How to create REST URLs without verbs?

by

General principles for good URI design:

  • Don’t use query parameters to alter state
  • Don’t use mixed-case paths if you can help it; lowercase is best
  • Don’t use implementation-specific extensions in your URIs (.php, .py, .pl, etc.)
  • Don’t fall into RPC with your URIs
  • Do limit your URI space as much as possible
  • Do keep path segments short
  • Do prefer either /resource or /resource/; create 301 redirects from the one you don’t use
  • Do use query parameters for sub-selection of a resource; i.e. pagination, search queries
  • Do move stuff out of the URI that should be in an HTTP header or a body

(Note: I did not say “RESTful URI design”; URIs are essentially opaque in REST.)

General principles for HTTP method choice:

  • Don’t ever use GET to alter state; this is a great way to have the Googlebot ruin your day
  • Don’t use PUT unless you are updating an entire resource
  • Don’t use PUT unless you can also legitimately do a GET on the same URI
  • Don’t use POST to retrieve information that is long-lived or that might be reasonable to cache
  • Don’t perform an operation that is not idempotent with PUT
  • Do use GET for as much as possible
  • Do use POST in preference to PUT when in doubt
  • Do use POST whenever you have to do something that feels RPC-like
  • Do use PUT for classes of resources that are larger or hierarchical
  • Do use DELETE in preference to POST to remove resources
  • Do use GET for things like calculations, unless your input is large, in which case use POST

General principles of web service design with HTTP:

  • Don’t put metadata in the body of a response that should be in a header
  • Don’t put metadata in a separate resource unless including it would create significant overhead
  • Do use the appropriate status code
  • 201 Created after creating a resource; resource must exist at the time the response is sent
  • 202 Accepted after performing an operation successfully or creating a resource asynchronously
  • 400 Bad Request when someone does an operation on data that’s clearly bogus; for your application this could be a validation error; generally reserve 500 for uncaught exceptions
  • 401 Unauthorized when someone accesses your API either without supplying a necessary Authorization header or when the credentials within the Authorization are invalid; don’t use this response code if you aren’t expecting credentials via an Authorization header.
  • 403 Forbidden when someone accesses your API in a way that might be malicious or if they aren’t authorized
  • 405 Method Not Allowed when someone uses POST when they should have used PUT, etc
  • 413 Request Entity Too Large when someone attempts to send you an unacceptably large file
  • 418 I'm a teapot when attempting to brew coffee with a teapot
  • Do use caching headers whenever you can
  • ETag headers are good when you can easily reduce a resource to a hash value
  • Last-Modified should indicate to you that keeping around a timestamp of when resources are updated is a good idea
  • Cache-Control and Expires should be given sensible values
  • Do everything you can to honor caching headers in a request (If-None-Modified, If-Modified-Since)
  • Do use redirects when they make sense, but these should be rare for a web service

With regard to your specific question, POST should be used for #4 and #5. These operations fall under the “RPC-like” guideline above. For #5, remember that POST does not necessarily have to use Content-Type: application/x-www-form-urlencoded. This could just as easily be a JSON or CSV payload.

More Related Contents:

  1. When do I use path params vs. query params in a RESTful API?
  2. What’s the best RESTful method to return total number of items in an object?
  3. Jersey with Struts2 [duplicate]
  4. RESTful – What should a DELETE response body contain
  5. Hyphen, underscore, or camelCase as word delimiter in URIs?
  6. RESTful Authentication
  7. RESTful URL design for search
  8. How can I handle many-to-many relationships in a RESTful API?
  9. What is the proper REST response code for a valid request but an empty data?
  10. How to version REST URIs
  11. HTTP response code for POST when resource already exists
  12. XDebug and RESTful server using PHPStorm or POSTman
  13. REST Complex/Composite/Nested Resources [closed]
  14. What is the advantage of using REST instead of non-REST HTTP?
  15. What is REST? Slightly confused [closed]
  16. Transactions across REST microservices?
  17. Designing URI for current logged in user in REST applications
  18. RESTful Services – WSDL Equivalent
  19. Unable to upload zip file through karate framework
  20. Firefox Add-on RESTclient – How to input POST parameters?
  21. Spring 4 RestController JSON: characteristics not acceptable according to the request “accept” headers
  22. REST API Authentication
  23. Should I use Singular or Plural name convention for REST resources?
  24. How to download excel (.xls) file from API in postman?
  25. Where can I find jenkins restful api reference? [closed]
  26. Is it correct to return 404 when a REST resource is not found?
  27. When is it appropriate to respond with a HTTP 412 error?
  28. Flutter fetched Japanese character from server decoded wrong
  29. Websocket vs REST when sending data to server
  30. ‘Best’ practice for restful POST response

Leave a Comment