Designing and Implementing REST APIs for the Long Haul

Transcript

1. @schneidenbach Designing and Building REST APIs For the Long Haul

   Spencer Schneidenbach

2. @schneidenbach

3. @schneidenbach More questions than answers

4. @schneidenbach

5. @schneidenbach API Design is Hard

6. @schneidenbach

7. @schneidenbach API Design is UX for Developers

8. @schneidenbach API Design is Important

9. @schneidenbach “Long Haul”

10. @schneidenbach –Kirsten Hunter @synedra “If you don’t make usability a

    priority, you’ll never have to worry about scalability.”

11. @schneidenbach REST

12. @schneidenbach Representational State Transfer

13. @schneidenbach Uniform Interface Code on Demand (optional) Layered Stateless Cacheable

    Client-Server The Six Constraints of REST

14. @schneidenbach Resource identification Uniform Interface constraint Content-Type: application/json Resource manipulation

    with representations Self-descriptive Hypermedia as the engine of application state (HATEOAS) GET /employees/1234 PUT /employees/1234

15. @schneidenbach What IS a REST API?

16. @schneidenbach RESTful API != Good API

17. @schneidenbach

18. @schneidenbach

19. @schneidenbach RESTful API != Good API

20. @schneidenbach

21. @schneidenbach

22. @schneidenbach “Build our own spec”

23. @schneidenbach Who/what/where/why/how

24. @schneidenbach Why/who/what/how/where

25. @schneidenbach Why/who/what/how/where Technology questions LAST!

26. @schneidenbach

27. @schneidenbach Why?

28. @schneidenbach Why? • Support of a SPA or mobile app?

    • Internal use? • Integration?

29. @schneidenbach –https://dzone.com/articles/designing-a-usable-flexible-long-lasting-api “If you don't understand what it is you're

    building, why you're building it, or who you're building it for — how can it truly meet their needs? How can it meet your needs? How can it be successful?”

30. @schneidenbach Who?

31. @schneidenbach Who? …will use it?

32. @schneidenbach Who? …will test it?

33. @schneidenbach

34. @schneidenbach Who? …will help it go from beta to prod?

35. @schneidenbach What?

36. @schneidenbach How/Where?

37. @schneidenbach Begin with the end in mind

38. @schneidenbach A few simple rules • Don’t be creative, be

    predictable. • Be consistent. • Get the important stuff right - don’t bikeshed on things that don’t matter

39. @schneidenbach Step 0 Start by designing the basic behaviors of

    the whole API.

40. @schneidenbach Basic Considerations • Security (authentication and authorization) • Status

    codes • Response format • Leaky abstractions • Error handling • Versioning

41. @schneidenbach Security

42. @schneidenbach Authentication Authorization

43. @schneidenbach Authentication

44. @schneidenbach OAuth Authorization: Bearer niuq39cqj39042q39q

45. @schneidenbach Basic Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

46. @schneidenbach API Key X-Application-Key: this-is-a-secret-header

47. @schneidenbach Federated?

48. @schneidenbach Authorization

49. @schneidenbach Status Codes 403 Forbidden (aka you can’t do that)

    401 Unauthorized (aka not authenticated) 404 Not Found 400 Bad Request 201 Created 200 OK

50. @schneidenbach This isn’t predictable Status Code: 403 Forbidden { "Error":{

    "Message":"Authentication failed: Employee does not exist or an Invalid Employee" } }

51. @schneidenbach Verbs PATCH DELETE POST PUT GET

52. @schneidenbach Accept: application/json Format

53. @schneidenbach Accept: application/xml Format

54. @schneidenbach Nouns vs. verbs Basically, use plural nouns

55. @schneidenbach { "invoices": [ { ... }, { ... }

    ] } GET /customers/1234/invoices GET /customers/1234 ?expand=invoices Within the parent object Sub-resource strategies As a separate request Using an expand parameter

56. @schneidenbach POST /api/jobs/123/phases GET /api/jobs/123/phases/1

57. @schneidenbach POST /api/jobs/123/phases GET /api/jobs/123/phases/234

58. @schneidenbach Sorting/paging/filtering

59. @schneidenbach Leaky abstractions

60. @schneidenbach Theory Annex Threshold Lilia

61. @schneidenbach Inactive Deleted Visible Retired

62. @schneidenbach Avoid letting your specific implementations leak if they are

    hard to use or understand.

63. @schneidenbach Error Handling Errors are going to happen. How will

    you and your API manage them?

64. @schneidenbach 400 Bad Request

65. @schneidenbach Error reporting { "name": "Aviron Software" } Requires name

    and state POST /vendors 400 Bad Request Content-Type: application/json "State is required." { "firstName": "Spencer" } Requires first and last name POST /employees 400 Bad Request Content-Type: application/json { "errorMessage": "Your request was invalid." }

66. @schneidenbach General error guidelines • Be as consistent as possible

    across your API. • Provide enough information for the caller to fix the issue with the least number of requests… mainly for their convenience. • Log requests and responses in their entirety and return a Request ID with the response for support.

67. @schneidenbach

68. @schneidenbach COME ^ TO THAT

69. @schneidenbach Versioning

70. @schneidenbach Versioning should be top of mind from the get

    go

71. @schneidenbach Change Management

72. @schneidenbach Versioning strategies • Header • Query String • Accept

    • Route

73. @schneidenbach Header X-Api-Version: 1.0

74. @schneidenbach Query string GET /api/jobs?api-version=1.0

75. @schneidenbach Accept Accept: application/json;v=1.0

76. @schneidenbach Route GET /api/v1/jobs

77. @schneidenbach

78. @schneidenbach Versioning > breaking changes

79. @schneidenbach v1

80. @schneidenbach v2

81. @schneidenbach v3

82. @schneidenbach

83. @schneidenbach

84. @schneidenbach Deprecation

85. @schneidenbach

86. @schneidenbach

87. @schneidenbach Other Considerations • Documentation • SLAs (uptime) • Performance

    guarantees • Deployment • Maintenance

88. @schneidenbach

89. @schneidenbach https://www.twilio.com/docs/api/errors/30003

90. @schneidenbach

91. @schneidenbach DOCUMENTATION

92. @schneidenbach DOCUME NTATION

93. @schneidenbach An API lives and dies by its documentation.

94. @schneidenbach

95. @schneidenbach

96. @schneidenbach

97. @schneidenbach https://www.twilio.com/docs/api/errors/30003 A Great Example An Ok Example

98. @schneidenbach SLAs

99. @schneidenbach SLAs • Will your API have a guaranteed uptime?

    • What is the impact of downtime?

100. @schneidenbach Performance

101. @schneidenbach Performance • Scaling up/scaling out? • Guaranteed response times?

     • Do you even need to think about this?

102. @schneidenbach Deployment

103. @schneidenbach

104. @schneidenbach Utilize your tools

105. @schneidenbach

106. @schneidenbach Maintenance

107. @schneidenbach Versioning > breaking changes

108. @schneidenbach Fix bugs, but don’t break things

109. @schneidenbach

110. @schneidenbach Support

111. @schneidenbach

112. @schneidenbach Support guidelines • More GOOD documentation may mean less

     support • You must provide a means for people to ask for help • Make their jobs as consumers as easy as possible.

113. @schneidenbach Remember these things • Think a little up front

     before File -> New Project. • Design a consistent “spec” for how your REST API will behave. • CONFORM TO THAT SPEC. COMMUNICATE WHEN YOU DON’T. • Remember good documentation and support!

114. @schneidenbach Thank you!