API Design workbook: API fundamentals, communication patterns, architectural styles (REST, GraphQL, gRPC), security, operational concerns, worked API designs, and failure postmortems.http://localhost:4321/http://localhost:4321/api-design/api-security-overview/http://localhost:4321/api-design/api-security-overview/The threat model: authentication, authorization, integrity, confidentiality, availability. What an API designer owns.Sat, 30 May 2026 00:00:00 GMTFoundationalconceptSecuritysecuritythreat-modelowaspauthnauthzhttp://localhost:4321/api-design/api-monitoring/http://localhost:4321/api-design/api-monitoring/Logs, metrics, traces, the four golden signals (latency, traffic, errors, saturation), what the on-call must see in 5 seconds.Sat, 30 May 2026 00:00:00 GMTIntermediatebuilding-blockOperational Concernsmonitoringobservabilitymetricstracingsrehttp://localhost:4321/api-design/api-architectural-styles-overview/http://localhost:4321/api-design/api-architectural-styles-overview/REST, GraphQL, gRPC, SOAP, WebSocket, webhook. The catalogue, when each is right, and why every team thinks theirs is special.Sat, 30 May 2026 00:00:00 GMTFoundationalconceptArchitectural Stylesapiarchitectural-stylerestgraphqlgrpchttp://localhost:4321/api-design/api-versioning/http://localhost:4321/api-design/api-versioning/URI versioning, header versioning, semantic versioning. The choice that ages well vs the one that bites every quarter.Sat, 30 May 2026 00:00:00 GMTIntermediateconceptOperational Concernsversioningevolutionhttprestcontractshttp://localhost:4321/api-design/api-security-recap/http://localhost:4321/api-design/api-security-recap/The checklist: TLS, validate, AuthN, AuthZ, rate limit, audit. The mnemonic an API designer carries into every review.Sat, 30 May 2026 00:00:00 GMTFoundationalconceptSecuritysecuritychecklistowaspreviewhttp://localhost:4321/api-design/authentication-vs-authorization/http://localhost:4321/api-design/authentication-vs-authorization/Who you are vs what you can do. The two-word vocabulary every API designer must use precisely.Sat, 30 May 2026 00:00:00 GMTFoundationalconceptSecurityauthnauthzsecurityidentityaccess-controlhttp://localhost:4321/api-design/aws-s3-2017-service-disruption/http://localhost:4321/api-design/aws-s3-2017-service-disruption/A typo in a maintenance command cascaded through the S3 control plane. The API's read path went down and took half the Internet.Sat, 30 May 2026 00:00:00 GMTFoundationalpostmortemFailures & Postmortemspostmortemawss3control-planeblast-radiushttp://localhost:4321/api-design/caching-at-different-layers/http://localhost:4321/api-design/caching-at-different-layers/Browser, CDN, gateway, app, database. Where to cache, what to cache, the cache-invalidation problem the joke is about.Sat, 30 May 2026 00:00:00 GMTIntermediatebuilding-blockOperational Concernscachingcdnhttp-cacheperformanceinvalidationhttp://localhost:4321/api-design/binary-data-formats/http://localhost:4321/api-design/binary-data-formats/When the wire matters more than the diff. Schema-first vs schema-less, evolution semantics, the size-vs-debuggability trade-off.Sat, 30 May 2026 00:00:00 GMTIntermediatebuilding-blockCommunication Patternsprotobufmessagepackavroserializationbinaryhttp://localhost:4321/api-design/business-considerations-of-apis/http://localhost:4321/api-design/business-considerations-of-apis/APIs as products. Monetisation, partner programs, developer experience as a moat, why Stripe is Stripe.Sat, 30 May 2026 00:00:00 GMTFoundationalconceptFoundationsapibusinessmonetisationdeveloper-experienceproducthttp://localhost:4321/api-design/chess-api-design/http://localhost:4321/api-design/chess-api-design/Game lifecycle, move validation, time control, spectator stream. The cleanest turn-based-game API in the catalogue.Sat, 30 May 2026 00:00:00 GMTIntermediatesystemAPI Designschessapi-designturn-basedssehttp://localhost:4321/api-design/camelcamelcamel-api-design/http://localhost:4321/api-design/camelcamelcamel-api-design/Price-tracking for Amazon products. A scraper-shaped API that must respect a partner's rate limits and ToS.Sat, 30 May 2026 00:00:00 GMTIntermediatesystemAPI Designsprice-trackingscrapingrate-limitingpartner-apialertshttp://localhost:4321/api-design/client-adapting-apis/http://localhost:4321/api-design/client-adapting-apis/When the server shapes its response to the client (mobile vs web vs partner). The BFF pattern in API form.Sat, 30 May 2026 00:00:00 GMTIntermediateconceptOperational Concernsbffmobilewebgraphqlapi-designhttp://localhost:4321/api-design/comparing-api-styles/http://localhost:4321/api-design/comparing-api-styles/The honest trade-offs. Latency, payload size, tooling, debuggability, mobile-friendliness, where each one breaks first.Sat, 30 May 2026 00:00:00 GMTIntermediateconceptArchitectural Stylesrestgraphqlgrpccomparisonapihttp://localhost:4321/api-design/comment-service-api-design/http://localhost:4321/api-design/comment-service-api-design/Threaded comments, pagination by cursor, moderation hooks, the reaction subsystem. The CRUD that scales to millions of nodes.Sat, 30 May 2026 00:00:00 GMTIntermediatesystemAPI Designscommentsapi-designthreadingpaginationhttp://localhost:4321/api-design/circuit-breaker-pattern/http://localhost:4321/api-design/circuit-breaker-pattern/Closed → Open → Half-Open. Failing fast when a dependency is sick; the cascade-prevention pattern Netflix made famous.Sat, 30 May 2026 00:00:00 GMTIntermediatebuilding-blockOperational Concernsresiliencecircuit-breakerfault-tolerancecascading-failureshttp://localhost:4321/api-design/cookies-and-sessions-for-apis/http://localhost:4321/api-design/cookies-and-sessions-for-apis/Stateful sessions over stateless HTTP, the SameSite / Secure / HttpOnly trio, when JWTs replace cookies and when they shouldn't.Sat, 30 May 2026 00:00:00 GMTFoundationalbuilding-blockOperational Concernscookiessessionsjwtcsrfauthenticationhttp://localhost:4321/api-design/data-fetching-patterns/http://localhost:4321/api-design/data-fetching-patterns/Eager vs lazy, batch vs single, paginated vs streamed. The four levers every API designer pulls.Sat, 30 May 2026 00:00:00 GMTIntermediateconceptOperational Concernspaginationstreamingbatchingfetchingapi-designhttp://localhost:4321/api-design/cors-cross-origin-resource-sharing/http://localhost:4321/api-design/cors-cross-origin-resource-sharing/The same-origin policy, preflight, Access-Control-Allow-*, credentials, the wildcard that breaks production.Sat, 30 May 2026 00:00:00 GMTIntermediatebuilding-blockSecuritycorsbrowsersecuritypreflightheadershttp://localhost:4321/api-design/data-representation-overview/http://localhost:4321/api-design/data-representation-overview/On the wire, every API is bytes. The trade-off between human-readable and compact, and why both have their place.Sat, 30 May 2026 00:00:00 GMTFoundationalconceptCommunication Patternsserializationencodingwire-formatschemahttp://localhost:4321/api-design/event-driven-architecture-protocols/http://localhost:4321/api-design/event-driven-architecture-protocols/Webhooks, server-sent events, Kafka, message queues. The push-shaped alternative to request/response.Sat, 30 May 2026 00:00:00 GMTIntermediatebuilding-blockOperational Concernswebhooksssekafkaqueuesevent-drivenhttp://localhost:4321/api-design/estimating-api-latency/http://localhost:4321/api-design/estimating-api-latency/Processing time + network time + queueing. The numbers every engineer should know (memory, SSD, datacenter RTT, cross-continent RTT).Sat, 30 May 2026 00:00:00 GMTIntermediateconceptOperational Concernslatencyperformanceback-of-envelopecapacity-planninghttp://localhost:4321/api-design/evolving-an-api-design/http://localhost:4321/api-design/evolving-an-api-design/Backward-compatible additions, breaking-change taxonomy, deprecation timelines. How successful APIs survive a decade.Sat, 30 May 2026 00:00:00 GMTIntermediateconceptOperational Concernsevolutiondeprecationbackward-compatibilitycontractshttp://localhost:4321/api-design/facebook-and-uber-api-outages/http://localhost:4321/api-design/facebook-and-uber-api-outages/Two short case studies of cascading API failures from major social and mobility APIs. What the contract didn't say.Sat, 30 May 2026 00:00:00 GMTFoundationalpostmortemFailures & Postmortemspostmortemfacebookuberbgpretry-stormcontrol-planehttp://localhost:4321/api-design/facebook-messenger-api-design/http://localhost:4321/api-design/facebook-messenger-api-design/Real-time delivery, presence, read receipts, group threads, end-to-end encryption. WebSockets + a careful state machine.Sat, 30 May 2026 00:00:00 GMTAdvancedsystemAPI Designsapi-designreal-timee2e-encryptionhttp://localhost:4321/api-design/file-service-api-design/http://localhost:4321/api-design/file-service-api-design/Upload, download, range requests, multipart, signed URLs, resumability. The S3-shaped contract every backend reinvents.Sat, 30 May 2026 00:00:00 GMTIntermediatesystemAPI Designsfile-serviceapi-designmultipart-uploadsigned-urlshttp://localhost:4321/api-design/gaming-api-design/http://localhost:4321/api-design/gaming-api-design/Matchmaking, lobby, real-time game state, leaderboards, anti-cheat hooks. Latency-sensitive APIs where 50 ms is everything.Sat, 30 May 2026 00:00:00 GMTAdvancedsystemAPI Designsgamingreal-timewebsocketsmatchmakingleaderboardslatencyhttp://localhost:4321/api-design/graphql/http://localhost:4321/api-design/graphql/One endpoint, client-shaped responses, the N+1 problem, schema as the contract. When the flexibility earns its complexity.Sat, 30 May 2026 00:00:00 GMTIntermediatebuilding-blockArchitectural Stylesgraphqlapiquery-languageschemasdlhttp://localhost:4321/api-design/grpc-framework/http://localhost:4321/api-design/grpc-framework/Service-definition-first, code-generated clients, streaming variants, the polyglot internal-RPC story that won at Google.Sat, 30 May 2026 00:00:00 GMTIntermediatebuilding-blockArchitectural Stylesgrpcprotobufrpchttp2streaminghttp://localhost:4321/api-design/google-maps-api-design/http://localhost:4321/api-design/google-maps-api-design/Tiles, geocoding, routing, places, distance matrix. The geospatial endpoints behind a billion daily queries.Sat, 30 May 2026 00:00:00 GMTAdvancedsystemAPI Designsapi-designgeospatialcdnhttp://localhost:4321/api-design/http-fundamentals-for-apis/http://localhost:4321/api-design/http-fundamentals-for-apis/Methods, status codes, headers, persistent connections — the parts of HTTP every API designer must own.Sat, 30 May 2026 00:00:00 GMTFoundationalbuilding-blockCommunication Patternshttpprotocolheadersstatus-codescachinghttp://localhost:4321/api-design/http-evolution-2-and-3/http://localhost:4321/api-design/http-evolution-2-and-3/Pipelining to multiplexing to QUIC. How each version solved the previous one's head-of-line problem and what that buys API designers.Sat, 30 May 2026 00:00:00 GMTIntermediatebuilding-blockCommunication Patternshttphttp2http3quicperformancehttp://localhost:4321/api-design/idempotency-in-api-design/http://localhost:4321/api-design/idempotency-in-api-design/Idempotency keys, safe retries, the difference between idempotent and safe verbs. Why payments APIs care most.Sat, 30 May 2026 00:00:00 GMTIntermediateconceptOperational Concernsidempotencyretrieshttppaymentsreliabilityhttp://localhost:4321/api-design/input-validation/http://localhost:4321/api-design/input-validation/Validate at the boundary, reject early, normalise once. SQL/NoSQL injection, type confusion, the OWASP API top-10.Sat, 30 May 2026 00:00:00 GMTFoundationalbuilding-blockSecurityvalidationsecurityowaspinjectionschemahttp://localhost:4321/api-design/latency-and-throughput/http://localhost:4321/api-design/latency-and-throughput/The two performance dimensions every API designer must hold in head. The 100 ms human-perception ceiling and the throughput-vs-latency trade.Sat, 30 May 2026 00:00:00 GMTFoundationalconceptFoundationsperformancelatencythroughputtail-latencybandwidthhttp://localhost:4321/api-design/knight-capital-2012-deployment-bug/http://localhost:4321/api-design/knight-capital-2012-deployment-bug/An un-removed feature flag (SMARS) revived dead code on one of eight servers. A trading-API contract that didn't enforce safety.Sat, 30 May 2026 00:00:00 GMTFoundationalpostmortemFailures & Postmortemspostmortemknight-capitaldeploymentfeature-flaghttp://localhost:4321/api-design/leetcode-api-design/http://localhost:4321/api-design/leetcode-api-design/Problem, submission, judge, leaderboard. The fan-out from problem-fetch to async judge to result subscription.Sat, 30 May 2026 00:00:00 GMTIntermediatesystemAPI Designsapi-designleetcodeasync-judgehttp://localhost:4321/api-design/managing-retries/http://localhost:4321/api-design/managing-retries/Exponential backoff, jitter, retry budgets, the retry-storm that takes down a recovering service. Idempotency is mandatory.Sat, 30 May 2026 00:00:00 GMTIntermediatebuilding-blockOperational Concernsretriesbackoffjitterresilienceidempotencyhttp://localhost:4321/api-design/network-sockets-as-a-foundation/http://localhost:4321/api-design/network-sockets-as-a-foundation/Sockets as the OS-level primitive every HTTP server stands on. Why API designers should know what's underneath.Sat, 30 May 2026 00:00:00 GMTFoundationalconceptFoundationssocketstcpudpnetworkingoperating-systemshttp://localhost:4321/api-design/oauth-2-authorization/http://localhost:4321/api-design/oauth-2-authorization/Authorization Code + PKCE, refresh tokens, scopes, the four roles. The protocol every modern API uses and gets wrong half the time.Sat, 30 May 2026 00:00:00 GMTIntermediatebuilding-blockSecurityoauthauthorizationsecuritytokenshttp://localhost:4321/api-design/openid-connect-and-saml/http://localhost:4321/api-design/openid-connect-and-saml/OIDC layers identity on OAuth; SAML is the older enterprise SSO. When to pick each, and why both still ship in 2026.Sat, 30 May 2026 00:00:00 GMTIntermediatebuilding-blockSecurityoidcsamlssoidentityauthenticationhttp://localhost:4321/api-design/pub-sub-service-api-design/http://localhost:4321/api-design/pub-sub-service-api-design/Topics, subscribers, fan-out, at-least-once vs exactly-once. The asynchronous backbone of every modern microservice mesh.Sat, 30 May 2026 00:00:00 GMTIntermediatesystemAPI Designspub-subapi-designmessagingevent-drivenhttp://localhost:4321/api-design/rate-limiting/http://localhost:4321/api-design/rate-limiting/Token bucket, leaky bucket, fixed window, sliding window. Per-user vs per-IP, the 429 contract, and the burst question.Sat, 30 May 2026 00:00:00 GMTIntermediatebuilding-blockOperational Concernsrate-limitingthrottlinghttpcapacityreliabilityhttp://localhost:4321/api-design/remote-procedure-calls/http://localhost:4321/api-design/remote-procedure-calls/Calling a remote function as if it were local. The 'function-call' abstraction, its leaks, and where it's still the right call.Sat, 30 May 2026 00:00:00 GMTIntermediatebuilding-blockCommunication Patternsrpcjson-rpcgrpcprotocolsmicroserviceshttp://localhost:4321/api-design/rest-api-style/http://localhost:4321/api-design/rest-api-style/Resources, verbs, statelessness, cache, uniform interface, HATEOAS. Fielding's PhD thesis applied to your CRUD endpoints.Sat, 30 May 2026 00:00:00 GMTFoundationalbuilding-blockArchitectural Stylesresthttparchitectural-styleapihttp://localhost:4321/api-design/resource-hints-and-debouncing/http://localhost:4321/api-design/resource-hints-and-debouncing/preload, prefetch, dns-prefetch, preconnect. Debouncing user input to API calls; the trade-off between fresh and floody.Sat, 30 May 2026 00:00:00 GMTIntermediateconceptOperational Concernspreloadprefetchdebouncethrottleperformancehttp://localhost:4321/api-design/restful-api-design/http://localhost:4321/api-design/restful-api-design/Path conventions, status codes that fit, payload shape, pagination, filtering, the bulk-operations friction every REST API hits.Sat, 30 May 2026 00:00:00 GMTFoundationalbuilding-blockArchitectural Stylesrestapihttppaginationdesignhttp://localhost:4321/api-design/search-service-api-design/http://localhost:4321/api-design/search-service-api-design/Query, suggest, rank, paginate. Where latency budget lives and how to write a search API that won't go viral on the wrong page.Sat, 30 May 2026 00:00:00 GMTIntermediatesystemAPI Designssearchapi-designpaginationrankinghttp://localhost:4321/api-design/speeding-up-page-loading/http://localhost:4321/api-design/speeding-up-page-loading/Critical render path, third-party blockers, what an API designer can give the front-end to win the LCP and CLS scores.Sat, 30 May 2026 00:00:00 GMTIntermediateconceptOperational Concernsperformancelcpclsweb-vitalsoptimizationhttp://localhost:4321/api-design/ssr-vs-csr/http://localhost:4321/api-design/ssr-vs-csr/The render seam shapes the API contract. SSR's full-payload vs CSR's many-small-calls, and the hybrid in between.Sat, 30 May 2026 00:00:00 GMTIntermediateconceptOperational Concernsssrcsrrenderingperformanceapi-designhttp://localhost:4321/api-design/textual-data-formats/http://localhost:4321/api-design/textual-data-formats/The trio every API designer must read fluently. Why JSON won, where XML still lives, what YAML costs in subtle bugs.Sat, 30 May 2026 00:00:00 GMTFoundationalbuilding-blockCommunication Patternsjsonxmlyamlserializationschemahttp://localhost:4321/api-design/the-api-design-walkthrough/http://localhost:4321/api-design/the-api-design-walkthrough/A repeatable seven-step recipe for an API-design interview: requirements, endpoints, data, constraints, auth, evolution, latency.Sat, 30 May 2026 00:00:00 GMTFoundationalconceptOperational Concernsinterviewwalkthroughmethodframeworkrecipehttp://localhost:4321/api-design/stripe-payment-api-design/http://localhost:4321/api-design/stripe-payment-api-design/PaymentIntent, charge, refund, webhook, the cards-network interaction. The gold-standard for payments-API design.Sat, 30 May 2026 00:00:00 GMTAdvancedsystemAPI Designsapi-designstripepaymentsidempotencyhttp://localhost:4321/api-design/the-world-wide-web/http://localhost:4321/api-design/the-world-wide-web/URLs, HTTP, HTML — the three-letter trio Tim Berners-Lee picked in 1989 and the rest of API design has been catching up with since.Sat, 30 May 2026 00:00:00 GMTFoundationalconceptFoundationswebhttpurlhtmlhistoryhttp://localhost:4321/api-design/the-narrow-waist-of-the-internet/http://localhost:4321/api-design/the-narrow-waist-of-the-internet/Why IP is the everything-over-IP-and-IP-over-everything pivot, and what that means for API designers building on top.Sat, 30 May 2026 00:00:00 GMTFoundationalconceptFoundationsinternetipnetworkinglayeringhourglasshttp://localhost:4321/api-design/transport-layer-security/http://localhost:4321/api-design/transport-layer-security/TLS 1.2 vs 1.3 handshake, cert chains, mTLS, the cost of a TLS terminator, why HTTPS is non-negotiable.Sat, 30 May 2026 00:00:00 GMTFoundationalbuilding-blockSecuritytlshttpssecuritymtlscertificateshttp://localhost:4321/api-design/twitter-api-design/http://localhost:4321/api-design/twitter-api-design/Tweet, timeline, follow graph, search, streaming. The read-heavy fan-out problem at planet scale.Sat, 30 May 2026 00:00:00 GMTAdvancedsystemAPI Designsapi-designtwitterfan-outstreaminghttp://localhost:4321/api-design/uber-api-design/http://localhost:4321/api-design/uber-api-design/Riders, drivers, dispatch, trip lifecycle, surge. Real-time matching with geospatial constraints.Sat, 30 May 2026 00:00:00 GMTAdvancedsystemAPI Designsapi-designubergeospatialwebsocketshttp://localhost:4321/api-design/what-causes-api-failures/http://localhost:4321/api-design/what-causes-api-failures/Deploy bugs, capacity, contract drift, dependency outage, cascading retries. The five patterns that recur in every public postmortem.Sat, 30 May 2026 00:00:00 GMTFoundationalconceptFailures & Postmortemspostmortemfailuresreliabilitytaxonomyincidentshttp://localhost:4321/api-design/websockets/http://localhost:4321/api-design/websockets/Upgrade-handshake, full-duplex frames, the long-lived connection model. When push beats poll.Sat, 30 May 2026 00:00:00 GMTIntermediatebuilding-blockCommunication Patternswebsocketstreamingreal-timepushbidirectionalhttp://localhost:4321/api-design/youtube-streaming-api-design/http://localhost:4321/api-design/youtube-streaming-api-design/Upload pipeline, transcode, ABR manifests, CDN, recommendation. The biggest video service in the world, from the API's side.Sat, 30 May 2026 00:00:00 GMTAdvancedsystemAPI Designsapi-designvideo-streamingabrhttp://localhost:4321/api-design/what-is-api-design/http://localhost:4321/api-design/what-is-api-design/APIs as contracts between systems. The product-architecture lens, why API design is its own discipline, and what good looks like.Sat, 30 May 2026 00:00:00 GMTFoundationalconceptFoundationsapifundamentalsproduct-architecturecontractshttp://localhost:4321/api-design/zoom-api-design/http://localhost:4321/api-design/zoom-api-design/Meetings, participants, signalling, recording, webhooks. The video-conferencing API behind a pandemic-era infrastructure.Sat, 30 May 2026 00:00:00 GMTAdvancedsystemAPI Designsapi-designwebrtcwebhooks