4. Common Design Challenges

Question 1

What are authentication and authorization commonly abbreviated as?

Answer 1

AuthN and AuthZ respectively.

Question 2

What can authorization depend on?

Answer 2

1. Identity
2. Group membership
3. Subscription level
4. Context (time of day, location, device)
5. Actions attempted
6. …

Question 3

What are the three most common API patterns for implementing authentication and authorization?

Answer 3

1. API Keys
2. Create Your Own Protocol
3. OAuth 2.0

Question 4

What are the benefits and drawbacks of using API Keys as a method of authentication and authorization?

Answer 4

Benefits:

1. Framework and programming language agnostic
2. Easy to add as a header or even to the URL

Drawbacks:

1. URLs are convenient but logged everywhere (not a secret)
2. Not easy to update/rotate if compromised

Question 5

What are the benefits and drawbacks of creating your own protocol for authentication and authorization?

Answer 5

Benefits:
1. None! Do not do this under any circumstances, EVER

Drawbacks:

1. Untested, unproven, supported by us
2. Everyone needs training on it
3. No supporting tools, ecosystems, or libraries

Question 6

What is OAuth 2.0?

Answer 6

It’s an authorization protocol. It doesn’t define how you authenticate, just that you must authenticate with a trusted entity. The access token you then get back describes or internally maps to a description of what actions you are or are not allowed to perform.

Question 7

What is the recommended API pattern for implementing authentication and authorization?

Answer 7

OAuth 2.0

Question 8

What are the benefits and drawbacks of using OAuth 2.0 for API as the method of authentication and authorization in your APIs?

Answer 8

Benefits:

1. Reliable and well-established
2. Massive ecosystem
3. Open-source and commercial options

Drawbacks:
1. Complicated and not easy to implement the first time

Question 9

What are the two primary schools of thought for versioning an API, and what is the high-level practical difference between them?

Answer 9

1. Versioning via Resource URL
2. Versioning via Accept Header

Resource URL is easier and more explicit, whereas Accept Header is “proper.”

Question 10

What does the Accept header specify in a HTTP request?

Answer 10

It specifies the formats that the client understands and asks the API to give back. This is called content negotiation.

Question 11

What is content negotiation in its three levels?

Answer 11

It’s the process of establishing the markup/notation for an API endpoint to return. This is done by an Accept header and is usually established as XML or JSON.

At the next level, the media type may also be established, which practically means the structure of the markup (XML/JSON).

At the third and final level, the version of the media type and the resource may also be established.

Question 12

What is a media type in the context of content negotiation?

Answer 12

A well-defined structure that both the client and the server know how to handle.

Question 13

What are the benefits and drawbacks of using the URL for API versioning?

Answer 13

Benefits:

1. Clear and explicit
2. Nothing is lost when you copy and paste

Drawbacks:
1. Is not considered “pure”

Question 14

What are the benefit and the drawback of returning key-value pairs such as JSON from API endpoints?

Answer 14

Benefit:
It’s incredibly easy to consume.

Drawback:
It becomes harder to extend and impossible to add detail about the data as it gets more and more complex

Question 15

What are media types in the context of API responses?

Answer 15

Media types allow us to use a commonly structured JSON file to move data back and forth.

Question 16

What are the three most popular media types?

Answer 16

1. Collection+JSON
2. Hypertext Application Language (HAL)
3. The Ion Hypermedia Type

Question 17

What are the characteristics of the Collection+JSON media type?

Answer 17

1. Designed specifically to deal with groups or collections of resources
2. Can also represent single items as a set of one
3. In use, helper libraries and examples.

Question 18

What are the characteristics of the Hypertext Application Language (HAL) media type?

Answer 18

1. Separates the payload into two parts — data and _links
2. Can also represent single items as a set of one.
3. Growing use, helper libraries and examples

Question 19

What are the drawbacks of the Hypertext Application Language (HAL) media type?

Answer 19

1. Can be verbose (though not significantly so)
2. Having metadata in _links separate from data is odd and this makes it easy to lose context and not explore as appropriate

Question 20

What are the characteristics of the Ion Hypermedia Type?

Answer 20

1. Designed specifically to key data
2. Metadata logically grouped and easier to process and apply
3. Little use, fewer helper libraries and examples

Question 21

What does hypermedia mean?

Answer 21

It means that the media in question is non-linear. Think of a “choose your own adventure” book — you don’t start from page one and make your way onto the last page sequentially.

Question 22

What is content negotiation?

Answer 22

The mechanism that allows different versions of the same document to exist at a single URL so the client and the server can determine which version best fits their needs.

Question 23

What is caching in the context of HTTP headers?

Answer 23

A way of storing and retrieving data so that future requests can retrieve it faster without performing an operation (calculation, network request, etc.) again.

Question 24

What HTTP header is used for caching, and how does it come about?

Answer 24

ETag, which is generated by the server and returned to the client.

Question 25

How does ETag work?

Answer 25

1. Client makes a request.
2. Server responds and creates an ETag based on resource state.
3. Client makes a HEAD request (same request as before)
4. If the data is unchanged, the server returns the same ETag — complete.
5. If the data is changed, the server returns a new ETag.
6. If the ETag is changed, the client recognises this and makes a full request.

Question 26

What can be said about distributing API documentation via PDF?

Answer 26

Don’t do it. You’ll have the problem of having multiple versions floating around, no one knowing which version is right, and your customers never knowing if things are quite right.

Question 27

What is an important capability that a documentation versioning strategy should have to ease the process of figuring out what has changed for developers?

Answer 27

It should provide history and versioning information to provide the ability to compare the current documentation with the older ones.

Question 28

What should be our goals when creating API documentation?

Answer 28

1. Code snippet friendly
2. Provides page history, specifically user facing
3. Easy to update
4. Searchable — if we can’t find it, it doesn’t exist

Question 29

What are the benefits and the drawback of using Wikis for API documentation?

Answer 29

Benefits:

1. Code snippets
2. Page histories
3. Easy to maintain
4. Search friendly

Drawback:
It’s either updated or not — there’s no workflow or staging space in most systems.

Question 30

What are the benefits and the drawback of using Jekyll or other static site generators for API documentation?

Answer 30

Benefits:

1. Code snippets via plugins
2. Page histories via Git
3. Easy to maintain
4. Search friendly

Drawback:
You’re working in raw text or markup, which may be a challenge for your team.