API Design: It's Not Rocket Surgery

API design
More than the REST
Dave Ingram
@dmi
February 25, 2012

View Slide

Who am I?
• Coder and Release Manager at GroupSpaces
• Twitter: @dmi
• Github: dingram
• Also occasionally found at London Hackspace
• Feedback: http://joind.in/6137

View Slide

What this isn’t

View Slide

ST
ST
T
T
REST
REST
REST
REST
REST
REST
REST
REST
EST
EST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
EST
REST
REST
REST
REST
REST
REST
REST
REST
REST
RE
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
T
REST
REST
REST
REST
REST
REST
REST
REST
REST
REST
RE
RES
RES
RES
REST
REST
REST
REST
REST
REST
R
R
R
RE

View Slide

There’s so much more!

View Slide

URLs

View Slide

URLs
verbs

View Slide

URLs
verbs
headers

View Slide

URLs
verbs
headers
authentication

View Slide

URLs
verbs
headers
authentication
formats

View Slide

URLs
verbs
headers
authentication
formats
validty

View Slide

URLs
verbs
headers
authentication
formats
validty
documentation

View Slide

DOCUMENTATION

View Slide

DOCUMENTATION
(later)

View Slide

Part 1: URLs

View Slide

Make them
versioned

View Slide

Make them
versioned,
hackable

View Slide

Make them
versioned,
hackable &
meaningful

View Slide

http://api.com/v1/

View Slide

http://api.com/v1/users/

View Slide

http://api.com/v1/users/31337

View Slide

http://api.com/v1/users/31337/posts/

View Slide

Look at URLs from a
consumer perspective

View Slide

They don’t care about internal
implementation details

View Slide

Use common sense

View Slide

A good routing system is your
friend
You don’t want to be issuing 3xx redirects
because consumers forgot a slash

View Slide

Part 2: Verbs

View Slide

(in terms of model operations)

View Slide

• GET = get()
• PUT = set() / new Obj($id)
• POST = new Obj() / doThing()
• DELETE = delete()
• HEAD ≈ getMetadata()
• OPTIONS ≈ Reﬂection

View Slide

Must at least support GET/POST

View Slide

Can emulate PUT/DELETE

View Slide

HEAD is rare and can probably
be ignored

View Slide

OPTIONS is used by CORS, but
otherwise rare

View Slide

Part 3: Headers

View Slide

Headers are important too!

View Slide

Some headers let you be clever

View Slide

Accept
The MIME types the client will accept.
No need to use ﬁle extensions to decide what
content type to serve!
Accept-Language
The languages the client will accept.
No need to ask clients or (worse) just assume
English responses.

View Slide

Some headers reduce trafﬁc
(important for mobile)

View Slide

• ETag – A unique tag for the content
• If-(None-)Match – Check ETag
• If-Modified-Since – Cached by client
• Cache-Control – Can it be cached?

View Slide

Part 4: Authentication &
Authorization

View Slide

OAuth2 over HTTPS

View Slide

OAuth2 over HTTPS
(that’s it)

View Slide

Much simpler than OAuth 1.0

View Slide

Many libraries for OAuth2, as it’s
a popular standard

View Slide

Part 5: Formats

View Slide

Sane default: JSON, plus
envelope with metadata

View Slide

{
"meta": {
"code": 200,
"dev_notes": [
"This endpoint is deprecated"
]
},
"response": {
...
}
}

View Slide

Use XML if you must,
or if users really want it

View Slide

Idealistic REST XML is verbose
and people may hate you
(unless they’re building an API explorer)

View Slide

Don’t forget: mobile bandwidth
is still very limited

View Slide

Timestamps
• ISO-8601 2012-02-25T14:00:00Z
Human-readable(ish), but needs parsing
• UTC seconds since epoch: 1330178400
Easily machine-usable
Should your API really be human-readable?
It’s better to help your consumers.

View Slide

Part 6: Validity

View Slide

Allow your consumers to cache
data wherever possible

View Slide

Encourage use of request headers:
• GET:
• If-Modified-Since
• If-None-Match
• POST/PUT/DELETE:
• If-Unmodified-Since
• If-Match

View Slide

Return useful response headers:
• Last-Modified
• Expires
• ETag
• Cache-Control

View Slide

Deal with preconditions and give
appropriate response codes

View Slide

For example:
ETag and Last-Modified
can help prevent race conditions

View Slide

PUT /wiki/dealing-with-conflicts HTTP/1.1
Host: api.com
If-Unmodified-Since: Sat, 18 Feb 2012 11:09:21 GMT
If-Match: "x-rev-11294"
Content-Type: text/html
...
412 Precondition Failed
ETag: "x-rev-11467"
Last-Modified: Sat, 25 Feb 2012 14:42:53 GMT
...

View Slide

Part 7: Documentation

View Slide

Documentation is important

View Slide

If people can’t understand your
API, they won’t use it

View Slide

Use examples liberally. . .
and make sure they’re both
up-to-date and correct!

View Slide

Assume nothing;
explain everything

View Slide

Try building something using
only your own API docs

View Slide

Thanks!
http://dmi.me.uk/talks/ http://joind.in/6137
Built in L
ATEX Inspired by: http://goo.gl/0mT55

View Slide

API Design: It's Not Rocket Surgery

API Design: It's Not Rocket Surgery

Dave Ingram

More Decks by Dave Ingram

Other Decks in Technology

Featured

Transcript