Securing a Swagger API with OAuth2

In our previous article on Swagger, we defined a Player API modelling GET access to a Player resource. In this article, I show how to use Swagger’s security models to to deploy this API using an OAuth2 configuration. Swagger handles authentication and authorization using a combination of a “Security Definitions” Object and a list of “Security Requirements” Objects. Each of these definitions are applied at the top-level of your Swagger specification. ...

October 19, 2016 · 3 min · Kevin Sookocheff

How to deploy a Swagger specification to Amazon API Gateway using CloudFormation

Full sample code for this article is available on Github. Aamazon’s API Gateway supports the direct importing of Swagger specification files using CloudFormation rules. To do this, you have two choices. Injecting the swagger.json or swagger.yaml file directly into the Body field of the CloudFormation template, or uploading the swagger.json or swagger.yaml file to an S3 location and setting that location as the BodyS3Location field of the CloudFormation template. A minimal YAML template is listed below: ...

October 18, 2016 · 3 min · Kevin Sookocheff

Designing a Swagger API

The goal of Swagger is to define a standard interface for describing REST APIs. In an ideal world, a Swagger definition for your API will allow both humans and computers to discover and understand your API. At it’s core, Swagger is a formal specification of an API. Surrounding this specification are a wide swath of tools to support creating documentation, providing client libraries, and managing API deployments. One of Swagger’s original goal was to provide a way to document an API in both a human and machine readable way. Swagger provides such a documentation format for RESTful APIs. By augmenting this documentation format with tools for API clients and developers, Swagger grew into an ecosystem providing for API developers and consumers. ...

October 12, 2016 · 6 min · Kevin Sookocheff

Creating RESTful APIs with App Engine Cloud Endpoints

App Engine Cloud Endpoints is a great way to quickly and easily create JSON API endpoints. What’s not clear is how to structure your Message code to support a RESTful create-read-update-delete (CRUD) API. This article will show the basic CRUD operations for one Resource. The results can easily be adapted to support a full REST API. ...

July 2, 2014 · 3 min · Kevin Sookocheff

Understanding JSON Patch

The typical update cycle for an API resource is to (1) GET the representation, (2) modify it and (3) PUT back the entire representation. This can waste bandwidth and processing time for large resources. An alternative is to use the HTTP PATCH extension method to only send the differences between two resources. HTTP PATCH applies a set of changes to the document referenced by the HTTP request. ...

April 8, 2014 · 5 min · Kevin Sookocheff

How to Version a REST API

API versioning is a fact of life. Even the most well designed API changes as new features and relationships are uncovered. Unfortunately, updating an API is seldom as simple as changing the behaviour of our existing URL endpoints on her he server. If we have existing clients we need to explicitly advertise breaking changes in a seamless way. This article explains a few methods of specifying breaking changes that offer a clear upgrade path for existing API clients. ...

April 1, 2014 · 5 min · Kevin Sookocheff

When to Use HTTP PUT and HTTP POST

The HTTP protocol defines two methods for updating a resource – PUT and POST. Both PUT and POST are used to modify a resource and this semantic similarity can confuse API developers. This confusion has led most developers to use POST for any action which may modify the state of a resource, ignoring PUT entirely. This article attempts to explain the semantics behind the PUT and POST methods and offers clear suggestions on when to use each method. ...

March 27, 2014 · 4 min · Kevin Sookocheff

How REST Constraints Affect API Design

REST was developed and formalized by analyzing the existing Web and extracting the principles that made it work. This set of principles was written down in the Fielding dissertation which lays out the set of constraints that, when enforced, will make a generic network system into a resilient network like the Web. In Chapter 5 of the dissertation Fielding outlines REST’s interface constraints. REST is defined by four interface constraints: identification of resources; manipulation of resources using representations; self-descriptive messages; and, hypermedia as the engine of application state. ...

March 19, 2014 · 5 min · Kevin Sookocheff

On choosing a hypermedia type for your API - HAL, JSON-LD, Collection+JSON, SIREN, Oh My!

In recent years REST has been at the forefront of modern API design. This has led to APIs with manageable URLs that respect the HTTP verbs (GET, POST, PUT and the rest), producing an intuitive model for client developers. Unfortunately, there are two problems that REST doesn’t solve alone. ...

March 11, 2014 · 20 min · Kevin Sookocheff