⚡ Backend & API Design

REST, auth, security, best practices

REST Methods

GET /users/:id Read a resource. Idempotent. Cacheable.
POST /users Create a resource. Not idempotent.
PUT /users/:id Full replace. Idempotent.
PATCH /users/:id Partial update. May not be idempotent.
DELETE /users/:id Remove resource. Idempotent.

HTTP Status Codes

200 OK
201 Created
204 No Content
301 Moved Permanently
304 Not Modified
400 Bad Request
401 Unauthorized
403 Forbidden
404 Not Found
409 Conflict
422 Unprocessable Entity
429 Too Many Requests
500 Internal Server Error
502 Bad Gateway
503 Service Unavailable

Authentication Methods

JWT

Stateless, self-contained token: three base64url segments, header.payload.signature, signed with HMAC or RSA

✓ No server state, scales horizontally ✗ Hard to revoke before expiry; tokens are large

Session

Server-side session ID in cookie

✓ Revocable, simple ✗ Server state, scaling

OAuth 2.0

Authorization code → access token → refresh token

✓ Third-party auth, scoped ✗ Complex flows

API Key

Static key in header/query param

✓ Simple, good for machine-to-machine ✗ No user context; rotation must be managed

API Design Patterns

Pagination

Offset: ?page=2&limit=20
Cursor: ?cursor=abc123&limit=20 (preferred)
Keyset: ?after_id=100&limit=20
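
The three pagination styles side by side, as an added example that is not part of the original page. `USERS` is a constructed in-memory table standing in for an indexed database table, and the list comprehensions stand in for `WHERE id > ? ORDER BY id LIMIT ?`. The cursor variant wraps a keyset position in an opaque base64 token so clients cannot edit it, validates it on the way back in, and reports `next_cursor` as `None` on the last page; the offset variant is included to show why it is not preferred: a row deleted between page fetches makes it skip a record.

```python
import base64
import json
from typing import Optional

# Constructed sample table, ordered by primary key as an index scan would return it.
USERS = [{"id": i, "name": f"user{i}"} for i in range(1, 8)]


def offset_page(rows, page: int, limit: int):
    """Offset pagination: skip (page-1)*limit rows. Shifts when rows change."""
    start = (page - 1) * limit
    return rows[start:start + limit]


def keyset_page(rows, after_id: int, limit: int):
    """Keyset pagination: equivalent of WHERE id > after_id ORDER BY id LIMIT limit."""
    return [r for r in rows if r["id"] > after_id][:limit]


def encode_cursor(last_id: int) -> str:
    """Opaque cursor: clients treat it as a token, not as a number to edit."""
    return base64.urlsafe_b64encode(json.dumps({"after_id": last_id}).encode()).decode()


def decode_cursor(cursor: str) -> int:
    """Validate a client-supplied cursor; reject anything that is not a non-negative int."""
    try:
        data = json.loads(base64.urlsafe_b64decode(cursor))
        after_id = data["after_id"]
    except (ValueError, KeyError, TypeError):
        raise ValueError("malformed cursor")
    if isinstance(after_id, bool) or not isinstance(after_id, int) or after_id < 0:
        raise ValueError("malformed cursor")
    return after_id


def cursor_page(rows, cursor: Optional[str], limit: int):
    """Return (items, next_cursor); next_cursor is None on the last page."""
    after_id = decode_cursor(cursor) if cursor else 0
    items = keyset_page(rows, after_id, limit)
    has_more = bool(items) and any(r["id"] > items[-1]["id"] for r in rows)
    next_cursor = encode_cursor(items[-1]["id"]) if has_more else None
    return items, next_cursor


if __name__ == "__main__":
    items, nxt = cursor_page(USERS, None, 3)
    while True:
        print([r["id"] for r in items], nxt)
        if nxt is None:
            break
        items, nxt = cursor_page(USERS, nxt, 3)
```

Keyset and cursor pagination also avoid the `OFFSET n` cost of scanning and discarding `n` rows on every deep page; the opaque wrapper additionally lets you change what the cursor encodes later without breaking clients.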

Versioning

URL: /api/v1/users
Header: Accept: application/vnd.api+json;version=1
Query: ?version=1

Rate Limiting

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1620000000
Respond 429 Too Many Requests when the limit is exceeded
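
A per-client fixed-window limiter that emits exactly these three headers and returns 429 once the window's budget is spent, added as an illustration and not taken from the page. `X-RateLimit-Reset` is the Unix time at which the current window ends, matching the page's sample value; the `now` parameter is an assumption added so the behaviour can be tested without a real clock, and `client_id` is whatever key the service throttles on (API key, user id, or source address).

```python
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class FixedWindowLimiter:
    """Allow `limit` requests per `window` seconds for each client_id."""

    limit: int = 100
    window: int = 60
    # client_id -> (window_start, count); a real deployment keeps this in a
    # shared store such as Redis so every API instance sees the same counts.
    _counters: Dict[str, Tuple[int, int]] = field(default_factory=dict)

    def check(self, client_id: str, now: Optional[float] = None) -> Tuple[int, Dict[str, str]]:
        """Return (status_code, rate-limit headers) for one incoming request."""
        now = time.time() if now is None else now
        window_start = int(now) - int(now) % self.window
        reset_at = window_start + self.window
        start, count = self._counters.get(client_id, (window_start, 0))
        if start != window_start:          # previous window has ended: start fresh
            start, count = window_start, 0
        allowed = count < self.limit
        if allowed:
            count += 1
        self._counters[client_id] = (start, count)
        headers = {
            "X-RateLimit-Limit": str(self.limit),
            "X-RateLimit-Remaining": str(max(self.limit - count, 0)),
            "X-RateLimit-Reset": str(reset_at),   # Unix time when the window resets
        }
        return (200 if allowed else 429), headers


if __name__ == "__main__":
    limiter = FixedWindowLimiter(limit=100, window=60)
    for _ in range(3):
        status, hdrs = limiter.check("demo-client")
        print(status, hdrs)
```

A fixed window is the simplest scheme to explain and to read back from the headers, but it lets a client spend one full budget at the end of one window and another at the start of the next; sliding-window or token-bucket limiters smooth that out at the cost of a little more state per client.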

Error Format

{
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Email is required",
    "details": [...]
  }
}

Frameworks & Tools

Framework | Language | Type           | Key Features
FastAPI   | Python   | Async REST     | Pydantic models, auto OpenAPI, dependency injection
Django    | Python   | Full-stack     | ORM, admin, auth, batteries-included
Express   | Node.js  | Minimal REST   | Middleware chain, routing
Actix-web | Rust     | High-perf REST | Actor model, extractors, middleware
gRPC      | Multi    | RPC/Protobuf   | HTTP/2, streaming, code generation
GraphQL   | Multi    | Query language | Schema, resolvers, no over-fetching

Security Checklist