REST API Notes for 2016/05/09

This week I'm flying to San Francisco to lead API training. I had just made it through Dulles airport security and was idly flipping through Twitter when it became obvious that dashing out another batch of RESTful API notes was mandatory. Just because I'm traveling doesn't mean new releases take a holiday.


Perhaps the most intriguing event of the last week was the release of TAuth, an alternative to OAuth 2.0 for securing RESTful APIs. Writing on the blog, Steve Graham doesn't merely posit an alternative; he declares OAuth 2.0 "bad for banking APIs".

If this were just a rogue developer complaining about the complexity of OAuth's various "flows" I'd probably dismiss it. However, during last year's APIDays-London, I was lucky enough to watch Steve cut like a knife through multiple banks' security butter. If anyone understands the vulnerabilities in OAuth, it would be Steve.

Is TAuth inevitable? Given OAuth's successful implementation throughout companies large and small, I'm not sure. But after a phase of seeming stagnation, I'm excited to see these debates firing up again.


Hearing Les Hazlewood speak is a special treat. If you can't catch Les in person, he has a new YouTube recording available on Best Practices for REST+JSON API Developers. Even if you are an experienced RESTful API ninja, there is guaranteed to be something here worth refreshing yourself on.


If you've been reading this newsletter for any amount of time, you're familiar with one of the common API specifications like Swagger/OpenAPI, RAML, or API Blueprint. But while those formats describe an API, they fall short of being complete documentation. Jenn Strater recently presented her talk "Test-Driven Approaches to Documenting RESTful APIs". In it she identifies where annotation-based documentation schemes fail.

This dovetails with Guillaume LaForge's piece, How Far Should API Definition Languages Go?


In his piece, "Real World Microservices: When Services Stop Playing Well and Start Getting Real", Oliver Gould shares his experience working with microservices at Twitter. As he points out, the flexibility for creating new products is countered by the increased management burden of a distributed system.

"It’s my experience that they are considerably more difficult to operate than their monolithic counterparts."

Oliver's solution demonstrates the benefit of introducing Linkerd to a microservice system. While not for everyone, Linkerd is potentially a powerful solution for service discovery at scale.


It is almost time to fly away to my training. But if you're looking for an API-related event in your area, check out for meetups, workshops, hackathons, and conferences. And if you see something missing, shoot me a note - I'd be glad to add it.

Till next time,

Matthew (@libel_vox)
