Skip to main content

StateSet API Design Guidelines

This document outlines the design principles, patterns, and best practices for the StateSet API. Following these guidelines ensures consistency, usability, and maintainability across all API endpoints.

Core Principles

1. RESTful Design

  • Use standard HTTP methods appropriately:
    • GET for retrieving resources
    • POST for creating resources
    • PUT/PATCH for updating resources
    • DELETE for removing resources

2. Resource-Oriented URLs

3. Consistent Naming Conventions

  • Use lowercase with hyphens for URLs: /v1/work-orders
  • Use camelCase for JSON properties: firstName, createdAt
  • Use snake_case for query parameters: created_after, sort_by
  • Pluralize collection endpoints: /orders not /order

Request Standards

Headers

Required headers for all requests:
Optional headers:

Query Parameters

Pagination

All list endpoints must support:
Default pagination:
  • limit: 20 (max: 100)
  • offset: 0

Filtering

Use consistent filter patterns:

Sorting

Request Body

Required Fields

Clearly mark required fields in documentation:

Nested Objects

Use nested objects for logical grouping:

Response Standards

Success Responses

Single Resource

Collection

With Metadata

Error Responses

Standard Error Format

HTTP Status Codes

Data Types and Formats

Timestamps

Always use ISO 8601 format with timezone:

Money/Currency

Store monetary values in smallest currency unit (cents):

Phone Numbers

Use E.164 format:

Countries and States

Use ISO standards:
  • Countries: ISO 3166-1 alpha-2 (US, CA, GB)
  • States/Provinces: ISO 3166-2 (CA-ON, US-NY)

Versioning

URL Versioning

Primary versioning method:

Header Versioning

For minor versions:

Deprecation Process

  1. Announce deprecation with 90-day notice
  2. Add deprecation headers:
  3. Maintain deprecated version for minimum 12 months

Idempotency

Implementation

Support idempotency for all POST, PUT, PATCH requests:
Response includes:

Webhooks

Event Naming

Use dot notation for event types:

Webhook Payload

Security

Always include signature header:

Performance Guidelines

Response Times

Target response times:
  • Simple reads: < 200ms
  • Complex queries: < 500ms
  • Writes: < 1000ms

Payload Size

  • Limit response size to 1MB
  • Use pagination for large collections
  • Support field filtering:

Caching

Include cache headers:

GraphQL Guidelines

Query Naming

Mutations

Error Handling

Return errors in userErrors field:

Testing

Test Coverage

All endpoints must include:
  • Success path tests
  • Error handling tests
  • Edge case tests
  • Performance tests

Example Test Cases

Documentation Requirements

Every endpoint must document:
  1. Description: Clear explanation of what the endpoint does
  2. Authentication: Required permissions
  3. Parameters: All query params, headers, and body fields
  4. Response: Success and error response formats
  5. Examples: Working code examples in multiple languages
  6. Rate Limits: Specific limits if different from defaults
  7. Webhooks: Related webhook events
  8. See Also: Links to related endpoints

Security Best Practices

  1. Always use HTTPS
  2. Validate all inputs - Never trust client data
  3. Rate limit all endpoints
  4. Log security events - Failed auth, permission denials
  5. Sanitize outputs - Prevent XSS in responses
  6. Use secure headers:

Monitoring and Observability

Include correlation IDs in all requests:
Log format:

Change Management

  1. Backwards Compatibility: Never break existing integrations
  2. Additive Changes: New fields are safe to add
  3. Deprecation Notices: Minimum 90 days
  4. Migration Guides: Provide clear upgrade paths
  5. Changelog: Maintain detailed changelog

Contact

For API design questions or to propose changes to these guidelines: