REST API Best Practices and Anti-Patterns

REST API•Permalink

High-signal design rules, consistency patterns, and common mistakes to avoid in production APIs.

View

Standard Detailed Compact

Export

Copy the compact sheet, download it, or print it.

Download

`D` dense toggle · `C` copy all

## Best practices

Keep response contracts consistent

↗#

List endpoints should return a predictable structure for data, pagination, and errors.

# Use the same top-level response structure across endpoints.

Return a request ID

↗#

X-Request-Id: req_01HXYZ123

# Make support and debugging easier.

Use ISO 8601 timestamps

↗#

2026-03-27T22:15:00Z

# Prefer explicit timezone-aware datetime strings.

Document rate limits clearly

↗#

RateLimit-Limit: 100
RateLimit-Remaining: 24
RateLimit-Reset: 60

# Help clients back off safely.

Provide copy-paste examples

↗#

curl -X GET https://api.example.com/v1/users/usr_123 \
  -H "Authorization: Bearer $TOKEN"

# Show real requests and responses in docs.

## Anti-patterns

Verbs in CRUD endpoints

↗#

Avoid: POST /createUser
Prefer: POST /users

# Avoid route names that duplicate the HTTP method.

Do not return 200 for every outcome

↗#

Avoid: HTTP 200 with { "success": false } for validation failures

# Use HTTP status codes meaningfully.

Do not expose raw database internals

↗#

Avoid exposing internal table names, join tables, and migration-driven field names directly.

# Keep API models stable and intentional.

Do not ship breaking changes silently

↗#

Avoid removing fields or changing meanings without deprecation and migration guidance.

# Version or phase in incompatible changes.

Avoid deeply nested routes

↗#

Avoid: /orgs/{orgId}/teams/{teamId}/projects/{projectId}/tickets/{ticketId}/comments

# Keep URLs maintainable.

More in REST API

REST API Request and Response Patterns

JSON request bodies, envelope choices, sparse fieldsets, includes, concurrency control, and common response contracts.

REST API Authentication, Authorization, and Versioning

Bearer auth, API keys, permission errors, versioning strategies, and compatibility patterns for HTTP APIs.

REST API Status Codes and Error Response Design

Practical HTTP status codes, error response bodies, validation failures, and troubleshooting-friendly API error contracts.

REST API Pagination, Filtering, Sorting, and Search

Common collection query patterns including offset pagination, cursor pagination, filtering, sorting, and search.

REST API Resource Naming and URL Design

Naming conventions for resources, relationships, nested endpoints, and clean URL design.

REST API Methods and Idempotency

HTTP methods, safe vs unsafe semantics, and idempotency examples for API consumers and designers.

Recommended next

No recommendations yet.

Browse all sheets →