## 21. Designing URLs: nouns not verbs

URLs should identify **resources**, not actions. Prefer plural nouns and hierarchical paths; reserve query parameters for filtering or optional aspects.

Good: `/users/123/posts?limit=10`   Bad: `/getUserPosts?id=123`

```text
Collection   GET /books           ← list
Item         GET /books/42        ← fetch one
Subresource  GET /books/42/reviews
```

### Quick check

1. Which conveys resource hierarchy?
  a. /authors/7/books  b. /getBooks?author=7

2. True / False Query parameters are part of resource identity.

<details><summary>Answer key</summary>

1. **a**.
2. **False** – path identifies; query modifies.

</details>

## 22. Pagination patterns

* **Limit/offset** – `?limit=20&offset=40`; easy but fragile to inserts.
* **Cursor** – opaque token returned by server; stable ordering.
RFC 5988 defines `Link: <next>; rel="next"` header for navigation.

```http
HTTP/1.1 200 OK
Link: </posts?cursor=abc>; rel="next"

[ {"id":101}, {"id":100} ]
```

### Quick check

1. Limit/offset suffers from duplicate/missing rows if:
  a. data static  b. new inserts

2. True / False Cursor pagination exposes internal IDs.

<details><summary>Answer key</summary>

1. **b**.
2. **False** – token should be opaque.

</details>

## 23. Versioning strategies

Ways to evolve API without breaking clients:
1. URI segment: `/v2/users` – cache friendly but clutters routing.
2. Custom header: `Accept-Version: 2` – keeps URLs clean.
3. Content negotiation: `Accept: application/vnd.shop.v2+json`.
Some teams advocate "no breaking changes" + additive evolution.

```bash
curl -H 'Accept-Version: 2' https://api.example.com/users/1
```

### Quick check

1. Which breaks browser cache least?
  a. URI version  b. header version

2. True / False Adding new optional response fields is a breaking change.

<details><summary>Answer key</summary>

1. **a** – different URL key.
2. **False** – clients ignoring unknown fields stay fine.

</details>

## 24. Authentication basics

* **Basic Auth** – `Authorization: Basic base64(user:pass)`; HTTPS required.
* **Bearer tokens / JWT** – `Authorization: Bearer <token>`; stateless.
* **API keys** – simple string in header or query; easy but less flexible.
Always use TLS; never log full tokens.

```bash
curl -H 'Authorization: Basic $(printf ":secret"|base64)' https://httpbin.org/basic-auth/user/secret
```

### Quick check

1. JWT payload is:
  a. encrypted  b. base64 JSON

2. True / False API keys in query params can leak via access logs.

<details><summary>Answer key</summary>

1. **b**.
2. **True**.

</details>

## 25. Content types beyond JSON

* **multipart/form-data** – file uploads.
* **application/x-www-form-urlencoded** – legacy HTML forms.
* **application/protobuf** – compact binary with schema.
* **text/event-stream** – Server-Sent Events streaming.
Set correct `Content-Type` so server/parser behaves.

```bash
curl -F 'file=@photo.jpg' https://api.example.com/upload
```

### Quick check

1. `application/x-www-form-urlencoded` encodes body as:
  a. JSON  b. key1=val1&key2=val2

2. True / False Multipart bodies require boundary marker.

<details><summary>Answer key</summary>

1. **b**.
2. **True**.

</details>