API Design

Learn it once, explain it cold

API design, from first principles.

A visual, interactive course that builds your intuition from the wire up — so you can design, defend, and debug an API in any interview, from low-level networking to high-level system design. Every lesson has diagrams, worked examples, common traps, the interview angle, quizzes, and hands-on exercises.

0 / 107 lessons complete

Part 1 — Foundations10/10

How the machinery under every API works. Master this and the rest is application.

01

What an API really is

Contracts, not code — the promise between two programs.

 02

What makes an API good

Qualities of a great contract; design-first vs code-first; the lifecycle.

 03

Layers & the narrow waist

TCP/IP & OSI layers and why everything funnels through IP.

 04

Latency vs throughput

The two numbers, the four delays, and percentiles.

 05

Network sockets

The pipe every API rides on: ports, TCP handshake, keep-alive.

 06

How the Web works

URLs, DNS, and the full lifecycle of a request.

 07

HTTP & how it evolved

Methods, status codes, headers; 1.0 → HTTP/3 over QUIC.

 08

Remote procedure calls

Making a network call feel local — and where the illusion leaks.

 09

WebSockets & real-time

Two-way channels: polling vs SSE vs WebSockets.

 10

SLIs, SLOs & SLAs

Measuring reliability and spending an error budget.

Part 2 — Data & Formats3/3

How API data is represented on the wire and why format choice matters.

df-01

Data representation & efficiency

Serialization, schemas, and compression on the wire.

 df-02

Textual formats: JSON, XML

Human-readable payloads and their trade-offs.

 df-03

Binary formats: Protobuf, Avro

Compact, schema-driven encoding for speed and size.

Part 3 — Architectural Styles7/7

REST, GraphQL, gRPC — what each is and when to reach for it.

as-01

Web API styles overview

Request-response, query, and RPC families compared.

 as-02

REST architecture style

Resources, uniform interface, statelessness, HATEOAS.

 as-03

RESTful APIs in practice

Richardson maturity, naming, status codes, pagination.

 as-04

GraphQL: a query language

One endpoint, client-shaped responses, N+1 traps.

 as-05

gRPC framework

Protobuf + HTTP/2 streaming for internal services.

 as-06

Comparing the styles

A decision guide: pick the right style per use case.

 as-07

Client-adapting APIs

Content negotiation, sparse fields, and the BFF pattern.

Part 4 — Security10/10

Protecting APIs end to end: transport, identity, and input.

sec-01

API security threats

The threat model and the OWASP API risks.

 sec-02

Transport Layer Security (TLS)

Encryption, certificates, and the TLS handshake.

 sec-03

Securing APIs with input validation

Injection, allow-lists, and never trusting the client.

 sec-04

CORS, explained

The same-origin policy and how CORS safely relaxes it.

 sec-05

Authentication vs authorization

Who you are vs what you may do.

 sec-06

OAuth 2.0

Delegated access, tokens, and the common flows.

 sec-07

OpenID Connect & SAML

Federated identity and single sign-on.

 sec-08

API keys, JWTs & a checklist

Bearer tokens, JWT pitfalls, and a hardening checklist.

 sec-09

Cookies, sessions & CSRF

Web state, session vs token auth, and CSRF defenses.

 sec-10

Threat modeling (STRIDE)

Think like an attacker: trust boundaries and the six threat classes.

Part 5 — Reliability & Scale18/18

The patterns that keep APIs correct and fast under load.

rel-01

API versioning

Evolving without breaking callers.

 rel-02

Idempotency

Making retries safe; idempotency keys in practice.

 rel-03

Rate limiting algorithms

Token/leaky bucket, fixed & sliding windows — with code.

 rel-04

API gateway deep dive

The front door: routing, auth, limiting, aggregation.

 rel-05

Retries & backoff

Exponential backoff, jitter, and retry storms.

 rel-06

Circuit breaker pattern

Failing fast to protect a struggling dependency.

 rel-07

Caching at every layer

Client, CDN, gateway, app, and DB caches.

 rel-08

Load balancing

Spreading traffic; L4 vs L7; health checks.

 rel-09

Monitoring & observability

Metrics, logs, traces, and the four golden signals.

 rel-10

Event-driven & pub/sub

Queues, topics, and decoupling with messages.

 rel-11

Evolving APIs safely

Additive change, tolerant reader, expand-and-contract.

 rel-12

Designing webhooks

Payloads, HMAC signing, retries, replay, idempotent consumers.

 rel-13

Capacity estimation

Back-of-the-envelope sizing: QPS, storage, servers for N users.

 rel-14

Scaling 1 → 1M users

Vertical vs horizontal, statelessness, the architecture progression.

 rel-15

Scaling the database

Read replicas, sharding, hot keys, denormalization, CQRS.

 rel-16

Consistency & CAP

Strong vs eventual, CAP/PACELC, quorum, stale reads.

 rel-17

High availability

No SPOF, multi-AZ/region, active-active, failover.

 rel-18

Resilience & disaster recovery

Graceful degradation, bulkheads, load shedding, RTO/RPO, chaos.

Part 6 — Performance5/5

Estimating and shrinking response time.

perf-01

Estimating response time

A repeatable method to estimate an API's response time.

 perf-02

Latency budgets

Splitting a target across hops and components.

 perf-03

Speeding up page loads

Critical path, payload size, and round trips.

 perf-04

Data fetching & pagination

Cursor vs offset, batching, prefetch, debouncing.

 perf-05

Server vs client rendering

SSR, CSR, SSG and what each means for your API.

Part 7 — Debugging & Real-World6/6

Diagnosing real API failures — the skills interviews and on-call both test.

dbg-01

The API debugging mindset

Reproduce, isolate by layer, read the evidence.

 dbg-02

Reading errors & status codes

What 4xx/5xx, timeouts, and resets actually tell you.

 dbg-03

Acing the Stripe-style debugging interview

The bug-squash round: format, scoring, a 10-step playbook, and a worked walkthrough.

 dbg-04

Debugging webhooks

Missed events, retries, signatures, and replay.

 dbg-05

Idempotency in practice

Double charges, dedup keys, and safe retries.

 dbg-06

Handling 429s & throttling

Reading limit headers and backing off correctly.

Part 8 — Design Case Studies18/18

The repeating interview pattern: requirements → decisions → API model → evaluation.

cs-00

The case-study framework

How to drive any 'design the API for X' question.

 cs-01

Design: Search API

Query, filters, pagination, latency budget.

 cs-02

Design: File upload/download API

Chunking, resumable uploads, presigned URLs.

 cs-03

Design: Comment & rating API

Nested resources, moderation, counts.

 cs-04

Design: Pub/Sub API

Topics, subscriptions, delivery guarantees.

 cs-05

Design: URL shortener

Key generation, redirects, analytics (original).

 cs-06

Design: Notification service

Fan-out, channels, preferences (original).

 cs-07

Design: Video streaming API

Upload, transcode, adaptive playback.

 cs-08

Design: Chat/messenger API

Delivery, presence, ordering, real-time.

 cs-09

Design: Maps API

Tiles, routing, geo queries.

 cs-10

Design: Video conferencing API

Rooms, signaling, media routing.

 cs-11

Design: Online judge API

Submit, sandbox, verdicts.

 cs-12

Design: Payments API

Charges, idempotency, webhooks, the money path.

 cs-13

Design: Social feed API

Timeline, fan-out, follows.

 cs-14

Design: Ride-hailing API

Matching, location, trip lifecycle.

 cs-15

Design: Gaming/leaderboard API

Real-time state, rankings, anti-cheat.

 cs-16

Design: Chess / turn-based game API

Move validation, game state, anti-cheat, real-time turns.

 cs-17

Design: Price-tracker API

External polling, price history, alerts (original).

Part 9 — Failure Case Studies4/4

What real outages teach about API design.

fail-01

What causes API failures

The taxonomy: load, dependencies, deploys, data.

 fail-02

Knight Capital

How a deploy/flag bug lost $440M in 45 minutes.

 fail-03

The 2017 S3 outage

A typo, a cascading dependency, and blast radius.

 fail-04

Config & dependency outages

When the control plane takes everything down.

Part 10 — Resource Design Patterns8/8

Build-along resource modelling — standard & custom methods, field masks, long-running ops, batch, soft delete — ending in a complete mock API you can stand up.

rdp-01

Resource-oriented design & naming

Model the domain as resources, collections, and a clean hierarchy.

 rdp-02

Standard methods (CRUD)

List, Get, Create, Update, Delete — the canonical contract.

 rdp-03

Custom methods (:verb)

Actions that aren't CRUD, done the REST way.

 rdp-04

Partial updates & field masks

PATCH with update_mask — change only what you mean to.

 rdp-05

Long-running operations

Async operation resources you poll to completion.

 rdp-06

Batch operations

batchGet/Create/Update/Delete — kill the N+1 round trips.

 rdp-07

Soft delete & validation

Recycle-bin deletes, undelete, expunge, and dry-run.

 rdp-08

Capstone: build a mock API

Assemble every pattern into a complete, buildable mock.

Part 11 — Interview Prep7/7

Drill, self-test, and a repeatable method to ace the interview.

prep-01

API interview question bank

100+ questions, low → high, with answers.

 prep-02

The API design cheat-sheet

One-page method + checklists for the whiteboard.

 prep-03

How you're scored

The rubric interviewers use, and how to hit it.

 prep-04

Mock interview prompts

Timed prompts with model answers.

 prep-05

Business & product sense

API business models, metering, and leading with the 'why'.

 prep-06

How leading APIs do it

Stripe, AWS, GitHub, HubSpot, Shopify: rate limits, versioning, auth, webhooks — cited.

 prep-07

Inside Stripe's API (deep dive)

Token-bucket + 4 limiters, the version-change layer, idempotency-key store — traced.

Part 12 — Production at Scale10/10

Interactive simulators + evidence-based scaling walkthroughs — drag the load toward 100M and watch the behaviour. Figures are first-principles models, cited and labeled.

sim-01

Simulator: rate limiter

Multi-tenant token bucket — watch throttling & 429s as load hits 100M.

 sim-02

Simulator: cache hit ratio

Hit rate → effective latency and origin load.

 sim-03

Simulator: consistent hashing

Add nodes, push a hot key → per-node load & remap %.

 sim-04

Simulator: queue & backpressure

Producer vs consumers → queue depth, lag, drops.

 sim-05

Simulator: retry storm

Failure rate × retries → the traffic amplification.

 sim-06

Simulator: capacity & latency

QPS → servers needed and the utilization hockey-stick.

 ws-01

Walkthrough: 1 box → 100M/day

The scaling staircase, each step forced by a number.

 ws-02

Walkthrough: payments at 100M

Keeping money correct at scale (Stripe-style, modeled).

 ws-03

Walkthrough: read-heavy feed

Fan-out, write amplification, the celebrity problem.

 ws-04

Walkthrough: real-time chat

Millions of connections + pub/sub fan-out.

Part 13 — Wrap-up1/1

wrap-01

Where to go next

Consolidate, keep practising, ship something.