API Design: It's Not Rocket Surgery (ODI)

API design It’s Not Rocket Surgery Dave Ingram @dmi December
6, 2012

Who am I? • Was developer/RM at GroupSpaces for 41/2
years • Now DevOps freelancer • Twitter: @dmi • Github: dingram • Way too many projects • Involved in open source, including Phabricator • Occasionally found at London Hackspace

Why am I giving this talk? • I’ve built a
number of APIs • Both for GroupSpaces and my own projects • Sadly most are not public (yet!) • I’m also a consumer of many other APIs • Twitter • Foursquare • Tumblr • TfL • Spotify • . . . blah blah blah. . .

Feedback/thoughts via Twitter: #apirocketsurgery (or @dmi)

What this isn’t

T T REST REST REST REST REST REST REST EST
EST ST ST ST T T REST REST REST REST REST REST REST REST REST REST REST REST REST REST R REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST R REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST REST R REST REST REST REST REST REST REST REST REST REST REST REST REST REST RES RES REST REST REST REST REST REST REST REST REST REST REST REST REST R R R RE RE RE RES RES REST R

There’s so much more!

URLs verbs

URLs verbs headers

URLs verbs headers authentication

URLs verbs headers authentication formats

URLs verbs headers authentication formats integrity

URLs verbs headers authentication formats integrity documentation

DOCUMENTATION

DOCUMENTATION (later)

Part 1: URLs

Make them versioned

Make them versioned, hackable

Make them versioned, hackable & meaningful

http://api.com/v1/

http://api.com/v1/users/

http://api.com/v1/users/31337

http://api.com/v1/users/31337/posts/

Look at URLs from a consumer perspective

They don’t care about internal implementation details

Use common sense

Don’t be afraid of the query string

Use query arguments to ﬁlter output or for (some) alternate
representations

Good: searching & verbosity Bad: output format control (XML vs
JSON)

Good: http://api.com/v1/search?q=foobar Bad: http://api.com/v1/search/foobar

Good: http://api.com/v1/foo.json Bad: http://api.com/v1/foo?format=json

Part 2: Verbs

• GET = get() • PUT = setAll() / new
Obj($id) • POST = new Obj() / doStuff() / set() • DELETE = delete() • HEAD ≈ getMetadata() • OPTIONS ≈ reﬂection/permissions

Must at least handle GET/POST

Can emulate PUT/DELETE

For example: POST http://api.com/v1/foo/42!PUT POST http://api.com/v1/foo/11!DELETE

Remember that POST can have side-effects and is never cached

PUT and DELETE are idempotent, which means they have the
same effect even if they’re repeated

HEAD is rare and can probably be ignored

OPTIONS is used by CORS, but otherwise rare

Cross-Origin Resource Sharing

A way to allow in-browser cross-origin XMLHTTPRequests Support: FF3.5+, Chrome
4+, Safari 4+, Opera 12+, IE8+ (partial), IE10+ (full), iOS 3.2+, Android 2.1+ http://www.w3.org/TR/cors/ http://caniuse.com/cors

Origin & Allow-Origin A way to allow in-browser cross-origin XMLHTTPRequests
Support: FF3.5+, Chrome 4+, Safari 4+, Opera 12+, IE8+ (partial), IE10+ (full), iOS 3.2+, Android 2.1+ http://www.w3.org/TR/cors/ http://caniuse.com/cors

Part 3: Headers

Headers are important too! (and you can be clever)

Accept The MIME types the client will accept. No need
to use ﬁle extensions to decide what content type to serve! Accept-Language The languages the client will accept. No need to ask clients or (worse) just assume English responses.

Some headers reduce trafﬁc (important for mobile)

• ETag – A unique tag for the content •
If-(None-)Match – Check ETag • If-(Un)Modified-Since – Is it newer? • Cache-Control – Can it be cached? • Expires – How long is it valid? • Vary – Additional caching rules

Beware: some proxies may not pass custom headers

Beware: even some standard headers are not safe

Prefer headers, but accept other methods

Part 4: Authentication & Authorization

OAuth2 over HTTPS

Much simpler than OAuth1 (similar to session cookies)

Many libraries for OAuth2 for many platforms as it’s a
popular standard

For extra security use OAuth2-MAC

OAuth2-MAC uses signatures instead of bearer tokens, so secrets stay
secret

Then again, the author of OAuth2 has now advised not
upgrading from OAuth 1.0a and either using OAuth 1.0a for new sites or staying close to a large provider’s implementation

No need to worry about rate-limiting (to start with*) 3scale,
Apiaxle, Mashery can help

Part 5: Formats

Sane default: JSON, plus envelope with metadata

{ "meta": { "code": 2 , "dev_notes ": [ "This
endpoint is deprecated" ] }, "response ": { ... } }

Metadata envelope helps with JSONP and limited clients that discard
errors

Having metadata allows out-of-band information, like deprecation warnings

What about XML?

*Hypertext as the Engine of Application State HATEOAS* is a
nice idea, although it’s very verbose (but useful for building an API explorer)

HATEOAS adds links to related endpoints in the response

At the very most, HATEOAS should be opt-in for clients
that will use it

Don’t forget: mobile bandwidth is still very limited

Timestamps • ISO-8601 2 12- 5- 3T19: : Z Human-readable,
but needs parsing • UTC seconds since epoch: 1336 716 Easily machine-usable

Should your API really be human-readable? It’s better to help
your consumers.

Part 6: Data integrity

Allow your consumers to cache data whenever possible

Encourage use of request headers: • GET: • If-Modified-Since •
If-None-Match • POST/PUT/DELETE: • If-Unmodified-Since • If-Match

Return useful response headers: • Last-Modified • Expires • ETag
• Cache-Control

Deal with preconditions and give correct response codes

Useful status codes: 4 5 Method Not Allowed 4 6
Not Acceptable 412 Precondition Failed 428 Precondition Required* 429 Too Many Requests* *New in RFC6585

For example: ETag and Last-Modified can help prevent race conditions

PUT /v1/wiki/dealing -with -conflicts HTTP /1.1 Host: api.com Content -Type:
text/html ... 428 Precondition Required ETag: "x-rev -11294" Last -Modified: Sat , 18 Feb 2 12 11: 9:21 GMT ...

PUT /v1/wiki/dealing -with -conflicts HTTP /1.1 Host: api.com If -Unmodified
-Since: Sat , 18 Feb 2 12 11: 9:21 GMT If -Match: "x-rev -11294" Content -Type: text/html ... 412 Precondition Failed ETag: "x-rev -11467" Last -Modified: Sat , 25 Feb 2 12 14:42:53 GMT ...

Part 7: Documentation

Documentation is important

If people can’t understand your API, they won’t use it

Use examples liberally. . . and make sure they’re both
up-to-date and correct!

Assume nothing; explain everything

Try getting people you know to build something using only
your own API docs

Be helpful: provide an interactive console e.g. Apiary, Apigee console,
Mashery’s iodocs

And ﬁnally: Statistics

Record numbers for anything and everything you can imagine

Everybody loves graphs (and they’re important for understanding API usage
and performance)

Things to measure Counters: HTTP status (200, 400, 500, .
. . ) Tokens issued Token refreshes Clients created Client usage Auth successes Auth failures Auth grants Auth rejections DB queries API version/release Client type . . . Avg response time: Auth requests General requests Speciﬁc subsystems . . . Other Memory usage Client location . . .

Thanks! Any questions? Feedback via Twitter: #apirocketsurgery or @dmi Slides:
http://www.dmi.me.uk/talks/ Built in L ATEX Inspired by: http://goo.gl/ mT55

API Design: It's Not Rocket Surgery (ODI)

API Design: It's Not Rocket Surgery (ODI)

More Decks by Dave Ingram

Other Decks in Programming

Featured

Transcript