Module 04: Web, APIs, And Integration
Understand how systems talk to each other through HTTP, APIs, contracts, auth, and error behavior.
The Mental Model
Section titled “The Mental Model”An API is a promise between systems.
client sends method + path + headers + bodyserver validates + acts + returns status + headers + bodyIf the promise is vague, integration becomes guesswork.
Analogy
Section titled “Analogy”An API is like a restaurant order ticket. If the ticket says “food please”, the kitchen guesses. If it says “one veg thali, no onion, table 7”, the kitchen can act.
HTTP Essentials
Section titled “HTTP Essentials”| Method | Meaning |
|---|---|
GET | Read |
POST | Create or trigger |
PUT | Replace |
PATCH | Partially update |
DELETE | Delete |
| Status | Meaning |
|---|---|
200 | Success |
201 | Created |
400 | Bad request |
401 | Not authenticated |
403 | Not authorized |
404 | Not found |
409 | Conflict |
422 | Valid shape but invalid meaning |
500 | Server failed |
API Contract Shape
Section titled “API Contract Shape”Every endpoint needs:
- Method and path.
- Auth requirement.
- Request schema.
- Response schema.
- Error responses.
- Idempotency behavior.
- Rate limits if needed.
- Example request and response.
Visual: API Boundary
Section titled “Visual: API Boundary”frontend object -> JSON request body -> backend validation schema -> domain object -> database row -> response DTO -> frontend stateIntegration Drill
Section titled “Integration Drill”Design ticket APIs:
POST /ticketsGET /ticketsGET /tickets/{id}POST /tickets/{id}/commentsPATCH /tickets/{id}/statusPOST /tickets/{id}/attachments
For each endpoint, write:
- Who can call it.
- What request it accepts.
- What response it returns.
- What errors are expected.
Failure Cases
Section titled “Failure Cases”- Missing auth token.
- User tries to access another user’s ticket.
- Request body is invalid JSON.
- Required field is missing.
- Status transition is illegal.
- Upload is too large.
- Client retries a create request.
Agentic Angle
Section titled “Agentic Angle”Ask an agent:
Review this API contract. Find ambiguous fields, missing errors, auth gaps,idempotency problems, and mismatches between endpoint names and behavior.Questions
Section titled “Questions”- Why is authentication different from authorization?
- Why should the backend validate even if the frontend already validated?
- When should an endpoint be idempotent?
- What error should an unauthorized user receive?
- What should clients do with a
409? - What makes an API easy for another engineer to use?
- Create
portfolio/04-web-apis-and-integration/api-contract.md. - Write six ticket endpoints.
- Add success and error examples.
- Call one real API with
curl. - Build or mock two endpoints.
- Add validation tests.
- Record request and response evidence.
Done When
Section titled “Done When”- Another learner can build a client using only your contract.
- Expected errors are explicit.
- Auth and authorization rules are visible.
- You have called and inspected real HTTP traffic.