I am trying to gather information about REST versioning. When I check forums the most preferred one seems to be to use Accept headers.
However if I check APIs of StackExchange, Google, Twitter, Yahoo, Instagram and eBay they all use versioning through URI.
I can't find why they prefer this way over HTTP headers. I would like to know the facts, not opinions. Can anyone help with this?
There really is no 'right' way to do api versioning in REST. The best article I've read explaining the different 'wrong' ways to do it is this one by Troy Hunt: Your API versioning is wrong, which is why I decided to do it 3 different wrong ways
To quote the article, he writes about three options:
URL: You simply whack the API version into the URL, for example: https://haveibeenpwned.com/api/v2/breachedaccount/foo
Custom request header: You use the same URL as before but add a header such as api-version: 2
Accept header: You modify the accept header to specify the version, for example Accept: application/vnd.haveibeenpwned.v2+json
In the comments and discussion, a few more techniques are identified:
hostname: e.g. https://v2.api.hostname.com/resource
Query String: e.g. https://api.hostname.com/resource?api-version=2.0
A variant of the accept header: application/vnd.haveibeenpwned+json; version=2.0
You wrote:
I would like to know the facts, not opinions.
Unfortunately there is no such thing as facts here - for all the reasons above, any decision is based on the opinion of the person responsible.
So, while there is a lot of argument one way or the other (see also this Best practices for API versioning? and other references Troy links to) I believe many of the 'big' services converge on the URI approach for one simple pragmatic reason:
It is the simplest to understand and implement for a novice client developer.
These services want to make it as easy as possible for the largest number of client developers to interact with their api, with as little support required as possible - many of whom will have only been inspired to code at all by the desire to interact with these services' api.
Manipulating a string to construct the uri is a fairly trivial task in most client languages, and many novice developers will possibly have never heard of an accept header. So, you could consider it designed to suit the lowest common denominator of developer.
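The five placements listed above (URL path, hostname, query string, custom header, and both Accept-header variants) can all be parsed server-side; here is an added example of doing so, not code from Troy Hunt's article or from any of the services named. The SUPPORTED set, the /api/v<N>/ path shape and the fail-closed handling of conflicting or unknown versions are assumptions.

```python
"""Resolve the API version from the placements listed in the answer above.
Added example; SUPPORTED, the /api/v<N>/ path shape and the fail-closed
policy are assumptions, not something the article prescribes."""
import re
from typing import Dict, Mapping, Optional

SUPPORTED = {"1", "2"}                     # assumed: versions this server serves
VENDOR = "application/vnd.haveibeenpwned"  # vendor tree prefix from the article

_PATH_RE = re.compile(r"^/api/v(\d+)/")                  # /api/v2/...
_HOST_RE = re.compile(r"^v(\d+)\.api\.")                 # v2.api.hostname.com
_ACCEPT_RE = re.compile(                                 # both Accept variants
    re.escape(VENDOR) + r"(?:\.v(\d+))?\+json(?:\s*;\s*version=(\d+)(?:\.\d+)?)?")

def _major(value: Optional[str]) -> Optional[str]:
    """'2' or '2.0' -> '2'; anything else is ignored rather than guessed."""
    m = re.fullmatch(r"\s*(\d+)(?:\.\d+)?\s*", value or "")
    return m.group(1) if m else None

def version_signals(path: str, host: str, headers: Mapping[str, str],
                    query: Mapping[str, str]) -> Dict[str, str]:
    """Collect every version the request states, keyed by where it was found."""
    hdr = {k.lower(): v for k, v in headers.items()}
    found: Dict[str, Optional[str]] = {}
    m = _PATH_RE.match(path)
    found["url"] = m.group(1) if m else None
    m = _HOST_RE.match(host.lower())
    found["hostname"] = m.group(1) if m else None
    found["query"] = _major(query.get("api-version"))
    found["header"] = _major(hdr.get("api-version"))
    m = _ACCEPT_RE.search(hdr.get("accept", ""))
    found["accept"] = (m.group(1) or m.group(2)) if m else None
    return {k: v for k, v in found.items() if v is not None}

def resolve_version(path: str, host: str, headers: Mapping[str, str],
                    query: Mapping[str, str], default: str = "1") -> str:
    """Pick one version; refuse requests that disagree with themselves or
    name a version the server does not serve (fail closed, no guessing)."""
    signals = version_signals(path, host, headers, query)
    versions = set(signals.values())
    if not versions:
        return default
    if len(versions) > 1:
        raise ValueError(f"conflicting version signals: {signals}")
    (version,) = versions
    if version not in SUPPORTED:
        raise ValueError(f"unsupported version {version!r}")
    return version
```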
After reading all the threads on stackoverflow and other platforms, I still wasn't able to find an answer which satisfies me.
The task:
I want to create a single page application (SPA) which receives data from a REST API. In this SPA, NO authentication should be used. It's a public site.
But the REST API should only be accessible from people who loaded the SPA from my webserver.
I assume this is only solvable with something on server side like sessions, cookies etc. - otherwise I'm open for your suggestions, solutions etc.
Thx in advance!
There's no reasonably easy way to do this. You can easily prevent other domains (in browsers) from accessing an API on your domain (via CORS), but it's significantly harder to prevent scripts from doing this.
The issue lies in 'how do you detect legit browser traffic from a script'. It turns out that this is not easy. You could try to detect 'unusual behavior' as much as possible (for example a large amount of requests in a short time), but this doesn't stop clients that are slower.
Ultimately if people want your data, they will find some way around whatever restrictions you come up with. You should reevaluate this and use one of the following options:
Don't do an SPA and API. Although one could wonder, if the data exists in HTML it can still be crawled.
Add authentication. But obviously this won't help you in any way if anyone can authenticate.
Re-evaluate why you have this restriction. What are you worried about? If you're worried about people taking your data and using it elsewhere, how does only showing it in a browser from 1 domain help with that? If you're worried about copyright theft, why not use a legal approach to this?
I've seen a lot of these types of questions, but in my opinion I haven't yet seen one that has a legitimate good reason to want this. But, maybe you're the first.
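The two mechanisms the answer above contrasts, a CORS origin allow-list (which only browsers enforce) and a detector for "a large amount of requests in a short time" (which a slower client slips under), as an added example that is not part of the original answer. The origin, window, threshold and the log lines are constructed assumptions.

```python
"""CORS allow-list plus a burst detector for the public-SPA scenario above.
Added example; ALLOWED_ORIGINS, the limit/window values and SAMPLE_LOG are
constructed assumptions."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional

ALLOWED_ORIGINS = {"https://spa.example"}  # assumed: host serving the SPA

def cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Emit Access-Control-Allow-Origin only for a listed Origin.
    Only browsers honour this: a script can send any Origin value or none,
    so this stops other sites' pages reading the response, nothing more."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}  # no header: the browser withholds the response from the page

class BurstDetector:
    """Sliding window per client key: flags more than `limit` requests within
    `window` seconds. A client pacing itself below the limit is not seen."""

    def __init__(self, limit: int = 20, window: float = 10.0) -> None:
        self.limit, self.window = limit, window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def record(self, client: str, now: float) -> bool:
        """Record one request; return True if it exceeds the limit."""
        q = self._hits[client]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit

SAMPLE_LOG = [  # constructed: '<ts> <ip> <path>', a patient client then a burst
    "100.0 198.51.100.7 /api/items", "103.0 198.51.100.7 /api/items",
    "106.0 198.51.100.7 /api/items", "109.0 198.51.100.7 /api/items",
    "112.0 198.51.100.7 /api/items", "115.0 198.51.100.7 /api/items",
    "200.0 203.0.113.9 /api/items", "200.3 203.0.113.9 /api/items",
    "200.6 203.0.113.9 /api/items", "200.9 203.0.113.9 /api/items",
    "201.2 203.0.113.9 /api/items", "201.5 203.0.113.9 /api/items",
]

def scan_log(lines: List[str], limit: int = 5, window: float = 10.0) -> List[str]:
    """Replay log lines through the detector; return the flagged client IPs."""
    det = BurstDetector(limit=limit, window=window)
    flagged = set()
    for line in lines:
        ts, ip, _path = line.split()
        if det.record(ip, float(ts)):
            flagged.add(ip)
    return sorted(flagged)
```

With these values the scripted burst from 203.0.113.9 is flagged while 198.51.100.7, which sends the same six requests three seconds apart, never holds more than four in any window.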
I believe I answered my question myself on a comment 30 minutes ago... I think with captcha I'm able to secure the REST API against unwanted access to my REST API
Everybody can be sure of the benefits and the drawbacks of an open API.
But is it a good or a bad practice to publicly document the open API (which requires authentication for its requests)?
By publicly document I mean creating a documentation showing the structure of the body of the request that the API can receive and by giving descriptions for all these fields.
E.g., given an endpoint my-public.url/myendpoint/myresource, with available PUT, POST, DELETE and GET http requests, there's a static page my-public.url/document/myendpoint which shows all the acceptable http requests along with a description of the headers and the body of the request that are needed in order to perform it.
On the one side, this will help external developers to use the API easily, but on the other hand, if somebody gains access somehow, it would be easy for them to make requests and corrupt the system, since the whole structure of the API is given.
You can look at this from the risk perspective. Providing public documentation for an API presents a risk, for the reason you mentioned, it may help an attacker. On the other hand, security is always a balance, providing documentation helps (or is even necessary for) your users.
Also you shouldn't implement security by obscurity, i.e. how things work should be considered known to attackers - but it's true that many times that's not the case in reality.
As providing public documentation is a risk, you then have to treat it somehow. You can do several things with risk, for example you can accept it (~do nothing), eliminate it (~not provide documentation in this case), or mitigate it.
Mitigating this risk would mean additional things you do to make an exploit less likely, or to decrease the impact. Likelihood can be reduced by for example stronger controls around how you develop your software, adding automated testing around authentication and authorization features, adding static code analyzers to the mix and so on. Impact can be reduced by good architecture that separates logical layers, intrusion detection/prevention systems, or even going for single tenant instead of multi-tenant.
In the end it all comes down to what risk you want to accept, and that entirely depends on you. With proper controls, it is ok to provide public docs - how else could you expect users to be able to use your api? The question is what are "proper" controls, and that depends on your risk appetite.
Risk in your application's APIs is not at all increased because of publicly documenting it.
Here are some reasons which come to mind when thinking of this:
If you are having a browser based client, anyone with a bit of knowledge to inspect the browser developer tools' NETWORK tab can find your API details.
If there is any mobile client which uses your API, the request information can be easily viewed using applications like Wireshark. The most famous API tester application, Postman, also supports such functionality.
With the help of the above tools, it's likely that anyone can find out your API details.
Advantages of public documentation
API consumers can just visit your public API documentation, which clearly saves a lot of man-time in API developer-consumer communication. (Versioned APIs (and documentation) will be very helpful when changes are made to existing ones.)
Creating API demo/test kits like Postman Collections will help the API consumers to test and use the APIs easily.
Here are some points which you can note to reduce the risks in your application.
Authentication - Login credentials / Access token / API Keys
Authorization - Access check for any resource which is being accessed / modified.
API Rate limiting - To avoid a DOS attack.
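The first two controls in the list above, authentication with API keys and a per-resource authorization check, as an added example that is not part of the original answer. The key store (only SHA-256 digests of keys are kept), the owner table, the Bearer header shape and the "anyone authenticated may read, only the owner may write" rule are constructed assumptions.

```python
"""Authentication and per-resource authorization for a publicly documented
API. Added example; _KEY_DIGESTS, _OWNERS, the Bearer scheme and the
read/write policy are constructed assumptions."""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Assumed key store: user -> SHA-256 digest of the key. Keeping digests means
# a leaked table does not hand out usable credentials.
_KEY_DIGESTS: Dict[str, str] = {
    "alice": hashlib.sha256(b"alice-key-constructed").hexdigest(),
    "bob": hashlib.sha256(b"bob-key-constructed").hexdigest(),
}
_OWNERS: Dict[str, str] = {"r1": "alice", "r2": "bob"}  # resource id -> owner
_WRITE_METHODS = {"PUT", "POST", "DELETE"}

def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Map 'Authorization: Bearer <key>' to a user name, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    digest = hashlib.sha256(auth[len("Bearer "):].encode()).hexdigest()
    for user, stored in _KEY_DIGESTS.items():
        if hmac.compare_digest(stored, digest):  # constant-time comparison
            return user
    return None

def authorize(user: str, method: str, resource_id: str) -> bool:
    """Assumed policy: any authenticated user may GET; only the owner may
    PUT/POST/DELETE. Knowing the documented request format does not help a
    caller who fails this check."""
    owner = _OWNERS.get(resource_id)
    if owner is None:
        return False
    if method in _WRITE_METHODS:
        return owner == user
    return method == "GET"

def handle(method: str, resource_id: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Run the checks in order and return (status, message)."""
    user = authenticate(headers)
    if user is None:
        return 401, "authentication required"
    if not authorize(user, method, resource_id):
        return 403, "forbidden"
    return 200, f"{method} {resource_id} as {user}"
```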
Imagine I have a fully implemented REST API that offers HATEOAS as well.
Let's assume I browse the root and besides the self link two other links (e.g. one for /users and one for /orders) are returned. As far as I have heard, HATEOAS eliminates the need for out-of-band information. How should a client know what users means? Where are the semantics stored?
I know that is kind of a stupid question, but I really would like to know that.
Suppose you've just discovered Twitter and are using it for the very first time. In your Web browser you see a column of paragraphs with a bunch of links spread around the page. You know there's a way to do something with this, but you don't know specifically what actions are available. How do you figure out what they are?
Well, you look at the links and consider what their names mean. Some you recognize right away based on convention: As an experienced Web user, you have a pretty good idea what clicking on the "home", "search" and "sign out" links is meant to accomplish.
But other links have names you don't recognize. What does "retweet" do? What does that little star icon do?
There are basically two ways you, or anyone, will figure this out:
Through experimentation, which is to say, clicking on the links and seeing what happens, then deriving a meaning for each link from the results.
Through some source of out-of-band information, such as the online help, a tutorial found through a Google search or a friend sitting next to you explaining how the site works.
It's the same with REST APIs. (Recall that REST is intended to model the way the Web enables interaction with humans.)
Although in principle computers (or API-client developers) could deduce the semantics of link relations through experimentation, obviously this isn't practical. That leaves
Convention, based on for instance the IANA's list of standardized link relations and their meanings.
Out-of-band information, such as API documentation.
There is nothing inconsistent in the notion of REST requiring client developers to rely on something beyond the API itself to understand the meaning of link relations. This is standard practice for humans using websites, and humans using websites is what REST models.
What REST accomplishes is removing the need for out-of-band information regarding the mechanics of interacting with the API. Going back to the Twitter example, you probably had to have somebody explain to you at some point what, exactly, the "retweet" link does. But you didn't have to know the specific URL to type in to make the retweet happen, or the ID number of the tweet you wanted to act on, or even the fact that tweets have unique IDs. The Web's design meant all this complexity was taken care of for you once you figured out which link you wanted to click.
And so it is with REST APIs. It's true that in most cases, the computer or programmer will just need to be told what each link relation means. But once they have that information, they can navigate through the entire API without needing to know anything else about the details of how it's all put together.
REST doesn't eliminate the need for out-of-band information. You still have to document your media-types. REST eliminates the need for out-of-band information in the client interaction with the API underlying protocol.
The semantics are documented by the media-type. Your API root is a resource of a media-type, let's say something like application/vnd.mycompany.dashboard.v1+json, and the documentation for that media type would explain that the link relation users leads to a collection of application/vnd.mycompany.user.v1+json related to the currently authenticated user, and orders leads to a collection of application/vnd.mycompany.order.v1+json.
The library analogy works here. When you enter a library after a book, you know how to read a book, you know how to walk to a bookshelf and pick up the book, and you know how to ask the librarian for directions. Each library may have a different layout and bookshelves may be organized differently, but as long as you know what you're looking for and you and the librarian speak the same language, you can find it. However, it's too much to expect the librarian to teach you what a book is.
I'm designing a REST-like API over Http.
I need the API Clients (apps, not browsers) to follow the links (HATEOAS), not to build them.
Also, I'll still use readable URLs for some reasons that can be disagreed.
However, if pretty ways to document url templates exist (like these ones), I don't think it is the right way as it could clearly tempt and legitimate developers to build urls themselves.
So, how to document an API in a way that respects HATEOAS?
We often find discoverability associated with HATEOAS. To be honest, I don't think this is enough in real life, where business concepts are multiple and subtle to understand, and client developers are not your teammates.
Meaningful names are clearly not enough.
Developers need to make their client apps:
Navigate into the API from the entry url to the relevant documents
Build valid requests (parameters and bodies) and interpret responses with no ambiguity on the semantics.
So, how to document this?
Are there existing tools that generate documentation this way?
Would a "Glossary" be enough to fill in the gap between discoverability and unambiguous interpretation?
Maybe the html representation of the API (Accept: text/html) could return human readable documentation...
Any other idea or experience on this?
Related concepts:
Design with Intent, Versioning, Level 3 API
First of all, there's nothing wrong with readable URIs and with users being able to easily explore your API by building URIs by hand. As long as they are not using that to drive the actual API usage, that's not a problem at all, and even encouraged by Roy Fielding himself. Disagreement on that on the basis that URIs must be opaque is a myth. Quoting Fielding himself on that matter:
Maybe I am missing something, but since several people have said that REST implies opaqueness in the URI, my guess is that a legend has somehow begun and I need to put it to rest (no pun intended).
REST does not require that a URI be opaque. The only place where the word opaque occurs in my dissertation is where I complain about the opaqueness of cookies. In fact, RESTful applications are, at all times, encouraged to use human-meaningful, hierarchical identifiers in order to maximize the serendipitous use of the information beyond what is anticipated by the original application.
It is still necessary for the server to construct the URIs and for the client to initially discover those URIs via hypertext responses, either in the normal course of creating the resource or by some form of query that results in a hypertext list. However, once that list is provided, people can and do anticipate the names of other/future resources in that name space, just as I would often directly type URIs into the location bar rather than go through some poorly designed interactive multi-page interface for stock charts.
http://osdir.com/ml/web.services.rest/2003-01/msg00074.html
If you need your client developers to follow the hyperlinks and not build URIs by hand, from my experience I think the best way to do that is to promote it as a cultural change in your work environment. In my case I had a supportive manager, so it was much easier. You should warn them that the URI namespace is under control of the server and the URIs may change anytime. If their clients break because they failed to comply, it's not your responsibility. It also helps a lot to have some sort of workshop or presentation to explain how HATEOAS works and the benefits for everyone. I noticed how a lot of street-REST developers think it's superfluous, until they actually get it.
Now, to address your main question, you shouldn't document the API, you should focus your documentation efforts on your media-type. Quoting Fielding again:
A REST API should spend almost all of its descriptive effort in defining the media type(s) used for representing resources and driving application state, or in defining extended relation names and/or hypertext-enabled mark-up for existing standard media types. Any effort spent describing what methods to use on what URIs of interest should be entirely defined within the scope of the processing rules for a media type (and, in most cases, already defined by existing media types). [Failure here implies that out-of-band information is driving interaction instead of hypertext.]
http://roy.gbiv.com/untangled/2008/rest-apis-must-be-hypertext-driven
That means, you should have custom media-types for your representations, and instead of documenting API endpoints or URIs, you should document those media-types and the operations for the links available in them. For instance, let's say you have an API for a Q&A site like StackOverflow. Instead of having an API documentation telling them that they should POST to the rel:answers link in the representation of a question in order to answer it with their current user, your questions should have a media-type of application/vnd.yourcompany.question+xml and on the documentation for that media-type you say that a POST to a rel:answers http link will answer the question.
I don't know of any existing tools for this, but from my experience, any tool that can be used to generate documentation from abstract models can be used for this.
I don't know how your ecosystem of APIs is, but what works for me is to have a generic documentation with a gentle introduction to REST, addressing some of the misconceptions, and detailed general usage to your patterns, that should apply to any API. After that, each individual server should have its own documentation, focused on the media-type.
I don't like the idea of returning documentation in the text/html representation, because that's supposed to represent the resource itself, but I love the idea of having a rel:doc link pointing to your HTML documentation for that media-type.
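A client that works the way both HATEOAS answers above describe, taking URLs only from link relations in earlier responses and accepting a representation only when its Content-Type is the documented media type, as an added example that belongs to neither answer. The application/vnd.mycompany.* media types and the users/orders relations are those named in the earlier answer; the rel:doc link, the in-memory "server", its URLs and its bodies are constructed assumptions.

```python
"""Hypermedia client driven by link relations and documented media types.
Added example; _SERVER, its URLs and bodies, and the 'doc' relation are
constructed assumptions. No network access is performed."""
import json
from typing import Dict, List, Tuple

DASHBOARD = "application/vnd.mycompany.dashboard.v1+json"
USERS = "application/vnd.mycompany.user.v1+json"
ORDERS = "application/vnd.mycompany.order.v1+json"

# Constructed in-memory server: URL -> (Content-Type, body). The client only
# learns these URLs from links in responses; the identifiers are opaque to it.
_SERVER: Dict[str, Tuple[str, str]] = {
    "https://api.example/": (DASHBOARD, json.dumps({"links": {
        "self": "https://api.example/",
        "users": "https://api.example/u/7f3a",
        "orders": "https://api.example/o/91c0",
        "doc": "https://api.example/docs/dashboard.v1.html",  # rel:doc idea
    }})),
    "https://api.example/u/7f3a": (USERS, json.dumps({
        "items": [{"name": "alice"}, {"name": "bob"}],
        "links": {"self": "https://api.example/u/7f3a"}})),
}

def fetch(url: str, expected_type: str) -> dict:
    """GET `url`; refuse a response whose media type is not the documented
    one, because then the documented semantics do not apply to its body."""
    if url not in _SERVER:
        raise LookupError(f"404 {url}")
    ctype, body = _SERVER[url]
    if ctype != expected_type:
        raise ValueError(f"expected {expected_type}, got {ctype}")
    return json.loads(body)

def follow(doc: dict, rel: str, expected_type: str) -> dict:
    """Follow relation `rel` from `doc`. The URL comes from the response;
    the client never assembles one from a template."""
    try:
        url = doc["links"][rel]
    except KeyError:
        raise KeyError(f"relation {rel!r} not offered by the server") from None
    return fetch(url, expected_type)

def list_user_names(entry: str = "https://api.example/") -> List[str]:
    """The entry URL is the only out-of-band URL the client needs."""
    root = fetch(entry, DASHBOARD)
    users = follow(root, "users", USERS)
    return [u["name"] for u in users["items"]]
```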
I've seen some people say that this is the only way to do REST:
/car
Displays all cars
/car/123
Displays information about the car with ID of 123
I have also seen others that prefer to do this with REST:
/car
Displays all cars
/car?id=123
Displays information about the car with ID of 123
Which is correct for REST?
Please note that I am only posting this question to get a real answer, I am not trolling. If REST is not defined enough for a definitive answer, or it is not clear which option above is "correct" for REST, then that would be a fine answer for me. I am simply trying to understand REST.
Thank you.
REST was originally designed based on a purely path-driven architecture, although different implementations of REST APIs in software like Flickr and JIRA have clouded this a bit. In the end what is most important is that the standards used within the entirety of your own API are consistent (i.e. don't use /api/user/21 for getting a user and then /api/group?id=3 for another). Ideally, use paths to locate a resource and then use different HTTP verbs to determine what you're doing with that resource (GETing it, POSTing a new one, PUTting an update, etc).
Wikipedia has a very informative article on it: http://en.wikipedia.org/wiki/Representational_state_transfer