What Makes a Good REST API?
A well-designed REST API is predictable, consistent, and easy to consume. Whether you're building an internal microservice or a public developer platform, following established conventions reduces friction for everyone who integrates with your work.
This guide covers the core best practices you should apply when designing and building RESTful APIs — regardless of language or framework.
Table of Contents
- Resource Naming Conventions
- Using HTTP Methods Correctly
- HTTP Status Codes
- API Versioning
- Security Essentials
- Documentation
1. Resource Naming Conventions
Resources should be represented as nouns, not verbs. The HTTP method already describes the action — your URL should describe the resource.
- Good:
GET /users/42/orders - Bad:
GET /getOrdersForUser?id=42
Additional naming rules to follow:
- Use lowercase letters and hyphens (not underscores) for multi-word resources:
/product-categories - Use plural nouns for collections:
/articles,/users - Nest resources logically but avoid deep nesting beyond 2–3 levels
2. Using HTTP Methods Correctly
| Method | Use Case | Idempotent? |
|---|---|---|
| GET | Retrieve a resource or list | Yes |
| POST | Create a new resource | No |
| PUT | Replace a resource entirely | Yes |
| PATCH | Partially update a resource | No |
| DELETE | Remove a resource | Yes |
Never use GET to perform state-changing operations. Search engines and caching layers may follow GET links, producing unintended side effects.
3. HTTP Status Codes — Use Them Meaningfully
Returning 200 OK for everything — including errors — is a common anti-pattern. Use appropriate status codes:
- 200 OK — Successful GET, PUT, PATCH
- 201 Created — Successful POST that created a resource
- 204 No Content — Successful DELETE
- 400 Bad Request — Malformed request or validation failure
- 401 Unauthorized — Missing or invalid authentication
- 403 Forbidden — Authenticated but not authorized
- 404 Not Found — Resource doesn't exist
- 429 Too Many Requests — Rate limit exceeded
- 500 Internal Server Error — Unexpected server-side failure
4. API Versioning
APIs evolve. Without versioning, breaking changes will break your consumers. Common strategies include:
- URI versioning:
/v1/users— Simple and visible, most widely used - Header versioning:
Accept: application/vnd.api+json;version=2— Cleaner URLs, harder to test in a browser - Query parameter:
/users?version=1— Easy to implement, less semantic
URI versioning is the most practical choice for most teams due to its simplicity and cache-friendliness.
5. Security Essentials
Every production API must address these fundamentals:
- Always use HTTPS — Never transmit tokens or data over plain HTTP
- Authenticate with tokens — Use JWT or OAuth 2.0; avoid API keys in URLs
- Implement rate limiting — Protect against abuse and DoS attacks
- Validate all input — Sanitize before processing; never trust client data
- Return minimal data — Don't expose fields consumers don't need
6. Documentation
An undocumented API is nearly unusable. Use the OpenAPI Specification (Swagger) to generate interactive documentation. Good docs include: authentication instructions, request/response examples, error codes, and a changelog.
Key Takeaways
Good REST API design is about consistency and clarity. Use meaningful resource names, the right HTTP methods, accurate status codes, a versioning strategy, and solid security from day one. Your future consumers — and your future self — will thank you.