Application/Json Headers Content-Type: Application/Json

Documenting APIs with Swagger

TC Camp

Peter Gruenbaum Introduction

} Covers } What is an API Definition? } YAML } Open API Specification } Writing Documentation } Generating Documentation } Alternatives to Swagger and the Open API Specification } Presentation and workbook at sdkbridge.com/downloads

© 2018 SDK Bridge Peter Gruenbaum } PhD in Applied Physics from Stanford } Commercial Software Developer } Boeing, Microsoft, start-ups } C#, C++, Java, JavaScript, Objective-C } API Writer } Brought together writing and technology } Since 2003 } President of SDK Bridge } Teacher: Programming at middle, high school, and college

} Swagger and the Open API Specification are ways to define an API } What is an API? } What can you do with an API definition?

API request

API response Creative Commons Attribution 3.0. webdesignhot.com Creative Commons Attribution 3.0. Not a full web page ─ just the data! openclipart.org

The API definition describes: • What requests are available • What the response looks like for each request © 2018 SDK Bridge REST } Swagger and the Open API Specification are designed for RESTful APIs } REST is a type of web API REpresentational State Transfer

API request

API response

I am transferring to you some data that represents the state of your feed

} File describes all the things you can do with an API } Lists every request you can make } Tells you how to make that request } Tells you what the response will look like

} Lets you design the API before implementing it } Helps with automated testing } Automatically create code in several languages } Can be used to automatically generate documentation } Documentation can be interactive

} Historically, Swagger was a specification for how to create an API definition file } After a new version (Swagger 2.0), the specification became the Open API Specification (OAS) } Swagger is now a collection of tools that use the Open API Specification } Many people still refer to OAS as “Swagger”

© 2018 SDK Bridge Open API Initiative } The Open API Initiative (OAI) is an organization created by a consortium of industry experts } Focused on creating, evolving, and promoting a vendor neutral description format. } It is in charge of the Open API Specification, but not in charge of any tools that use it } I will show you version 2.0, and talk about 3.0

© 2018 SDK Bridge Swagger Tools Swagger provides several tools: } Swagger Editor: Helps you write OAS files } Swagger CodeGen: Generates code in popular languages for using your API } Swagger UI: Generates documentation from OAS files } SwaggerHub: Hosted platform for designing and documenting APIs

} http://petstore.swagger.io/

Open API Specification Format

Documenting APIs with Swagger Open API Specification } You can use one of two data formats for OAS: } YAML } JSON } For this seminar, I’ll use YAML

} Stands forYAML Ain’t Markup Language } It’s not a Markup Language like HTML } Used for structured data instead of free-form content } Compared to JSON and XML, it minimizes characters } It's most often used for configuration files, rather than files passed over the web, like JSON

} Key/value pairs are indicated by a colon followed by a space

date: 2017-08-06 firstName: Peter

} Levels are indicated by white space indenting } Cannot be a tab indent

Peter XML Gruenbaum

} Types are determined from context } Example:

string part_no: A4786 description: Photoresistor price: 1.47 float quantity: 4 integer

} In general, you don’t need quotes around strings } Exception: something that will be interpreted as a number or boolean

float price: 11.47 version: "11.47" company: SDK Bridge string

} Use a dash to indicate a cart: list item - part_no: A4786 description: Photoresistor } You don’t need to price: 1.47 declare the list quantity: 4

- part_no: B3443 description: LED color: blue price: 0.29 quantity: 12

© 2018 SDK Bridge Multi-line strings } Because there are no quotation marks on strings, you need special characters for multiline strings } | means preserve lines and spaces } > means fold lines } There are variations: |-, |+, etc. speech: | speech: > Four score Four score and seven years ago and seven years ago Four score and seven years ago Four score and seven years ago © 2018 SDK Bridge Comments } Comments are denoted with the # } Everything after # is ignored

# LED part_no: B3443 description: LED color: blue price: 0.29 # US Dollars quantity: 12

} Although not officially part of YAML, OAS uses references for schemas } Used for request and response bodies } Use $ref to indicate a reference } Typically put the schema in a definitions section

} Write some simple YAML } Follow along in exercise book } Electronic copy available at sdkbridge.com/downloads

What’s in an API Definition file?

Documenting APIs with Swagger What’s an API Definition File? } A file that describes everything you can do with an API } Note: “API” means a collection of related requests } Server location } How security is handled (i.e., authorization) } All the available requests in that API } All the different data you can send in a request } What data is returned } What HTTP status codes can be returned

Method URL Query parameters

POST http://api.example.com/user?source=ios&device=ipad

Accept: application/json Headers Content-type: application/json

{ "name": "Peter Gruenbaum", "email": "[email protected]" Body }

} The HTTP method describes what kind of action to take } GET, POST, PUT, DELETE, etc.

} Example: } https://api.muzicplayz.com/v3/playlist/{playlist-id}?language=en } Path Parameters } {playlist-id} } Query Parameters } language

} For some methods (POST, PUT, etc.) you can specify a request body, often in JSON } The body is treated as a parameter } You specify a schema for the request body

} In REST, the response body can be anything, but is most often structured data, such as JSON } The response object has a schema to describe the structured data } You can have a separate response object for each HTTP status code returned

} Security means authentication and authorization } Can be: } None } Basic Auth } API key } OAuth

© 2018 SDK Bridge Documentation } Human-readable descriptions of elements } For generating documentation } Add a “description” section for: } The API } Each operation (path and method) } Each parameter } Each response element } Will go into detail in the next section

} If you are asked to create an OAS file, how do you find the information? } Developers can provide rough documentation } Developers can provide sample requests and responses } Most common } You can figure it out from the code } Requires strong coding skills

Defining Simple Requests

Documenting APIs with Swagger Open API Specification File } Choose an example and build a file } Company: example.com } Service for uploading and sharing photos } API base URL: } https://api.example.com/photo

© 2018 SDK Bridge Adding a Request Let’s define requests for getting photo albums Requests will have: } URL endpoint } HTTP Method } Path parameters } Query parameters } Also (covered later): } Request body } Responses

GET https://api.example.com/photo/album/123456

} The data type can have several values } Includes: } Boolean } integer } number } string } array

} Documentation is added using the description key } I will talk about this later in the workshop

} Swagger provides an editor for Open API Specification files } Go to http://editor2.swagger.io

} Create an OAS file for a music system } The API manages playlists } Describe overall API information, paths, methods, and some parameters

Defining Request and Response Bodies

Learn Swagger and the Open API Specification Request and Response Bodies } Certain kinds of requests have extra data } POST, PUT, etc. } Called the request body } Typically data is formatted in JSON (or sometimes XML) } Nearly all responses return a response body } Also typically formatted in JSON

© 2018 SDK Bridge What is a schema? } The schema indicates the structure of the data } OAS schema object is based off the JSON Schema Specification } http://json-schema.org/ } What are the keys in key/value pairs? } What type of data are the values? } Can be many levels

© 2018 SDK Bridge Request Body } Under parameters: } name – just for reference (not shown in docs) } in – set to body } required – typically set to true } schema – } Add a level } Key of $ref } Value of the reference path, in quotes

© 2018 SDK Bridge Schema section } Create a key called definitions at the end of the file } Add a level and give it the name from the $ref value } Add a properties key } For each top level element in the JSON, add a key of its name. } Add a type key that says what type of data it is } Add other keys for other data (more later)

© 2018 SDK Bridge Response Body } Under response:, under the response code } schema: } Add a level } Key of $ref } Value of the reference path, in quotes } If the response is an array instead of an object, then add: } type: array } Note: you can have different schemas for different response codes

Note: The album schema is identical to the newAlbum schema except it has an id

} Responses can also have custom headers } You can include example bodies in OAS files } Refer to the Open API Specification on how these work } (Just search on “Open API Specification”)

} Add to your OAS file } POST, PUT, and responses } Describe overall API information, paths, methods, and some parameters

Security, errors, content types, and operation IDs

Learn Swagger and the Open API Specification Security } Security means what kind of authentication or authorization is required } Authentication: the user has correct username and password } Authorization: the user has access to this API and data

© 2018 SDK Bridge Security types } None } Used for getting publically available information } API key } Indicates that the app has permission to use the API } Basic Authentication } Username and password is included in a header } OAuth } Complex issuance of temporary token

© 2018 SDK Bridge How security is indicated } Each operation has a security key } Contains an array of security definition objects } Often just one element in the array } Security Definitions } The file contains a securityDefinitions key } Typically at the end } Contains security objects } Security object } Contains information needed for that type of security

� © 2018 SDK Bridge API key } Add security key to each operation } Use dash to indicate an array } Create name for definition and use empty bracket, since no data is needed } Add security definition } Add definition for that name in securityDefinition section } type: apiKey } name: name of the header or query parameter to be used } in: query or header © 2018 SDK Bridge API key example } Put a security key in the get section and securityDefinitions at the end of the file

https://…?token=23a645ga2798

© 2018 SDK Bridge Basic authentication } Add security key to an operation } Use dash to indicate an array } Create name for definition and use empty bracket, since no data is needed } Add security definition } Add definition for that name in securityDefinition section } type: basic

© 2018 SDK Bridge OAuth } OAuth is too complicated to explain here } Add security key to request, like before } However, now you add scopes in the array } Add security definition } Add definition for that name in securityDefinition section } type: oauth2 } authorizationUrl: URL where credentials are entered } tokenUrl: URL for the token } flow: OAuth 2 flow (implicit, password, application or accessCode.) } scopes: list of scopes with descriptions

© 2018 SDK Bridge Errors } Errors are simply different response codes } Often APIs return a special structure with errors } Example 401 (Unauthorized) code returned {"errorCode": 13, "message": "Username not found"} } Should include schema for every potential status code } Refer to this in response

© 2018 SDK Bridge Content Types } Content types indicate the format of the data in the request and response bodies } This is done through the Content-Ty p e header } You can specify this for: } The whole API } Individual operations } Use the consumes and produces keys } consumes for requests, produces for responses } Use the Content-Ty p e value (for example, application/json)

} Add to your OAS file: } Security, } Errors, } Content type } Operation IDs

Adding Descriptions

Document APIs Using Swagger Autogenerated Documentation } Tools (including Swagger) take OAS files and generate HTML documentation to put on the web } If the OAS file is kept up to date, then the documentation is likely to be more accurate than if you wrote the docs manually } Autogenerated documentation allows you to try out requests from within the documentation

Method URL Query parameters

POST http://api.example.com/user?source=ios&device=ipad

Accept: application/json Headers Content-type: application/json

{ "name": "Peter Gruenbaum", "email": "[email protected]" Body }

} Bring up example on editor

} Add documentation to your example } See the effects on the right side of the page

Editor, CodeGen, UI, and Core Tooling

Learn Swagger and the Open API Specification Swagger Tools Placeholder

} https://swagger.io/tools/

© 2018 SDK Bridge SwaggerHub } Provides all of the tools on a hosted platform } As of this video: } Free for one user } $75/month for team of 5 } Advantages: } Don’t have to install and host } Designed for collaboration

} Try out SwaggerHub for free } Import your OAS file

The Next Generation

Document APIs with Swagger Several changes from 2.0 } Improved overall structure } Support for callbacks } Links to express relationships between operations } The JSON schema includes support for: oneOf, anyOf and not } Improved parameter descriptions } Better support for multipart document handling } Cookie parameters } Body parameters have their own entity } Better support for content-type negotiation } The security definitions have been simplified and enhanced © 2018 SDK Bridge JSON

Alternative to YAML

Learn Swagger and the Open API Specification Why JSON? } Older format } Some people may be more familiar with it than YAML } Some tools only read JSON

YAML JSON { info: "info": version: "0.1.0" { title: Meme Meister "version": "0.1.0" description: Meme API "title": "Meme Meister" "description": "Meme API" } }

YAML JSON { consumes: "consumes": - image/jpeg [ - image/gif "image/jpeg", - image/png "image/gif", "image/png", ] }

Other autogenerated doc tools

Document APIs with Swagger Alternatives to Swagger } Swagger is great, but… } Some people think it could be better } In particular, the autogenerated documentation } Not “responsive”, not that pretty, etc. } In theory, you can take OAS files and do whatever you want with them } There are several alternatives to Swagger } Disclaimer: I am not an expert in any of these

} http://dapperdox.io

} https://github.com/jensoleg/swagger-ui

} http://readme.io

} http://stoplight.io

} I’d Rather Be Writing - Tom Johnson } Sarah Maddox } SDK Bridge Online courses } Last page of workbook has links with discounts

} Create an OAS file for a Meme API from scratch } Not an easy assignment } In the electronic version of the workbook only