API Design Patterns
Resource Naming
- •Use plural nouns:
/users,/orders,/products - •Nest for relationships:
/users/{id}/orders - •Max nesting depth: 2 levels. Beyond that, use query params or top-level resources
- •Use kebab-case:
/user-profiles, not/userProfiles - •Never put verbs in URLs:
/users/{id}/activateis wrong, usePOST /users/{id}/activation
HTTP Methods
| Method | Purpose | Idempotent | Request Body | Success Code |
|---|---|---|---|---|
| GET | Read resource(s) | Yes | No | 200 |
| POST | Create resource | No | Yes | 201 |
| PUT | Full replace | Yes | Yes | 200 |
| PATCH | Partial update | No | Yes | 200 |
| DELETE | Remove resource | Yes | No | 204 |
Return Location header on POST with the URL of the created resource.
Status Codes
code
200 OK - Successful read/update 201 Created - Successful creation 204 No Content - Successful delete 400 Bad Request - Validation error (include field-level errors) 401 Unauthorized - Missing or invalid authentication 403 Forbidden - Authenticated but not authorized 404 Not Found - Resource does not exist 409 Conflict - State conflict (duplicate, version mismatch) 422 Unprocessable - Semantically invalid (valid JSON, bad values) 429 Too Many Reqs - Rate limited (include Retry-After header) 500 Internal Error - Unhandled server error (never expose stack traces)
Error Response Format
json
{
"error": {
"code": "VALIDATION_ERROR",
"message": "Request validation failed",
"details": [
{ "field": "email", "message": "Must be a valid email address" },
{ "field": "age", "message": "Must be at least 18" }
]
}
}
Use consistent error codes across the API. Document every code in your API reference.
Cursor-Based Pagination (preferred)
code
GET /users?limit=20&cursor=eyJpZCI6MTAwfQ
Response:
{
"data": [...],
"pagination": {
"next_cursor": "eyJpZCI6MTIwfQ",
"has_more": true
}
}
Use cursor pagination for large or frequently changing datasets. Encode cursors as opaque base64 strings. Never expose raw IDs in cursors.
Offset-Based Pagination (simple cases only)
code
GET /users?page=3&per_page=20
Response:
{
"data": [...],
"pagination": {
"page": 3,
"per_page": 20,
"total": 245,
"total_pages": 13
}
}
Only use offset pagination when total count is cheap and dataset is small.
Filtering and Sorting
code
GET /orders?status=pending&created_after=2025-01-01&sort=-created_at,+total GET /products?category=electronics&price_min=100&price_max=500 GET /users?search=john&fields=id,name,email
Use field selection (fields param) to reduce payload size. Prefix sort fields with - for descending.
Versioning
Prefer URL path versioning for simplicity:
code
/api/v1/users /api/v2/users
Rules:
- •Never break v1 once published. Add fields, never remove them.
- •New required fields = new version
- •Deprecate old versions with
Sunsetheader and 6-month notice - •Support at most 2 active versions simultaneously
Request/Response Headers
code
Content-Type: application/json Accept: application/json Authorization: Bearer <token> X-Request-Id: <uuid> # For tracing X-RateLimit-Limit: 100 # Requests per window X-RateLimit-Remaining: 47 # Remaining in window X-RateLimit-Reset: 1700000000 # Window reset Unix timestamp Retry-After: 30 # Seconds until rate limit resets
Always return X-Request-Id in responses for debugging.
OpenAPI Spec Guidelines
- •Write spec first, then implement (spec-driven development)
- •Use
$reffor shared schemas:$ref: '#/components/schemas/User' - •Define
examplesfor every endpoint - •Use
oneOf/anyOffor polymorphic responses - •Generate client SDKs from the spec, never hand-write them
- •Validate requests against the spec in middleware
yaml
paths:
/users/{id}:
get:
operationId: getUser
parameters:
- name: id
in: path
required: true
schema:
type: string
format: uuid
responses:
'200':
description: User found
content:
application/json:
schema:
$ref: '#/components/schemas/User'
'404':
$ref: '#/components/responses/NotFound'
Rate Limiting Strategy
- •Apply per-user, per-endpoint limits
- •Use sliding window algorithm (not fixed window)
- •Return
429withRetry-Afterheader - •Exempt health check and auth endpoints from rate limits
- •Log rate-limited requests for abuse detection