Specifying the API endpoints

Our API interface will be as follows:

 

Note there are two elements of the API:

  • A public API, starting with /api:
    • An authenticated public API, starting with /api/me. The user needs to be authenticated to perform these actions. A non-authenticated request will return a 401 Unauthorized status code.
    • A non-authenticated public API, starting with /api. Any user, even not authenticated, can perform these actions.
  • An admin API (starting with /admin). This won't be exposed publicly. It spares the authentication and allows you to do operations that are not designed to be done by customers. Clearly labeling with a prefix helps to audit the operations and clearly signifies that they should not be available outside of your data center.

The format of a thought is as follows:

thought
{
id integer
username string
text string
timestamp string($date-time)
}

To create one, only the text needs to be sent. The timestamp is set automatically, the ID is created automatically, and the username is detected by the authentication data.

As this is an example, this API is designed to be minimal. In particular, more administrator endpoints could be created to effectively impersonate a user and allow administrator actions. The DELETE action was the first action included as a way of cleaning tests.

One final detail: there is some debate over whether it's best to end URI resources with a final slash or not. When working with Flask, though, defining them with a slash will return a redirect status code, 308 PERMANENT_REDIRECT, for a request without the proper ending. In any case, try to be consistent to avoid confusion.