RESTful API Reference & Cheatsheet — Status Codes, Methods & Best Practices
RESTful API Reference & Cheatsheet — Status Codes, Methods & Best Practices
DodaTech
Updated Jun 6, 2026
5 min read
RESTful API reference and cheatsheet for HTTP methods, status codes, caching directives, security patterns, and REST design principles organized for daily use.
What You’ll Learn
- HTTP methods with idempotency and safety at a glance
- Complete status code reference (2xx, 3xx, 4xx, 5xx)
- Cache-Control directives and ETag usage
- Standard error response format
- Security patterns and best practices
Why This Reference Matters
Even experienced developers need quick access to status code ranges, method semantics, and header formats. DodaTech’s engineering team uses this reference daily when building and maintaining Durga Antivirus Pro’s REST API — it ensures consistency across all 50+ endpoints.
flowchart LR
A["REST Reference"] --> B["HTTP Methods"]
A --> C["Status Codes"]
A --> D["Caching"]
A --> E["Security"]
A --> F["Error Format"]
style A fill:#dbeafe,stroke:#2563eb
Prerequisites: Familiarity with REST. This is a reference, not a tutorial — use it alongside the RESTful Resources and RESTful Methods.
HTTP Methods Reference
| Method | CRUD | Safe | Idempotent | Request Body | Response |
|---|---|---|---|---|---|
GET | Read | Yes | Yes | No | 200 OK |
POST | Create | No | No | Yes | 201 Created |
PUT | Replace | No | Yes | Yes | 200 OK |
PATCH | Partial update | No | No | Yes | 200 OK |
DELETE | Delete | No | Yes | No | 204 No Content |
Safe: No server-side side effects. Idempotent: N identical requests produce the same server state as 1 request.
Status Codes Quick Reference
2xx Success
| Code | Meaning | Usage |
|---|---|---|
200 | OK | Standard success for GET, PUT, PATCH |
201 | Created | POST — new resource created |
202 | Accepted | Async processing accepted |
204 | No Content | DELETE — resource removed |
3xx Redirection
| Code | Meaning | Usage |
|---|---|---|
301 | Moved Permanently | Endpoint migrated |
304 | Not Modified | Conditional GET — use cache |
4xx Client Error
| Code | Meaning | Usage |
|---|---|---|
400 | Bad Request | Invalid JSON, missing fields |
401 | Unauthorized | Missing/invalid credentials |
403 | Forbidden | Authenticated but no permission |
404 | Not Found | Resource doesn’t exist |
405 | Method Not Allowed | Wrong HTTP method |
409 | Conflict | Duplicate, stale version |
422 | Unprocessable Entity | Validation failed |
429 | Too Many Requests | Rate limit exceeded |
5xx Server Error
| Code | Meaning | Usage |
|---|---|---|
500 | Internal Server Error | Unexpected failure |
502 | Bad Gateway | Upstream service failed |
503 | Service Unavailable | Overloaded, maintenance |
Cache-Control Directives
| Directive | Meaning | Example |
|---|---|---|
public | Any cache can store | public, max-age=3600 |
private | Only browser cache | private, max-age=600 |
no-store | Never cache | no-store |
no-cache | Revalidate before use | no-cache |
max-age=N | Valid for N seconds | max-age=86400 (1 day) |
must-revalidate | Must check origin | must-revalidate |
Standard Error Response Format
{
"error": {
"code": "VALIDATION_ERROR",
"message": "Human-readable summary",
"details": [
{ "field": "email", "message": "Must be valid email" }
],
"requestId": "req-abc-123"
}
}Security Reference
| Pattern | Implementation | Endpoint Example |
|---|---|---|
| API Key | X-API-Key header | Public read-only endpoints |
| JWT Bearer | Authorization: Bearer <token> | All authenticated endpoints |
| OAuth 2.0 | Authorization code flow | Third-party integrations |
| Rate Limiting | 100 req/min per key | All endpoints |
| HTTPS | TLS 1.2+ enforced | All endpoints |
Design Principles Reference
- Nouns, not verbs:
/users, not/getUsers - Plural collections:
/users,/products,/threats - Nested scope:
/users/{id}/orders - Versioned:
/api/v1/... - Consistent errors: Same JSON structure everywhere
- Idempotent methods: PUT, DELETE (same call, same result)
- Stateless: No server-side sessions, JWT carries state
Common Mistakes
- Inconsistent error formats — clients need different parsers per endpoint
- Not versioning — breaking changes break all existing clients
- Returning 200 for everything — loses semantic meaning
- No caching headers — caches behave unpredictably
- Session state on server — breaks horizontal scaling
- Exposing internal IDs — couples API to DB schema
Practice Questions
- What status code should a POST request return on success?
- Which HTTP methods are idempotent and why?
- What Cache-Control directive prevents any caching?
- What is the difference between 401 and 403?
- How does JWT maintain statelessness?
Answers:
201 Createdwith aLocationheader pointing to the new resource.- GET, PUT, DELETE — calling them multiple times produces the same server state.
Cache-Control: no-store401= not authenticated (missing/invalid credentials).403= authenticated but not authorized.- The JWT contains all user data (ID, role, permissions) signed by the server — no database lookup needed, no server-side state.
Challenge: Create a 5-line implementation of a rate limiter middleware for Express.js that tracks requests by IP and returns 429 when the limit is exceeded.
FAQ
What’s Next
| Topic | Description |
|---|---|
| Firebase Introduction | BaaS platform with real-time database and auth |
| GraphQL Introduction | Flexible data fetching and schema-based APIs |
| SOAP & Web Services | Enterprise API patterns for comparison |
| HTTP Protocol Deep Dive | Foundation protocol for all web APIs |
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro