ESEN
Back to Blog
API

Best Practices for REST API Design

2026-04-26 8 min read

Designing a quality REST API goes well beyond just exposing endpoints. A good API is predictable, consistent, secure, and easy to consume. Here are the most important practices.

1. Use Nouns, Not Verbs in Routes

The HTTP method already describes the action. Routes should represent resources:

❌ GET /getUsers
❌ POST /createUser
❌ DELETE /deleteUser/1

✅ GET    /users
✅ POST   /users
✅ DELETE /users/1

2. Use HTTP Methods Correctly

  • GET – read resources (no side effects)
  • POST – create a new resource
  • PUT – fully replace a resource
  • PATCH – partially update a resource
  • DELETE – remove a resource

3. Version Your API from the Start

/api/v1/users
/api/v2/users

Versioning prevents breaking existing clients when your API evolves.

4. Use HTTP Status Codes Correctly

200 OK              → successful request
201 Created         → resource created
204 No Content      → success with no response body
400 Bad Request     → invalid client data
401 Unauthorized    → not authenticated
403 Forbidden       → authenticated but no permission
404 Not Found       → resource doesn't exist
422 Unprocessable   → validation failed
500 Server Error    → internal server error

5. Consistent Response Structure

// Success
{
  "data": { "id": 1, "name": "Ana" },
  "meta": { "page": 1, "total": 100 }
}

// Error
{
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "The email field is required.",
    "details": [{ "field": "email", "issue": "required" }]
  }
}

6. Pagination, Filtering and Sorting

GET /users?page=2&limit=20
GET /users?sort=createdAt&order=desc
GET /users?role=admin&status=active

7. Basic Security

  • Always use HTTPS in production
  • Implement authentication with JWT or OAuth 2.0
  • Validate and sanitize all inputs
  • Implement rate limiting to prevent abuse
  • Use security headers: CORS, Content-Security-Policy

8. Document Your API

An undocumented API is an API nobody will use. Tools like Swagger/OpenAPI or Postman let you generate interactive documentation easily.

9. Plural Lowercase Naming

✅ /api/v1/blog-posts
✅ /api/v1/users/1/orders
❌ /api/v1/BlogPost
❌ /api/v1/User/1/Order

10. Idempotency

Operations GET, PUT and DELETE must be idempotent: calling them multiple times must have the same effect as calling them once.

Working with JWT? Try our tool to generate secure secrets.

JWT Secret Generator