| #100 |
MUST follow API first principle |
❕ |
❕ |
B |
| #101 |
MUST provide API specification using OpenAPI |
❕ |
❕ |
A |
| #102 |
SHOULD provide API user manual |
- |
- |
C |
| #103 |
MUST write APIs using U.S. English |
❕ |
❕ |
A |
| #104 |
MUST secure endpoints with OAuth 2.0 |
- |
- |
B |
| #105 |
MUST define and assign permissions (scopes) |
- |
- |
B |
| #106 |
MUST not break backward compatibility |
- |
- |
B |
| #107 |
SHOULD prefer compatible extensions |
❕ |
❕ |
- |
| #108 |
MUST prepare clients accept compatible API extensions |
❕ |
❕ |
C |
| #109 |
SHOULD design APIs conservatively |
❕ |
❕ |
- |
| #110 |
MUST always return JSON objects as top-level data structures |
✔️ |
✔️ |
A |
| #111 |
MUST treat Open API specification as open for extension by default |
❕ |
❕ |
- |
| #112 |
SHOULD used open-ended list of values (x-extensible-enum) for enumerations |
✔️ |
✔️ |
- |
| #113 |
SHOULD avoid versioning |
❕ |
❕ |
B |
| #114 |
MUST use media type versioning |
❕ |
❕ |
- |
| #115 |
MUST not use URI versioning |
✔️ |
- |
A |
| #115a |
CAN use correct URI versioning: ^((?!.*\/v\d+(\/.*)?\/v\d+)\/.*)$ |
- |
✔️ |
A |
| #116 |
MUST use semantic versioning |
✔️ |
✔️ |
B |
| #118 |
MUST property names must be ASCII snake_case (and never camelCase): ^[a-z_][a-z_0-9]*$ |
✔️ |
- |
A |
| #118a |
MUST property names must be ASCII camelCase: ^[a-z]+((\d)([A-Z0-9][a-z0-9]+))*([A-Z])?$ |
- |
✔️ |
A |
| #120 |
SHOULD pluralize array names |
- |
- |
B |
| #122 |
MUST not use null for boolean properties |
❕ |
❕ |
- |
| #123 |
MUST use same semantics for null and absent properties |
❕ |
❕ |
- |
| #124 |
SHOULD not use null for empty arrays |
❕ |
❕ |
- |
| #125 |
SHOULD represent enumerations as strings |
- |
- |
? |
| #126 |
SHOULD define dates properties compliant with RFC 3339 |
- |
- |
? |
| #127 |
SHOULD define time durations and intervals properties conform to ISO 8601 |
❕ |
❕ |
- |
| #128 |
SHOULD use standards for country, language and currency codes |
- |
- |
? |
| #129 |
MUST use lowercase separate words with hyphens for path segments |
✔️ |
✔️ |
A |
| #130 |
MUST use snake_case (never camelCase) for query parameters |
✔️ |
- |
B |
| #130a |
MUST use camelCase (never snake_case) for query parameters |
- |
✔️ |
B |
| #132 |
SHOULD prefer hyphenated-pascal-case for HTTP header fields |
✔️ |
✔️ |
B |
| #133 |
MAY use standardized headers |
- |
- |
- |
| #134 |
MUST pluralize resource names |
- |
- |
A |
| #135 |
SHOULD not use /api as base path |
✔️ |
✔️ |
A |
| #136 |
MUST use normalized paths without empty path segments and trailing slashes |
✔️ |
✔️ |
B |
| #137 |
MUST stick to conventional query parameters |
❕ |
❕ |
- |
| #138 |
MUST avoid actions — think about resources |
❕ |
❕ |
A |
| #139 |
SHOULD model complete business processes |
❕ |
❕ |
- |
| #140 |
SHOULD define useful resources |
❕ |
❕ |
- |
| #141 |
MUST keep URLs verb-free |
❕ |
❕ |
A |
| #142 |
MUST use domain-specific resource names |
❕ |
❕ |
- |
| #143 |
MUST identify resources and sub-resources via path segments |
- |
- |
- |
| #144 |
SHOULD only use UUIDs if necessary |
❕ |
❕ |
- |
| #145 |
MAY consider using (non-)nested URLs |
❕ |
❕ |
- |
| #146 |
SHOULD limit number of resource types |
✔️ |
✔️ |
B |
| #147 |
SHOULD limit number of sub-resource levels |
✔️ |
✔️ |
B |
| #148 |
MUST use HTTP methods correctly |
❕ |
❕ |
A |
| #149 |
MUST fulfill common method properties |
❕ |
❕ |
- |
| #150 |
MUST use standard HTTP status codes |
✔️ |
|
- |
| #150a |
MUST use additional standard HTTP status codes |
- |
✔️ |
- |
| #151 |
MUST specify success and error responses |
✔️ |
✔️ |
B |
| #152 |
MUST use code 207 for batch or bulk requests |
❕ |
❕ |
C |
| #153 |
MUST use code 429 with headers for rate limits |
❕ |
❕ |
C |
| #154 |
MUST define collection format of header and query parameters |
❕ |
❕ |
- |
| #155 |
SHOULD reduce bandwidth needs and improve responsiveness |
❕ |
❕ |
- |
| #156 |
SHOULD use gzip compression |
❕ |
❕ |
- |
| #157 |
SHOULD support partial responses via filtering |
❕ |
❕ |
- |
| #158 |
SHOULD allow optional embedding of sub-resources |
❕ |
❕ |
- |
| #159 |
MUST support pagination |
- |
- |
- |
| #160 |
SHOULD prefer cursor-based pagination, avoid offset-based pagination |
- |
- |
- |
| #161 |
SHOULD use pagination links where applicable |
- |
- |
- |
| #162 |
MUST use REST maturity level 2 |
- |
- |
- |
| #163 |
MAY use REST maturity level 3 - HATEOAS |
- |
- |
- |
| #164 |
MUST use common hypertext controls |
- |
- |
- |
| #165 |
SHOULD use simple hypertext controls for pagination and self-references |
- |
- |
- |
| #166 |
MUST not use link headers with JSON entities |
- |
- |
- |
| #167 |
MUST use JSON to encode structured data |
- |
- |
- |
| #168 |
MAY use non JSON media types for binary data or alternative content representations |
❕ |
❕ |
- |
| #169 |
MUST use standard date and time formats |
❕ |
❕ |
A |
| #170 |
SHOULD use standards for country, language and currency codes |
- |
- |
B |
| #171 |
MUST define format for number and integer types |
✔️ |
- |
- |
| #172 |
SHOULD prefer standard media type name application/json |
✔️ |
✔️ |
B |
| #173 |
MUST use the common money object |
❕ |
❕ |
- |
| #174 |
MUST use common field names and semantics |
❕ |
❕ |
- |
| #176 |
MUST support problem JSON |
✔️ |
✔️ |
- |
| #177 |
MUST not expose stack traces |
❕ |
❕ |
- |
| #178 |
MUST use Content-* headers correctly |
❕ |
❕ |
- |
| #179 |
MAY use Content-Location header |
❕ |
❕ |
- |
| #180 |
SHOULD use Location header instead of Content-Location header |
- |
- |
- |
| #181 |
MAY consider to support Prefer header to handle processing preferences |
❕ |
❕ |
- |
| #182 |
MAY consider to support ETag together with If-Match/If-None-Match header |
❕ |
❕ |
- |
| #183 |
SHOULD use only the specified proprietary Zalando headers |
- |
- |
- |
| #184 |
MUST propagate proprietary headers |
- |
- |
- |
| #185 |
MUST obtain approval of clients before API shut down |
❕ |
❕ |
- |
| #186 |
MUST collect external partner consent on deprecation time span |
❕ |
❕ |
- |
| #187 |
MUST reflect deprecation in API specifications |
❕ |
❕ |
- |
| #188 |
MUST monitor usage of deprecated API scheduled for sunset |
❕ |
❕ |
- |
| #189 |
SHOULD add Deprecation and Sunset header to responses |
❕ |
❕ |
- |
| #190 |
SHOULD add monitoring for Deprecation and Sunset header |
❕ |
❕ |
- |
| #191 |
MUST not start using deprecated APIs |
❕ |
❕ |
B |
| #192 |
MUST publish Open API specification |
❕ |
❕ |
A |
| #193 |
SHOULD monitor API usage |
❕ |
❕ |
- |
| #194 |
MUST treat events as part of the service interface |
- |
- |
- |
| #195 |
MUST make event schema available for review |
- |
- |
- |
| #196 |
MUST ensure event schema conforms to Open API schema object |
- |
- |
- |
| #197 |
MUST ensure that events are registered as event types |
- |
- |
- |
| #198 |
MUST ensure that events conform to a well-known event category |
- |
- |
- |
| #199 |
MUST ensure that events define useful business resources |
- |
- |
- |
| #200 |
MUST ensure that events do not provide sensitive data |
- |
- |
- |
| #201 |
MUST use the general event category to signal steps and arrival points in business processes |
- |
- |
- |
| #202 |
MUST use data change events to signal mutations |
- |
- |
- |
| #203 |
SHOULD provide means for explicit event ordering |
- |
- |
- |
| #204 |
SHOULD use the hash partition strategy for data change events |
- |
- |
- |
| #205 |
SHOULD ensure that data change events match the APIs resources |
- |
- |
- |
| #207 |
MUST indicate ownership of event types |
- |
- |
- |
| #208 |
MUST define event payloads compliant with overall API guidelines |
- |
- |
- |
| #209 |
MUST maintain backwards compatibility for events |
- |
- |
- |
| #210 |
SHOULD avoid additionalProperties in event type definitions |
- |
- |
- |
| #211 |
MUST use unique event identifiers |
- |
- |
- |
| #212 |
SHOULD design for idempotent out-of-order processing |
- |
- |
- |
| #213 |
MUST follow naming convention for event type names |
- |
- |
- |
| #214 |
MUST prepare event consumers for duplicate events |
- |
- |
- |
| #215 |
MUST provide API identifiers |
✔️ |
✔️ |
- |
| #216 |
SHOULD define maps using additionalProperties |
- |
- |
- |
| #217 |
MUST use full, absolute URI |
- |
- |
- |
| #218 |
MUST contain API meta information |
✔️ |
✔️ |
- |
| #219 |
MUST provide API audience |
✔️ |
- |
- |
| #219a |
MUST provide baloise API audience |
- |
✔️ |
- |
| #220 |
MUST use most specific HTTP status codes |
❕ |
❕ |
- |
| #223 |
MUST-SHOULD use functional naming schema |
❕ |
❕ |
- |
| #224 |
MUST follow naming convention for hostnames |
❕ |
❕ |
- |
| #225 |
MUST follow naming convention for permissions (scopes) |
❕ |
❕ |
- |
| #226 |
MUST document implicit filtering |
❕ |
❕ |
- |
| #227 |
MUST document cachable GET, HEAD, and POST endpoints |
❕ |
❕ |
- |
| #228 |
MUST use URL-friendly resource identifiers: [a-zA-Z0-9:._-/]* |
❕ |
❕ |
A |
| #229 |
SHOULD consider to design POST and PATCH idempotent |
❕ |
❕ |
- |
| #230 |
MAY consider to support Idempotency-Key header |
❕ |
❕ |
- |
| #231 |
Should use secondary key for idempotent POST design |
❕ |
❕ |
- |
| #233a |
MUST request must use b3 tracing headers |
- |
✔️ |
- |
| #234 |
MUST only use durable and immutable remote references |
❕ |
❕ |
- |
| #235 |
SHOULD name date/time properties with _at suffix |
- |
- |
- |
| #236 |
SHOULD design simple query languages using query parameters |
❕ |
❕ |
- |
| #237 |
SHOULD design complex query languages using JSON |
❕ |
❕ |
- |
| #238 |
SHOULD use standardized property formats |
❕ |
❕ |
- |
| #239 |
SHOULD encode embedded binary data in base64url |
❕ |
❕ |
- |
| #240 |
SHOULD declare enum values using UPPER_SNAKE_CASE format |
✔️ |
✔️ |
- |
| #241 |
MAY expose compound keys as resource identifiers |
❕ |
❕ |
- |
