Professional Documents
Culture Documents
The goal of this story is not to give a bad advertisement for a used
system, but to share how things should NOT be developed, as well as
learn the right approaches when it comes to designing APIs.
Assignment
My friend’s client is using Beds24 system to manage their property
listings and keep availability in sync across various booking systems
(Booking, AirBnB, etc.). They are building a website and would like the
search mechanism to only show properties that are available for the
selected dates and number of guests. Sounds like a trivial task, since
Beds24 provides an API for integrations with other systems.
Unfortunately, the developer has managed to make a lot of mistakes
https://medium.com/@robertas.konarskis/how-not-to-design-restful-apis-fb4892d9057a 1/12
1/18/2019 How NOT to design RESTful APIs – Rob Konarski – Medium
when designing it. Let’s walk through these mistakes, see what exactly
went wrong and how it should have been done.
{
"checkIn": "20151001",
"lastNight": "20151002",
"checkOut": "20151003",
"roomId": "12345",
"propId": "1234",
"ownerId": "123",
"numAdult": "2",
"numChild": "0",
"offerId": "1",
"voucherCode": "",
"referer": "",
"agent": "",
"ignoreAvail": false,
"propIds": [
1235,
1236
],
"roomIds": [
12347,
12348,
12349
]
}
Let me go through the JSON object and explain what is wrong with its
parameters.
https://medium.com/@robertas.konarskis/how-not-to-design-restful-apis-fb4892d9057a 2/12
1/18/2019 How NOT to design RESTful APIs – Rob Konarski – Medium
the last night. Please, always use standard date encoding formats
and do not ask the user of the API to supply redundant data.
2. All Ids, as well as numAdult and numChild elds are numeric, but
are encoded as strings. There seems to be no reason to encode
them as strings in this particular situation.
Please, do not confuse developers with such silly mistakes and try to
use standard formatting as well as pay attention to redundancy and
eld types. Do not just wrap everything in a string.
Request:
{
"checkIn": "20190501",
"checkOut": "20190503",
"ownerId": "25748",
"numAdult": "2",
"numChild": "0"
}
Response:
https://medium.com/@robertas.konarskis/how-not-to-design-restful-apis-fb4892d9057a 3/12
1/18/2019 How NOT to design RESTful APIs – Rob Konarski – Medium
{
"10328": {
"roomId": "10328",
"propId": "4478",
"roomsavail": "0"
},
"13219": {
"roomId": "13219",
"propId": "5729",
"roomsavail": "0"
},
"14900": {
"roomId": "14900",
"propId": "6779",
"roomsavail": 1
},
"checkIn": "20190501",
"lastNight": "20190502",
"checkOut": "20190503",
"ownerId": 25748,
"numAdult": 2
}
https://medium.com/@robertas.konarskis/how-not-to-design-restful-apis-fb4892d9057a 4/12
1/18/2019 How NOT to design RESTful APIs – Rob Konarski – Medium
{
"properties": [
{
"id": 4478,
"rooms": [
{
"id": 12328,
"available": false
}
]
},
{
"id": 5729,
"rooms": [
{
"id": 13219,
"available": false
}
]
},
{
"id": 6779,
"rooms": [
{
"id": 14900,
"available": true
}
]
}
],
"checkIn": "2019-05-01",
"lastNight": "2019-05-02",
"checkOut": "2019-05-03",
"ownerId": 25748,
"numAdult": 2
}
https://medium.com/@robertas.konarskis/how-not-to-design-restful-apis-fb4892d9057a 5/12
1/18/2019 How NOT to design RESTful APIs – Rob Konarski – Medium
Sin 4: “Guidelines”
Below are the API use “guidelines” from the documentation:
1. Calls should be designed to send and receive only the minimum required
data.
2. Only one API call at a time is allowed, You must wait for the rst call to
complete before starting the next API call.
3. Multiple calls should be spaced with a few seconds delay between each
call.
4. API calls should be used sparingly and kept to the minimum required for
reasonable business usage.
https://medium.com/@robertas.konarskis/how-not-to-design-restful-apis-fb4892d9057a 6/12
1/18/2019 How NOT to design RESTful APIs – Rob Konarski – Medium
While points 1, 4 make sense, I can’t agree that others do. Let me
explain why.
Sin 5: Documentation
This is how the API documentation looks like:
https://medium.com/@robertas.konarskis/how-not-to-design-restful-apis-fb4892d9057a 7/12
1/18/2019 How NOT to design RESTful APIs – Rob Konarski – Medium
The only problems here are readability and overall feel. The same
documentation could have looked way better if the author would have
used markdown instead of custom non-styled HTML. For the sake of
this post, I created a better version with the help of Dilliger in under 2
minutes. Here is the result:
https://medium.com/@robertas.konarskis/how-not-to-design-restful-apis-fb4892d9057a 8/12
1/18/2019 How NOT to design RESTful APIs – Rob Konarski – Medium
Here is a link to the Beds24 API docs for those who want to have a look
at it themselves.
Sin 6: Security
The API documentation states the following about all of the endpoints:
To use these functions, API access must be allowed in the menu SETTINGS
>> ACCOUNT >> ACCOUNT ACCESS.
Most JSON methods require an API key to access an account. The API code
can be set at the menu SETTINGS >> ACCOUNT >> ACCOUNT ACCESS.
https://medium.com/@robertas.konarskis/how-not-to-design-restful-apis-fb4892d9057a 9/12
1/18/2019 How NOT to design RESTful APIs – Rob Konarski – Medium
Having authentication token inside request body means that the server
would need to rst parse the request body, extract the key, perform
authentication, and then decide what to do with the request: execute it
or not. In case of a successful authentication, there is no overhead
involved as the body would have been parsed anyway. In case
authentication failed, the server did all the work described above just to
extract the token, spending precious processing time. A better approach
instead would be to send an authentication token as a request header,
using Bearer authentication scheme or similar. This way, the server
would only need to parse the request body in case of a successful
authentication. Another reason to use a standard authentication
scheme like a Bearer token is simply because most developers are
familiar with it.
Sin 7: Performance
Last but not least, it would take on average a little over 1 second for a
request to complete. With modern applications, such delays may not be
acceptable. Therefore, take performance into account when designing
APIs.
. . .
Despite all of the issues with the API explained above, it does the job.
However, it takes several times longer for developers to understand and
implement it, as well as forces to write more complex solutions to trivial
problems. Therefore, please think about developers implementing your
https://medium.com/@robertas.konarskis/how-not-to-design-restful-apis-fb4892d9057a 10/12
1/18/2019 How NOT to design RESTful APIs – Rob Konarski – Medium
API before releasing it. Make sure the documentation is complete, clear
and well-formatted. Check if your resource names follow conventions,
that your data is well structured, easy to understand and use. Also, pay
attention to security and performance, do not forget to implement error
handling correctly. If all of the above is taken into account when
designing an API, then there would be no need for weird “guidelines”,
like in the example earlier.
As already mentioned, the goal of this post was not to make you never
use Beds24 or any similar system because their API is not implemented
correctly. The target was to increase the quality of software products by
sharing a poor example and explaining how it could have been done
better. Hopefully, this post would make someone pay more attention to
software development best practices and make software systems better.
Till next time!
https://medium.com/@robertas.konarskis/how-not-to-design-restful-apis-fb4892d9057a 11/12
1/18/2019 How NOT to design RESTful APIs – Rob Konarski – Medium
https://medium.com/@robertas.konarskis/how-not-to-design-restful-apis-fb4892d9057a 12/12