REST API Quick Reference
Everything you need day‑to‑day – endpoints, status codes, security, and best practices.
What is REST?
- REpresentational State Transfer
- Architectural style for designing networked applications
- Uses HTTP as the protocol
- Stateless – each request contains all necessary information
- Resources identified by URLs (Uniform Resource Locators)
REST Constraints
- Client‑Server – separation of concerns
- Stateless – no client context stored on server
- Cacheable – responses can be cached
- Uniform Interface – consistent API design
- Layered System – intermediaries (load balancers, proxies)
- Code on Demand – optional, executable code
HTTP Methods
| Method | Purpose | Idempotent | Safe | Body |
|---|---|---|---|---|
| GET | Retrieve a resource | Yes | Yes | No |
| POST | Create a new resource | No | No | Yes |
| PUT | Replace a resource | Yes | No | Yes |
| PATCH | Partially update a resource | No | No | Yes |
| DELETE | Delete a resource | Yes | No | No |
| HEAD | Retrieve headers only | Yes | Yes | No |
| OPTIONS | Get supported methods | Yes | Yes | No |
When to Use Each
- GET – read data, no side effects (search, list, retrieve)
- POST – create new resource (orders, users, posts)
- PUT – full update (replace entire resource)
- PATCH – partial update (modify specific fields)
- DELETE – remove resource
HTTP Status Codes
2xx – Success
- 200 OK – successful request
- 201 Created – resource created (POST)
- 202 Accepted – request accepted, processing async
- 204 No Content – successful, no response body
3xx – Redirection
- 301 Moved Permanently – resource moved
- 302 Found – temporary redirect
- 304 Not Modified – cached version valid
- 307 Temporary Redirect – preserves method
4xx – Client Errors
- 400 Bad Request – invalid request
- 401 Unauthorized – missing authentication
- 403 Forbidden – insufficient permissions
- 404 Not Found – resource not found
- 405 Method Not Allowed – unsupported method
- 409 Conflict – resource conflict (duplicate)
- 422 Unprocessable Entity – validation failed
- 429 Too Many Requests – rate limited
5xx – Server Errors
- 500 Internal Server Error – generic server error
- 501 Not Implemented – unsupported method
- 502 Bad Gateway – upstream error
- 503 Service Unavailable – temporary down
- 504 Gateway Timeout – upstream timeout
Status Code Quick Reference
- 2xx – Everything worked
- 4xx – Client messed up
- 5xx – Server messed up
Resource Naming Conventions
Good Practices
/users– collection/users/123– single resource/users/123/posts– nested collection/users/123/posts/456– nested resource/search?q=term– query/api/v1/users– versioning
What to Avoid
- Avoid verbs –
/getUsers❌ - Avoid singular –
/user❌ - Avoid deep nesting – >3 levels ❌
- Avoid spaces –
/user%20list❌ - Avoid uppercase –
/Users❌
Actions as Resources
// For operations that don't map to CRUD
POST /users/123/activate
POST /users/123/deactivate
POST /orders/456/submit
Request & Response Formats
JSON Example
// Request POST /api/users Content-Type: application/json { "name": "Alice", "email": "alice@example.com", "age": 25 } // Response HTTP/1.1 201 Created Content-Type: application/json { "id": 123, "name": "Alice", "email": "alice@example.com", "age": 25, "createdAt": "2024-01-15T10:30:00Z" }
Query Parameters
GET /api/users?page=2&limit=10&sort=name&order=asc GET /api/users?name=Alice GET /api/users?age_gte=18&age_lte=30
Pagination
// Response with pagination metadata { "data": [ ... ], "pagination": { "page": 2, "limit": 10, "total": 56, "pages": 6, "next": "/api/users?page=3&limit=10", "prev": "/api/users?page=1&limit=10" } } // Alternative: Link headers Link: </api/users?page=3&limit=10>; rel="next", </api/users?page=1&limit=10>; rel="prev"
Filtering & Sorting
GET /api/users?filter=active&sort=-createdAt GET /api/users?fields=name,email GET /api/users?include=posts,comments
Authentication & Authorization
API Keys
GET /api/users
X-API-Key: abc123xyz
// Or in query
GET /api/users?api_key=abc123xyz
Basic Auth
GET /api/users Authorization: Basic dXNlcjpwYXNz
Bearer Token (JWT)
GET /api/users Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
OAuth 2.0
GET /api/users Authorization: Bearer // access token // Refresh token POST /oauth/refresh { "refresh_token": "abc..." }
JWT Structure
// Header { "alg": "HS256", "typ": "JWT" } // Payload { "sub": "1234567890", "name": "Alice", "iat": 1516239022, "exp": 1516242622 } // Signature HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )
Versioning
URL Versioning
GET /api/v1/users GET /api/v2/users
Header Versioning
GET /api/users Accept-Version: v1
Query Versioning
GET /api/users?version=1
Content Negotiation
GET /api/users Accept: application/vnd.myapp.v1+json
API Design Best Practices
- Use HTTPS – encrypt all traffic
- Version your API – from day one
- Use nouns for resources – not verbs
- Use plural endpoints –
/usersnot/user - Use proper HTTP status codes – don't return 200 for errors
- Provide consistent error responses
- Pagination, filtering, sorting – support from day one
- Limit request size – prevent abuse
- Rate limiting – protect your service
- Document your API – OpenAPI (Swagger), Postman
- Use JSON – as the primary format
- Return relevant status codes – 201 for created, 204 for no content
- Use nested resources – for relationships
- Use query parameters – for filtering, sorting, pagination
- Include proper CORS headers – for browser clients
- Log requests – for debugging and monitoring
- Use ETags – for caching and concurrency
- Use
Last-Modified– for caching
Error Response Format
{
"error": {
"code": "INVALID_INPUT",
"message": "The email address is not valid",
"details": {
"field": "email",
"value": "invalid-email",
"reason": "Must be a valid email format"
},
"timestamp": "2024-01-15T10:30:00Z",
"path": "/api/users"
}
}
Success Response Format
{
"data": { ... },
"meta": {
"timestamp": "2024-01-15T10:30:00Z",
"version": "v1"
}
}
CORS Headers
Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Headers: Content-Type, Authorization Access-Control-Allow-Credentials: true Access-Control-Max-Age: 86400
Documentation (OpenAPI 3.0)
// openapi.yaml
openapi: 3.0.0
info:
title: User API
version: 1.0.0
paths:
/users:
get:
summary: List users
parameters:
- name: page
in: query
schema:
type: integer
responses:
200:
description: OK
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/User'
components:
schemas:
User:
type: object
properties:
id:
type: integer
name:
type: string
Common API Patterns
CRUD Operations
// Create POST /users // Read (list) GET /users // Read (single) GET /users/123 // Update PUT /users/123 // Delete DELETE /users/123
Bulk Operations
POST /users/bulk
{
"data": [ ... ]
}
POST /users/bulk/delete
{
"ids": [1, 2, 3]
}
Search
GET /users?q=alice
POST /users/search
{
"name": "Alice",
"age_min": 18
}
Status / Health
GET /health GET /status GET /ping
📌 Quick Reference
Methods: GET (read), POST (create), PUT (replace), PATCH (partial), DELETE (remove)
Status codes: 2xx (success), 4xx (client error), 5xx (server error)
Authentication: API Key, Basic Auth, Bearer Token (JWT), OAuth 2.0
Versioning: URL (/v1), Header (Accept-Version), Query (?version=1)
Pagination: page/limit, offset/limit, cursor
Documentation: OpenAPI 3.0 (Swagger)
Best practices: HTTPS, versioning, proper status codes, JSON, rate limiting, CORS
Status codes: 2xx (success), 4xx (client error), 5xx (server error)
Authentication: API Key, Basic Auth, Bearer Token (JWT), OAuth 2.0
Versioning: URL (/v1), Header (Accept-Version), Query (?version=1)
Pagination: page/limit, offset/limit, cursor
Documentation: OpenAPI 3.0 (Swagger)
Best practices: HTTPS, versioning, proper status codes, JSON, rate limiting, CORS