Sitemap
Open in app

Sign in

Medium Logo
Write
Search

Sign in

Your API Isn’t Just an Endpoint — It’s a Promise You’ll Regret Breaking

7 min readOct 5, 2025

An API isn’t a magic tunnel to your database. It’s a blood oath between your system and everyone desperate enough to call it. The moment you publish it, you’ve made a promise: “I won’t screw you tomorrow.”

Every method, every field, every header — that’s part of the contract. Break it, and you’re not “innovating.” You’re detonating.

Good APIs aren’t clever; they’re consistent. They’re the boring friend who never cancels plans. They do what they said they’d do — today, tomorrow, and under load at 3:00 a.m.

Mature teams don’t chase shiny frameworks. They build guardrails:

  • Common naming, common responses, no wild-west JSON freestyle.
  • Automated checks that scream when someone “refactors” stability into oblivion.
  • Version tracking that actually lives somewhere besides Slack.
  • Real metrics — latency, errors, who’s using what.

You don’t run an API. You parent one.

Versioning: How to Change Without a Body Count

When to Bump the Version

Only when you’re about to break something for real — like deleting a field, renaming it, or turning an integer into a string because you “felt like it.” That’s not creativity; that’s vandalism.

If you’re adding something new and harmless? Keep the same version. Don’t spawn /v17/ because you renamed a tooltip.

Where to Put It

You’ve got two homes for version info:

  1. Path versioning: /api/v1/users
  • Loud, clear, and easy to debug.
  • The choice of people who enjoy sleeping.
  1. Header versioning: Accept: application/vnd.myapp.v2+json
  • Clean URLs, messy tooling.
  • Great if you enjoy reading RFCs by candlelight.

The real world? It runs on path-based versioning because it’s easy to spot at 2 a.m. when your pager goes off.

How to Retire Old Versions Without Burning Bridges

You keep v1 alive while v2 finds its footing. Six months minimum, a year if you’re nice. Watch the metrics — how much traffic still hits v1, how often it fails. Don’t yank life support until the numbers say “safe.”

Run regression tests between versions. Add a schema diff check to your CI. If someone removes a field that clients still need, the pipeline should smack them on the wrist.

You want to evolve, not commit API genocide.

Idempotency: Stop Double-Charging Your Users

Here’s how the internet works: packets get lost, requests get retried, and somewhere, your code decides to bill twice. That’s how careers end.

Idempotency says: “Do it once — and only once — no matter how many times you’re asked.”

How It Works

  1. The client sends a header: Idempotency-Key: some-uuid.
  2. The server checks:
  • Seen this key? Return the same old result.
  • New key? Run the action, save the result, remember it.
  1. Save the result for 24–72 hours (that’s your TTL).
  2. If the same key comes in with different data, respond with 409 Conflict and a raised eyebrow.

The Fine Print

  • Keys must include the client and the endpoint. Otherwise, collisions turn your logs into spaghetti.
  • The stored response must be byte-for-byte identical — same status, same body.
  • Write down what’s idempotent, what’s not, and what happens when people mess up.

Good SDKs handle retries safely. Bad SDKs handle lawsuits.

Cursor Pagination: Because Offset/Limit Is a Lie

Offset pagination looks innocent — until your dataset changes mid-scroll and suddenly “page 3” is missing half its rows. You think you’re listing records; you’re actually pulling a slot machine.

Cursor-based pagination fixes that. Instead of skipping by number, it remembers the last item you saw and starts from there.

How It Works

Each response gives you a cursor token, an opaque blob of nonsense (like base64(timestamp+id)), and says, “Use this to get the next batch.” You send it back; the API picks up exactly where you left off.

SQL Example (PostgreSQL):

SELECT *
FROM orders
WHERE (order_ts <  :last_ts)
   OR (order_ts =  :last_ts AND id < :last_id)
ORDER BY order_ts DESC, id DESC
LIMIT :page_size;

The Ground Rules

  • Cursors are opaque — don’t make users decode them like spies.
  • Sort results by a stable field (timestamp + ID combo).
  • Cap the page size — nobody needs 10,000 records at once.
  • If you change sorting logic (say, from date to “popularity”), that’s effectively a new version.

Cursor pagination doesn’t let you “jump to page 100.” But it doesn’t collapse under pressure either. Trade-offs, baby.

Security & Operations: Not Optional, Not Sexy, Still Mandatory

Security isn’t a feature — it’s oxygen. You only notice it when it’s gone.

The Basics

  • TLS everywhere. If your API speaks plain HTTP, it’s a cry for help.
  • Authentication: API keys, OAuth2, JWT — pick your poison, but rotate and revoke them properly.
  • Authorization: scopes, roles, least privilege. Nobody gets admin by accident.
  • Rate limiting: Protect your backend and your sanity. Include headers:
  • X-RateLimit-Limit
  • X-RateLimit-Remaining
  • X-RateLimit-Reset
  • Input validation: Never trust the user. They’ll find new ways to break you.

Watching Your Back

  • Track latency, error rates, and load by endpoint and version.
  • Use distributed tracing — attach correlation IDs like dog tags.
  • Build alerting around SLOs so you know when “fine” isn’t fine anymore.

Security isn’t glamorous, but neither is cleaning up after a breach.

Testing and Fuzzing: The API Fight Club

Unit tests are polite. The real world isn’t.

Contract testing checks that your API still matches its own documentation — because nothing says “enterprise-ready” like a spec that lies. Replay old client calls on the new version. See what explodes.

Then bring out the fuzzers — those delightful chaos engines that send malformed payloads until something breaks. Reinforcement learning fuzzers even learn how to hurt you better.

Your goal: make them fail in staging so your users don’t do it in production.

Battle-Tested Blueprints

Versioning

  • /api/v1/ and /api/v2/ run together for a while.
  • Deprecation dates written down — not “known by Dave.”
  • Each version gets its own latency and error metrics.
  • Every log line carries x-api-version.

Idempotency

  • POST /api/v1/orders must have an Idempotency-Key.
  • TTL = 48 hours.
  • Same key + same body → identical response.
  • Same key + different body → 409 Conflict.
  • Log user ID, endpoint, key, request hash, and response hash.

Cursor Pagination

  • Request: GET /api/v1/orders?cursor=<token>&limit=50
  • Response:
{   "data": [...],   "pagination": { "next_cursor": "<token>", "has_more": true } }
  • Sort by created_at DESC, id DESC.
  • Invalid cursor? 400 Bad Request.

The 2025 Survival Checklist

Governance: Common rules, lint in CI, version catalogs, per-version metrics.
Versioning: Additive first, destructive last; overlap versions; monitor real usage.
Idempotency: Use keys, store results, replay responses exactly.
Pagination: Cursor-based; stable sort; tight limits; opaque tokens.
Security & Testing: Lock it down, fuzz it up, and never assume “it’s fine.”

The Final Truth

APIs are not code — they’re promises written in JSON.

You break one, you break trust. You version badly, you create orphans. You skip idempotency, you bill twice. You ignore pagination, you melt a database. You skip security, you make the news.

Do it right, and your API doesn’t just survive — it earns respect.
It grows, evolves, and doesn’t wake you up at night.

And that, my friend, is the real definition of scalable architecture.

If you’re enjoying the content on my blog and would like to dive deeper into exclusive insights, I invite you to check out my Patreon page. It’s a space where you can support my work and get access to behind-the-scenes articles, in-depth analyses, and more. Your support helps me keep creating high-quality content and allows me to explore even more exciting topics. Visit [patreon.com/ChristianBaghai](https://www.patreon.com/ChristianBaghai) and join the community today! Thank you for being a part of this journey!

Christian Baghai | Patreon

Democracy in the Distraction Age: Prague’s Pocket-Sized Coup | Patreon

Mesh Manufacturing Meets War: How Ukraine Is Rewriting Drone Warfare | Patreon

Swarms at the Spigot: The Night Robot Surfboards Sent an Oil Empire Looking for a Plunger | Patreon

Ghost Ships on the Horizon: The Shadow Fleet as Russia’s Covert Maritime Engine | Patreon

Refineries: Spare Me the Halo — They’re War Fill-Up Stations | Patreon

Russia’s August Gamble, Ukraine’s Fierce Rebound | Patreon

Russia’s False-Flag Fixation: Smoke, Mirrors, and a Fire Alarm That Won’t Shut Up | Patreon

Purdue Pharma 2025: The Expensive Funeral of Corporate Greed | Patreon

America’s Strategic Gamble: A Shield Made of Dollar Bills and Wishful Thinking | Patreon

Latrodectus: The Loader That Picks Your Locks, Drinks Your Milk, and Sublets Your Server | Patreon

Novorossiysk at Gibraltar: Russia’s Floating Punchline | Patreon

Hungary’s Disinformation State: The “Public Service” News You Pay For — Whether You Like It or Not | Patreon

Hungary’s Propaganda Machine: A Maintenance Manual for Manufactured Reality (2025) | Patreon

LAMEHUG: When Malware Starts Asking For Directions | Patreon

Operation HAECHI VI: The World’s Most Polite Bank Robbery in Reverse | Patreon

Mercenaries Without Pay: How France’s Far Right Became Dassault’s Free Advertising Agency | Patreon

Vectis, CCAs, and the New Airpower Architecture: From “Missile Trucks” to Algorithmic Mass | Patreon

Forty Warships and a Load of Bull: Disinformation on the High Seas | Patreon

The Shadow Voyage of Heng Yang 9 | Patreon

Mercenaries Without Pay: How France’s Far Right Became Dassault’s Free Advertising Agency | Patreon

Sovereignty for Sale: Europe’s Far Right as the Kremlin’s Bargain Bin Loudspeakers | Patreon

API
Software Development
Business
Technology

--

--

Christian Baghai
Christian Baghai

Written by Christian Baghai

1K followers
75 following

Clinical statistical programmer

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Rules

Terms

Text to speech