1. API PAIN-POINTS
GETTING THINGS WRONG FOR FUN AND PROFIT
@PHILSTURGEON #PHPCAPETOWN14

11. ARCHITECTURE
OLD SCHOOL

13. http://girlsgotsole.com/blog/thankful-thursday-rest-days/

14. DATABASE SEEDING
LEAVE YOUR CUSTOMERS ALONE

15. ENDPOINT THEORY
NAMING THINGS IS HARD

16. PLURAL V SINGULAR?
CONSISTENCY IS KING
/user/23
/user
s

17. PLURAL V SINGULAR?
CONSISTENCY IS KING
/opportunity/43
/opportunities

18. PLURAL V SINGULAR?
CONSISTENCY IS KING
/places
/places/12
/places/12/checkins
/places/12/checkins/34
/checkins/34

19. NO NEED FOR SEO
QUERY STRINGS ARE FINE
/users/active/true
/users?active=tru
e

20. AUTO-INCREMENT = BAD
CTRL + S YOUR WEBSITE
/checkins/1
/checkins/2
/checkins/236
9
…
/checkins/3

21. AUTO-INCREMENT = BAD
CTRL + S YOUR WEBSITE
https://github.com/zackkitzmiller/tiny-php
https://github.com/ramsey/uuid

22. WHICH METHODS
VERB SOUP
List GET /users
Read GET /users/X
Update PUT /users/X
Update PATCH /users/X
Create POST /users
Delete DELETE /users/X
Image PUT /users/X/image
Images POST /users/X/images
Favorites GET /users/X/favorites
Checkins GET /users/X/checkins

23. FORM PAYLOADS
JUST SEND JSON
foo=something&bar[baz]=thi
ng
23

24. HACKY PAYLOADS
NOT LIKE THAT

25. REAL JSON PAYLOADS
THNX!

27. 200 = OK
Or deal with Chuck

28. 2xx is all about success
3xx is all about redirection
4xx is all about client errors
5xx is all about service errors

29. 200 - Generic everything is OK
201 - Created something OK
202 - Accepted but is being processed async
400 - Bad Request (Validation?)
401 - Unauthorized
403 - Current user is forbidden
404 - That URL is not a valid route
405 - Method Not Allowed
410 - Data has been deleted, deactivated, suspended, etc
500 - Something unexpected happened and it is the APIs fault
503 - API is not here right now, please try again later

30. SUPPLEMENT HTTP CODES
WHAT HAPPENED
{
"error": {
"type": "OAuthException",
"message": "Session has expired at unix time
1385243766. The current unix time is 1385848532"
}
}

31. SUPPLEMENT HTTP CODES
WHAT HAPPENED
{
"error": {
"type": "OAuthException",
"code": “ERR-1012“,
"message": "Session has expired at unix time
1385243766. The current unix time is 1385848532"
}
}

32. AUTHENTICATION STRATEGY
HOW MUCH DO YOU CARE
HTTP Basic
HTTP Digest
OAuth 1.0a
OAuth 2.0

33. OAUTH 2 CAN DO A LOT
PASSWORDS, IMPLICIT, SOCIAL LOGINS…

34. OAUTH 2.0
thephpleague.com
github.com/thephpleague/oauth2-server

35. USE SSL

36. LOL
EXCEPT FOR…

39. TRANSFORMERS… ASSEMBLE!

40. FLEXIBLE RESPONSES
STOP YOUR IPHONE DEV COMPLAINING
GET /checkins/dsfXte
?include=place,user,activity

41. PAGINATE
DATA GROWS FAST
{
"data": [
...
],
"cursors": {
"after": "MTI=",
"next_url": "https://api.example.com/places
?cursor=MTI%3&number=12"
}
}

42. DEFINE A LIMIT RANGE
PAGINATION DDOS
if ($limit < 1 || $limit > 100) {
$limit = 100;
}

44. AUTOMATE TESTING
IF YOU LOVE YOUR JOB
http://www.engineersgotblued.com/

45. PHPUNIT + BEHAT
http://www.bil-jac.com/bestfriendsclub.php

46. Scenario: Find a merchant
When I request "GET
/moments/1"
Then I get a "200" response
And scope into the "data"
property
And the properties exist:
"""
id
…
created_at

47. Scenario: Try to find an invalid
checkin
When I request "GET
/checkins/nope"
Then I get a "404" response

48. Scenario:Wrong Arguments for user
follow
Given I have the payload:
"""
{"is_following": "foo"}
"""
When I request "PUT /users/1”
Then I get a "400" response

49. apiblueprint.org

51. VERSIONING
/V1/DOESNT COUNT
https://api.example.com/v1/places

52. VERSIONING
/V1/DOESNT COUNT
https://api-v1.example.com/places

53. VERSIONING
/V1/DOESNT COUNT
Accept: application/vnd.com.example.api-v1+json
Accept: application/vnd.com.example.api-v2+json

54. VERSIONING
/V1/DOESNT COUNT
Accept: application/vnd.com.example.user-v2+json
Accept: application/vnd.com.example.user-v3+json

55. VERSIONING
/V1/DOESNT COUNT
Copy Facebook
Maybe?
THIS ONE TIME!

56. EVERYTHING IS WRONG
DONT BE THAT GUY
troyhunt.com/2014/02/your-api-versioning-is-wrong-which-is.html

57. leanpub.com/build-apis-you-wont-hate/c/CAPEMAN2014