0

I am a beginner in REST API development, I read some docs online and now I'm developing a REST API for 2 platforms with different kinds of users.

Which is the most efficient way to choose URL for authentication endpoints in REST API development?

One of the very first rule is never use verbs in REST API URL so these URLs are not correct.

  • /auth/resetPassword
  • /auth/refreshToken
  • /auth/login
  • ...

Reset, refresh, login are all verbs. Are this URLs corrects? What is a better choose?

Then if I have more then one kind of user is correct to use these?

  • /auth/customers/login
  • /auth/admins/login
  • etc.

Login is a verb, is it correct? Then /auth/:entity/ don't seems to me very right for what I read about REST API.

Antonello Gatto
  • 1,603
  • 2
  • 16
  • 29

1 Answers1

0

The 'no verb' rules are not hard rules, they're just an approach to design that people like.

While it's definitely possible to convert every endpoint to something that resembles a noun, and you're just shoving state down the pipe, it's not always desirable. If it really feels like you're trying to square peg in a round hole, you perhaps you are, and something like a 'login' endpoint is definitely a classic example.

But, if you would convert everything to the REST style of "Everything must be a noun and we are PUTing and GETing state", one way to look at this would be:

  1. You are not logging in, you are creating a new session (with PUT or POST).
  2. You are not 'resetting your password', you are sending a PUT request to a password endpoint.

But I am not sure if I would recommend introducing this kind of complexity.

I'd also suggest you look into OAuth2, because it seems like there's at least some overlap in what you're doing and reinventing the wheel is probably inadvisable.

Evert
  • 93,428
  • 18
  • 118
  • 189