What is a REST API?
What is a REST API?
A REST API (Representational State Transfer Application Programming Interface) is an architectural style for building networked services that uses standard HTTP methods to create, read, update, and delete resources. Defined by Roy Fielding in his doctoral dissertation in 2000, REST has become the dominant pattern for web APIs because its constraints map naturally to how HTTP works, making REST services straightforward to design, consume, and scale.
REST treats every piece of data as a resource identified by a URL. A customer record, a payment transaction, a product listing: each has its own endpoint. Clients interact with those resources using HTTP verbs, and responses carry the resource state in a standard format, typically JSON.
The Six REST Constraints
REST is defined by six architectural constraints that distinguish it from earlier RPC-style approaches:
- Stateless: Each request carries all the information the server needs. The server holds no client session state between requests, making REST services horizontally scalable: any server in a pool can handle any request.
- Uniform interface: Resources are identified by URIs, manipulated through standard representations, and described using consistent HTTP methods. Any developer familiar with REST can interact with any REST API using the same mental model.
- Client-server separation: The client and server evolve independently. The client does not need to know how data is stored; the server does not need to know how the client renders it.
- Cacheable: Responses can be marked cacheable, allowing clients and intermediaries to serve subsequent identical requests from cache, reducing server load and latency.
- Layered system: Clients do not need to know whether they are communicating directly with the origin server or through a load balancer, CDN, or API gateway.
- Code on demand (optional): Servers may send executable code to clients. Rarely used in practice.
HTTP Methods and CRUD Operations
The mapping between HTTP methods and data operations is one of REST's defining features:
- GET /resources: retrieve a collection
- GET /resources/{id}: retrieve a single resource
- POST /resources: create a new resource
- PUT /resources/{id}: replace a resource entirely
- PATCH /resources/{id}: update specific fields of a resource
- DELETE /resources/{id}: remove a resource
Combined with consistent HTTP status codes (200 OK, 201 Created, 400 Bad Request, 401 Unauthorized, 404 Not Found, 500 Internal Server Error), well-designed REST APIs are largely self-documenting for developers already familiar with the pattern.
REST API Design Best Practices
Several conventions have become de facto standards for REST API design beyond the core HTTP method mapping:
- Use nouns for resource names, not verbs. /orders rather than /getOrders or /createOrder.
- Use plural resource names. /customers/{id} rather than /customer/{id}.
- Version your API. Prefix endpoints with /v1/ or use a version header to allow backward-incompatible changes without breaking existing clients.
- Return appropriate status codes. 201 Created for new resources, not just 200. 422 Unprocessable Entity for validation failures, not just 400.
- Paginate collections. Return page size, offset, and total count in collection responses to avoid unbounded result sets.
- Document with OpenAPI. The OpenAPI Specification (formerly Swagger) is the standard format for machine-readable REST API documentation, enabling client SDK generation and interactive API explorers.
Teams building APIs as part of a software engineering engagement or a custom software development project typically establish these conventions in an API style guide early in the project to ensure consistency across endpoints and teams.
REST vs. GraphQL vs. gRPC
REST is the right default for most web and mobile APIs, but two alternatives have gained significant adoption for specific use cases.
GraphQL lets clients specify exactly what data they need in a single query rather than making multiple REST calls and receiving fixed response shapes. This reduces over-fetching and under-fetching, which matters for mobile clients on constrained connections. The trade-off is added complexity on the server (a schema to maintain, a query parser, resolver logic) and less effective caching because responses are highly variable. GraphQL is most compelling for public APIs with diverse client requirements or complex, deeply nested data models.
gRPC uses Protocol Buffers and HTTP/2 for high-performance, strongly-typed communication between services. It is significantly faster than REST for internal service-to-service communication because binary encoding produces smaller payloads than JSON and HTTP/2 multiplexes requests over a single connection. The trade-off is reduced human-readability and limited browser compatibility. gRPC is the right choice for internal microservice communication where performance matters more than interoperability.
For public APIs, partner integrations, and most web and mobile application backends, REST remains the most pragmatic choice: widely understood, well-tooled, easy to test with standard HTTP clients, and compatible with every programming environment.
REST API Security Considerations
Authentication and authorisation: OAuth 2.0 with JWT bearer tokens is the current standard for REST API authentication. API keys are appropriate for server-to-server integrations where user identity is not involved. Avoid passing credentials in query parameters as they appear in server logs and browser history.
HTTPS only: All REST APIs carrying sensitive data should be served exclusively over HTTPS. HTTP requests should redirect to HTTPS or return an error rather than serving API responses in plaintext.
Rate limiting: Protect APIs from abuse and unintended load with rate limiting at the gateway or application layer. Return 429 Too Many Requests with a Retry-After header when limits are exceeded.
Input validation: Validate and sanitise all input before using it in database queries or business logic. Return specific validation error messages in 422 responses to help legitimate clients debug issues without exposing internal system structure.
CORS: Configure Cross-Origin Resource Sharing headers carefully for browser-facing APIs. Overly permissive CORS configurations are a common source of security vulnerabilities in web applications.
REST APIs in Financial Services and SaaS
REST APIs are foundational infrastructure for most modern software products. In FinTech, REST APIs connect banking cores to mobile apps, expose payment rails to merchants, and power open banking integrations mandated by regulations such as PSD2. In banking and financial services, REST APIs enable third-party access to account data, transaction history, and product eligibility in controlled, auditable ways. In SaaS products, public REST APIs are often a product themselves: the surface area that partners, enterprise customers, and developers integrate against.
Well-designed REST APIs are a long-term asset. Poor design decisions made early (inconsistent naming, missing versioning, inadequate error responses) compound into significant engineering debt as the number of integrations and API consumers grows. Getting the design right from the start is substantially cheaper than fixing it after clients have built against a broken contract.
Common FAQs Around this Tech Term
REST stands for Representational State Transfer. The term was introduced by Roy Fielding in his 2000 doctoral dissertation, which described the architectural constraints that underpin the web and proposed REST as a style for building distributed hypermedia systems.
SOAP (Simple Object Access Protocol) is an older, XML-based messaging protocol with a strict contract defined in a WSDL file. REST is an architectural style rather than a protocol, uses standard HTTP methods and JSON, and is far simpler to work with in modern development environments. SOAP remains in use in legacy enterprise systems and regulated industries where its strict contract and built-in WS-Security features are valued, but REST is the default choice for new API development.
REST exposes fixed endpoints that return predetermined data shapes. GraphQL exposes a single endpoint where clients specify exactly the data they need in each query. GraphQL reduces over-fetching and under-fetching, which benefits complex front-end applications and mobile clients, but adds server-side complexity and makes HTTP caching harder. REST is simpler to implement, cache, and reason about for most use cases.
The current standard is OAuth 2.0 with JWT (JSON Web Token) bearer tokens. The client obtains a token from an authorisation server, then sends it in the Authorization header of each API request. API keys are a simpler alternative for server-to-server integrations where user identity is not involved. Session cookies can be used for browser-based APIs but require careful CSRF protection.
The OpenAPI Specification (OAS, formerly known as Swagger) is a machine-readable format for describing REST API endpoints, request/response schemas, authentication methods, and error codes. An OpenAPI document (typically a JSON or YAML file) serves as the source of truth for API documentation, enables automatic generation of client SDKs in multiple languages, and powers interactive API explorers like Swagger UI and Redoc. Most API-first teams maintain an OpenAPI spec alongside their codebase and generate documentation from it automatically.
Explore Software Development Blogs
The most recent trends and insights to expand your software development knowledge.
