API Design: it's not rocket surgery (PHPNW2012)

API design
It’s Not Rocket Surgery
Dave Ingram
@dmi
October 6, 2012

View Slide

Who am I?
• Coder and Release Manager at GroupSpaces
• Worked there for over 41/2 years
• Twitter: @dmi
• Github: dingram
• Way too many projects of my own
• Also involved in open source, including Phabricator
• Occasionally found at London Hackspace

View Slide

Feedback/thoughts
on Twitter:
#apirocketsurgery
(or @dmi)

View Slide

What this isn’t

View Slide

T
T
REST
REST
REST
REST
REST
REST
REST
EST
EST
ST
ST
ST
T
T
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
R
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
R
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
R
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
RES
RES
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
R
R
R
RE
RE
RE
RES
RES
REST
R

View Slide

There’s so much more!

View Slide

URLs

View Slide

URLs
verbs

View Slide

URLs
verbs
headers

View Slide

URLs
verbs
headers
authentication

View Slide

URLs
verbs
headers
authentication
formats

View Slide

URLs
verbs
headers
authentication
formats
validity

View Slide

URLs
verbs
headers
authentication
formats
validity
documentation

View Slide

DOCUMENTATION

View Slide

DOCUMENTATION
(later)

View Slide

Part 1: URLs

View Slide

Make them
versioned

View Slide

Make them
versioned,
hackable

View Slide

Make them
versioned,
hackable &
meaningful

View Slide

http://api.com/v1/

View Slide

http://api.com/v1/users/

View Slide

http://api.com/v1/users/31337

View Slide

http://api.com/v1/users/31337/posts/

View Slide

Look at URLs from a
consumer perspective

View Slide

They don’t care about
internal implementation
details

View Slide

Use common sense

View Slide

Don’t be afraid of
the query string

View Slide

Use query arguments to
ﬁlter output or for (some)
alternate representations

View Slide

Good: searching & verbosity
Bad: output format control
(XML vs JSON)

View Slide

Part 2: Verbs

View Slide

(in terms of model
operations)

View Slide

• GET = get()
• PUT = setAll() / new Obj($id)
• POST = new Obj() / doStuff() / set()
• DELETE = delete()
• HEAD ≈ getMetadata()
• OPTIONS ≈ Reﬂection

View Slide

Must at least support GET/POST

View Slide

Can emulate PUT/DELETE

View Slide

For example:
POST http://api.com/foo/456!PUT
POST http://api.com/foo/123!DELETE

View Slide

Remember that POST can
have side-effects and is
never cached

View Slide

PUT and DELETE are
idempotent, which means
they can be repeated
with same effect

View Slide

HEAD is rare and
can probably be ignored

View Slide

OPTIONS is used by CORS,
but otherwise rare

View Slide

CORS?

View Slide

Cross-Origin Resource Sharing

View Slide

A way to allow in-browser
cross-origin XMLHTTPRequests
Support: FF3.5+, Chrome 4+, Safari 4+, Opera 12+,
IE8+ (partial), IE10+ (full), iOS 3.2+, Android 2.1+
http://www.w3.org/TR/cors/
http://caniuse.com/cors

View Slide

Origin & Allow-Origin
A way to allow in-browser
cross-origin XMLHTTPRequests
Support: FF3.5+, Chrome 4+, Safari 4+, Opera 12+,
IE8+ (partial), IE10+ (full), iOS 3.2+, Android 2.1+
http://www.w3.org/TR/cors/
http://caniuse.com/cors

View Slide

Part 3: Headers

View Slide

Headers are important too!

View Slide

Some headers let you be
clever

View Slide

Accept
The MIME types the client will accept.
No need to use ﬁle extensions to decide
what content type to serve!
Accept-Language
The languages the client will accept.
No need to ask clients or (worse) just
assume English responses.

View Slide

Some headers reduce trafﬁc
(important for mobile)

View Slide

• ETag – A unique tag for the content
• If-(None-)Match – Check ETag
• If-Modified-Since – Is it newer?
• Cache-Control – Can it be cached?

View Slide

Beware: some proxies may
not pass custom headers

View Slide

Part 4: Authentication &
Authorization

View Slide

OAuth2 over HTTPS

View Slide

Much simpler than OAuth 1.0

View Slide

Many libraries for OAuth2
for many platforms as
it’s a popular standard

View Slide

If you really care about
security use OAuth2-MAC

View Slide

OAuth2-MAC uses signatures
instead of bearer tokens,
so secrets stay secret

View Slide

Then again, the author of OAuth2 has now
advised going back to OAuth 1.0a so
YMMV

View Slide

Part 5: Formats

View Slide

Sane default: JSON, plus
envelope with metadata

View Slide

{
"meta": {
"code": 2 ,
"dev_notes ": [
"This endpoint is deprecated"
]
},
"response ": {
...
}
}

View Slide

Use XML if you must,
or if users really want it

View Slide

HATEOAS tends to be verbose
and people may hate you
(unless they’re building an API explorer)

View Slide

At the very most,
HATEOAS should be opt-in

View Slide

Don’t forget: mobile
bandwidth is still very limited

View Slide

Timestamps
• ISO-8601 2 12- 5- 3T19: : Z
Human-readable, but needs parsing
• UTC seconds since epoch: 1336 716
Easily machine-usable

View Slide

Should your API really be
human-readable?
It’s better to help your
consumers.

View Slide

Part 6: Data Validity

View Slide

Allow your consumers
to cache data
whenever possible

View Slide

Encourage use of request headers:
• GET:
• If-Modified-Since
• If-None-Match
• POST/PUT/DELETE:
• If-Unmodified-Since
• If-Match

View Slide

Return useful response headers:
• Last-Modified
• Expires
• ETag
• Cache-Control

View Slide

Deal with preconditions and
give correct response codes

View Slide

For example:
ETag and Last-Modified
can help prevent race
conditions

View Slide

PUT /wiki/dealing -with -conflicts HTTP /1.1
Host: api.com
If -Unmodified -Since: Sat , 18 Feb 2 12 11: 9:21 GMT
If -Match: "x-rev -11294"
Content -Type: text/html
...
412 Precondition Failed
ETag: "x-rev -11467"
Last -Modified: Sat , 25 Feb 2 12 14:42:53 GMT
...

View Slide

New status codes in RFC6585:
428 Precondition Required
429 Too Many Requests

View Slide

Part 7: Documentation

View Slide

Documentation is important

View Slide

If people can’t understand
your API, they won’t use it

View Slide

Use examples liberally. . .
and make sure they’re both
up-to-date and correct!

View Slide

Assume nothing;
explain everything

View Slide

Try getting people you know
to build something using
only your own API docs

View Slide

Thanks!
http://dmi.me.uk/talks/
Feedback via Twitter:
#apirocketsurgery or @dmi
Built in L
ATEX Inspired by: http://goo.gl/ mT55

View Slide

API Design: it's not rocket surgery (PHPNW2012)

API Design: it's not rocket surgery (PHPNW2012)

Dave Ingram

More Decks by Dave Ingram

Other Decks in Technology

Featured

Transcript