I noticed that some APIs like the Twitter API use get methods for everything, so the parameters are passed in the URL like this:
http://api.twitter.com/1/statuses/user_timeline.json?screen_name=screenname
I have some questions and would appreciate comments or corrections:
I always thought that using GET is not a good idea, and that it's better to use POST.
The API I'm coding requires a key, and I don't think it's a good idea to send it in the URL. So, is it possible to mix both POST parameters and URL parameters?
Another problem is that I hear URLs have a max length, so I guess that would make GET out of the way, or is there a workaround?
The only problem I'm seeing with POST (and which I'm guessing is why a site like twitter went with GET) is that the request can't be made directly from the browser. Correct me if I'm wrong on this.
Updates: Thanks to everyone who's helping me brainstorm this. I have some updates to clarify some of the comments.
When I was talking about not wanting to send the key in the URL, what I meant is that I don't want the key bookmarked if a user were to bookmark a call, not that I don't want the key exposed at all. So I guess from the answers that I could send it in the header field? Any other options?
I want to clarify that when I said POST requests can't be made from the browser
, I should have said, POST requests can't be made from the URL
as in http://example.com/api/op.json?param=value
. Sorry, I misspoke, should have been clearer.
Re whether it's RESTful or not: I've done RESTful before with an MVC framework that took care of detecting the verbs and the URLs ended up looking like example.com/entry/1
, or example.com/entry/
and the HTTP verbs are what controlled the operation being performed (create, update, delete, list). I thought, in a practical sense, that RESTful was most useful for crud-like data (create entry, get entry, update entry, delete entry, show all entries). So if I don't need crud, do I need REST? My question: if a call simply gives input and returns output, does this API need to be RESTful? The URL doesn't look RESTful, so is there something else in the implementation that could make it RESTful?
As to the URL size, you commented but if you're seriously concerned about it you probably should rethink your API. GET requests shouldn't be sending that much data to the server.
So I have this example: user wants to send a large file. On the server, I won't enter the file into the database or save it (so according to standards I'm not "posting" data), but maybe I'm (these are quickly thought examples, so please take them loosely):
Learn why one type of processing request provides more security for your Web application in this expert tip. It's the age-old question: is the POST method better than the GET method for processing HTTP requests? The common response is always use POST.
The second most common HTTP method you'll encounter in your API tests is POST . As mentioned above, POST requests are used to send data to the API server and create or update a resource. Since POST requests modify data, it's important to have API tests for all of your POST methods.
It can be done at client side by passing API URL and getting the request status back. But for some other reasons, I need to add a dummy method in my API which will just return the status code. So from my client side, I will just call http://example.com/alive to check service status.
@gordie, yes if your API request is large JSON then you should use POST which allows you to send the request body. Generally GET API doesn't need so many parameters or JSON request.
1. I always thought that using GET is not a good idea and that it's better to use POST.
Use GET for reading information, POST for writing information. GET requests shouldn't modify server-side state, while POST requests can safely do so. In general use GET for reads and POST for writes. Your API should probably use a mixture of both, depending on which each specific API call does.
2. The API I'm coding requires a key, and I don't think it's a good idea to send it in the URL. So is it possible to mix both POST parameters and URL parameters?
Sending data via POST doesn't add any level of security at all. GET requests are no less insecure than POST requests; they are identical. For transferring private data, use SSL.
You should ideally use an HTTP header like Authorization
to transmit the key, as this is less likely to be logged by intermediaries, or to be emitted to 3rd party services like bug-trackers.
3. Another problem is that I hear URLs have a max length, so I guess that would make GET out of the way, or is there a workaround
There is no maximum URL length defined by the HTTP standard, though some browsers impose one. This probably doesn't matter when generating GET requests via JavaScript, but if you're seriously concerned about it you probably should rethink your API. GET requests shouldn't be sending that much data to the server.
4. The only problem I'm seeing with POST (and which I'm guessing is why a site like twitter went with GET) is that the request can't be made directly from the browser. Correct me if I'm wrong on this.
Your browser can generate POST requests just as easily as GET requests, it's simply harder to submit POST requests via the address bar.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With