tags:

views:

2648

answers:

8
+17  Q: 

Examples of the best SOAP/REST/RPC web APIs? And why do you like them? And what's wrong with them?

At my company we're starting to branch into web APIs to access and update our data; initially for partners but then likely to the public in future. At the moment the way the API will look (e.g. SOAP, REST, RPC) is completely open and we haven't made any decisions yet, so I'm interested in both examples of web APIs people think are good, and why you think that.

What I'm interested in is opinions from people using different languages (we're likely to be offering the API to people using a number of platforms, particularly including .NET, Java, ActionScript and JavaScript) about web APIs that you think are good examples, and that you've had good experiences with.

Some points I'd like to cover:

  1. Do you prefer SOAP type services or REST/RPC style ones? I suspect that people with platform support (e.g. .NET, Java) will prefer SOAP ones and people using languages without platform support will prefer the others, but I'd like to validate that assumption.

  2. Do you care whether an API is actually RESTful or whether it is a plain old RPC style HTTP GET/POST? If so, why do you care? Is it more important that an API describes itself correctly (i.e. don't claim to be RESTful if it's RPC style) than whether it actually is one of the two?

  3. We need to verify who is using the service. I've been looking at the Amazon S3 authentication which uses a public identifier and a private token that's used to hash the parameters of the request into a verification token (this is also similar to flickr). Have you used this type of authentication before, and how did you get on with it? Are there any hash algorithms you find problematic (i.e. not supported by your platform)? Would you prefer to send the hash in an HTTP header or in the URI?

  4. How should versioning be handled? Is it a good idea to have a /v1/ type subdirectory so that future versions can be added alongside, or would you do something differently like have the version in the request payload or query? How long would you expect a version of an API that you'd built against to be supported for (i.e. if v2 was introducted, what would be your expectancy around the lifetime of v1).

Also, any other opinions and points to cover would be useful.

I'm deliberately staying vague on the actual type of API we're implementing, as I'm looking for general guidance in terms of what people think are good APIs and implementation mechanisms, so this post and its answers will be useful to more people in the future.

Note: I have searched and can't find a generic question about this - they all seem specific to a certain type of API - but if it is a duplicate then please let me know. Also if it should be community wiki (I think people ought to get credit for answers so I haven't made it one) then please let me know and I'll change it to be.

+1  A: 

IMHO, it all depends on what kind of apps you're offering. If you are doing important, big time transactions, then definitely go with SOAP (WS "death star" as they call it). But if you're offering social apps, then go with REST, since it's simpler and a better fit for public hacking.

barneytron  2009-01-03 22:12:41
+3  A: 

Versioning for REST using Content-Type headers is covered well here: http://barelyenough.org/blog/2008/05/versioning-rest-web-services/

asplake  2009-01-04 12:18:46
Could you make that an actual link, please?
JB  2009-01-04 13:34:21
A: 

If you can not make up your mind eventually you could implement them all. In these cases it is useful to look how others have done it. I recommend you Open Source XML Native Database eXist that offers the three types of interfaces you are intestigating.

Fernando Miguélez  2009-01-04 12:49:04
+2  A: 

I'd see what Amazon is doing - http://aws.amazon.com/ - the guys making money off this stuff obviouslly will have learned more lessons than anyone else.

Other API's I'd look at - salesforce.com and Microsofts CRM api was rather interesting. Twitter has a battle hardened REST api too.

BPAndrew  2009-01-05 13:30:56
I would like to assume amazon is profitable not because of its API but because of the rest of their services. Just because a big corperation has used a paticular method of coding does not make it the best or even mean that they did their homework. For all we know it was a random choice.
nlaq  2009-01-07 21:48:07
I'm looking at it from the opposite direction. They picked the best tool/methodology for the job based on the fact that they have to sell a product/service with it. They've gone through iterations, they've supported customers. They see flaws that an idea out of a book hasnt gotten to yet.
BPAndrew  2009-01-08 12:15:56
Amazon's API is not actually REST, it's just RPC.
Wahnfrieden  2009-07-22 14:58:08
+1  A: 

REST, if done correctly, is easy to understand (models HTTP), straightforward (resource oriented) and can be parsed by pretty much every programming language (XML).

detour  2009-01-05 15:19:53
REST needn't be HTTP, it's protocol-independent.
Wahnfrieden  2009-07-21 15:27:21
+4  A: 

You might be interested in Joshua Bloch's presentation "How to Design a Good API and Why it Matters". Joshua Bloch is the author of "Effective Java" and a Principal Software Engineer and Chief Java Architect at Google.

Abstract: http://portal.acm.org/citation.cfm?id=1176622

Slides: http://lcsd05.cs.tamu.edu/slides/keynote.pdf

Video: http://www.youtube.com/watch?v=aAb7hSCtvGw

 2009-01-06 07:27:05
+4  A: 

Here's my take.

  1. Although coming from a Java standpoint, I actually prefer REST. SOAP envelope with multiple namespaces and its complex structure is abomination. It tries to solve mostly imaginary problems, and doesn't solve anything efficiently. Only thing about SOAP I've found useful is that it has standards for authorization and errors. On the other hand, both could be solved much easier by including four standard attributes in root XML element - username, password, errorCode, errorDescription.

  2. Good API description and documentation is indeed all that matters. Difference between REST and SOAP in mature framework is mostly in a few lines of configuration.

  3. For SOAP, send hash as part of SOAP security; for REST, I like to package everything in payload and avoid HTTP headers for authentication. I have only subjective reasons though, since I had to battle with frameworks which don't easily expose HTTP headers.

  4. My personal preference is having different URIs for different protocol versions. In my experience, this gives you more flexibility in newer versions, and old clients which connect to unsupported versions of a protocol stop working immediately and for obvious reasons. Also, sometimes you can map old version of application to old URI, to avoid having legacy support code in new server version.

    As for how long you support old version of protocol... ideally, as long as you have clients which use it. This is more business than technical decision. You should support at least one previous protocol version. It's usually in your interest to push clients towards new version to lower legacy support costs; from the clients side, new version should mean new features, better protocol, and some sort of additional business incentive (if new features alone are not enough).

Domchi  2009-01-06 10:35:59
HTTP has "standards" for authentication (Authenticate header) and errors (5XX responses). Packaging authentication in the payload is usually a bad idea, it breaks intermediaries that may cache them or process them, and it prevents the authentication scheme from being resued across sites. When you breach serendipity, you also breach REST.
serialseb  2009-05-21 00:23:15
+1  A: 

The RPC approach is also a good option. It reduces the overhead, and projects like Ice,Google Protocol Buffers and Apache Thrift are making it easier to develop RPC based services easier.

If you do not have to provide a web based API, then RPC can also be a choice you want to explore.

sheki  2010-09-02 06:58:41
Another thing that ties into this is ease: Its 1) easy for people to understand an RPC approach instead of a rest approach and 2) Easier to implement ("here's a function and its arguments and return value")
Richard Levasseur  2010-09-03 02:30:28

related questions

Displaying Version Information in a Web Service
Example Web Service
SoapException: Root element is missing occurs when .NET web service called from Flex
Best practice for webservices
What is your preferred method of sending complex data over a web service?
.Net - Returning DataTables in WCF
Is it possible to return objects from a WebService?
How much extra overhead is generated when sending a file over a web service as a byte array?
Returning Large Results Via a Webservice
File Uploads via Web Services
best way to persist data in .NET Web Service
What is the difference between an endpoint, a service, and a port when working with webservices?
Calling REST web services from a classic asp page
Best way to write a RESTful service "client" in .Net?
Where can I find some good WS-Security introductions and tutorials?
ASP.NET Web Service Results, Proxy Classes and Type Conversion
Web Services -- WCF vs. Standard
C# WCF Service - Backward compatibility issue
Document or RPC based web services
How to easily consume a web service from PHP
Timer-based event triggers
How to pass enumerated values to a web service
Homegrown consumption of web services
How do I print an HTML document from a web service?
How do I fill a DataSet or a DataTable from a LINQ query resultset ?