Template: REST API Guide for SaaS Product

Getting Started

3 questions

To start using our API, first obtain your API key from the dashboard. All requests must use HTTPS and include your key in the Authorization header.

🔑 Quick Start:

Get API key from dashboard → Settings → API
Make test call to https://api.example.com/v1/test
Check response for successful authentication

📋 Required Headers:

Authorization: Bearer YOUR_API_KEY
Content-Type: application/json
Accept: application/json

💡 Test Integration:

curl -X GET "https://api.example.com/v1/test" \
     -H "Authorization: Bearer YOUR_API_KEY" \
     -H "Accept: application/json"

We support Bearer token authentication using API keys, with optional OAuth 2.0 for user-context operations.

🔐 Authentication Methods:

API Key (Recommended)
- Generate in dashboard
- Include in Authorization header
- Different keys for test/prod
OAuth 2.0 (User Context)
- Authorization Code flow
- Refresh token support
- 2-hour access token lifetime

⚠️ Security Requirements:

HTTPS only
Keys must be kept secure
Rotate keys every 90 days
Invalid keys blocked after 10 fails

Example OAuth Flow:

1. Redirect to: /oauth/authorize
2. User approves access
3. Receive code at redirect_uri
4. Exchange code for tokens
5. Use access_token in requests

Rate limits vary by plan. Basic tier allows 60 requests/minute, Pro tier 300 requests/minute, custom limits for Enterprise.

⚡ Current Limits:

Plan	Requests/Min	Daily Quota	Burst
Basic	60	50,000	120
Pro	300	250,000	600
Enterprise	Custom	Custom	Custom

📊 Headers Returned:

X-RateLimit-Limit: 60
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1640995200

🔄 Handling Rate Limits:

Implement exponential backoff
Cache responses when possible
Monitor rate limit headers
Use bulk endpoints for large operations

API Basics

3 questions

Our API is available at https://api.example.com/v1/ with explicit versioning in the URL path. All API versions are maintained for 12 months after deprecation notice.

🌐 Environment URLs:

Production: https://api.example.com/v1/
Sandbox: https://sandbox-api.example.com/v1/
Development: https://dev-api.example.com/v1/

📚 Version Support:

Current: v1 (stable)
Beta: v2 (preview)
Deprecated: none

⚠️ Version Lifecycle:

Active: Full support
Deprecated: 12 months notice
Sunset: Endpoint removed

Version headers also supported: Accept: application/vnd.company.v1+json

All errors return appropriate HTTP status codes and a consistent JSON error object. Always check the error_code for programmatic handling.

🚨 Error Response Format:

{
  "error": {
    "code": "invalid_resource",
    "message": "Resource not found",
    "details": {...},
    "request_id": "req_123"
  }
}

📋 Common Status Codes:

400: Bad Request
401: Unauthorized
403: Forbidden
404: Not Found
429: Too Many Requests
500: Server Error

💡 Best Practices:

Always log request_id
Handle rate limits (429)
Implement retry logic
Check error_code not message

We use cursor-based pagination for all list endpoints. Use the next_cursor from response to fetch subsequent pages.

📝 Request Format:

GET /v1/resources?limit=10&cursor=next_cursor_token

📦 Response Format:

{
  "data": [...],
  "has_more": true,
  "next_cursor": "cursor_token"
}

⚡ Pagination Tips:

Default limit: 20
Max limit: 100
Always check has_more
Store next_cursor for subsequent requests

🔍 Filtering Options:

created[gte]=2024-01-01
status=active
type=subscription

Best Practices

3 questions

Implement exponential backoff with jitter for failed requests. Always retry 429 (rate limit) and 5xx errors, but not 4xx errors.

⚡ Retry Strategy:

const backoff = (attempt) => {
  return Math.min(1000 * Math.pow(2, attempt), 10000)
    + Math.random() * 1000;
}

📋 Retry Rules:

Max 3 retries
Don't retry 4xx (except 429)
Add jitter to prevent thundering herd
Respect Retry-After header

🔄 Retryable Status Codes:

429: Rate Limited
500: Server Error
502: Bad Gateway
503: Service Unavailable
504: Gateway Timeout

Optimize your integration by using bulk endpoints, implementing caching, and monitoring rate limits proactively.

🚀 Performance Tips:

Use Bulk Endpoints
- /v1/users/batch instead of multiple single calls
- Max 100 items per request
- Parallel processing for large datasets
Implement Caching
- Honor Cache-Control headers
- Store immutable data
- Cache user preferences
Connection Management
- Keep-alive connections
- Connection pooling
- DNS caching

📊 Monitoring Best Practices:

Track rate limit usage
Monitor error rates
Log request_ids
Set up alerts

Verify webhook signatures and implement proper retry handling for failed webhook deliveries. Always return 2xx quickly and process asynchronously.

🔒 Security Measures:

Verify signatures:

const signature = req.headers['x-signature'];
const isValid = verifyHMAC(payload, signature);

📤 Webhook Best Practices:

Respond quickly (< 3s)
Process asynchronously
Store raw payload
Implement idempotency
Handle duplicates

🔄 Retry Schedule:

5 minutes
15 minutes
1 hour
6 hours
24 hours

Common Issues

2 questions

Authentication errors (401/403) usually indicate invalid or expired credentials. Check these common causes first.

🔍 Common Causes:

Invalid API Key
- Check key format
- Verify environment (test/prod)
- Check key restrictions
Missing Headers
- Authorization header required
- Check header format
- Case-sensitive values
Expired Tokens
- OAuth tokens expired
- Refresh token invalid
- Check token lifetime

🛠️ Troubleshooting Steps:

Verify key in dashboard
Check request headers
Test in Postman/curl
Check permissions

Use request IDs and our debug mode to troubleshoot API issues. Every response includes a unique request_id for tracking.

🔍 Debugging Tools:

Debug Mode
- Add ?debug=true to URL
- Verbose error messages
- Performance metrics
Request Tracing
- request_id in all responses
- Detailed logs in dashboard
- Support ticket reference

📋 Required Information for Support:

request_id
Timestamp
Full request/response
Error message
Stack trace (if available)

This is a preview sample

Getting Started

API Basics

Best Practices

Common Issues