Real-Life REST API Versioning Strategies & Best Practices Alexandre TOURET

No content

The Bookstore API

The context diagram

Under the hood

No content

Let's version this API

Alexandre TOURET Software Architect, Developer Advocate @touret_alex blog.touret.info alexandre-touret Who am I?

We design payments technology that powers the growth of millions of businesses around the world.

Delivery CI/CD Code management Security Backward compatibility Potential impacts

Hold on! What about the V1?

• Do I really need to version this API? • How to handle versioning? • How many versions can I handle at the same time? • Is my platform compatible with? • What are the impacts on my configuration? • What about security & authorization mechanisms? Some questions to ask to yourself

One deprecated O “ ” version How many versions at once?

What is it versioned? We only version API contract breaking changes (operations or data/fields)

✓ adding an operation ✓ adding an optional parameter ✓ adding an optional request header ✓ adding a response field ✓ adding a response header ✓ adding enum values ✓ removing an entire operation ✓ removing or renaming a parameter ✓ removing or renaming a response field ✓ adding a new required parameter ✓ making a previously optional parameter required ✓ changing the type of a parameter or response field ✓ removing enum values ✓ adding a new validation rule to an existing parameter ✓ changing authentication or authorization requirements Changes according GitHub https://docs.github.com/en/rest/overview/api-versions?apiVersion=2022-11-28 Breaking Non-breaking

A breaking change in the API contract e.g.,: In the Book object, the author field moves to a list of authors So what ? What is a breaking change?

What about non-breaking changes? Non-breaking changes can be applied without versioning

Adding operations & fields

How to handle versioning? URL Exemple /v1/api/books HTTP Header Exemple X-API-VERSION : v1 Content-Type Exemple Accept: application/vnd.myn ame.v1+json RFC 9110

No content

URL specification versioning Versions evolve through breaking changes URL specification versioning It sticks to the V1 Header specification versioning "X-GitHub-Api-Version” What about GAFAM & co?

If you want to use URL Versioning → put the version in the URI If you want to postpone it /v1/api/books

No content

When a new customer brings new functionalities

No content

The main functionality of the V2 Author list management V2 V1

API contract Database Backward compatibility with the V1 Impacts

V2 V1 V2 V1

From source code up to production

No content

• Adapt the code source to deliver at the same time many versions Source code management • JAR, ZIP, Helm charts, Docker images One deliverable per branch/tag • Dynamic: Configuration server • Static: Config Maps Configuration • Databases Scripts Impacts

• Pinpoint who uses your API • Publish and use dashboards (e.g., Kibana) • Use an API-KEY to clearly identify your customers Observability → Define the best strategy → Better anticipate the decomissioning of your deprecated APIs

• Unify and handle the version management by an API Gateway One runtime per version

• The API Gateway exposes both the two versions (V1 & V2) • It transforms requests and responses from the V1 to V2 format If we only deploy the latest service?

├── │ └── touret │ └── │ └── │ ├── │ │ ├── 1 │ │ ├── 2 │ │ ├── dto │ │ ├── y │ │ ├── │ │ ├── │ │ ├── y │ │ └── Handle versioning in the code base 1 version = 1 package Let the application deal w/ version handling ├── │ └── touret │ └── 1 │ └── 2

• Share your strategy to all the stakeholders • Draft your roadmap and changelogs on a regular basis • Use HTTP responses headers to indicate your API is deprecated Communication Deprecation: version="v1" Link:https://developer.example.com/deprecation

Authorization management

Authorization policy V1 Bookstore admin Bookstore customer Users Roles Permissions Books/write Books/search Isbns/read Isbns/write Books/read Admin Search Read

A new policy (V2) Bookstore Admin Bookstore customer Users Roles Permissions Books/search Isbns/read Books/write Isbns/write Books/read Authors/write Authors management admin

V2 V1

Enforce your versioning with scopes

We may have authorization policies update breaking changes D ’ y To sum up BookAdmin_V1

Wrap up

For your next APIs Avoid it first Identify breaking changes Work on the modularity Observe! Consider the big picture Communicate!

D ’ ! Follow & get in touch @touret_alex linkedin.com/in/atouret blog.worldline.tech @WorldlineTech Follow our tech team: Follow me: blog.touret.info alexandre-touret Feedback

Explore our jobs in tech: careers.worldline.com Want to shape how the world pays and get paid?