong API Gateway Kong API Gateway
Kong API Gateway
Chris Mague
 
Sling models by Justin Edelson
Sling models by Justin Edelson Sling models by Justin Edelson
Sling models by Justin Edelson AEM HUB
 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & Development
Ashok Pundit
 
AEM Best Practices for Component Development
AEM Best Practices for Component DevelopmentAEM Best Practices for Component Development
AEM Best Practices for Component Development
Gabriel Walt
 

What's hot (20)

FIWARE Global Summit - NGSI-LD – an Evolution from NGSIv2
FIWARE Global Summit - NGSI-LD – an Evolution from NGSIv2FIWARE Global Summit - NGSI-LD – an Evolution from NGSIv2
FIWARE Global Summit - NGSI-LD – an Evolution from NGSIv2
 
Odoo Web Services
Odoo Web ServicesOdoo Web Services
Odoo Web Services
 
INTRODUCTION TO IIS
INTRODUCTION TO IISINTRODUCTION TO IIS
INTRODUCTION TO IIS
 
FIWARE Training: FIWARE Training: i4Trust Marketplace
FIWARE Training: FIWARE Training: i4Trust MarketplaceFIWARE Training: FIWARE Training: i4Trust Marketplace
FIWARE Training: FIWARE Training: i4Trust Marketplace
 
VueJS: The Simple Revolution
VueJS: The Simple RevolutionVueJS: The Simple Revolution
VueJS: The Simple Revolution
 
FIWARE Training: NGSI-LD Advanced Operations
FIWARE Training: NGSI-LD Advanced OperationsFIWARE Training: NGSI-LD Advanced Operations
FIWARE Training: NGSI-LD Advanced Operations
 
[React Native Tutorial] Lecture 7: Navigation - Scene Transition - ListView
[React Native Tutorial] Lecture 7: Navigation - Scene Transition - ListView[React Native Tutorial] Lecture 7: Navigation - Scene Transition - ListView
[React Native Tutorial] Lecture 7: Navigation - Scene Transition - ListView
 
Introduction to Kubernetes with demo
Introduction to Kubernetes with demoIntroduction to Kubernetes with demo
Introduction to Kubernetes with demo
 
API for Beginners
API for BeginnersAPI for Beginners
API for Beginners
 
Orion Context Broker 1.15.0
Orion Context Broker 1.15.0Orion Context Broker 1.15.0
Orion Context Broker 1.15.0
 
Deployment Patterns of WSO2 Identity Server
Deployment Patterns of WSO2 Identity ServerDeployment Patterns of WSO2 Identity Server
Deployment Patterns of WSO2 Identity Server
 
Introduction Django
Introduction DjangoIntroduction Django
Introduction Django
 
FIWARE Global Summit - NGSI-LD - NGSI with Linked Data
FIWARE Global Summit - NGSI-LD - NGSI with Linked DataFIWARE Global Summit - NGSI-LD - NGSI with Linked Data
FIWARE Global Summit - NGSI-LD - NGSI with Linked Data
 
Introduction to REST - API
Introduction to REST - APIIntroduction to REST - API
Introduction to REST - API
 
Session 5 - NGSI-LD Advanced Operations | Train the Trainers Program
Session 5 - NGSI-LD Advanced Operations | Train the Trainers ProgramSession 5 - NGSI-LD Advanced Operations | Train the Trainers Program
Session 5 - NGSI-LD Advanced Operations | Train the Trainers Program
 
Big Data and Machine Learning with FIWARE
Big Data and Machine Learning with FIWAREBig Data and Machine Learning with FIWARE
Big Data and Machine Learning with FIWARE
 
Kong API Gateway
Kong API Gateway Kong API Gateway
Kong API Gateway
 
Sling models by Justin Edelson
Sling models by Justin Edelson Sling models by Justin Edelson
Sling models by Justin Edelson
 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & Development
 
AEM Best Practices for Component Development
AEM Best Practices for Component DevelopmentAEM Best Practices for Component Development
AEM Best Practices for Component Development
 

Similar to How to design a good REST API: Tools, techniques and best practices

Best Practices in Api Design
Best Practices in Api DesignBest Practices in Api Design
Best Practices in Api Design
Muhammad Aamir ...
 
Standards of rest api
Standards of rest apiStandards of rest api
Standards of rest api
Maýur Chourasiya
 
A Deep Dive into RESTful API Design Part 2
A Deep Dive into RESTful API Design Part 2A Deep Dive into RESTful API Design Part 2
A Deep Dive into RESTful API Design Part 2
VivekKrishna34
 
Restful webservice
Restful webserviceRestful webservice
Restful webservice
Dong Ngoc
 
Best Practices for Architecting a Pragmatic Web API.
Best Practices for Architecting a Pragmatic Web API.Best Practices for Architecting a Pragmatic Web API.
Best Practices for Architecting a Pragmatic Web API.
Mario Cardinal
 
Creating a RESTful api without losing too much sleep
Creating a RESTful api without losing too much sleepCreating a RESTful api without losing too much sleep
Creating a RESTful api without losing too much sleep
Mike Anderson
 
Api design and development
Api design and developmentApi design and development
Api design and development
oquidave
 
JAX-RS. Developing RESTful APIs with Java
JAX-RS. Developing RESTful APIs with JavaJAX-RS. Developing RESTful APIs with Java
JAX-RS. Developing RESTful APIs with Java
Jerry Kurian
 
Modern REST API design principles and rules.pdf
Modern REST API design principles and rules.pdfModern REST API design principles and rules.pdf
Modern REST API design principles and rules.pdf
Aparna Sharma
 
Rest Webservice
Rest WebserviceRest Webservice
Rest Webservice
Viyaan Jhiingade
 
API_Design_Rest_Princple.pdf
API_Design_Rest_Princple.pdfAPI_Design_Rest_Princple.pdf
API_Design_Rest_Princple.pdf
Huan Le Trong
 
6 Months Industrial Training in Spring Framework
6 Months Industrial Training in Spring Framework6 Months Industrial Training in Spring Framework
6 Months Industrial Training in Spring Framework
Arcadian Learning
 
Modern REST API design principles and rules.pdf
Modern REST API design principles and rules.pdfModern REST API design principles and rules.pdf
Modern REST API design principles and rules.pdf
Aparna Sharma
 
Api wiki · git hub
Api wiki · git hubApi wiki · git hub
Api wiki · git hub
Ferry Irawan
 
MuleSoft Surat Virtual Meetup#21 - MuleSoft API and RAML Design Best Practice...
MuleSoft Surat Virtual Meetup#21 - MuleSoft API and RAML Design Best Practice...MuleSoft Surat Virtual Meetup#21 - MuleSoft API and RAML Design Best Practice...
MuleSoft Surat Virtual Meetup#21 - MuleSoft API and RAML Design Best Practice...
Jitendra Bafna
 
Rest and Sling Resolution
Rest and Sling ResolutionRest and Sling Resolution
Rest and Sling ResolutionDEEPAK KHETAWAT
 
Lunacloud's Compute RESTful API - Programmer's Guide
Lunacloud's Compute RESTful API - Programmer's GuideLunacloud's Compute RESTful API - Programmer's Guide
Lunacloud's Compute RESTful API - Programmer's Guide
Lunacloud
 
Building RESTful applications using Spring MVC
Building RESTful applications using Spring MVCBuilding RESTful applications using Spring MVC
Building RESTful applications using Spring MVC
IndicThreads
 

Similar to How to design a good REST API: Tools, techniques and best practices (20)

Best Practices in Api Design
Best Practices in Api DesignBest Practices in Api Design
Best Practices in Api Design
 
Standards of rest api
Standards of rest apiStandards of rest api
Standards of rest api
 
A Deep Dive into RESTful API Design Part 2
A Deep Dive into RESTful API Design Part 2A Deep Dive into RESTful API Design Part 2
A Deep Dive into RESTful API Design Part 2
 
Restful webservice
Restful webserviceRestful webservice
Restful webservice
 
ReSTful API Final
ReSTful API FinalReSTful API Final
ReSTful API Final
 
Best Practices for Architecting a Pragmatic Web API.
Best Practices for Architecting a Pragmatic Web API.Best Practices for Architecting a Pragmatic Web API.
Best Practices for Architecting a Pragmatic Web API.
 
Creating a RESTful api without losing too much sleep
Creating a RESTful api without losing too much sleepCreating a RESTful api without losing too much sleep
Creating a RESTful api without losing too much sleep
 
Api design and development
Api design and developmentApi design and development
Api design and development
 
JAX-RS. Developing RESTful APIs with Java
JAX-RS. Developing RESTful APIs with JavaJAX-RS. Developing RESTful APIs with Java
JAX-RS. Developing RESTful APIs with Java
 
Modern REST API design principles and rules.pdf
Modern REST API design principles and rules.pdfModern REST API design principles and rules.pdf
Modern REST API design principles and rules.pdf
 
Rest Webservice
Rest WebserviceRest Webservice
Rest Webservice
 
API_Design_Rest_Princple.pdf
API_Design_Rest_Princple.pdfAPI_Design_Rest_Princple.pdf
API_Design_Rest_Princple.pdf
 
6 Months Industrial Training in Spring Framework
6 Months Industrial Training in Spring Framework6 Months Industrial Training in Spring Framework
6 Months Industrial Training in Spring Framework
 
Modern REST API design principles and rules.pdf
Modern REST API design principles and rules.pdfModern REST API design principles and rules.pdf
Modern REST API design principles and rules.pdf
 
Api wiki · git hub
Api wiki · git hubApi wiki · git hub
Api wiki · git hub
 
MuleSoft Surat Virtual Meetup#21 - MuleSoft API and RAML Design Best Practice...
MuleSoft Surat Virtual Meetup#21 - MuleSoft API and RAML Design Best Practice...MuleSoft Surat Virtual Meetup#21 - MuleSoft API and RAML Design Best Practice...
MuleSoft Surat Virtual Meetup#21 - MuleSoft API and RAML Design Best Practice...
 
Web Scraping with PHP
Web Scraping with PHPWeb Scraping with PHP
Web Scraping with PHP
 
Rest and Sling Resolution
Rest and Sling ResolutionRest and Sling Resolution
Rest and Sling Resolution
 
Lunacloud's Compute RESTful API - Programmer's Guide
Lunacloud's Compute RESTful API - Programmer's GuideLunacloud's Compute RESTful API - Programmer's Guide
Lunacloud's Compute RESTful API - Programmer's Guide
 
Building RESTful applications using Spring MVC
Building RESTful applications using Spring MVCBuilding RESTful applications using Spring MVC
Building RESTful applications using Spring MVC
 

More from WSO2

Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
WSO2
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2
 
architecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdfarchitecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdf
WSO2
 
Driving Innovation: Scania's API Revolution with WSO2
Driving Innovation: Scania's API Revolution with WSO2Driving Innovation: Scania's API Revolution with WSO2
Driving Innovation: Scania's API Revolution with WSO2
WSO2
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
WSO2
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using Ballerina
WSO2
 
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2
 
WSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AIWSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AI
WSO2
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
WSO2
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation Computing
WSO2
 
WSO2CON 2024 - Elevating the Integration Game to the Cloud
WSO2CON 2024 - Elevating the Integration Game to the CloudWSO2CON 2024 - Elevating the Integration Game to the Cloud
WSO2CON 2024 - Elevating the Integration Game to the Cloud
WSO2
 
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & InnovationWSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
WSO2
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaS
WSO2
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
WSO2
 
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2
 
WSO2CON 2024 - Software Engineering for Digital Businesses
WSO2CON 2024 - Software Engineering for Digital BusinessesWSO2CON 2024 - Software Engineering for Digital Businesses
WSO2CON 2024 - Software Engineering for Digital Businesses
WSO2
 
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2
 
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of TransformationWSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2
 

More from WSO2 (20)

Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
architecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdfarchitecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdf
 
Driving Innovation: Scania's API Revolution with WSO2
Driving Innovation: Scania's API Revolution with WSO2Driving Innovation: Scania's API Revolution with WSO2
Driving Innovation: Scania's API Revolution with WSO2
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using Ballerina
 
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
 
WSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AIWSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AI
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation Computing
 
WSO2CON 2024 - Elevating the Integration Game to the Cloud
WSO2CON 2024 - Elevating the Integration Game to the CloudWSO2CON 2024 - Elevating the Integration Game to the Cloud
WSO2CON 2024 - Elevating the Integration Game to the Cloud
 
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & InnovationWSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaS
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
 
WSO2CON 2024 - Software Engineering for Digital Businesses
WSO2CON 2024 - Software Engineering for Digital BusinessesWSO2CON 2024 - Software Engineering for Digital Businesses
WSO2CON 2024 - Software Engineering for Digital Businesses
 
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
 
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of TransformationWSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
 

Recently uploaded

Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
Abida Shariff
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 

Recently uploaded (20)

Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 

How to design a good REST API: Tools, techniques and best practices

  • 1. How to design a good REST API: Tools, techniques and best practices July 01, 2020
  • 3. ● Data Model ● Resource Model ● Resource URIs ● Proper naming ● Versioning ● HTTP Methods ● Pagination ● Security ● REST API Specification formats ● Tools ● Async APIs AGENDA 3
  • 4. The following major steps should be followed to create a RESTful API. 4
  • 5. ● The data model is an important source to determine an appropriate resource model. ● It is used to specify the properties of the resources manipulated by an API in an abstract manner. Data Model 5
  • 6. The resource model specifies the resources that are processed by the API Resource Model 6 Atomic Resources The entities of the data model that are exchanged as a whole via the API. Eg: Customer details Collection Resources When atomic resources of the same type are grouped into a set. Eg: Collection of Products Collection of items Collection of customers Composite Resources Instances of groups of different entity types that are manipulated as a whole . Eg: Shopping cart Controller Resources If multiple resources have to be manipulated in a single API call in order to maintain data consistency. Eg: Deleting an individual item from the shopping cart one after the other
  • 7. ● The complete URI of an API complies to the following structure: {scheme}://{host}/{base-path}/{path}[?{query-string}] "https://petstore.swagger.io/v2/pet/1" ● scheme : the transport protocol supported by the API ● host: the domain of the API ● base path: the base-path of an API follows the structure, /{feature-code}/[ {sub-code}/ ]/{version} Resource URIs 7
  • 8. ● Atomic resources, collection resources and composite resources should be named as nouns because they represent "things", not "actions" ● Processing function resources and controller resources should be named as verbs because they in fact represent "actions". ● Processing function resources and controller resources should not be sub-resources of individual other resources. ⦿ They should not be named by means of a URI template ⦿ Individual resources become parameters. ● Lower case characters should be used in names only because the rules about which URI element names are case sensitive and which are not may cause confusion. Proper naming 8
  • 9. ● If multiple words are used to name a resource, these words should be separated by dashes (i.e. "-"). ⦿ Especially, no underscore (i.e. "_") should be used. ⦿ Similarly, camel case or other programming language related naming should be avoided. ● Singular nouns should be used for naming atomic resources. ● Names of collections should be "pluralized". ● Use forward slashes (i.e. "/") to specify hierarchical relations between resources. A forward slash will separate the names of the hierarchically structured resources. The parent name will immediately precede the name of its immediate children. Proper naming 9
  • 10. ● The version is specified as a pair of integers (separated by a dot) referred to as the major and the minor number of the version, preceded by the lower case letter "v". E.g: v2.1 Versioning 10 - a bug fix - a minor internal modification - newly added optional parameters - completely new request - new mandatory parameters have been added - former parameters have been dropped - complete former requests are no longer available.
  • 11. ● Best practice is to support the current major version as well as at least one major version back. ● When a client is using an API's URI with a version number no longer supported, the server has to respond with a response message that contains a Location header field with the URI of the latest version of the API: HTTP/1.1 301 Moved Permanently Location: Versioning 11
  • 12. ● A URI template is an element which contains strings in curly brackets. These strings are variables that must be substituted by values when such a URI template is used by a client. /shopping-carts/{shopping-cart-id}/{item-id}/product ● An optional query string is a part of the URI contributing to the unique identification of a resource {scheme}://{host}/{base-path}/{path}?{query-string} ● The query string consists of a sequence of name/value pairs that are separated by an "&" ● The name-string and the value-string are separated by a "=". https://petstore.swagger.io/v2/pet/find-by-status?status=available URI Templates 12
  • 14. HTTP Methods 14 HTTP Method Usage GET Retrieving an atomic resource or a composite resource is done by performing a GET on the URI identifying the resource to be retrieved. PUT The body of the corresponding PUT message provides the modified but complete representation of a resource that will completely substitute the existing resource: Parts of the resource that have not changed must be included in the modified resource of the message body. POST The creation of new resource, and the initiation of functions, to interact with processing function resources as well as controller resource. DELETE A resource is deleted by means of the DELETE request on the URI of the resource.
  • 15. Status Codes 15 Status code Message 200 OK The request has been performed successfully. 400 Bad Request The request is invalid. syntax errors in expressions passed with the request are found, values are out of range, required data is missing etc. 401 Unauthorized The request requires client authorization or the passed credentials are not accepted. The response must include a WWW-Authenticate header. 403 Forbidden The server understood the request but refused to perform it. 404 Not Found The requested entity does not exist. 406 Not Acceptable The requested media type is not supported. https://wso2.com/whitepapers/wso2-rest-apis-design-guidelines/#09
  • 16. ● It is often convenient to retrieve the large result sets in smaller chunks. ● The retrieval request specifies a query string containing an "offset" field as well as a "limit" field;. ⦿ offset - the position number of a qualified resource where the retrieval should start ⦿ limit - the maximum number of resources to be returned. ● The response message with the subset of the qualified resource returned should specify, ⦿ total number of all qualified resources ("count" field) ⦿ a link to the next chunk of qualified resources ("next" field) ⦿ a link to the previous chunk of qualified resources ("previous" field) Pagination 16
  • 17. Example: GET /products?offset=42&limit=3 Response: HTTP/1.1 200 OK count=119 next={link-to-next-subset} previous={link-to-previous-subset} P42-details P43-details P44-details Pagination 17
  • 18. ● Resources should be accessible based on a properly designed permission model to prevent misuse of APIs. ● Different resources are protected by different permissions and these permissions may change. ● To support this, REST APIs need to support extensible security mechanisms like ⦿ Authentication (who are you) ⦾ HTTP Basic Authentication ⧁ Username/password auth. More suitable for internal/B2B APIs. ⦾ API Keys ⧁ One time API Key. More suitable for B2B APIs. ⦾ OAuth2.0 (Open Authentication) ⧁ The de-facto security for REST APIs. Supports a wide range of grant types covering many application types. ⦿ Authorization (what can you do) ⦾ OAuth2.0 scopes ⦾ XACML (eXtensible Access Control Markup Language). ⦾ OPA (Open Policy Agent) Security 18
  • 19. ● Open API Specification - JSON with YAML compatibility (best for request/response model) ● RAML - is strictly YAML in representation ● WADL - uses XML ● API Blueprint - uses Markdown as it’s format ● Slate REST API Specification Formats 19
  • 20. ● Swagger API tools https://swagger.io/tools/ ● Stoplight https://stoplight.io/ ● OData Open API https://github.com/oasis-tcs/odata-openapi ● Oas-tools https://github.com/isa-group/oas-tools ● OAS RAML Converter https://mulesoft.github.io/oas-raml-converter/ For more Tools check : https://openapi.tools/ Tools 20
  • 21. ● Event-driven APIs enable apps to integrate many products and services based on equivalence around event-driven interactions. ● AsyncAPI specification is used to design and develop event driven APIs like Kafka, WebSockets, etc. ● It was created to serve as a common unifying language for the diverse formats, protocols, and specifications, allowing for standardized communication in the message-driven system. Event-driven APIs - Async APIs 21
  • 22. REST API Design Guidelines Fore more information on how to design a good REST API, see https://wso2.com/whitepapers/wso2-rest-apis-design-guidelines/
  • 25. Status Codes 25 Status code Message 200 OK The request has been performed successfully. 201 Created The request has been performed successfully. The URL of the newly created entity is contained in the Location header of the response. An ETag header should be returned with the current entity tag of the resource just created 202 Accepted The processing of the request has started but will take some time. The body of the response message should provide information about the current state of the processing,as well as information about where the client can request updated status information at a later point in time 303 See Other The response of the request is available at a different URL; this URL is given as value of the Location header of the response message 304 Not Modified The requesting client has already received the latest version of the requested resource.
  • 26. Status Codes 26 Status code Message 400 Bad Request The request is invalid. syntax errors in expressions passed with the request are found, values are out of range, required data is missing etc. 401 Unauthorized The request requires client authorization or the passed credentials are not accepted. The response must include a WWW-Authenticate header. 403 Forbidden The server understood the request but refused to perform it. 404 Not Found The requested entity does not exist. 406 Not Acceptable The requested media type is not supported. 412 Precondition Failed The request has not been performed because one of the preconditions has not been met. 415 Unsupported Media Type The entity passed by the request was in a format that is not supported.
  • 27. ● A query on a collection resource consists of three artifacts: ⦿ a mandatory filter condition ⦿ an optional sort expression ⦿ an optional projection ● Filter condition ⦿ Is a boolean expression of attributes ⦿ The spectrum of filter conditions is from simple (supporting to specify a single attribute name with a value being compared for equality) to complex (arbitrary conditions and arbitrary comparison operators). Example of a complex query: filter=((price > 1000 AND status = on-stock) OR (price < 200 AND NOT(status = on-stock))) Queries 27
  • 28. ● Sort expression ⦿ consists of a list of attribute names together with the indication for each attribute name whether the result is to be sorted ascending or descending. ⦿ The order in which the result is sorted is implied by the order of the list of attribute names. Example: sort=(price ASC, delivery-date DESC) ● Projection ⦿ A list of attribute names that have to be used to create each item in the result set. ⦿ Each specified attribute name is used to extract the corresponding information from each resource and compile a corresponding item in the result set. Example: projection=price,color,status Queries 28
  • 29. ● There are two ways to enable queries on collections: ⦿ part of the query string of the URI used by a GET GET /products?status=on-stock&sortAsc=price&projection=price,color,status HTTP/1.1 This is preferred because a GET is used with this URI, clearly expressing the semantics of the request namely retrieving a subset of the collection ⦿ the query is passed in the body of a POST request of a special processing function resource. POST /product-search HTTP/1.1 filter=((price > 1000 AND status = on-stock) OR (price < 200 AND NOT(status = on-stock))) sort=(price ASC, delivery-date DESC) projection=price,color,status When queries may become complex where the maximum length may be exceeded, the use of a POST request that contains the (complex) query in the request body is enforced Queries 29
  • 30. ● Requests may take too long to return the response synchronously, Long Running Requests 30 ● "202 Accepted" status code specifies that the request is accepted but will be processed asynchronously. ● The task resource says that the request is running and gives an estimated completion time. ● In succeeding requests, the client will retrieve the actual task resource via the URI value of the Content-Location header field: GET /apply/tasks/1 HTTP/1.1 Host: www.shark-credits.com
  • 31. "200 OK" - means that the retrieval of the task resource was successful note especially that this does not indicate that the long running request completed successfully: Long Running Requests 31
  • 32. ● "303 See Other" specifies that a new resource has been created with the URI with the value of the Location header field. ● This is the URI of the result of the long running request. ● The task resource now reports in its state field that the long request succeeded successfully. Long Running Requests 32 After some time, the long running request will have completed, i.e. the GET request above will receive the following response:
  • 33. ● the retrieval of the task resource will succeed with a "200 OK" status code, ● the task resource's status will report that the long running request completed but was not successful. ● Note: the status code of the response of the retrieval of the task resource is not related to the status of the long running request at all. Long Running Requests 33 If the long running request fails,
  • 34. ● It assumes that a server processing a request determines the representation best suited to the requesting client. ● The server is dependent on the requesting client to specify information about its processing capabilities or requirements. ● It is done by means of header fields of the request message like Accept, AcceptEncoding etc. Server-driven Content Negotiation 34 Advantage Disadvantage Avoiding a second request to be made by the client Potentially responding a representation to the client that is not ideally suited
  • 35. ● The server detects that it has more than one representation of a resource available that may serve the client's needs. ● The server responds to the request with a "300 Multiple Choices" message that carries information about the representations available, ● The client finally selects one of these representations and explicitly requests it in a following request. Client-driven Content Negotiation 35 Advantage Disadvantage The client gets the representation that is best suited for it. Two round-trips.
  • 36. ● The client specifies that it is able to process JSON, XML as well as plain text, but that it prefers JSON. ● The preferences in media types is specified by weighting a media type by a quality value q. ● The server will determine which of the representations it has available and will return the one with the highest quality value. ● Example: GET /products/27182 Accept: application/json;q=0.9, application/xml;q=0.6, text/plain;q=0.1 ● In case the server does not have a client specified representation, it will respond with a message returning a corresponding status code: HTTP/1.1 406 Not acceptable 36
  • 37. ● Multiple clients interacting with the same resource may cause concurrency conflicts like lost updates. ● Pessimistic concurrency control mechanisms ⦿ avoid conflicts in advance by locking resources ⦿ used if the probability for conflicts is high ● Optimistic concurrency control ⦿ avoids conflicts by detecting conflicts and signaling them to clients that may retry their requests ⦿ used if the probability for conflicts is low. ● Many concurrent interactions in REST-based APIs can be handled by optimistic concurrency control. Concurrency Control 37
  • 38. ● For this purpose, requests are sent as conditional requests. ● A conditional request specifies the If-Match or If-Unmodified-Since header in the request. ● When performing the conditional request, the API implementation has to compare the value(s) passed by the client in the request with the corresponding values of the current resource as stored by the origin server. ● If the values have been changed, the request is rejected (response code "412 Precondition Failed"); otherwise, the request is executed. Example: PUT /products/31415 If-Match: "42049dcaf450987cffd" If-Unmodified-Since: Thu, 7 Jan 2016 17:41 CET Response: HTTP/1.1 412 Precondition Failed Concurrency Control 38
  • 39. ● Even with PATCH, special care must be taken with respect to lost updates: ⦿ If concurrent PATCHes are to be supported, concurrency control must be implemented as a conditional request. ● Following pattern may be used to realize partial updates without using processing function resources: ⦿ a client has to GET the resource to be updated ⦿ apply the partial updates locally ⦿ then send a conditional PUT with the complete resource to the server. Concurrency Control 39
  • 40. ● A client may cache resources as well as header fields of resources to reduce transfer of data that has not been changed since its last retrieval. ● For this purpose, a client uses a conditional request to retrieve data. ● Such a conditional request specifies the If-None-Match or the If-Modified-Since headers in the request. ⦿ If-None-Match - the value of the ETag header of the resource as retrieved last time by the requesting client. ⦿ If-Modified-Since - the value of the Last-Modified header of the resource as retrieved last time by the requesting client. ● When performing the conditional request, the API implementation has to compare the value(s) passed by the client in the request with the corresponding values of the current resource as stored by the server. Client-Side Caching 40
  • 41. ● If the values have not changed, the resource is not returned (response code "304 Not Modified"); otherwise, the resource is returned. Example: GET /products/31415 If-None-Match: "42049dcaf450987cffd" If-Modified-Since: Thu, 7 Jan 2016 17:41 CET Response: HTTP/1.1 304 Not Modified Client-Side Caching 41
  • 42. ● When a 4xx status code is returned, a client error has been detected. ● Detailed error information should be returned in the body of the response message. Reporting Errors 42
  • 43. ● If more than one error occurred, each error is reported as an element of the following array that is part of the error object before. Reporting Errors 43
  • 44. ● HTTP Basic Authentication is unsecure. (credentials are in clear text, i.e. it is Base64 encoded, which can be immediately translated into clear text) ● HTTP Basic Authentication is only viable over HTTPS. ● HTTP Digest encoding is more secure but is subject to a "man-in-the-middle-attack". ● By using HTTPS, this is avoided. ● HTTP security mechanisms are only acceptable for non-critical APIs, for requests that generate more secure access tokens. Basic Authentication 44
  • 45. ● A unique generated value is assigned to each first time user, signifying that the user is known. ● If an API is limited specifically in functionality where “read” is the only possible command, an API Key can be an adequate solution. ● API Key is not very secure because anyone who makes a request transmits their key. This key can be picked up just as easy as any network transmission, and if any point in the entire network is insecure, the entire network is exposed. API Keys 45
  • 46. ● OAuth is the best choice for identifying personal user accounts and granting proper permissions. ● The likelihood of possible attacks of HTTP Basic or Digest Authentication is reduced by using OAuth tokens. ● A set of scopes needs to be designed that protects individual processing function resources, collection resources, or the ability to create or delete resource. ● Although OAuth has been proposed as a mechanism over HTTP, it should be used over HTTPS to increase security. Open Authorization (OAuth) 46
  • 47. ● A more fine-grained control of access to resources is supported by XACML but XACML is considered quite complex in practice ● XACML is an attribute-based access control (ABAC) mechanism. ● Example: If a user is allowed to login to a system during a specific time this requirement can;t be achieved by OAuth alone a policy needs to be enforced. So we can use XACML eXtensible Access Control Markup Language (XACML) 47
  • 48. ● You can use OPA to enforce policies in microservices, Kubernetes, CI/CD pipelines, API gateways, and more. ● OPA generates policy decisions by evaluating the query input and against policies and data. ● Policy decisions are not limited to simple yes/no or allow/deny answers. Like query inputs, your policies can generate arbitrary structured data as output. Open Policy Agent (OPA) 48