Partial
dependent
associative
linked
/companies/{id} and /company
/company/{id} and /companies
/companies/{id} and /companies
/company/{id} and /company
data in the token
Ownership
a permission
an integer
Uniform Interface
Client-Server
Stateless
Cacheable
HTTP
REST
OPTIONS
CORS
notify other systems of an event
catch error faster
improve error logging
log additional data
to add new technologies to an organization's infrastructure.
to share features and functionality with other systems.
to move infrastructure to the cloud.
to appease the latest digital transformation effort.
bash
curl
ssh
PowerShell
OpenAPI (Swagger)
WADL
WSDL
OAuth
SUBMIT
WRITE
POST
CREATE
Mobile apps work better.
It improves uptime.
It offers better security.
It reduces load on servers.
409 Conflict
400 Bad Request
406 Not Acceptable
405 Method Not Allowed
an identity layer on top of OAuth 2.0
the new name for SAML 3.0
a modern replacement for API keys
an SSO competitor for OAuth 2.0
flexible querying/responses
more stable APIs
compatible with more gateways
more secure by default
Stateless
Client-Server
Uniform Interface
Cacheable
It identifies the user ID.
It identifies the client application or SDK.
It identifies if the API should expect a user authentication.
It identifies if the API should accept microservice traffic.
application/json
application/json_version2
text/html
application/vnd.myapp.v2+json
A token is encrypted.
A token is encoded.
A token is scoped to the use case.
A token can be shared between systems.
How to easily secure your APIs with API keys and OAuth
stateless architecture
idempotency
a uniform interface
cacheability
API proxy
API gateway
OpenAPI
OAuth authorization server
transport over SSL
encrypted payload
a signature
encoded payload
token
scope
claim
back channel
ID token
refresh token
access token
auth code token
no-proxy
client-only
restricted
private
Authorization Code Grant
Client Credentials Grant
Implicit Grant
Authentication Grant
It varies from API to API.
admin
write
read-write
_embedded
resources
subresources
_links
tracking downloads
Accept headers
user agents
polling users
Layered System
Stateless
Client-Server
Cacheable
your tech stack
reasoning for your naming schema
your mission statement
sample code
Response Time
Time to First Hello World
TTL
Uptime
GET /user/{id}
GET /users/{id}
GET /user?id={id}
GET /users?id={id}
to describe relationships between resources or actions
to describe subresources related to the current one
to link two resources together
to describe a resource and its purpose
resources
_embedded
subresources
_links
API gateway
API logging
a layered system
API proxy
common knowledge
URLs
no versioning
the Accept header
URL parameter
Authorization header
Base64 encoding
Basic Auth
client
not specified
authorization server
resource server
inbound traffic
north-south traffic
internal traffic
east-west traffic
Add .json to the URL.
APIs do not use XML.
Use the Content-Type header.
Use the Accept header.
403
404
401
405
HTTP verbs
JSON payloads
HTTP response codes
rate limiting/throttling
red team testing
white box testing
blue box testing
black box testing
PUT
POST
GET
OPTIONS
Expires: 1 minute
Cache-Control: max-age=60
Expires: 1 January 2020
Cache-Expires: max-age=60
hypermedia
link relations
parsing
browsing
405
201
204
202
REST Architectural Constraints
A. The exp (expiration) has not passed.
B. The algorithm is sufficient.
C. The signature matches the payload.
D. The token was Base64 encoded.
E. The iss (issuer) is the auth server you expect.
F. There is a refresh token.
G. The cid (client ID) is the client you expect.
H. The token was encrypted.
east-west traffic
inbound traffic
north-south traffic
external traffic
North-South vs East-West Traffic
OAuth 2.0 for Native and Mobile Apps
YY-M-D hh:mm:ss+TZ
YY-M-D h:mm:ss
YYYY-MM-DDThh:mm:ssZ
YYYY-M-D hh:mm:ss
The 5 laws of API dates and times
Cache-Control
Expires
Etag
Rate limiting your RESTful API
RETRIEVE
FORM
GET
READ
200
405
201
204