
---

# 🧭 Routing & Requests

> **Intent** → Design clear, stable endpoints and accept input safely from URL, query, and body—plus headers, cookies, forms, and files.

---

## 🔗 Paths, Queries, Bodies

* **Path params** → Identify a specific resource (stable, required).
* **Query params** → Filters/sorting/pagination (optional, combinable).
* **Request body** → Complex inputs (create/update payloads).
* **Consistency** → Nouns for resources, verbs via HTTP methods.

---

## 🏷️ Resource Design

* **Collections**: `/items` (list/create)
* **Members**: `/items/{id}` (read/update/delete)
* **Subresources**: `/users/{id}/orders` (scoped lists)
* **Actions**: prefer state changes to stay RESTful; use verbs sparingly for non-CRUD operations (e.g., `/invoices/{id}/send`)

---

## ✅ Validation & Types (Pydantic v2)

* **Strong types** for path/query/body → fewer runtime errors.
* **Field constraints** for length, ranges, formats.
* **Examples & defaults** → better docs and DX.
* **Enums** for finite choices (status, role, sort order).

---

## 📦 Headers, Cookies, Forms, Files

* **Headers** → auth tokens, idempotency keys, client hints.
* **Cookies** → session flows for browser clients.
* **Forms** → HTML form submissions and login flows.
* **Files** → single/multi uploads; store externally; return references.

---

## 🔁 Idempotency & Safety

* **GET/HEAD** → safe, no side effects.
* **PUT/DELETE** → idempotent by design.
* **POST** → use **Idempotency-Key** for retriable operations.
* **Pagination** → page/limit or cursor-based; always bound limits.

---

## 🧯 Errors & Contracts

* **Clear status codes**: 200/201/204, 400/401/403/404, 409, 422, 429, 500.
* **Structured error shape**: message, code, field errors.
* **Documentation first**: keep responses in OpenAPI with examples.

---

## 🧩 Common Patterns

* **Filtering**: `?status=active&owner=me`
* **Sorting**: `?sort=-created_at` (minus = desc)
* **Sparse fields**: `?fields=id,name`
* **Embedding/expansion**: `?include=profile,roles`
* **Versioning**: path (`/v1/...`) or header (prefer header for longevity).

---

## 🔒 Security Touchpoints

* **Auth**: bearer tokens in **Authorization** header.
* **Scopes**: tie routes to permissions.
* **CORS**: allow only trusted origins; narrow methods/headers.
* **Rate limiting**: per route or key; communicate limits via headers.

---

## 🚦 Performance Tips

* Prefer **cursor pagination** for large datasets.
* Validate early; reject oversized bodies.
* Stream large downloads/uploads; avoid loading everything in memory.
* Cache read-heavy endpoints (ETag/If-None-Match).

---

## 🏁 Outcome

A **clean, predictable** routing layer with **typed inputs**, **clear contracts**, and **safe handling** of headers, cookies, forms, and files.
