Web-Development-Interview
๐ The Ultimate API Interview Guide: From Novice to Expert ๐ง
Welcome to the most comprehensive API interview guide youโll ever need! Whether youโre a beginner just starting your journey or an experienced developer looking to brush up on your skills, this guide has got you covered. Letโs dive in and explore the fascinating world of APIs! ๐
Table of Contents
Basic API Questions
1. What is an API? ๐ค
Novice Explanation: Imagine youโre at a restaurant. You, the customer, are like a user of an app. The kitchen is like the appโs server where all the data and functionality live. But you canโt go into the kitchen yourself! Thatโs where the waiter (the API) comes in. The waiter takes your order (your request), brings it to the kitchen, and then brings back your food (the data or functionality you requested). An API does the same thing between different software systems!
Expert Explanation: An API (Application Programming Interface) is a set of protocols, routines, and tools for building software applications. It specifies how software components should interact, abstracting the underlying implementation and exposing only the objects or actions the developer needs. APIs streamline software development and innovation by enabling applications to exchange data and functionality easily and securely.
Use Case: Consider a weather app on your smartphone. The app itself doesnโt have a database of weather information for every location. Instead, it uses an API provided by a weather service. When you check the weather for New York, the app makes an API call to the weather service, which returns the current weather data for New York. The app then displays this information to you.
2. What are the different types of APIs? ๐
- REST (Representational State Transfer) APIs ๐
- Stateless, client-server communication
- Uses standard HTTP methods (GET, POST, PUT, DELETE)
- Example: Twitter API for retrieving tweets
- SOAP (Simple Object Access Protocol) APIs ๐งผ
- Uses XML for message format
- Can work over different protocols (HTTP, SMTP, etc.)
- Example: PayPalโs older API for payment processing
- GraphQL APIs ๐
- Query language for APIs
- Allows clients to request exactly what they need
- Example: GitHub API v4
- RPC (Remote Procedure Call) APIs ๐
- Clients execute procedures on remote systems
- Examples: XML-RPC, JSON-RPC
- WebSocket APIs ๐
- Full-duplex communication channels over a single TCP connection
- Example: Real-time chat applications
- Library-based APIs ๐
- Language-specific APIs that you can include in your project
- Example: Pythonโs requests library for making HTTP requests
3. What is the difference between REST and SOAP APIs? ๐
| Feature | REST | SOAP |
|---|---|---|
| Protocol | HTTP | Any (commonly HTTP) |
| Data Format | Usually JSON | XML |
| Ease of Use | Generally easier | More complex |
| Performance | Lightweight, faster | More overhead, slower |
| Security | HTTPS | WS-Security |
| Caching | Supports caching | Limited caching |
| Flexibility | More flexible | Stricter standards |
REST Example:
GET /api/users/123 HTTP/1.1
Host: example.com
Accept: application/json
SOAP Example:
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
</soap:Header>
<soap:Body>
<m:GetUser>
<m:UserId>123</m:UserId>
</m:GetUser>
</soap:Body>
</soap:Envelope>
4. What is RESTful architecture? ๐๏ธ
RESTful architecture is a set of constraints and principles for designing networked applications. It was introduced by Roy Fielding in his doctoral dissertation in 2000.
Key Principles:
- Client-Server: Separation of concerns between the user interface and data storage.
- Stateless: Each request from client to server must contain all the information needed to understand the request.
- Cacheable: Responses must define themselves as cacheable or non-cacheable.
- Uniform Interface: A uniform way of interacting with a given server irrespective of device or type of application.
- Layered System: A client cannot ordinarily tell whether it is connected directly to the end server or an intermediary along the way.
- Code on Demand (optional): Servers can temporarily extend client functionality by transferring executable code.
Diagram:
graph TD
A[Client] -->|Request| B(API Gateway)
B -->|Forward Request| C{Load Balancer}
C -->|Route| D[Server 1]
C -->|Route| E[Server 2]
C -->|Route| F[Server 3]
D --> G[(Database)]
E --> G
F --> G
D -->|Response| B
E -->|Response| B
F -->|Response| B
B -->|Response| A
5. What are the main HTTP methods used in REST APIs? ๐ ๏ธ
- GET ๐ฅ: Retrieve a resource
GET /api/users/123 HTTP/1.1 Host: example.com - POST ๐ค: Create a new resource
POST /api/users HTTP/1.1 Host: example.com Content-Type: application/json { "name": "John Doe", "email": "john@example.com" } - PUT ๐: Update an existing resource (full update)
PUT /api/users/123 HTTP/1.1 Host: example.com Content-Type: application/json { "name": "John Smith", "email": "john.smith@example.com" } - PATCH ๐ฉน: Partially update an existing resource
PATCH /api/users/123 HTTP/1.1 Host: example.com Content-Type: application/json { "email": "john.updated@example.com" } - DELETE ๐๏ธ: Remove a resource
DELETE /api/users/123 HTTP/1.1 Host: example.com - HEAD ๐: Similar to GET but retrieves only headers, not body
HEAD /api/users/123 HTTP/1.1 Host: example.com - OPTIONS โน๏ธ: Describes the communication options for the target resource
OPTIONS /api/users HTTP/1.1 Host: example.com
6. What is the purpose of the status codes in HTTP? ๐
HTTP status codes are three-digit numbers returned by a server in response to a clientโs request. They provide information about the status of the request.
Categories:
- 1xx (Informational): Request received, continuing process
- 2xx (Successful): The action was successfully received, understood, and accepted
- 3xx (Redirection): Further action needs to be taken to complete the request
- 4xx (Client Error): The request contains bad syntax or cannot be fulfilled
- 5xx (Server Error): The server failed to fulfill an apparently valid request
Common Status Codes:
- 200 OK: Request succeeded
- 201 Created: New resource has been created
- 204 No Content: Request succeeded, but no content to send back
- 400 Bad Request: Server cannot process the request due to client error
- 401 Unauthorized: Authentication is required and has failed
- 403 Forbidden: Server understood the request but refuses to authorize it
- 404 Not Found: Requested resource could not be found
- 500 Internal Server Error: Generic error message when server encounters unexpected condition
Diagram:
graph TD
A[Client] -->|Request| B(Server)
B -->|1xx: Informational| A
B -->|2xx: Success| A
B -->|3xx: Redirection| A
B -->|4xx: Client Error| A
B -->|5xx: Server Error| A
7. What is JSON and why is it commonly used in APIs? ๐ฆ
JSON (JavaScript Object Notation) is a lightweight data interchange format that is easy for humans to read and write and easy for machines to parse and generate.
Key Features:
- Language-independent
- Self-describing and easy to understand
- Supports nested structures
- Can represent complex data structures
Example JSON:
{
"name": "John Doe",
"age": 30,
"city": "New York",
"hobbies": ["reading", "cycling", "photography"],
"married": false,
"children": null
}
Why is JSON popular in APIs?
- Lightweight: Minimal overhead in transmission
- Readable: Easy for developers to understand and debug
- Language Support: Native support in JavaScript, easy parsing in other languages
- Flexibility: Can represent complex nested structures
- Speed: Faster parsing compared to XML
- Data Types: Supports common data types (strings, numbers, booleans, null, arrays, objects)
8. What is the difference between GET and POST requests? ๐ vs ๐ฎ
| Feature | GET | POST |
|---|---|---|
| Purpose | Retrieve data | Submit data |
| Data in URL | Yes (visible) | No (in request body) |
| Cacheability | Cacheable | Not typically cached |
| Length Restriction | Limited URL length | No restriction on data length |
| Idempotency | Idempotent | Not idempotent |
| Security | Less secure for sensitive data | More secure for sensitive data |
| Bookmarking | Can be bookmarked | Cannot be bookmarked |
GET Example:
GET /api/users?id=123 HTTP/1.1
Host: example.com
POST Example:
POST /api/users HTTP/1.1
Host: example.com
Content-Type: application/json
{
"name": "John Doe",
"email": "john@example.com"
}
9. What is an API endpoint? ๐ฏ
An API endpoint is a specific URL where an API can be accessed by a client application. Itโs the point of entry in a communication channel when two systems are interacting.
Example:
- Base URL:
https://api.example.com/v1 - Endpoints:
/users(Get all users)/users/{id}(Get a specific user)/posts(Get all posts)/posts/{id}(Get a specific post)
Diagram:
graph LR
A[Client] --> B{API Gateway}
B -->|/users| C[Users Service]
B -->|/posts| D[Posts Service]
B -->|/comments| E[Comments Service]
10. How do you authenticate API requests? ๐
API authentication ensures that only authorized clients can access the API. Common methods include:
- API Keys: A unique identifier sent with each request
GET /api/data HTTP/1.1 Host: example.com X-API-Key: abcdef123456 - OAuth 2.0: A protocol for authorization
GET /api/user-data HTTP/1.1 Host: example.com Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... - JWT (JSON Web Tokens): Encoded tokens containing claims
GET /api/protected-resource HTTP/1.1 Host: example.com Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... - Basic Auth: Username and password encoded in Base64
GET /api/data HTTP/1.1 Host: example.com Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ= - Session-based Authentication: Using cookies to maintain session state
GET /api/user-profile HTTP/1.1 Host: example.com Cookie: session_id=1234567890abcdef
OAuth 2.0 Flow Diagram:
sequenceDiagram
participant User
participant Client
participant AuthServer
participant ResourceServer
User->>Client: Request Protected Resource
Client->>AuthServer: Request Authorization
AuthServer->>User: Prompt for Credentials
User->>AuthServer: Provide Credentials
AuthServer->>Client: Authorization Code
Client->>AuthServer: Exchange Code for Token
AuthServer->>Client: Access Token
Client->>ResourceServer: Request with Access Token
ResourceServer->>Client: Protected Resource
Client->>User: Display Protected Resource
Intermediate API Questions
1. What are query parameters and how are they used in APIs? ๐
Query parameters are key-value pairs added to the end of a URL to provide additional information to a request. They start with a question mark ? and are separated by ampersands &.
Example:
https://api.example.com/users?page=2&limit=10&sort=name
In this example:
page=2: Requests the second page of resultslimit=10: Limits the results to 10 itemssort=name: Sorts the results by name
Use Cases:
- Pagination: Control the number of results and which page to display
- Filtering: Narrow down results based on specific criteria
- Sorting: Specify the order of results
- Search: Provide search terms or parameters
- API Versioning: Specify which version of the API to use
Code Example (Python with requests library):
import requests
params = {
'page': 2,
'limit': 10,
'sort': 'name'
}
response = requests.get('https://api.example.com/users', params=params)
print(response.url) # https://api.example.com/users?page=2&limit=10&sort=name
2. What is API versioning and why is it important? ๐
API versioning is the practice of managing changes to an API over time while maintaining backward compatibility for existing clients.
Importance:
- Backward Compatibility: Allows existing clients to continue functioning without immediate updates
- Evolution: Enables the API to evolve and improve over time
- Client Control: Gives clients control over when to upgrade to new versions
- Error Prevention: Reduces the risk of breaking changes affecting live applications
- Documentation: Helps in maintaining clear documentation for different API versions
Common Versioning Strategies:
- URL Versioning:
https://api.example.com/v1/users https://api.example.com/v2/users - Header Versioning:
GET /users HTTP/1.1 Host: api.example.com Accept-Version: v2 - Query Parameter Versioning:
https://api.example.com/users?version=2 - Content Type Versioning:
GET /users HTTP/1.1 Host: api.example.com Accept: application/vnd.example.v2+json
Best Practices:
- Clearly communicate versioning strategy in API documentation
- Maintain older versions for a reasonable period
- Provide migration guides between versions
- Use semantic versioning (e.g., v1.2.3) for more granular control
3. What are rate limits in API usage? โฑ๏ธ
Rate limiting is a strategy used to control the rate of incoming requests to an API within a given timeframe. It prevents abuse, ensures fair usage, and helps maintain the stability and performance of the API.
Types of Rate Limits:
- Requests per Second (RPS): Limit the number of requests in a one-second window
- Requests per Minute (RPM): Limit the number of requests in a one-minute window
- Requests per Hour (RPH): Limit the number of requests in a one-hour window
- Requests per Day (RPD): Limit the number of requests in a 24-hour period
Implementation Strategies:
- Token Bucket: Tokens are added to a bucket at a fixed rate, each request consumes a token
- Leaky Bucket: Requests are processed at a fixed rate, excess requests are queued or discarded
- Fixed Window: Count requests in fixed time intervals (e.g., 60-second windows)
- Sliding Window: Use a moving time window to count requests
Example Rate Limit Header:
HTTP/1.1 200 OK
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 75
X-RateLimit-Reset: 1623456789
Handling Rate Limits (Python Example):
import requests
import time
def make_api_request(url):
response = requests.get(url)
if response.status_code == 429: # Too Many Requests
retry_after = int(response.headers.get('Retry-After', 60))
print(f"Rate limit exceeded. Retrying after {retry_after} seconds.")
time.sleep(retry_after)
return make_api_request(url) # Retry the request
return response
response = make_api_request('https://api.example.com/data')
print(response.json())
4. How do you handle errors in API responses? ๐ซ
Proper error handling in APIs is crucial for providing a good developer experience and helping clients troubleshoot issues.
Best Practices:
- Use appropriate HTTP status codes
- Provide detailed error messages
- Include an error code for programmatic handling
- Add a link to documentation for more information
- Maintain consistency in error response format
Example Error Response:
{
"error": {
"code": "INVALID_PARAMETER",
"message": "The 'email' parameter is not a valid email address.",
"details": {
"parameter": "email",
"value": "invalid.email",
"constraint": "Must be a valid email address"
},
"documentation_url": "https://api.example.com/docs/errors#INVALID_PARAMETER"
}
}
Handling Errors (JavaScript Example):
async function fetchData(url) {
try {
const response = await fetch(url);
if (!response.ok) {
const errorData = await response.json();
throw new Error(`API Error: ${errorData.error.message}`);
}
return await response.json();
} catch (error) {
console.error('Error fetching data:', error.message);
// Handle the error (e.g., show user-friendly message, retry, etc.)
}
}
fetchData('https://api.example.com/data')
.then(data => console.log(data))
.catch(error => console.error(error));
5. What is CORS and how does it affect API requests? ๐
CORS (Cross-Origin Resource Sharing) is a security mechanism implemented by browsers to restrict web pages from making requests to a different domain than the one serving the web page.
Key Concepts:
- Same-Origin Policy: By default, web browsers restrict cross-origin HTTP requests initiated from scripts
- Preflight Request: For certain requests, browsers send an OPTIONS request to check if the actual request is safe to send
- CORS Headers: Servers can include specific headers to allow cross-origin requests
CORS Headers:
Access-Control-Allow-Origin: Specifies which origins are allowedAccess-Control-Allow-Methods: Specifies the allowed HTTP methodsAccess-Control-Allow-Headers: Specifies which headers can be usedAccess-Control-Max-Age: Specifies how long the preflight response can be cached
Example Server Configuration (Node.js with Express):
const express = require('express');
const cors = require('cors');
const app = express();
// Allow all origins (not recommended for production)
app.use(cors());
// Or, configure CORS for specific origin
app.use(cors({
origin: 'https://example.com',
methods: ['GET', 'POST'],
allowedHeaders: ['Content-Type', 'Authorization']
}));
app.get('/api/data', (req, res) => {
res.json({ message: 'This is accessible from allowed origins' });
});
app.listen(3000, () => console.log('Server running on port 3000'));
Diagram: CORS Preflight Request
sequenceDiagram
participant Browser
participant Server
Browser->>Server: OPTIONS /api/data
Note right of Browser: Preflight Request
Server-->>Browser: Access-Control-Allow-Origin: *
Server-->>Browser: Access-Control-Allow-Methods: GET, POST
Browser->>Server: GET /api/data
Note right of Browser: Actual Request
Server-->>Browser: Data (with CORS headers)
6. What is the purpose of API documentation? ๐
API documentation serves as a comprehensive guide for developers to understand and effectively use an API. Itโs crucial for adoption, integration, and proper usage of the API.
Key Components of API Documentation:
- Overview: Introduction to the API, its purpose, and key concepts
- Authentication: How to authenticate requests to the API
- Endpoints: List of all available endpoints with their descriptions
- Request/Response Format: Expected input and output formats for each endpoint
- Parameters: Description of query parameters, headers, and request body fields
- Error Codes: List of possible error codes and their meanings
- Rate Limiting: Information about rate limits and how theyโre enforced
- Examples: Code samples in various programming languages
- Changelog: History of API changes and versioning information
- SDKs and Libraries: Links to official SDKs or client libraries
Tools for API Documentation:
- Swagger / OpenAPI
- Postman
- ReadMe
- GitBook
- Slate
Example: Swagger UI
7. How do you test APIs? ๐งช
Testing APIs is crucial to ensure reliability, performance, and correctness. There are several types of tests and tools that can be used for API testing.
Types of API Tests:
- Unit Tests: Test individual components or functions
- Integration Tests: Test interactions between different parts of the API
- Functional Tests: Validate API behavior against specifications
- Load Tests: Assess API performance under high load
- Security Tests: Check for vulnerabilities and proper authentication/authorization
Testing Pyramid for APIs:
graph TD
A[UI Tests] --> B[API Tests]
B --> C[Unit Tests]
style A fill:#ff9999,stroke:#333,stroke-width:2px
style B fill:#99ccff,stroke:#333,stroke-width:2px
style C fill:#99ff99,stroke:#333,stroke-width:2px
Example: API Test using Jest and Supertest (Node.js)
const request = require('supertest');
const app = require('../app'); // Your Express app
describe('GET /api/users', () => {
it('responds with json containing a list of users', async () => {
const response = await request(app)
.get('/api/users')
.set('Accept', 'application/json');
expect(response.status).toBe(200);
expect(response.body).toBeInstanceOf(Array);
expect(response.body.length).toBeGreaterThan(0);
});
});
8. What tools can be used for API testing? ๐ ๏ธ
There are numerous tools available for API testing, each with its own strengths. Here are some popular options:
- Postman: ๐ฌ
- GUI-based tool for API development and testing
- Supports automated testing, mock servers, and documentation
- cURL: ๐ฅ๏ธ
- Command-line tool for making HTTP requests
- Useful for quick tests and debugging
- JMeter: โ๏ธ
- Open-source tool for load testing and performance measurement
- Can simulate heavy loads on servers
- SoapUI: ๐งผ
- Specializes in testing SOAP and REST APIs
- Supports functional, security, and load testing
- Insomnia: ๐ด
- REST client with a clean, intuitive interface
- Supports GraphQL and gRPC
- Swagger Inspector: ๐ต๏ธ
- Web-based tool for validating and testing APIs
- Integrated with Swagger ecosystem
- Karate DSL: ๐ฅ
- Open-source tool that combines API test-automation, mocks, and performance-testing
- Paw (for macOS): ๐พ
- Native macOS HTTP client for testing APIs
- Supports code generation for various languages
Example: Using cURL for API Testing
# GET request
curl -X GET https://api.example.com/users
# POST request with JSON data
curl -X POST -H "Content-Type: application/json" -d '{"name":"John","email":"john@example.com"}' https://api.example.com/users
# GET request with authentication
curl -X GET -H "Authorization: Bearer YOUR_TOKEN" https://api.example.com/protected-resource
9. What is the difference between synchronous and asynchronous API calls? โณ
Understanding the difference between synchronous and asynchronous API calls is crucial for designing efficient and responsive applications.
Synchronous API Calls:
- The client sends a request and waits for the response before continuing execution
- Simpler to implement and reason about
- Can lead to blocking behavior, especially for long-running operations
Asynchronous API Calls:
- The client sends a request and continues execution without waiting for the response
- More complex to implement but provides better performance and responsiveness
- Essential for handling long-running operations without blocking the main thread
Comparison:
| Feature | Synchronous | Asynchronous |
|---|---|---|
| Execution | Blocking | Non-blocking |
| Complexity | Simpler | More complex |
| Performance | Can be slower | Generally faster |
| Use Case | Simple, quick operations | Long-running tasks, multiple concurrent operations |
Example: Synchronous vs Asynchronous in JavaScript
Synchronous:
function getUserSync(id) {
// This would block until the response is received
const response = someSynchronousApiCall(id);
console.log(response);
}
getUserSync(123);
console.log("This will print after the user data");
Asynchronous:
function getUserAsync(id) {
someAsynchronousApiCall(id)
.then(response => console.log(response))
.catch(error => console.error(error));
}
getUserAsync(123);
console.log("This will print before the user data");
Diagram: Synchronous vs Asynchronous API Calls
sequenceDiagram
participant Client
participant API
%% Synchronous
Client->>API: Synchronous Request
API-->>Client: Response
Client->>Client: Continue Execution
%% Asynchronous
Client->>API: Asynchronous Request
Client->>Client: Continue Execution
API-->>Client: Response (later)
10. How can you secure an API? ๐
Securing an API is crucial to protect sensitive data and prevent unauthorized access. Here are some key strategies for API security:
- Use HTTPS: ๐
- Encrypt all data in transit using TLS/SSL
- Implement Authentication: ๐ซ
- Use strong authentication methods (e.g., OAuth 2.0, JWT)
- Implement multi-factor authentication for sensitive operations
- Apply Authorization: ๐ฆ
- Use role-based access control (RBAC)
- Implement the principle of least privilege
- Input Validation: โ
- Validate and sanitize all input to prevent injection attacks
- Rate Limiting: โฑ๏ธ
- Implement rate limiting to prevent abuse and DDoS attacks
- Use API Keys: ๐
- Assign unique API keys to clients for identification and tracking
- Implement Proper Error Handling: โ
- Avoid exposing sensitive information in error messages
- Logging and Monitoring: ๐
- Implement comprehensive logging
- Set up real-time monitoring and alerting for suspicious activities
- Keep Dependencies Updated: ๐
- Regularly update all libraries and dependencies to patch known vulnerabilities
- Use Security Headers: ๐ก๏ธ
- Implement headers like Content-Security-Policy, X-XSS-Protection, etc.
Example: Implementing JWT Authentication in Express.js
const express = require('express');
const jwt = require('jsonwebtoken');
const app = express();
const SECRET_KEY = 'your-secret-key';
// Middleware to verify JWT
function verifyToken(req, res, next) {
const token = req.headers['authorization'];
if (!token) return res.status(403).send({ auth: false, message: 'No token provided.' });
jwt.verify(token, SECRET_KEY, (err, decoded) => {
if (err) return res.status(500).send({ auth: false, message: 'Failed to authenticate token.' });
req.userId = decoded.id;
next();
});
}
// Protected route
app.get('/api/protected', verifyToken, (req, res) => {
res.status(200).send({ message: 'Access granted to protected resource' });
});
// Login route to get a token
app.post('/api/login', (req, res) => {
// Verify user credentials (simplified for example)
if (req.body.username === 'admin' && req.body.password === 'password') {
const token = jwt.sign({ id: 1 }, SECRET_KEY, { expiresIn: 86400 }); // expires in 24 hours
res.status(200).send({ auth: true, token: token });
} else {
res.status(401).send({ auth: false, message: 'Invalid credentials' });
}
});
app.listen(3000, () => console.log('Server is running on port 3000'));
This concludes the intermediate section of our API interview guide. In the next section, weโll dive into advanced API concepts and questions. Stay tuned! ๐
Advanced API Questions
1. What is GraphQL and how does it differ from REST? ๐
GraphQL is a query language and runtime for APIs, developed by Facebook. It provides a more efficient, powerful, and flexible alternative to REST.
Key Differences:
| Feature | GraphQL | REST |
|---|---|---|
| Data Fetching | Client specifies exact data needs | Server determines response structure |
| Endpoints | Single endpoint | Multiple endpoints |
| Over/Under-fetching | Minimized | Common issue |
| Versioning | Easier evolution without versions | Often requires versioning |
| Learning Curve | Steeper initial learning curve | Generally simpler to start with |
GraphQL Example:
query {
user(id: "123") {
name
email
posts {
title
comments {
author {
name
}
}
}
}
}
Equivalent REST Calls:
/users/123/users/123/posts/posts/{id}/comments(for each post)/users/{id}(for each comment author)
GraphQL Advantages:
- Flexible Data Fetching: Clients can request exactly what they need
- Reduced Network Overhead: Minimizes over-fetching and under-fetching of data
- Strongly Typed: The schema provides clear contract between client and server
- Introspection: APIs can be queried for their own schemas
GraphQL Challenges:
- Complexity: More complex to set up and manage compared to simple REST APIs
- Caching: More difficult to implement efficient caching
- File Uploads: Not natively supported (though extensions exist)
Example: Simple GraphQL Server with Apollo Server and Express
const express = require('express');
const { ApolloServer, gql } = require('apollo-server-express');
// Define schema
const typeDefs = gql`
type User {
id: ID!
name: String!
email: String!
}
type Query {
user(id: ID!): User
}
`;
// Define resolvers
const resolvers = {
Query: {
user: (_, { id }) => {
// In a real app, you'd fetch this from a database
return { id, name: 'John Doe', email: 'john@example.com' };
},
},
};
async function startApolloServer() {
const app = express();
const server = new ApolloServer({ typeDefs, resolvers });
await server.start();
server.applyMiddleware({ app });
app.listen({ port: 4000 }, () =>
console.log(`๐ Server ready at http://localhost:4000${server.graphqlPath}`)
);
}
startApolloServer();
2. What are webhooks and how do they work? ๐ฃ
Webhooks are a way for apps to receive real-time notifications or data from other apps or services. Instead of constantly polling for data, an app can register a URL that will be called when certain events occur.
How Webhooks Work:
- Registration: The client registers a URL with the service
- Event Occurs: Something happens on the service (e.g., new order placed)
- Notification: The service sends an HTTP POST request to the registered URL
- Processing: The client processes the received data
Diagram: Webhook Flow
sequenceDiagram
participant Client
participant Service
Client->>Service: Register Webhook URL
Note right of Service: Event occurs
Service->>Client: HTTP POST to Webhook URL
Client->>Service: 200 OK
Note left of Client: Process webhook data
Example: Creating a Webhook Receiver with Express
const express = require('express');
const crypto = require('crypto');
const app = express();
app.use(express.json());
const SECRET = 'your-webhook-secret';
function verifySignature(req) {
const signature = req.headers['x-hub-signature-256'];
const hmac = crypto.createHmac('sha256', SECRET);
const digest = 'sha256=' + hmac.update(JSON.stringify(req.body)).digest('hex');
return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(digest));
}
app.post('/webhook', (req, res) => {
if (!verifySignature(req)) {
return res.status(403).send('Invalid signature');
}
const event = req.body;
console.log('Received webhook:', event);
// Process the webhook data
// ...
res.status(200).send('Webhook received successfully');
});
app.listen(3000, () => console.log('Webhook receiver listening on port 3000'));
3. What is the purpose of API gateways? ๐ช
An API gateway is a server that acts as an API front-end, receiving API requests, enforcing throttling and security policies, passing requests to the back-end service, and then passing the response back to the requester.
Key Functions of API Gateways:
- Request Routing: Direct requests to the appropriate microservice
- Authentication and Authorization: Verify the identity of clients and their permissions
- Rate Limiting: Enforce usage quotas and prevent abuse
- Caching: Store frequent responses to reduce backend load
- Monitoring and Analytics: Track API usage and performance
- Protocol Translation: Convert between different protocols (e.g., REST to gRPC)
- Load Balancing: Distribute incoming requests across multiple instances
Diagram: API Gateway Architecture
graph TD
A[Client] --> B[API Gateway]
B --> C[Authentication Service]
B --> D[Service 1]
B --> E[Service 2]
B --> F[Service 3]
Example: Simple API Gateway with Express
const express = require('express');
const httpProxy = require('http-proxy');
const app = express();
const proxy = httpProxy.createProxyServer();
// Rate limiting middleware
const rateLimit = require("express-rate-limit");
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100 // limit each IP to 100 requests per windowMs
});
app.use(limiter);
// Authentication middleware
function authenticate(req, res, next) {
const token = req.headers['authorization'];
if (token === 'valid-token') {
next();
} else {
res.status(401).send('Unauthorized');
}
}
app.use(authenticate);
// Routing
app.use('/service1', (req, res) => {
proxy.web(req, res, { target: 'http://localhost:3001' });
});
app.use('/service2', (req, res) => {
proxy.web(req, res, { target: 'http://localhost:3002' });
});
app.listen(8080, () => console.log('API Gateway running on port 8080'));
4. How do you implement caching in APIs? ๐พ
Caching is a technique used to store copies of frequently accessed data in a location thatโs faster to access, improving API performance and reducing load on backend services.
Types of API Caching:
- Client-Side Caching: Browsers or mobile apps store responses
- Server-Side Caching: API servers cache responses before sending to clients
- CDN Caching: Content Delivery Networks cache responses geographically closer to users
Caching Strategies:
- Time-Based Expiration: Cache entries expire after a set time
- Conditional Caching: Use ETags or Last-Modified headers to validate cache freshness
Example: Implementing Caching with Express and Node-Cache
const express = require('express');
const NodeCache = require('node-cache');
const app = express();
const cache = new NodeCache({ stdTTL: 600 }); // 10 minutes default TTL
app.get('/api/data', (req, res) => {
const cacheKey = 'api_data';
const cachedData = cache.get(cacheKey);
if (cachedData) {
console.log('Cache hit');
return res.json(cachedData);
}
// Simulate data fetching
const data = { message: 'This is expensive data', timestamp: Date.now() };
cache.set(cacheKey, data);
console.log('Cache miss, data stored');
res.json(data);
});
app.listen(3000, () => console.log('Server running on port 3000'));
Best Practices for API Caching:
- Use appropriate cache control headers (e.g.,
Cache-Control,ETag) - Implement cache invalidation strategies
- Consider cache warming for frequently accessed data
- Use cache keys that accurately represent the uniqueness of the data
- Monitor cache hit rates and adjust caching strategies accordingly
5. What is the role of middleware in API development? ๐
Middleware in API development refers to functions that have access to the request and response objects, and the next middleware function in the applicationโs request-response cycle. It can execute code, make changes to the request and response objects, end the request-response cycle, and call the next middleware function.
Common Uses of Middleware:
- Logging: Record incoming requests and outgoing responses
- Authentication: Verify user credentials before allowing access
- Error Handling: Catch and process errors consistently
- Body Parsing: Parse incoming request bodies
- CORS Handling: Manage Cross-Origin Resource Sharing
- Compression: Compress response bodies
- Rate Limiting: Control the rate of incoming requests
Example: Custom Middleware in Express
const express = require('express');
const app = express();
// Logging middleware
app.use((req, res, next) => {
console.log(`${new Date().toISOString()} - ${req.method} ${req.url}`);
next();
});
// Error handling middleware
app.use((err, req, res, next) => {
console.error(err.stack);
res.status(500).send('Something broke!');
});
// Route-specific middleware
app.get('/protected',
(req, res, next) => {
if (!req.headers.authorization) {
return res.status(403).json({ error: 'No credentials sent!' });
}
next();
},
(req, res) => {
res.send('Protected resource');
}
);
app.listen(3000, () => console.log('Server running on port 3000'));
6. How do you handle pagination in API responses? ๐
Pagination is a technique used to divide large sets of data into smaller chunks (pages) to improve performance and usability. Itโs crucial for APIs that return potentially large datasets.
Common Pagination Strategies:
- Offset-Based Pagination:
- Use
limitandoffsetparameters - Example:
/api/items?limit=10&offset=20
- Use
- Cursor-Based Pagination:
- Use a unique identifier (cursor) to fetch the next set of results
- Example:
/api/items?limit=10&cursor=abc123
- Page-Based Pagination:
- Use
pageandper_pageparameters - Example:
/api/items?page=2&per_page=10
- Use
Example: Implementing Offset-Based Pagination with Express and Sequelize
const express = require('express');
const { Sequelize, DataTypes } = require('sequelize');
const app = express();
const sequelize = new Sequelize('sqlite::memory:');
const Item = sequelize.define('Item', {
name: DataTypes.STRING
});
app.get('/api/items', async (req, res) => {
const limit = parseInt(req.query.limit) || 10;
const offset = parseInt(req.query.offset) || 0;
try {
const result = await Item.findAndCountAll({
limit: limit,
offset: offset
});
res.json({
items: result.rows,
total: result.count,
next: offset + limit < result.count ?
`/api/items?limit=${limit}&offset=${offset + limit}` : null
});
} catch (error) {
res.status(500).json({ error: error.message });
}
});
sequelize.sync().then(() => {
app.listen(3000, () => console.log('Server running on port 3000'));
});
Best Practices for Pagination:
- Use consistent pagination methods across your API
- Include metadata about the pagination (total count, links to next/previous pages)
- Set a reasonable default and maximum limit for page size
- Handle edge cases (e.g., out-of-range pages)
- Consider the performance implications of your pagination strategy, especially for large datasets
7. What are some common API design best practices? ๐๏ธ
Designing a good API requires careful consideration of usability, consistency, and performance. Here are some best practices:
- Use RESTful Principles:
- Use appropriate HTTP methods (GET, POST, PUT, DELETE)
- Use nouns for resource names, not verbs
- Versioning:
- Include the API version in the URL or header
- Example:
/api/v1/users
- Consistent Naming Conventions:
- Use kebab-case for URLs
- Use camelCase for JSON properties
- Proper Use of HTTP Status Codes:
- 200 for success, 201 for creation, 204 for no content
- 400 for bad request, 401 for unauthorized, 404 for not found, etc.
- Filtering, Sorting, and Searching:
- Allow these operations via query parameters
- Example:
/api/users?sort=name&filter=active&search=john
- Security:
- Use HTTPS
- Implement proper authentication and authorization
- Rate Limiting:
- Prevent abuse by implementing rate limits
- Comprehensive Documentation:
- Provide clear, up-to-date documentation with examples
- HATEOAS (Hypertext As The Engine Of Application State):
- Include links in responses for related resources
- Asynchronous Operations:
- For long-running operations, return a 202 Accepted status and provide a way to check the status
Example: RESTful API Design in Express
const express = require('express');
const app = express();
app.use(express.json());
// GET all users
app.get('/api/v1/users', (req, res) => {
// Logic to fetch users
res.json({ users: [] });
});
// GET a specific user
app.get('/api/v1/users/:id', (req, res) => {
// Logic to fetch a user
res.json({ user: { id: req.params.id, name: 'John Doe' } });
});
// CREATE a new user
app.post('/api/v1/users', (req, res) => {
// Logic to create a user
res.status(201).json({ user: { id: 'new-id', ...req.body } });
});
// UPDATE a user
app.put('/api/v1/users/:id', (req, res) => {
// Logic to update a user
res.json({ user: { id: req.params.id, ...req.body } });
});
// DELETE a user
app.delete('/api/v1/users/:id', (req, res) => {
// Logic to delete a user
res.status(204).send();
});
app.listen(3000, () => console.log('Server running on port 3000'));
8. How do you monitor API performance? ๐
Monitoring API performance is crucial for maintaining service quality, identifying issues, and planning for scalability. Here are key aspects and tools for API monitoring:
Key Metrics to Monitor:
- Response Time: How long it takes to process requests
- Throughput: Number of requests processed per unit of time
- Error Rate: Percentage of requests that result in errors
- CPU and Memory Usage: Server resource utilization
- Concurrent Connections: Number of simultaneous connections
- Uptime: Percentage of time the API is available
Monitoring Tools:
- Prometheus: Open-source monitoring and alerting toolkit
- Grafana: Platform for monitoring and observability
- New Relic: Application Performance Monitoring (APM) tool
- Datadog: Monitoring and analytics platform
- ELK Stack (Elasticsearch, Logstash, Kibana): Log analysis and visualization
Example: Basic API Monitoring with Express and Prometheus
const express = require('express');
const promClient = require('prom-client');
const app = express();
// Create a Registry to register the metrics
const register = new promClient.Registry();
promClient.collectDefaultMetrics({ register });
// Create a custom counter for HTTP requests
const httpRequestsTotal = new promClient.Counter({
name: 'http_requests_total',
help: 'Total number of HTTP requests',
labelNames: ['method', 'route', 'status_code']
});
register.registerMetric(httpRequestsTotal);
// Middleware to count requests
app.use((req, res, next) => {
res.on('finish', () => {
httpRequestsTotal.inc({
method: req.method,
route: req.route ? req.route.path : req.path,
status_code: res.statusCode
});
});
next();
});
// Expose metrics endpoint for Prometheus to scrape
app.get('/metrics', async (req, res) => {
res.set('Content-Type', register.contentType);
res.end(await register.metrics());
});
app.get('/', (req, res) => {
res.send('Hello World!');
});
app.listen(3000, () => console.log('Server running on port 3000'));
Best Practices for API Monitoring:
- Set up alerts for abnormal patterns or threshold breaches
- Use distributed tracing for complex, microservices-based architectures
- Implement logging for detailed debugging information
- Regularly review and act on monitoring data
- Test your monitoring setup to ensure it captures issues accurately
9. What is the significance of HATEOAS in REST APIs? ๐
HATEOAS (Hypermedia as the Engine of Application State) is a constraint of the REST application architecture. It keeps the REST style architecture unique from other network application architectures.
Key Aspects of HATEOAS:
- The client interacts with the network application entirely through hypermedia provided dynamically by application servers
- A REST client needs no prior knowledge about how to interact with an application or server beyond a generic understanding of hypermedia
Benefits of HATEOAS:
- Improved discoverability
- Reduced coupling between client and server
- Easier API evolution
Example: HATEOAS Response in JSON
{
"id": 1,
"name": "John Doe",
"links": [
{
"rel": "self",
"href": "http://api.example.com/users/1"
},
{
"rel": "posts",
"href": "http://api.example.com/users/1/posts"
},
{
"rel": "comments",
"href": "http://api.example.com/users/1/comments"
}
]
}
Implementing HATEOAS with Express:
const express = require('express');
const app = express();
app.get('/api/users/:id', (req, res) => {
const userId = req.params.id;
const user = {
id: userId,
name: 'John Doe',
links: [
{
rel: 'self',
href: `http://localhost:3000/api/users/${userId}`
},
{
rel: 'posts',
href: `http://localhost:3000/api/users/${userId}/posts`
},
{
rel: 'comments',
href: `http://localhost:3000/api/users/${userId}/comments`
}
]
};
res.json(user);
});
app.listen(3000, () => console.log('Server running on port 3000'));
10. How do you manage API keys and secrets? ๐
Managing API keys and secrets securely is crucial for maintaining the integrity and security of your API. Here are some best practices:
1. Use Environment Variables:
- Store sensitive information in environment variables, not in your codebase
- Use tools like
dotenvfor local development
2. Implement Key Rotation:
- Regularly update API keys and secrets
- Provide a way for clients to smoothly transition to new keys
3. Use a Secrets Management Service:
- AWS Secrets Manager
- HashiCorp Vault
- Azure Key Vault
4. Implement Proper Access Controls:
- Use the principle of least privilege
- Regularly audit who has access to what
5. Encrypt Secrets at Rest and in Transit:
- Use strong encryption algorithms
- Always use HTTPS for API communications
6. Use API Gateways for Key Management:
- Centralize key management and validation
- Implement rate limiting and usage analytics
7. Avoid Logging Sensitive Information:
- Be cautious about what gets logged
- Mask sensitive data in logs
Example: Using Environment Variables with Node.js
// .env file
API_KEY=your-secret-api-key
DATABASE_URL=your-database-connection-string
// app.js
require('dotenv').config();
const express = require('express');
const app = express();
const apiKey = process.env.API_KEY;
const dbUrl = process.env.DATABASE_URL;
app.get('/api/data', (req, res) => {
if (req.headers['x-api-key'] !== apiKey) {
return res.status(401).json({ error: 'Invalid API key' });
}
// Process the request...
});
app.listen(3000, () => console.log('Server running on port 3000'));
Best Practices for API Key Distribution:
- Use secure channels to distribute keys (e.g., encrypted email, secure portal)
- Implement a self-service portal for key generation and management
- Educate clients on proper key storage and usage
- Implement key expiration and renewal processes
By following these practices and continuously educating yourself on security best practices, you can significantly enhance the security of your API and protect sensitive information.