API Design
REST-first, OpenAPI-driven, backward-compatible by default.
REST Principles
Resources as nouns. HTTP methods as verbs:
GET /users # List users
GET /users/123 # Get user
POST /users # Create user
PUT /users/123 # Replace user
PATCH /users/123 # Update user
DELETE /users/123 # Delete user
# Relationships through URL hierarchy
GET /users/123/orders
Never: /getUser, /createOrder, /api/processPayment
HTTP Status Codes
| Code | When | |------|------| | 200 | Successful GET, PUT, PATCH | | 201 | Successful POST (created) | | 204 | Successful DELETE (no body) | | 400 | Invalid request format | | 401 | Not authenticated | | 403 | Not authorized | | 404 | Resource not found | | 409 | Business logic conflict | | 422 | Validation failed | | 500 | Server error |
Error Format
{
"error": {
"code": "VALIDATION_ERROR",
"message": "Invalid request data",
"details": [
{
"field": "email",
"message": "Invalid email format",
"value": "not-an-email"
}
]
}
}
Pagination
GET /users?page=2&per_page=50&sort=created_at&order=desc
{
"data": [...],
"meta": {
"page": 2,
"per_page": 50,
"total": 150,
"total_pages": 3
}
}
Versioning
URL versioning for public APIs:
/v1/users
/v2/users
Rules:
- Major version for breaking changes only
- 6-month deprecation notice minimum
- Side-by-side version support during transition
- Additive changes don't require new version
OpenAPI First
Write spec before code:
openapi: 3.0.0
paths:
/users/{id}:
get:
summary: Get user by ID
parameters:
- name: id
in: path
required: true
schema:
type: string
responses:
'200':
description: User found
content:
application/json:
schema:
$ref: '#/components/schemas/User'
'404':
description: User not found
Anti-Patterns
- RPC-style endpoints (
/api/getUserById) - POST for everything
- Deep nesting (
/users/123/orders/456/items/789) - Inconsistent error formats
- Breaking changes without version bump
- Documentation that doesn't match implementation