Hello Interview Quick Reference

API Design

API Selection

Protocol Choice

REST is the default for most designs and standard CRUD; GraphQL fits diverse clients and over-fetching or under-fetching; RPC fits internal microservices and performance-critical calls; WebSockets or Server-Sent Events fit notifications, chat, or live updates.
  • REST: Default for most designs; standard HTTP CRUD over resource URLs.
  • GraphQL: Use for diverse clients and over-fetching or under-fetching; adds complexity.
  • RPC: Use for internal microservices or performance-critical calls; action-oriented.
  • WebSockets or Server-Sent Events: Use for notifications, chat, or live updates; persistent connections.

GraphQL Design

Schema relationships define entity links directly so clients traverse them in one query; the N+1 problem is one parent query followed by N child queries and is fixed with batching or dataloaders; field-level authorization secures individual fields in resolvers, not just entire endpoints.
  • Schema relationships: Define entity links directly so clients traverse them in one query.
  • N+1 problem: Parent query plus N child queries; fix with batching or dataloader patterns.
  • Field-level authorization: Secure individual fields in resolvers, not just entire endpoints.
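The N+1 pattern and its batched fix, as an added example that is not from the Hello Interview page: a naive resolver fetches tickets once per event, while a minimal dataloader collects the event IDs and issues one batch query. The in-memory tables and the query counter are constructed for the demo.

```python
# Added example (not from the page): an N+1 resolver next to a batched
# dataloader-style fix, with a query counter to show the difference.
from collections import defaultdict

# Constructed sample tables: events and the tickets that belong to them.
EVENTS = [{"id": 1, "name": "Concert"}, {"id": 2, "name": "Play"}, {"id": 3, "name": "Game"}]
TICKETS = [{"id": 10, "event_id": 1, "seat": "A1"},
           {"id": 11, "event_id": 1, "seat": "A2"},
           {"id": 12, "event_id": 3, "seat": "B7"}]

class FakeDB:
    """Counts queries so each strategy's round-trip cost is visible."""
    def __init__(self):
        self.queries = 0
    def all_events(self):
        self.queries += 1
        return list(EVENTS)
    def tickets_for_event(self, event_id):
        self.queries += 1           # one query per parent: the N in N+1
        return [t for t in TICKETS if t["event_id"] == event_id]
    def tickets_for_events(self, event_ids):
        self.queries += 1           # one query for the whole batch of parents
        wanted = set(event_ids)
        return [t for t in TICKETS if t["event_id"] in wanted]

def resolve_naive(db):
    """GraphQL-style resolver that fetches children per parent: 1 + N queries."""
    return {e["id"]: db.tickets_for_event(e["id"]) for e in db.all_events()}

class TicketLoader:
    """Minimal dataloader: collect keys during the resolver pass, then load once."""
    def __init__(self, db):
        self.db, self.pending = db, []
    def load(self, event_id):
        self.pending.append(event_id)
    def dispatch(self):
        grouped = defaultdict(list)
        for t in self.db.tickets_for_events(self.pending):
            grouped[t["event_id"]].append(t)
        return {k: grouped.get(k, []) for k in self.pending}

def resolve_batched(db):
    """Same result as resolve_naive, but exactly 2 queries however many events exist."""
    loader = TicketLoader(db)
    for e in db.all_events():
        loader.load(e["id"])
    return loader.dispatch()
```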

REST Basics

Resource Shape

Resource nouns model things, not actions, and use plural nouns; parent-child nesting fits clear ownership like tickets under an event.
  • Resource nouns: Model things, not actions; use plural nouns like events or bookings.
  • Parent-child nesting: Use clear ownership like /events/{id}/tickets when a child belongs under a parent.

Method Semantics

GET retrieves without changing state and is idempotent; POST creates resources and retries can duplicate bookings; PUT replaces a full resource or creates it if absent and is idempotent; PATCH updates part of a resource and idempotency depends on the operation; DELETE removes a resource and is idempotent even if later responses differ.
  • GET: Retrieve without changing state; idempotent.
  • POST: Create resources; not safe or idempotent, so retries can duplicate bookings.
  • PUT: Replace a full resource or create it if absent; idempotent.
  • PATCH: Update part of a resource; idempotency depends on the operation.
  • DELETE: Remove a resource; idempotent even if later responses differ.

Input Placement

Path parameters hold required identifiers for specific resources; query parameters hold optional filters, sorting, behavior, or pagination; request bodies hold complex create or update payloads.
  • Path parameters: Required identifiers for a specific resource, e.g., /events/123.
  • Query parameters: Optional filters, sorting, behavior, or pagination, e.g., ?city=NYC&limit=20.
  • Request body: Complex create or update payloads; use for data too large or sensitive for URLs.

Response Codes

200 Success means the request succeeded and the body is usually JSON; 201 Created means a resource was created and the new resource is returned; 4xx Client Errors include 400 bad request, 401 authentication required, and 404 not found; 5xx Server Errors, such as 500, mean the server failed and should be distinguished from client errors.
  • 200 Success: Request succeeded; response body is typically JSON.
  • 201 Created: Resource created; return the newly created resource.
  • 4xx Client Errors: 400 bad request, 401 auth required, 404 not found.
  • 5xx Server Errors: 500 for server errors; distinguish these from client errors.

Shared Patterns

Pagination Choice

Offset-based Pagination is the default for most interviews and is simple but can duplicate or miss records as data shifts; Cursor-based Pagination is stable under inserts but makes jumping to page 5 harder.
  • Offset-based Pagination: Default for most interviews; simple offset/limit but shifts can duplicate or miss records.
  • Cursor-based Pagination: Stable under new records by using a pointer; harder to jump to page 5.
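The duplicate-or-miss behaviour of offset paging beside keyset (cursor) paging, as an added example that is not from the page: both walkers fetch page 1, let the table change, then fetch page 2. The six-row event table and the insert and delete mutations are constructed for the demo.

```python
# Added example (not from the page): offset paging duplicates or skips a row
# when the table shifts between page fetches; keyset (cursor) paging does not.
# The event table and the mutations applied between pages are constructed.

def page_by_offset(rows, offset, limit):
    """Offset/limit paging over rows sorted newest-first (typical feed order)."""
    ordered = sorted(rows, key=lambda r: r["id"], reverse=True)
    return ordered[offset:offset + limit]

def page_by_cursor(rows, cursor, limit):
    """Keyset paging: rows with id < cursor, newest-first. cursor=None is the
    first page; the cursor to send for the next page is the last id returned."""
    ordered = sorted(rows, key=lambda r: r["id"], reverse=True)
    if cursor is not None:
        ordered = [r for r in ordered if r["id"] < cursor]
    page = ordered[:limit]
    return page, (page[-1]["id"] if page else None)

def walk_offset(rows, limit, mutate):
    """Fetch page 1, let `mutate` change the table, fetch page 2; return ids seen."""
    seen = [r["id"] for r in page_by_offset(rows, 0, limit)]
    rows = mutate(rows)                      # every later row shifts up or down by one
    return seen + [r["id"] for r in page_by_offset(rows, limit, limit)]

def walk_cursor(rows, limit, mutate):
    """Same scenario with a cursor: page 2 continues from where page 1 ended."""
    page, cursor = page_by_cursor(rows, None, limit)
    seen = [r["id"] for r in page]
    page, _ = page_by_cursor(mutate(rows), cursor, limit)
    return seen + [r["id"] for r in page]

EVENTS = [{"id": i} for i in range(1, 7)]    # constructed: six events, ids 1..6

def insert_newer(rows):
    """A new event (id 7) is created after page 1 was served."""
    return rows + [{"id": 7}]

def delete_newest(rows):
    """The newest event (id 6) is removed after page 1 was served."""
    return [r for r in rows if r["id"] != 6]
```

With a page size of 3, the offset walk sees id 4 twice after an insert and never sees id 3 after a delete, while the cursor walk returns each remaining id exactly once in both cases.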

Versioning Choice

URL Versioning is the default for interviews and uses paths like /v1/events; Header Versioning keeps URLs cleaner but is less obvious and harder to test in browsers.
  • URL Versioning: Default for interviews; explicit paths like /v1/events or /v2/events.
  • Header Versioning: Cleaner URLs, but less obvious and harder to test in browsers.

Security

Credential Choice

JWT Tokens are the default for user-facing sessions and carry user ID, permissions, and expiration; API Keys fit internal services or third-party developers, not human user sessions.
  • JWT Tokens: Default for user-facing sessions; carry user ID, permissions, and expiration.
  • API Keys: Use for internal services or third-party developers, not human user sessions.

Authorization Model

RBAC assigns permissions to roles; role examples include customer, venue_manager, and admin.
  • RBAC: Assign permissions to roles.
  • Role examples: Roles like customer, venue_manager, and admin.
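Credential checking and the RBAC lookup together, as an added example that is not from the page: an HS256 session JWT carrying user ID, role and expiration is verified (algorithm pinned, signature compared in constant time, expiry enforced), and the role is then mapped to permissions through a role table. The signing secret, the claim names, and the permission table are constructed for the demo.

```python
# Added example (not from the page): verify an HS256 session JWT, then apply
# RBAC to the role it carries. Secret, claims and the permission table are
# constructed for the demo; production code would use a vetted JWT library.
import base64, hashlib, hmac, json, time

SECRET = b"demo-signing-key-not-for-production"     # constructed

# RBAC table: permissions hang off roles, never off individual users.
ROLE_PERMISSIONS = {
    "customer":      {"events:read", "bookings:create"},
    "venue_manager": {"events:read", "events:write", "bookings:read"},
    "admin":         {"events:read", "events:write", "bookings:read", "users:manage"},
}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(user_id, role, ttl_seconds, now=None):
    """Mint a token carrying user ID, role and expiration, signed with HS256."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id, "role": role, "exp": now + ttl_seconds}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token, now=None):
    """Return the claims if the signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None            # pin the algorithm; never let the token pick it
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None            # tampered payload or wrong key
        claims = json.loads(_b64url_decode(payload))
        if claims.get("exp", 0) <= now:
            return None            # expired
        return claims
    except (ValueError, TypeError, AttributeError):
        return None                # malformed token

def authorize(token, permission, now=None):
    """Authenticate via the token, then authorize via the RBAC table."""
    claims = verify_jwt(token, now)
    return claims is not None and permission in ROLE_PERMISSIONS.get(claims.get("role"), set())
```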

Abuse Prevention

Rate Limiting caps API use per user, IP, or endpoint; example thresholds are 1000 per hour, 100 per hour, and 10 booking attempts per minute, with requests over the limit rejected with 429.
  • Rate Limiting: Limit API use.
  • Limit scopes and thresholds: Limit per user/IP/endpoint, e.g., 1000/hour, 100/hour, 10 booking attempts/min; return 429.
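A per-user, per-endpoint sliding-window limiter that returns 429 with a Retry-After value, as an added example that is not from the page. The endpoint policy reuses the page's figures (1000/hour, 100/hour as the default, 10 booking attempts per minute); the key could equally be an IP address. Limits, timestamps and the request stream are constructed for the demo.

```python
# Added example (not from the page): a per-user, per-endpoint sliding-window
# rate limiter that answers 429 with Retry-After once a threshold is exceeded.
# The endpoint limits, clock values and request stream are constructed.
from collections import defaultdict, deque

# Constructed policy: (max requests, window seconds) per endpoint, using the
# page's figures of 1000/hour, 100/hour and 10 booking attempts per minute.
LIMITS = {
    "GET /events":    (1000, 3600),
    "POST /bookings": (10, 60),
}
DEFAULT_LIMIT = (100, 3600)        # any endpoint without an explicit entry

class RateLimiter:
    def __init__(self, limits=LIMITS, default=DEFAULT_LIMIT):
        self.limits, self.default = limits, default
        self.log = defaultdict(deque)   # (user, endpoint) -> timestamps of accepted requests

    def check(self, user_id, endpoint, now):
        """Return (status, retry_after_seconds): 200 when allowed, 429 when over the limit."""
        max_req, window = self.limits.get(endpoint, self.default)
        q = self.log[(user_id, endpoint)]
        while q and q[0] <= now - window:   # forget requests that left the window
            q.popleft()
        if len(q) >= max_req:
            return 429, int(q[0] + window - now) + 1
        q.append(now)                        # only accepted requests count against the limit
        return 200, 0

def handle(limiter, user_id, endpoint, now):
    """Mimic the API layer: rate-limit first, then serve the request."""
    status, retry_after = limiter.check(user_id, endpoint, now)
    if status == 429:
        return {"status": 429, "headers": {"Retry-After": str(retry_after)}}
    return {"status": 200, "headers": {}}
```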

© 2026 Optick Labs Inc. All rights reserved.