Loading source
Pulling the file list, source metadata, and syntax-aware rendering for this listing.
Source from repo
Design RESTful and GraphQL APIs following industry best practices for consistency, versioning, and developer experience.
Files
Skill
Size
Entrypoint
Format
Open file
Syntax-highlighted preview of this file as included in the skill package.
references/rest-best-practices.md
1# REST API Best Practices2## URL Structure4### Resource Naming6```8# Good - Plural nouns9GET /api/users10GET /api/orders11GET /api/products12# Bad - Verbs or mixed conventions14GET /api/getUser15GET /api/user (inconsistent singular)16POST /api/createOrder17```18### Nested Resources20```22# Shallow nesting (preferred)23GET /api/users/{id}/orders24GET /api/orders/{id}25# Deep nesting (avoid)27GET /api/users/{id}/orders/{orderId}/items/{itemId}/reviews28# Better:29GET /api/order-items/{id}/reviews30```31## HTTP Methods and Status Codes33### GET - Retrieve Resources35```37GET /api/users → 200 OK (with list)38GET /api/users/{id} → 200 OK or 404 Not Found39GET /api/users?page=2 → 200 OK (paginated)40```41### POST - Create Resources43```45POST /api/users46Body: {"name": "John", "email": "[email protected]"}47→ 201 Created48Location: /api/users/12349Body: {"id": "123", "name": "John", ...}50POST /api/users (validation error)52→ 422 Unprocessable Entity53Body: {"errors": [...]}54```55### PUT - Replace Resources57```59PUT /api/users/{id}60Body: {complete user object}61→ 200 OK (updated)62→ 404 Not Found (doesn't exist)63# Must include ALL fields65```66### PATCH - Partial Update68```70PATCH /api/users/{id}71Body: {"name": "Jane"} (only changed fields)72→ 200 OK73→ 404 Not Found74```75### DELETE - Remove Resources77```79DELETE /api/users/{id}80→ 204 No Content (deleted)81→ 404 Not Found82→ 409 Conflict (can't delete due to references)83```84## Filtering, Sorting, and Searching86### Query Parameters88```90# Filtering91GET /api/users?status=active92GET /api/users?role=admin&status=active93# Sorting95GET /api/users?sort=created_at96GET /api/users?sort=-created_at (descending)97GET /api/users?sort=name,created_at98# Searching100GET /api/users?search=john101GET /api/users?q=john102# Field selection (sparse fieldsets)104GET /api/users?fields=id,name,email105```106## Pagination Patterns108### Offset-Based Pagination110```python112GET /api/users?page=2&page_size=20113Response:115{116"items": [...],117"page": 2,118"page_size": 20,119"total": 150,120"pages": 8121}122```123### Cursor-Based Pagination (for large datasets)125```python127GET /api/users?limit=20&cursor=eyJpZCI6MTIzfQ128Response:130{131"items": [...],132"next_cursor": "eyJpZCI6MTQzfQ",133"has_more": true134}135```136### Link Header Pagination (RESTful)138```140GET /api/users?page=2141Response Headers:143Link: <https://api.example.com/users?page=3>; rel="next",144<https://api.example.com/users?page=1>; rel="prev",145<https://api.example.com/users?page=1>; rel="first",146<https://api.example.com/users?page=8>; rel="last"147```148## Versioning Strategies150### URL Versioning (Recommended)152```154/api/v1/users155/api/v2/users156Pros: Clear, easy to route158Cons: Multiple URLs for same resource159```160### Header Versioning162```164GET /api/users165Accept: application/vnd.api+json; version=2166Pros: Clean URLs168Cons: Less visible, harder to test169```170### Query Parameter172```174GET /api/users?version=2175Pros: Easy to test177Cons: Optional parameter can be forgotten178```179## Rate Limiting181### Headers183```185X-RateLimit-Limit: 1000186X-RateLimit-Remaining: 742187X-RateLimit-Reset: 1640000000188Response when limited:190429 Too Many Requests191Retry-After: 3600192```193### Implementation Pattern195```python197from fastapi import HTTPException, Request198from datetime import datetime, timedelta199class RateLimiter:201def __init__(self, calls: int, period: int):202self.calls = calls203self.period = period204self.cache = {}205def check(self, key: str) -> bool:207now = datetime.now()208if key not in self.cache:209self.cache[key] = []210# Remove old requests212self.cache[key] = [213ts for ts in self.cache[key]214if now - ts < timedelta(seconds=self.period)215]216if len(self.cache[key]) >= self.calls:218return False219self.cache[key].append(now)221return True222limiter = RateLimiter(calls=100, period=60)224@app.get("/api/users")226async def get_users(request: Request):227if not limiter.check(request.client.host):228raise HTTPException(229status_code=429,230headers={"Retry-After": "60"}231)232return {"users": [...]}233```234## Authentication and Authorization236### Bearer Token238```240Authorization: Bearer eyJhbGciOiJIUzI1NiIs...241401 Unauthorized - Missing/invalid token243403 Forbidden - Valid token, insufficient permissions244```245### API Keys247```249X-API-Key: your-api-key-here250```251## Error Response Format253### Consistent Structure255```json257{258"error": {259"code": "VALIDATION_ERROR",260"message": "Request validation failed",261"details": [262{263"field": "email",264"message": "Invalid email format",265"value": "not-an-email"266}267],268"timestamp": "2025-10-16T12:00:00Z",269"path": "/api/users"270}271}272```273### Status Code Guidelines275- `200 OK`: Successful GET, PATCH, PUT277- `201 Created`: Successful POST278- `204 No Content`: Successful DELETE279- `400 Bad Request`: Malformed request280- `401 Unauthorized`: Authentication required281- `403 Forbidden`: Authenticated but not authorized282- `404 Not Found`: Resource doesn't exist283- `409 Conflict`: State conflict (duplicate email, etc.)284- `422 Unprocessable Entity`: Validation errors285- `429 Too Many Requests`: Rate limited286- `500 Internal Server Error`: Server error287- `503 Service Unavailable`: Temporary downtime288## Caching290### Cache Headers292```294# Client caching295Cache-Control: public, max-age=3600296# No caching298Cache-Control: no-cache, no-store, must-revalidate299# Conditional requests301ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"302If-None-Match: "33a64df551425fcc55e4d42a148795d9f25f89d4"303→ 304 Not Modified304```305## Bulk Operations307### Batch Endpoints309```python311POST /api/users/batch312{313"items": [314{"name": "User1", "email": "[email protected]"},315{"name": "User2", "email": "[email protected]"}316]317}318Response:320{321"results": [322{"id": "1", "status": "created"},323{"id": null, "status": "failed", "error": "Email already exists"}324]325}326```327## Idempotency329### Idempotency Keys331```333POST /api/orders334Idempotency-Key: unique-key-123335If duplicate request:337→ 200 OK (return cached response)338```339## CORS Configuration341```python343from fastapi.middleware.cors import CORSMiddleware344app.add_middleware(346CORSMiddleware,347allow_origins=["https://example.com"],348allow_credentials=True,349allow_methods=["*"],350allow_headers=["*"],351)352```353## Documentation with OpenAPI355```python357from fastapi import FastAPI358app = FastAPI(360title="My API",361description="API for managing users",362version="1.0.0",363docs_url="/docs",364redoc_url="/redoc"365)366@app.get(368"/api/users/{user_id}",369summary="Get user by ID",370response_description="User details",371tags=["Users"]372)373async def get_user(374user_id: str = Path(..., description="The user ID")375):376"""377Retrieve user by ID.378Returns full user profile including:380- Basic information381- Contact details382- Account status383"""384pass385```386## Health and Monitoring Endpoints388```python390@app.get("/health")391async def health_check():392return {393"status": "healthy",394"version": "1.0.0",395"timestamp": datetime.now().isoformat()396}397@app.get("/health/detailed")399async def detailed_health():400return {401"status": "healthy",402"checks": {403"database": await check_database(),404"redis": await check_redis(),405"external_api": await check_external_api()406}407}408```409