API Development Best Practices | Versioning & Documentation
Build APIs with clear contracts and comprehensive documentation. Track endpoints in GitScrum, manage breaking changes, and ensure developer-friendly design.
9 min read
APIs are contracts between systems. GitScrum helps teams plan, track, and deliver API work with proper documentation and testing.
API Planning
API Stories in GitScrum
API STORY STRUCTURE:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β API-123: Create User Endpoint β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β As an API consumer β
β I can create a new user via POST /api/v1/users β
β So that I can onboard users programmatically β
β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β ENDPOINT SPECIFICATION: β
β β
β Method: POST β
β Path: /api/v1/users β
β Auth: Bearer token required β
β β
β Request Body: β
β { β
β "email": "user@example.com", β
β "name": "John Doe", β
β "role": "member" β
β } β
β β
β Success Response (201): β
β { β
β "id": "usr_abc123", β
β "email": "user@example.com", β
β "name": "John Doe", β
β "role": "member", β
β "created_at": "2024-01-15T10:30:00Z" β
β } β
β β
β Error Responses: β
β 400 - Invalid input (missing field, invalid format) β
β 401 - Authentication required β
β 403 - Insufficient permissions β
β 409 - Email already exists β
β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β ACCEPTANCE CRITERIA: β
β β Endpoint accepts valid user data β
β β Returns 201 with created user β
β β Validates email format β
β β Rejects duplicate emails (409) β
β β Requires authentication β
β β Documentation updated β
β β Tests cover happy path and errors β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
API Design Checklist
API DESIGN PRINCIPLES:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β
β NAMING CONVENTIONS: β
β β
β β
Resources are nouns, plural: β
β /users, /projects, /tasks β
β β
β β
Use kebab-case for multi-word: β
β /project-members, /time-entries β
β β
β β
Nest for relationships: β
β /projects/{id}/tasks β
β /users/{id}/notifications β
β β
β β Don't use verbs in path: β
β /getUsers β GET /users β
β /createProject β POST /projects β
β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β HTTP METHODS: β
β β
β GET - Retrieve resource(s) β
β POST - Create new resource β
β PUT - Replace entire resource β
β PATCH - Update part of resource β
β DELETE - Remove resource β
β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β STATUS CODES: β
β β
β 200 OK - Successful GET/PUT/PATCH β
β 201 Created - Successful POST β
β 204 No Content - Successful DELETE β
β 400 Bad Request - Invalid input β
β 401 Unauthorized - No auth β
β 403 Forbidden - No permission β
β 404 Not Found - Resource doesn't exist β
β 409 Conflict - Duplicate/conflict β
β 422 Unprocessable - Validation failed β
β 500 Server Error - Our fault β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
API Versioning
Version Strategy
API VERSIONING APPROACHES:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β
β OPTION 1: URL PATH (Recommended) β
β β
β /api/v1/users β
β /api/v2/users β
β β
β Pros: Clear, easy to route, cacheable β
β Cons: URL changes between versions β
β β
β OPTION 2: HEADER β
β β
β Accept: application/vnd.api.v1+json β
β β
β Pros: Clean URLs β
β Cons: Less discoverable, harder to test β
β β
β OPTION 3: QUERY PARAMETER β
β β
β /api/users?version=1 β
β β
β Pros: Simple β
β Cons: Can be cached incorrectly β
β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β VERSIONING RULES: β
β β
β MAJOR VERSION (v1 β v2): β
β β’ Breaking changes β
β β’ Removed endpoints β
β β’ Changed response structure β
β β
β MINOR VERSION (tracked in changelog): β
β β’ New endpoints β
β β’ New optional fields β
β β’ Non-breaking changes β
β β
β MAINTAIN MULTIPLE VERSIONS: β
β v1: Deprecated, sunset date announced β
β v2: Current stable version β
β v3: Beta/preview (optional) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Breaking Changes
MANAGING BREAKING CHANGES:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β
β WHAT'S A BREAKING CHANGE: β
β β
β β
BREAKING: β
β β’ Removing an endpoint β
β β’ Removing a field from response β
β β’ Changing field type (string β object) β
β β’ Changing required/optional status β
β β’ Changing authentication method β
β β
β β
NOT BREAKING: β
β β’ Adding new endpoint β
β β’ Adding new field to response β
β β’ Adding new optional parameter β
β β’ Changing error message text β
β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β DEPRECATION PROCESS: β
β β
β 1. ANNOUNCE β
β "v1 will be deprecated in 6 months" β
β Add deprecation warnings to responses β
β β
β 2. SUPPORT TRANSITION β
β Run v1 and v2 simultaneously β
β Provide migration guide β
β β
β 3. MONITOR USAGE β
β Track v1 API calls β
β Notify active v1 consumers β
β β
β 4. SUNSET β
β Final warning 30 days before β
β Turn off v1, return 410 Gone β
β β
β GITSCRUM TRACKING: β
β Label: breaking-change β
β Include migration notes in story β
β Link to affected integrations β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
API Documentation
Documentation Standards
API DOCUMENTATION REQUIREMENTS:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β
β EVERY ENDPOINT NEEDS: β
β β
β 1. OVERVIEW β
β What does this endpoint do? β
β When would you use it? β
β β
β 2. REQUEST β
β β’ Method and path β
β β’ Headers required β
β β’ Path parameters β
β β’ Query parameters β
β β’ Request body schema β
β β’ Example request β
β β
β 3. RESPONSE β
β β’ Success response schema β
β β’ Example success response β
β β’ All possible error responses β
β β’ Example error responses β
β β
β 4. CODE EXAMPLES β
β cURL, JavaScript, Python examples β
β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β DOCUMENTATION TOOLS: β
β β
β OpenAPI/Swagger: β
β β’ Define API in YAML/JSON β
β β’ Auto-generate docs β
β β’ Interactive testing β
β β
β Keep docs with code: β
β β’ /docs/api/ in repository β
β β’ Updates with PRs β
β β’ Version control β
β β
β DEFINITION OF DONE: β
β β Endpoint works β
β β Tests written β
β β Documentation updated β
β β Changelog entry added β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
API Testing
Test Categories
API TESTING STRATEGY:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β
β UNIT TESTS: β
β Test individual functions/handlers β
β β’ Validation logic β
β β’ Business logic β
β β’ Data transformations β
β β
β INTEGRATION TESTS: β
β Test endpoint behavior β
β β’ Request β Response flow β
β β’ Database interactions β
β β’ External service calls (mocked) β
β β
β CONTRACT TESTS: β
β Verify API matches specification β
β β’ Response matches OpenAPI spec β
β β’ Breaking changes caught β
β β
β E2E TESTS: β
β Test full user workflows β
β β’ Create user β Create project β Add task β
β β’ Real database, real services β
β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β TEST COVERAGE FOR ENDPOINTS: β
β β
β β Happy path (success case) β
β β Validation errors (400) β
β β Authentication required (401) β
β β Permission denied (403) β
β β Not found (404) β
β β Conflict/duplicate (409) β
β β Rate limiting (429) β
β β Edge cases (empty input, max values) β
β β
β ACCEPTANCE CRITERIA: β
β Tests must cover all documented responses β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Error Handling
Consistent Errors
ERROR RESPONSE STANDARDS:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β
β ERROR RESPONSE STRUCTURE: β
β β
β { β
β "error": { β
β "code": "validation_error", β
β "message": "Invalid input provided", β
β "details": [ β
β { β
β "field": "email", β
β "message": "Invalid email format" β
β }, β
β { β
β "field": "name", β
β "message": "Name is required" β
β } β
β ], β
β "request_id": "req_abc123" β
β } β
β } β
β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β ERROR CODES (Machine-readable): β
β β
β validation_error - Invalid input β
β authentication_error - No/invalid auth β
β authorization_error - No permission β
β not_found - Resource doesn't exist β
β conflict - Duplicate/conflict β
β rate_limited - Too many requests β
β server_error - Internal error β
β β
β PRINCIPLES: β
β β
β β’ Machine-readable error codes β
β β’ Human-readable messages β
β β’ Field-level details when relevant β
β β’ Request ID for debugging β
β β’ Don't expose internal details β
β β’ Consistent structure across all endpoints β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ