api-design
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseAPI Design Patterns
API设计模式
Conventions and best practices for designing consistent, developer-friendly REST APIs.
设计一致、对开发者友好的REST API的规范与最佳实践。
When to Activate
适用场景
- Designing new API endpoints
- Reviewing existing API contracts
- Adding pagination, filtering, or sorting
- Implementing error handling for APIs
- Planning API versioning strategy
- Building public or partner-facing APIs
- 设计新的API端点
- 评审现有API契约
- 添加分页、过滤或排序功能
- 为API实现错误处理机制
- 规划API版本控制策略
- 构建面向公众或合作伙伴的API
Resource Design
资源设计
URL Structure
URL结构
undefinedundefinedResources are nouns, plural, lowercase, kebab-case
资源使用名词、复数形式、小写字母,采用短横线分隔命名法
GET /api/v1/users
GET /api/v1/users/:id
POST /api/v1/users
PUT /api/v1/users/:id
PATCH /api/v1/users/:id
DELETE /api/v1/users/:id
GET /api/v1/users
GET /api/v1/users/:id
POST /api/v1/users
PUT /api/v1/users/:id
PATCH /api/v1/users/:id
DELETE /api/v1/users/:id
Sub-resources for relationships
表示关联关系的子资源
GET /api/v1/users/:id/orders
POST /api/v1/users/:id/orders
GET /api/v1/users/:id/orders
POST /api/v1/users/:id/orders
Actions that don't map to CRUD (use verbs sparingly)
不对应CRUD操作的动作(尽量少用动词)
POST /api/v1/orders/:id/cancel
POST /api/v1/auth/login
POST /api/v1/auth/refresh
undefinedPOST /api/v1/orders/:id/cancel
POST /api/v1/auth/login
POST /api/v1/auth/refresh
undefinedNaming Rules
命名规则
undefinedundefinedGOOD
规范示例
/api/v1/team-members # kebab-case for multi-word resources
/api/v1/orders?status=active # query params for filtering
/api/v1/users/123/orders # nested resources for ownership
/api/v1/team-members # 多词资源使用短横线分隔命名法
/api/v1/orders?status=active # 使用查询参数进行过滤
/api/v1/users/123/orders # 使用嵌套资源表示所属关系
BAD
不规范示例
/api/v1/getUsers # verb in URL
/api/v1/user # singular (use plural)
/api/v1/team_members # snake_case in URLs
/api/v1/users/123/getOrders # verb in nested resource
undefined/api/v1/getUsers # URL中包含动词
/api/v1/user # 使用单数形式(应使用复数)
/api/v1/team_members # URL中使用下划线分隔
/api/v1/users/123/getOrders # 嵌套资源中包含动词
undefinedHTTP Methods and Status Codes
HTTP方法与状态码
Method Semantics
方法语义
| Method | Idempotent | Safe | Use For |
|---|---|---|---|
| GET | Yes | Yes | Retrieve resources |
| POST | No | No | Create resources, trigger actions |
| PUT | Yes | No | Full replacement of a resource |
| PATCH | No* | No | Partial update of a resource |
| DELETE | Yes | No | Remove a resource |
*PATCH can be made idempotent with proper implementation
| 方法 | 幂等性 | 安全性 | 适用场景 |
|---|---|---|---|
| GET | 是 | 是 | 获取资源 |
| POST | 否 | 否 | 创建资源、触发动作 |
| PUT | 是 | 否 | 完全替换资源 |
| PATCH | 否* | 否 | 部分更新资源 |
| DELETE | 是 | 否 | 删除资源 |
*通过合理实现可使PATCH具备幂等性
Status Code Reference
状态码参考
undefinedundefinedSuccess
成功响应
200 OK — GET, PUT, PATCH (with response body)
201 Created — POST (include Location header)
204 No Content — DELETE, PUT (no response body)
200 OK — GET、PUT、PATCH请求(带响应体)
201 Created — POST请求(需包含Location响应头)
204 No Content — DELETE、PUT请求(无响应体)
Client Errors
客户端错误
400 Bad Request — Validation failure, malformed JSON
401 Unauthorized — Missing or invalid authentication
403 Forbidden — Authenticated but not authorized
404 Not Found — Resource doesn't exist
409 Conflict — Duplicate entry, state conflict
422 Unprocessable Entity — Semantically invalid (valid JSON, bad data)
429 Too Many Requests — Rate limit exceeded
400 Bad Request — 验证失败、JSON格式错误
401 Unauthorized — 缺少或无效的认证信息
403 Forbidden — 已认证但无权限访问
404 Not Found — 资源不存在
409 Conflict — 重复条目、状态冲突
422 Unprocessable Entity — 语义无效(JSON格式正确但数据不合法)
429 Too Many Requests — 超出速率限制
Server Errors
服务器错误
500 Internal Server Error — Unexpected failure (never expose details)
502 Bad Gateway — Upstream service failed
503 Service Unavailable — Temporary overload, include Retry-After
undefined500 Internal Server Error — 意外故障(绝不能暴露细节信息)
502 Bad Gateway — 上游服务故障
503 Service Unavailable — 临时过载,需包含Retry-After响应头
undefinedCommon Mistakes
常见错误
undefinedundefinedBAD: 200 for everything
错误示例:所有请求都返回200
{ "status": 200, "success": false, "error": "Not found" }
{ "status": 200, "success": false, "error": "Not found" }
GOOD: Use HTTP status codes semantically
正确示例:语义化使用HTTP状态码
HTTP/1.1 404 Not Found
{ "error": { "code": "not_found", "message": "User not found" } }
HTTP/1.1 404 Not Found
{ "error": { "code": "not_found", "message": "用户不存在" } }
BAD: 500 for validation errors
错误示例:验证错误返回500
GOOD: 400 or 422 with field-level details
正确示例:返回400或422并附带字段级错误详情
BAD: 200 for created resources
错误示例:创建资源后返回200
GOOD: 201 with Location header
正确示例:返回201并包含Location响应头
HTTP/1.1 201 Created
Location: /api/v1/users/abc-123
undefinedHTTP/1.1 201 Created
Location: /api/v1/users/abc-123
undefinedResponse Format
响应格式
Success Response
成功响应
json
{
"data": {
"id": "abc-123",
"email": "alice@example.com",
"name": "Alice",
"created_at": "2025-01-15T10:30:00Z"
}
}json
{
"data": {
"id": "abc-123",
"email": "alice@example.com",
"name": "Alice",
"created_at": "2025-01-15T10:30:00Z"
}
}Collection Response (with Pagination)
集合响应(带分页)
json
{
"data": [
{ "id": "abc-123", "name": "Alice" },
{ "id": "def-456", "name": "Bob" }
],
"meta": {
"total": 142,
"page": 1,
"per_page": 20,
"total_pages": 8
},
"links": {
"self": "/api/v1/users?page=1&per_page=20",
"next": "/api/v1/users?page=2&per_page=20",
"last": "/api/v1/users?page=8&per_page=20"
}
}json
{
"data": [
{ "id": "abc-123", "name": "Alice" },
{ "id": "def-456", "name": "Bob" }
],
"meta": {
"total": 142,
"page": 1,
"per_page": 20,
"total_pages": 8
},
"links": {
"self": "/api/v1/users?page=1&per_page=20",
"next": "/api/v1/users?page=2&per_page=20",
"last": "/api/v1/users?page=8&per_page=20"
}
}Error Response
错误响应
json
{
"error": {
"code": "validation_error",
"message": "Request validation failed",
"details": [
{
"field": "email",
"message": "Must be a valid email address",
"code": "invalid_format"
},
{
"field": "age",
"message": "Must be between 0 and 150",
"code": "out_of_range"
}
]
}
}json
{
"error": {
"code": "validation_error",
"message": "请求验证失败",
"details": [
{
"field": "email",
"message": "必须是有效的邮箱地址",
"code": "invalid_format"
},
{
"field": "age",
"message": "必须在0到150之间",
"code": "out_of_range"
}
]
}
}Response Envelope Variants
响应封装变体
typescript
// Option A: Envelope with data wrapper (recommended for public APIs)
interface ApiResponse<T> {
data: T;
meta?: PaginationMeta;
links?: PaginationLinks;
}
interface ApiError {
error: {
code: string;
message: string;
details?: FieldError[];
};
}
// Option B: Flat response (simpler, common for internal APIs)
// Success: just return the resource directly
// Error: return error object
// Distinguish by HTTP status codetypescript
// 选项A:带数据包装的封装(推荐用于公开API)
interface ApiResponse<T> {
data: T;
meta?: PaginationMeta;
links?: PaginationLinks;
}
interface ApiError {
error: {
code: string;
message: string;
details?: FieldError[];
};
}
// 选项B:扁平化响应(更简洁,常用于内部API)
// 成功:直接返回资源
// 错误:返回错误对象
// 通过HTTP状态码区分结果Pagination
分页
Offset-Based (Simple)
基于偏移量(简单型)
GET /api/v1/users?page=2&per_page=20GET /api/v1/users?page=2&per_page=20Implementation
实现代码
SELECT * FROM users
ORDER BY created_at DESC
LIMIT 20 OFFSET 20;
**Pros:** Easy to implement, supports "jump to page N"
**Cons:** Slow on large offsets (OFFSET 100000), inconsistent with concurrent insertsSELECT * FROM users
ORDER BY created_at DESC
LIMIT 20 OFFSET 20;
**优点:** 易于实现,支持"跳转到第N页"
**缺点:** 偏移量较大时性能低下(如OFFSET 100000),并发插入时结果不一致Cursor-Based (Scalable)
基于游标(可扩展型)
GET /api/v1/users?cursor=eyJpZCI6MTIzfQ&limit=20GET /api/v1/users?cursor=eyJpZCI6MTIzfQ&limit=20Implementation
实现代码
SELECT * FROM users
WHERE id > :cursor_id
ORDER BY id ASC
LIMIT 21; -- fetch one extra to determine has_next
```json
{
"data": [...],
"meta": {
"has_next": true,
"next_cursor": "eyJpZCI6MTQzfQ"
}
}Pros: Consistent performance regardless of position, stable with concurrent inserts
Cons: Cannot jump to arbitrary page, cursor is opaque
SELECT * FROM users
WHERE id > :cursor_id
ORDER BY id ASC
LIMIT 21; -- 多获取一条数据以判断是否有下一页
```json
{
"data": [...],
"meta": {
"has_next": true,
"next_cursor": "eyJpZCI6MTQzfQ"
}
}优点: 无论数据位置如何性能一致,并发插入时结果稳定
缺点: 无法跳转到任意页面,游标为不透明格式
When to Use Which
选型建议
| Use Case | Pagination Type |
|---|---|
| Admin dashboards, small datasets (<10K) | Offset |
| Infinite scroll, feeds, large datasets | Cursor |
| Public APIs | Cursor (default) with offset (optional) |
| Search results | Offset (users expect page numbers) |
| 适用场景 | 分页类型 |
|---|---|
| 管理后台、小型数据集(<10K) | 偏移量分页 |
| 无限滚动、信息流、大型数据集 | 游标分页 |
| 公开API | 默认使用游标分页,可选支持偏移量分页 |
| 搜索结果 | 偏移量分页(用户期望页码跳转) |
Filtering, Sorting, and Search
过滤、排序与搜索
Filtering
过滤
undefinedundefinedSimple equality
简单等值过滤
GET /api/v1/orders?status=active&customer_id=abc-123
GET /api/v1/orders?status=active&customer_id=abc-123
Comparison operators (use bracket notation)
比较运算符(使用方括号表示)
GET /api/v1/products?price[gte]=10&price[lte]=100
GET /api/v1/orders?created_at[after]=2025-01-01
GET /api/v1/products?price[gte]=10&price[lte]=100
GET /api/v1/orders?created_at[after]=2025-01-01
Multiple values (comma-separated)
多值过滤(逗号分隔)
GET /api/v1/products?category=electronics,clothing
GET /api/v1/products?category=electronics,clothing
Nested fields (dot notation)
嵌套字段过滤(点符号表示)
GET /api/v1/orders?customer.country=US
undefinedGET /api/v1/orders?customer.country=US
undefinedSorting
排序
undefinedundefinedSingle field (prefix - for descending)
单字段排序(前缀-表示降序)
GET /api/v1/products?sort=-created_at
GET /api/v1/products?sort=-created_at
Multiple fields (comma-separated)
多字段排序(逗号分隔)
GET /api/v1/products?sort=-featured,price,-created_at
undefinedGET /api/v1/products?sort=-featured,price,-created_at
undefinedFull-Text Search
全文搜索
undefinedundefinedSearch query parameter
搜索查询参数
GET /api/v1/products?q=wireless+headphones
GET /api/v1/products?q=wireless+headphones
Field-specific search
字段专属搜索
GET /api/v1/users?email=alice
undefinedGET /api/v1/users?email=alice
undefinedSparse Fieldsets
稀疏字段集
undefinedundefinedReturn only specified fields (reduces payload)
仅返回指定字段(减少响应 payload)
GET /api/v1/users?fields=id,name,email
GET /api/v1/orders?fields=id,total,status&include=customer.name
undefinedGET /api/v1/users?fields=id,name,email
GET /api/v1/orders?fields=id,total,status&include=customer.name
undefinedAuthentication and Authorization
认证与授权
Token-Based Auth
基于令牌的认证
undefinedundefinedBearer token in Authorization header
在Authorization头中携带Bearer令牌
GET /api/v1/users
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
GET /api/v1/users
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
API key (for server-to-server)
API密钥(适用于服务间调用)
GET /api/v1/data
X-API-Key: sk_live_abc123
undefinedGET /api/v1/data
X-API-Key: sk_live_abc123
undefinedAuthorization Patterns
授权模式
typescript
// Resource-level: check ownership
app.get("/api/v1/orders/:id", async (req, res) => {
const order = await Order.findById(req.params.id);
if (!order) return res.status(404).json({ error: { code: "not_found" } });
if (order.userId !== req.user.id) return res.status(403).json({ error: { code: "forbidden" } });
return res.json({ data: order });
});
// Role-based: check permissions
app.delete("/api/v1/users/:id", requireRole("admin"), async (req, res) => {
await User.delete(req.params.id);
return res.status(204).send();
});typescript
// 资源级授权:检查资源归属
app.get("/api/v1/orders/:id", async (req, res) => {
const order = await Order.findById(req.params.id);
if (!order) return res.status(404).json({ error: { code: "not_found" } });
if (order.userId !== req.user.id) return res.status(403).json({ error: { code: "forbidden" } });
return res.json({ data: order });
});
// 基于角色的授权:检查权限
app.delete("/api/v1/users/:id", requireRole("admin"), async (req, res) => {
await User.delete(req.params.id);
return res.status(204).send();
});Rate Limiting
速率限制
Headers
响应头
HTTP/1.1 200 OK
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1640000000HTTP/1.1 200 OK
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1640000000When exceeded
超出限制时
HTTP/1.1 429 Too Many Requests
Retry-After: 60
{
"error": {
"code": "rate_limit_exceeded",
"message": "Rate limit exceeded. Try again in 60 seconds."
}
}
undefinedHTTP/1.1 429 Too Many Requests
Retry-After: 60
{
"error": {
"code": "rate_limit_exceeded",
"message": "超出速率限制,请60秒后重试。"
}
}
undefinedRate Limit Tiers
速率限制层级
| Tier | Limit | Window | Use Case |
|---|---|---|---|
| Anonymous | 30/min | Per IP | Public endpoints |
| Authenticated | 100/min | Per user | Standard API access |
| Premium | 1000/min | Per API key | Paid API plans |
| Internal | 10000/min | Per service | Service-to-service |
| 层级 | 限制额度 | 时间窗口 | 适用场景 |
|---|---|---|---|
| 匿名用户 | 30次/分钟 | 按IP地址 | 公开端点 |
| 已认证用户 | 100次/分钟 | 按用户 | 标准API访问 |
| 付费用户 | 1000次/分钟 | 按API密钥 | 付费API套餐 |
| 内部服务 | 10000次/分钟 | 按服务 | 服务间调用 |
Versioning
版本控制
URL Path Versioning (Recommended)
URL路径版本控制(推荐)
/api/v1/users
/api/v2/usersPros: Explicit, easy to route, cacheable
Cons: URL changes between versions
/api/v1/users
/api/v2/users优点: 明确清晰,易于路由,可缓存
缺点: 版本变更时URL会改变
Header Versioning
请求头版本控制
GET /api/users
Accept: application/vnd.myapp.v2+jsonPros: Clean URLs
Cons: Harder to test, easy to forget
GET /api/users
Accept: application/vnd.myapp.v2+json优点: URL简洁
缺点: 测试难度大,容易遗漏
Versioning Strategy
版本控制策略
1. Start with /api/v1/ — don't version until you need to
2. Maintain at most 2 active versions (current + previous)
3. Deprecation timeline:
- Announce deprecation (6 months notice for public APIs)
- Add Sunset header: Sunset: Sat, 01 Jan 2026 00:00:00 GMT
- Return 410 Gone after sunset date
4. Non-breaking changes don't need a new version:
- Adding new fields to responses
- Adding new optional query parameters
- Adding new endpoints
5. Breaking changes require a new version:
- Removing or renaming fields
- Changing field types
- Changing URL structure
- Changing authentication method1. 初始使用/api/v1/ —— 不需要过早版本化,直到有需求时再进行
2. 最多维护2个活跃版本(当前版本 + 上一版本)
3. 弃用时间线:
- 提前宣布弃用(公开API需提前6个月通知)
- 添加Sunset响应头:Sunset: Sat, 01 Jan 2026 00:00:00 GMT
- 弃用日期后返回410 Gone状态码
4. 非破坏性变更不需要新增版本:
- 响应中新增字段
- 新增可选查询参数
- 新增API端点
5. 破坏性变更需要新增版本:
- 删除或重命名字段
- 改变字段类型
- 修改URL结构
- 变更认证方式Implementation Patterns
实现模式
TypeScript (Next.js API Route)
TypeScript(Next.js API路由)
typescript
import { z } from "zod";
import { NextRequest, NextResponse } from "next/server";
const createUserSchema = z.object({
email: z.string().email(),
name: z.string().min(1).max(100),
});
export async function POST(req: NextRequest) {
const body = await req.json();
const parsed = createUserSchema.safeParse(body);
if (!parsed.success) {
return NextResponse.json({
error: {
code: "validation_error",
message: "Request validation failed",
details: parsed.error.issues.map(i => ({
field: i.path.join("."),
message: i.message,
code: i.code,
})),
},
}, { status: 422 });
}
const user = await createUser(parsed.data);
return NextResponse.json(
{ data: user },
{
status: 201,
headers: { Location: `/api/v1/users/${user.id}` },
},
);
}typescript
import { z } from "zod";
import { NextRequest, NextResponse } from "next/server";
const createUserSchema = z.object({
email: z.string().email(),
name: z.string().min(1).max(100),
});
export async function POST(req: NextRequest) {
const body = await req.json();
const parsed = createUserSchema.safeParse(body);
if (!parsed.success) {
return NextResponse.json({
error: {
code: "validation_error",
message: "请求验证失败",
details: parsed.error.issues.map(i => ({
field: i.path.join("."),
message: i.message,
code: i.code,
})),
},
}, { status: 422 });
}
const user = await createUser(parsed.data);
return NextResponse.json(
{ data: user },
{
status: 201,
headers: { Location: `/api/v1/users/${user.id}` },
},
);
}Python (Django REST Framework)
Python(Django REST Framework)
python
from rest_framework import serializers, viewsets, status
from rest_framework.response import Response
class CreateUserSerializer(serializers.Serializer):
email = serializers.EmailField()
name = serializers.CharField(max_length=100)
class UserSerializer(serializers.ModelSerializer):
class Meta:
model = User
fields = ["id", "email", "name", "created_at"]
class UserViewSet(viewsets.ModelViewSet):
serializer_class = UserSerializer
permission_classes = [IsAuthenticated]
def get_serializer_class(self):
if self.action == "create":
return CreateUserSerializer
return UserSerializer
def create(self, request):
serializer = CreateUserSerializer(data=request.data)
serializer.is_valid(raise_exception=True)
user = UserService.create(**serializer.validated_data)
return Response(
{"data": UserSerializer(user).data},
status=status.HTTP_201_CREATED,
headers={"Location": f"/api/v1/users/{user.id}"},
)python
from rest_framework import serializers, viewsets, status
from rest_framework.response import Response
class CreateUserSerializer(serializers.Serializer):
email = serializers.EmailField()
name = serializers.CharField(max_length=100)
class UserSerializer(serializers.ModelSerializer):
class Meta:
model = User
fields = ["id", "email", "name", "created_at"]
class UserViewSet(viewsets.ModelViewSet):
serializer_class = UserSerializer
permission_classes = [IsAuthenticated]
def get_serializer_class(self):
if self.action == "create":
return CreateUserSerializer
return UserSerializer
def create(self, request):
serializer = CreateUserSerializer(data=request.data)
serializer.is_valid(raise_exception=True)
user = UserService.create(**serializer.validated_data)
return Response(
{"data": UserSerializer(user).data},
status=status.HTTP_201_CREATED,
headers={"Location": f"/api/v1/users/{user.id}"},
)Go (net/http)
Go(net/http)
go
func (h *UserHandler) CreateUser(w http.ResponseWriter, r *http.Request) {
var req CreateUserRequest
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
writeError(w, http.StatusBadRequest, "invalid_json", "Invalid request body")
return
}
if err := req.Validate(); err != nil {
writeError(w, http.StatusUnprocessableEntity, "validation_error", err.Error())
return
}
user, err := h.service.Create(r.Context(), req)
if err != nil {
switch {
case errors.Is(err, domain.ErrEmailTaken):
writeError(w, http.StatusConflict, "email_taken", "Email already registered")
default:
writeError(w, http.StatusInternalServerError, "internal_error", "Internal error")
}
return
}
w.Header().Set("Location", fmt.Sprintf("/api/v1/users/%s", user.ID))
writeJSON(w, http.StatusCreated, map[string]any{"data": user})
}go
func (h *UserHandler) CreateUser(w http.ResponseWriter, r *http.Request) {
var req CreateUserRequest
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
writeError(w, http.StatusBadRequest, "invalid_json", "Invalid request body")
return
}
if err := req.Validate(); err != nil {
writeError(w, http.StatusUnprocessableEntity, "validation_error", err.Error())
return
}
user, err := h.service.Create(r.Context(), req)
if err != nil {
switch {
case errors.Is(err, domain.ErrEmailTaken):
writeError(w, http.StatusConflict, "email_taken", "Email already registered")
default:
writeError(w, http.StatusInternalServerError, "internal_error", "Internal error")
}
return
}
w.Header().Set("Location", fmt.Sprintf("/api/v1/users/%s", user.ID))
writeJSON(w, http.StatusCreated, map[string]any{"data": user})
}API Design Checklist
API设计检查清单
Before shipping a new endpoint:
- Resource URL follows naming conventions (plural, kebab-case, no verbs)
- Correct HTTP method used (GET for reads, POST for creates, etc.)
- Appropriate status codes returned (not 200 for everything)
- Input validated with schema (Zod, Pydantic, Bean Validation)
- Error responses follow standard format with codes and messages
- Pagination implemented for list endpoints (cursor or offset)
- Authentication required (or explicitly marked as public)
- Authorization checked (user can only access their own resources)
- Rate limiting configured
- Response does not leak internal details (stack traces, SQL errors)
- Consistent naming with existing endpoints (camelCase vs snake_case)
- Documented (OpenAPI/Swagger spec updated)
在发布新端点前,请确认:
- 资源URL符合命名规范(复数、短横线分隔、无动词)
- 使用了正确的HTTP方法(GET用于读取,POST用于创建等)
- 返回了合适的状态码(不所有请求都返回200)
- 使用Schema对输入进行验证(如Zod、Pydantic、Bean Validation)
- 错误响应遵循标准格式,包含错误码与信息
- 列表端点实现了分页(游标或偏移量方式)
- 已配置认证要求(或明确标记为公开)
- 已检查授权逻辑(用户仅能访问自身资源)
- 已配置速率限制
- 响应未泄露内部细节(如堆栈跟踪、SQL错误)
- 命名与现有端点保持一致(驼峰式 vs 下划线式)
- 已完成文档编写(更新OpenAPI/Swagger规范)