More devices than ever are connected to the Internet these days, and the need and consumption of APIs is growing fast. We'll talk about what an API is (and what it's not), why you might need one, how you might use one, and how to make one that other people will enjoy using.
2. SouthEast LinuxFest
Who am I to judge?
⢠Associate Product Manager/Developer
Evangelist at PagerDuty
⢠Average consumer of APIs and IPAs
⢠Well RESTed (you can boo at my pun)
⢠Professional conference attendee and
tinkerer
6/17/2015Your API is Bad and You Should Feel Bad
4. SouthEast LinuxFest
Great, but why do I care?
⢠Provides a uniform interface for interacting
with your application
⢠API allows you to shard off services
â Decouples services
â Website->API
â Mobile->API
⢠This is cool if youâre into SoA
â I am.
6/17/2015
5. SouthEast LinuxFest
Types of Application
Programming Interfaces
⢠Language/Platform/Library APIs
â Win32
â C++
â OpenGL
⢠Web APIs
â SOAP
â XML-RPC
â REST
6/17/2015
6. SouthEast LinuxFest
SOAP
⢠Stateful
⢠WS-Security
⢠Mostly obvious procedures (getRecord,
delRecord)
â Need to know procedure name
â Need to know order of parameters
6/17/2015
7. SouthEast LinuxFest
REST
⢠Gaining adoption
⢠HTTP-based (usually)
⢠No need to know order of parameters in
most cases
⢠Can return XML, JSON, ?
6/17/2015
10. SouthEast LinuxFest
Slow Down
⢠Donât rush into v1,
v2, etc.
⢠Make sure you meet
goals
⢠Involve
users/engineers
from the start
⢠This is hard
6/17/2015
12. SouthEast LinuxFest
Design
⢠Immutable blueprint
⢠Contract between you
and users
⢠SHARE
â The worst feedback is the
feedback you donât hear
⢠Account for existing
architecture
⢠Changes should provide
actual value not
perceived/potential value
⢠Design for uniformity
6/17/2015
13. SouthEast LinuxFest
Know Thy Audience
⢠Who is this for?
â Us? Internal?
â Them? Business partners/3rd parties?
â ???
⢠Whatâs the incentive?
6/17/2015
14. SouthEast LinuxFest
Ask!
⢠Stakeholders will tell you what they need
⢠Regardless of version, feedback should
make it into your spec
⢠Build something people want
6/17/2015
16. SouthEast LinuxFest
What is REST?
⢠Representational
State Transfer
⢠HTTP-based routing
and methods
â PUT/GET/POST/etc.
⢠Stateless
â No sessions
â HATEOAS
6/17/2015
17. SouthEast LinuxFest
Resources
⢠/resource is a gateway to an area of your
application
â /users
â /places
â /things
⢠CRUD actions can be performed on a single
resource
â GET vs getUser, getMessage, getThing
⢠Use plural nouns, no verbs (GET, CREATE, etc.)
â Can be for a single item or a collection of items
6/17/2015
19. SouthEast LinuxFest
GET
⢠GET data from a /resource
⢠You do this daily by browsing the web. Go
you.
⢠Uses query string to tell API what data to
retrieve
⢠Returns 200 if everythingâs OK
6/17/2015
20. SouthEast LinuxFest
POST
⢠Used to create/manipulate data
⢠Relies on a message body being sent vs
query string (XML, JSON, ?)
⢠Returns 201 Created
⢠Should return URI to newly created
resource
6/17/2015
21. SouthEast LinuxFest
PUT
⢠Update a resource
⢠OVERWRITES EXISTING OBJECT WITH NEW
ONE
â You donât have to allow this, be careful with this
because its use is inconsistent across APIs, should
be used consistently across resources
â Return 201 created if you do this
â Canât use PUT within the resource itself (/messages)
without an ID
â PUT should never be use to wrangle partial updates
6/17/2015
23. SouthEast LinuxFest
DELETE
⢠Donât allow on an entire collection (/users
or /messages or /places) or limit it
⢠200 if item or collection was deleted
⢠204 if item or collection was deleted but
thereâs no body to return
⢠202 if request was accepted and deletion
was queued (CDN, cache, etc.)
6/17/2015
24. SouthEast LinuxFest
OPTIONS
⢠Not for interacting with data
⢠Informs clients of available methods
⢠Return 200 or 204
⢠You could also return 405 (Method Not
Allowed) but why would you do that you
monster?
⢠Useful when method should work on items but
not collections within a resource (donât DELETE
and collection of users or messages)
6/17/2015
25. SouthEast LinuxFest
Content Types
⢠Be nice, return more than one
â JSON and XML are common
â Different clients have different needs
â Easy to add new types as needed if you design for this
early on
⢠If you only allow one type, inform that others
arenât allowed
⢠Use Content-type: to receive and parse client data
⢠Can use Accept header to see what format client
wants back
⢠For simplicity you can just send back what they
send
6/17/2015
26. SouthEast LinuxFest
Replying
⢠Provide information on failures beyond
HTTP status codes.
â âAPI Key does not have access to modify
resourceâ is better than 403 Forbidden alone
â 200 OK, 201 Created, 204 No Content, 304 Not
Modified, 5xx We Screwed Up, Not You
â HTTP status codes let client decide what to do
next
â No true standardized error message format, but
Google Errors and JSON API are trying
6/17/2015
27. SouthEast LinuxFest
HATEOAS
⢠Hypermedia As The Engine Of Application State
⢠Hypertext links to other resources (like links on a page)
â Every object has actions to perform
⢠Choose your own adventure for navigation/pagination
â Give clients list of actions to take
â Client tracks state
â Server provides options to change state
⢠HARD
â Requires knowing possible ways to interact with object
⢠Clients have to know how to handle this, some will
hardcode anyway
6/17/2015
28. SouthEast LinuxFest
Hypermedia Specs
⢠Wishful thinking
⢠There are no standards for this
⢠JSON API? Custom? HAL?
⢠HAL/JSON API are good starting points with
wide adoption
6/17/2015
29. SouthEast LinuxFest
Versioning
⢠API is not the time to cowboy
deploys/releases
⢠Design so that you never have to version
⢠Migrations are hard
⢠Maintaining n versions
⢠Deprecate carefully
â Not everyone can update in a weekend
6/17/2015
30. SouthEast LinuxFest
When to Version
⢠Backwards incompatible changes
â Creating new data models
⢠When your API no longer meets you or
your usersâ needs
BUT NOT
⢠When you add new resources or data fields
6/17/2015
31. SouthEast LinuxFest
Version in URI
⢠https://api.myawesomestuff.com/v1/stuff
⢠Version is obvious to users
⢠Relative paths canât always be hypermedia
driven
6/17/2015
32. SouthEast LinuxFest
Version in Content-type
⢠Content-type: application/json+v1
⢠Cleaner, not as obvious
⢠Can default to a version if none is specified
⢠Devs need to know that they need to send
this
6/17/2015
33. SouthEast LinuxFest
Version in Custom Header
⢠Version: 1
⢠MyApp: 2.6
⢠No standards
⢠Requires GREAT docs
⢠Confusing for users who arenât expecting it
6/17/2015
34. SouthEast LinuxFest
Caching
⢠Ssscccaaallleee
⢠Cache on API client end
⢠Cache-control header (public, expires-at,
no-cache, max-age), Expires
⢠Important that this info end up in
docs/SDKs
6/17/2015
35. SouthEast LinuxFest
Authentication
⢠Kill Basic Auth
â Keep username/passwords safe
⢠OAuth
â Require users to explicitly authorize an app
â Tricky for some people to implement
â Restrict auth to HTTPS endpoints
â Restrict domains allowed to auth
â MITM attacks, make sure users store tokens
well
6/17/2015
36. SouthEast LinuxFest
Security
⢠Treat users as hostile
⢠Donât rely on single method
⢠Apply layers of security
â Permissions-based API keys/UAC
⢠Per app, not per account. Will depend on your
architecture
â DNSBL
â Content length/depth limits
⢠¿Recursive?
â SQL injection
â Rate limit/throttling
6/17/2015
37. SouthEast LinuxFest
Prototyping
⢠Laravel/Lumen, Flask, Rails, Mojolicious
â RESTful HTTP routing
â Zero to API in ~1hr
⢠Specs
â Apiary, Mockable, RAML
â Frameworks allow importing of specs
â Some spec tools can autogenerate SDKs for you
(APIMatic)
⢠Chrome REST API client, Postman, jsfiddle
6/17/2015
39. SouthEast LinuxFest
Maintenance
⢠Plan to maintain API, SDKs, docs
⢠Donât launch and leave
⢠Allocate maintenance resources
⢠Community? Paid service?
6/17/2015
40. SouthEast LinuxFest
Things Bad People Do
⢠Log in to view API docs
â Counter to open source mentality to use docs as
a lead generation tool
⢠Use HTTP (needs more S)
⢠No documentation
⢠Require name/password in URL structure
â Can be saved in browser/CLI which is very
insecure
6/17/2015
41. SouthEast LinuxFest
SDKs
⢠Nice when these are provided to users
⢠Should have maintenance plan like API
⢠Need to be kept in sync
⢠Should be made by language experts
6/17/2015
42. SouthEast LinuxFest
Documentation
⢠API is useless if no one knows how to use it
⢠NEEDS to be part of design process
⢠All inclusive
â Errors/methods/parameters
â Reference and tutorial
â In sync with changes to API
⢠Include how to get help
⢠Open source is nice ď
6/17/2015
44. SouthEast LinuxFest
/resources
⢠Build APIs You Wonât Hate - Phil Sturgeon
http://apisyouwonthate.com/
⢠Undisturbed REST - Mike Stowe
http://mulesoft.com/restbook
⢠Apiary â http://apiary.io
⢠RESTful Web APIs - Leonard Richardson, Mike
Amundsen, Sam Ruby
6/17/2015
The best method is the one that results in an API that meets needs. SOME API is usually better than none.
The idea is to build a solid foundation to build on, not to join the 9001 other people trying to get their API out the door ASAP.
Picture shows some overlap which is encouraged and weâll see why later on
Before you dive in, keep in mind that the idea is to promote uniformity across the API
Except in cases where this makes sense to use singular like /cart
Tells the server what action you want to take
Take advantage of HTTP methods/ Create, Read, Update, Delete
This could be its own talkâŚ
Try to make as few API revisions as possible, high numbers men more versions to maintain!
Users should be immersed within minutes, not hours
Common mistake for people and companies to make, forces users to scrape HTML to get the data they want, in the end costs you more than just having an API
This talk isnât meant to be all encompassing, feel free to reach out if you want to chat some more. Happy to provide additional resources.