As others have alluded to, it's all fine & dandy to try to adhere to the guidelines of "pure REST" but in reality, you have customers/users who know enough to construct a web request, but don't really understand what HTTP verbs are, what HTTP headers are etc. In my experience, your average developer (of course, not anyone who'd frequent HN!) really doesn't have a good grasp of how HTTP works. So the way you combat this problem is either
1) You provide client libraries in the popular languages so your users can download those and not have to make requests directly. This way you can put versioning and accepted response types in the headers instead of the URL
OR
2) You put everything in the URL and you're done with.
In my company, we initially went with 1) but then realized that just putting a version & format (.json, .xml etc.) in the URL lead to much fewer "Your API isn't working" emails.
Sometimes I feel like I'm missing something, but then I read specs and I read REST manifestos and I just don't see the value over RPC style. When coding against an API, clients are pretty much always want to make "function calls" and get values back. So even if the URL is just "api.localhost.com/apiv1.handler" and everything goes into a XML or JSON body, what's the drawback?
REST advocates insist that URLs shouldn't be constructed either. So every site that boasts "REST" but then goes on to say accounts are at "/account/{id}" aren't really RESTful. (You're supposed to find the account URI via a search or save it from creation.)
Spreading the values of the "function call" all over the place just makes your plumbing code more complicated, but the end result to the user will still be "GetAccount(id) -> Account".
Plus, the concept of making the URIs all be nouns then cramming your logic into the few HTTP verbs is just odd. OK, so HTTP has a DELETE method. Why is that somehow intrinsically better than <action name="DELETE" id="123" />?
So far I've yet to see a real REST API where I say "oh wow, that's a lot easier to handle". Maybe I'm looking at it wrong, and ease-of-use for programmers isn't a goal.
>Maybe I'm looking at it wrong, and ease-of-use for programmers isn't a goal.
IMO, ease of use for the programmers using the API is not the goal. Ease of maintenance is the goal. Basically RPC is bad because it is an extreme tight coupling between client and server. Change one single parameter in one single SOAP method? Get ready for every single client to have to recompile. Even the ones that never used that particular method (there are techniques to minimize this, but with REST you don't have to think about this problem).
REST is about loose coupling. If you follow HATEOAS properly the clients won't even need to recompile if you do a massive refactoring of where your resources are. So long as you're not doing direct serialization of the XML resources, you also won't have to recompile for every tiny schema tweak. If a field you use changes, obviously you have to change the client. If a field you don't use changes you probably don't even need to restart your client.
This is what it buys you. If you don't get any benefit from the loose coupling then you don't need REST. But if that's the case then I wonder if you need a three tiered system at all.
Forget SOAP. Just think of XML-RPC. How does changing one parameter break things any differently than with REST? If I'm offering an API that has a POST with a body containing a field "client_id", and I change that to "clientid"... stuff breaks.
If you use a single endpoint like "/service" and POST bodies, then there are no "resources" to locate in the first place, so no problem when changing your URI schema. "GET /service?type=account&id=123". Or even just "POST /service {body Action=GetAccount Id=123".
I agree with you. For most people, switching to REST is useless, because they're still attached to the conceptual framework of RPC. We're still in the dark ages, re-writing the wheel again and again and again, coding clients for each single service out there. It's not wonder that REST seems useless.
But there's a vast network of services, far bigger than all the RPC APIs out there, that isn't like that. Where clients can connect to different services - even services made years after them, with functionality they couldn't have anticipated - without having to be tailored to them. Where the user can switch the provider of a specific service without having to switch clients, because the protocols are standard and compatible.
I'm talking, of course, about the HTML Web. Where people implement RESTful services without even knowing what they are, just because following a standard is just painfully obvious.
REST is the way we can implement something better; instead of dumb clients, we can have smart agents that interact with the rest of the web as browsers now do, but without the user hand-holding it. And gradually switching RPC to REST is the only way to accomplish that.
REST is one of the stupidest ideas to have ever come out of HTML.
When you write a class do you only have 4 methods on it? Create, Read, Update, Delete?
Case shut & closed.
But, but, but, I hear you say? It's not about the verbs, it's about the intention behind the verb?
Any GET you do to the system inherently changes it. I log you accessed the system, it often changes the way the object behaves (for example, you viewed it, it is now more popular, it now appears higher in results).
I could go on for hours about how virtually every concept in REST is obviously flawed if you are an experienced programmer and simply sit down and think about it.
It doesn't work!
So the concept was flawed from the beginning.
RESTful APIs died a long time ago, but somehow some people are hanging on to the archaic meaning of REST without really realizing that 'REST' now simply means 'API over HTTP'. The best APIs simply dropped supporting RESTful interfaces a long time ago and those crazy people who stick to it, like Google, have to contort their APIs into utter messes just to facilitate it.
Worse, people are still building entire systems based off its flawed nature. Microsoft just released WebAPI which tries to force you into a RESTful model. But then again, they never really have understood the web.
When you write a class do you only have 4 methods on it? Create, Read, Update, Delete?
Just because you are unable to stop thinking in terms of classes, doesn't mean REST is flawed. REST doesn't have classes, it has resources, and they work differently.
Any GET you do to the system inherently changes it. I log you accessed the system, it often changes the way the object behaves (for example, you viewed it, it is now more popular, it now appears higher in results).
GET is not part of REST, it's part of HTTP, which is a particular implementation of a RESTful architecture. The flaws of HTTP are irrelevant to whether REST makes sense or not.
It doesn't work!
Your line is self-disproving, since you used a RESTful service to send it. The web has literally billions of services following REST. The proof that it works is shown again every time you click a link.
RESTful APIs died a long time ago, but somehow some people are hanging on to the archaic meaning of REST without really realizing that 'REST' now simply means 'API over HTTP'. The best APIs simply dropped supporting RESTful interfaces a long time ago and those crazy people who stick to it, like Google, have to contort their APIs into utter messes just to facilitate it.
Again, you've used a RESTful API to post this very message. RESTful APIs work, it's RPC with a RESTful facade which doesn't, and it can't die soon enough.
There is however one use case for which I haven't found a good way to use REST: have the client upload a document to the server and return the same document in a single call, transformed (say, applying an XSL server-side). You're not really creating a new resource here, or accessing an existing one.
But I agree that in most cases, REST is good enough, and certainly a hell of a lot better than old-style RPC or "let's-put-an-action-verb-in-the-URL-and-call-it-REST" HTTP APIs.
What happens if the connection is lost during the conversion? Do you really want to force the client to send it again and redo the conversion? Is the document time sensitive enough that it's better to repeat the process?
If not, then I'd say that it does make sense to create a new resource: the document. You create it by POSTing the original, and the server returns a 201 Created, with a Location header pointing to its new URL. The client can then GET it to download the converted version. The document resource should have a TTL so that it can be pruned from cache.
I don't think REST fits all use cases, and RPC does make sense when your needs don't fit the advantages of following REST, but I don't think that's the case here.
> What happens if the connection is lost during the conversion? Do you really want to force the client to send it again and redo the conversion? Is the document time sensitive enough that it's better to repeat the process?
No, I don't think it would be an issue to repeat the process in this case.
> f not, then I'd say that it does make sense to create a new resource: the document. You create it by POSTing the original, and the server returns a 201 Created, with a Location header pointing to its new URL. The client can then GET it to download the converted version. The document resource should have a TTL so that it can be pruned from cache.
I guess, but it forces the server to store the document somewhere (presumably in RAM). It's much easier and cheaper in RAM to answer the POST with the formatted document, and you also spare complexity client-side (only a single HTTP call and only a single location for error handling). But yes, it would be a possibility.
... The HTML Web works because the "smart client" is a human driving the browser. (Or a dumb crawler that doesn't care what it gets.) I don't see how it's at all related to APIs driven by software.
And the HTML Web is NOT RESTful. Plenty of sites return different results for a URL, break links, have non-idempotent GET, don't return the created item's URL on POST, etc.
So when people talk like this about API-driven stuff, it sounds like UDDI or some magic dream. Can you draw a direct line to what kind of code is gonna be written? Or is this like a "well if we invent AI-like stuff then it'd be nice because AI won't be able to figure out RPC?" Maybe I'm being dumb and unimaginative.
I think you misinterpreted the parent post. You two are almost certainly talking about the same kind of REST aka the mainstream understanding of it popularized by APIs like Twitter, Twilio, Stripe, etc. The "real/pure REST" folks are talking about by-the-dissertion Fielding's REST which is far more complicated and confusing and is probably not a good idea for a public API. It goes beyond verbs and pretty URLs. Look into Hypermedia APIs. That's the One True REST.
Yeah, Twilio's API isn't REST as it has versions and content types in the URIs. Plus, you're supposed to construct URIs (and all the clients do this AFAIK, since it'd be idiotic waste of a roundtrip not to). E.g. "/2010-04-01/Accounts/{AccountSid}/IncomingPhoneNumbers/{IncomingPhoneNumberSid}"
Yet it's the closest thing I've seen held up as a "good RESTful API". In practise, it just means I've got to write more code to shove parameters into the URI and body.
"REST" as used by pretty much everyone is just a codeword for "we didn't use SOAP!". And maybe the URLs are more than just "/FooService" and maybe they use HTTP verbs.
The top answer seems to have the mentality of "screw the consumer" when it comes to versioning. If you have someone using version 1 of an api, when you decide to make it version 2, you're essentially breaking their app by having the reference change to the new one.
The answer even touches on the subject that it should be a permalink, yet they then say that a new version should be the same url as the old one, which means it's not a permalink! In my view, this is madness and potentially breaking for people using your api.
In my personal opinion, you should set out with versioning in mind from the start, otherwise by making even a slight change to your api, you change what the consumer receives, potentially breaking stuff.
It should be the same URL as the old one. Just not the same content type.
The user /u/john of version 1 is the same user /u/john of version 2. You don't want to break all links just because the client upgraded. Just reply with the appropriate format for the version the client is asking for.
I'd like to see the subset of the answers from people who have actually maintained a successful and widely used API. I'm skeptical that most clients are sophisticated enough to deal with the pure REST dream.
Specifically, changing the JSON representation of, say, a list of account activity, is perfectly compatible with REST. "Oh, you want /account-activity, here it is, why yes, it does happen to be a list of links to /account-activity/messages and /account-activity/transactions instead of the flat list of things with a 'type' field like it was last week, but I'm directing you to the resource, so it's all good"
From my experience, you can go a long way by just adding new HTTP end-points and extending the JSON with new attributes with no versionning. By the time you really want to change things it probably mean that you understand the domain well enough to make a new better service.
I worked on and supported a pseudo-API at PayPal for 7 or 8 years..."Web Accept" and "IPN". 10s or 100s of thousands of integrations. 10s or 100s of millions of payments.
No versioning.
It works really well. Once you add versioning, it's too tempting to add breaking changes and just keep versioning. It becomes a total mess for everyone.
I'm tempted to both agree with you and curse at you.
Yes, I agree with the idea of enforcing backward compatibility as much as possible and, when that fails, make it a social problem (documentation, email, advance notice...).
But being in the midst of one of those PayPal integration... oh my, what a mess!
* The sea of DEPRECATED in the documentation (hide it away?)
* The pervasive inconsistency in everything
* The choice of x-www-form-urlencoded for IPN data... (I'm
trying to figure out some charset bug at the moment)
PayPals API certainly isn't the worst but it's pretty awful. So much pain doing PayPal integrations. I assumed it just kind of happened but I'm shocked if you guys thought it was good... See Stripe for an example of not to abuse your API users.
It's not perfect but I'd like to point out that it was born in 2000 and still works fine today 13 years later. I think all the sample code I wrote is still in the PayPal docs somewhere.
The most painful PayPal integrations for me were the SOAP ones.
No. There's nothing RESTful about changing the data format without notice - on the contrary: REST implies that media types should be well defined, and that includes specifying those issues.
There's nothing in REST that opposes versioning either. All it says is that you shouldn't use the URLs for it, since then if the client wants to upgrade, it'll break all his stored links.
Versioning can be handled just fine by having the client request the media type with the version he needs, e.g.:
Accept: application/users-list+v1
And if it asks for that, you should definitively give it the v1 format, not throw the v2 and let it deal with that.
We found that our API and web controllers were doing the exact same thing, so with rails we're just hitting the same endpoints but just using respond_to to differentiate whether we respond with a jbuilder view (json) or standard HTML.
The client passes in a version number and VersionCake intelligently renders the appropriate view version or degrades to a prior version when the specified versioned view doesn't exist.
Happy user of VersionCake here! I am using it to support older versions of our iPhone apps while our backend can improve and expand without problems. Thanks for your work!
That's exactly what I thought. I can't help feeling this is yet another "do it this way" post by a person that is big on theory but probably very low on real life in-the-field practice. You can't advise 301 when you had to actually implement it. IMO this post does more harm than good by misleading its readers. It reminds me a lot of (sometimes very well known) people that feel entitled to teach you how to write javascript SPAs after trying their hand at the most simple case, like a todo app. The incentive to be seen, known, collect points here or there is totally biasing the game.
Pure REST can be a roadblock in the pragmatic real world. I've impemented "REST" API calls in client platforms that could do GET and POST and that's it. No PUT, DELETE, etc. But since the API allowed deletes via a POST action, it was possible for me to achieve what I needed to do within those constraints.
No matter how large, successful and technical your client is, they'll undoubtedly have their least HTTP-literate monkey developing against your API. It gets awkward having to explain basic things to someone you started out assuming was your peer.
I always thought API versions in URLs had more to do with efficient URL routing than RESTful semantics.
If you're Twitter or AWS and handling tens of millions of requests a day it would (seem) far less resource intensive to determine routing based on a pre-defined URL structure than to inspect the headers of each incoming API request. It might also save development time. So you have your block of v1 API servers and your block of v2 servers, without having to re-code the v1 stack to also parse v2 requests.
The version identifier is always in the same place.
HTTP headers come in an unordered list. And a client can send any number of headers to the API. And the version identifier may be at the beginning of the list, in the middle, the end, any position really.
Even so, I doubt the resource usage is very different per-request. But writ large it may make a difference.
GNU Grep can search for a string in 41000 files in 1.2s (that's with open(), mmap(), close(), etc). I really doubt that web frameworks are so optimized that matching a particular header would take any perceivable time.
I wouldn't worry too much about the cost of parsing. I'd be a lot more concerned about APIs that rely on proxy and UA caches for performance and/or scaling.
A request has a much better chance of getting cached reliably if all the important semantics are in the path than if they're in arbitrarily-ordered querystring args or headers. Squid's default config didn't cache anything with a querystring up through v3. OldIE wouldn't cache an uncompressed response with any Vary headers. I suspect there are landmines like this buried all over the place.
In the context of a load balancing proxy, you apply the SSL cert to the proxy, and do the encryption there - known as SSL termination. Otherwise like you said, the proxy can't see inside the request (not even the URL).
I've never really cared for API versioning, especially the "/v1/" or whatever in the URL.
Come up with a decent API design from the beginning; commit to backwards compatibility, non-breaking changes, thorough testing and fast fixes; and stick with it for a decade or so.
Throwing out backwards compatibility should be an absolute last resort, you may as well start a new project that is written clean from the beginning.
No function should be promoted to the core API without serious consideration. Instead use something like /alpha/function-v2.2/ for testing functions that may disappear or be updated, making it easy for clients to write workarounds for these non permanent functions.
Which is fine as long as you aren't planning to change your product at all.
Yes, you can try and put it off for as long as possible, only making backwards compatible changes. But it's likely at some point you'll need to change something in your API, that simply won't work with existing clients.
It's better to be able to start from a clean slate in the future while still being able to support legacy versions if it is advantageous to do so. You are not smart enough to do it right the first time, because you cannot predict what changing conditions the future will bring.
The version thing is interesting. How do you maintain various current versions of an API? If a URI cannot contain a version number (as the purists would claim) then versioning happens in the underlying code base? If so, a client still would have to specify a version, either in a query parameters, request header or somewhere else.
In reality, if an API doesn't contain a version number in it's URI will almost be impossible to maintain. To give a simple example, what if you decide to switch technologies between API v1 and v2? How would you deal with that? Some sort of abstraction layer I'd guess...
As far as I'm concerned, a version number in the URI makes the most sense. They way I look at is is that /v1/resources/123 is a different resource than /v2/resources/123.
So far, using a version number in the URI has worked out quite well for me over time since I can isolate various code bases containing different versions. Something that would not have been possible otherwise.
My understanding is that request header is the most standards compliant way. In principle, you could certainly determine how you interpret the URL based on that.
In practice, both clients and servers aren't really designed for that, though. Particularly browsers, if you expect people to want to access/explore your API that way.
> If a URI cannot contain a version number (as the purists would claim) then versioning happens in the underlying code base?
It happens in the underlying code base whether or not it is reflected in the URI; one "pure" REST would have it in the Content-Type, but that's problematic with pure-HTML forms.
How is this even a debate? Versioning is a form of content negotiation just like encoding, language, mimetype, and charset. Why treat this one extra property any differently?
We run an API with probably 20 registered consumers, supporting apps and websites with different versions. This is not by any means an example of "the one true way", but it seems to be working well for us.
Basically, we put together a simple wrapper that lets us automatically pick which API version to use based on a users apikey, registered version (I set them up with v1 or v2), and what they pass in. A before_filter automatically pulls the apikey and version from params/headers, and it's consumed like this:
I think there is a lot of whimsy in what Don Knuth chose to do to version TeX -- using pi (3.14) and moving the precision to the right upon every (though, not often) version bump. Probably a little impractical for the rest of us, but it's my favorite! `So creative!
Agreed with kevinpet, I'd like to hear from people who built large, public APIs. In my experience of doing this in the wild, it usually goes like so: you develop a set of API calls, a client that talks to that API and release the client. Then your director of product demands a change which requires a modification in the data model. You need api versions to avoid your old clients crashing if they use the new data model. Eventually your data model stabilizes and you don't need versions so much, but in my experience, it can take years.
Ideally your data model is identified by the media type, which would look something like 'application/vnd.yourco.foo.v2+json', but in reality that will get you a lot of blank stares.
I don't agree with the top response's recomendation of using redirects to represent sunsetting of versions. That behaviour breaks POSTing. [1]
> Note: When automatically redirecting a POST request after
receiving a 301 status code, some existing HTTP/1.0 user agents
will erroneously change it into a GET request.
It breaks behavior in some misbehaving HTTP/1.0 clients at the time the HTTP/1.1 RFC was written.
I'm not sure that that's a signficiant concern now.
Still, if the behavior has changed, 301 isn't appropriate for other reasons, and if it hasn't changed, you shouldn't need a redirect at all, just handle requests to the old URL.
The only thing I'd consider to be close to a "best" practice is to maintain backwards compatibility. This means a little more effort initially put into the design, but it pays off if it's to stay around for a long time.
1) You provide client libraries in the popular languages so your users can download those and not have to make requests directly. This way you can put versioning and accepted response types in the headers instead of the URL
OR
2) You put everything in the URL and you're done with.
In my company, we initially went with 1) but then realized that just putting a version & format (.json, .xml etc.) in the URL lead to much fewer "Your API isn't working" emails.