This is a preview sample
REST API Guide for SaaS Product
Comprehensive guide for developers integrating with your REST API
Getting Started
3 questionsHow do I get started with the API?
To start using our API, first obtain your API key from the dashboard. All requests must use HTTPS and include your key in the Authorization header.
š Quick Start:
- Get API key from dashboard ā Settings ā API
- Make test call to
https://api.example.com/v1/test - Check response for successful authentication
š Required Headers:
Authorization: Bearer YOUR_API_KEY
Content-Type: application/json
Accept: application/json
š” Test Integration:
curl -X GET "https://api.example.com/v1/test" \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Accept: application/json"
What are the API authentication options?
We support Bearer token authentication using API keys, with optional OAuth 2.0 for user-context operations.
š Authentication Methods:
-
API Key (Recommended)
- Generate in dashboard
- Include in Authorization header
- Different keys for test/prod
-
OAuth 2.0 (User Context)
- Authorization Code flow
- Refresh token support
- 2-hour access token lifetime
ā ļø Security Requirements:
- HTTPS only
- Keys must be kept secure
- Rotate keys every 90 days
- Invalid keys blocked after 10 fails
Example OAuth Flow:
1. Redirect to: /oauth/authorize
2. User approves access
3. Receive code at redirect_uri
4. Exchange code for tokens
5. Use access_token in requests
What are the rate limits and quotas?
Rate limits vary by plan. Basic tier allows 60 requests/minute, Pro tier 300 requests/minute, custom limits for Enterprise.
ā” Current Limits:
| Plan | Requests/Min | Daily Quota | Burst |
|---|---|---|---|
| Basic | 60 | 50,000 | 120 |
| Pro | 300 | 250,000 | 600 |
| Enterprise | Custom | Custom | Custom |
š Headers Returned:
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1640995200
š Handling Rate Limits:
- Implement exponential backoff
- Cache responses when possible
- Monitor rate limit headers
- Use bulk endpoints for large operations
API Basics
3 questionsWhat's the base URL and versioning scheme?
Our API is available at https://api.example.com/v1/ with explicit versioning in the URL path. All API versions are maintained for 12 months after deprecation notice.
š Environment URLs:
- Production:
https://api.example.com/v1/ - Sandbox:
https://sandbox-api.example.com/v1/ - Development:
https://dev-api.example.com/v1/
š Version Support:
- Current: v1 (stable)
- Beta: v2 (preview)
- Deprecated: none
ā ļø Version Lifecycle:
- Active: Full support
- Deprecated: 12 months notice
- Sunset: Endpoint removed
Version headers also supported:
Accept: application/vnd.company.v1+json
How does error handling work?
All errors return appropriate HTTP status codes and a consistent JSON error object. Always check the error_code for programmatic handling.
šØ Error Response Format:
{
"error": {
"code": "invalid_resource",
"message": "Resource not found",
"details": {...},
"request_id": "req_123"
}
}
š Common Status Codes:
- 400: Bad Request
- 401: Unauthorized
- 403: Forbidden
- 404: Not Found
- 429: Too Many Requests
- 500: Server Error
š” Best Practices:
- Always log request_id
- Handle rate limits (429)
- Implement retry logic
- Check error_code not message
How should I handle pagination?
We use cursor-based pagination for all list endpoints. Use the next_cursor from response to fetch subsequent pages.
š Request Format:
GET /v1/resources?limit=10&cursor=next_cursor_token
š¦ Response Format:
{
"data": [...],
"has_more": true,
"next_cursor": "cursor_token"
}
ā” Pagination Tips:
- Default limit: 20
- Max limit: 100
- Always check has_more
- Store next_cursor for subsequent requests
š Filtering Options:
- created[gte]=2024-01-01
- status=active
- type=subscription
Best Practices
3 questionsWhat are the recommended retry strategies?
Implement exponential backoff with jitter for failed requests. Always retry 429 (rate limit) and 5xx errors, but not 4xx errors.
ā” Retry Strategy:
const backoff = (attempt) => {
return Math.min(1000 * Math.pow(2, attempt), 10000)
+ Math.random() * 1000;
}
š Retry Rules:
- Max 3 retries
- Don't retry 4xx (except 429)
- Add jitter to prevent thundering herd
- Respect Retry-After header
š Retryable Status Codes:
- 429: Rate Limited
- 500: Server Error
- 502: Bad Gateway
- 503: Service Unavailable
- 504: Gateway Timeout
How should I optimize API usage?
Optimize your integration by using bulk endpoints, implementing caching, and monitoring rate limits proactively.
š Performance Tips:
-
Use Bulk Endpoints
- /v1/users/batch instead of multiple single calls
- Max 100 items per request
- Parallel processing for large datasets
-
Implement Caching
- Honor Cache-Control headers
- Store immutable data
- Cache user preferences
-
Connection Management
- Keep-alive connections
- Connection pooling
- DNS caching
š Monitoring Best Practices:
- Track rate limit usage
- Monitor error rates
- Log request_ids
- Set up alerts
How do I handle webhooks securely?
Verify webhook signatures and implement proper retry handling for failed webhook deliveries. Always return 2xx quickly and process asynchronously.
š Security Measures:
- Verify signatures:
const signature = req.headers['x-signature'];
const isValid = verifyHMAC(payload, signature);
š¤ Webhook Best Practices:
- Respond quickly (< 3s)
- Process asynchronously
- Store raw payload
- Implement idempotency
- Handle duplicates
š Retry Schedule:
- 5 minutes
- 15 minutes
- 1 hour
- 6 hours
- 24 hours
Common Issues
2 questionsWhy am I getting authentication errors?
Authentication errors (401/403) usually indicate invalid or expired credentials. Check these common causes first.
š Common Causes:
-
Invalid API Key
- Check key format
- Verify environment (test/prod)
- Check key restrictions
-
Missing Headers
- Authorization header required
- Check header format
- Case-sensitive values
-
Expired Tokens
- OAuth tokens expired
- Refresh token invalid
- Check token lifetime
š ļø Troubleshooting Steps:
- Verify key in dashboard
- Check request headers
- Test in Postman/curl
- Check permissions
How do I debug API requests?
Use request IDs and our debug mode to troubleshoot API issues. Every response includes a unique request_id for tracking.
š Debugging Tools:
-
Debug Mode
- Add ?debug=true to URL
- Verbose error messages
- Performance metrics
-
Request Tracing
- request_id in all responses
- Detailed logs in dashboard
- Support ticket reference
š Required Information for Support:
- request_id
- Timestamp
- Full request/response
- Error message
- Stack trace (if available)
Made with FAQBee