by sradnidge 5512 days ago
Nice post. The single biggest criticism I usually level at REST implementations is the lack of HATEOAS - the discoverability aspect of REST is about more than just an easily understood URI. As the author of this post states in his 2nd bullet point (emphasis mine):

"It’s expressive, REST paths and CRUD requests are easy to understand _and hypermedia makes it easy to navigate_"

It's that second part that so many implementations gloss completely over, it's probably worth discussing that separately in the same way that authentication is discussed in the post.


It's no accident that many public web APIs don't implement HATEOAS. Conceptually, HATEOAS is fantastic. Practically, it often stumbles.

As an example, 90+% of the web APIs I've designed and worked with are heavily used by mobile clients, which often suffer low bandwidth and high latency. Using proper HATEOAS URIs bloats payloads. Similarly, high latency for requests means that traversing hypermedia links across the API space is untenable.

In the real world, we design a structured API with well-known endpoints, and clients directly retrieve the resources they need. If the API needs to diverge from the specification substantially, then it gets versioned. The result is small, simple JSON payloads and nice, responsive clients.

If I'm missing something obvious here, I'd love to be educated.

Sure, but I'm sure Roy Fielding would argue you can't have REST without HATEOAS. So on some level yes, it is great in theory, but on another level I would also argue that's where the 'ful' comes in à la 'RESTful'. I guess you could look at it in a 'spirit of the law vs letter of the law' kind of way - REST without HATEOAS is certainly in the spirit, but perhaps so is XML-RPC with HATEOAS. Neither is the letter though.

The website example below is a good one, but as I'm an infrastructure-oriented kind of guy I'll give another one, which is the Sun Cloud API, under the now defunct project Kenai http://kenai.com/projects/suncloudapis/pages/Home. For example, doing a GET on a VM resource will return a payload that contains a URI for a power operation on the VM. What that power operation is obviously depends on what the power state of the VM is at the time of the GET. The AWS APIs provide a SOAPy interface, but they return information about objects that much more adheres to HATEOAS than the Rackspace API for example, which goes to _great_ lengths to espouse its RESTy virtues (even consistently, and incorrectly, lowering the 'E' in the API docs lol).

So yeh, of course it all comes down to the infinite scales of grey, I wasn't trying to imply that I know any better than anyone or that REST-without-HATEOAS is wrong or suboptimal or whatever (and I know you're not interpreting it that way either), just that I have sometimes wondered how many REST implementors actually took the time to understand what Fielding was/is on about. And I certainly don't believe you or the author of the post fall into that category!

The important quality that HATEOAS gives you is the freedom to evolve the application on the server without changing the client. It's the reason that the web can be used for things that TBL didn't anticipate when he invented it. If an API can't adopt new functionality without breaking clients then there is no sense in calling it RESTful.

As other commenters, and Fielding himself, have pointed out, REST is inefficient in terms of both computer and human resources. It's an architecture optimized for wide scale and long term use. That's why most APIs don't turn out very RESTful.

I wrote an API that has HATEOAS, but none of the devs really use it. They seem to prefer hardcoding strings.

The hardcore randomly change all the URLs in testing to make sure nothing is hardcoded. A HATEOAS API should still work.

Haha, I thought about doing that, but it would just serve to piss a lot of people off.

I think it would be kind of cool to have a little project/developer toy that would be an API where only a single endpoint was provided (think http://mysteryapi.com), and the rest of it had to be discovered. It could be like the labyrinth from House of Leaves, but in REST API format.

Developers Like Hypermedia, But They Don't Like Web Browsers. From Leonard Richardson at WS-REST2010.

http://ws-rest.org/2010/files/WSREST2010-Preliminary-Proceed... starts at page 6

I agree that this is often glossed over. In fact I can't think of any framework implementation that provides it.

About the best example I can think of is the Atom publishing protocol, where a service links to its publishing URLs and a feed can provide pagination through hyperlinks. But still it is not a particularly sophisticated example; do you know of any others?

I'm not sure how HATEOAS could be bundled into a framework as there is no straightforward process for realizing it. Designing a generic hypermedia format is a huge undertaking and a RESTful service must be almost completely specified by such formats.

If you can implement your service entirely with existing formats, that could make things much simpler. But the only kind of hypermedia for machine data access that I've ever heard of is RDF, and there is nothing simple about that.

The best example of that is a website. It provides links to other documents. It just happens to be that the output is usually HTML, but there's no reason why JSON or XML can't contain links to other hypermedia as well.

Most any document format can contain links, but that doesn't make it hypermedia. You can't make a client that knows what to do with any JSON or XML document.

Wait, why not? The JSON could return in a standard format that the client knows where to look for links to other documents.

Sure, you can design a standard format on top of JSON, but that is rarely done. The whole appeal of it is for passing around ad-hoc data structures.

There are many hypermedia formats built on XML, but when it's just used as a data container for an API, it's not hypermedia.

Gotcha, that makes sense. Thanks.
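
An added example, not part of the thread or any commenter's code: a client that hardcodes only the entry point and finds the state-dependent power operation on a VM by link relation, run against a constructed in-memory API whose paths are randomized per seed, in the manner of the URL-shuffling test mentioned in the thread. The `rel` names, the `links` layout and the `api.example.test` origin are assumptions; the same-origin check on followed links is an addition that a client acting on server-supplied URLs would want.

```python
import random
import string
from urllib.parse import urljoin, urlsplit

BASE = "https://api.example.test/"  # constructed origin, not a real service

def make_server(seed):
    """Constructed in-memory API; every path except "/" changes with the seed."""
    rnd = random.Random(seed)

    def token():
        return "".join(rnd.choice(string.ascii_lowercase) for _ in range(8))

    vm_path, op_path = "/" + token(), "/" + token()
    state = {"power": "off"}

    def get(path):
        if path == "/":
            return {"links": [{"rel": "vm", "href": vm_path}]}
        if path == vm_path:
            # The offered operation depends on the VM's current power state.
            rel = "power-on" if state["power"] == "off" else "power-off"
            return {"power": state["power"], "links": [{"rel": rel, "href": op_path}]}
        raise KeyError(path)

    def post(path):
        if path != op_path:
            raise KeyError(path)
        state["power"] = "on" if state["power"] == "off" else "off"
        return get(vm_path)

    return get, post

def follow(doc, rel):
    """Return the path of the link named rel; refuse links that leave BASE's origin."""
    href = next(link["href"] for link in doc["links"] if link["rel"] == rel)
    url = urlsplit(urljoin(BASE, href))
    if (url.scheme, url.netloc) != urlsplit(BASE)[:2]:
        raise ValueError("link leaves API origin: " + href)
    return url.path

def toggle_power(seed):
    """Client logic: knows only "/" and rel names, never a resource path."""
    get, post = make_server(seed)
    vm = get(follow(get("/"), "vm"))
    rel = vm["links"][0]["rel"]  # whichever operation the server offers right now
    return post(follow(vm, rel))["power"]
```
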