Menu

Pages

Tools

Beginner Guide APIs Web Development March 2026 ⏱ 11 min read

What Is a REST API? How It Works, With Real Examples

REST API is one of the most searched terms in web development and one of the most poorly explained. Here is exactly what it is, why it was designed the way it was, and what every part of it means, with real examples throughout.

Most guides on REST APIs either make the topic too abstract or dive straight into code before building any mental model. This guide does neither. It starts with what REST actually means, walks through every component with real examples, and finishes with a practical checklist you can use immediately when working with any REST API.

What this guide covers
What REST stands for The six REST constraints How a request works The four HTTP methods HTTP status codes URL structure Authentication REST vs GraphQL vs gRPC

What REST Stands For

REST stands for Representational State Transfer. It was defined in 2000 by Roy Fielding in his doctoral dissertation. Fielding was one of the primary authors of the HTTP specification, and REST was his description of the architectural style that made the web work as well as it did.

The name sounds technical. The concept is not. REST is simply a set of conventions for building APIs that use the web's existing infrastructure, namely HTTP, rather than inventing something new on top of it. By following REST conventions, any API becomes predictable: a developer who knows one REST API can figure out another one quickly, regardless of which company built it or what programming language runs the server.

This predictability is REST's greatest value. Before REST, every API had its own format, its own conventions, and its own rules. REST standardised the approach so that the knowledge transfers.

REST did not invent anything new. It described the principles already present in HTTP and said: if you follow these principles when building an API, any client can use it predictably.

The Six Constraints of REST

REST is formally defined by six architectural constraints. You do not need to memorise all six, but understanding them explains why REST APIs behave the way they do. The two that matter most in day-to-day work are highlighted:

1
Client-Server
The client (your app) and the server (the API) are completely separate systems. The client handles the user interface. The server handles data storage and business logic. They communicate only through the API, never directly.
2
Stateless ★
Every request must contain all the information the server needs to process it. The server does not remember previous requests. Each request is completely independent. This is what makes REST APIs scalable: any server instance can handle any request.
3
Cacheable
Responses can be marked as cacheable. If a response is cached, the client can reuse it without making another request to the server. The server controls how long a response can be cached via response headers.
4
Uniform Interface ★
All REST APIs follow the same conventions: resources are identified by URLs, standard HTTP methods define operations, and responses use standard formats. This uniformity is what makes REST predictable across all implementations.
5
Layered System
The client does not need to know whether it is communicating directly with the server or through intermediary layers like load balancers, CDN caches, or API gateways. Each layer only knows about the layer directly adjacent to it.
6
Code on Demand (optional)
Servers can optionally send executable code to clients, like JavaScript for a browser. This is the only optional constraint. In practice it is rarely discussed in the context of REST APIs for web and mobile.
★ The two constraints that matter most

Stateless means each request is self-contained. Your API cannot rely on the server remembering a previous request. This is why authentication tokens are sent with every request rather than once at login. Uniform Interface is why REST APIs are so learnable: the same methods, the same URL patterns, and the same status codes apply everywhere.

How a REST API Request Works

Every REST API interaction follows the same flow:

Client → HTTP Request → Server → HTTP Response → Client

A request and its response each have distinct components. Understanding both is essential for debugging API issues:

📤 Request components
1
Method
What action to perform: GET, POST, PUT, DELETE
2
URL (Endpoint)
Which resource to act on, e.g. /users/42
3
Headers
Metadata: authentication token, content type, accepted response format
4
Body (optional)
Data sent with the request. Used with POST and PUT only. Usually JSON.
📥 Response components
1
Status Code
Whether the request succeeded: 200, 201, 404, 500, etc.
2
Headers
Metadata: content type, cache instructions, rate limit remaining
3
Body
The actual data returned. Almost always JSON in REST APIs.

The Four HTTP Methods — With Real Examples

The HTTP method tells the server what operation to perform. Four methods cover every possible data operation. Each one has a specific meaning and a specific expected behaviour:

GET Read data — never changes anything Read-only
Retrieve a resource from the server. No data is sent in the body. GET requests are safe and idempotent: calling them any number of times produces the same result with no side effects.
Request
GET https://api.stackdevtools.com/users/42 Authorization: Bearer sk_live_abc123
Response — 200 OK
{ "id": 42, "name": "Alex Johnson", "email": "alex@example.com", "plan": "pro" }
POST Create a new resource Creates data
Send data to create a new resource. The data is included in the request body as JSON. The server creates the resource, assigns an ID, and returns the created object with a 201 status.
Request
POST https://api.stackdevtools.com/users Content-Type: application/json { "name": "Sarah Mitchell", "email": "sarah@example.com", "plan": "free" }
Response — 201 Created
{ "id": 87, "name": "Sarah Mitchell", "email": "sarah@example.com", "plan": "free", "created_at": "2026-03-23T10:14:00Z" }
PUT Update an existing resource Modifies data
Replace an existing resource with new data. The full updated object is sent in the request body. Returns the updated resource with a 200 status. Some APIs use PATCH for partial updates.
Request
PUT https://api.stackdevtools.com/users/42 Content-Type: application/json { "plan": "enterprise" }
Response — 200 OK
{ "id": 42, "name": "Alex Johnson", "plan": "enterprise", "updated_at": "2026-03-23T10:18:00Z" }
DELETE Remove a resource permanently Removes data
Remove a specific resource. No body is sent in the request. On success, returns 204 No Content: the operation succeeded but there is nothing to return because the resource no longer exists.
Request
DELETE https://api.stackdevtools.com/users/42 Authorization: Bearer sk_live_abc123
Response — 204 No Content
// No response body // Empty 204 = success // The resource no longer exists

HTTP Status Codes — The Language of API Responses

Status codes tell you exactly what happened with a request. Every REST API uses the same codes, which is one of the benefits of the uniform interface constraint. Always check the status code before processing the response body:

Code Meaning When You See It Action Required
200 OK Request succeeded, data returned Validate structure before using
201 Created POST succeeded, new resource created Use the returned ID for follow-up requests
204 No Content DELETE succeeded, nothing to return No body processing needed
400 Bad Request Request is malformed or missing fields Log the error body, fix the request format
401 Unauthorised Missing or invalid authentication token Trigger token refresh or re-authentication
403 Forbidden Valid auth, but insufficient permissions Show permission error to user, do not retry
404 Not Found Resource does not exist or was deleted Handle gracefully, not a crash condition
429 Too Many Requests Rate limit exceeded Implement exponential backoff, check Retry-After header
500 Internal Server Error Bug on the server side Log, retry with backoff, alert if persistent
503 Service Unavailable API is down or overloaded Queue for retry, do not surface raw error to users
⚠ A 200 status code does not guarantee correct data

Always check the status code first, then validate the response structure. An API may return 200 with an unexpected shape if an internal transformation fails. Validate that required fields are present and have the expected types before processing. Use the JSON Formatter to inspect real responses before writing integration code.

REST API URLs — How Resources Are Structured

REST APIs organise URLs around resources, the nouns. Operations are expressed through the HTTP method, the verb. This separation is what makes REST URLs intuitive and consistent across any API.

The URL describes what you are acting on. The method describes what you are doing to it. You never need to see a URL like /getUser or /deletePost in a REST API:

Resource-based URL patterns — the REST standard
GET /users List all users (with pagination)
POST /users Create a new user
GET /users/42 Get the specific user with ID 42
PUT /users/42 Update user 42 with new data
DELETE /users/42 Delete user 42 permanently
GET /users/42/posts Get all posts belonging to user 42
POST /users/42/posts Create a new post for user 42

Notice that the same URL /users/42 is used for GET, PUT, and DELETE. The URL stays constant. The method changes the operation. This is the uniformity that makes REST predictable.

Authentication — How APIs Know Who You Are

Because REST is stateless, every request must carry its own authentication. The server cannot remember that you authenticated in a previous request. There are three common approaches, each suited to different use cases:

🔑
API Keys
A unique string passed in the request header. Simple and fast. The server looks up the key, finds the associated account, and either allows or rejects the request.
Best for: server-to-server, developer tools, read-heavy APIs
🔐
OAuth 2.0
Used when an API needs to act on behalf of a specific user. The user grants permission through a login flow. The app receives a short-lived access token and a refresh token. Used by Google, GitHub, Twitter, Spotify.
Best for: user-authorised actions, third-party integrations
🎫
JWT (JSON Web Tokens)
Signed tokens that encode claims about the user directly in the token. The server validates the signature without a database lookup. Compact, stateless, and fast. Common in modern web and mobile backends.
Best for: stateless authentication, microservices, mobile apps
How authentication looks in a real request
// API Key in header (most common) GET https://api.example.com/data Authorization: Bearer sk_live_abc123xyz789 // JWT token (same format, different content) GET https://api.example.com/user/profile Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... // API key as query parameter (less secure, avoid for sensitive data) GET https://api.example.com/data?api_key=abc123
⚠ Keep API keys out of source code

Never hardcode an API key in your source code. Even in a private repository, keys committed to git history remain there forever. Always store API keys in environment variables or a secrets manager. If a key is ever accidentally committed, treat it as compromised and rotate it immediately.

REST vs GraphQL vs gRPC vs SOAP

REST is not the only API architecture. Understanding how it compares to the alternatives helps you choose the right approach for your use case:

Feature REST GraphQL gRPC SOAP
Data format JSON JSON Protocol Buffers XML
Flexibility Fixed responses Client controls fields Fixed contract Fixed contract
Performance Good Good Excellent Slow (XML parsing)
Human-readable Yes Yes No (binary) Verbose XML
Learning curve Low Medium High High
Best for Web and mobile APIs Complex data needs Internal microservices Legacy enterprise

For most web and mobile applications, REST is the right starting point. It is simple, widely supported, well-documented, and understood by every developer on any hiring market. GraphQL adds complexity that is only worth it when you have genuinely complex data fetching needs. gRPC is excellent for internal service-to-service communication where performance is critical. SOAP appears when a legacy enterprise system requires it.

A Checklist for Working With Any REST API

Before writing integration code with a new API, work through this checklist. Each item prevents a class of bugs that consistently appears in real-world integrations:

  • Read the full documentation before writing a single line of code, especially the rate limits, auth requirements, and error response formats.
  • Get a real response sample and format it with the JSON Formatter to understand the actual structure, not just the documentation version.
  • Note all nullable fields before assuming they are always present. Missing field access is one of the most common silent bugs in API integrations.
  • Write explicit handlers for 401, 403, 404, 429, and 5xx responses. Happy-path-only code fails silently in production.
  • Implement pagination for any endpoint that returns a list. The first page is never all the data.
  • Store API keys in environment variables. Never in source code. Never in a file committed to version control.
  • Add caching for data that does not change frequently. Every redundant API call costs latency and burns rate limit quota.
  • Compare responses across environments before debugging production issues. Environment divergence is one of the most common sources of production-only bugs.

Frequently Asked Questions

What is the difference between an API and a REST API?

An API (Application Programming Interface) is any defined way for two systems to communicate. A REST API is a specific type of API that follows the REST architectural constraints: stateless, uniform interface, resource-based URLs, and standard HTTP methods. All REST APIs are APIs, but not all APIs are REST APIs. SOAP APIs, GraphQL APIs, and gRPC APIs are all APIs that are not REST.

Why is REST called "stateless" and what does that mean in practice?

Stateless means the server does not store any session information between requests. Each request must carry all the context the server needs to process it, including the authentication token, user ID, and any relevant parameters. In practice this means: you cannot log in once and have the server remember you. Every request includes the token. This is why you stay logged into apps even when the server restarts: your token is stored client-side and sent with every request.

What is the difference between PUT and PATCH?

PUT replaces the entire resource with the data you send. If you send a PUT request with only the plan field, the server replaces the whole user object with just that field. PATCH applies a partial update: only the fields you send are changed, everything else remains. In practice many APIs accept partial data with PUT anyway, but the strict REST interpretation is that PUT is a full replacement and PATCH is a partial update.

When should I use REST vs GraphQL?

Use REST when: you are building a standard CRUD API, your data relationships are relatively flat, your team is new to APIs, or you need maximum ecosystem compatibility. Use GraphQL when: different clients need different subsets of the same data, you have deeply nested or complex data relationships, you are experiencing significant over-fetching or under-fetching with REST, or you want a single endpoint with a flexible query language. GraphQL adds complexity: schema definition, resolver implementation, and client-side query management. That complexity is only worthwhile when it solves a real problem.

How do I handle API rate limits?

When you receive a 429 Too Many Requests response, implement exponential backoff: wait 1 second, retry; if still 429, wait 2 seconds; then 4 seconds; then 8 seconds. Check the Retry-After header if the API provides one, as it specifies exactly how long to wait. For sustained high-volume operations, implement a client-side request queue that tracks your request rate and stays under the limit proactively rather than reacting to 429 errors after they occur.

Free browser-based tools

Tools for every stage of API work

Format and validate JSON responses, compare API outputs across environments, and convert between data formats. All free, all in your browser, no login required.

{ } JSON Formatter Text Diff Checker JSON to YAML JSON to XML

REST Is Simple. The Details Make It Reliable.

REST API architecture is straightforward once the mental model is in place: resources identified by URLs, operations expressed through HTTP methods, stateless requests, and uniform conventions across every implementation. That simplicity is the reason REST dominates web development. It uses infrastructure that already exists, follows conventions that are universally understood, and requires no special tooling beyond a standard HTTP client.

What makes the difference between an API integration that works and one that fails silently is the details: reading the full documentation, validating real responses, handling every error code explicitly, implementing pagination and rate limiting, and keeping authentication out of source code. The checklist in this guide covers the full list. Work through it for every new API and you will eliminate the majority of integration failures before they reach production.