API Design Patterns

Design robust, scalable APIs using proven patterns for REST, GraphQL, and gRPC with proper versioning, authentication, and error handling.

Quick Reference

API Style Selection:

REST: Resource-based CRUD, simple clients, HTTP-native caching
GraphQL: Client-driven queries, complex data graphs, real-time subscriptions
gRPC: High-performance RPC, microservices, strong typing, streaming

Critical Patterns:

Versioning: URI (/v1/users ), header (Accept: application/vnd.api+json;version=1 ), content negotiation
Pagination: Offset (simple), cursor (stable), keyset (performant)
Auth: OAuth2 (delegated), JWT (stateless), API keys (service-to-service)
Rate limiting: Token bucket, fixed window, sliding window
Idempotency: Idempotency keys, conditional requests, safe retry

See references/ for deep dives: rest-patterns.md , graphql-patterns.md , grpc-patterns.md , versioning-strategies.md , authentication.md

Core Principles

Universal API Design Standards

Apply these principles across all API styles:

Consistency Over Cleverness

Follow established conventions for your API style
Use predictable naming patterns (snake_case or camelCase, pick one)
Maintain consistent error response formats
Version breaking changes, never surprise clients

Design for Evolution

Plan for versioning from day one
Use optional fields with sensible defaults
Deprecate gracefully with sunset dates
Document breaking vs non-breaking changes

Security by Default

Require authentication unless explicitly public
Use HTTPS/TLS for all production endpoints
Implement rate limiting and throttling
Validate and sanitize all inputs
Return minimal error details to clients

Developer Experience First

Provide comprehensive documentation (OpenAPI, GraphQL schema)
Return meaningful error messages with actionable guidance
Use standard HTTP status codes correctly
Include request IDs for debugging
Offer SDKs and code generators

API Style Decision Tree

When to Choose REST

✅ Use REST when:

Building CRUD-focused resource APIs
Clients need HTTP caching (ETags, Cache-Control)
Wide platform compatibility required (browsers, mobile, IoT)
Simple, stateless client-server model fits
Team familiar with HTTP/REST conventions

❌ Avoid REST when:

Complex data fetching with nested relationships (N+1 queries)
Real-time updates are primary use case
Need strong typing and code generation
High-performance RPC between microservices

Example Use Cases: Public APIs, mobile backends, traditional web services

When to Choose GraphQL

✅ Use GraphQL when:

Clients need flexible, client-driven queries
Complex data graphs with nested relationships
Multiple client types with different data needs
Real-time subscriptions required
Strong typing and schema validation needed

❌ Avoid GraphQL when:

Simple CRUD operations dominate
HTTP caching is critical (GraphQL uses POST)
File uploads are primary feature (requires extensions)
Team lacks GraphQL expertise
Performance optimization is complex (N+1 problem)

Example Use Cases: Client-facing APIs, dashboards, mobile apps with varied UIs

When to Choose gRPC

✅ Use gRPC when:

Microservice-to-microservice communication
High performance and low latency critical
Bidirectional streaming needed
Strong typing with Protocol Buffers
Polyglot environments (language interop)

❌ Avoid gRPC when:

Browser clients (limited support, needs grpc-web)
HTTP/JSON required for compatibility
Human-readable payloads preferred
Simple request/response patterns

Example Use Cases: Internal microservices, streaming data, service mesh

REST API Patterns

Resource Naming

✅ Good: Plural nouns, hierarchical

GET /users # List users GET /users/123 # Get user POST /users # Create user PUT /users/123 # Update user (full) PATCH /users/123 # Update user (partial) DELETE /users/123 # Delete user GET /users/123/orders # User's orders (sub-resource)

❌ Bad: Verbs, mixed conventions

GET /getUsers # Don't use verbs POST /user/create # Don't use verbs GET /Users/123 # Don't capitalize GET /user/123 # Don't mix singular/plural

HTTP Status Codes

Success Codes:

200 OK : Successful GET, PUT, PATCH, DELETE with body
201 Created : Successful POST, return Location header
202 Accepted : Async operation started
204 No Content : Successful DELETE, no body

Client Error Codes:

400 Bad Request : Invalid input, validation error
401 Unauthorized : Missing or invalid authentication
403 Forbidden : Authenticated but insufficient permissions
404 Not Found : Resource doesn't exist
409 Conflict : State conflict (duplicate, version mismatch)
422 Unprocessable Entity : Semantic validation error
429 Too Many Requests : Rate limit exceeded

Server Error Codes:

500 Internal Server Error : Unexpected error
502 Bad Gateway : Upstream service error
503 Service Unavailable : Temporary outage
504 Gateway Timeout : Upstream timeout

Error Response Format

✅ Consistent error structure

{ "error": { "code": "VALIDATION_ERROR", "message": "Invalid request parameters", "details": [ { "field": "email", "message": "Invalid email format", "code": "INVALID_FORMAT" } ], "request_id": "req_abc123", "documentation_url": "https://api.example.com/docs/errors/validation" } }

Pagination Patterns

Offset Pagination (simple, familiar):

GET /users?limit=20&offset=40

✅ Use for: Small datasets, admin interfaces ❌ Avoid for: Large datasets (skips become expensive), real-time data

Cursor Pagination (stable, efficient):

GET /users?limit=20&cursor=eyJpZCI6MTIzfQ Response: { "data": [...], "next_cursor": "eyJpZCI6MTQzfQ" }

✅ Use for: Infinite scroll, real-time feeds, large datasets ❌ Avoid for: Random access, page numbers

Keyset Pagination (performant):

GET /users?limit=20&after_id=123

✅ Use for: Ordered data, database index friendly ❌ Avoid for: Complex sorting, multiple sort keys

See references/rest-patterns.md for filtering, sorting, field selection, HATEOAS

GraphQL Patterns

Schema Design

✅ Good: Clear types, nullable by default

type User { id: ID! # Non-null ID email: String! # Required field name: String # Optional (nullable by default) createdAt: DateTime! orders: [Order!]! # Non-null array of non-null orders }

type Query { user(id: ID!): User users(first: Int, after: String): UserConnection! }

type Mutation { createUser(input: CreateUserInput!): CreateUserPayload! }

input CreateUserInput { email: String! name: String }

type CreateUserPayload { user: User userEdge: UserEdge errors: [UserError!] }

Resolver Patterns

Avoid N+1 Queries with DataLoader:

import DataLoader from 'dataloader';

const userLoader = new DataLoader(async (userIds: string[]) => { const users = await db.users.findMany({ where: { id: { in: userIds } } }); return userIds.map(id => users.find(u => u.id === id)); });

// Resolver batches queries automatically const resolvers = { Order: { user: (order) => userLoader.load(order.userId) } };

Query Complexity Analysis

Prevent expensive queries:

import { createComplexityLimitRule } from 'graphql-validation-complexity';

const server = new ApolloServer({ schema, validationRules: [ createComplexityLimitRule(1000, { onCost: (cost) => console.log('Query cost:', cost), }), ], });

See references/graphql-patterns.md for subscriptions, relay cursor connections, error handling

gRPC Patterns

Service Definition

syntax = "proto3";

package users.v1;

service UserService { rpc GetUser (GetUserRequest) returns (User) {} rpc ListUsers (ListUsersRequest) returns (ListUsersResponse) {} rpc CreateUser (CreateUserRequest) returns (User) {} rpc StreamUsers (StreamUsersRequest) returns (stream User) {} rpc BidiChat (stream ChatMessage) returns (stream ChatMessage) {} }

message User { string id = 1; string email = 2; string name = 3; google.protobuf.Timestamp created_at = 4; }

message GetUserRequest { string id = 1; }

message ListUsersRequest { int32 page_size = 1; string page_token = 2; }

message ListUsersResponse { repeated User users = 1; string next_page_token = 2; }

Error Handling

import ( "google.golang.org/grpc/codes" "google.golang.org/grpc/status" )

func (s *server) GetUser(ctx context.Context, req *pb.GetUserRequest) (*pb.User, error) { if req.Id == "" { return nil, status.Error(codes.InvalidArgument, "user ID is required") }

user, err := s.db.GetUser(ctx, req.Id)
if err != nil {
    if errors.Is(err, sql.ErrNoRows) {
        return nil, status.Error(codes.NotFound, "user not found")
    }
    return nil, status.Error(codes.Internal, "database error")
}

return user, nil

}

See references/grpc-patterns.md for streaming, interceptors, metadata, health checks

Versioning Strategies

URI Versioning (Simple, Explicit)

✅ Most common, easy to understand

GET /v1/users/123 GET /v2/users/123

Pros: Clear, easy to route, browser-friendly Cons: Couples version to URL, duplicates routes

Header Versioning (Clean URLs)

GET /users/123 Accept: application/vnd.myapi.v2+json

Pros: Clean URLs, version separate from resource Cons: Less visible, harder to test manually

Content Negotiation (Granular)

GET /users/123 Accept: application/vnd.myapi.user.v2+json

Pros: Resource-level versioning, backward compatible Cons: Complex, harder to implement

Version Deprecation Process

{ "version": "1.0", "deprecated": true, "sunset_date": "2025-12-31", "migration_guide": "https://docs.api.com/v1-to-v2", "replacement_version": "2.0" }

Include deprecation warnings:

HTTP/1.1 200 OK Deprecation: true Sunset: Sat, 31 Dec 2025 23:59:59 GMT Link: <https://docs.api.com/v1-to-v2>; rel="deprecation"

See references/versioning-strategies.md for detailed migration patterns

Authentication & Authorization

OAuth 2.0 (Delegated Access)

Use for: Third-party access, user consent, token refresh

Authorization Code Flow (most secure for web/mobile):

Client redirects to /authorize
User authenticates, grants permissions
Auth server redirects to callback with code
Client exchanges code for access token
Client uses access token for API requests

Request token

POST /oauth/token Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code &code=AUTH_CODE &redirect_uri=https://client.com/callback &client_id=CLIENT_ID &client_secret=CLIENT_SECRET

Response

{ "access_token": "eyJhbGc...", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA", "scope": "read write" }

Use token

GET /v1/users/me Authorization: Bearer eyJhbGc...

JWT (Stateless Auth)

Use for: Microservices, stateless API auth, short-lived tokens

✅ Good: Minimal claims, short expiry

{ "sub": "user_123", "iat": 1516239022, "exp": 1516242622, "scope": "read:users write:orders" }

Validation:

import jwt from 'jsonwebtoken';

const token = req.headers.authorization?.split(' ')[1]; const payload = jwt.verify(token, process.env.JWT_SECRET); req.userId = payload.sub;

API Keys (Service-to-Service)

Use for: Server-to-server, CLI tools, webhooks

GET /v1/users X-API-Key: sk_live_abc123...

Or query parameter (less secure)

GET /v1/users?api_key=sk_live_abc123

Key Practices:

Prefix keys with environment (sk_live_ , sk_test_ )
Hash keys before storage (bcrypt, scrypt)
Allow key rotation without downtime
Support multiple keys per user
Rate limit per key

See references/authentication.md for API key rotation, scopes, RBAC

Rate Limiting

Token Bucket (Burst-Friendly)

Bucket: 100 tokens, refill 10/second Request costs 1 token Allows bursts up to bucket size

Headers:

HTTP/1.1 200 OK X-RateLimit-Limit: 100 X-RateLimit-Remaining: 73 X-RateLimit-Reset: 1640995200

429 Response:

HTTP/1.1 429 Too Many Requests Retry-After: 60 X-RateLimit-Limit: 100 X-RateLimit-Remaining: 0 X-RateLimit-Reset: 1640995200

{ "error": { "code": "RATE_LIMIT_EXCEEDED", "message": "Rate limit exceeded. Try again in 60 seconds.", "limit": 100, "reset_at": "2025-01-01T00:00:00Z" } }

Sliding Window (Fair Distribution)

Counts requests in rolling time window. More accurate than fixed window.

Per-User vs Per-IP

Per-User: Authenticated requests, fair quotas
Per-IP: Unauthenticated requests, prevent abuse
Combined: Both limits, take stricter

Idempotency

Idempotent Methods (HTTP Spec)

Naturally Idempotent: GET, PUT, DELETE, HEAD, OPTIONS Not Idempotent: POST, PATCH

Idempotency Keys

Make POST requests idempotent:

POST /v1/payments Idempotency-Key: uuid-or-client-generated-key Content-Type: application/json

{ "amount": 1000, "currency": "USD", "customer": "cust_123" }

Server behavior:

First request: Process and store result with key
Duplicate request (same key): Return stored result (200 or 201)
Different request (same key): Return 409 Conflict

Implementation:

const result = await processPayment(req.body); await redis.setex(idempotency:${idempotencyKey}, 86400, { status: 201, body: result });

Conditional Requests

Use ETags for safe updates:

Get resource with ETag

GET /v1/users/123 Response: ETag: "abc123"

Update only if unchanged

PUT /v1/users/123 If-Match: "abc123"

412 Precondition Failed if ETag changed

Caching Strategies

HTTP Caching Headers

Public, cacheable for 1 hour

Cache-Control: public, max-age=3600

Private (user-specific), revalidate

Cache-Control: private, must-revalidate, max-age=0

No caching

Cache-Control: no-store, no-cache, must-revalidate

ETag Validation

Server returns ETag

GET /v1/users/123 Response: ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4" Cache-Control: max-age=3600

Client conditional request

GET /v1/users/123 If-None-Match: "33a64df551425fcc55e4d42a148795d9f25f89d4"

304 Not Modified if unchanged (saves bandwidth)

HTTP/1.1 304 Not Modified

Last-Modified

GET /v1/users/123 Response: Last-Modified: Wed, 21 Oct 2025 07:28:00 GMT

Conditional request

GET /v1/users/123 If-Modified-Since: Wed, 21 Oct 2025 07:28:00 GMT

304 Not Modified if not modified

Webhooks

Event Delivery

POST https://client.com/webhooks/payments Content-Type: application/json X-Webhook-Signature: sha256=abc123... X-Webhook-Id: evt_abc123 X-Webhook-Timestamp: 1640995200

{ "id": "evt_abc123", "type": "payment.succeeded", "created": 1640995200, "data": { "object": { "id": "pay_123", "amount": 1000, "status": "succeeded" } } }

Signature Verification

import crypto from 'crypto';

function verifyWebhookSignature( payload: string, signature: string, secret: string ): boolean { const expectedSignature = crypto .createHmac('sha256', secret) .update(payload) .digest('hex'); return crypto.timingSafeEqual( Buffer.from(signature), Buffer.from(sha256=${expectedSignature}) ); }

Retry Strategy

Exponential backoff: 1s, 2s, 4s, 8s, 16s, 32s, 64s
Timeout: 5-30 seconds per attempt
Max attempts: 3-7 attempts
Dead letter queue: Store failed events
Manual retry: UI for re-sending failed events

API Documentation

OpenAPI/Swagger (REST)

openapi: 3.0.0 info: title: User API version: 1.0.0 paths: /users/{id}: get: summary: Get user by ID parameters: - name: id in: path required: true schema: type: string responses: '200': description: Successful response content: application/json: schema: $ref: '#/components/schemas/User' '404': description: User not found components: schemas: User: type: object required: [id, email] properties: id: type: string email: type: string format: email name: type: string

GraphQL Schema (Self-Documenting)

GraphQL introspection provides automatic documentation. Use descriptions:

""" Represents a user account in the system. Created via the createUser mutation. """ type User { """Unique identifier for the user""" id: ID!

"""Email address, must be unique""" email: String!

"""Optional display name""" name: String }

API Documentation Best Practices

Interactive examples: Provide working code samples
Authentication guide: Step-by-step auth setup
Error catalog: Document all error codes with examples
Rate limits: Clearly state limits and headers
Changelog: Track breaking and non-breaking changes
Migration guides: Version upgrade instructions
SDKs: Provide client libraries for popular languages

Anti-Patterns

❌ Over-fetching (REST): Returning entire objects when fields are unused ✅ Solution: Support field selection (?fields=id,name,email )

❌ Under-fetching (REST): Requiring multiple requests for related data ✅ Solution: Support expansion (?expand=orders,profile ) or use GraphQL

❌ Chatty APIs: Too many round-trips for common operations ✅ Solution: Batch endpoints, compound documents, or GraphQL

❌ Ignoring HTTP semantics: Using GET for mutations, wrong status codes ✅ Solution: Follow HTTP spec, use correct methods and status codes

❌ Exposing internal structure: URLs/schemas mirror database ✅ Solution: Design resource-oriented APIs independent of storage

❌ Missing versioning: Breaking changes without version increments ✅ Solution: Version from day one, never break existing versions

❌ Poor error messages: Generic "An error occurred" ✅ Solution: Specific, actionable error messages with codes

❌ No rate limiting: APIs vulnerable to abuse ✅ Solution: Implement rate limiting from the start

Testing Strategies

Contract Testing

// Pact contract test import { PactV3 } from '@pact-foundation/pact';

const provider = new PactV3({ consumer: 'FrontendApp', provider: 'UserAPI' });

it('gets a user by ID', () => { provider .given('user 123 exists') .uponReceiving('a request for user 123') .withRequest({ method: 'GET', path: '/users/123' }) .willRespondWith({ status: 200, body: { id: '123', email: 'user@example.com' } }); });

Load Testing

// k6 load test import http from 'k6/http'; import { check } from 'k6';

export const options = { stages: [ { duration: '30s', target: 20 }, { duration: '1m', target: 20 }, { duration: '10s', target: 0 } ], thresholds: { http_req_duration: ['p(95)<500'], // 95% under 500ms http_req_failed: ['rate<0.01'] // <1% errors } };

export default function () { const res = http.get('https://api.example.com/users'); check(res, { 'status is 200': (r) => r.status === 200, 'response time < 500ms': (r) => r.timings.duration < 500 }); }

Related Skills

graphql: Deep GraphQL schema design, resolvers, Apollo Server
typescript: Type-safe API clients and servers
nodejs-backend: Express/Fastify REST API implementation
django: Django REST Framework patterns
fastapi: FastAPI Python REST/GraphQL APIs
flask: Flask-RESTful patterns

References

rest-patterns.md: Deep REST coverage (HATEOAS, filtering, field selection)
graphql-patterns.md: GraphQL subscriptions, relay cursor connections, federation
grpc-patterns.md: Streaming patterns, interceptors, service mesh integration
versioning-strategies.md: Detailed versioning approaches and migration patterns
authentication.md: OAuth flows, JWT best practices, API key rotation, RBAC

Additional Resources

REST API Design Rulebook - O'Reilly REST guide
GraphQL Best Practices - Official GraphQL guide
gRPC Best Practices - Official gRPC guide
RFC 7807: Problem Details for HTTP APIs - Standard error format
OpenAPI Specification - REST documentation standard

api-design-patterns

Safety Notice

Copy this and send it to your AI assistant to learn