API Best Practices
Use this page for operational and quality guardrails around APIs. Keep REST HTTP Fundamentals as the contract-surface source of truth (URLs, methods, status, error shape, validation, idempotency).
Security Basics
Section titled “Security Basics”- Authenticate clearly at boundaries (user tokens for user-facing APIs, service identity for service-to-service calls).
- Authorize per resource and action in domain logic, not only at route decorators.
- Treat secrets as toxic data: never place tokens, API keys, or credentials in URLs or logs.
- Use TLS everywhere and keep CORS explicit (allowed origins, methods, headers).
- Rate-limit by principal (token, client, or IP) and return
429withRetry-Afterwhere applicable.
For policy depth, see Security.
Observability Defaults
Section titled “Observability Defaults”- Emit structured logs with route, status, latency, and correlation or trace ID.
- Track RED metrics per endpoint family: request rate, error rate, and duration.
- Propagate trace context across downstream hops to preserve end-to-end visibility.
- Distinguish liveness and readiness checks (
/healthzvs/readyzstyle behavior).
For platform-level guidance, see Observability and Observability for systems.
Reliability Behavior
Section titled “Reliability Behavior”- Set timeouts by default on inbound handlers and outbound client calls.
- Retry only when safe: idempotent operations, or write operations with stable idempotency outcomes.
- Apply exponential backoff with jitter to reduce synchronized retry storms.
- Respect
Retry-Afteron429and overload responses. - Pair write endpoints with idempotency key policy and bounded server-side key retention.
For deeper retry and degradation strategy, see Fault tolerance.
Performance Hygiene
Section titled “Performance Hygiene”- Prefer cursor pagination on large or changing collections.
- Support field projection when payloads become wide (for example
?fields=id,name). - Use cache headers and ETag where clients and intermediaries can safely reuse responses.
- Keep connection pools tuned for databases and outbound HTTP clients.
- Avoid over-nesting resources in URLs and over-joining data in one endpoint by default.
Testing and Rollout Checks
Section titled “Testing and Rollout Checks”- Run contract tests against OpenAPI and critical endpoint fixtures.
- Cover one happy path plus representative edge failures per endpoint (validation, authz, conflict).
- Keep status and error envelope mapping consistent across handlers.
- Require explicit deprecation and versioning notes for breaking changes.
- Add rollout checks for backward compatibility and basic operational dashboards before wider release.
Quick Review Checklist
Section titled “Quick Review Checklist”- Security boundaries and secret handling are explicit.
- Logs, metrics, and trace propagation are present.
- Timeout and retry policy is documented and safe.
- Pagination and response size controls are in place.
- Contract and edge-case tests cover key failure modes.
Where To Go Next
Section titled “Where To Go Next”- Contract design rules: REST HTTP Fundamentals.
- Request and response shape examples: Payloads and responses.
- Implementation structure by language: Python (FastAPI) and Go (chi).