API Design
An API contract is forever. These posts cover webhook reliability, rate limiting beyond the textbook, HTTP caching headers, and the design choices that make an API survive contact with real callers.
REST vs GraphQL Is Over. You're Now Running Both, Badly.
REST vs GraphQL got declared a tie: use both. Nobody costs that out. Two contracts, the HTTP caching you lost, a leaky BFF, and the N+1 that just moved.
Server-Sent Events Are Back. You Should Use Them.
Server-Sent Events made a quiet comeback because of LLM streaming. SSE vs WebSocket, the HTTP/1.1 connection trap, and the cases where SSE is the right call.
The Endpoint That Always Returns 200
REST APIs that wrap every error in HTTP 200 break retries, caches, load balancers, circuit breakers, and observability. The status code is part of the contract.
Your JWT Is Not a Session
JWTs cannot be revoked, permissions inside them go stale, and clocks drift. The failure modes that appear when you treat a signed token like a session.
The Cache-Control Header You're Probably Ignoring
Most developers set max-age and call it done. The directives that matter for CDN behavior, revalidation, and stale content are all sitting there unused.
Webhook Reliability: The Lost Art
Webhooks break predictably: duplicate events, missed deliveries, retry storms. Here is what it actually takes to build receivers that hold up in production.
Rate Limiting Is Harder Than It Looks
Token bucket, sliding window, fixed counter: rate limiting algorithms all sound simple until you actually implement them correctly across distributed systems.