10 REST API MISTAKES TO AVOID
Abiodun Paul Ogunnaike

If you're building APIs with WordPress, Laravel or Node.js, this might hit a bit close to home.

A lot of developers aren’t really designing APIs;
they’re just returning JSON and calling it a day.

And that’s where things start to fall apart.

Because a solid API isn’t just something that “works.”
It should be consistent, scalable, predictable, and easy for other developers to use.

Let’s break down some of the most common mistakes and how to fix them 👇

❌ 1. Using Verbs in URLs

Wrong

GET /getBooks  
POST /createBook 
DELETE /deleteBook/1

Right

GET /books  
POST /books 
DELETE /books/1

👉 URLs should represent resources (nouns) — not actions.
HTTP methods already define the action.

❌ 2. Ignoring HTTP Status Codes

Wrong

200 OK
{ "status": "error", "message": "User not found" }

Right

  • 200 → Success
  • 201 → Created
  • 400 → Bad Request
  • 401 → Unauthorized
  • 403 → Forbidden
  • 404 → Not Found
  • 422 → Validation Error
  • 500 → Server Error

👉 Status codes are part of your API contract.

❌ 3. Inconsistent JSON Structure

Wrong

{ "userName": "Paul" }
{ "username": "Paul" }

Right

  • Pick one style: snake_case OR camelCase
  • Use it everywhere

👉 Consistency builds trust.

❌ 4. No API Versioning

Wrong

/books

Right

/api/v1/books
/api/v2/books

👉 Versioning prevents breaking existing clients.

❌ 5. No Pagination

Wrong

GET /books → returns 10,000 records

Right

GET /books?page=1&limit=10
{
  "data": [],
  "meta": {
    "current_page": 1,
    "total": 1000
  }
}

👉 Pagination improves performance, scalability, and UX.

❌ 6. Mixing Authentication & Authorization

  • Authentication = Who are you?
  • Authorization = What can you do?

👉 Use proper tools:

  • JWT / OAuth
  • Laravel Sanctum / Passport
  • Never trust frontend validation alone.

❌ 7. Poor Error Handling

Bad

"Something went wrong"

Good

{
  "error": {
    "code": 404,
    "message": "Book not found"
  }
}

👉 Errors should be predictable and structured.
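Mistakes 2 and 7 are two halves of the same contract: the status code tells the client what kind of outcome it got, and the body tells it why, in a structure it can parse. The following added example (written for this post; not the author's code and not a WordPress, Laravel or Node framework API) shows one way to make both consistent. `ApiError`, the `books` store, `getBook`, `createBook` and `respond` are all constructed for the example; the error body follows the shape in the post, with an extra `type` string and optional `details`.

```javascript
// Every failure the API knows how to report carries its HTTP status and a
// machine-readable type; the status is never hidden inside a 200 response.
class ApiError extends Error {
  constructor(status, type, message, details) {
    super(message);
    this.status = status;
    this.type = type;
    this.details = details;
  }
}

// Constructed in-memory store standing in for a database table.
const books = new Map([[1, { id: 1, title: 'Designing APIs' }]]);

// GET /books/:id
function getBook(idParam) {
  if (!/^[1-9]\d*$/.test(String(idParam))) {
    throw new ApiError(400, 'invalid_id', 'Book id must be a positive integer');
  }
  const book = books.get(Number(idParam));
  if (!book) throw new ApiError(404, 'not_found', 'Book not found');
  return book;
}

// POST /books
function createBook(body) {
  const problems = [];
  if (typeof body.title !== 'string' || body.title.trim() === '') {
    problems.push({ field: 'title', message: 'title is required' });
  }
  if (problems.length > 0) {
    throw new ApiError(422, 'validation_failed', 'Validation failed', problems);
  }
  const id = Math.max(0, ...books.keys()) + 1;
  const book = { id, title: body.title.trim() };
  books.set(id, book);
  return book;
}

// Run a handler and translate its outcome into { status, body }. The body
// shape follows the post, { "error": { "code": <status>, "message": ... } },
// plus "type" and optional "details" so clients can branch without parsing text.
function respond(handler, args, successStatus = 200) {
  try {
    return { status: successStatus, body: { data: handler(...args) } };
  } catch (err) {
    if (err instanceof ApiError) {
      const error = { code: err.status, type: err.type, message: err.message };
      if (err.details !== undefined) error.details = err.details;
      return { status: err.status, body: { error } };
    }
    // Unexpected exception: generic 500. Log err server-side, but never send
    // the stack trace or the internal message to the client.
    return {
      status: 500,
      body: { error: { code: 500, type: 'internal_error', message: 'Internal server error' } },
    };
  }
}
```

The `respond` wrapper is where the two rules meet: known failures map to the status and structure the contract promises, and anything unexpected becomes a deliberately generic 500 so internal details stay out of responses.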

❌ 8. Bad Filtering & Sorting

Wrong

GET /getActiveEventsSortedByName

Right

GET /events?status=active&sort=name

👉 Keep it clean, flexible, and scalable.
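Pagination (mistake 5) and filtering/sorting (mistake 8) both come down to reading query-string parameters safely, so one added example covers both. This is example code written for this post, not the author's and not a Laravel or Node framework feature; the `EVENTS` rows, the `FILTERS` and `SORT_FIELDS` allowlists, and the `parseListQuery` and `listEvents` functions are all constructed. The point a practitioner cares about is that every parameter is validated against an allowlist before it touches a query: a page of `0`, a limit of `99999`, a sort on a column the client should not know about, or a filter value that is not one of the known states all get a structured 400 instead of being passed through.

```javascript
// Constructed sample data standing in for an events table.
const EVENTS = [
  { id: 1, name: 'Charlie', status: 'active', starts_at: '2024-03-01' },
  { id: 2, name: 'Alpha', status: 'active', starts_at: '2024-01-15' },
  { id: 3, name: 'Bravo', status: 'cancelled', starts_at: '2024-02-10' },
  { id: 4, name: 'Delta', status: 'active', starts_at: '2024-04-05' },
  { id: 5, name: 'Echo', status: 'draft', starts_at: '2024-05-20' },
];

// Allowlists: only these fields can be filtered or sorted on. Anything else
// (including internal columns) is rejected instead of being passed through.
const FILTERS = { status: new Set(['active', 'cancelled', 'draft']) };
const SORT_FIELDS = new Set(['name', 'starts_at']);
const DEFAULT_LIMIT = 10;
const MAX_LIMIT = 100;

function parsePositiveInt(raw) {
  return /^[1-9]\d*$/.test(raw) ? Number(raw) : null;
}

// Turn raw query-string parameters into a validated query or a list of errors.
function parseListQuery(query) {
  const errors = [];
  const known = new Set(['page', 'limit', 'sort', ...Object.keys(FILTERS)]);
  for (const key of Object.keys(query)) {
    if (!known.has(key)) errors.push({ param: key, message: 'unknown parameter' });
  }

  let page = 1;
  if (query.page !== undefined) {
    page = parsePositiveInt(query.page);
    if (page === null) errors.push({ param: 'page', message: 'must be a positive integer' });
  }
  let limit = DEFAULT_LIMIT;
  if (query.limit !== undefined) {
    limit = parsePositiveInt(query.limit);
    if (limit === null) errors.push({ param: 'limit', message: 'must be a positive integer' });
    else limit = Math.min(limit, MAX_LIMIT); // clamp rather than return everything
  }

  const filters = {};
  for (const [field, allowed] of Object.entries(FILTERS)) {
    if (query[field] === undefined) continue;
    if (typeof query[field] === 'string' && allowed.has(query[field])) filters[field] = query[field];
    else errors.push({ param: field, message: `must be one of ${[...allowed].join(', ')}` });
  }

  let sort = null;
  if (query.sort !== undefined) {
    const raw = typeof query.sort === 'string' ? query.sort : '';
    const desc = raw.startsWith('-');
    const field = desc ? raw.slice(1) : raw;
    if (SORT_FIELDS.has(field)) sort = { field, desc };
    else errors.push({ param: 'sort', message: `must be one of ${[...SORT_FIELDS].join(', ')}` });
  }

  return { page, limit, filters, sort, errors };
}

// GET /events?status=active&sort=name&page=1&limit=10
function listEvents(query, rows = EVENTS) {
  const q = parseListQuery(query);
  if (q.errors.length > 0) {
    return { status: 400, body: { error: { code: 400, message: 'Invalid query', details: q.errors } } };
  }
  let result = rows.filter((row) => Object.entries(q.filters).every(([k, v]) => row[k] === v));
  if (q.sort) {
    const { field, desc } = q.sort;
    result = [...result].sort((a, b) => {
      const cmp = a[field] < b[field] ? -1 : a[field] > b[field] ? 1 : 0;
      return desc ? -cmp : cmp;
    });
  }
  const total = result.length;
  const start = (q.page - 1) * q.limit;
  return {
    status: 200,
    body: {
      data: result.slice(start, start + q.limit),
      meta: { current_page: q.page, per_page: q.limit, total, total_pages: Math.ceil(total / q.limit) },
    },
  };
}
```

Two design choices are worth calling out. Unknown parameters are rejected rather than ignored, so a misspelled filter fails loudly instead of silently returning the whole collection. And `limit` is clamped to `MAX_LIMIT` rather than rejected, because a client asking for "more" is usually harmless while a server handing out 10,000 rows is not; the `meta` block tells the client the limit that was actually applied.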

❌ 9. Ignoring Security

Common mistakes:

  • No rate limiting
  • No validation
  • No HTTPS
  • Exposing sensitive data

👉 Best practices:

  • Always use HTTPS
  • Validate all inputs
  • Add rate limiting
  • Hide sensitive/internal fields

❌ 10. Designing APIs Around Your Database

Bad mindset

“This is my table structure”

Good mindset

“This is what the client needs”

👉 Your API is a contract, not a database mirror.
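Two of the security best practices from mistake 9 (rate limiting and hiding internal fields) and the contract-not-mirror point from mistake 10 fit naturally in one handler, so the following added example covers both. It is written for this post and is not the author's code or a framework feature; `RateLimiter`, the `userRow` sample (with placeholder values for the secret columns), `presentUser` and `getCurrentUser` are all constructed. HTTPS is not shown because it is handled by TLS termination in front of the application, not in handler code.

```javascript
// Fixed-window rate limiter keyed by caller (API key, user id or client IP).
// In-memory for the example; a multi-instance deployment would keep the
// counters in a shared store.
class RateLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.windows = new Map();
  }

  // Count one request and report whether it is within the limit.
  hit(key, now = Date.now()) {
    const windowStart = now - (now % this.windowMs);
    let entry = this.windows.get(key);
    if (!entry || entry.windowStart !== windowStart) {
      entry = { windowStart, count: 0 };
      this.windows.set(key, entry);
    }
    entry.count += 1;
    return {
      allowed: entry.count <= this.limit,
      remaining: Math.max(0, this.limit - entry.count),
      retryAfterSeconds: Math.ceil((windowStart + this.windowMs - now) / 1000),
    };
  }
}

// Constructed row as a users table would return it. Several columns are
// internal and must never be serialised to a client.
const userRow = {
  id: 42,
  email: 'paul@example.com',
  display_name: 'Paul',
  password_hash: '<placeholder-password-hash>',
  totp_secret: '<placeholder-totp-secret>',
  internal_notes: 'flagged for manual review',
  created_at: '2024-01-01 10:00:00',
  updated_at: '2024-02-01 12:30:00',
  deleted_at: null,
};

// The client-facing shape is an explicit allowlist chosen for the client
// (mistake 10), which also guarantees internal fields are omitted (mistake 9).
// Spreading the row (`{ ...row }`) would leak every new column automatically.
function presentUser(row) {
  return {
    id: row.id,
    email: row.email,
    name: row.display_name,
    joined_at: new Date(row.created_at.replace(' ', 'T') + 'Z').toISOString(),
  };
}

const SENSITIVE_FIELDS = ['password_hash', 'totp_secret', 'internal_notes'];

// GET /users/me with rate limiting applied before any work is done.
function getCurrentUser(clientKey, limiter, now = Date.now()) {
  const rl = limiter.hit(clientKey, now);
  const headers = {
    'X-RateLimit-Limit': String(limiter.limit),
    'X-RateLimit-Remaining': String(rl.remaining),
  };
  if (!rl.allowed) {
    return {
      status: 429,
      headers: { ...headers, 'Retry-After': String(rl.retryAfterSeconds) },
      body: { error: { code: 429, message: 'Too many requests' } },
    };
  }
  const body = { data: presentUser(userRow) };
  // Defence in depth: fail closed if a sensitive column name ever appears in
  // the serialised output, whatever the presenter above does in future.
  const serialised = JSON.stringify(body);
  for (const field of SENSITIVE_FIELDS) {
    if (serialised.includes(field)) throw new Error(`refusing to send internal field ${field}`);
  }
  return { status: 200, headers, body };
}
```

The `Retry-After` and `X-RateLimit-*` headers make the limit part of the contract rather than a surprise, which is the same principle as the status-code section: clients can back off correctly only if the API tells them what happened.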

What Good APIs Look Like

  • Versioned endpoints
  • Consistent naming
  • Proper status codes
  • Pagination
  • Filtering & sorting
  • Secure authentication
  • Structured errors
  • Resource-based URLs

REST API design isn’t about returning JSON.

It’s about:

  • Consistency
  • Scalability
  • Predictability
  • Security
  • Developer Experience

When your API is clean and predictable…
developers love working with it.
