Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WIP: Documenting an API standard #403

Open
wants to merge 11 commits into
base: main
Choose a base branch
from

Conversation

aaronrussellHO
Copy link
Contributor

Code change

I can confirm:

Accessibility considerations

  • This change will not change layouts, page structures or anything else that might impact accessibility

Content change

I can confirm:

  • Content does not include any code or configuration changes (excluding frontmatter information)
  • Content meets the content standards
    e.g. Writing a principle and Writing a standard
  • Content is suitable to open source, i.e.:
    • Content does not relate to unreleased gov policy
    • Content does not refer to anti-fraud mechanisms
    • Content does not include sensitive business logic
  • Last updated date for content is correct

@aaronrussellHO aaronrussellHO requested a review from a team as a code owner April 9, 2024 10:19
@aaronrussellHO aaronrussellHO changed the title WIP: Documenting an API standard Documenting an API standard Apr 22, 2024
@aaronrussellHO aaronrussellHO changed the title Documenting an API standard WIP: Documenting an API standard Apr 22, 2024
@daniel-ac-martin
Copy link
Contributor

I think there are some things missing here that we might want to think about:

  • What format should be used to document APIs? (e.g. OpenAPI)
  • Is a specification enough? (I think it needs to be supplemented with more traditional documentation.)
  • Where should the docs live?
  • Is it acceptable to generate specifications from implementation code? (I generally prefer a specification-first approach.)
  • How should docs be made available? - As a website, or is a raw spec enough? (Maybe this is covered as a part of the catalogues?)

We don't need to have answers to all of those right now, but I think we should bear them in mind.

@daniel-ac-martin
Copy link
Contributor

We might also want to think about GraphQL.

@daniel-ac-martin
Copy link
Contributor

@aaronrussellHO
Copy link
Contributor Author

I think there are some things missing here that we might want to think about:

  • What format should be used to document APIs? (e.g. OpenAPI)
  • Is a specification enough? (I think it needs to be supplemented with more traditional documentation.)
  • Where should the docs live?
  • Is it acceptable to generate specifications from implementation code? (I generally prefer a specification-first approach.)
  • How should docs be made available? - As a website, or is a raw spec enough? (Maybe this is covered as a part of the catalogues?)

We don't need to have answers to all of those right now, but I think we should bear them in mind.

We spoke about this in the guild meeting, and some of this we think may be better as a pattern to show how you might want to document something, without been an explicit must.

@edhamiltonHO edhamiltonHO linked an issue May 1, 2024 that may be closed by this pull request
3 tasks
@aaronrussellHO
Copy link
Contributor Author

To be included:

  • How raise an issue
  • Information about rate limits

@aaronrussellHO aaronrussellHO force-pushed the 402-documenting-an-api branch from 6398503 to 9154bf2 Compare June 11, 2024 07:39

Listing our APIs contributes to the government community as well as other organisations and wider industry. Listing our APIs here will also help inter-departmental data exchanges, as well as sharing best practice in API development.

If your API is for internal or team use only, then it should be included in the internal API register.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
If your API is for internal or team use only, then it should be included in the internal API register.

- [You MUST document how to raise an issue with your API](#you-must-document-how-to-raise-an-issue-with-your-api)
- [You MUST document information on rate limits](#you-must-document-information-on-rate-limits)

### You MUST include your API on the relevant registers
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
### You MUST include your API on the relevant registers
### You MUST include your API on the relevant registers if your API is public


### You MUST document information on rate limits

Rate limiting is important to secure your API and consumers may want to query your API often, so documenting the rate limits helps consumers build their software around these limits.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Rate limiting is important to secure your API and consumers may want to query your API often, so documenting the rate limits helps consumers build their software around these limits.
Rate limiting is important to secure your API and consumers may want to query your API often, so documenting the rate limits helps consumers build their software around these limits. This information may not want to be shared widely if rate limiting is in place for security reasons.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add where appropriate to sharing parts of the documentation more widely.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add to opening paragraph.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the rate limit being public is enough to make your application insecure, then it's not an adequate security measure. A malicious user can deterimine the limit through trial and error. Publishing the limit is not the issue, and makes your API harder to use for legitimate consumers.

A project can justify not meeting any part of any standard if their circumstances warrant it. This doesn't need to be a loophole encouraged by the standard.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Documenting an API standard
4 participants