Back to Templates

REST API Guide for SaaS Product

Comprehensive guide for developers integrating with your REST API

Last updated
Getting Started
3 questions

To start using our API, first obtain your API key from the dashboard. All requests must use HTTPS and include your key in the Authorization header.

šŸ”‘ Quick Start:

  1. Get API key from dashboard ā†’ Settings ā†’ API
  2. Make test call to https://api.example.com/v1/test
  3. Check response for successful authentication

šŸ“‹ Required Headers:

Authorization: Bearer YOUR_API_KEY
Content-Type: application/json
Accept: application/json

šŸ’” Test Integration:

curl -X GET "https://api.example.com/v1/test" \
     -H "Authorization: Bearer YOUR_API_KEY" \
     -H "Accept: application/json"

We support Bearer token authentication using API keys, with optional OAuth 2.0 for user-context operations.

šŸ” Authentication Methods:

  1. API Key (Recommended)

    • Generate in dashboard
    • Include in Authorization header
    • Different keys for test/prod
  2. OAuth 2.0 (User Context)

    • Authorization Code flow
    • Refresh token support
    • 2-hour access token lifetime

āš ļø Security Requirements:

  • HTTPS only
  • Keys must be kept secure
  • Rotate keys every 90 days
  • Invalid keys blocked after 10 fails

Example OAuth Flow:

1. Redirect to: /oauth/authorize
2. User approves access
3. Receive code at redirect_uri
4. Exchange code for tokens
5. Use access_token in requests

Rate limits vary by plan. Basic tier allows 60 requests/minute, Pro tier 300 requests/minute, custom limits for Enterprise.

āš” Current Limits:

PlanRequests/MinDaily QuotaBurst
Basic6050,000120
Pro300250,000600
EnterpriseCustomCustomCustom

šŸ“Š Headers Returned:

X-RateLimit-Limit: 60
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1640995200

šŸ”„ Handling Rate Limits:

  • Implement exponential backoff
  • Cache responses when possible
  • Monitor rate limit headers
  • Use bulk endpoints for large operations
API Basics
3 questions

Our API is available at https://api.example.com/v1/ with explicit versioning in the URL path. All API versions are maintained for 12 months after deprecation notice.

šŸŒ Environment URLs:

  • Production: https://api.example.com/v1/
  • Sandbox: https://sandbox-api.example.com/v1/
  • Development: https://dev-api.example.com/v1/

šŸ“š Version Support:

  • Current: v1 (stable)
  • Beta: v2 (preview)
  • Deprecated: none

āš ļø Version Lifecycle:

  1. Active: Full support
  2. Deprecated: 12 months notice
  3. Sunset: Endpoint removed

Version headers also supported: Accept: application/vnd.company.v1+json

All errors return appropriate HTTP status codes and a consistent JSON error object. Always check the error_code for programmatic handling.

šŸšØ Error Response Format:

{
  "error": {
    "code": "invalid_resource",
    "message": "Resource not found",
    "details": {...},
    "request_id": "req_123"
  }
}

šŸ“‹ Common Status Codes:

  • 400: Bad Request
  • 401: Unauthorized
  • 403: Forbidden
  • 404: Not Found
  • 429: Too Many Requests
  • 500: Server Error

šŸ’” Best Practices:

  • Always log request_id
  • Handle rate limits (429)
  • Implement retry logic
  • Check error_code not message

We use cursor-based pagination for all list endpoints. Use the next_cursor from response to fetch subsequent pages.

šŸ“ Request Format:

GET /v1/resources?limit=10&cursor=next_cursor_token

šŸ“¦ Response Format:

{
  "data": [...],
  "has_more": true,
  "next_cursor": "cursor_token"
}

āš” Pagination Tips:

  1. Default limit: 20
  2. Max limit: 100
  3. Always check has_more
  4. Store next_cursor for subsequent requests

šŸ” Filtering Options:

  • created[gte]=2024-01-01
  • status=active
  • type=subscription
Best Practices
3 questions

Implement exponential backoff with jitter for failed requests. Always retry 429 (rate limit) and 5xx errors, but not 4xx errors.

āš” Retry Strategy:

const backoff = (attempt) => {
  return Math.min(1000 * Math.pow(2, attempt), 10000)
    + Math.random() * 1000;
}

šŸ“‹ Retry Rules:

  1. Max 3 retries
  2. Don't retry 4xx (except 429)
  3. Add jitter to prevent thundering herd
  4. Respect Retry-After header

šŸ”„ Retryable Status Codes:

  • 429: Rate Limited
  • 500: Server Error
  • 502: Bad Gateway
  • 503: Service Unavailable
  • 504: Gateway Timeout

Optimize your integration by using bulk endpoints, implementing caching, and monitoring rate limits proactively.

šŸš€ Performance Tips:

  1. Use Bulk Endpoints

    • /v1/users/batch instead of multiple single calls
    • Max 100 items per request
    • Parallel processing for large datasets
  2. Implement Caching

    • Honor Cache-Control headers
    • Store immutable data
    • Cache user preferences
  3. Connection Management

    • Keep-alive connections
    • Connection pooling
    • DNS caching

šŸ“Š Monitoring Best Practices:

  • Track rate limit usage
  • Monitor error rates
  • Log request_ids
  • Set up alerts

Verify webhook signatures and implement proper retry handling for failed webhook deliveries. Always return 2xx quickly and process asynchronously.

šŸ”’ Security Measures:

  1. Verify signatures:
const signature = req.headers['x-signature'];
const isValid = verifyHMAC(payload, signature);

šŸ“¤ Webhook Best Practices:

  • Respond quickly (< 3s)
  • Process asynchronously
  • Store raw payload
  • Implement idempotency
  • Handle duplicates

šŸ”„ Retry Schedule:

  • 5 minutes
  • 15 minutes
  • 1 hour
  • 6 hours
  • 24 hours
Common Issues
2 questions

Authentication errors (401/403) usually indicate invalid or expired credentials. Check these common causes first.

šŸ” Common Causes:

  1. Invalid API Key

    • Check key format
    • Verify environment (test/prod)
    • Check key restrictions
  2. Missing Headers

    • Authorization header required
    • Check header format
    • Case-sensitive values
  3. Expired Tokens

    • OAuth tokens expired
    • Refresh token invalid
    • Check token lifetime

šŸ› ļø Troubleshooting Steps:

  1. Verify key in dashboard
  2. Check request headers
  3. Test in Postman/curl
  4. Check permissions

Use request IDs and our debug mode to troubleshoot API issues. Every response includes a unique request_id for tracking.

šŸ” Debugging Tools:

  1. Debug Mode

    • Add ?debug=true to URL
    • Verbose error messages
    • Performance metrics
  2. Request Tracing

    • request_id in all responses
    • Detailed logs in dashboard
    • Support ticket reference

šŸ“‹ Required Information for Support:

  • request_id
  • Timestamp
  • Full request/response
  • Error message
  • Stack trace (if available)
FAQBeeMade with FAQBee