REST Resource Naming Guide

Comments

1. Hi,

   does it make sense to define a resource with an ’empty’ name, e.g.

   GET / HTTP/1.1
   Host: somehost.com
   ….

   I found something like this by my contributor; the server answers with some data from/about .net world. I requested actually some information (meta data) about the given API in the HEAD method.
   Is it a good solution?

   Reply

   • Personally, I will not go with this approach. And I will not be able to offer any suggestion without context.

     Reply

2. Hi,
   Great article, but I have a question.
   How can I get the filtered list of managed-devices with the name contains a string

   HTTP GET http://api.example.com/device-management/managed-devices?title|like=phone

   Reply

   • I find it pretty straight HTTP GET .../managed-devices?name=NOKIA shall return all devices with name containing Nokia (case-insensitive).

     Do you see any challenge in this?

     Reply

3. Hi,

   I have a question regarding resources with validity period. What should be resource identifier?

   Let say I have a resource document-template with attributes code, template, validFrom, validTo, e.g.:
   [GET] /document-templates returns:
   [
   {“code”: “doc1”, “template”: “This is template of doc1 ${code}”, “validFrom”: “2020-07-10T15:00:00”, “validTo”: “2021-07-10T15:00:00”},
   {“code”: “doc1”, “template”: “This is newer version of template of doc1 ${code}”, “validFrom”: “2021-07-10T15:00:01”, “validTo”: null}
   ]

   In database there would be an artificial ID for every resource, and ofc it could be a resource identifier, but what if I don’t want to communicate with such resource identifier but with code instead?

   Is there some propper way to do it?
   e.g. /document-templates/{id} would return only currently valid resource and if not valid resource is required, then it could be accessible through
   /document-templates?code=doc1&validAt=2021-01-01T15:00:00

   or is it correct that resource has no resource identifier and there is no endpoint /document-templates/{id} and if you want a resource you have to search for it using query params?

   Thanks

   Reply

   • Are you simply referring to “versions” of documents?

     e.g. /document-template/versions/current

     for previous versions:
     /document-template/versions -> then have a list of previous document-templates versions on this page?

     This way, users can access the ‘current’ document-template always at /versions/current and if they require older versions they can simply select from a list of previous versions at /document-template/versions

     Obviously “versions” naming can be changed to whatever is more appropriate and I am just using it here to help communicate my point.

     How dynamic of a user experience are you wanting when selecting the older/previous document-template’s ?

     Reply

4. For 2.1.4. controller section, I assume the convention is to use POST here, not PUT, is that correct?
   Or should this still follow the POST vs PUT determination?

   For example, let’s assume that I have an endpoint to create and run batches.
   In this case, I would use
   POST /batches/run
   because this would create a new batch (in the database) and then immediately run it.

   However, if after creation, I would like to select a particular batch (and all associated records) and send data, would I use PUT, i.e.
   PUT /batches/{id}/send

   or still use
   POST /batches/{id}/send

   Sending another batch send request will do nothing since the batch checks its status, if already sent, do nothing, so to me this follows the PUT naming convention, however I’ve never seen controller actions with the PUT naming convention.

   Reply

5. Hello beautiful people 🙂

   I have a very common question which I can’t seem to find the answer for.

   I’m developing an API which has different areas to access; an admins area, a business area and users area.

   To be RESTful, I divided the code for each of them. But how do I design the routes? I don’t know if this approach is RESTful:

   1- something.com/api/admins/some-resource
   2- something.com/api/businesses/some-resource
   3- something.com/api/users/some-resource

   I would be more than happy to get some RESTful ideas, thank you 🙂

   Reply

   • Ideally, you are sending a token / authorisation key of some sort when hitting these apis.

     This should tie into the user in the backend and the server should be able to determine if the current user is an admin / business owner / typical user, so there really should just be one endpoint.

     GET something.com/api/some-resource.

     This should also determine user access not to resources as a whole, but also on a row by row basis.
     For example, if we have users that can post,
     DELETE/user/3/post/5
     should only occur if current user (via token) = owner (i.e. he/she is user 3).

     Reply

     • you need a middleware for protected endpoints to check a users entitlements for each end point.

       Reply

     • Hi Nick & Red,
       I also pay attention to this question. But I don’t think Nick’s answer is good.
       For changing password:
       If you are admin, it should be:
       + PUT: /users/{id}/password. // change password a user
       But if you are a user, who is changing his password, it should be:
       + PUT /{proper_word}/password. // change his password
       + Suggest: /auth/password

       For getting devices, If you are admin, it should be:
       + GET: /devices // get all devices
       + GET: /users/{id}/devices // get devices of a user
       But if you are a user, who get his device
       + GET /auth/devices

       Because we shouldn’t add {id} in this path and verify {id} again with token. And need a distinction for 2 purposes.
       + /users/{id} -> get id from path
       + /auth -> get id from token

       Reply

6. Thanks for a great article!

   The resource archetypes don’t seem to clarify the differences between a collection and a store enough.
   I cant recognize how they differ through your URIs examples.

   Reply

   • A store is simply a collection of resources where we do not create any new resource in the system when we add something to the store; or we do not delete the resource from the system when we delete something from the store.

     You can think of a store as a shopping cart. When we can add and remove items from the cart, but actual items in the system do not change.

     Reply

7. Hello friends, good morning

   I have a service as follows:

   PUT api.com/v1/sellers/1

   My problem is that this service is divided into several parts (status editing, name editing) because not all users have access to both services, I have to convert the service into two separate services. Is my method wrong ??

   PUT api.com/v1/sellers/1/status
PUT api.com/v1/sellers/1/name

   If so, what is the correct method?

   Reply

   • Forsake of simplicity. I find your methods correct. Combining everything in one API and making it complex – I will not suggest that.

     Reply

     • Not OP, but I have a follow-up question.

       My situation is I have a resource–an item in a to-do list–that I want to perform different actions on. I have a button to increase priority and another button to decrease priority, both of which make a PUT request to my server.

       Right now, I have a single route that handles both actions, but given what you said above about not combining everything, I want to split it into several routes. I was thinking:

       PUT /items/{id}/increase-priority
       PUT /items/{id}/decrease-priority

       Does that sound okay to you? Above you wrote, “URIs should only be used to uniquely identify the resources and not any action upon them”, but I thought this might be an exception to that rule.

       Reply

       • PUT /items/{id}/priority sounds good enough to me. It’s a simple PUT API where we pass the latest number associated with the priority. Increase or decrease action is not important here. Even if the action is important, can’t we conclude that on the server-side by comparing the last stored priority in DB and the latest priority in the PUT request?

         A bigger number means increased priority and a lesser number means decreased priority.

         Reply

8. Great article, thank you!
   Is there a common convention on how to differentiate an internal service API (used by own clients) from the external API (used by other applications)? For the external API, a stable contract and versioning is required. E.g.

   /internal/users
   vs.
   /api/v1/users

   Reply

   • I have not come across such a discussion. I will leave this to others to share their thoughts.

     Reply

   • Your case is a common one that in Laravel framework for PHP, it is handled by separating them in two files : web.php and api.php.
     The /internal/users route or endpoint is placed in web.php file, while /api/v1/users is placed in api.php.
     That is exactly I will do in my application using Laravel if I have that similar case.
     I don’t know how it is handled in Node.Js/Express, Java, ASP.net or other server side techs.

     Reply

   • i question the premise “for external api, a stable contract and versioning is required”. this seems to be a principle relevant to all apis, internal, external, whatever. i think the point of differentiation will be the resource name itself. i’m not convinced that the internal definition of user resource is same as the external definition. perhaps the uri needs more clarity as to the context under which the user is relevant (system user, app user, account user, etc.).. hth

     Reply

9. Great article, it really helps a lot.

   I got a doubt now，for I am doing an upgrade operation now. Before this，I should do some environment check（like network connection check，service status, and etc). So I made a post API like this:

   POST /upgrade/environment/check

   Because the “check” is a time-consuming operation，so it’s an asynchronous operation. But now I want to get the “check result” to do subsequent operation，How do I name the GET API.

   Now I made it like this.

   GET /upgrade/environment/check/status

   I think it’s a bad name，What’s your opinion？
   Sorry for my poor English, Thanks for any suggestions.

   Reply

   • I will have a separate API for returning the status of long-running jobs submitted from any API in the system. So your /check API will run the checks and submit the progress to a JMS topic.

     Any API/application interested in the status of any Job, must subscribe to the correct topic/queue e.g. /jobs/job-status. And in the post body, it can provide the name of the queue name “network-upgrade-check”.

     Reply

   • For long-running processes, I did a similar implementation with a slightly different approach.

     POST /jobs/{job-type} – Creates an instance of a job and it gets processed by an asynchronous job handler in the backend. Pass required job request in the body. If a job name is known, pass it as the job-type

     GET /jobs/{job-type}/status – Returns the status of the job.

     POST /events – I also used this API to trigger an event in the system as part of any API completion or anything else.

     Reply

10. I have a question regarding the rest api.
    When I have a product and a pricing domain and want to search for a product priced by pricing, how do I determine the uri? For example, I have a product with an id of 1 and pricing policies A and B. How do I get the uri to retrieve a product with id 1 priced through pricing A?

    1. Get /products/1/pricing/a
    2. Get /products/1/calculate/pricing/a

    The uri I was thinking about is the two above. Do you have any other suggestions?

    Reply

    • Hey wonjin what about query parameter? since you are filtering products it looks like a query parameter instead of a path parameter. I think that you return products with price=a and not pricing objects.

      GET /products/1?pricing=a

      Reply

    • I would think avoid second option as it as a verb and the recommendation is to avoid any verb or action

      Reply

11. Thanks for the contribution, I have two questions

    1. If I want to quit a team, which one if prefer
    DELETE /teams/{team_id}/user
DELETE /teams/{team_id}/user/quit

    delete a user from a team means to quit, but information seems not clear enough

    2. if I need to send some email, which is better

    /users/email/send-verification
/users/email/send-reset-password

    /users/send-verification-email
/users/email/send-reset-password-email

    thanks

    Reply

    • 1. Players keep changing in a team, So I would have 2 resources historical/versioned team and the current team.
      You are talking about the current team, then delete the user from the team

      DELETE /teams/{team_id}/user/{userId}
      Once a new member is added or deleted, I will make a copy of the previous team for historical records.

      2. I would have an email field in the user table. If they have multiple emails, always designate one as primary.
      /users/{userId}/ to get and set email

      I will have a verification email as a different resource. Then
      POST /users/{userId}/verification-email – will post the request for sending verification email
      GET /users/{userId}/verification-email – will get the status of last verification email, timestamp etc.

      Reply

    • Hello,
      I am answering the second question. I think it would be more readable if you remove send- from the URI. My mentor advises me not to use verbs, but nouns.
      So the request will be:

      /users/email/verification
/users/email/reset-password

      Reply

12. Great article I have a doubt I have the next endpoints:

    localhost:8080/api/product: //can return one or more products given an array of ids
    maps to : (@RequestBody List<IdContainer> companyId)

    localhost:8080/api/product: // return 0 or N products
    maps to: getProductsAll() ;

    How should I name each endpoint?

    Reply

    • HTTP GET localhost:8080/api/products shall return all products. For a set of product ids, pass them as query parameter to filter i.e. HTTP GET localhost:8080/api/products?ids=1,2,3,4

      Reply

13. Hello,

    I’m a part-time developer, so I don’t keep up with these types of issues on a regular basis:

    Is there any discussion of an API standards definition for base object classes? For example, using this site’s terminology, will there ever be a standard Document for a Person base class, Location base class, etc?

    I find it interesting that almost every API I’ve developed has a couple of Document types that are reused to the point that I just copy/paste from my personal library when they’re needed. It would be nice if there was a universally recognized Person class that I could extend to meet my needs. More importantly, if I consumed someone else’s API, I would know that their RegisteredUser class, for example, extends this Person base class as well.

    In my opinion, APIs are THE next major advancement interoperability, personal devices/cool-bells-and-whistles notwithstanding. I think we’re still in the Wild West days of API technology but I would love to see some structure put around this, if it doesn’t already exist.

    Regards

    Zac

    Reply

    • What you are looking for does exist, have a look at RDF at https://en.wikipedia.org/wiki/Resource_Description_Framework

      Some nice RDFs are:

      FOAF: http://xmlns.com/foaf/spec/
      and
      DC: https://www.dublincore.org/specifications/dublin-core/

      Have fun!

      Reply

14. Really helpful article, thank you for taking your time and writing this.

    I have a question regarding naming of resource. If I want to fetch all the document-links in a document based on the type and version.

    Option 1: GET /documents/{type}/links?version=x&other=params

    Option 2: GET /documents/{type}/{version}/links?other=params

    Which endpoint naming should I follow?

    Reply

    • Hello. I think the better option will be GET http://documents/{document-id}/document-links?type=YOUR-TYPE&version=YOUR-VERSION
      Ps. You can simplify it to links from document-links, as you want.
      Hope, it will be helpful for you 🙂

      Reply

      • Hi.
         
        First. A very good guide on naming! Thanks.
         
        It is worth mentioning that hierarchical URLs may lead to problems if we (possibly at a later stage) want to enable filtering that span document-links of different document-ids. How can we represent such collection?  
         
        Alternative 1 – use some wildcard notation (*):
        http://documents/*/document-links?type=YOUR-TYPE&version=YOUR-VERSION
        
        The ‘*’ would need to be escaped and it is hard to find a good word that is intuitive. Maybe ‘null’ or ‘any’ would work?
         
        http://documents/null/document-links?type=YOUR-TYPE&version=YOUR-VERSION
http://documents/any/document-links?type=YOUR-TYPE&version=YOUR-VERSION
         
        …but this is a bit unconventional and not intuitive. We will not get support in standards like OpenAPI and in many server-side implementation frameworks you would have to do some workaround because it does not fit with out-of-the-box functionality.
         
        Alternative 2 – have all collections on the same level
         
        http://documents/{id}
http://document-links/{id}
         
        A search that spans multiple documents:
        http://document-links?type=YOUR-TYPE&version=YOUR-VERSION
         
        …and we would still be able to filter inside a specific document (documentId=abc123) by adding one more filter:
         
        http://document-links?documentId=abc123&type=YOUR-TYPE&version=YOUR-VERSION

        With this URL style we are able to introduce filtering based on fields without restricting them to be inside a specific document:
        http://document-links?type=YOUR-TYPE&version=YOUR-VERSION
         
        and are still able to filter within the scope of a specific document
        http://document-links?documentId=1type=YOUR-TYPE&version=YOUR-VERSION
         
        The hierarchical URL style is a bit easier to read but putting all collections on the same level makes it easier to extend the API with new filtering options and thus may be more suited for future requirements. 

        Reply

        • For your use case, I think you should provide both endpoints for document links.

          Documents being the key for access for document-links, the clients would call:
          /documents/{id}/document-links?type=YOUR-TYPE&version=YOUR-VERSION

          If they have specific type of links they are interested irrespective of , then they could call
          /document-links/{id}/document-links?documentId=abc123&type=YOUR-TYPE&version=YOUR-VERSION

          Allow both ways to access for clients depending on the need.

          Reply

          • I’d rather use as an easy to implement solution

            GET /documents?type=YOUR-TYPE&version=YOUR-VERSION&fields=links HTTP/1.1
            Host: api.example.org

            which means give me only the field links from all the documents you can find of a certain type and of a particular version

            Nice post on the available standard options
            https://www.freshblurbs.com/blog/2015/06/25/api-representations-prefer.html

            or you could use odata standard query approach

            https://www.odata.org/getting-started/basic-tutorial/

15. Thank you for a very interesting article. One of the very few that talk about a controller archetype.

    Here is my question to you. Let’s say you want to define the end-points for a College. You have a list of all courses available to the students for Fall 2019. This includes the course title, description, number of credits, pre-requisits … etc. The URI would would be https://api.mycollegesite.com/courses/2019/fall

    At the same time, you want to access the courses for which a particular student has registered for fall 2019. Those would include the ID of the course, the grade, the grades for each homework, grades for each exam …

    The URI would be https://api.mycollegesite.com/students/123456/courses/2019/fall

    Given that the resource returned by the first end-point is substantially different from the resource returned by the second end-point, should the resource name “courses” be used in both or is it better to have different resoure names?
    Would be better to replace the first URI by
    https://api.mycollegesite.com/courses/curriculum/2019/fall or
    https://api.mycollegesite.com/curriculum/courses/2019/fall

    Reply

    • First URI: Courses seems to be the “collection” and year & semester are filters.

      1. /courses?year=2019&semester=fall

       
      Second URI: Grades belong to each student so they could be a collection under students. These are filtered by semester. Grades could also be their own collection (maybe you want to get all grades for visualization?). If it’s useful for grades to exist independent from students, you can make grades their own collection.

      1. /students/{id}/grades?year=2019&semester=fall
      2. /grades?student_id=123&year=2019&semester=fall

       
       

      Reply

16. Hi there, Thanks for this rules list.
    I was wondering is there a naming convention for secured resources (endpoint protected by login/password ?)

    Reply

    • I think, those aforementioned conventions are enough, so as to comply with uniform interface constraint. The difference is to access secured resources, it must follow authentication mechanism which is a common practice.

      Reply

17. Excuse me, I have a question about hierarchical relationships. How to define the number of layers, whether the parameter in the path are counted as one layer.
    For example, if “/device-management/managed-devices” has two hierarchies, then how many hierarchies in “/device-management/managed-devices/{id}“? three? or still two?

    Reply

    • I am curious to know why you want to count the number of layers in the URI. But, anyway, for the given case, there are 3 layers, as the forward slashes are used to define relationships.
      “/device-management/managed-devices” is a collection
      while
      “/device-management/managed-devices/{id}” is a document (per definition of resource archetype)

      Reply

18. I think it is fair for the store archetype to use singular nouns. It is not designed to be an access point for individual items in it, which means URL pattern like the following is not used in general:

    …/store/{item-id}

    On the other hand, using “users/{id}/carts” leaves the impression that a user may have multiple carts. In fact, in your later controller examples, you used singular nouns (cart and playlist) for store as well:

    http://api.example.com/cart-management/users/{id}/cart/checkout
    http://api.example.com/song-management/users/{id}/playlist/play

    Reply

    • Nice catch on the two examples of controller resource. I wait for explanation/clarification of the admin, in case he had typos in those examples.

      Reply

    • I think I picked up the incorrect example. Fixed it.

      Reply

19. The problem with your logic is that collections aren’t the only resource that can act as a “directory”. All resources could potentially contain an infinite tree structure, so you might as well say all resources should have a trailing slash.

    A user could have a list of accounts and a separate URI for its address as you could consider addressing a separate resource. So you have /users/{userId}/accounts and /users/{userId}/address, therefore /users/{userId} is also a “directory” even though it only represents a singular resource, not a collection.

    Reply

20. Hey,
    Regarding using query component to filter URI collection – how should I do it if I want only managed-devices that has region field exists? Not specific region=USA, only that region exists?

    Reply

    • Maybe you can use a specific parameter to denote that the parameter is to be used for region field existence, e.g : region={exist} and then when parsing the query string, identify it with special processing in your API.

      Reply

21. Hi,

    Great article thank you,
    I have a question for naming of resource:
    – There are two api in my project. One of them is sending single message to my service. The other one sending multiple message to my service. How to naming of them correctly ?

    I am using this one, but i am sure there is better way to naming them.

    POST: api/v1/tickets/message // Single message
    POST api/v1/tickets/messages // Multiple message

    Reply

    • Without understanding the whole use-case, it would not be correct to suggest appropriate naming. Though, one suggestion is to have only one API "POST api/v1/tickets/messages". It should be accept 1 to N messages.

      Reply

      • “tickets/messages” — collection in a collection, shouldn’t be like this “tickets/{id}/messages?action=sendmultiple
        sendsingle”

        Reply

22. How to name Controller ? eg. If i have resource(Folder) called ‘Customers’ inside this should I create controller called CustomerController or CustomersConstroller ?

    Reply

    • Focus on resource naming. Here, the primary resource is “Customer” so CustomerController is a better name. “Customers” is like a collection of “Customer” resources.

      Reply

23. We use string type ID’s which could include special characters like the forward slash. A typical Url looks like this :
    GET https://hostname/api/v1/resource/AB/124747 / B1
    The spaces and forward slashes suppose to be there. The id in this example is: AB/124747 / B1
    Is there a way to deal with this type of id’s? Or do we have to use querystring type Url like:
    GET https://hostname/api/v1/resource?id=AB/124747 / B1

    Reply

    • I will suggest to consider a design change and replace “/” with another character e.g. hyphen, underscore or hash.

      Reply

    • If you need to keep the “/”, just replace it with something else for your request, as Admin suggested, and then when you retrieve it, parse it and replace that other symbol with “/” again. Example: “AB/124747 / B1” => in your request: “[email protected] @ B1” => after reading it from your request, transform it back to: “AB/124747 / B1”

      Reply

    • Couldn’t you just URL encode your id? So your id /AB/124747 / B1 will become AB%2F124747%20%2F%20B1

      Reply

24. Should the store endpoint have the GET method that returns everything stored or is it up to the client to “remember” the ids?

    Reply

25. There may be another practical reason to avoid trailing slashes.

    They might just not be supported by a particular framework, e.g. JAX-RS.

    See stackoverflow – rest – RESTEasy cutting trailing slash off @Path at https://stackoverflow.com/questions/15196698/rest-resteasy-cutting-trailing-slash-off-path

    Reply

26. This page presents a common myth of CRUD & URIs.

    Roy Fielding writes:
    A REST API must not define fixed resource names or hierarchies (an obvious coupling of client and server). Servers must have the freedom to control their own namespace. Instead, allow servers to instruct clients on how to construct appropriate URIs, such as is done in HTML forms and URI templates, by defining those instructions within media types and link relations.
    https://roy.gbiv.com/untangled/2008/rest-apis-must-be-hypertext-driven

    Reply

    • Thanks for sharing your thoughts. It is right that URIs should be instructed to clients through hypermedia.

      “Servers must have the freedom to control their own namespace” – but still there MUST be some design at server side which will create those hypermedia links in some standard structure. Or please share an example if there is a gap.

      Reply

      • If you use hypermedia in API, syle of URI all the more doesn’t matter for clients or users. Fielding confirms this in his dissertation:
        At no time whatsoever do the server or client software need to know or understand the meaning of a URI — they merely act as a conduit through which the creator of a resource (a human naming authority) can associate representations with the semantics identified by the URI.
        https://www.ics.uci.edu/~fielding/pubs/dissertation/evaluation.htm#sec_6_2_4

        He also said: There is no such thing as a REST endpoint. There are resources. A countably infinite set of resources bound only by restrictions on URL length.
        https://twitter.com/fielding/status/1052976631374000128

        Next, URI does not limit the scope of what might be a resource; rather, the term “resource” is used in a general sense for whatever might be identified by a URI.

        Finally, these APIs is RESTful? Or not? Please, provide argumentation.
        https://developers.facebook.com/docs/graph-api/
        https://api.slack.com/methods
        https://www.flickr.com/services/api/
        https://core.telegram.org/methods
        https://developer.twitter.com/en/docs/api-reference-index.html

        In general, all this talk of URI names is no more than REST buzzwording.

        Reply

    • A REST API must not define fixed resource names or hierarchies (an obvious coupling of client and server).
      You me like this->https://roy.gbiv.com/untangled/2008/rest-apis-must-be-hypertext-driven

      rest-apis-must-be-hypertext-driven seems like a fixed resource name to me.

      Reply

27. Let us say there is a single resource that we need to retrieve via two unique references (id or code) separately:
    *. Option 1.
    /v2/suppliers/{id}
    /v2/suppliers/{code}

    *. Option 2.
    /v2/suppliers/{id}
    /v2/suppliers?code={code}

    So from the above please let me know the preferred option or is there another way?

    Thanks.

    Reply

    • My question would be the reason why you have two URIs for the same resource? I’m here thinking about your database and how you have two unique identifiers for the same entity.

      TLDR: drop the /{code} or drop the /{id}. Use one of them. Query strings are meant to sort collections, not to get a single document.

      Reply

    • Option 1 cant work as the API wouldnt know which field to parse as. You could do
      /v2/suppliers/id/{id}
      /v2/suppliers/code/{code}

      Reply

      • No! What kind of resource is /v2/suppliers/id in this example? Or /v2/suppliers/code ? That’s right, there’s no good answer to that, because this is bad use of REST.
        Toni Maunde’s was just fine. Pick your identifier and stick with it.

        Reply

      • Let’s critical think it through,
        /v2/suppliers/id/{id}
        /v2/suppliers/code/{code}

        Is there a resource collection: /v2/suppliers/id or /v2/suppliers/code? Probably not — that’s an oops. {id} and {code} have no collection to belong to.

        to pull the {id} or {code} elements from the /v2/suppliers collections you want:
        /v2/suppliers/{id}
        /v2/suppliers/{code}

        Obviously, that creates a huge potential for ambiguity, which makes all things involved Client, server, and API consumer, work much harder to know which supplier the URI references.

        To simplify the engine (and the lives of your API consumers), pick one to identify the target resource and use the query pattern for all others. ID seems the better of the two in this case.

        Your API sould use:
        /v2/suppliers/{id}
        /v2/suppliers?code={code}

        Reply

        • What about really singular document URI:
          /v2/supplier/{id}
          /v2/suppliers?code=}code}

          And then you can also have a qualified collections, that does not mix itself up with single resource identifier:
          /v2/suppliers/top

          Or maybe better would be
          /v2/top-suppliers
          ?

          Reply

          • We’ve addressed this use-case by just using the following:

            /api/v1/users/{id}
            /api/v1/users?filter[code]=code

            The first is *the* method of returning a single resource by its primary identifier. This is usually a database primary key in our case.

            The second is the method of returning a list of resources, where any number of fields in the resource can be used to filter (there is also sorting and paging implemented as query options as well). In the case where “code” is referring to a single resource, a list of one item is returned.

    • Option 3.
      /v2/suppliers/{id}
      /v2/suppliers/code/{code}

      Reply

28. Great article!, how do you think access roles should be handled? for example we have two types of users (client and manager), a car can be created by each one of them, but the manager can create cars for other clients, and the client only for himself.

    We have the identity of the user from the token, so when designing the endpoint we are considering several options:

    1. one unique DTO that has the ids for the client and manager
    the endpoint would be the same
    api/cars/
    {
    “carName”:””,
    “ownerId”:””,
    “assignerId”:””
    }

    2. have different endpoints with different DTOs for each one, something like
    api/manager-management/cars
    with this DTO
    {
    “carName”:””,
    “ownerId”:””,
    “assignerId”:””
    }

    api/client-management/cars
    with this DTO
    {
    “carName”:””,
    “ownerId”:””
    }

    3. other….
    What do you think would be a good way to go?

    Reply

    • Use 1.

      Since in the frontend clients shouldn’t be able to set the ownerId and managers should, you must know the role for that (send it in the token).
      In the backend you can use the role in the token to validate the request, ex. if role is client the ownerid must be equal to assignerId if not the client could be hacking the API request.

      best regards.

      Reply

      • I agree with Jorge. Saying it in a different way:
        Your API needs to be able to authorize the user to perform the task. Otherwise, in option 2, anybody could call the manager API and still create cars for others. This could be done by a different client, or by someone maintaining your code (on purpose or by mistake). This is a huge security hole.
        Yeah, I know. It means you need to manage authorization code on the client and in the API.
        There are numerous options for this.
        role-based
        resource-based
        claims-based
        and more
        https://docs.microsoft.com/en-us/aspnet/core/security/authorization/introduction?view=aspnetcore-2.2

        Reply

29. If accountId is an unique global identifier on system , and I want to DELETE an account
    which is better ?

    DELETE /customers/{customerId}/accounts/{accountId}

    or

    DELETE /customers/accounts/{accountId}

    or

    DELETE /accounts/{accountId} ?

    My question is about if I must provide the customerId identifier ( although its not necessary to find the resource ,accountId is enough )

    Regards

    Reply

    • To me, DELETE /accounts/{accountId} is good. No need to complicate this simple requirement.

      Reply

      • If thats the case, only use of having customers/{Id}/ as prefix in URI would be while adding a new account.

        Reply

        • …or getting the accounts for a customer.
          or perhaps I don’t understand your comment.

          Reply

30. What should I name my api if I want to populate some fields? For example, I would like to get the course with university field and the city field of university populated, what is the best practice to do it? Would GET api/course/populated=[university,university.city] work fine?

    Reply

    • You can use JSON object to send data to the API.
      Typical Spring boot example will look like below.

      As there we use User objects, you can use University Object, where you can include all the details you need.

      
      @PostMapping("/users")
          public User create(@RequestBody User user) {
              return userService.create(user);
          }
      

      This is how the User class looks like.
      You can use implementation like this on your language too.

      
      public class User {
          private int id;
          private String firstName;
          private String lastName;
          private String email;
      
          public int getId() {
              return id;
          }
      
          public void setId(int id) {
              this.id = id;
          }
      
          public String getFirstName() {
              return firstName;
          }
      
          public void setFirstName(String firstName) {
              this.firstName = firstName;
          }
      
          public String getLastName() {
              return lastName;
          }
      
          public void setLastName(String lastName) {
              this.lastName = lastName;
          }
      
          public String getEmail() {
              return email;
          }
      
          public void setEmail(String email) {
              this.email = email;
          }
      }
      

      Reply

    • I personally prefer to use the filter _fields in query parameter to limit the fields i want to return from the backend.

      Ex.
      GET api/courses/populated?_fields=university,university.city&_sort=-university.city
      I don’t understand the populated resource, maybe you can remove it.

      —–Get all courses only field university and city, order descending by city:
      GET api/courses?_fields=university,university.city&_sort=-university.city

      Reply

31. http://api.example.com/song-management/users/{id}/playlists

    in php does this mean this?

    $_GET[‘song-management’] = ‘users’;
    $_GET[{id}] = ‘playlists’;

    or it’s actually..

    $_GET[‘page’] = ‘song-management’;
    $_GET[‘find’] = ‘users’;
    $_GET[‘select’] = {id};
    $_GET[‘show’] = ‘playlists’;

    i’m a bit lost in how the API’s URI should behave and how in php would think.

    Reply

    • In PHP the superglobal variable $_GET is used to access query string parameters. If you pass a URL with …/document?foo=bar then you would access the value of ‘foo’ with $_GET[‘foo’]. For managing URIs in a RESTful API written in PHP I recommend Slim Framework. There you define the routes individually or by using groups to form a hierarchy, including variables like {id} in your example. If you try to assign each part of the URI to an associative array you will lose flexibility. What happens when in your example we go to …/playlists/3/songs/7/history? You have to think of an index name for each part of that, which isn’t going to happen. More likely you’ll convert the entire URI into a string and use regular expressions to match predefined patterns that refer to a particular controller or controllers. But this would be better handled by a well-maintained framework, and Slim is the best I’ve found on PHP for lightweight RESTful APIs.

      Reply

32. Any thoughts on how to handle something like tiers/grades/reliability levels in the API resource naming? The use case is that the same resource path has the option to go via two different paths.

    Functionally, both the paths do the same thing, such that hitting either path would have the same result (based on what API is expected to do), but the approach taken is different, which leads to some non-functional differences. It is not also an optional thing in the sense that a certain set of objects are meant to hit one-tier vs the other.

    A simple example being a logging API

    
    POST /v1/logs
    

    whose job is to dump the log into the system. But based on what tier was chosen, the availability/indexing/replication of logs may change.

    Should this tier information be incorporated as part of the url or should it be placed somewhere else?

    Something like

    
    POST /v1/tier1/logs
    

    Reply

33. I think it is convenient to use only Post and Get. I hope DELETE and PUT are depreciated!

    Reply

    • POST are not intended to do what PUT does. A POST should always create a new resource where a PUT replaces an existing one.

      You’re free to use HTTP however you want, but if you go down that road, it’s no longer a REST API. I know if I come across a partner’s API that uses POST for every operation I tend to roll my eyes and it gives me the impression that they don’t quite know what they’re doing.

      If I were you, I would reconsider your stance on other HTTP verbs and study their purpose before committing to another non-REST, HTTP based API structure simply for “convenience”.

      Reply

      • > A POST should always create a new resource where a PUT replaces an existing one.

        There are edge cases. PUT need not result in actual resource creation. POST need not either.

        The more important invariant here is for PUT the subordinate resource identifier is *already known* by the client and the request is idempotent (meaning no new resources with new identities can ever be created with a PUT). POST is not idempotent and allows for the creation of new resources with new identities, with this is not necessary for its use.

        Reply

34. Hi, I’m new to API.

    The example u given using the “/” where it seems to be using “path name” as “argument” or they are actually different directories?

    http://api.example.com/device-management/managed-devices/{device-id}

    meaning?
    api.example.com/index.php
    — device-management/index.php
    — — managed-devices/index.php
    — — — {device-id}/index.php

    i got a feeling im getting this wrong. (seriously wrong)

    Reply

    • What I mean is :
      http://api.example.com/device-management/managed-devices/
      http://api.example.com/device-management/managed-devices/1
      http://api.example.com/device-management/managed-devices/2
      http://api.example.com/device-management/managed-devices/3

      Reply

    • Usually you would write one script that catches all the requests. So “/device-management/managed-dives” would be a parameter, not actual folders. Some frameworks use it like “https://example.com/index.php?q=/device-management/managed-dives” unless you set up mod_rewrite. The parameter then gets parsed within your script.

      You could also use the https server (Apache, nginx, lighttpd, etc) to split the parameter into different variables and pass them to your php script. But all the common frameworks I’ve seen (laravel, symfony, codeigniter) actually do in their php scripts for some reasons.

      Reply

      • Thanks.

        I was looking at the usage of .htaccess.
        still trying to see how i can past all the /var1/var2/var3 into actual $array[0] = “var1”;
        then the part where i need to specifically do /var3?foo=bar and i would still get $_GET[‘foo’].

        Reply

35. Thats a very opinionated response.

    Lewis couldn’t be more precise and logic about the functioning.

    Case 1:

    When you compose APIs in a navigating through the hierarchy you add the name of the resource without an initial slash because it will specified that your are defining the root path.

    Eg. If you define an URI for a resource an compose an HTML based on that that uri refers to the root so will be wrong

    Case 2:

    Developer define endpoint in his/her application without trailing slash and the wants to compile a full UIR with and ID to get sub-resources why you force to pass and ID with and / obviously this goes in the endpoint and you don’t want to define 2 endpoints one for listing and one for the sub-resource.

    Reply

36. Hi,
    You say elsewhere that a resource should have a single logical URI. But the example “/customers/{customerId}/accounts/{accountId}” could also be written “/accounts/{accountId}”, given that account IDs should be unique within a bank. So the URI is not unique.

    Reply

    • Very good question. I will argue two things.

      1) Account Id and account number are two different things. Account numbers are NPI (sensitive) data so I will never put them in URI/URL. Account id is some generated number (like primary key) for account record.

      2) accountIds in both URIs can be different numbers. In /accounts/{accountId}, it will be primary key for account record, while in second case it will be primary key which holds the relationship between account and customer. (It is just one example).

      Please note I am saying these ids to be primary keys in respective tables just me make things more relatable. An id can be a derived value as well.

      Reply

37. Excellent article, thank you for your hard work. Could you please provide a suggestion on:

    1. if we were to use a sensitive information like insuranceId as a search criteria, should the search be made GET or POST? (since everyone says that providing sensitive information in GET URL is not a good idea)

    2. How to handle GET search if we have complicated search criteria like:- searching on a user where first_name starts with a and age is greater than 17 and sort by last_name and show pages 3-7

    Reply

    • For your question 1, use HTTP Headers for any sensitive information.

      Reply

    • Search criteria should be public information, so if you’re searching on something that is not public, you might want to take another look at your requirements.
      What does sensitive mean? Your entire request should go via HTTPS anyway, so both the URL and the headers and the body would be encrypted. What you might be worried about is access logs where the URLs are logged (so if these are readable by a wider audience than the users of your system who already have access to that information, that might be a problem).

      How to handle GET if we have complicated search criteria:
      – you could have a min_age query parameter and pass in 18
      – you could have an age query paramater and allow values like ‘>17’
      – you could define a whole query language and pass the query in via a ‘query’ or ‘q’ parameter (like Google search)

      For pagination, check out http://otac0n.com/blog/2012/11/21/range-header-i-choose-you.html which I think is an elegant solution. Alternatively, have your API accept query parameters like the ‘$top’ and ‘$skip” parameters that OData declares so you can do /accounts?skip=10&top=20 to get results 10 through 30.

      Reply

38. No. They are not mine. They have been used in other references as well. Though not very widely used.

    Reply

39. Thanks for the article! Been looking for something just like this! One part still confuses me however:

    You recommend above to use the following for collections:

    
    http://api.example.com/user-management/users/{id}
    http://api.example.com/user-management/users/admin
    

    But wouldn’t the system just look at /users/admin and think that “admin” is a user ID? This is a problem I’ve run into before, and is actually what I was researching when I came across this post 🙂 As soon as you allow resources/{variable}, you can no longer put any controller verbs or anything after /resources/ because it’ll get interpreted as your variable.

    One workaround for this seems to be changing around the order you list your URLs in in your backend, putting the catch-all URL looking for a variable last. But that’s always seemed a little hack-y and I don’t like that it imposes restrictions on how I might want to organize my URLs in the backend.

    Any suggestions for this? Is that workaround in fact standard practice?

    Thanks.

    Reply

    • I had used 3 different examples to represent the document resource. It was never meant to be used collectively. I will also not recommend to use /{id} and /admin both for same API.

      Rather I will go for /roles/{roleName} e.g. /roles/{admin} which will return all users with admin access.

      Reply

      • To return all users with admin access, isn’t better to use /users?role=admin ?

        Reply

        • That also look OK to me. It is something more of preferences.

          Reply

      • /roles/admin should not return you users with admin access.
        Instead it will return a document describing the admin role.

        Reply

    • It’s also possible to have only numeric IDs. So the server script could distinguish wether it’s an ID or a role/username/whatever. Of course that also imposes some additional limitations like prohibiting numeric and duplicate usernames. Having “/users/{username}” and “/users/{user-id}” wouldn’t seem too illogical though (but on the other hand: what’s the purpose?). For roles I’d use another way so no one gets confused. You could even use “/users/{numeric-userid}” and “/users/roles/{role-id}” on the same api if you wanted to.

      Reply

40. Well summarized blog.

    I’m curious to find out what you think about designing the user authentication aspects of an application.

    I was thinking of following the Controller archetype as follows:

    For login:

    .../user/login

    For logout:

    .../users/{id}/logout

    Reply

    • /login and /logout are good enough for me. No need to put “id” in request path, because it will be stored in session in the server.

      Also, I will not put /user in the URL until I have a good reason for it.

      Reply

      • Login and Logout are verbs and should not be part of the resource URI.

        Instead consider something a like

        POST /auth
        DELETE /auth

        Login by POST-ing your credentials
        Logoff by DELETE-ing the auth

        If that doesn’t offer enough options for you, or to support additional admin resources or other use cases, this can be extended with additional URIs or query params:

        /auth?user={user_id}
        /auth?action=logout
        /auth/{auth_id}

        Session history for a user can be made available at:

        /user/{user_id}/auth

        To see currently active sessions:

        /user/{user_id}/auth?active=yes

        And the list goes on….

        Reply

      • How do you actually logout of the RESTful API? It is supposed to be stateless isn’t it.

        We have an endpoint /authenticate that requires Http Basic Auth credentials and generates bearer token.

        Client then must send the token with each subsequent request.

        The token is self contained and contains all the info to authenticate the user as well as limited validity.

        User can refresh the token prolonging the validity using the old, soon to expire token.

        Reply

41. Very good article, but I have a question,

    How could you do if you wanted an API that has the following functions with differents QueryString/ ParameterString/ Body/ Headers in a Messaging App?

    Example:

    SendMessage
    RedirectMessage
    RedirectToMessageBlock
    ForwardMessage
    UpdateAttributesInMessage

    All these functions are POST, but If you have a resource name “Message”, you can only have one POST,

    //yoursite.com/api/v1/messages

    Reply

    • Marcel,

      Here are one way you can handle actions:

      http://yoursite.com/api/v1/messages/{id}/send
      http://yoursite.com/api/v1/messages/{id}/redirect
      http://yoursite.com/api/v1/messages/{id}/redirect-to-message
      http://yoursite.com/api/v1/messages/{id}/forward
      HTTP POST http://yoursite.com/api/v1/messages/{id}

      Enjoy!
      JD

      Reply

      • send redirect forward etc are verbs. This document says resources should not be verb. So isnt this wrong?

        Reply

        • Avoid uses of verbs in the resource. Also avoid api versioning in the resource.

          You can use PATCH to update specific attributes within a message, or PUT to update the entire message.

          As for the other options it depends on what your intentions are for each as to what type of solution to use. One option is to POST to the /message/{message_id} with a param such as action=forward as part of the payload.

          Reply

42. Use “singular” name to denote document resource archetype.

    /api.example.com/device-management/managed-devices/{device-id}
/api.example.com/user-management/users/{id}
/api.example.com/user-management/users/admin

    But why plural is used ??

    Reply

    • Plurals denote collection resources.

      Reply

      • then in the example for the document resource there should be something like:
        [java]
        http://api.example.com/user/{user-id}
        [/java]

        Reply

    • I think the document notation is that
      http://api.example.com/device-management/…

      Reply

43. About Document archetype. We can do a get/put/delete/patch because we pass an “id”, it’s fine! Is there a situation where you can use a POST on a document. In which case we can we use POST on a Document archetype?

    If you see this presentation
    https://fr.slideshare.net/domenicdenicola/creating-truly-res-tful-apis

    What do you thing about =>page 4 Resource Archetype Document /users/0987/settings. Following you this example would not it be rather relative to controller Archetype ?

    What do you thing about => page 5 Archetypye collection : Could you explain the usage of PUT for a collection? It would be in the case where one wishes to replace ALL documents. My understanding A collection is not related to a specific ID. I doesn’t understand why the author mention PATCH and DELETE on an archetype collection also? Can you enlighten me on what is “true” of “false”

    Reply

44. What are the rules for identifying a complex resource by separating a url path? For eg., one of my resource is grouped by 2 tokens. Token one can have many other tokens. The format I am using is:

    abc.com/tokens/5678/2345

    But there is no page for abc.com/tokens/5678. Should I club “5678/2345” as “5678-2345” or using any other character?

    Reply

    • Yes. I will suggest to append token ids using hyphen.

      Reply

45. Hi I want get the data by multiple params (name,age,group)

    this case can I use GET method as below

    http://www.mywebsite.com/my-project/data/name/age/group

    What is the best approach

    Reply

    • I will suggest to use filters e.g. [java]http://www.mywebsite.com/my-project/data?fields=name,age,group[/java]

      Reply

46. Is it RESTful to use URI with query parameters for performing a POST/PATCH to a subset of a collection? For example, if I want to set all the live hosts in the Miami datacenter to status “dead”:

    POST /hosts?datacenter=miami&status=live
    { “status”: “dead” }

    In the response, I would include all the updated hosts and new status. Some fields (e..g hostname, IP address, etc.) would not be modifiable via this method, which would lead a 4XX status code and appropriate error message.

    Reply

47. I like to use this way of calling custom methods or what you call “controllers”.
    https://cloud.google.com/apis/design/custom_methods

    Basically when you need to perform a special action over a resource that can’t be represented you add the action after a colon at the end.

    For example I have this /groups/{id} resource I want to clone, but there is no such method or similar in HTTP, I could just use POST /groups/{id} with the fetched data of the group I want to clone but If I want to execute that in just one action, so I add /groups/{id}:clone .

    As stated in the link, there are some considerations when doing this, like using only POST method, but is more clear this way when are you executing something or not.

    Also this maps seamlessly with auth scopes. In this case my scope would be ‘groups:clone’.

    Thanks for all this huge documentation, it is really helpful.

    Reply

48. Wich pattern i can use in a model with a composite key?

    I have an entity called leaderboard that has a key composed by frontend + packagename, how would my endpoint for get a single leaderboard?

    
    GET /leaderboard/{frontend}?packagename={packagename} ?
    GET /leaderboard/{frontend}-{packagename} ?
    GET /leaderboard/{frontend}/{packagename} ?
    

    Reply

    • 1) If a frontend has many packages (in sinle screen) then GET /leaderboard/{frontend}-{packagename} does not make sense to me. Same for /leaderboard/{frontend}/{packagename}. I would not like to make N API calls to load one screen.
      2) GET /leaderboard/{frontend}?packagename={packagename} looks more flexible to me because it gives you freedom to fetch 1-N packages in single call.

      I am expressing my thoughts purely on assumption of your system. I may be incorrect, so please research.

      Reply

      • i would prefer

        [csharp]
        /leaderboard/{frontend}/packages/{packagename}
        [/csharp]

        Reply

49. Hi,

    I have a requirement where within the hierarchical data one of the resource is a collection instead of single id. What is the best way of modelling it? Example below

    Requirement: Give me access control list for specific list of roles. One way of modelling it is to allow only one role id, let the consumer call the API multiple times.
    access-management/roles/{id}/acls

    However, I want to receive all roles in one request and the response to be then able to return ACLs for all roles. Something along the lines
    access-management/roles/{ids}/acls

    What is the best way to model the API to adhere to REST and URI guidelines?

    Reply

    • Though, multiple “ACL”s can belong to single role (as sub-collection), still I see it independent resource different from “Role”. So model them accordingly.

      I will suggest to create following APIs.

      HTTP GET access-management/roles
      HTTP GET access-management/roles/{id}
      HTTP GET access-management/roles/{id}/acls

      HTTP GET access-management/acls
      HTTP GET access-management/acls/{id}

      So, to reply your query, you can use “access-management/roles” having response like this:

      <roles>
      	<role id="1" uri="/access-management/roles/1">
      		<name>admin</name>
      		<enabled>true</enabled>
      		<acls>
      			<acl id="11" uri="/access-management/acls/11">
      				<name>ADD</name>
      				<enabled>true</enabled>
      			</acl>
      			<acl id="12" uri="/access-management/acls/12">
      				<name>DELETE</name>
      				<enabled>true</enabled>
      			</acl>
      		</acls>
      	</role>
      	<role id="2" uri="/access-management/roles/2">
      		<name>user</name>
      		<enabled>true</enabled>
      		<acls>
      			<acl id="11" uri="/access-management/acls/11">
      				<name>ADD</name>
      				<enabled>true</enabled>
      			</acl>
      		</acls>
      	</role>
      </roles>

      Here you can iterate all rows and find related ACLs. If you want to fetch full details of any single ACL the follow its uri attribute. Feel free to add/remove fields as per design.

      Reply

      • In your API suggestions you list “HTTP GET access-management/roles/{id}/acls” and “access-management/acls” separately. That’s two distinct URI’s for the same collection resource “ACLs”

        Reply

        • Not really. I explained in the first sentence of the comment.

          Reply

50. Hi,
    Great article, but i have a question.
    How can I get the filtered list of managed-devices?
    My first idea was something like this:

    HTTP POST http://api.example.com/device-management/managed-devices

    with my list of device-id in body, but you wrote that this URI is for create.
    So what should i do then?

    Thanks.

    Reply

    • 1) In REST, HTTP POST is more close to “create”. I will suggest to use “HTTP GET” with query parameters.
      2) Why somebody will filter a collection by device ids? He will use search functionality (text box) directly.
      3) Filtering make sense on other parameters e.g. locations, IP ranges etc. For those usecases, use query parameters. e.g.

      HTTP GET http://api.example.com/device-management/managed-devices?states=CA,LS
HTTP GET http://api.example.com/device-management/managed-devices?ip-range=127-0-0-1,127-0-0-10
HTTP GET http://api.example.com/device-management/managed-devices?routes=route1,route2,route3

      This approach has benefit that you can use/share these URLs (e.g. bookmarks) again and again over the time.

      Reply

      • In my interface I have a list of vehicles names and checkbox next to each of them. When a user chooses few and want to e.g. display them on map, I would like to make only one request for the whole data.

        Thanks for the answer, I will pass list of ids in querystring.

        Reply

51. A controller resource models a procedural concept. Controller resources are like executable functions, with parameters and return values; inputs and outputs.
    Is it RESTful?

    Reply

    • Yes, it is.

      Reply

      • checkout is a verb and play are verbs and as you point out at the start it is considered bad practice to use verbs in the URI.

        “RESTful URI should refer to a resource that is a thing (noun) instead of referring to an action (verb)”

        Also you haven’t mentioned which HTTP method should be called for the controller pattern but if it is GET then you are changing state via a method that should be idempotent.

        If it is POST then the controller pattern is RPC rather than REST. A RESTful API would allow the retrieval of the “checkout” resource via

        "GET http://api.example.com/cart-management/users/{id}/cart/checkout"

        which doesn’t seem to make sense as a request.

        It would be better IMO to include a status attribute in the cart resource and update that.

        Reply

        • We can put actions in controller resources that are not logically mapped to any of CRUD operations e.g.

          POST /device-management/{id}/alerts/{id}/resend

          The above operation does not fall under CRUD.

          Reply

          • Would it be fair to say that “resend,” while not a direct CRUD type is actually a “Transaction” if we relate it to the Relational Database World?