API Design

Home > Architecture & Patterns > API DesignUpdated Dec 2025
api

API Design Principles

RESTful Design

Representational State Transfer architectural style. Resources identified by URIs (nouns, not verbs). Standard HTTP methods: GET (read), POST (create), PUT (update), DELETE (remove), PATCH (partial update). Stateless requests with all context included. Hypermedia as Engine of Application State (HATEOAS). Uniform interface and layered system. Resource-oriented not action-oriented.

Similar Technologies
GraphQLgRPCSOAPRPCWebSockets
Resource Naming & URI Design

Plural nouns for collections (/users not /user). Hierarchical paths for relationships (/users/123/orders). Lowercase with hyphens, not underscores. Avoid file extensions in URIs. Version in path or header. Query parameters for filtering, sorting, pagination. Predictable, intuitive URLs. /users/123/posts/456/comments follows clear hierarchy. Consistent naming conventions.

Similar Technologies
Action-based NamingQuery-basedCustom ConventionsFlat StructureVerb-based URLs
API Versioning

Managing API evolution while supporting existing clients. URI versioning (/v1/users, /v2/users). Header versioning (Accept: application/vnd.api.v2+json). Query parameter (?version=2). Semantic versioning (major.minor.patch). Deprecation warnings and sunset headers. Support multiple versions simultaneously. Clear migration path and documentation. Breaking vs non-breaking changes.

Similar Technologies
No VersioningHeader VersioningContent NegotiationQuery ParameterSubdomain Versioning
Pagination & Filtering

Handle large result sets efficiently. Offset-based (?offset=20&limit=10) simple but slow for deep pages. Cursor-based (?cursor=abc123&limit=10) consistent and performant. Page-based (?page=3&size=20) user-friendly. Include total count, next/previous links. Filter with query params (?status=active&role=admin). Sorting (?sort=created_at:desc). Range headers for pagination metadata.

Similar Technologies
Load All DataServer-side Pagination OnlyInfinite ScrollKeyset PaginationTime-based
HTTP Status Codes

Meaningful status codes for API responses. 2xx success (200 OK, 201 Created, 204 No Content). 3xx redirection (301 Moved Permanently, 304 Not Modified). 4xx client errors (400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 429 Too Many Requests). 5xx server errors (500 Internal Server Error, 503 Service Unavailable). Consistent error response format.

Similar Technologies
200 for EverythingCustom Status CodesLimited Status CodesStatus in BodySimple Success/Fail
HATEOAS (Hypermedia)

Hypermedia as Engine of Application State. Include links to related resources in responses. Self-describing API, client discovers actions dynamically. HAL (Hypertext Application Language), JSON:API, Siren formats. Reduces coupling between client and server. Links for navigation (self, next, prev, related). Richardson Maturity Model Level 3. Complex but provides API discoverability.

Similar Technologies
Static APIDocumentation-drivenClient-side LogicHardcoded URLsGraphQL
description

API Standards & Documentation

OpenAPI Specification (Swagger)

Standard for describing RESTful APIs. YAML or JSON format defining endpoints, parameters, responses, schemas. Machine-readable for code generation, testing, documentation. Swagger UI for interactive docs. OpenAPI 3.x most current. Tools: Swagger Editor, Swagger Codegen, Postman. API-first development with contract-first approach. Industry standard for REST API definition.

Similar Technologies
RAMLAPI BlueprintGraphQL SchemaWSDLCustom Documentation
JSON:API Specification

Standardized JSON format for REST APIs. Conventions for resource objects, relationships, pagination, filtering. Compound documents with included resources. Sparse fieldsets (?fields[articles]=title,body). Consistent error format. Reduces bikeshedding and custom formats. Client libraries for common frameworks. Alternative to custom JSON structures. More opinionated than plain REST.

Similar Technologies
HALJSON-LDODataCustom JSONGraphQL
GraphQL Schema Definition

Strongly-typed schema for GraphQL APIs. Define types, queries, mutations, subscriptions. Schema Definition Language (SDL). Introspection for documentation and tooling. Single endpoint with flexible queries. Client specifies exact data needs. Resolver functions for each field. Schema stitching and federation for microservices. Apollo, Relay implementations.

Similar Technologies
REST OpenAPIgRPC ProtoJSON SchemaCustom SchemaNo Schema
API Documentation

Comprehensive guide for API consumers. Getting started, authentication, endpoints, examples. Interactive documentation (Swagger UI, Redoc, Stoplight). Code samples in multiple languages. Changelog and versioning. Error codes and troubleshooting. Rate limits and quotas. SDKs and client libraries. Postman collections. Keep docs in sync with implementation. Readme, Gitbook, developer portals.

Similar Technologies
Code Comments OnlyInline DocumentationWikiAPI Specs OnlyMinimal Docs
API Style Guides

Organizational standards for API consistency. Naming conventions, error handling, versioning approach. HTTP methods usage, status codes. JSON structure and casing (camelCase vs snake_case). Authentication patterns. Pagination and filtering standards. Documentation requirements. Example: Google API Design Guide, Microsoft REST API Guidelines, Zalando RESTful API Guidelines. Enforced via linting and reviews.

Similar Technologies
No StandardsAd-hoc DesignIndividual PreferencesFramework DefaultsCopy Existing
API Contracts & Testing

Contract-first development with API specifications. Consumer-driven contracts (Pact, Spring Cloud Contract). Contract testing ensures provider meets consumer expectations. Prevents breaking changes. Schema validation for requests/responses. API mocking for parallel development. Contract as single source of truth. Integration tests against contract. Supports microservices with independent deployments.

Similar Technologies
Integration Testing OnlyManual TestingE2E TestingNo ContractsDocumentation as Contract
security

API Security

API Authentication

Verifying identity of API consumer. Basic Auth (username:password, base64 encoded) simple but insecure. API Keys in headers or query params. OAuth 2.0 for delegated access. JWT (JSON Web Tokens) for stateless auth. Mutual TLS (mTLS) for service-to-service. API keys for service accounts. Multi-factor authentication for sensitive operations. Rotate credentials regularly.

Similar Technologies
No AuthenticationIP WhitelistingCertificate AuthHMAC SignaturesSession-based
OAuth 2.0 & OpenID Connect

Industry standard for authorization. Grant types: Authorization Code (web apps), Client Credentials (service-to-service), Implicit (deprecated), PKCE (mobile/SPA). Access tokens (short-lived) and refresh tokens. Scopes for granular permissions. OpenID Connect adds identity layer on OAuth 2.0. JWT format for tokens. Authorization server, resource server, client. Auth0, Okta, Keycloak implementations.

Similar Technologies
API KeysBasic AuthSAMLCustom AuthSession Cookies
API Authorization & RBAC

Controlling access to resources after authentication. Role-Based Access Control (RBAC) with roles and permissions. Attribute-Based Access Control (ABAC) for complex policies. Scope-based authorization with OAuth. Resource-level permissions. Policy engines (OPA, Casbin). Principle of least privilege. Separate authorization logic from business logic. Centralized policy management.

Similar Technologies
No AuthorizationABACACLCustom LogicPermission Lists
Rate Limiting & Throttling

Protecting APIs from abuse and overload. Fixed window (requests per minute/hour). Sliding window for smoother limits. Token bucket algorithm for burst handling. Rate limit headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset). 429 Too Many Requests status. Per-user, per-IP, per-API-key limits. Tiered limits for different plan levels. Redis for distributed rate limiting.

Similar Technologies
No LimitsManual BlockingCost-based ThrottlingAdaptive ThrottlingQueue-based
API Keys & Secret Management

Managing credentials for API access. API keys for service identification. Client ID and secret pairs. Never commit secrets to code. Environment variables and secret managers. AWS Secrets Manager, Azure Key Vault, HashiCorp Vault. Rotation policies and expiration. Separate keys per environment. Audit logging of key usage. Revocation capabilities. Key prefixes for identification and leaking prevention.

Similar Technologies
Hardcoded SecretsConfiguration FilesOAuth OnlyCertificate AuthPasswords
API Security Best Practices

Comprehensive security measures. HTTPS/TLS for all communication. Input validation and sanitization. Output encoding to prevent injection. CORS policies for browser security. CSRF tokens for state-changing operations. Disable unnecessary HTTP methods. Security headers (HSTS, CSP, X-Frame-Options). SQL injection, XSS, XXE prevention. API security gateways. Regular security audits and pen testing. OWASP API Security Top 10.

Similar Technologies
Minimal SecurityNetwork Security OnlyAuthentication OnlyWAF OnlyPerimeter Security
settings_applications

API Management

API Gateway

Single entry point for API requests. Request routing to backend services. Cross-cutting concerns: auth, rate limiting, caching, logging. Request/response transformation. Protocol translation (REST to gRPC). Load balancing and circuit breaking. API composition and aggregation. AWS API Gateway, Kong, Apigee, Azure APIM, Tyk. Centralized management and policies. Service mesh alternative for east-west traffic.

Similar Technologies
Direct Service CallsService MeshReverse ProxyLoad BalancerBFF Pattern
Developer Portal

Self-service hub for API consumers. API documentation and interactive exploration. Signup and API key management. Code samples and SDKs. Sandbox environment for testing. Community forums and support. API catalog and discovery. Usage analytics and dashboards. Billing and subscription management. Getting started guides and tutorials. Swagger UI, Redoc, Readme.io, Stoplight.

Similar Technologies
Documentation OnlyWikiGitHub PagesCustom PortalNo Portal
API Analytics & Monitoring

Observability into API usage and performance. Request volume, latency, error rates. Consumer usage patterns and top endpoints. API health dashboards. Real-time alerts for anomalies. Geographic distribution of traffic. Payload size analysis. Business metrics (API calls per customer). OpenTelemetry instrumentation. DataDog, New Relic, Elastic APM. Correlate API metrics with business KPIs.

Similar Technologies
Logs OnlyBasic MetricsNo MonitoringSamplingApplication Monitoring Only
API Monetization

Generating revenue from API access. Tiered pricing plans (free, basic, premium). Usage-based billing (per request, per data volume). Freemium model with rate limits. Quota management and overage charges. Stripe, Recurly for billing. API marketplace listings. Partner programs and revenue sharing. Clear pricing documentation. Usage reports for customers. Trial periods and sandboxes.

Similar Technologies
Free APIsFlat FeeEnterprise OnlyNo MonetizationInternal Only
API Lifecycle Management

Managing APIs from design to retirement. Design, develop, test, deploy, operate, deprecate phases. Environment promotion (dev, staging, production). Release management and versioning. Canary deployments and blue-green. Monitoring and feedback loops. Continuous integration and delivery. Rollback capabilities. Sunset periods for deprecated versions. API portfolio management.

Similar Technologies
Ad-hoc ManagementManual ProcessesSimple DeploymentNo LifecycleCI/CD Only
API Mocking & Virtualization

Simulating APIs for development and testing. Mock servers based on OpenAPI specs. Parallel development without backend dependencies. Contract testing and validation. Sandbox environments for partners. WireMock, Prism, Mockoon, Postman Mock Server. Configurable responses and delays. Stateful mocking for complex scenarios. Reduce external dependencies in testing. Development velocity and isolation.

Similar Technologies
Wait for BackendStub ImplementationsIn-memory MocksNo MockingTest Doubles
policy

API Governance

API Governance Framework

Policies and processes for API consistency. Governance board for standards and decisions. API review and approval process. Design principles and guidelines. Compliance requirements (security, privacy). Naming conventions and patterns. Exception handling and escalation. Metrics and KPIs for API quality. Regular audits and reviews. Balanced governance without bureaucracy. Automated policy enforcement.

Similar Technologies
No GovernanceDecentralized ControlAd-hoc StandardsManual Reviews OnlyCentralized Control
API Design Reviews

Peer review of API designs before implementation. Design review checklist (REST principles, naming, security). Architecture review board for major APIs. Async reviews via comments or sync meetings. Early feedback reduces rework. Consistency across organization. Knowledge sharing and best practices. API style guide compliance. Breaking change analysis. OpenAPI spec review. Design-first approach.

Similar Technologies
No ReviewsPost-implementation ReviewSelf ReviewAutomated OnlyMinimal Review
API Deprecation Strategy

Sunsetting old API versions gracefully. Deprecation announcement with timeline. Sunset header in responses. Migration guides and tooling. Support period for old versions (6-12 months typical). Monitoring usage of deprecated endpoints. Direct communication with affected consumers. Gradual enforcement (warnings → rate limits → blocking). Versioning strategy to minimize disruption. Clear deprecation policy.

Similar Technologies
Immediate RemovalIndefinite SupportNo Deprecation PlanBreaking ChangesParallel Support
API Change Management

Managing evolution without breaking consumers. Semantic versioning for clarity. Backward compatible changes preferred. Breaking changes require new version. Changelog and release notes. Consumer notification of changes. Canary releases and gradual rollout. Feature flags for experimental features. Compatibility testing. API contract validation. Additive changes vs breaking changes distinction.

Similar Technologies
Break without NoticeNo Change ControlFrequent Breaking ChangesFreeze ChangesAd-hoc Updates
API Standards Enforcement

Automated validation of API compliance. Spectral, Zally for linting OpenAPI specs. Style guide validation in CI/CD. Pre-commit hooks for spec checking. API gateway policies enforcement. Automated security scanning. Breaking change detection. Contract testing. Quality gates in deployment pipeline. Shift-left approach to catch issues early. Balance automation with pragmatism.

Similar Technologies
Manual EnforcementNo EnforcementPeriodic AuditsReview OnlyPost-deployment Checks
API Catalog & Discovery

Centralized registry of all organizational APIs. Searchable catalog with metadata. API ownership and contact info. Status (beta, stable, deprecated). Documentation links. Dependencies and relationships. Internal and external APIs. Service mesh integration. API marketplace for discovery. Prevents duplicate APIs. Promotes reuse. Backstage, Kong Konnect, Azure APIM. API sprawl prevention.

Similar Technologies
Documentation SitesWikiSpreadsheetsNo CatalogDecentralized Discovery