The document discusses best practices for REST API design, including:
1) Using nouns instead of verbs for endpoints, and plural resource names instead of singular. It also recommends snake_case formatting.
2) Properly using HTTP status codes like 201 Created, 202 Accepted, 204 No Content, and providing helpful error responses.
3) Supporting features like pagination, filtering, sorting, searching, and caching responses with headers like ETag and Last-Modified.
4) Discussing approaches for API versioning in the URL, custom headers, or accept headers. The importance of hypermedia and discoverability is also emphasized.
8. 5
Representational State Transfer
Architectural properties
• Performance
• Scalability
• Simplicity
• Modifiability
• Visibility
• Portability
• Reliability
Architectural constraints
• Client-server
• Stateless
• Cacheable
• Layered system
• Code on demand (optional)
• Uniform interface
9. 6
REST — Uniform interface
• Identification of resources
• Manipulation of resources
through representations
• Self-descriptive messages
• HATEOAS
(Hypermedia AsThe Engine
Of Application State)
10. 6
REST — Uniform interface
• Identification of resources
• Manipulation of resources
through representations
• Self-descriptive messages
• HATEOAS
(Hypermedia AsThe Engine
Of Application State)
Resource as URIs
http://api.co/cars/123
11. 6
REST — Uniform interface
• Identification of resources
• Manipulation of resources
through representations
• Self-descriptive messages
• HATEOAS
(Hypermedia AsThe Engine
Of Application State)
Resource as URIs
http://api.co/cars/123
JSON, XML…
12. 6
REST — Uniform interface
• Identification of resources
• Manipulation of resources
through representations
• Self-descriptive messages
• HATEOAS
(Hypermedia AsThe Engine
Of Application State)
Resource as URIs
http://api.co/cars/123
JSON, XML…
HTTP GET, POST, PUT, DELETE
media types, cacheability…
13. 6
REST — Uniform interface
• Identification of resources
• Manipulation of resources
through representations
• Self-descriptive messages
• HATEOAS
(Hypermedia AsThe Engine
Of Application State)
Resource as URIs
http://api.co/cars/123
JSON, XML…
HTTP GET, POST, PUT, DELETE
media types, cacheability…
Hypermedia APIs
HAL, JSON-LD, Siren…
14. 7
HTTP methods / URIs for collection/item
GET
POST
PUT
DELETE
http://api.co/v2/cars/ http://api.co/v2/cars/1234
List all the cars Retrieve an individual car
Create a new car Error
Replace the entire collection
with a whole new list of cars
Update an individual car
Delete all the cars Delete an individual car
16. 9
Nouns are good, verbs are bad!
• Prefer nouns to verbs
• nouns refer to resources
• resources are handled with HTTP verbs
• Verbs can be used for actions or calculations
• /login, /logout
• /convertTemperature
• /repositories/123/star
17.
18. 11
Singular or plural resources?
• Prefer plural forms
• /tickets/234 vs /ticket/234
• Avoid confusing odd singular vs plural forms
• /person vs /people, or /goose vs /geese
• Easier for URL routing (same prefix)
• Think of it as:
‘This is the 234th item of the tickets collection’
21. 13
Different casing in the wild
• UpperCamelCase or lowerCamelCase
• snake_case or dashed-snake-case
• Prefer lowercase
• Prefer snake_case
• Underscores seem more common in APIs
• But chose one casing and be consistent!
22. 14
Dealing with relations in your URLs
• /tickets/123/messages/4
• a ticket could be a group of messages
• /usergroups/234/users/67
• a user could belong to different usergroups
• user should have a URL of its own, referenced from the
usergroup payload
26. 18
Common HTTP status codes
• Use appropriate HTTP status codes when answering
requests:
• 1xx: Hold on…
• 2xx: Here you go!
• 3xx: Go away!
• 4xx:You fucked up :-D
• 5xx: I fucked up :-(
36. 23
Not just 200 OK! — 201 Created
• Specify a Location header, pointing at the location of the
newly created resource
POST /cars ...
HTTP/1.1 201 Created
Location: http://cars.co/v2/cars/5959
39. 26
Not just 200 OK! — 202 Accepted
• Request accepted but will be handled asynchronously
• a job might be running later and yield a result later on
POST /jobs ...
HTTP/1.1 202 Accepted
No payload
returned
40. 27
Not just 200 OK! — 204 No content
• The resource was deleted and no payload is returned
• but could return 200 OK
& provide the payload of the deleted element
DELETE /tickets/654
HTTP/1.1 204 No content
41. 28
Not just 200 OK! — 206 Partial content
• A partial list of meteorites is returned, using pagination
• add a Link header to facilitate navigation
GET /meteorites?page=4
HTTP/1.1 206 Partial content
Link: <http://nasa.co/meteorites?page=1>; rel="first",
<http://nasa.co/meteorites?page=3>; rel="prev",
<http://nasa.co/meteorites?page=5>; rel="next",
<http://nasa.co/meteorites?page=9>; rel="last"
...
42. 29
Not just 200 OK! — 304 Not modified
• When HTTP caching headers are in play
• the client should have a version in cache already
GET /meteorites/654
HTTP/1.1 304 Not modified
47. 34
Pagination with query parameters
• With a page number: ?page=23
• can also specify a page size
• might get odd results when insertions happen
• With a cursor: ?cursor=34ea3fd6
• insertion-friendly
• With a semantic parameter: ?page=A
• interesting when limited / discrete number of pages
48. 35
Pagination with accept range header
• Accept range header not just for bytes
GET /users
HTTP/1.1 206 Partial content
Accept-Ranges: users
Content-Range: users 0-9/200
GET /users
Range: users=0-9
63. 40
Provide helpful error payloads
• No definitive standard yet
• http problem proposal and vnd-error mime type
HTTP/1.1 403 Forbidden
Content-Type: application/problem+json
Content-Language: en
{
"type": "https://example.com/probs/out-of-credit",
"title": "You do not have enough credit.",
"detail": "Your current balance is 30, but that costs 50.",
"instance": "/account/12345/msgs/abc",
"balance": 30,
"accounts": ["/account/12345", "/account/67890"]
}
68. 42
Treating unknown status codes
• An unknown status code should be treated
as the first one of the family
• 4xx — 400 generic client error
• 5xx — 500 generic server error
70. 44
Rate limitation
HTTP/1.1 200 OK
Date: Mon, 01 Jul 2013 17:27:06 GMT
Status: 200 OK
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 56
X-RateLimit-Reset: 1372700873
Total number of
requests allowed
Number of
requests left
remaining window before
the rate limit resets in UTC
epoch seconds
74. 48
Filtering
• Specify fields you’re interested in:
• GET https://api.co/users/123?fields=firstname,lastname,age
• Specify excluded fields:
• GET https://api.co/users/123?exclude=biography,resume
• Specify a « style »:
• GET https://api.co/users/123?style=compact
75. 49
Prefer… the prefer header
GET /users/123 HTTP/1.1
Content-Type: application/json
Prefer: return=minimal
Vary: Prefer,Accept,Accept-Encoding
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Vary: Prefer,Accept,Accept-Encoding
Preference-Applied: return=minimal
Define different
profiles: minimal,
mobile, full…
76. 50
Expanding referenced resources
• Use the dot notation to explicit you want sub-resources
• GET https://api.co/users/123?fields=address.zip
• user
• name
• address
• zip
• country
• …
• …
83. 57
Different approaches for API versioning
• Most frequent, in the URL:
• https://api.com/v2/restaurants/1234
• Custom header:
• X-API-Version: 2
• Less frequent, with an accept header
• clients don’t have to change endpoint, but update headers
GET /restaurants
Accept: application/vnd.restaurants.v2+json
86. 60
Pros & Cons of hypermedia
• Pros
• more generic clients
• can palliate the need for API versioning
• Cons
• heavier payload (think mobile devices w/ bad connectivity)
• clients still need to understand what links are about and
how to represent them in their UI
88. 62
Lots of choice
• HAL
• JSON-LD
• Collection+JSON
• SIREN
• …
• Which to chose from?
• no real consensus yet
• but HAL seems quite common
89. 63
A word about IDs for linked resources
• If you’re tempted to go your own way for hypermedia…
• Be sure to define direct links to resources
• photos: [http://news.co/articles/123/photos/654,
http://news.co/articles/123/photos/659]
• Not mere IDs for which API clients need to figure out the
exact resource location (error-prone)
• photos: [654, 659]
90. 64
Another word about IDs
• Usually avoid counter-type IDs: 1, 2, 3, 4…
• Prefer UUIDs
• makes it harder for malignant users
to scan & discover existing resources
• auto-incrementing IDs might not be unique
in distributed systems