API Response Formatter

An API response is the data a server sends back after receiving a request. Common formats: JSON (most common in REST APIs — lightweight, native JavaScript support), XML (used in SOAP services and some legacy APIs), YAML (rare but used in some developer tools APIs), Protocol Buffers (Google's binary format — very compact and fast, but not human-readable), MessagePack (binary JSON alternative). REST APIs should include Content-Type headers identifying the format.

HTTP status codes indicate the outcome of a request. 2xx Success: 200 OK (success), 201 Created (resource created), 204 No Content (success, no body). 3xx Redirection: 301 Moved Permanently, 302 Found (temporary redirect). 4xx Client Error: 400 Bad Request (invalid input), 401 Unauthorized (not authenticated), 403 Forbidden (authenticated but no permission), 404 Not Found, 422 Unprocessable Entity, 429 Too Many Requests. 5xx Server Error: 500 Internal Server Error, 503 Service Unavailable.

REST uses standard HTTP methods (GET, POST, PUT, DELETE) with URL-based resources. Each endpoint returns a fixed data structure — clients often receive more data than needed (over-fetching) or must make multiple requests (under-fetching). GraphQL uses a single endpoint where clients specify exactly the data they need in a query — solving over/under-fetching at the cost of complexity. gRPC uses Protocol Buffers over HTTP/2 for high-performance, type-safe service communication — common in microservices.

Pagination splits large datasets across multiple responses. Common approaches: Offset pagination (page=2&per_page=20 — simple but has gaps/duplicates with live data), Cursor pagination (cursor=abc123 — stable for real-time data, used by Twitter/Facebook feeds), Keyset pagination (after_id=500 — uses the last record's key — efficient for large tables). APIs should return pagination metadata: total count, current page, next/previous page links or cursors.

Rate limits cap how many requests you can make per time period. Common headers: X-RateLimit-Limit (total allowed), X-RateLimit-Remaining (left in window), X-RateLimit-Reset (when limit resets, Unix timestamp), Retry-After (seconds to wait after 429 response). Best practices: implement exponential backoff with jitter on 429 responses, cache responses where possible, batch requests when the API supports it, and request increased limits from providers for production use cases.

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that blocks JavaScript on one origin (domain) from making requests to a different origin. APIs must include Access-Control-Allow-Origin headers to explicitly permit cross-origin requests. Access-Control-Allow-Origin: * allows any origin. APIs can specify specific allowed origins, methods and headers. CORS only applies to browser requests — server-to-server API calls are not restricted by CORS.

API versioning allows you to make breaking changes without disrupting existing clients. Common strategies: URL versioning (/api/v1/users vs /api/v2/users — most common and obvious), header versioning (API-Version: 2.0), query parameter versioning (?version=2). Always version your public API from day one — retrofitting versioning is painful. Deprecate old versions with advance notice and Sunset headers before removing them.

An API gateway sits between clients and backend services, handling cross-cutting concerns: authentication/authorisation, rate limiting, request/response transformation, SSL termination, load balancing, caching, logging and analytics. Popular API gateways: AWS API Gateway, Kong, Apigee, Nginx, Traefik, Tyk. In microservices architectures, the gateway is the single entry point for all client requests, routing them to the appropriate backend service.