- Don’t let implementation details leak into your API. Use clear resource concept names, and don’t expose abbreviations or internal naming conventions in URLs.
- Paginate search results: cap the number of pages returned and the maximum number of records per request, so a single call cannot pull the whole dataset. Add hypermedia links to the first, last, next and previous pages for easy navigation.
- Stick to the standard HTTP response codes; don’t invent new ones. The common ones are 200, 201, 204, 400 and 404.
- When data arrives from a client, always validate required fields, field types and formats. Never pass SQL in the URL; accept only plain filter values and bind them as query parameters on the server.
- Add workflow-based functionality to APIs so that they go beyond mere data access.
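The following is an added example, not code from the original post: a small Python handler pair that applies the pagination, hypermedia-link, response-code and input-validation points above. It uses an in-memory sqlite3 database with constructed sample users; the `/users` path, the `USER_SCHEMA` fields, the page-size limits and the function names are assumptions made for the example. Filter values are always bound as parameters and LIKE metacharacters are escaped, so neither SQL nor wildcards from the client reach the query text.

```python
import re
import sqlite3
from urllib.parse import urlencode

# Assumed limits for this example; tune per API.
DEFAULT_PAGE_SIZE = 20
MAX_PAGE_SIZE = 100

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Hypothetical schema: field -> (python type, required?, format regex or None)
USER_SCHEMA = {
    "name": (str, True, re.compile(r"^[A-Za-z][A-Za-z .'-]{0,63}$")),
    "email": (str, True, EMAIL_RE),
    "age": (int, False, None),
}


def validate(payload, schema):
    """Return a list of error strings; an empty list means the payload is valid."""
    if not isinstance(payload, dict):
        return ["body must be a JSON object"]
    errors = []
    for field, (ftype, required, pattern) in schema.items():
        if field not in payload:
            if required:
                errors.append(f"{field}: required")
            continue
        value = payload[field]
        # bool is a subclass of int in Python; reject it explicitly for int fields
        if not isinstance(value, ftype) or (ftype is int and isinstance(value, bool)):
            errors.append(f"{field}: expected {ftype.__name__}")
            continue
        if pattern is not None and not pattern.match(value):
            errors.append(f"{field}: invalid format")
    for extra in sorted(set(payload) - set(schema)):
        errors.append(f"{extra}: unknown field")
    return errors


def parse_pagination(params):
    """Parse page/page_size query params, clamping page_size to MAX_PAGE_SIZE."""
    try:
        page = int(params.get("page", 1))
        size = int(params.get("page_size", DEFAULT_PAGE_SIZE))
    except (TypeError, ValueError):
        raise ValueError("page and page_size must be integers")
    if page < 1 or size < 1:
        raise ValueError("page and page_size must be positive")
    return page, min(size, MAX_PAGE_SIZE)


def hypermedia_links(path, page, page_size, total):
    """first/last are always present; prev/next only when such a page exists."""
    last = max(1, -(-total // page_size))  # ceiling division

    def link(p):
        return f"{path}?{urlencode({'page': p, 'page_size': page_size})}"

    links = {"first": link(1), "last": link(last)}
    if page > 1:
        links["prev"] = link(page - 1)
    if page < last:
        links["next"] = link(page + 1)
    return links


def search_users(conn, params):
    """GET /users?name=...&page=...&page_size=... -> (status, body)."""
    try:
        page, page_size = parse_pagination(params)
    except ValueError as exc:
        return 400, {"error": str(exc)}
    raw = params.get("name", "")
    if not isinstance(raw, str) or len(raw) > 64:
        return 400, {"error": "name must be a string of at most 64 characters"}
    # Escape LIKE metacharacters so a client cannot widen the match with % or _.
    pattern = "%" + re.sub(r"([\\%_])", r"\\\1", raw) + "%"
    where = "WHERE name LIKE ? ESCAPE '\\'"
    # The filter is bound as a parameter, never spliced into the SQL string.
    total = conn.execute(f"SELECT COUNT(*) FROM users {where}", (pattern,)).fetchone()[0]
    rows = conn.execute(
        f"SELECT id, name, email FROM users {where} ORDER BY id LIMIT ? OFFSET ?",
        (pattern, page_size, (page - 1) * page_size),
    ).fetchall()
    return 200, {
        "data": [{"id": r[0], "name": r[1], "email": r[2]} for r in rows],
        "total": total,
        "links": hypermedia_links("/users", page, page_size, total),
    }


def create_user(conn, payload):
    """POST /users -> (status, body): 400 on invalid input, 201 on success."""
    errors = validate(payload, USER_SCHEMA)
    if errors:
        return 400, {"errors": errors}
    cur = conn.execute(
        "INSERT INTO users (name, email, age) VALUES (?, ?, ?)",
        (payload["name"], payload["email"], payload.get("age")),
    )
    return 201, {"id": cur.lastrowid, "name": payload["name"], "email": payload["email"]}


def make_sample_db():
    """Constructed in-memory sample data for the example, not real records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, age INTEGER)")
    for n in ["alice", "bob", "carol", "dave", "eve", "frank", "grace", "heidi"]:
        conn.execute("INSERT INTO users (name, email) VALUES (?, ?)", (n, f"{n}@example.com"))
    return conn


if __name__ == "__main__":
    db = make_sample_db()
    print(search_users(db, {"name": "a", "page": "2", "page_size": "2"}))
    print(search_users(db, {"name": "' OR 1=1 --"}))
    print(create_user(db, {"name": "", "email": "nope", "age": True, "role": "admin"}))
```

Note that a client sending `page_size=1000` silently gets 100 records rather than an error, while a non-numeric `page` is a 400; both are deliberate choices and should be documented in the API. The injection-style filter `' OR 1=1 --` simply matches no names, because it only ever reaches SQLite as a bound string.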
Full post here, 6 mins read