API Creation to Iteration without the Frustration

APICreationtoIterationWithouttheFrustration

steverice/pagerduty-api-v2-deck

SteveRicesoftwareengineer

frontend,backend,APIs

APICaptainatPagerDutyinSanFrancisco

PlatformTeam


WhatisPagerDuty?incidentresolutionplatformtriageeventsnotifyrespondersmanageincidentresponseSaaSproduct~250employees,startedwithhalfthatRails,MySQL,Scala,Cassandra,Kafka,etc.Backbone,Ember.js,Android+iOS


https://web.archive.org/web/20130116145245/http://developer.pagerduty.com/


https://web.archive.org/web/20130116145245/http://developer.pagerduty.com/

#Thiscontrollerisforcommunicationbetweenthemainapp#serverandotherprocessesinthesystem.Theideahereis#thatthisshouldn’tbeexposedtotheoutsideworld.


https://web.archive.org/web/20130312085114/http://blog.pagerduty.com/2012/09/you-have-the-power/


https://web.archive.org/web/20130312085114/http://blog.pagerduty.com/2012/09/you-have-the-power/


Research


StandontheShouldersofGiants


ConferencesandTalkshttps://www.heavybit.com/library/video/move-fast-dont-break-api/

http://amberonrails.com/move-fast-dont-break-your-api/


https://www.heavybit.com/library/video/move-fast-dont-break-api/

http://amberonrails.com/move-fast-dont-break-your-api/

DeveloperBlogshttps://blogs.dropbox.com/developers/2015/04/a-preview-of-the-new-dropbox-api-v2/


https://blogs.dropbox.com/developers/2015/04/a-preview-of-the-new-dropbox-api-v2/

ProtocolsandHypermediaTypesHAL:OData:Collection+JSON:

JSON-API:JSON-LD:GData:GraphQL:Siren:

http://stateless.co/hal_specification.htmlhttp://www.odata.org

https://github.com/collection-json/spec

http://jsonapi.orghttp://json-ld.org

https://developers.google.com/gdata/http://graphql.org

https://github.com/kevinswiber/sirenhttps://sookocheff.com/post/api/on-choosing-a-hypermedia-format/


http://stateless.co/hal_specification.html

http://www.odata.org/

https://github.com/collection-json/spec

http://jsonapi.org/

http://json-ld.org/

https://developers.google.com/gdata/

http://graphql.org/

https://github.com/kevinswiber/siren

https://sookocheff.com/post/api/on-choosing-a-hypermedia-format/

Plan


Makedecisions.


GototheSourcehttps://github.com/dropbox/pygerduty


https://github.com/dropbox/pygerduty

Pouroverlogswhichendpointsaren’tbeingused?whichendpointsarebeingusedinwaystheyshouldn’t?whichcustomersareusingtheAPIs?


An example of a relationship is Notification Rules, whose primary meaning is as a link between a user and a contact method.No individual notification rule has a unique, name-worthy meaning, and so they are handled (read and written) only as acollection. There is no compelling reason to update a single notification rule in place rather than replace the entire object witha new one. While this might seem like a significant loss of functionality, data shows that a trivially small number of clientsoutside of the PagerDuty web app are using it:

over the last 30 days, only 11 requests were made to PUTnotification_rules/id using non-cookie authentication,and all by the subdomain redacted. While the mobile team experimented with it in the latest "Edit Notification Rules"update in 3.6, they've confirmed that that endpoint isn't being used.

Similarly, the escalation rules relationship sees little in-place use:

over the last 30 days, only one request was made to PUTescalation_rules/id using non-cookie authentication.


https://v1.developer.pagerduty.com/documentation/rest/users/notification_rules

http://localhost:9000/pitchme/gist/2f939ec894dfadc749bd1ac4b74c3d13#one-to-many

http://localhost:9000/pitchme/gist/redacted

https://v1.developer.pagerduty.com/documentation/rest/escalation_policies/escalation_rules/update


http://localhost:9000/pitchme/gist/redacted


This document outlines the vision and scope for v2 of the API.

Ordered lists represent prioritized order. We recannot accomplish everything at once, and thus everything needs to beprioritized sooner or later. I choose sooner.

This document does not attempt to present a comprehensive record of all the changes that will be made, as those will becaptured by stories in JIRA. Instead, it establishes the goals, principles, and patterns that we'll use to make the decisionsabout what needs to change.

It is a living document and will evolve as we discover new edge cases and outliers that weren't previously considered.

Goals

What are we trying to accomplish with API v2?

These are the high-level goals, in priority order:

1. iterationleave well enough alone

2. adoptionprove the effectiveness of our versioning strategy

3. consistencyprovide consistency across endpoints

4. performancefix design decisions that have led to performance problems

see Deprecated API Functionalityenable greater cacheability

5. semanticsbetter use of generic HTTP libraries and patterns


https://pagerduty.atlassian.net/issues/?filter=16920

http://localhost:9000/pitchme/gist/e33e5d401e5f8fa9e260ba1b7a20bdd2#iteration

http://localhost:9000/pitchme/gist/e33e5d401e5f8fa9e260ba1b7a20bdd2#adoption

http://localhost:9000/pitchme/gist/e33e5d401e5f8fa9e260ba1b7a20bdd2#consistency

http://localhost:9000/pitchme/gist/e33e5d401e5f8fa9e260ba1b7a20bdd2#performance

http://localhost:9000/pitchme/gist/e33e5d401e5f8fa9e260ba1b7a20bdd2#deprecated-api-functionality

http://localhost:9000/pitchme/gist/e33e5d401e5f8fa9e260ba1b7a20bdd2#semantics

PickyourBattlesDon’tchangewhatworksPrioritizeKeepbulletsawayfromfeet


header-andkey-basedversioningAccept:application/vnd.pagerduty+json;version=2


canonicalAPIsubdomaininitech.pagerduty.com

acmemonitoring.pagerduty.com

evilcorp.pagerduty.com

api.pagerduty.com


usestandardsrespectHTTPsemanticsISO8601IANAtzinfo


deprecatebasicauth


performancetweak{"incidents":[{"id":"P1R8NC6","type":"incident","summary":"[#7893]Thereare2Charizardnearby!","self":"https://api.pagerduty.com/incidents/P1R8NC6",}],"limit":1,"offset":0,"total":null,//don'tcareaboutthis"more":true//moreresourcesavailable}


consistency


ChangethePlan


ProcessisParamount


your prototype is not making any breaking changes to existing contracted APIs

What constitutes approval?

An API is not approved until it's been merged into the Captain's Log.

Wild Clients

Any client that PagerDuty cannot, at a whim, revoke or modify without customer impact, is a "wild client". These clients areoutside PagerDuty's control. These include:

Mobile apps that have been shipped to a public app storeClients or client libraries written by third parties based on our published documentationClient libraries that have been written and released by PagerDuty

Managed Clients

Any client whose distribution is controlled entirely by PagerDuty is a "managed client". This control includes the ability tostop users of the client from being able to use it at any time.

Clients that are under PagerDuty's control include:

the Backbone-based Web appthe Ember-based Web UI appthe mobile-web appWatchdogMobile apps that are only available on an internal testing platform (Crashlytics Beta, Deploygate)

However, you should still expect to modify managed clients if you're making a change to an API change they depend upon— otherwise the client will break!


https://github.com/PagerDuty/ios

https://github.com/PagerDuty/android

https://developer.pagerduty.com/

https://github.com/PagerDuty/web/tree/master/app/assets/javascripts

https://github.com/PagerDuty/web-ui

https://github.com/PagerDuty/mobile-web

https://github.com/PagerDuty/watchdog

https://github.com/PagerDuty/ios

https://github.com/PagerDuty/android

https://get.fabric.io/beta

https://deploygate.com/

https://github.com/PagerDuty/flagger


https://github.com/PagerDuty/flagger

Document


Keepitmaintainable


449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

478

479

480

481

service

</td>

<td>

<ahref="/documentation/rest/types#object">Object</a>

</td>

<td>

ThePagerDuty<ahref="/documentation/rest/services/">service</a>thattheincidentbelongsto.Theservicewillcontainfieldsofitsown.

</td>

</tr>

<tr>

<td>

escalation_policy

</td>

<td>

<ahref="/documentation/rest/types#object">Object</a>

</td>

<td>

The<ahref="/documentation/rest/escalation_policies/">escalationpolicy</a>thattheincidentbelongsto.Thepolicywillcontainfieldsofitsown.

</td>

</tr>

<tr>

<td>

teams

</td>

<td>

<ahref="/documentation/rest/types#array">Array</a>

</td>

<td>



The<ahref="/documentation/rest/teams/">teams</a>involvedintheincident’slifecycle.Theteamswillcontainfieldsoftheirown.





NOTE:Youmustexplicitlyinclude<code>teams</code>inthe<code>fields</code>parameterinordertoincludeitintheresponse. steverice/pagerduty-api-v2-deck

Domain-specifictechnologies


4282

4283

4284

4285

4286

4287

4288

4289

4290

4291

4292

4293

4294

4295

4296

4297

4298

4299

4300

4301

4302

4303

4304

4305

4306

4307

4308

4309

4310

4311

4312

4313

4314

"summary":"Createateam",

"parameters":[{

"name":"team",

"in":"body",

"description":"Theteamtobecreated.",

"schema":{

"type":"object",

"properties":{

"team":{

"$ref":"#/definitions/Team"

}

},

"required":["team"]

}

}],

"responses":{

"201":{

"description":"Theteamthatwascreated.",

"schema":{

"type":"object",

"properties":{

"team":{

"$ref":"#/definitions/Team"

}

},

"required":["team"]

},

"examples":{

"application/json":{

"team":{

"id":"PQ9K7I8",

"type":"team",

"summary":"Engineering", steverice/pagerduty-api-v2-deck

ConsidertheHumans


https://stripe.com/docs/api


https://stripe.com/docs/api

Makeitinteractive


Rememberyouraudience


Develop


KeepitSimpleclassApi::V2::EscalationPolicyAdapter::Base<ApiDuty::Adapterroot_attribute:escalation_policy

validate:name,validator::is_stringvalidate:escalation_rules,validator::is_arrayvalidate:description,validator::is_stringvalidate:num_loops,validator::is_integervalidate:teams,validator::is_arrayvalidate:teams,validator:make_validator_each(make_validator_object_resource(%w(team).freeze))

passthrough:name,:descriptiongenerate:num_repeats,from::num_loopsdo|num|num.to_i+1endgenerate:escalation_policies_teams_attributes,from::teams,generator::teams_join_paramsgenerate:escalation_policies_teams_attributes,from::teams,generator:make_generator_default([])


KeepitSimplemoduleApimoduleV2classSchedulesController<Api::V1::SchedulesControllerendendend


BepragmaticDRYisnotagod

defunwrapped_incident_json#V2+:incidentobjectiswrapped.json[:incident]end

defassert_assigned_to_user(json,user)#V2+:assigned_to_userisremovedassert_not_includejson.keys,’assigned_to_user’end

defassert_reassigned_to_user(json,user)#V2+:assigned_to_userisremovedassert_not_includejson.keys,’assigned_to_user’end

defassert_incident_count(expected,json)assert_equal(expected,json)end


Test


Dogfood.Everything.



Automate


Trust,butVerifydefself.compare_json(old,new,consider_ordering=false)returntrueifold==new

old,new=*[old,new].map(&JSON.method(:parse))

unlessconsider_ordering#Recursivelysorthashkeyssothediffignoresorderingoriginal=self.sort_recursively(original)modified=self.sort_recursively(modified)

#Quicktest,incasethesortedhashesareequalreturntrueiforiginal==modifiedendreturnfalseend


Connect




Hello,

Thanks for your continued interest and use of the PagerDuty API.

We're writing to let you know that as of November 4th, 2015, we will be discontinuing the ability to authenticate against theAPI using HTTP Basic Authentication (PagerDuty username and password), which has been deprecated since mid-2014.

We are doing this to improve security of PagerDuty accounts by limiting the spread of PagerDuty user passwords, which aredifficult to audit and revoke should they become compromised.

Additionally, the need to authenticate a user via HTTP Basic Authentication imposes a performance penalty on every APIrequest due to the robust hashing techniques we use to store and validate user passwords. This is done by design to makebrute forcing passwords computationally infeasbile.

Switching away from basic authentication will improve the security of your users' passwords and make your API requestsfaster.

We've identified your PagerDuty account as one that is likely using HTTP Basic Authentication for automated HTTP requestsagainst our API. The following PagerDuty users on your account are making recurring Basic Authentication requests:${USER_NAME} ${USER_EMAIL}

If you don't recognize any of these users as being used with a PagerDuty integration or don't believe you are using HTTPBasic Authentication, please let us know and we can investigate further to help identify your integration.

If you are using a third-party client, tool, or library to connect to PagerDuty, check with the vendor/maintainer for an updatedversion that supports API Token Authentication. If you maintain such an integration internally, your development team canrefer to our authentication documentation at https://developer.pagerduty.com/documentation/rest/authentication to learnmore about using API Tokens.

Should you have any questions, don't hesitate to reach out. We recommend making the necessary changes well in advanceof the November 4th deadline to provide ample time for testing and prevent any interruption in service.


https://developer.pagerduty.com/release_notes#june-16-2014

https://developer.pagerduty.com/documentation/rest/authentication

https://www.pagerduty.com/blog/pagerduty-api-v2-now-in-beta/

Instead, we've focused on refining, standardizing, and simplifying the patterns that appear across our API. We've gotten a lotof great feedback over the years and are addressing a lot of the challenges developers have faced. And we're providingdevelopers with better tools to build on and interact with the API, starting with a brand new developer portal and the ability toplay with API v2 right from a web browser.

Here are just a few of the highlights:

We've simplified our API URLs. Instead of needing to know an account's subdomain, just point all your requests to api.pagerduty.com and we'll figure out what account you wanted from the authentication. No more /api/v1 root patheither — it's as simple as /incidents or /schedules!

We've standardized all of our resource types so that a user is always a user and a service is always a service, no matterwhere they appear in the API.

We're launching a new /oncalls API that makes accessing information about who is on call, when, and for what morestraightforward than it's ever been.

We're adhering even more closely to REST architectural constraints. HTTP verbs work as you'd expect, and URIs areprovided for every resource.

We've given every resource a summary that describes what it is. It's your one-stop-shop for getting text to name andidentify a resource.

Across the board, we've taken steps to simplify or eliminate things in the v1 API that weren't strictly necessary, weren'tbeing used, or caused developer confusion.

Our v1 to v2 migration guide has all the details about what sorts of things have changed, and our new referencedocumentation backed by a comprehensive Open API Initiative Specification contains complete specifics about all of oursupported endpoints.

The PagerDuty Events API is versioned separately and is unaffected by these changes. All of your PagerDuty integrationswill be able to continue sending events to PagerDuty as they always have.


https://www.pagerduty.com/blog/pagerduty-api-v2-now-in-beta/

https://v2.developer.pagerduty.com/

https://v2.developer.pagerduty.com/v2/page/api-reference#/reference/oncalls

https://en.wikipedia.org/wiki/Representational_state_transfer#Architectural_constraints

https://v2.developer.pagerduty.com/v2/page/migrating-to-api-v2

https://pagerduty.readme.io/v2/page/api-reference

https://openapis.org/specification

https://v2.developer.pagerduty.com/v2/page/events-api-reference

Market






Demonstratewebinars

salesdemoslivedemos

customersuccess



What’snext?


Deprecation


BFF


ThePlatformStrategy

https://www.pagerduty.com/features/platform-extensibility/


https://www.pagerduty.com/features/platform-extensibility/


Ittakesavillage


Fin?developer.pagerduty.com


Appendix


ImageCredits"SteveRice"BySteveRice©2016(Ownwork),allrightsreserved"StandontheShouldersofGiants"BySamirEberlin[CC0],viaWikimediaCommons—

"MakeDecisions."BySeppVei(Ownwork)[CC0],viaWikimediaCommons—

"BePragmatic"ByLiveon001©TravisK.Witt(Ownwork)[CCBY-SA3.0( )orGFDL( )],viaWikimediaCommons—"Dogfood.Everything."Originalsourcenotfound.Usedwithoutpermission."Keepitmaintainable"ByDavidJonesfromIsleofWight,UnitedKingdom[ ],viaWikimediaCommons—

"Pouroverlogs"byTimothyMarsee[ ],viaFlickr—

"BFF"ByGuillaumePaumier(Ownwork)[CCBY-SA3.0()],viaWikimediaCommons—

"Fin?"Copyright1984WarnerBros.Pictures,viaCinemaAutopsy—

https://commons.wikimedia.org/wiki/File:Turtles.on.a.stone.in.brazil.jpg

https://commons.wikimedia.org/wiki/File:Bicycle_shed.JPG

http://creativecommons.org/licenses/by-sa/3.0 http://www.gnu.org/copyleft/fdl.htmlhttps://commons.wikimedia.org/wiki/File:Farfalle_Pasta.JPG

CCBY2.0https://commons.wikimedia.org/wiki/File:Mike_O%27Callaghan-

Pat_Tillman_Bridge_construction.jpgCCBY2.0

https://www.flickr.com/photos/tmarsee530/9899684046http://creativecommons.org/licenses/by-

sa/3.0 https://commons.wikimedia.org/wiki/File:Best_Frends_Forever_-_Golden_Gate_bridge_guard_rail_166.jpg

https://blog.cinemaautopsy.com/2013/04/02/film-review-the-neverending-story-1984/


https://commons.wikimedia.org/wiki/File:Turtles.on.a.stone.in.brazil.jpg

https://commons.wikimedia.org/wiki/File:Bicycle_shed.JPG

http://creativecommons.org/licenses/by-sa/3.0

http://www.gnu.org/copyleft/fdl.html

https://commons.wikimedia.org/wiki/File:Farfalle_Pasta.JPG

http://creativecommons.org/licenses/by/2.0

https://commons.wikimedia.org/wiki/File:Mike_O%27Callaghan-Pat_Tillman_Bridge_construction.jpg

http://creativecommons.org/licenses/by/2.0

https://www.flickr.com/photos/tmarsee530/9899684046

http://creativecommons.org/licenses/by-sa/3.0

https://commons.wikimedia.org/wiki/File:Best_Frends_Forever_-_Golden_Gate_bridge_guard_rail_166.jpg

https://blog.cinemaautopsy.com/2013/04/02/film-review-the-neverending-story-1984/

Technology

API Creation to Iteration without the Frustration