API Design

Deliveroo

API Design

API counts

How many endpoints/resources in an API?

Global design

General considerations on API design

API Lifecycle

Updates and Versioning

How to handle API updates and versioning

  • Content type negotiation
    The Accept header may include the v parameter to specify the API version requested; see “Versioning” below.
  • Versioning
  • Public-friendly APIs
    a new (breaking/major) version of a set of public-facing APIS should be an entirely new domain (e.g. v2.my-api.example.com), with entirely segregated infrastructure.

Collection Resources

Pagination

How to retrieve a range of resources in a collection

Retrieve a collection

How to get a collection or resources

Collection

What is a collection (set) of resources

Data

Internationalization

Providing internationalized data representation (e.g. adapted to the user’s country)

Error handling

Errors

How to handle errors

Error format

How to provide information about errors

HTTP Methods

DELETE

The DELETE method deletes the specified resource.

GET

The GET method requests a representation of the specified resource. Requests using GET should only retrieve data and should have no other effect.

HEAD

The HEAD method asks for a response identical to that of a GET request, but without the response body. This is useful for retrieving meta-information written in response headers, without having to transport the entire content.

PATCH

The PATCH method applies partial modifications to a resource.

POST

The POST method requests that the server accept the entity enclosed in the request as a new subordinate of the web resource identified by the URI. The data POSTed might be, for example, an annotation for existing resources; a message for a bulletin board, newsgroup, mailing list, or comment thread; a block of data that is the result of submitting a web form to a data-handling process; or an item to add to a database.

HTTP methods

General information about HTTP methods usage

HTTP Protocol

Caching

How to use and provide relevant caching informations

Content negociation and media types

How to describe your API data format and/or propose different formats (like json, yaml, xml atom, …)

HTTP Headers

How to use standard or custom HTTP headers

  • Resource lifecycle
    either If-Unmodified-Since or If-Match
  • Versioning
    Clients may specify a desired version as the v parameter of the Accept header
  • Versioning
    If the version was unspecified, the server should use the latest available version, and specify the Vary header
  • Internationalisation (i18n)
    Localisation is inherently a representation concern, and HTTP mandates such concerns to be addressed using protocol headers.
  • Single-entity GET endpoints
    Responses should include a Last-Modified or ETag header, and may include both
  • Compression
    Servers may support the Accept-Encoding header for compression purposes, but this is not mandatory.

HTTP protocol

General informations about HTTP protocol

  • Compression
    Servers may support the Accept-Encoding header for compression purposes, but this is not mandatory.

HTTP Status Redirection

300 Multiple Choices

The 300 (Multiple Choices) status code indicates that the target resource has more than one representation, each with its own more specific identifier, and information about the alternatives is being provided so that the user (or user agent) can select a preferred representation by redirecting its request to one or more of those identifiers. In other words, the server desires that the user agent engage in reactive negotiation to select the most appropriate representation(s) for its needs.

  • Caching
    Responses with the following status codes should specify a Cache-Control header

301 Moved Permanently

This and all future requests should be directed to the given URI.

  • Caching
    Responses with the following status codes should specify a Cache-Control header

302 Found

Common way of performing URL redirection. An HTTP response with this status code will additionally provide a URL in the location header field. The user agent (e.g. a web browser) is invited by a response with this code to make a second, otherwise identical, request to the new URL specified in the location field.

  • Caching
    Responses with the following status codes should specify a Cache-Control header

304 Not Modified

Indicates that the resource has not been modified since the version specified by the request headers If-Modified-Since or If-None-Match. In such case, there is no need to retransmit the resource since the client still has a previously-downloaded copy.

307 Temporary Redirect

The 307 (Temporary Redirect) status code indicates that the target resource resides temporarily under a different URI and the user agent MUST NOT change the request method if it performs an automatic redirection to that URI. Since the redirection can change over time, the client ought to continue using the original effective request URI for future requests.

  • Caching
    Responses with the following status codes should specify a Cache-Control header

308 Permanent Redirect

The 308 (Permanent Redirect) status code indicates that the target resource has been assigned a new permanent URI and any future references to this resource ought to use one of the enclosed URIs.

  • Caching
    Responses with the following status codes should specify a Cache-Control header

HTTP Status Success

200 OK

Standard response for successful HTTP requests. The actual response will depend on the request method used. In a GET request, the response will contain an entity corresponding to the requested resource. In a POST request, the response will contain an entity describing or containing the result of the action.

201 Created

The request has been fulfilled, resulting in the creation of a new resource.

202 Accepted

The request has been accepted for processing, but the processing has not been completed. The request might or might not be eventually acted upon, and may be disallowed when processing occurs.

203 Non-Authoritative Information

The 203 (Non-Authoritative Information) status code indicates that the request was successful but the enclosed payload has been modified from that of the origin server’s 200 (OK) response by a transforming proxy.

  • Caching
    Responses with the following status codes should specify a Cache-Control header

204 No Content

The server successfully processed the request and is not returning any content.

206 Partial Content

The server is delivering only part of the resource (byte serving) due to a range header sent by the client. The range header is used by HTTP clients to enable resuming of interrupted downloads, or split a download into multiple simultaneous streams.

  • Caching
    Responses with the following status codes should specify a Cache-Control header

HTTP Status User Error

400 Bad Request

The server cannot or will not process the request due to an apparent client error (e.g., malformed request syntax, too large size, invalid request message framing, or deceptive request routing).

  • POST, creating entities
    400 Bad Request if the entity cannot be created with the information in the request body
  • PATCH, mutating entities
    400 Bad Request, if the modification failed.
  • Return codes and errors
    400 Bad Request: bad syntax (unknown route, missing required fields or parameters, unknown extra parameters, bad field or parameter values).
  • Parameters
    Those endpoints may return 400 Bad Request if parameters are specified.

404 Not Found

The requested resource could not be found but may be available in the future. Subsequent requests by the client are permissible.

406 Not Acceptable

The requested resource is capable of generating only content not acceptable according to the Accept headers sent in the request.

  • Versioning
    The service should respond with status 406, Not Acceptable if the version is unavailable.

409 Conflict

Indicates that the request could not be processed because of conflict in the request, such as an edit conflict between multiple simultaneous updates.

410 Gone

Indicates that the resource requested is no longer available and will not be available again. This should be used when a resource has been intentionally removed and the resource should be purged. Upon receiving a 410 status code, the client should not request the resource in the future. Clients such as search engines should remove the resource from their indices. Most use cases do not require clients and search engines to purge the resource, and a 404 Not Found may be used instead.

412 Precondition Failed

The server does not meet one of the preconditions that the requester put on the request.

415 Unsupported Media Type

The request entity has a media type which the server or resource does not support. For example, the client uploads an image as image/svg+xml, but the server requires that images use a different format.

428 Precondition Required

The origin server requires the request to be conditional. Intended to prevent the lost update problem, where a client GETs a resource’s state, modifies it, and PUTs it back to the server, when meanwhile a third party has modified the state on the server, leading to a conflict.

429 Too Many Requests

The user has sent too many requests in a given amount of time. Intended for use with rate-limiting schemes.

Hypermedia

Hypermedia (read)

How to use hypermedia to read data

Hypermedia

How to use hypermedia

Miscellaneous

Documentation

How to produce and/or propose API documentation

Query parameters

How to use query parameters

Performance and bandwidth

How to deal with high traffic or consumers with low bandwith

Rate limiting

How to provide information about how many calls a consumer can do

Naming

Naming

How to name things

Resources

Track change

How to track change on resources

Create resource

How to create resources

Delete resource

How to delete resources

Resource ID

What is a resource ID and/or how it’s built

Relationships

How to define and use relations between resources

Dereference Relationships

How to load a resource and its linked resources in one call

Retrieve resource partially

How to retrieve partially a resource

Retrieve resource

How to retrieve a resource

Update resource partially

How to udate partially a resource

Update resource

How to update a resource

URL format

How to design URLs

Resource

General informations about resources

Security

Security

Security concerns

  • Caching
    External APIs must always use TLS so only direct clients or trusted intermediaries who have our certificates (CDNs, typically) will be able to view the content