API Design Best Practices: REST, Versioning & Documentation

📋 Daftar Isi

Pengenalan: Mengapa API Design Penting?
REST API Fundamentals
URL Design & Resource Naming
HTTP Methods & Status Codes
API Versioning Strategies
Authentication & Authorization
Error Handling & Response Format
Pagination, Filtering & Sorting
API Documentation
API Testing
Rate Limiting & Caching
Security Best Practices
API Design Checklist
Quiz Pemahaman

1. Pengenalan: Mengapa API Design Penting?

API (Application Programming Interface) adalah jantung dari hampir semua aplikasi modern. Setiap kali kamu membuka aplikasi mobile, memesan makanan online, atau menggunakan media sosial, ada API yang bekerja di balik layar untuk mengirim dan menerima data.

API yang dirancang dengan baik akan:

Mempercepat development: Developer bisa menggunakan API dengan cepat tanpa perlu membaca dokumentasi panjang
Mengurangi bugs: Endpoint yang intuitif dan konsisten mengurangi kesalahan integrasi
Mudah di-maintain: Struktur yang terorganisir mempermudah update dan perbaikan di masa depan
Scalable: API yang baik bisa menangani pertumbuhan traffic tanpa perlu redesign
Meningkatkan adoption: Developer lebih suka menggunakan API yang konsisten dan well-documented

Menurut Postman State of the API Report 2025, 92% perusahaan teknologi mengandalkan API sebagai komponen utama bisnis mereka. Di Indonesia, API-first development menjadi tren yang semakin populer di startup dan enterprise.

Diagram: Arsitektur API

┌───────────────────────────────────────────────────────────────┐
│                  ARSITEKTUR API MODERN                        │
│                                                               │
│  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌──────────┐     │
│  │  Mobile   │  │  Web     │  │  IoT     │  │ 3rd-Party│     │
│  │  App      │  │  App     │  │  Device  │  │ Partner  │     │
│  └────┬─────┘  └────┬─────┘  └────┬─────┘  └────┬─────┘     │
│       │             │             │             │            │
│       └─────────────┼─────────────┼─────────────┘            │
│                     ▼                                         │
│            ┌──────────────────┐                              │
│            │   API GATEWAY    │                              │
│            │ • Authentication │                              │
│            │ • Rate Limiting  │                              │
│            │ • Load Balancing │                              │
│            │ • Logging        │                              │
│            └────────┬─────────┘                              │
│                     │                                         │
│       ┌─────────────┼─────────────┐                          │
│       ▼             ▼             ▼                          │
│  ┌──────────┐ ┌──────────┐ ┌──────────┐                    │
│  │  User    │ │  Order   │ │  Product │                    │
│  │  Service │ │  Service │ │  Service │                    │
│  │  API     │ │  API     │ │  API     │                    │
│  └──────────┘ └──────────┘ └──────────┘                    │
└───────────────────────────────────────────────────────────────┘

Jenis-Jenis API

Jenis API	Protocol	Data Format	Use Case
REST	HTTP/HTTPS	JSON (utama), XML	Web & mobile apps (paling populer)
GraphQL	HTTP/HTTPS	JSON	Complex data fetching, mobile apps
gRPC	HTTP/2	Protocol Buffers	Microservices internal communication
WebSocket	WS/WSS	JSON, binary	Real-time (chat, live data)
SOAP	HTTP, SMTP	XML	Legacy enterprise systems

2. REST API Fundamentals

REST (Representational State Transfer) adalah arsitektural style untuk mendesain API berbasis HTTP. RESTful API adalah standar industri untuk web API.

Prinsip REST

Prinsip	Penjelasan	Implementasi
Stateless	Setiap request harus mandiri, server tidak menyimpan state client	Token-based auth (JWT), no server sessions
Client-Server	Client dan server terpisah, bisa berkembang independen	Frontend dan backend terpisah
Uniform Interface	Antarmuka yang konsisten dan terstandarisasi	URL naming conventions, HTTP methods
Cacheable	Response bisa di-cache untuk meningkatkan performa	Cache-Control headers, ETag
Layered System	Client tidak perlu tahu apakah langsung ke server atau melalui proxy	API Gateway, Load Balancer, CDN
Code on Demand (opsional)	Server bisa mengirim executable code ke client	JavaScript dalam response (jarang digunakan)

Contoh REST API: Blog Platform

// Resource: Articles

// GET    /api/v1/articles          → Ambil semua artikel
// GET    /api/v1/articles/:id      → Ambil artikel by ID
// POST   /api/v1/articles          → Buat artikel baru
// PUT    /api/v1/articles/:id      → Update artikel (full)
// PATCH  /api/v1/articles/:id      → Update artikel (partial)
// DELETE /api/v1/articles/:id      → Hapus artikel

// Resource: Article Comments
// GET    /api/v1/articles/:id/comments       → Ambil semua komentar
// POST   /api/v1/articles/:id/comments       → Tambah komentar

// Resource: Users
// GET    /api/v1/users/:id/articles          → Artikel milik user
// GET    /api/v1/users/:id                   → Detail user

3. URL Design & Resource Naming

URL yang konsisten dan intuitif adalah tanda API yang baik. Berikut best practices untuk URL design:

✅ Best Practices URL Design

Aturan	✅ Benar	❌ Salah
Gunakan noun (bukan verb)	/api/v1/users	/api/getUsers, /api/createUser
Gunakan plural untuk collections	/api/v1/articles	/api/v1/article
Gunakan lowercase	/api/v1/user-profiles	/api/v1/UserProfiles
Gunakan hyphens (bukan underscores)	/api/v1/user-profiles	/api/v1/user_profiles
Hierarchical resource nesting	/api/v1/users/123/orders	/api/v1/userOrders?userId=123
Max 3 level nesting	/api/v1/users/123/orders	/api/v1/users/123/orders/456/items/789
Gunakan query params untuk filter	/api/v1/articles?status=published	/api/v1/articles/published
Consistent across all endpoints	Semua endpoint pakai /api/v1/	Beberapa pakai /v1/, beberapa tanpa prefix

🎯 Contoh URL Design yang Baik

// ✅ GOOD: Resource-oriented, consistent, intuitive
GET    /api/v1/users                    → Daftar semua user
GET    /api/v1/users/123                → Detail user #123
POST   /api/v1/users                    → Buat user baru
PATCH  /api/v1/users/123                → Update user #123
DELETE /api/v1/users/123                → Hapus user #123

// ✅ GOOD: Sub-resource (nested)
GET    /api/v1/users/123/orders         → Order milik user #123
POST   /api/v1/users/123/orders         → Buat order untuk user #123

// ✅ GOOD: Actions yang tidak bisa di-representasikan dengan CRUD
POST   /api/v1/orders/456/cancel        → Cancel order
POST   /api/v1/users/123/verify-email   → Verifikasi email
POST   /api/v1/auth/login               → Login
POST   /api/v1/auth/refresh-token       → Refresh access token

// ✅ GOOD: Query parameters untuk filter, sort, paginate
GET    /api/v1/articles?status=published&category=tech&sort=-created_at&page=1&limit=20
GET    /api/v1/products?min_price=10000&max_price=100000&brand=nike

// ❌ BAD: Action-based URLs
GET    /api/getAllUsers
POST   /api/createNewUser
POST   /api/deleteUser
GET    /api/fetchUserOrders?userId=123

🔍 Query Parameters Best Practices

Parameter Type	Convention	Contoh
Filtering	field_name=value	?status=active&category=tech
Sorting	sort=field atau sort=-field (descending)	?sort=-created_at&sort=name
Pagination (offset)	page & limit atau offset & limit	?page=2&limit=20
Pagination (cursor)	cursor & limit	?cursor=abc123&limit=20
Search	q=keyword atau search=keyword
Field selection	fields=field1,field2	?fields=name,email,avatar
Embedding related	include=relation atau embed=relation	?include=author,comments

4. HTTP Methods & Status Codes

HTTP Methods yang Benar

Method	Fungsi	Idempotent?	Contoh
GET	Mengambil data (read)	✅ Ya	GET /api/v1/users
POST	Membuat data baru (create)	❌ Tidak	POST /api/v1/users
PUT	Update seluruh resource	✅ Ya	PUT /api/v1/users/123
PATCH	Update sebagian resource	❌ Tidak (biasanya)	PATCH /api/v1/users/123
DELETE	Menghapus resource	✅ Ya	DELETE /api/v1/users/123
HEAD	Seperti GET tapi tanpa body	✅ Ya	HEAD /api/v1/users/123
OPTIONS	Informasi tentang allowed methods	✅ Ya	OPTIONS /api/v1/users

HTTP Status Codes yang Tepat

✅ Sukses (2xx)

Code	Meaning	Kapan Digunakan
200 OK	Berhasil	GET, PUT, PATCH yang berhasil
201 Created	Resource berhasil dibuat	POST yang berhasil membuat resource baru
204 No Content	Berhasil, tidak ada response body	DELETE yang berhasil
202 Accepted	Request diterima, diproses async	Background job queued

⚠️ Client Error (4xx)

Code	Meaning	Kapan Digunakan
400 Bad Request	Request tidak valid	Validasi gagal, format salah
401 Unauthorized	Tidak terautentikasi	Token tidak ada atau expired
403 Forbidden	Tidak punya izin	Authenticated tapi tidak punya akses
404 Not Found	Resource tidak ditemukan	ID tidak ada di database
409 Conflict	Konflik dengan state	Duplicate email, concurrent update
422 Unprocessable Entity	Validasi gagal	Format benar tapi value tidak valid
429 Too Many Requests	Rate limit exceeded	Client terlalu banyak request

🔴 Server Error (5xx)

Code	Meaning	Kapan Digunakan
500 Internal Server Error	Error di server	Unhandled exception
502 Bad Gateway	Gateway/proxy error	Upstream service down
503 Service Unavailable	Service sedang down	Maintenance, overload
504 Gateway Timeout	Timeout dari upstream	Request terlalu lama

5. API Versioning Strategies

Versioning sangat penting untuk API yang digunakan oleh banyak consumer. Tanpa versioning, perubahan API bisa memecah integrasi yang sudah ada.

Strategi Versioning

Diagram: API Versioning Approaches

┌───────────────────────────────────────────────────────────────┐
│                API VERSIONING STRATEGIES                      │
│                                                               │
│  1. URL PATH VERSIONING (Paling Populer)                     │
│     GET /api/v1/users                                        │
│     GET /api/v2/users                                        │
│                                                               │
│  2. HEADER VERSIONING                                        │
│     GET /api/users                                           │
│     Header: X-API-Version: 1                                 │
│                                                               │
│  3. QUERY PARAMETER VERSIONING                               │
│     GET /api/users?version=1                                 │
│     GET /api/users?version=2                                 │
│                                                               │
│  4. CONTENT NEGOTIATION (Media Type)                         │
│     GET /api/users                                           │
│     Accept: application/vnd.myapp.v1+json                    │
│                                                               │
│  RECOMMENDATION: URL Path Versioning                         │
│  ✓ Paling mudah dipahami                                    │
│  ✓ Visible di URL                                            │
│  ✓ Mudah di-cache                                            │
│  ✓ Supported di semua tools                                  │
└───────────────────────────────────────────────────────────────┘

Strategi	Contoh	Kelebihan	Kekurangan
URL Path	/api/v1/users	Jelas, mudah dipahami, cache-friendly	URL jadi lebih panjang
Header	X-API-Version: 1	URL tetap bersih	Tidak visible, sulit di-cache
Query Param	/api/users?v=1	Mudah digunakan	Opasional, sering terlewat
Content Negotiation	Accept: application/vnd.app.v1+json	Paling fleksibel, teknis tepat	Kompleks, sulit dipahami pemula

Best Practices API Versioning

Gunakan URL path versioning sebagai default — paling mudah dipahami developer
Mulai dari v1 dari awal — jangan tunggu sampai butuh breaking change baru bikin versi
Semantic versioning: Major (breaking changes), minor (new features), patch (bug fixes)
Dokumentasikan perubahan: Migrasi guide, changelog, deprecation timeline
Support versi lama: Minimal 6-12 bulan setelah versi baru dirilis
Deprecation headers: Sertakan header peringatan saat versi akan dihentikan

// Contoh API versioning dengan backward compatibility

// API v1 (legacy)
GET /api/v1/users/123
// Response:
{
  "id": 123,
  "name": "John Doe",
  "email": "john@example.com"
}

// API v2 (improved — field berubah)
GET /api/v2/users/123
// Response:
{
  "id": 123,
  "first_name": "John",
  "last_name": "Doe",
  "email": "john@example.com",
  "avatar_url": "https://...",
  "created_at": "2026-01-15T10:30:00Z"
}

// Deprecation header untuk v1
// HTTP/1.1 200 OK
// X-API-Deprecation-Date: 2026-12-31
// X-API-Deprecation-Info: Use /api/v2/users instead

6. Authentication & Authorization

Keamanan API adalah aspek kritis. Berikut metode authentication dan authorization yang umum digunakan:

Metode Authentication

Metode	Cara Kerja	Kelebihan	Kekurangan	Use Case
API Key	Key dikirim di header/query	Sederhana	Tidak ada expiry, kurang aman	Public API, server-to-server
JWT (Bearer Token)	Token signed di Authorization header	Stateless, scalable	Token bisa besar, revocation sulit	Web & mobile apps
OAuth 2.0	Authorization code flow	Aman, standardized	Kompleks untuk setup	3rd party integration
Session Cookie	Cookie berisi session ID	Mudah, built-in browser	Stateful, CORS issues	Traditional web apps

JWT Best Practices

// JWT Flow:
// 1. Client login → server berikan access_token + refresh_token
// 2. Client kirim access_token di setiap request
// 3. Token expired → client gunakan refresh_token untuk dapat access_token baru

// Request dengan JWT:
GET /api/v1/users/123
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

// Login response:
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4...",
  "token_type": "Bearer",
  "expires_in": 3600
}

// Refresh token request:
POST /api/v1/auth/refresh
{
  "refresh_token": "dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4..."
}

Authorization (RBAC)

// Role-Based Access Control (RBAC):
// User      → bisa akses resource miliknya sendiri
// Editor    → bisa update semua artikel
// Admin     → bisa akses semua endpoint

// Contoh response 403 Forbidden:
{
  "error": {
    "code": "FORBIDDEN",
    "message": "You don't have permission to access this resource",
    "details": "Required role: admin, your role: user"
  }
}

7. Error Handling & Response Format

Format response yang konsisten — baik untuk sukses maupun error — sangat penting untuk developer experience:

Standard Response Format

// ✅ Success Response:
{
  "status": "success",
  "data": {
    "id": 123,
    "name": "John Doe",
    "email": "john@example.com"
  },
  "meta": {
    "request_id": "req_abc123def456",
    "timestamp": "2026-06-26T10:30:00Z"
  }
}

// ✅ Success Response (List):
{
  "status": "success",
  "data": [
    { "id": 1, "name": "John" },
    { "id": 2, "name": "Jane" }
  ],
  "meta": {
    "page": 1,
    "limit": 20,
    "total": 150,
    "total_pages": 8
  }
}

// ✅ Error Response:
{
  "status": "error",
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Request validation failed",
    "details": [
      { "field": "email", "message": "Invalid email format" },
      { "field": "password", "message": "Password must be at least 8 characters" }
    ]
  },
  "meta": {
    "request_id": "req_abc123def456",
    "timestamp": "2026-06-26T10:30:00Z"
  }
}

Contoh Error Responses

Scenario	Status	Error Code	Message
Validasi gagal	422	VALIDATION_ERROR	Field X tidak valid
Resource tidak ada	404	NOT_FOUND	User dengan ID 123 tidak ditemukan
Email duplicate	409	CONFLICT	Email sudah terdaftar
Token expired	401	TOKEN_EXPIRED	Access token has expired
Akses ditolak	403	FORBIDDEN	Tidak punya akses ke resource ini
Rate limit	429	RATE_LIMIT_EXCEEDED	Too many requests, try again later
Server error	500	INTERNAL_ERROR	Something went wrong

8. Pagination, Filtering & Sorting

Offset-Based Pagination

// Request:
GET /api/v1/articles?page=2&limit=20

// Response:
{
  "data": [...],
  "meta": {
    "page": 2,
    "limit": 20,
    "total": 150,
    "total_pages": 8,
    "has_next": true,
    "has_prev": true
  }
}

Cursor-Based Pagination (untuk dataset besar)

// Request:
GET /api/v1/articles?cursor=eyJpZCI6MTAwfQ==&limit=20

// Response:
{
  "data": [...],
  "meta": {
    "next_cursor": "eyJpZCI6MTIwfQ==",
    "has_more": true
  }
}

Filtering & Sorting

// Filter dengan multiple conditions
GET /api/v1/products?category=electronics&min_price=100000&in_stock=true

// Sort ascending dan descending
GET /api/v1/articles?sort=-created_at,title
// -created_at = descending, title = ascending

// Field selection
GET /api/v1/users?fields=id,name,email,avatar

// Include related resources
GET /api/v1/articles?include=author,category,comments

9. API Documentation

API yang tidak didokumentasikan dengan baik adalah API yang tidak akan digunakan. Berikut best practices untuk API documentation:

Tools API Documentation

Tools	Tipe	Kelebihan
OpenAPI (Swagger)	Specification (YAML/JSON)	Industry standard, banyak tools
Swagger UI	Interactive docs	Auto-generate dari OpenAPI spec
Redoc	Documentation renderer	Beautiful, responsive docs
Postman	API platform	Collections, testing, mock server
Stoplight	Design-first platform	Visual editor, mock server
Readme	Developer portal	Customizable, analytics, versioning

Contoh OpenAPI Specification (Snippet)

openapi: 3.0.3
info:
  title: BeebaneLabs API
  version: 1.0.0
  description: API untuk platform tutorial BeebaneLabs

paths:
  /api/v1/articles:
    get:
      summary: Daftar semua artikel
      description: Mengambil daftar artikel dengan pagination
      parameters:
        - name: page
          in: query
          schema:
            type: integer
            default: 1
        - name: limit
          in: query
          schema:
            type: integer
            default: 20
            maximum: 100
        - name: category
          in: query
          schema:
            type: string
      responses:
        '200':
          description: Berhasil
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/Article'
                  meta:
                    $ref: '#/components/schemas/PaginationMeta'
    post:
      summary: Buat artikel baru
      security:
        - bearerAuth: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ArticleCreate'
      responses:
        '201':
          description: Artikel berhasil dibuat
        '422':
          description: Validasi gagal

Apa yang Harus Ada di API Documentation

Getting Started Guide: Quick start, authentication setup, first request
Authentication: Cara mendapatkan token, refresh, dan handle error
Endpoint Reference: Semua endpoint dengan request/response examples
Error Codes: Daftar lengkap error codes dan cara handle
Rate Limits: Limitasi dan cara menghandle rate limiting
Changelog: Perubahan di setiap versi
SDKs & Code Examples: Contoh penggunaan di berbagai bahasa
Webhook Documentation: Events, payload format, retry policy

10. API Testing

Level API Testing

Level	Tujuan	Tools
Unit Testing	Test individual functions/validators	Jest, pytest, Go testing
Integration Testing	Test endpoint dengan database	Supertest, pytest + httpx
Contract Testing	Test kesesuaian dengan API spec	Pact, Dredd, Schemathesis
Performance Testing	Test load & stress	k6, Artillery, Apache Bench
Security Testing	Test vulnerabilities	OWASP ZAP, Burp Suite
E2E Testing	Test full workflow	Postman, Newman, REST Assured

Contoh API Testing (JavaScript/Jest)

// Integration test dengan Jest + Supertest
const request = require('supertest');
const app = require('../app');

describe('Articles API', () => {
  let authToken;

  beforeAll(async () => {
    // Login untuk mendapatkan token
    const res = await request(app)
      .post('/api/v1/auth/login')
      .send({ email: 'test@example.com', password: 'password123' });
    authToken = res.body.data.access_token;
  });

  describe('GET /api/v1/articles', () => {
    it('should return list of articles', async () => {
      const res = await request(app)
        .get('/api/v1/articles')
        .expect(200);

      expect(res.body.status).toBe('success');
      expect(Array.isArray(res.body.data)).toBe(true);
      expect(res.body.meta).toHaveProperty('page');
      expect(res.body.meta).toHaveProperty('total');
    });

    it('should filter articles by category', async () => {
      const res = await request(app)
        .get('/api/v1/articles?category=javascript')
        .expect(200);

      res.body.data.forEach(article => {
        expect(article.category).toBe('javascript');
      });
    });
  });

  describe('POST /api/v1/articles', () => {
    it('should create new article', async () => {
      const res = await request(app)
        .post('/api/v1/articles')
        .set('Authorization', `Bearer ${authToken}`)
        .send({
          title: 'Test Article',
          content: 'This is test content',
          category: 'testing'
        })
        .expect(201);

      expect(res.body.data).toHaveProperty('id');
      expect(res.body.data.title).toBe('Test Article');
    });

    it('should return 422 for invalid data', async () => {
      const res = await request(app)
        .post('/api/v1/articles')
        .set('Authorization', `Bearer ${authToken}`)
        .send({ title: '' })
        .expect(422);

      expect(res.body.error.code).toBe('VALIDATION_ERROR');
    });

    it('should return 401 without auth token', async () => {
      await request(app)
        .post('/api/v1/articles')
        .send({ title: 'Test' })
        .expect(401);
    });
  });
});

11. Rate Limiting & Caching

Rate Limiting Best Practices

Tier	Limit	Window	Contoh Response Header
Free	100 requests	Per menit	X-RateLimit-Limit: 100
Basic	1,000 requests	Per menit	X-RateLimit-Limit: 1000
Premium	10,000 requests	Per menit	X-RateLimit-Limit: 10000

// Rate limit response headers
X-RateLimit-Limit: 100          // Max requests per window
X-RateLimit-Remaining: 75       // Remaining requests
X-RateLimit-Reset: 1687812000   // Unix timestamp when limit resets

// Response 429 Too Many Requests:
{
  "status": "error",
  "error": {
    "code": "RATE_LIMIT_EXCEEDED",
    "message": "Too many requests. Please try again in 30 seconds.",
    "retry_after": 30
  }
}

// Header:
Retry-After: 30

Caching Strategies

Strategy	Header	Contoh	Use Case
No Cache	Cache-Control: no-store	Sensitive data	User profile, transactions
Short Cache	Cache-Control: max-age=60	Data berubah sesekali	Product list, news
Long Cache	Cache-Control: max-age=86400	Data jarang berubah	Categories, countries
ETag	ETag: "abc123"	Conditional request	Large resources
Last-Modified	Last-Modified: Wed, 26 Jun 2026	Conditional request	File-based resources

12. Security Best Practices

Checklist Keamanan API

Keamanan	Implementasi	Prioritas
HTTPS Only	Redirect HTTP → HTTPS, HSTS header	⭐⭐⭐⭐⭐
Input Validation	Validasi semua input di server, sanitize	⭐⭐⭐⭐⭐
Parameterized Queries	Hindari SQL injection dengan ORM/prepared statement	⭐⭐⭐⭐⭐
CORS Configuration	Whitelist allowed origins	⭐⭐⭐⭐⭐
Rate Limiting	Prevent brute force & DDoS	⭐⭐⭐⭐⭐
Authentication	JWT/OAuth2 dengan token expiry yang tepat	⭐⭐⭐⭐⭐
Authorization	RBAC, check permission di setiap endpoint	⭐⭐⭐⭐⭐
Security Headers	X-Content-Type-Options, X-Frame-Options, CSP	⭐⭐⭐⭐
Request Size Limit	Batasi ukuran request body (misal 1MB)	⭐⭐⭐⭐
Logging & Monitoring	Log semua request, alert untuk suspicious activity	⭐⭐⭐⭐
API Keys Rotation	Rotate API keys secara berkala	⭐⭐⭐
Data Encryption	Encrypt sensitive data at rest & in transit	⭐⭐⭐⭐⭐

13. API Design Checklist

📋 Checklist Perancangan API

Aspek	Checklist Item	Status
URL Design	✅ Gunakan nouns, bukan verbs	☐
URL Design	✅ Plural nouns untuk collections	☐
URL Design	✅ Konsisten lowercase + hyphens	☐
URL Design	✅ Versioning di URL (/api/v1/)	☐
HTTP Methods	✅ HTTP methods benar (GET/POST/PUT/PATCH/DELETE)	☐
Status Codes	✅ Status codes yang tepat	☐
Response Format	✅ Consistent JSON response format	☐
Error Handling	✅ Meaningful error messages	☐
Authentication	✅ JWT/OAuth2 implementation	☐
Authorization	✅ RBAC/permission check	☐
Pagination	✅ Pagination di semua list endpoints	☐
Filtering	✅ Query params untuk filter/sort/search	☐
Rate Limiting	✅ Rate limit headers	☐
Caching	✅ Cache-Control headers	☐
Documentation	✅ OpenAPI/Swagger spec	☐
Testing	✅ Integration & unit tests	☐
Security	✅ HTTPS, input validation, CORS	☐
Logging	✅ Request/response logging	☐
Monitoring	✅ Health check endpoint	☐
Performance	✅ Request size limits	☐

API Design Best Practices: Panduan Lengkap 2026