Question 1

What changes are breaking vs. non-breaking in a REST API?

Accepted Answer

Breaking changes (require a new version): removing a response field, renaming a field, changing a field's data type (string to integer), making an optional parameter required, changing HTTP status codes for existing conditions, removing an endpoint, changing authentication requirements. Non-breaking changes (safe to release without a new version): adding a new optional response field (clients that don't know about it ignore it), adding a new optional request parameter with a sensible default, adding a new endpoint, adding a new error code for a new error condition. The core principle: if an existing client that is not updated can still function correctly after the change, it is non-breaking. This distinction determines when versioning is necessary vs. when you can evolve in place.

Question 2

What are the trade-offs between URL path versioning and header versioning?

Accepted Answer

URL path versioning (/v1/orders, /v2/orders): immediately visible in logs and browser, easy to route different versions to different backends, clients explicitly choose their version. Not technically RESTful (URL should identify resources, not API contracts), creates documentation duplication pressure. Chosen by Stripe, Twilio, GitHub for public APIs — operational simplicity wins. Header versioning (Accept: application/vnd.api.v2+json or Api-Version: 2024-01-15): keeps URLs clean, supports date-based versioning (clients specify a date, get the API as it existed then), aligns with HTTP content negotiation. Harder to test in a browser, requires Vary header for caching, clients often skip setting it. Use URL versioning for public APIs; header versioning for internal APIs where client discipline is higher.

Question 3

How does GraphQL avoid traditional API versioning?

Accepted Answer

GraphQL clients request only the specific fields they need, so adding new fields is always non-breaking — existing clients don't request the new fields and are unaffected. Deprecate old fields with @deprecated(reason: 'Use newField instead') rather than removing them immediately. Only remove deprecated fields after monitoring confirms zero usage — track field-level resolver call counts in your GraphQL server. This enables continuous schema evolution without explicit version numbers. The trade-off: deprecated fields accumulate, requiring active pruning. The schema can become cluttered with legacy fields that some clients still use. This works best with an internal schema governance process that proactively migrates clients off deprecated fields before removing them.

Question 4

How should you sunset an old API version?

Accepted Answer

Define a deprecation policy upfront: e.g., a version is supported for 12 months after the next major version releases. Announce deprecation early via API response headers (Deprecation: true, Sunset: Sat, 01 Jan 2026 00:00:00 GMT), changelog, email to registered API users, and developer dashboard warnings. Track version usage metrics to identify clients still on the deprecated version — contact their owners directly. At the sunset date: return HTTP 410 Gone for all requests to the deprecated version (not 200 or 404 — 410 explicitly signals permanent removal). Do not silently break clients; do not delay the sunset date indefinitely for holdouts. Hard-deprecation is a forcing function that drives migration.

API Versioning Strategies: Low-Level Design

What Constitutes a Breaking Change

URL Path Versioning

Header Versioning

Query Parameter Versioning

GraphQL and Versioning

Managing Multiple Versions