Upgrade to Pro — share decks privately, control downloads, hide ads and more …

API Antipatterns : APICon SF

API Antipatterns : APICon SF

My talk at APICon San Francisco on API Antipatterns.

APIs have become a part of the product ecosystem - and help the businesses by extending their developer base, and offering seamless integration with other services or products. Sometimes, the APIs themselves are the product. However, with so many APIs around, patterns emerge. Patterns are repeatable, reusable solutions to commonly occurring problems. Where there are patterns, there are also antipatterns. While APIs are not a new paradigm - there are no set standards or specifications formed by a committees or governing bodies for APIs. On top of this, the APIs are often built at various stages of the product, and have a good chance of being disjoint as more are added. In this talk Netflix engineers will discuss various antipatterns that creep into the API design and implementation, and how to identify and avoid them. They will also share their experiences with building APIs. While the antipatterns do not pose as big a functional challenge, they can and do impact integration efforts, scalability and performance among other things. After this session, you should be able to get familiar with the best practices around solving the most common patterns, and make your engineers and API consumers happy! -

Manish Pandit

May 28, 2014
Tweet

More Decks by Manish Pandit

Other Decks in Programming

Transcript

  1. Payload   Data  Format     •  XML   • 

    JSON   •  Custom  Text   •  Binary…    
  2. Payload         Transport  mechanism     • 

    HTTP     •  SMTP   •  Custom  Text-­‐based   •  Raw  sockets  
  3. HTTP  Request       h)p://www.neSlix.com/header/neSlix_logo.gif     Or,  geUng

     a  resource  from  the  server  by  giving   its  loca&on.  
  4. HTTP  Response   – Headers   •  Describing  the  response  

    – Status  Code   •  Indica&ng  the  success/failure  
  5. HTTP  Response   – Headers   •  Describing  the  response  

    – Status  Code   •  Indica&ng  the  success/failure   – Body   •  The  data  we  asked  for  
  6. REST  API   REST  is  not  a  standard,  but  an

     architecture,   which  uses  HTTP  as  a  model  for  all  interac/ons.  
  7. Pa)erns   They  are  iden8fied  by  humans  who  write  code

     –  the  API  as  well  as  the  client.  
  8. HTTP  Response  Codes   HTTP  200  OK     {

     “success”  :  false  }  
  9. HTTP  Response  Codes   HTTP  200  OK     {

     “error”  :  ”Person  abc  not  found”  }  
  10. HTTP  Response  Codes   •  There  are  more  codes  than

       200  and  500   – 2xx  for  success   – 3xx  for  redirects/caching   – 4xx  for  request/client  errors   – 5xx  for  server  errors  
  11.       also,  the  client  does  not  need  to

     see  your  excep&on   trace…  
  12. HTTP  Response  Codes   •  Return  acer  a  delete?  204

      •  Failed  database  constraint?  409   •  Method  not  supported?  405   •  Trying  to  ask  for  too  much  data?  413  
  13. Query  Strings   •  Avoid  query  strings  for  resource  iden&fica&on

      •  But  use  them  for  request  metadata  
  14. Methods   •  Do  not  use  GET  for  all  reads

      – HEAD  to  get  headers  (mostly  used  for  caching)   – OPTIONS   •  Do  not  use  POST  for  all  writes   – POST  to  create,  or  upsert   – PUT  to  update   – DELETE  to  delete  
  15. Resources  vs.  Collec&ons     A  collec&on  holds  similar  resources

      – movies   – accounts   – persons  
  16. Resources  vs.  Collec&on     A  path  should  iden&fy  a

     resource  (or  resources)   in  a  collec&on  of  said  resources  
  17. Resources  vs.  Collec&on     Always  specify  a  qualifier  in

     the  path  when   accessing  resource(s)  in  a  collec&on  
  18. Resources  vs  Collec&on     Always  think  about  the  path

     to  the  resource.     /<collec&on>/<resource  iden&fier>/value     And  manipulate  it  with  the  verbs  
  19. Resources       Also,  the  proper&es  of  the  resource

     can  also  be   a  part  of  the  path.     /movies/ra&ng/G  
  20. Authen&ca&on   •  Use  HTTP  401  to  indicate  that  the

     client  needs   to  authen&cate   •  Use  HTTP  403  to  indicate  that  the  creden&als   the  client  holds  do  not  allow  access  to  the  said   resource(s).  
  21. 401  vs  403       401  =  Come  back

     with  a  key     403  =  Your  key  does  not  work  for  this  lock.  
  22. Resources  in  an  Island       Every  en&ty  or

     a  resource  is  &ed  to  others.  
  23. Resources  in  an  Island       When  you’re  stuck

     guessing  the  connec&ons  of   a  resource.  
  24. Resource  Discovery     So  we  talked  a  lot  about

     discoverability  and   islands..  
  25. Async  Opera&ons     HTTP  202  –  Accepted    

    But…what  about  the  response?    
  26. Updates  vs.  Deletes     Everything  works  when  there  is

     data..but  what   when  there  is  no  data..?  
  27. Updates  vs.  Deletes       HTTP  DELETE  to  set

     a  value  to  null?     (Remember,  we  have  a  path  to  not  just  the   resource..)  
  28. Data  feeds   Request  metadata  to  the  rescue?    

    ….how  about  a  ?since=1d     …or  ?since=UTC  
  29. State     •  State  sits  only  on  the  server

      •  Requests  either  change  the  state,  or  get  it.   •  All  requests  see  the  same  state  of  the   resource    
  30. State   Avoid  cookies!   •  Use  tokens  instead.  Let

     the  client  figure  out  to   store  it  as  a  cookie  for  convinience.   •  Accept  cookies  as  a  fallback,  but  prefer  a   query  parameter  or  HTTP  request  header.    
  31. More  topics..     •  Versioning   – Using  301s  to

     redirect/re&re  APIs   •  Caching   – Using  HTTP  headers  correctly   – Caching  response  bodies