REST (Representational State Transfer)
REST is an architectural style for designing APIs that use standard HTTP methods to access and manipulate resources in a stateless way.
What is REST?
Representational State Transfer (REST) is an architectural style - not a protocol - used to design scalable and interoperable web APIs. RESTful APIs expose resources (such as users, orders, or files) identified by URLs and manipulate them using standard HTTP methods. REST emphasizes simplicity, statelessness, and uniform interfaces.
Why REST matters
REST is widely adopted because it:
- Leverages ubiquitous web standards (HTTP, URLs)
- Is simple to understand and implement
- Scales well for web and cloud applications
- Works naturally with JSON payloads
- Is supported by virtually all platforms and tools
REST has become the de facto standard for public and internal APIs.
Core REST principles
A RESTful design typically follows these constraints:
- Client-server separation - clear responsibilities
- Statelessness - each request contains all required context
- Cacheability - responses can be cached where appropriate
- Uniform interface - consistent resource handling
- Layered system - intermediaries (proxies, gateways) allowed
Adhering to these principles improves scalability and reliability.
REST resources and HTTP methods
REST maps actions to HTTP verbs:
- GET - retrieve a resource
- POST - create a new resource
- PUT - replace a resource
- PATCH - update part of a resource
- DELETE - remove a resource
Resources are typically represented as JSON.
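As an added example (not part of the original page and not Strapi's own code), the following Node.js handler maps the five verbs above onto a single in-memory `/users` collection. The `/users` path, the `name`/`email` fields and the `createUserApi` function name are assumptions made for the illustration. It shows the distinction between PUT (replace the whole representation) and PATCH (merge only the supplied fields), returns 204 for a successful DELETE, and keeps no per-client session state, so every request carries all the context the handler needs.

```javascript
// Added example: a minimal stateless REST handler for one collection.
// Request shape assumed: { method, path, body } ; response shape: { status, body }.
function createUserApi() {
  const users = new Map(); // the resource store, keyed by numeric id
  let nextId = 1;
  const json = (status, body) => ({ status, body });

  // Accept only "/users" or "/users/<id>"; anything else is not a resource we expose.
  function route(path) {
    const m = /^\/users(?:\/(\d+))?$/.exec(path);
    return m ? { id: m[1] ? Number(m[1]) : null } : null;
  }

  // Only these fields may be set by a client; unknown fields are dropped so that
  // a body such as { isAdmin: true } can never reach the stored representation.
  const WRITABLE = ['name', 'email'];
  function pick(body) {
    const out = {};
    for (const f of WRITABLE) if (body && body[f] !== undefined) out[f] = body[f];
    return out;
  }
  const validName = (body) => body && typeof body.name === 'string' && body.name.length > 0;

  function handle(req) {
    const r = route(req.path);
    if (!r) return json(404, { error: 'not found' });
    const { id } = r;
    const { method, body } = req;

    // Collection endpoints: GET lists, POST creates with a server-assigned id.
    if (id === null) {
      if (method === 'GET') return json(200, [...users.values()]);
      if (method === 'POST') {
        if (!validName(body)) return json(400, { error: 'name is required' });
        const user = { id: nextId++, name: body.name, email: body.email ?? null };
        users.set(user.id, user);
        return json(201, user);
      }
      return json(405, { error: 'method not allowed' });
    }

    // Item endpoints.
    const existing = users.get(id);
    if (method === 'GET') {
      return existing ? json(200, existing) : json(404, { error: 'not found' });
    }
    if (method === 'PUT') {
      // PUT is idempotent and replaces the whole resource: fields omitted from the
      // body are reset, and a PUT to an unknown id creates the resource at that id.
      if (!validName(body)) return json(400, { error: 'name is required' });
      const user = { id, name: body.name, email: body.email ?? null };
      users.set(id, user);
      return json(existing ? 200 : 201, user);
    }
    if (method === 'PATCH') {
      // PATCH merges only the supplied (and permitted) fields into the existing resource.
      if (!existing) return json(404, { error: 'not found' });
      const updated = { ...existing, ...pick(body) };
      users.set(id, updated);
      return json(200, updated);
    }
    if (method === 'DELETE') {
      if (!existing) return json(404, { error: 'not found' });
      users.delete(id);
      return { status: 204, body: null };
    }
    return json(405, { error: 'method not allowed' });
  }

  return { handle };
}
```

Because `handle()` depends only on the request and the resource store, two replicas behind a load balancer behave identically for the same request, which is the practical payoff of the statelessness constraint.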
REST vs SOAP
| Aspect | REST | SOAP |
|---|---|---|
| Type | Architectural style | Protocol |
| Payload | JSON (commonly) | XML |
| Complexity | Lower | Higher |
| Contract | Optional | Strong (WSDL) |
| Modern APIs | Preferred | Legacy/enterprise |
REST favors flexibility and performance; SOAP favors strict contracts and enterprise features.
REST and security
REST APIs are commonly secured using:
- TLS (HTTPS) for transport security
- Token-based authentication (OAuth, JWT)
- API keys (basic scenarios)
- Rate limiting and input validation
Security is enforced outside REST itself, via standards and controls.
REST in enterprise and cloud environments
Organizations use REST for:
- Public and partner APIs
- Microservices communication
- SaaS integrations
- Mobile and web backends
- Headless CMS delivery (including Strapi)
REST integrates well with API gateways and cloud-native tooling.
REST limitations
REST may be less suitable when:
- Strict contracts and transactions are required
- Real-time, bidirectional communication is needed
- Over/under-fetching becomes problematic (GraphQL may help)
REST is often complemented by other approaches.
Common misconceptions
- "REST is a protocol"
- "Any HTTP API is RESTful"
- "REST requires JSON"
- "REST handles authentication by itself"