DEV Community: Wongsaphat Nakmuang The latest articles on DEV Community by Wongsaphat Nakmuang (@beeworkk). https://dev.to/beeworkk https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3963681%2F6005ffca-a098-416b-ad1e-194b2518dcb2.jpg DEV Community: Wongsaphat Nakmuang https://dev.to/beeworkk en # What I'm Learning About API Design in My First Month as a Backend Engineer Wongsaphat Nakmuang Tue, 02 Jun 2026 07:04:21 +0000 https://dev.to/beeworkk/-what-im-learning-about-api-design-in-my-first-month-as-a-backend-engineer-43gf https://dev.to/beeworkk/-what-im-learning-about-api-design-in-my-first-month-as-a-backend-engineer-43gf <p>Thirty seconds into my first code review at work, my senior engineer pointed at my error response and said:</p> <p><em>"This works. But if I'm a frontend dev consuming this at 2am trying to debug a production issue — this tells me nothing."</em></p> <p>I had returned this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"success"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Error"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>That moment changed how I think about API design forever.</p> <p>I'm Wongsaphat — a Junior Backend Engineer, 30 days into my first real job at INET (Internet Thailand). Before this, I spent years in university learning the theory. But theory and production are two very different things.</p> <p>This article isn't a guide from an expert. It's an honest look at what I'm learning — the hard way — about designing APIs that other developers actually want to use.</p> <h2> Lesson 1: Error Responses Are a Product Feature </h2> <p>Before my job, I thought error handling meant wrapping code in <code>try/catch</code> and returning <code>500</code> if something broke.</p> <p>I was wrong.</p> <p>An error response is the first thing a frontend developer sees when something goes wrong. If it's vague, they have to come find you. If it's clear, they can fix it themselves.</p> <p><strong>What I was doing:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"success"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Error"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>What I learned to do instead:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"error"</span><span class="p">,</span><span class="w"> </span><span class="nl">"code"</span><span class="p">:</span><span class="w"> </span><span class="mi">422</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Validation failed"</span><span class="p">,</span><span class="w"> </span><span class="nl">"errors"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"field"</span><span class="p">:</span><span class="w"> </span><span class="s2">"email"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Email is required"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"field"</span><span class="p">:</span><span class="w"> </span><span class="s2">"password"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Password must be at least 8 characters"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The difference? The second one tells you <strong>exactly</strong> what went wrong and <strong>where</strong>. No guessing. No Slack messages asking "hey what does this error mean?"</p> <p><strong>The rule I now follow:</strong> Every endpoint in my API returns the same error structure. Always. No exceptions.</p> <h2> Lesson 2: Consistency Is More Important Than Cleverness </h2> <p>Early on, I was inconsistent without realizing it. Some endpoints returned:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"user"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Others returned:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"result"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>And some just returned the raw object:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Wongsaphat"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>All three "worked." But from a frontend developer's perspective, every endpoint behaved differently. They had to read the docs (or ask me) for every single endpoint.</p> <p><strong>What I do now — one response structure for everything:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">Success</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="err">single</span><span class="w"> </span><span class="err">resource</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"success"</span><span class="p">,</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Wongsaphat"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"wongsaphat@example.com"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Success</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="err">list</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"success"</span><span class="p">,</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="err">...</span><span class="p">],</span><span class="w"> </span><span class="nl">"pagination"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"page"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"limit"</span><span class="p">:</span><span class="w"> </span><span class="mi">20</span><span class="p">,</span><span class="w"> </span><span class="nl">"total"</span><span class="p">:</span><span class="w"> </span><span class="mi">100</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Error</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"error"</span><span class="p">,</span><span class="w"> </span><span class="nl">"code"</span><span class="p">:</span><span class="w"> </span><span class="mi">404</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"User not found"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Pick a structure. Use it everywhere. Your future teammates will thank you.</p> <h2> Lesson 3: Auth Is Not Something You Add Later </h2> <p>This one came from my professor, not my job — but I saw why it mattered once I started working.</p> <p>When you're building fast, it's tempting to skip auth on endpoints because "I'll add it later." The problem is later never comes, or comes too late.</p> <p>Here's what I now implement from day one — no exceptions:</p> <p><strong>JWT with expiry:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ❌ Don't do this — no expiry</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">({</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span> <span class="p">},</span> <span class="nx">SECRET_KEY</span><span class="p">)</span> <span class="c1">// ✅ Do this — short-lived access token</span> <span class="kd">const</span> <span class="nx">accessToken</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span> <span class="p">},</span> <span class="nx">SECRET_KEY</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">15m</span><span class="dl">'</span> <span class="p">}</span> <span class="p">)</span> <span class="c1">// ✅ Plus a refresh token for longer sessions</span> <span class="kd">const</span> <span class="nx">refreshToken</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span> <span class="p">},</span> <span class="nx">REFRESH_SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">7d</span><span class="dl">'</span> <span class="p">}</span> <span class="p">)</span> </code></pre> </div> <p><strong>Return the right status code for auth failures:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// 401 = not authenticated (no token / invalid token)</span> <span class="c1">// 403 = authenticated but no permission</span> <span class="c1">// ❌ Using 403 for everything</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Forbidden</span><span class="dl">"</span> <span class="p">})</span> <span class="c1">// ✅ Correct</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Authentication required</span><span class="dl">"</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">hasPermission</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Access denied</span><span class="dl">"</span> <span class="p">})</span> </code></pre> </div> <p>Mixing up <code>401</code> and <code>403</code> seems small, but it breaks automated tools and confuses developers integrating with your API.</p> <h2> Lesson 4: Name Your Endpoints Like a Human, Not a Computer </h2> <p>This took me embarrassingly long to internalize.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// ❌ What I used to write GET /getUsers POST /createUser PUT /updateUser/1 DELETE /deleteUser/1 // ✅ What I write now GET /users POST /users PUT /users/1 DELETE /users/1 </code></pre> </div> <p>The HTTP method already tells you the action. The URL should only describe the <strong>resource</strong>. Nouns, not verbs.</p> <p>One more thing — be consistent with casing. Pick one and stick to it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>✅ /user-profiles (kebab-case — recommended) ❌ /userProfiles (camelCase — avoid in URLs) ❌ /user_profiles (snake_case — inconsistent with REST conventions) </code></pre> </div> <h2> What I'm Still Figuring Out </h2> <p>I want to be honest — there's a lot I don't have answers to yet:</p> <ul> <li> <strong>When should I use GraphQL vs REST?</strong> I understand both conceptually, but I haven't built enough real systems to have a strong opinion.</li> <li> <strong>How do you version APIs without breaking existing clients?</strong> I know the theory (<code>/api/v1/</code>, <code>/api/v2/</code>), but handling it gracefully in practice is still unclear to me.</li> <li> <strong>Rate limiting strategy</strong> — what's the right limit for different endpoint types?</li> </ul> <p>If you have experience with any of these, I'd genuinely love to hear your approach in the comments.</p> <h2> Summary </h2> <p>Here's what changed in my thinking since starting work:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Before</th> <th>After</th> </tr> </thead> <tbody> <tr> <td>Error = <code>{ "success": false }</code> </td> <td>Error = structured, field-level details</td> </tr> <tr> <td>Different response shape per endpoint</td> <td>One consistent envelope for everything</td> </tr> <tr> <td>Add auth "later"</td> <td>Auth from day one, JWT with expiry</td> </tr> <tr> <td> <code>/getUsers</code>, <code>/createUser</code> </td> <td> <code>/users</code> with correct HTTP methods</td> </tr> </tbody> </table></div> <p>None of this is revolutionary. But consistently doing these four things makes the difference between an API that developers enjoy working with — and one they complain about in Slack.</p> <h2> What's Next </h2> <p>I'm documenting everything I learn as I go. Next up:</p> <ul> <li> <strong>REST vs GraphQL: My Honest Take as a Junior Dev</strong> — what I've actually used and what I think</li> <li> <strong>5 API Design Mistakes I Made (And How I Fixed Them)</strong> — a more detailed breakdown of real errors from my first weeks</li> </ul> <p>If this was useful, follow me here on Dev.to — I post regularly about Backend Engineering and API Design, in both English and Thai 🇹🇭</p> <p>Also check out my <a href="https://github.com/Bee34949/api-design-checklist" rel="noopener noreferrer">API Design Checklist on GitHub</a> — a living document I update as I learn.</p> <p><em>Questions, disagreements, or things I got wrong? Drop them in the comments. I'm here to learn.</em> 🌱</p> api backend beginners webdev