Upgrade to Pro — share decks privately, control downloads, hide ads and more …

API Standards 2.0

API Standards 2.0

We’re all familiar with things like HTTP codes and content types, but there’s so much more we can do when developing an API to make life easier for consumers. How many times have you used an API only to find out that every endpoint is slightly different – some use `snake_case`, others `camelCase`, sometimes the field is called `id`, sometimes it’s `user_id`. How about pagination? Error responses? What about API documentation?

Trying to standardise on all these things can kill an engineering team. There are so many options out there it’s difficult to know where to start. Come along and learn what works for our team! We’ll cover contentious topics (should the version be in the URL or a header?), lesser-known standards that are great (RFC 7807 springs to mind) and a couple of things that aren’t an issue right up until they’re a really big issue (like pagination).

Michael Heap

October 04, 2018
Tweet

More Decks by Michael Heap

Other Decks in Technology

Transcript

  1. 5

  2. What we're not going to cover ▸ Message formats ▸

    Rate limiting ▸ Content negotiation ▸ HTTP headers ▸ Hypermedia ▸ Resource design ▸ Response design ▸ RPC endpoints ▸ Documentation ▸ Asynchronous actions ▸ Idempotency ▸ Caching ▸ API Gateways ▸ Security ▸ GraphQL ▸ Available RFCs 12
  3. RFC7807 Type A URI reference that identifies the problem type.

    When followed, it provides human-readable documentation for the problem type Title A short, human-readable summary of the problem type Detail A human- readable explanation specific to this occurrence of the problem 26 Instance A URI reference that identifies the specific occurrence of the problem
  4. RFC7807 Type A URI reference that identifies the problem type.

    When followed, it provides human-readable documentation for the problem type Title A short, human-readable summary of the problem type Detail A human- readable explanation specific to this occurrence of the problem 27 Instance A URI reference that identifies the specific occurrence of the problem Status The HTTP status code generated by the origin server for this occurrence of the problem.
  5. RFC7807 Type A URI reference that identifies the problem type.

    When followed, it provides human-readable documentation for the problem type Title A short, human-readable summary of the problem type Detail A human- readable explanation specific to this occurrence of the problem 28 Instance A URI reference that identifies the specific occurrence of the problem
  6. { "type": "https://developer.nexmo.com/api- errors#unauthorized", "title": "Invalid credentials supplied", "detail": "You

    did not provide correct credentials.", "instance": "797a8f199c45014ab7b08bfe9cc1c12c" } RFC7807 29
  7. 403 Forbidden { "type": "https://example.com/probs/out-of- credit", "title": "You do not

    have enough credit.", "detail": "Your current balance is 30, but that costs 50.", "instance": "/account/12345/msgs/abc" } Extension Members 30
  8. 403 Forbidden { "type": "https://example.com/probs/out-of-credit", "title": "You do not have

    enough credit.", "detail": "Your current balance is 30, but that costs 50.", "instance": "/account/12345/msgs/abc", "balance": 30, "accounts": ["/account/12345", "/account/67890"] } Extension Members 31
  9. 400 Bad Request { "type": "https://developer.nexmo.com/api-errors/account/secret- management#validation", "title": "Bad Request",

    "detail": "The request failed due to validation errors", "invalid_parameters": [ { "name": "secret", "reason": "must contain 1 upper case character" } ], "instance": "797a8f199c45014ab7b08bfe9cc1c12c" } Extension Members 32
  10. 401: No Credentials, Invalid Credentials 403: Feature disabled, Exceeded calls-per-second

    limit 422: Invalid product specified + more! Response Library 33
  11. “ As a consumer of the APIs, this has already

    dramatically reduced the amount of code I have to write for each endpoint, and I can't wait until all endpoints are standardised
  12. “ The reason to make a real REST API is

    to get evolvability … a "v1" is a middle finger to your API customers, indicating RPC/HTTP (not REST) https://twitter.com/fielding/status/376835835670167552
  13. “With a sufficient number of users of an interface, it

    doesn’t matter what you promised in the interface contracts, all observable behaviors of your class or function or whatnot will be depended upon by somebody. Hyrum's Law
  14. Have a deprecation policy. It doesn't matter what it is,

    but be consistent. Deprecation Policies 48
  15. When the decision has been taken to deprecate an API:

    • For beta products the deprecation period must be at least 30 days (60 days recommended) • For GA products the deprecation period must be at least 1 year • Warning emails will be sent to the API at regular intervals before the deprecation time • A guide will be supplied to customers explaining how to migrate to the replacement API with the initial deprecation notice. Deprecation Policies: Nexmo 49
  16. Use the Sunset Header Sunset: Sat, 31 Dec 2018 23:59:59

    GMT Sunset Header 50 https://tools.ietf.org/html/draft-wilde-sunset-header-03
  17. Industry Standards: SCIM 70 filter=userName eq "bjensen" filter=name.familyName co "O'Malley"

    filter=userName sw "J" filter=urn:ietf:params:scim:schemas:core: 2.0:User:userName sw "J" filter=title pr filter=meta.lastModified gt "2011-05-13T04:42:34Z" https://tools.ietf.org/html/rfc7644#section-3.4.2.2
  18. Pagination: Links 76 { "_links": { "next": { "href": "/calls?cursor=9274"

    } } } Link: <https://api.nexmo.com/v1/calls? cursor=9274>; rel="next",
  19. What we didn't cover ▸ Message formats ▸ Rate limiting

    ▸ Content negotiation ▸ HTTP headers ▸ Hypermedia ▸ Resource design ▸ Response design ▸ RPC endpoints ▸ Documentation ▸ Asynchronous actions ▸ Idempotency ▸ Caching ▸ API Gateways ▸ Security ▸ GraphQL ▸ Available RFCs 93