Blueprint Docs

This API blueprint is subject to change due to technology restrictions, performance optimizations or changing requirements.

Authentication

• This API uses JWT for authentication,

• Every token MUST be refreshed before its expiration time,

• Token MUST be provided in Authorization header,

• Toke MUST be provided for each request that requires authentication,

• This API issues a long-lived access tokens for consumers. A long-lived JWT generally SHOULD lasts about 30 days. If no requests are made, the token MUST expire and the user MUST go through the login flow again to get a new one.

A custom scheme like "JWT" seems to be more appropriate than coercing the OAuth2 Bearer scheme.

Example Header

Authorization: JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhNnZoQW8zRkc3dDEiLCJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjE0NzA1OTg5NzIsImV4cCI6MTQ3MDY4NTM3Mn0.ltA9zZmJKszBJuuV7pTWtY7LzLXrRUfebJDhy_jGMeM

Claims

• exp - The exp ( expiration time ) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.

• iat - The iat ( issued at ) claim identifies the time at which the JWT was issued.

• sub - The aud ( audience ) claim identifies the subject of this token (for e.g. a user id).

• iss - The iss ( issuer ) claim identifies the principal that issued the JWT.

Consumer Identification

This API uses User-Agent and Application-Id headers to identify API consumer. Application-Id MUST contain an UUID that uniquely identifies a particular consumer installation.

Example Headers

User-Agent: Mozilla/5.0 (Linux; Android 4.4; Nexus 5 Build/_BuildID_) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36
Application-Id: 6454d937-0a18-44a8-b482-bb48684f1ed4

Filtering, Ordering, Pagination & Searching

Filtering

This API can filter returned collections based on provided query parameters. Virtually any model field can be used as a filter.

For example, when requesting a list of movies from the /movies endpoint, you may want to limit these to only those of drama genre. This could be accomplished with a request like GET /movies?genre=drama. Here, genre is a query parameter that implements a filter.

Ordering

This API can sort returned collections. A generic query parameter sort is used to describe sorting rules. This parameter can take a list of comma separated field, each with a possible unary negative to imply descending sort order.

E.g. GET /movies?sort=-rating - Retrieves a list of movies in descending order of user rating.

By default all resources are ordered by their creation time, from newest to oldest.

Pagination

This API uses the Link header - RFC 5988 to include pagination details.

An example of a Link header is described in GitHub documentation.

This API returns total count of paged resources in Total-Count HTTP header.

Searching

This API uses a generic parameter search to expose a full text search mechanism.

HTTP Methods

This API uses HTTP verbs (methods) as following:

• GET - Read - used to read (or retrieve) a representation of a resource,

• POST - Create - used to create new resources. In particular, it's used to create subordinate resources.

• PUT - Update/Replace - used for update capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. On successful request, replaces identified resource with the request body.

• PATCH - Update/Modify - used for modify capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource.

• DELETE - Delete - used to delete a resource identified by a URI.

Localization

This API uses Accept-Language header to identify the locale.

Accept-Language: en

This header SHOULD be present in every request. If not, API MUST use the english language/locale.

Media Type

Where applicable this API MUST use the JSON media-type. Requests with a message-body are using plain JSON to set or update resource states.

Content-type: application/json and Accept: application/json headers SHOULD be set on all requests if not stated otherwise.

Notational Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC2119.

Representation of Date and Time

All exchange of date and time-related data MUST be done according to ISO 8601 standard and stored in UTC.

When returning date and time-related data YYYY-MM-DDThh:mm:ss.SSSZ format MUST be used.

Resource IDs

This API uses short non-sequential url-friendly unique ids. Every resource id MUST consists of 9 url-friendly characters: A-Z, a-z, 0-9, _ and -.

Example

a6vhAo3FG7t1

Status Codes and Errors

This API uses HTTP status codes to communicate with the API consumer.

• 200 OK - Response to a successful GET, PUT, PATCH or DELETE.

• 201 Created - Response to a POST that results in a creation.

• 204 No Content - Response to a successful request that won't be returning a body (like a DELETE request).

• 400 Bad Request - Malformed request; form validation errors.

• 401 Unauthorized - When no or invalid authentication details are provided.

• 403 Forbidden - When authentication succeeded but authenticated user doesn't have access to the resource.

• 404 Not Found - When a non-existent resource is requested.

• 405 Method Not Allowed - Method not allowed.

• 406 Not Acceptable - Could not satisfy the request Accept header.

• 415 Unsupported Media Type - Unsupported media type in request.

Error response

This API returns both, machine-readable error codes and human-readable error messages in response body when an error is encountered.

Example

Validation Error

{
    "statusCode": 400,
    "error": "Bad Request",
    "message": "Invalid query parameters",
    "data": {
        "code": 10003,
        "validation": {
            "details":[
                {
                    "message": "\"name\" is required",
                    "path": "name",
                    "type": "any.required",
                    "context": {
                        "key": "name"
                    }
                },{
                    "message": "\"email\" must be a valid email",
                    "path": "email",
                    "type": "string.email",
                    "context": {
                        "value": "foo",
                        "key": "email"
                    }
                }
            ],
            "source": "query",
            "keys": [ "name","email" ]
        }
    }
}

Generic Error

{
    "statusCode": 403,
    "error": "Forbidden",
    "message": "Your account is suspended and is not permitted to access this feature",
    "data": {
        "code": 13003
    }
}

Error Codes Dictionary

• 10003 - Invalid query parameters

• 10005 - Date is not in ISO 8601 standard

• 10010 - Invalid Content-Type

• 10011 - Invalid User-Agent

• 10012 - Invalid or missing Application-Id

• 11001 - Invalid or expired token

• 11003 - Bad authentication data - Method requires authentication but it was not presented or was wholly invalid.

• 11005 - Account not allowed to access this endpoint

• 13003 - Your account is suspended and is not permitted to access this feature

Versioning

This API uses Api-Version header to identify requested version. Every minor version SHOULD be backward compatible. However, major versions MAY introduce breaking changes.

Api-Version: 1.0.0

This header SHOULD be present in every request. If not, API MUST use the newest available major release.

If requested version is not available, API SHOULD try to fall back to the next available minor release.