• Don’t let implementation details leak into your API. Use clear resource concept names. Don’t use abbreviations or naming conventions in URLs.
• Paginate search results, limit the number of pages returned, and cap the maximum number of records per request. Add hypermedia links to the first, last, next and previous pages for easy navigation.
• Stick to the standard response codes; don’t invent new ones. Use the common HTTP response codes 200, 201, 204, 400 and 404.
• When data arrives from a client, always validate required fields, field types and formats. Never pass SQL in the URL.
• Add workflow-based functionality to APIs so that they go beyond mere data access.
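The pagination and validation points above, as an added example that is not from the original post: a small search endpoint over an in-memory SQLite table (constructed sample rows) that validates and caps `page`/`per_page`, returns first/last/next/prev hypermedia links, checks required fields, types and formats on an incoming payload, and binds the search term as a query parameter so no SQL ever travels in the URL. The `MAX_PER_PAGE` cap, the `customers` schema and the `/customers` base URL are assumptions.

```python
"""Added example (not from the original post): paginated, validated, parameterised search."""
import re
import sqlite3
from urllib.parse import urlencode

MAX_PER_PAGE = 50        # assumed hard cap on records per request
DEFAULT_PER_PAGE = 20
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_paging(params):
    """Validate page/per_page query params; return (page, per_page) or raise ValueError."""
    try:
        page = int(params.get("page", 1))
        per_page = int(params.get("per_page", DEFAULT_PER_PAGE))
    except (TypeError, ValueError):
        raise ValueError("page and per_page must be integers")
    if page < 1 or per_page < 1:
        raise ValueError("page and per_page must be positive")
    return page, min(per_page, MAX_PER_PAGE)   # cap, never trust the client's size


def page_links(base_url, page, per_page, total):
    """Build first/last/next/prev links for a result page (hypermedia navigation)."""
    last = max(1, -(-total // per_page))       # ceiling division

    def link(p):
        return f"{base_url}?{urlencode({'page': p, 'per_page': per_page})}"

    links = {"first": link(1), "last": link(last)}
    if page < last:
        links["next"] = link(page + 1)
    if page > 1:
        links["prev"] = link(page - 1)
    return links


def validate_customer(payload):
    """Check required fields, types and formats; return a list of error strings."""
    schema = {"name": str, "email": str, "age": int}   # assumed resource shape
    errors = []
    for field, typ in schema.items():
        if field not in payload:
            errors.append(f"{field}: required")
        elif not isinstance(payload[field], typ) or isinstance(payload[field], bool):
            errors.append(f"{field}: expected {typ.__name__}")
    email = payload.get("email")
    if isinstance(email, str) and not EMAIL_RE.match(email):
        errors.append("email: invalid format")
    age = payload.get("age")
    if isinstance(age, int) and not isinstance(age, bool) and not 0 <= age <= 150:
        errors.append("age: out of range")
    return errors


def open_db():
    """Constructed sample data: seven customers in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    rows = [(f"Customer {i}", f"c{i}@example.com") for i in range(1, 8)]
    conn.executemany("INSERT INTO customers (name, email) VALUES (?, ?)", rows)
    return conn


def search_customers(conn, params, base_url="/customers"):
    """Search by name fragment. The term is a bound parameter, never SQL text,
    so a value such as "' OR 1=1 --" is matched literally and returns nothing."""
    page, per_page = parse_paging(params)
    like = f"%{params.get('q', '')}%"     # LIKE wildcards in the term still act as wildcards
    total = conn.execute(
        "SELECT COUNT(*) FROM customers WHERE name LIKE ?", (like,)
    ).fetchone()[0]
    rows = conn.execute(
        "SELECT id, name, email FROM customers WHERE name LIKE ? ORDER BY id LIMIT ? OFFSET ?",
        (like, per_page, (page - 1) * per_page),
    ).fetchall()
    return {
        "items": [{"id": r[0], "name": r[1], "email": r[2]} for r in rows],
        "page": page, "per_page": per_page, "total": total,
        "links": page_links(base_url, page, per_page, total),
    }


if __name__ == "__main__":
    db = open_db()
    print(search_customers(db, {"q": "Customer", "page": "2", "per_page": "3"}))
    print(validate_customer({"name": 5, "email": "nope"}))
```

A bad `page` value raises `ValueError`, which the HTTP layer would map to a 400; an oversized `per_page` is silently capped rather than rejected, so clients cannot pull the whole table in one request.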
