Upgrade to Pro — share decks privately, control downloads, hide ads and more …

API Design Anti-patterns: How to identify and a...

HariKrishnan
PRO
April 01, 2025
Programming
0
13

API Design Anti-patterns: How to identify and avoid them

We all want to build great APIs—but what exactly makes an API great? Is being RESTful enough? Is it always necessary to achieve Level 3 of the Richardson Maturity Model? What about principles like the Robustness Principle (Postel’s Law) or Hyrum’s Law, which expose the deeper challenges of designing APIs that are both resilient and predictable? How do these principles align with modern practices like the API Design First approach, where good API design is at the core of building adaptable systems? If these questions have been keeping you awake at night, this workshop is for you.

In this session, we’ll explore the principles and values that guide the design and development of great APIs. We’ll tackle the deeper challenges of creating APIs that are resilient and predictable by avoiding key anti-patterns—such as misused HTTP methods and hidden inter-parameter dependencies—that can make APIs harder to use, scale, and maintain. Furthermore, we’ll discuss how to shift-left the identification of breaking changes to the API design phase itself.

Through hands-on exercises and real-world examples, participants will learn to diagnose API design smells and apply practical strategies to fix them.

HariKrishnan
PRO

April 01, 2025
Tweet

More Decks by HariKrishnan

See All by HariKrishnan
API Resiliency Testing
harikrishnan83
PRO
0
34
The Functional Fix: Kotlin Error Handling Made Elegant
harikrishnan83
PRO
0
22
Contract-Driven Development for Event-Driven Architectures
harikrishnan83
PRO
1
63
Using API specs as executable contracts to mock and test microservices
harikrishnan83
PRO
1
63
API Design First in Practise - An Experience Report
harikrishnan83
PRO
1
34
Kafka and JMS Mocking with AsyncAPI using Specmatic
harikrishnan83
PRO
1
68
Contract Driven Development - API Specifications as Executable Contracts
harikrishnan83
PRO
1
100
Python in the MicroServices world
harikrishnan83
PRO
0
130
Truly Madly Deeply Parallel Ruby Web Applications
harikrishnan83
PRO
0
240

Other Decks in Programming

See All in Programming
NestJSのコードからOpenAPIを自動生成する際の最適解を探す
astatsuya
0
190
CTFのWebにおける⾼難易度問題について
hamayanhamayan
1
980
AI Agents with JavaScript
slobodan
0
130
PHPのガベージコレクションを深掘りしよう
rinchoku
0
240
S3静的ホスティング+Next.js静的エクスポート で格安webアプリ構築
iharuoru
0
200
Boost Your Performance and Developer Productivity with Jakarta EE 11
ivargrimstad
0
150
AIエージェントを活用したアプリ開発手法の模索
kumamotone
1
750
ニックトレイン登壇資料
ryotakurokawa
0
140
AI時代のプログラミング教育 / programming education in ai era
kishida
23
21k
2025/3/18 サービスの成長で生じる幅広いパフォーマンスの問題を、 AIで手軽に解決する
shirahama_x
0
160
Day0 初心者向けワークショップ 実践!ソフトウェアテストの第一歩
satohiroyuki
0
430
Devin , 正しい付き合い方と使い方 / Living and Working with Devin
yukinagae
1
530

Featured

See All Featured
The Art of Programming - Codeland 2020
erikaheidi
53
13k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
120k
Facilitating Awesome Meetings
lara
53
6.3k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
251
21k
Optimising Largest Contentful Paint
csswizardry
35
3.2k
GitHub's CSS Performance
jonrohan
1030
460k
The Cult of Friendly URLs
andyhume
78
6.3k
Visualization
eitanlees
146
16k
Adopting Sorbet at Scale
ufuk
75
9.3k
Navigating Team Friction
lara
184
15k
How STYLIGHT went responsive
nonsquared
99
5.4k
Music & Morning Musume
bryan
46
6.4k

Transcript

  1. © 2025 All Rights Reserved API Design Anti-patterns: How to

    identify and avoid them Hari Krishnan https://www.linkedin.com/in/harikrishnan83/ https://x.com/HariKrishnan83 https://github.com/harikrishnan83

  2. © 2025 All Rights Reserved Are your APIs RESTful? How

    can we quantify this?

  3. Representational State Transfer (REST) Everything is treated as a resource

    Interactions are stateless Use of standard HTTP methods Predictability and consistency through Uniform Interface Abstraction by allowing for a layered architecture HATEOAS (Hypermedia As The Engine Of Application State) And more … https://ics.uci.edu/~fielding/pubs/dissertation/fielding_dissertation.pdf Roy Fielding

  4. Richardson Maturity Model (RMM) A model of restful maturity Level

    0: The Swamp of POX (Plain Old XML) Level 1: Resources Level 2: HTTP Verbs Level 3: Hypermedia Controls (HATEOAS – Hypermedia As The Engine Of Application State) https://www.crummy.com/writing/speaking/2008-QCon/act3.html Leonard Richardson

  5. © 2025 All Rights Reserved Level 0: The Swamp of

    POX (Plain Old XML) • RPC (Remote Procedure Call) style endpoints • Accept XML or JSON payloads • Ex: A single POST /api endpoint handling all requests • Disadvantages • No separation or identification of resources • No HTTP method semantics, thereby cannot leverage HTTP infrastructure for caching etc. • No HTTP status code semantics, thereby usually have to define custom error codes POST Response

  6. © 2025 All Rights Reserved Level 1: Resources • Each

    resource gets its on URI • May still accept XML or JSON payloads just like Level 0 • Disadvantages • No HTTP method semantics, thereby cannot leverage HTTP infrastructure for caching etc. • No HTTP status code semantics, thereby usually have to define custom error codes POST Response

  7. © 2025 All Rights Reserved Level 2: HTTP Verbs •

    Make use of HTTP methods (e.g., GET, POST, PUT, DELETE) in a way that aligns with REST principles • User of HTTP Status Codes • Adds significant value to API usability by providing a more predictable interaction model

  8. © 2025 All Rights Reserved Level 3: HATEOAS • Incorporates

    Hypermedia as the Engine of Application State • Links to understand what actions to take next Advantages: • No hardcoding of URLs in client • Workflow changes managed by Server Challenges: • Implementation complexity for client and server • Learning curve Examples: • Paypal - https://developer.paypal.com/api/rest/responses/#link-hateoaslinks • Github - https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28

  9. Postel’s Law / Robustness Principle “be conservative in what you

    do, be liberal in what you accept from others” Examples: • Tolerating extra fields in inputs • Ignoring unknown query params • Allowing default values for some fields https://www.ietf.org/rfc/rfc793.txt Jon Postel

  10. © 2025 All Rights Reserved Robustness Principle • Positive implications

    • High levels of tolerance • Resilience against minor deviations • However, what about • Implementation complexity • How much do we tolerate

  11. Hyrum’s Law “With a sufficient number of users of an

    API, it does not matter what you promise in the contract: all observable behaviors of your system will be depended on by somebody.” https://www.hyrumslaw.com/ Hyrum Wright

  12. © 2025 All Rights Reserved Hyrum’s Law • Examples: •

    Order of fields in JSON • Response times • Messages per unit time • Impact: • Backward compatibility • API Evolution

  13. Resilience “The ability to recover from failures and continue to

    function” • Recovering gracefully • Expecting the unexpected • Handle and / or communicate disruptions

  14. © 2025 All Rights Reserved Is your API Resilient? Order

    Management Service Inventory Service Fulfilment Service DB Create Order Request Order Id Reserve Initiate

  15. © 2025 All Rights Reserved Mechanisms to achieve Resilience •

    Retry • Circuit Breaker • Rate limiting • Throttling • Fallback • Redundancy and Load Balancing • And more…

  16. © 2025 All Rights Reserved Idempotency “the intended effect on

    the server of multiple identical requests with that method is the same as the effect for a single such request” - https://www.rfc-editor.org/rfc/rfc9110.html#name-idempotent-methods • Idempotent Methods: • GET • PUT • Safe methods https://www.rfc-editor.org/rfc/rfc9110.html#name-safe-methods • Non-idempotent Methods: • POST

  17. © 2025 All Rights Reserved Why “Idempotency”? • Fault tolerance

    - safe retries • Consistency • Low complexity for Clients, Middleware • need not worry about request state • simpler error handling • Improves Caching • In line with HTTP Statelessness • Predictability

  18. © 2025 All Rights Reserved Anti-patterns API Design Smells

  19. © 2025 All Rights Reserved Review these API Endpoints

  20. © 2025 All Rights Reserved Automated Standardization - Linters https://quobix.com/vacuum/

    https://stoplight.io/open-source/spectral

  21. © 2025 All Rights Reserved Path and param naming conventions

    • Casing • Hyphenation / Underscores • Plural vs Singular • Trailing slashes • And more…

  22. © 2025 All Rights Reserved

  23. © 2025 All Rights Reserved • Not “Idempotent” • GET

    will be cached, so technically this will not even work • Any other issues? • What is the alternative? • GET /articles/123 # Retrieves the article without affecting view count • POST /articles/123/viewed # Increments the view count HTTP GET that updates / creates data

  24. © 2025 All Rights Reserved

  25. © 2025 All Rights Reserved POST to GET a resource

    • Catchability is lost • POST is not idempotent, so API clients may not perceive this as repeatable or safe • Alternatives • HTTP QUERY Method - https://www.ietf.org/archive/id/draft-ietf-httpbis- safe-method-w-body-02.html • Any others?

  26. © 2025 All Rights Reserved

  27. © 2025 All Rights Reserved Mandatory Query Params What about

    “Conditionally Optional”? • Optional by Default • Conditionally Required

  28. © 2025 All Rights Reserved

  29. © 2025 All Rights Reserved

  30. © 2025 All Rights Reserved

  31. © 2025 All Rights Reserved Returning 500 for business error

    Load Balancer Service A (Instance 1) Service A (Instance 2) 500 Removed from active status

  32. © 2025 All Rights Reserved

  33. © 2025 All Rights Reserved Smart Defaults • Consumers may

    start depending on your defaults • Screens may be designed to show max ten items • Users may expect that only popular items are at the top • If Front End does not explicitly state it wants most popular items first • And switches to sorting by price, users will see lowest price items first • Sounds familiar? Hyrum’s law

  34. © 2025 All Rights Reserved Nullable

  35. © 2025 All Rights Reserved Nullable Enums https://swagger.io/docs/specification/v3_0/data-models/enums/

  36. © 2025 All Rights Reserved Avoid “nullable: true” • Adds

    unnecessary complexity in handling the null • How does one interpret the null? • Is ”null” a true or false when it is applied to a Boolean • Which “enum” value applies when I send null • And more… • Use “optional” instead

  37. © 2025 All Rights Reserved

  38. © 2025 All Rights Reserved Overloading endpoints • Breaks “RMM

    Level 1” • Becomes more like an RPC

  39. © 2025 All Rights Reserved API Design Who’s responsibility it?

  40. © 2025 All Rights Reserved API Design – Who, When,

    What, Why, How? API Consumers API Providers Architects App Sec Code First Individual Collaborative Is API Design just an Afterthought / Byproduct? Spec First

  41. © 2025 All Rights Reserved API Design First in our

    context API Consumers API Providers Architects App Sec

  42. © 2025 All Rights Reserved Contract Driven Development API Governance

    in a nutshell

  43. © 2025 All Rights Reserved Contract Driven Development – In

    a nutshell Consumer Provider API Design First • Shift Left all the way to Design • Reduced time-to-market due to Parallel Development • Enhanced DevEx with improved Collaboration • Resilient API Building Blocks

  44. © 2025 All Rights Reserved API Developer Experience

  45. © 2025 All Rights Reserved Is your service adhering with

    your API spec?

  46. © 2025 All Rights Reserved https://insights.specmatic.io/

  47. © 2025 All Rights Reserved Thanks! Hari Krishnan https://www.linkedin.com/in/harikrishnan83/ https://x.com/HariKrishnan83

    https://github.com/harikrishnan83