| name | api-design |
| description | REST API design patterns including resource naming, status codes, pagination, filtering, error responses, versioning, and rate limiting for production APIs. |
| origin | ECC |
API Design Patterns
äžè²«æ§ãããéçºè
ãã¬ã³ããªãŒãª REST API ãèšèšããããã®èŠçŽãšãã¹ããã©ã¯ãã£ã¹ã§ãã
èµ·åæ¡ä»¶
- æ°ãã API ãšã³ããã€ã³ããèšèšããå Žå
- æ¢åã® API ã³ã³ãã©ã¯ããã¬ãã¥ãŒããå Žå
- ããŒãžããŒã·ã§ã³ããã£ã«ã¿ãªã³ã°ããœãŒãã远å ããå Žå
- API ã®ãšã©ãŒãã³ããªã³ã°ãå®è£
ããå Žå
- API ããŒãžã§ãã³ã°æŠç¥ãèšç»ããå Žå
- ãããªãã¯ãŸãã¯ããŒãããŒåã API ãæ§ç¯ããå Žå
Resource Design
URL æ§é
# ãªãœãŒã¹ã¯åè©ãè€æ°åœ¢ãå°æåãkebab-case
GET /api/v1/users
GET /api/v1/users/:id
POST /api/v1/users
PUT /api/v1/users/:id
PATCH /api/v1/users/:id
DELETE /api/v1/users/:id
# ãªã¬ãŒã·ã§ã³ã·ããã®ããã®ãµããªãœãŒã¹
GET /api/v1/users/:id/orders
POST /api/v1/users/:id/orders
# CRUD ã«ãããã³ã°ãããªãã¢ã¯ã·ã§ã³ïŒåè©ã¯æ§ããã«äœ¿çšïŒ
POST /api/v1/orders/:id/cancel
POST /api/v1/auth/login
POST /api/v1/auth/refresh
åœåã«ãŒã«
# GOOD
/api/v1/team-members # è€æ°èªã®ãªãœãŒã¹ã«ã¯ kebab-case
/api/v1/orders?status=active # ãã£ã«ã¿ãªã³ã°ã«ã¯ã¯ãšãªãã©ã¡ãŒã¿
/api/v1/users/123/orders # ææé¢ä¿ã«ã¯ãã¹ãããããªãœãŒã¹
# BAD
/api/v1/getUsers # URL ã«åè©
/api/v1/user # åæ°åœ¢ïŒè€æ°åœ¢ã䜿çšïŒ
/api/v1/team_members # URL ã« snake_case
/api/v1/users/123/getOrders # ãã¹ãããããªãœãŒã¹ã«åè©
HTTP Methods ãšã¹ããŒã¿ã¹ã³ãŒã
ã¡ãœããã®ã»ãã³ãã£ã¯ã¹
| ã¡ãœãã | åªçæ§ | å®å
šæ§ | çšé |
|---|
| GET | ãã | ãã | ãªãœãŒã¹ã®ååŸ |
| POST | ãªã | ãªã | ãªãœãŒã¹ã®äœæãã¢ã¯ã·ã§ã³ã®ããªã¬ãŒ |
| PUT | ãã | ãªã | ãªãœãŒã¹ã®å®å
šãªçœ®æ |
| PATCH | ãªã* | ãªã | ãªãœãŒã¹ã®éšåçãªæŽæ° |
| DELETE | ãã | ãªã | ãªãœãŒã¹ã®åé€ |
*PATCH ã¯é©åãªå®è£
ã«ããåªçã«ããããšãã§ããŸã
ã¹ããŒã¿ã¹ Code Reference
# æå
200 OK â GET, PUT, PATCHïŒã¬ã¹ãã³ã¹ããã£ããïŒ
201 Created â POSTïŒLocation ããããŒãå«ããïŒ
204 No Content â DELETE, PUTïŒã¬ã¹ãã³ã¹ããã£ãªãïŒ
# ã¯ã©ã€ã¢ã³ããšã©ãŒ
400 Bad Request â ããªããŒã·ã§ã³å€±æãäžæ£ãª JSON
401 Unauthorized â èªèšŒã®æ¬ èœãŸãã¯ç¡å¹
403 Forbidden â èªèšŒæžã¿ã ãæš©éãªã
404 Not Found â ãªãœãŒã¹ãååšããªã
409 Conflict â éè€ãšã³ããªãç¶æ
ã®ç«¶å
422 Unprocessable Entity â ã»ãã³ãã£ãã¯ã«ç¡å¹ïŒæå¹ãª JSONãäžæ£ãªããŒã¿ïŒ
429 Too Many Requests â ã¬ãŒãå¶éè¶
é
# ãµãŒããŒãšã©ãŒ
500 Internal Server Error â äºæããªãé害ïŒè©³çްãå
¬éããªãïŒ
502 Bad Gateway â ã¢ããã¹ããªãŒã ãµãŒãã¹ã®é害
503 Service Unavailable â äžæçãªéè² è·ãRetry-After ãå«ãã
ããããééã
# BAD: ãã¹ãŠã« 200
{ "status": 200, "success": false, "error": "Not found" }
# GOOD: HTTP ã¹ããŒã¿ã¹ã³ãŒããã»ãã³ãã£ãã¯ã«äœ¿çš
HTTP/1.1 404 Not Found
{ "error": { "code": "not_found", "message": "User not found" } }
# BAD: ããªããŒã·ã§ã³ãšã©ãŒã« 500
# GOOD: ãã£ãŒã«ãã¬ãã«ã®è©³çްä»ãã§ 400 ãŸã㯠422
# BAD: äœæããããªãœãŒã¹ã« 200
# GOOD: Location ããããŒä»ãã§ 201
HTTP/1.1 201 Created
Location: /api/v1/users/abc-123
Response Format
æåã¬ã¹ãã³ã¹
{
"data": {
"id": "abc-123",
"email": "alice@example.com",
"name": "Alice",
"created_at": "2025-01-15T10:30:00Z"
}
}
ã³ã¬ã¯ã·ã§ã³ã¬ã¹ãã³ã¹ïŒããŒãžããŒã·ã§ã³ä»ãïŒ
{
"data": [
{ "id": "abc-123", "name": "Alice" },
{ "id": "def-456", "name": "Bob" }
],
"meta": {
"total": 142,
"page": 1,
"per_page": 20,
"total_pages": 8
},
"links": {
"self": "/api/v1/users?page=1&per_page=20",
"next": "/api/v1/users?page=2&per_page=20",
"last": "/api/v1/users?page=8&per_page=20"
}
}
ãšã©ãŒã¬ã¹ãã³ã¹
{
"error": {
"code": "validation_error",
"message": "Request validation failed",
"details": [
{
"field": "email",
"message": "Must be a valid email address",
"code": "invalid_format"
},
{
"field": "age",
"message": "Must be between 0 and 150",
"code": "out_of_range"
}
]
}
}
ã¬ã¹ãã³ã¹ãšã³ãããŒãã®ããªãšãŒã·ã§ã³
interface ApiResponse<T> {
data: T;
meta?: PaginationMeta;
links?: PaginationLinks;
}
interface ApiError {
error: {
code: string;
message: string;
details?: FieldError[];
};
}
Pagination
ãªãã»ããããŒã¹ïŒã·ã³ãã«ïŒ
GET /api/v1/users?page=2&per_page=20
# å®è£
SELECT * FROM users
ORDER BY created_at DESC
LIMIT 20 OFFSET 20;
é·æ: å®è£
ãç°¡åããN ããŒãžç®ã«ãžã£ã³ãããå¯èœ
çæ: 倧ããªãªãã»ããã§äœéïŒOFFSET 100000ïŒãåææ¿å
¥ã§äžæŽå
ã«ãŒãœã«ããŒã¹ïŒã¹ã±ãŒã©ãã«ïŒ
GET /api/v1/users?cursor=eyJpZCI6MTIzfQ&limit=20
# å®è£
SELECT * FROM users
WHERE id > :cursor_id
ORDER BY id ASC
LIMIT 21; -- has_next ãå€å®ããããã«1ä»¶å€ãååŸ
{
"data": [...],
"meta": {
"has_next": true,
"next_cursor": "eyJpZCI6MTQzfQ"
}
}
é·æ: äœçœ®ã«é¢ä¿ãªãäžå®ã®ããã©ãŒãã³ã¹ãåææ¿å
¥ã§ãå®å®
çæ: ä»»æã®ããŒãžãžã®ãžã£ã³ãäžå¯ãã«ãŒãœã«ã¯äžéæ
䜿çšã¿ã€ãã³ã° Which
| ãŠãŒã¹ã±ãŒã¹ | ããŒãžããŒã·ã§ã³æ¹åŒ |
|---|
| 管çç»é¢ãå°èŠæš¡ããŒã¿ã»ããïŒ<10KïŒ | ãªãã»ãã |
| ç¡éã¹ã¯ããŒã«ããã£ãŒããå€§èŠæš¡ããŒã¿ã»ãã | ã«ãŒãœã« |
| ãããªã㯠API | ã«ãŒãœã«ïŒããã©ã«ãïŒããªãã»ããïŒãªãã·ã§ã³ïŒ |
| æ€çŽ¢çµæ | ãªãã»ããïŒãŠãŒã¶ãŒã¯ããŒãžçªå·ãæåŸ
ïŒ |
ãã£ã«ã¿ãªã³ã°ããœãŒããæ€çŽ¢
ãã£ã«ã¿ãªã³ã°
# åçŽãªç䟡
GET /api/v1/orders?status=active&customer_id=abc-123
# æ¯èŒæŒç®åïŒãã©ã±ãã衚èšã䜿çšïŒ
GET /api/v1/products?price[gte]=10&price[lte]=100
GET /api/v1/orders?created_at[after]=2025-01-01
# è€æ°å€ïŒã«ã³ãåºåãïŒ
GET /api/v1/products?category=electronics,clothing
# ãã¹ãããããã£ãŒã«ãïŒããã衚èšïŒ
GET /api/v1/orders?customer.country=US
ãœãŒã
# åäžãã£ãŒã«ãïŒéé ã¯ãã¬ãã£ãã¯ã¹ -ïŒ
GET /api/v1/products?sort=-created_at
# è€æ°ãã£ãŒã«ãïŒã«ã³ãåºåãïŒ
GET /api/v1/products?sort=-featured,price,-created_at
å
šææ€çŽ¢
# æ€çŽ¢ã¯ãšãªãã©ã¡ãŒã¿
GET /api/v1/products?q=wireless+headphones
# ãã£ãŒã«ãåºæã®æ€çŽ¢
GET /api/v1/users?email=alice
Sparse Fieldsets
# æå®ããããã£ãŒã«ãã®ã¿è¿ãïŒãã€ããŒããåæžïŒ
GET /api/v1/users?fields=id,name,email
GET /api/v1/orders?fields=id,total,status&include=customer.name
èªèšŒãšèªå¯
ããŒã¯ã³ããŒã¹èªèšŒ
# Authorization ããããŒã« Bearer ããŒã¯ã³
GET /api/v1/users
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
# API ããŒïŒãµãŒããŒééä¿¡çšïŒ
GET /api/v1/data
X-API-Key: sk_live_abc123
èªå¯ãã¿ãŒã³
app.get("/api/v1/orders/:id", async (req, res) => {
const order = await Order.findById(req.params.id);
if (!order) return res.status(404).json({ error: { code: "not_found" } });
if (order.userId !== req.user.id) return res.status(403).json({ error: { code: "forbidden" } });
return res.json({ data: order });
});
app.delete("/api/v1/users/:id", requireRole("admin"), async (req, res) => {
await User.delete(req.params.id);
return res.status(204).send();
});
Rate Limiting
ããããŒ
HTTP/1.1 200 OK
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1640000000
# è¶
éæ
HTTP/1.1 429 Too Many Requests
Retry-After: 60
{
"error": {
"code": "rate_limit_exceeded",
"message": "Rate limit exceeded. Try again in 60 seconds."
}
}
Rate Limit Tiers
| ãã£ã¢ | å¶é | ãŠã£ã³ã㊠| ãŠãŒã¹ã±ãŒã¹ |
|---|
| Anonymous | 30/å | IP ããš | ãããªãã¯ãšã³ããã€ã³ã |
| Authenticated | 100/å | ãŠãŒã¶ãŒããš | æšæº API ã¢ã¯ã»ã¹ |
| Premium | 1000/å | API ããŒããš | ææ API ãã©ã³ |
| Internal | 10000/å | ãµãŒãã¹ããš | ãµãŒãã¹ééä¿¡ |
ããŒãžã§ãã³ã°
URL ãã¹ããŒãžã§ãã³ã°ïŒæšå¥šïŒ
/api/v1/users
/api/v2/users
é·æ: æç€ºçãã«ãŒãã£ã³ã°ãç°¡åããã£ãã·ã¥å¯èœ
çæ: ããŒãžã§ã³éã§ URL ã倿Žããã
ããããŒããŒãžã§ãã³ã°
GET /api/users
Accept: application/vnd.myapp.v2+json
é·æ: URL ãã¯ãªãŒã³
çæ: ãã¹ããé£ãããæå®å¿ããèµ·ãããã
ããŒãžã§ãã³ã°æŠç¥
1. /api/v1/ ããå§ãã â å¿
èŠã«ãªããŸã§ããŒãžã§ãã³ã°ããªã
2. ã¢ã¯ãã£ãããŒãžã§ã³ã¯æå€§2ã€ïŒçŸè¡ïŒåããŒãžã§ã³ïŒ
3. éæšå¥šåã®ã¿ã€ã ã©ã€ã³:
- éæšå¥šãåç¥ïŒãããªã㯠API ã¯6ã¶æåã®éç¥ïŒ
- Sunset ããããŒã远å : Sunset: Sat, 01 Jan 2026 00:00:00 GMT
- Sunset æ¥ä»¥é㯠410 Gone ãè¿ã
4. ç Žå£çã§ãªã倿Žã¯æ°ããŒãžã§ã³äžèŠ:
- ã¬ã¹ãã³ã¹ãžã®æ°ãããã£ãŒã«ãã®è¿œå
- æ°ãããªãã·ã§ã³ã¯ãšãªãã©ã¡ãŒã¿ã®è¿œå
- æ°ãããšã³ããã€ã³ãã®è¿œå
5. ç Žå£ç倿Žã«ã¯æ°ããŒãžã§ã³ãå¿
èŠ:
- ãã£ãŒã«ãã®åé€ãŸãã¯ãªããŒã
- ãã£ãŒã«ãåã®å€æŽ
- URL æ§é ã®å€æŽ
- èªèšŒæ¹æ³ã®å€æŽ
å®è£
Patterns
TypeScript (Next.js API Route)
import { z } from "zod";
import { NextRequest, NextResponse } from "next/server";
const createUserSchema = z.object({
email: z.string().email(),
name: z.string().min(1).max(100),
});
export async function POST(req: NextRequest) {
const body = await req.json();
const parsed = createUserSchema.safeParse(body);
if (!parsed.success) {
return NextResponse.json({
error: {
code: "validation_error",
message: "Request validation failed",
details: parsed.error.issues.map(i => ({
field: i.path.join("."),
message: i.message,
code: i.code,
})),
},
}, { status: 422 });
}
const user = await createUser(parsed.data);
return NextResponse.json(
{ data: user },
{
status: 201,
headers: { Location: `/api/v1/users/${user.id}` },
},
);
}
Python (Django REST Framework)
from rest_framework import serializers, viewsets, status
from rest_framework.response import Response
class CreateUserSerializer(serializers.Serializer):
email = serializers.EmailField()
name = serializers.CharField(max_length=100)
class UserSerializer(serializers.ModelSerializer):
class Meta:
model = User
fields = ["id", "email", "name", "created_at"]
class UserViewSet(viewsets.ModelViewSet):
serializer_class = UserSerializer
permission_classes = [IsAuthenticated]
def get_serializer_class(self):
if self.action == "create":
return CreateUserSerializer
return UserSerializer
def create(self, request):
serializer = CreateUserSerializer(data=request.data)
serializer.is_valid(raise_exception=True)
user = UserService.create(**serializer.validated_data)
return Response(
{"data": UserSerializer(user).data},
status=status.HTTP_201_CREATED,
headers={"Location": f"/api/v1/users/{user.id}"},
)
Go (net/http)
func (h *UserHandler) CreateUser(w http.ResponseWriter, r *http.Request) {
var req CreateUserRequest
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
writeError(w, http.StatusBadRequest, "invalid_json", "Invalid request body")
return
}
if err := req.Validate(); err != nil {
writeError(w, http.StatusUnprocessableEntity, "validation_error", err.Error())
return
}
user, err := h.service.Create(r.Context(), req)
if err != nil {
switch {
case errors.Is(err, domain.ErrEmailTaken):
writeError(w, http.StatusConflict, "email_taken", "Email already registered")
default:
writeError(w, http.StatusInternalServerError, "internal_error", "Internal error")
}
return
}
w.Header().Set("Location", fmt.Sprintf("/api/v1/users/%s", user.ID))
writeJSON(w, http.StatusCreated, map[string]any{"data": user})
}
API Design Checklist
æ°ãããšã³ããã€ã³ãããªãªãŒã¹ããåã«: