ENGIMY.IO - CHEATSHEET
REST API × QUICK REFERENCE
REFERENCE v1.0

REST API Quick Reference

Everything you need day‑to‑day – endpoints, status codes, security, and best practices.

What is REST?

  • REpresentational State Transfer
  • Architectural style for designing networked applications
  • Uses HTTP as the protocol
  • Stateless – each request contains all necessary information
  • Resources identified by URLs (Uniform Resource Locators)

REST Constraints

  • Client‑Server – separation of concerns
  • Stateless – no client context stored on server
  • Cacheable – responses can be cached
  • Uniform Interface – consistent API design
  • Layered System – intermediaries (load balancers, proxies)
  • Code on Demand – optional, executable code

HTTP Methods

Method Purpose Idempotent Safe Body
GET Retrieve a resource Yes Yes No
POST Create a new resource No No Yes
PUT Replace a resource Yes No Yes
PATCH Partially update a resource No No Yes
DELETE Delete a resource Yes No No
HEAD Retrieve headers only Yes Yes No
OPTIONS Get supported methods Yes Yes No

When to Use Each

  • GET – read data, no side effects (search, list, retrieve)
  • POST – create new resource (orders, users, posts)
  • PUT – full update (replace entire resource)
  • PATCH – partial update (modify specific fields)
  • DELETE – remove resource

HTTP Status Codes

2xx – Success
  • 200 OK – successful request
  • 201 Created – resource created (POST)
  • 202 Accepted – request accepted, processing async
  • 204 No Content – successful, no response body
3xx – Redirection
  • 301 Moved Permanently – resource moved
  • 302 Found – temporary redirect
  • 304 Not Modified – cached version valid
  • 307 Temporary Redirect – preserves method
4xx – Client Errors
  • 400 Bad Request – invalid request
  • 401 Unauthorized – missing authentication
  • 403 Forbidden – insufficient permissions
  • 404 Not Found – resource not found
  • 405 Method Not Allowed – unsupported method
  • 409 Conflict – resource conflict (duplicate)
  • 422 Unprocessable Entity – validation failed
  • 429 Too Many Requests – rate limited
5xx – Server Errors
  • 500 Internal Server Error – generic server error
  • 501 Not Implemented – unsupported method
  • 502 Bad Gateway – upstream error
  • 503 Service Unavailable – temporary down
  • 504 Gateway Timeout – upstream timeout

Status Code Quick Reference

  • 2xx – Everything worked
  • 4xx – Client messed up
  • 5xx – Server messed up

Resource Naming Conventions

Good Practices
  • /users – collection
  • /users/123 – single resource
  • /users/123/posts – nested collection
  • /users/123/posts/456 – nested resource
  • /search?q=term – query
  • /api/v1/users – versioning
What to Avoid
  • Avoid verbs/getUsers
  • Avoid singular/user
  • Avoid deep nesting – >3 levels ❌
  • Avoid spaces/user%20list
  • Avoid uppercase/Users

Actions as Resources

// For operations that don't map to CRUD
POST /users/123/activate
POST /users/123/deactivate
POST /orders/456/submit

Request & Response Formats

JSON Example

// Request
POST /api/users
Content-Type: application/json
{
    "name": "Alice",
    "email": "alice@example.com",
    "age": 25
}

// Response
HTTP/1.1 201 Created
Content-Type: application/json
{
    "id": 123,
    "name": "Alice",
    "email": "alice@example.com",
    "age": 25,
    "createdAt": "2024-01-15T10:30:00Z"
}

Query Parameters

GET /api/users?page=2&limit=10&sort=name&order=asc
GET /api/users?name=Alice
GET /api/users?age_gte=18&age_lte=30

Pagination

// Response with pagination metadata
{
    "data": [ ... ],
    "pagination": {
        "page": 2,
        "limit": 10,
        "total": 56,
        "pages": 6,
        "next": "/api/users?page=3&limit=10",
        "prev": "/api/users?page=1&limit=10"
    }
}

// Alternative: Link headers
Link: </api/users?page=3&limit=10>; rel="next",
      </api/users?page=1&limit=10>; rel="prev"

Filtering & Sorting

GET /api/users?filter=active&sort=-createdAt
GET /api/users?fields=name,email
GET /api/users?include=posts,comments

Authentication & Authorization

API Keys
GET /api/users
X-API-Key: abc123xyz

// Or in query
GET /api/users?api_key=abc123xyz
Basic Auth
GET /api/users
Authorization: Basic dXNlcjpwYXNz
Bearer Token (JWT)
GET /api/users
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
OAuth 2.0
GET /api/users
Authorization: Bearer // access token

// Refresh token
POST /oauth/refresh
{
    "refresh_token": "abc..."
}

JWT Structure

// Header
{
    "alg": "HS256",
    "typ": "JWT"
}

// Payload
{
    "sub": "1234567890",
    "name": "Alice",
    "iat": 1516239022,
    "exp": 1516242622
}

// Signature
HMACSHA256(
    base64UrlEncode(header) + "." + base64UrlEncode(payload),
    secret
)

Versioning

URL Versioning
GET /api/v1/users
GET /api/v2/users
Header Versioning
GET /api/users
Accept-Version: v1
Query Versioning
GET /api/users?version=1
Content Negotiation
GET /api/users
Accept: application/vnd.myapp.v1+json

API Design Best Practices

  • Use HTTPS – encrypt all traffic
  • Version your API – from day one
  • Use nouns for resources – not verbs
  • Use plural endpoints/users not /user
  • Use proper HTTP status codes – don't return 200 for errors
  • Provide consistent error responses
  • Pagination, filtering, sorting – support from day one
  • Limit request size – prevent abuse
  • Rate limiting – protect your service
  • Document your API – OpenAPI (Swagger), Postman
  • Use JSON – as the primary format
  • Return relevant status codes – 201 for created, 204 for no content
  • Use nested resources – for relationships
  • Use query parameters – for filtering, sorting, pagination
  • Include proper CORS headers – for browser clients
  • Log requests – for debugging and monitoring
  • Use ETags – for caching and concurrency
  • Use Last-Modified – for caching

Error Response Format

{
    "error": {
        "code": "INVALID_INPUT",
        "message": "The email address is not valid",
        "details": {
            "field": "email",
            "value": "invalid-email",
            "reason": "Must be a valid email format"
        },
        "timestamp": "2024-01-15T10:30:00Z",
        "path": "/api/users"
    }
}

Success Response Format

{
    "data": { ... },
    "meta": {
        "timestamp": "2024-01-15T10:30:00Z",
        "version": "v1"
    }
}

CORS Headers

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 86400

Documentation (OpenAPI 3.0)

// openapi.yaml
openapi: 3.0.0
info:
  title: User API
  version: 1.0.0
paths:
  /users:
    get:
      summary: List users
      parameters:
        - name: page
          in: query
          schema:
            type: integer
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/User'
components:
  schemas:
    User:
      type: object
      properties:
        id:
          type: integer
        name:
          type: string

Common API Patterns

CRUD Operations
// Create
POST /users
// Read (list)
GET /users
// Read (single)
GET /users/123
// Update
PUT /users/123
// Delete
DELETE /users/123
Bulk Operations
POST /users/bulk
{
    "data": [ ... ]
}

POST /users/bulk/delete
{
    "ids": [1, 2, 3]
}
Search
GET /users?q=alice
POST /users/search
{
    "name": "Alice",
    "age_min": 18
}
Status / Health
GET /health
GET /status
GET /ping
📌 Quick Reference
Methods: GET (read), POST (create), PUT (replace), PATCH (partial), DELETE (remove)
Status codes: 2xx (success), 4xx (client error), 5xx (server error)
Authentication: API Key, Basic Auth, Bearer Token (JWT), OAuth 2.0
Versioning: URL (/v1), Header (Accept-Version), Query (?version=1)
Pagination: page/limit, offset/limit, cursor
Documentation: OpenAPI 3.0 (Swagger)
Best practices: HTTPS, versioning, proper status codes, JSON, rate limiting, CORS
← Back to All Cheatsheets