book

Designing Web APIs

by Brenda Jin, Saurabh Sahni, Amir Shevat

September 2018

Intermediate to advanced

230 pages

5h 11m

English

O'Reilly Media, Inc.

Book available

Read now

Unlock full access

How This Book Is OrganizedConventions Used in This BookO’Reilly SafariHow to Contact UsAcknowledgments
Why Do We Need APIs?Who Are Our Users?The Business Case for APIsAPIs for Internal Developers First, External Developers SecondAPIs for External Developers First, Internal Developers SecondAPIs as the ProductWhat Makes an API Great?Closing Thoughts
Request–Response APIsRepresentational State TransferRemote Procedure CallGraphQLEvent-Driven APIsWebHooksWebSocketsHTTP StreamingClosing Thoughts
Authentication and AuthorizationOAuthToken GenerationScopesToken and Scope ValidationToken Expiry and Refresh TokensListing and Revoking AuthorizationsOAuth Best PracticesWebHooks SecurityVerification TokensRequest Signing and WebHook SignaturesMutual Transport Layer SecurityThin Payloads and API RetrievalWebHook Security Best PracticesClosing Thoughts
Designing for Real-Life Use CasesDesigning for a Great Developer ExperienceMake It Fast and Easy to Get StartedWork Toward ConsistencyMake Troubleshooting EasyMake Your API ExtensibleClosing Thoughts
Scenario 1Define Business ObjectivesOutline Key User StoriesSelect Technology ArchitectureWrite an API SpecificationScenario 2Define the ProblemOutline Key User StoriesSelect Technology ArchitectureWrite an API SpecificationValidate Your DecisionsClosing Thoughts
Scaling ThroughputFinding the BottlenecksAdding Computing ResourcesDatabase IndexesCachingDoing Expensive Operations AsynchronouslyScaling Throughput Best PracticesEvolving Your API DesignIntroducing New Data Access PatternsAdding New API MethodsSupporting Bulk EndpointsAdding New Options to Filter ResultsEvolving API Design Best PracticesPaginating APIsOffset-Based PaginationCursor-Based PaginationPagination Best PracticesRate-Limiting APIsWhat Is Rate-Limiting?Implementation StrategiesRate Limits and DevelopersRate-Limiting Best PracticesDeveloper SDKsRate-Limiting SupportPagination SupportUsing gzipCaching Frequently Used DataError Handling and Exponential Back-OffSDK Best PracticesClosing Thoughts
Toward ConsistencyAutomated TestingAPI description languagesBackward CompatibilityPlanning for and Communicating ChangeCommunication PlanAddingRemovingVersioningClosing Thoughts
Developers, Developers, DevelopersThe HobbyistThe HackerThe Business-Focused, Tech-Savvy UserThe Professional DeveloperAnd Many MoreBuilding a Developer StrategyDeveloper SegmentationDistilling the Value PropositionDefining Your Developer FunnelMapping the Current and Future StateOutlining Your TacticsDeriving MeasurementsClosing Thoughts
API DocumentationGetting StartedAPI Reference DocumentationTutorialsFrequently Asked QuestionsLanding PageChangelogTerms of ServiceSamples and SnippetsCode SamplesSnippetsSoftware Development Kits and FrameworksSDKsFrameworksDevelopment ToolsDebugging and TroubleshootingSandboxes and API TestersRich MediaVideosOffice HoursWebinars and Online TrainingCommunity ContributionClosing Thoughts

Defining Your Developer ProgramsBreadth and Depth AnalysisDeep Developer ProgramsTop Partner ProgramBeta ProgramDesign SprintsBroad Developer ProgramsMeetups and Community EventsHackathonsSpeaking at Events and Event SponsorshipsTrain-the-Trainer and Ambassador ProgramsOnline Videos and StreamingSupport, Forums, and Stack OverflowCredit ProgramMeasuring Developer ProgramsClosing Thoughts
Define Business ObjectivesThe ProblemThe ImpactKey User StoriesTechnology ArchitectureAPI Specification TemplateTitleAuthorsProblemSolutionImplementationAuthenticationOther Things We ConsideredInputs, Outputs (REST, RPC)Events, Payloads (Event-Driven APIs)ErrorsFeedback PlanAPI Implementation Checklist:

Content preview from Designing Web APIs

Chapter 3. API Security

Security is a critical element of any web application, particularly so for APIs. New security issues and vulnerabilities are always being discovered, and it’s important to protect your APIs from attacks. A security breach can be disastrous—poor security implementations can lead to loss of critical data as well as revenue.

To ensure an application is secure, there are many things engineers tend to do. This includes input validation, using the Secure Sockets Layer (SSL) protocol everywhere, validating content types, maintaining audit logs, and protecting against cross-site request forgery (CSRF) and cross-site scripting (XSS). All of these are important for any web application, and you should be doing them. Beyond these typical web application security practices, there are additional techniques that apply specifically to web APIs that you expose to developers outside your company. In this chapter, we look closely at those best practices and how companies are securing APIs in practice.

Authentication and Authorization

Authentication and authorization are two foundation elements of security:

Authentication: The process of verifying who you are. Web applications usually accomplish this by asking you to log in with a username and password. This combination is checked against an existing valid username/password record to ensure the request is authentic.
Authorization: The process of verifying that you are permitted to do what you are trying to do. For instance, ...