| Internet-Draft | api-catalog well-known URI | February 2024 |
| Smith | Expires 12 August 2024 | [Page] |
This document defines the "api-catalog" well-known URI. It is intended to facilitate automated discovery and usage of the APIs published by a given organisation or individual.¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://ietf-wg-httpapi.github.io/api-catalog/draft-ietf-httpapi-api-catalog.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-ietf-httpapi-api-catalog/.¶
Discussion of this document takes place on the Building Blocks for HTTP APIs Working Group mailing list (mailto:httpapi@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/httpapi/. Subscribe at https://www.ietf.org/mailman/listinfo/httpapi/.¶
Source for this draft and an issue tracker can be found at https://github.com/ietf-wg-httpapi/api-catalog.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 12 August 2024.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
An organisation or individual may publish Application Programming Interfaces (APIs) to encourage requests for interaction from external parties. Such APIs must be discovered before they may be used - i.e., the external party needs to know what APIs a given publisher exposes, their purpose, any policies for usage, and the endpoint to interact with each APIs. To facilitate automated discovery of this information, and automated usage of the APIs, this document proposes a well-known URI, 'api-catalog', as a location where a Publisher's API endpoints are described in an API catalog document.¶
'Publisher' - an organisation, company or individual that publishes one or more APIs for usage by external third parties.¶
The primary goal is to facilitate the automated discovery of a Publisher's public API endpoints, along with metadata that describes the purpose and usage of each API, by specifying a well-known URI [RFC8615] that returns an API catalog document. The API catalog document is primarily machine-readable to enable automated discovery and usage of APIs, and it may also include links to human-readable documentation.¶
Non-goals: this document does not mandate paths for API endpoints. i.e., it does not mandate that my_example_api's endpoint should be example.com/.well-known/api-catalog/my_example_api , nor even to be hosted at example.com (although it is not forbidden to do so). This document does not mandate a specific format for the API catalog document, although it does suggest some existing formats and provide a recommendation.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The api-catalog well-known URI is intended for HTTP(S) servers that publish APIs. As the key aim is to facilitate their discovery and usage, a Publisher supporting this URI:¶
SHOULD host the /.well-known/api-catalog URI at a predictable location. For example as companies typically own a .com TLD, a predictable location for the company 'example' would be https://www.example.com/.well-known/api-catalog¶
SHALL resolve an HTTP(S) GET request to /.well-known/api-catalog and return an API catalog document, as described in Section 5¶
SHOULD resolve an HTTP(S) HEAD request to /.well-known/api-catalog with a response including a Link header with the relation(s) defined in Section 6¶
A Publisher ('example') may have their APIs hosted across multiple domains that they manage: e.g., at example.com, developer.example.com, apis.example.com, apis.example.net etc. They may also use a third party API hosting provider which hosts APIs on a distinct domain.¶
To account for this scenario, it is recommended that:¶
the Publisher publish the api-catalog well-known URI at a predictable location, as described above.¶
the Publisher also publish the api-catalog well-known URI at each of their API domains e.g. apis.example.com/.well-known/api-catalog, developer.example.com/.well-known/api-catalog etc.¶
only one of these locations needs to host the canonical API Catalog document. The other locations SHOULD redirect any requests they receive for /.well-known/api-catalog to that primary location, using HTTP Status Code 308 Permanent Redirect [RFC9110].¶
As illustration, if the Publisher's primary API portal is apis.example.com, then apis.example.com/.well-known/api-catalog should be the location to host the API Catalog document. If the Publisher is also the domain authority for example.net, which also hosts a selection of their APIs, then a request to www.example.net/.well-known/api-catalog SHOULD return a redirect as follows.¶
Clienr request:¶
Server response:¶
A Publisher may wish to use the api-catalog well-known URI on their internal network, to signpost authorised users (e.g. company employees) towards internal/private APIs not intended for third-party use. This scenario may incur additional security considerations, as noted in Section 9¶
The API Catalog is a document listing hyperlinks to a Publisher's APIs.¶
There is no mandated format for the API Catalog document: the Publisher is free to choose any format that supports the automated discovery, and machine (and human) usage of their APIs. However, it is RECOMMENDED to use a linkset [RFC9264] of API endpoints (see Appendix A for an example).¶
The API Catalog document MUST include hyperlinks to API endpoints, and is RECOMMENDED to include useful metadata, such as usage policies, API version information, links to the OpenAPI Specification [OAS] definitions for each API, etc. . If the Publisher does not include these metadata directly in the API Catalog document, they SHOULD make that metadata available at the API endpoint URIs they have listed (see Appendix A.2 for an example).¶
Some suitable API Catalog document formats include:¶
(RECOMMENDED) A linkset [RFC9264] of API endpoints and information to facilitate API usage¶
API bookmarks that represent an API entry-point URI, which may be followed to discover purpose and usage¶
A RESTDesc semantic description for hypermedia APIs [RESTdesc]¶
Appendix A includes example API Catalog documents based on the linkset format.¶
"item" [RFC9264]. When used in an API Catalog document, the 'item' link relation identifies a target resource that represents a API that is a member of the API Catalog.¶
"api-catalog": the 'api-catalog' link relation identifies a target resource that represents a list of APIs of which the context resource is a member.¶
The requirements in section 3 of [RFC8615] for defining Well-Known Uniform Resource Identifiers are met as follows:¶
The api-catalog URI SHALL be appended to the /.well-known/ path-prefix for "well-known locations".¶
The api-catalog well-known URI may be used with the HTTP and HTTPS URI schemes.¶
This specification registers the "api-catalog" well-known URI in the Well-Known URI Registry as defined by [RFC6415] .¶
URI suffix: api-catalog¶
Specification document(s): draft-ietf-httpapi-api-catalog-01¶
Related information: The "api-catalog" documents obtained from the same host using the HTTP and HTTPS protocols (using default ports) MUST be identical.¶
This specification registers the "api-catalog" link relation by following the procedures per section 4.2.2 of [RFC8288]¶
For all scenarios: the Publisher SHOULD perform a security and privacy review of the API Catalog prior to deployment, to ensure it does not leak personal, business or other metadata, nor expose any vulnerability related to the APIs listed.¶
For the internal/private APIs scenario: the Publisher SHOULD take steps to ensure that appropriate access controls are in place to ensure only authorised users access the internal api-catalog well-known URI.¶
This section is informative, and provides and example of an API Catalog document using the RECOMMENDED linkset format.¶
This example uses the linkset format [RFC9264], and the following link relations defined in [RFC8631]:¶
"service-desc", used to link to a description of the API that is primarily intended for machine consumption.¶
"service-doc", used to link to API documentation that is primarily intended for human consumption.¶
"service-meta", used to link to additional metadata about the API, and is primarily intended for machine consumption.¶
"status", used to link to the API status (e.g. API "health" indication etc.) for machine and/or human consumption.¶
Client request:¶
Server response:¶
{
"linkset": [
{
"anchor": "https://developer.example.com/apis/foo_api",
"service-desc": [
{
"href": "https://developer.example.com/apis/foo_api/spec",
"type": "application/yaml"
}
],
"status": [
{
"href": "https://developer.example.com/apis/foo_api/status",
"type": "application/json"
}
],
"service-doc": [
{
"href": "https://developer.example.com/apis/foo_api/doc",
"type": "text/html"
}
],
"service-meta": [
{
"href": "https://developer.example.com/apis/foo_api/policies",
"type": "text/xml"
}
]
},
{
"anchor": "https://developer.example.com/apis/bar_api",
"service-desc": [
{
"href": "https://developer.example.com/apis/bar_api/spec",
"type": "application/yaml"
}
],
"status": [
{
"href": "https://developer.example.com/apis/bar_api/status",
"type": "application/json"
}
],
"service-doc": [
{
"href": "https://developer.example.com/apis/bar_api/doc",
"type": "text/plain"
}
]
},
{
"anchor": "https://apis.example.net/apis/cantona_api",
"service-desc": [
{
"href": "https://apis.example.net/apis/cantona_api/spec",
"type": "text/n3"
}
],
"service-doc": [
{
"href": "https://apis.example.net/apis/cantona_api/doc",
"type": "text/html"
}
]
}
]
}
¶
This example also uses the linkset format [RFC9264], listing the API endpoints in an array of bookmarks. Each link shares the same context (the API Catalog) and "item" [RFC9264] link relation (to indicate they are an item in the catalog).The intent is that by following a bookmark link, a machine-client can discover the purpose and usage of each API, hence the document targeted by the bookmark link should support this.¶
Client request:¶
Server response:¶
[
{ "anchor": "https://example.com/.well-known/api-catalog",
"item": [
{"href": "https://developer.example.com/apis/foo_api"},
{"href": "https://developer.example.com/apis/bar_api"}
{"href": "https://developer.example.com/apis/cantona_api"}
]
}
]
¶
Thanks to Phil Archer, Ben Bucksch, Sanjay Dalal, Max Maton, Darrel Miller, Mark Nottingham, Roberto Polli, Rich Salz, Herbert Van De Sompel and Erik Wilde for their suggestions and feedback.¶