An API is a promise to every developer who calls it. Breaking that promise — removing a field, changing a status code, redefining the semantics of an endpoint — breaks their code in production. Good API design means thinking about evolution, not just the current state.

The cost of a bad API compounds: once mobile clients depend on it, you cannot change it without a forced app update. Once 50 microservices call it, a breaking change requires coordinated deployment across 50 teams. Design as if you can never change it — because in practice, you often cannot.

Most APIs called "REST" are actually just JSON over HTTP. Real REST follows constraints: uniform interface, statelessness, cacheable responses, layered system.

Resource naming: Nouns, not verbs. `/users/42/orders` not `/getUserOrders`. Use plural nouns for collections (`/orders`), singular for specific resources (`/orders/42`).

HTTP methods semantics: GET (read, idempotent, cacheable), POST (create, not idempotent), PUT (replace entire resource, idempotent), PATCH (partial update), DELETE (remove, idempotent). Using POST for everything is a code smell.

Status codes mean something: 200 OK, 201 Created (with Location header), 204 No Content (successful DELETE), 400 Bad Request (client error, do not retry), 401 Unauthorized (missing/invalid auth), 403 Forbidden (valid auth, insufficient permissions), 404 Not Found, 409 Conflict (e.g. duplicate), 429 Too Many Requests, 500 Internal Server Error (server error, safe to retry with backoff).

Versioning: URI versioning (`/v1/users`) is most visible. Header versioning (`Accept: application/vnd.myapi.v2+json`) is more RESTful but less debuggable. Never version without a deprecation timeline — communicate sunset dates.

GraphQL lets clients request exactly the data they need — no over-fetching (getting more than needed) or under-fetching (needing multiple requests). One endpoint, flexible queries. Beloved by frontend teams.

When GraphQL wins: You have many client types (mobile, web, partners) with different data needs. Your data is a graph (social network, e-commerce product catalog with relationships). You want to eliminate multiple API round-trips.

When GraphQL hurts: N+1 query problem — if you have a list of 100 posts and each has an author, GraphQL naively makes 1 query for posts + 100 queries for authors. Fix with DataLoader (batch + deduplicate). HTTP caching is harder (all queries are POST to the same endpoint). Complexity in error handling (HTTP 200 even on errors).

DataLoader is not optional: Any production GraphQL server needs DataLoader for batching. Without it, a single query can generate thousands of database queries.

gRPC uses Protocol Buffers (binary serialization) over HTTP/2. It is 5-10x faster than JSON REST for internal communication, supports streaming, and provides strong typing through `.proto` files.

When to use gRPC: Internal microservices communication where latency matters, streaming (server → client, client → server, bidirectional), polyglot environments (`.proto` generates clients in any language).

When NOT to use: Public APIs (browser support requires gRPC-Web proxy), teams unfamiliar with Protobuf, when debugging ease is more important than performance.

Rate limiting enforces a maximum request rate per client (by IP, API key, or user). Without it, a single misconfigured client can DDOS your service or run up your database bill.

Token bucket algorithm: Each client has a bucket of tokens (capacity N). Each request consumes 1 token. Tokens replenish at a fixed rate. Allows bursts up to N, then smooths to the replenishment rate. Most common for API rate limiting.

Leaky bucket: Requests are queued and processed at a fixed rate. No bursts allowed — good for smoothing traffic to a downstream service.

Sliding window: Count requests in the last N seconds using a circular buffer or Redis sorted set. More accurate than fixed window (which allows 2x the limit at window boundaries).

Where to enforce: API Gateway level (early rejection, protect entire backend), middleware (per-service policy), database query rate (protect the database from application layer)

API Keys: Simple, long-lived credentials for machine-to-machine. Store hashed (bcrypt), never log raw keys, support rotation. Good for external developer APIs.

JWT (JSON Web Tokens): Short-lived signed tokens issued after login. Self-contained (no database lookup needed to verify). Caveat: cannot be revoked until expiry unless you maintain a token blocklist. Use access tokens (15-60 min) + refresh tokens (long-lived, rotatable).

OAuth 2.0: Delegation protocol — let users grant your app access to their resources on another service (Google, GitHub). Use for "Login with Google" and any cross-service authorization.

mTLS (Mutual TLS): Both client and server present certificates. Used for service-to-service auth in zero-trust networks. Highest security, highest operational overhead.