Network Working Group K. Smith
Internet-Draft Vodafone
Intended status: Standards Track 18 October 2024
Expires: 21 April 2025
api-catalog: a well-known URI and link relation to help discovery of
APIs
draft-ietf-httpapi-api-catalog-05
Abstract
This document defines the "api-catalog" well-known URI and link
relation. It is intended to facilitate automated discovery and usage
of the APIs published by a given organisation or individual. A
request to the api-catalog resource will return a document providing
information about, and links to, the publisher's APIs.
About This Document
This note is to be removed before publishing as an RFC.
The latest revision of this draft can be found at https://ietf-wg-
httpapi.github.io/api-catalog/draft-ietf-httpapi-api-catalog.html.
Status information for this document may be found at
https://datatracker.ietf.org/doc/draft-ietf-httpapi-api-catalog/.
Discussion of this document takes place on the Building Blocks for
HTTP APIs Working Group mailing list (mailto:httpapi@ietf.org), which
is archived at https://mailarchive.ietf.org/arch/browse/httpapi/.
Subscribe at https://www.ietf.org/mailman/listinfo/httpapi/.
Source for this draft and an issue tracker can be found at
https://github.com/ietf-wg-httpapi/api-catalog.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Smith Expires 21 April 2025 [Page 1]
�
Internet-Draft api-catalog well-known URI October 2024
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 21 April 2025.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Goals and non-goals . . . . . . . . . . . . . . . . . . . 3
1.2. Notational Conventions . . . . . . . . . . . . . . . . . 3
2. Using the 'api-catalog' well-known URI . . . . . . . . . . . 4
3. Link relations . . . . . . . . . . . . . . . . . . . . . . . 4
4. Accounting for APIs distributed across multiple domains . . . 5
5. Internal use of api-catalog for private APIs . . . . . . . . 6
6. The API Catalog . . . . . . . . . . . . . . . . . . . . . . . 7
7. Conformance to RFC8615 . . . . . . . . . . . . . . . . . . . 8
7.1. Path suffix . . . . . . . . . . . . . . . . . . . . . . . 8
7.2. Supported URI schemes . . . . . . . . . . . . . . . . . . 8
7.3. Formats and associated media types . . . . . . . . . . . 8
7.4. Registration of the api-catalog well-known URI . . . . . 8
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
8.1. The api-catalog well-known URI . . . . . . . . . . . . . 8
8.2. The api-catalog link relation . . . . . . . . . . . . . . 9
8.3. the api-catalog Profile URI . . . . . . . . . . . . . . . 9
9. Security Considerations . . . . . . . . . . . . . . . . . . . 9
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
10.1. Normative References . . . . . . . . . . . . . . . . . . 10
10.2. Informative References . . . . . . . . . . . . . . . . . 10
Appendix A. Example API Catalog documents . . . . . . . . . . . 11
A.1. Using Linkset with RFC8615 relations . . . . . . . . . . 11
A.2. Using Linkset with bookmarks . . . . . . . . . . . . . . 13
Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 14
Smith Expires 21 April 2025 [Page 2]
�
Internet-Draft api-catalog well-known URI October 2024
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 14
1. Introduction
An organisation or individual may publish Application Programming
Interfaces (APIs) to encourage requests for interaction from external
parties. Such APIs must be discovered before they may be used -
i.e., the external party needs to know what APIs a given publisher
exposes, their purpose, any policies for usage, and the endpoint to
interact with each API. To facilitate automated discovery of this
information, and automated usage of the APIs, this document proposes:
* a well-known URI, 'api-catalog', as a reference to the URI of an
API Catalog document describing a Publisher's API endpoints.
* a link relation, 'api-catalog', of which the target resource is
the Publisher's API Catalog document.
1.1. Goals and non-goals
The primary goal is to facilitate the automated discovery of a
Publisher's public API endpoints, along with metadata that describes
the purpose and usage of each API, by specifying a well-known URI
[RFC8615] that returns an API catalog document. The API catalog
document is primarily machine-readable to enable automated discovery
and usage of APIs, and it may also include links to human-readable
documentation.
Non-goals: this document does not mandate paths for API endpoints.
i.e., it does not mandate that my_example_api's endpoint should be
example.com/.well-known/api-catalog/my_example_api , nor even to be
hosted at example.com (although it is not forbidden to do so). This
document does not mandate a specific format for the API catalog
document, although it does suggest some existing formats and provide
a recommendation.
1.2. Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. These words may also appear in this
document in lower case as plain English words, absent their normative
meanings.
The term "content negotiation" and "status code" are from [HTTP].
The term well-known URI is from [RFC8615].
Smith Expires 21 April 2025 [Page 3]
�
Internet-Draft api-catalog well-known URI October 2024
The term "Publisher" refers to an organisation, company or individual
that publishes one or more APIs for usage by external third parties.
2. Using the 'api-catalog' well-known URI
The api-catalog well-known URI is intended for HTTP(S) servers that
publish APIs. As the key aim is to facilitate discovery and usage of
APIs, a Publisher supporting this URI:
* SHOULD publish the /.well-known/api-catalog URI at a predictable
location. For example as companies typically own a .com TLD, a
predictable location for the company 'example' would be
https://www.example.com/.well-known/api-catalog
* SHALL resolve an HTTP(S) GET request to /.well-known/api-catalog
and return an API catalog document ( as described in Section 6 ).
* SHOULD resolve an HTTP(S) HEAD request to /.well-known/api-catalog
with a response including a Link header with the relation(s)
defined in Section 3
The location (URL) of the API Catalog document is decided by the
Publisher: the ./well-known/api-catalog URI provides a convenient
reference to that URL.
3. Link relations
* "api-catalog": the 'api-catalog' link relation identifies a target
resource that represents a list of APIs available from the
Publisher of the context resource. The target resource URI may be
./well-known/api-catalog , or any other URI chosen by the
Publisher. For example, the Publisher 'example.com' could include
the api-catalog link relation in the HTTP header and/or content
payload when responding to a request to https://example.com :
Smith Expires 21 April 2025 [Page 4]
�
Internet-Draft api-catalog well-known URI October 2024
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Location: http://www.example.com/
Link: ; rel=api-catalog
Content-Length: 356
Welcome to Example Publisher
Example Publisher's APIs.
(remainder of content)
* "item" [RFC9264]. When used in an API Catalog document, the
'item' link relation identifies a target resource that represents
an API that is a member of the API Catalog.
4. Accounting for APIs distributed across multiple domains
A Publisher ('example') may have their APIs hosted across multiple
domains that they manage: e.g., at example.com,
developer.example.com, apis.example.com, apis.example.net etc. They
may also use a third party API hosting provider which hosts APIs on a
distinct domain.
To account for this scenario, it is RECOMMENDED that:
* the Publisher publish the api-catalog well-known URI at a
predictable location, e.g. example.com/.well-known/api-catalog .
* the Publisher also publish the api-catalog well-known URI at each
of their API domains e.g. apis.example.com/.well-known/api-
catalog, developer.example.net/.well-known/api-catalog etc.
* an HTTP GET request to any of these URIs returns the same result,
namely, the API Catalog document.
Smith Expires 21 April 2025 [Page 5]
�
Internet-Draft api-catalog well-known URI October 2024
* since the physical location (URL) of the API Catalog document is
decided by the Publisher, and may change, the Publisher choose one
of their instances of .well-known/api-catalog as a canonical
reference to the location of the latest API Catalog. The
Publisher's other instances of ./well-known/api-catalog SHOULD
redirect to this canonical instance of /.well-known/api-catalog ,
using HTTP Status Code 308 (Permanent Redirect), to ensure the
latest API Catalog is returned.
As illustration, if the Publisher's primary API portal is
apis.example.com, then apis.example.com/.well-known/api-catalog
should resolve to the location of the latest API Catalog document.
If the Publisher is also the domain authority for example.net, which
also hosts a selection of their APIs, then a request to
www.example.net/.well-known/api-catalog SHOULD return a redirect as
follows.
Client request:
GET /.well-known/api-catalog HTTP/1.1
User-Agent: curl/7.16.3 libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3
Host: www.example.net
Server response:
HTTP/1.1 308 Permanent Redirect
Content-Type: text/html; charset=UTF-8
Location: http://apis.example.com/.well-known/api-catalog
Content-Length: 356
Permanent Redirect
Redirected to: https://apis.example.com/.well-known/api-catalog.
5. Internal use of api-catalog for private APIs
A Publisher may wish to use the api-catalog well-known URI on their
internal network, to signpost authorised users (e.g. company
employees) towards internal/private APIs not intended for third-party
use. This scenario may incur additional security considerations, as
noted in Section 9.
Smith Expires 21 April 2025 [Page 6]
�
Internet-Draft api-catalog well-known URI October 2024
6. The API Catalog
The API Catalog is a document listing hyperlinks to a Publisher's
APIs. The Publisher may host this API Catalog document at any URI(s)
they choose. Hence the API Catalog document URI of example.com/
my_api_catalog.json can be requested directly, or via a request to
example.com/.well-known/api-catalog, which the Publisher will resolve
to example.com/my_api_catalog.
The Publisher MUST publish the API Catalog document in the Linkset
format application/linkset+json (section 4.2 of [RFC9264]). In
addition, the Publisher MAY make additional formats available via
content negotiation (section 5.3 of [HTTP]) to their /.well-known/
api-catalog location. A non-exhaustive list of such formats that
support the automated discovery, and machine (and human) usage of a
Publisher's APIs, is listed below.
The API Catalog document MUST include hyperlinks to API endpoints,
and is RECOMMENDED to include useful metadata, such as usage
policies, API version information, links to the OpenAPI Specification
[OAS] definitions for each API, etc. . If the Publisher does not
include these metadata directly in the API Catalog document, they
SHOULD make that metadata available at the API endpoint URIs they
have listed (see Appendix A.2 for an example).
Some suitable API Catalog document formats include:
* (RECOMMENDED) A linkset in JSON Document format (section 4.2 of
[RFC9264]) of API endpoints and information to facilitate API
usage. The linkset SHOULD include a profile parameter (section 5
of [RFC9264]) with a Profile URI [RFC7284] value of 'THIS-RFC-URL'
to indicate the linkset is representing an API Catalog document as
defined above. Appendix A includes example API Catalog documents
based on the linkset format.
* An APIs.json document [APIsjson]
* API bookmarks that represent an API entry-point URI, which may be
followed to discover purpose and usage
* A RESTDesc semantic description for hypermedia APIs [RESTdesc]
* A Hypertext Application Language document [HAL]
* An extension to the Schema.org WebAPI type [WebAPIext].
Smith Expires 21 April 2025 [Page 7]
�
Internet-Draft api-catalog well-known URI October 2024
If a Publisher already lists their APIs in a format other than
linkset but wish to utiise the /.well-known/api-catalog URI, then: *
they MUST also implement a linkset with, at minimum, hyperlinks to
API endpoints - see the exmple of Using Linkset with bookmarks in
Appendix A. * they MAY support content negotiation at the /.well-
known/api-catalog URI to allow their existing format to be returned.
7. Conformance to RFC8615
The requirements in section 3 of [RFC8615] for defining Well-Known
Uniform Resource Identifiers are met as follows:
7.1. Path suffix
The api-catalog URI SHALL be appended to the /.well-known/ path-
prefix for "well-known locations".
7.2. Supported URI schemes
The api-catalog well-known URI may be used with the HTTP and HTTPS
URI schemes.
7.3. Formats and associated media types
A /.well-known/api-catalog location MUST support the Linkset
[RFC9264] format of application/linkset+json, and MAY also support
the other formats via content negotiation.
7.4. Registration of the api-catalog well-known URI
See Section 8 considerations below.
8. IANA Considerations
8.1. The api-catalog well-known URI
This specification registers the "api-catalog" well-known URI in the
Well-Known URI Registry as defined by [RFC8615].
* URI suffix: api-catalog
* Change Controller: IETF
* Specification document(s): THIS-RFC
* Status: permanent
Smith Expires 21 April 2025 [Page 8]
�
Internet-Draft api-catalog well-known URI October 2024
* Related information: The "api-catalog" documents obtained from the
same host using the HTTP and HTTPS protocols (using default ports)
MUST be identical.
8.2. The api-catalog link relation
This specification registers the "api-catalog" link relation by
following the procedures per section 2.1.1.1 of [RFC8288]
* Relation Name: api-catalog
* Description: The link target identifies a catalog of APIs
published by the owner of the link context.
* Reference: THIS-RFC
8.3. the api-catalog Profile URI
This specification registers "THIS-RFC-URL" in the "Profile URIs"
registry according to [RFC7284].
* Profile URI: THIS-RFC-URL
* Common Name: API Catalog
* Description: A profile URI to request or signal a linkset
representing an API Catalog.
* Reference: THIS-RFC
RFC Editor's Note: IANA is kindly requested to replace all instances
of THIS-RFC and THIS-RFC-URL with the actual RFC number/URL once
assigned.
9. Security Considerations
For all scenarios: the Publisher SHOULD perform a security and
privacy review of the API Catalog prior to deployment, to ensure it
does not leak personal, business or other sensitive metadata, nor
expose any vulnerability related to the APIs listed.
For the internal/private APIs scenario: the Publisher SHOULD take
steps to ensure that appropriate access controls are in place to
ensure only authorised users access the internal api-catalog well-
known URI.
10. References
Smith Expires 21 April 2025 [Page 9]
�
Internet-Draft api-catalog well-known URI October 2024
10.1. Normative References
[HTTP] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
Ed., "HTTP Semantics", STD 97, RFC 9110,
DOI 10.17487/RFC9110, June 2022,
.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
.
[RFC7284] Lanthaler, M., "The Profile URI Registry", RFC 7284,
DOI 10.17487/RFC7284, June 2014,
.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, .
[RFC8288] Nottingham, M., "Web Linking", RFC 8288,
DOI 10.17487/RFC8288, October 2017,
.
[RFC8615] Nottingham, M., "Well-Known Uniform Resource Identifiers
(URIs)", RFC 8615, DOI 10.17487/RFC8615, May 2019,
.
[RFC9264] Wilde, E. and H. Van de Sompel, "Linkset: Media Types and
a Link Relation Type for Link Sets", RFC 9264,
DOI 10.17487/RFC9264, July 2022,
.
10.2. Informative References
[APIsjson] Kin Lane and Steve Willmott, "APIs.json", 15 September
2020, .
[HAL] Mike Kelly, "JSON Hypertext Application Language", 15
September 2020, .
[OAS] Darrel Miller, Jeremy Whitlock, Marsh Gardiner, Mike
Ralphson, Ron Ratovsky, and Uri Sarid, "OpenAPI
Specification 3.1.0", 15 February 2021,
.
Smith Expires 21 April 2025 [Page 10]
�
Internet-Draft api-catalog well-known URI October 2024
[RESTdesc] Ruben Verborgh, Erik Mannens, Rick Van de Walle, and
Thomas Steiner, "RESTdesc", 15 September 2023,
.
[RFC8631] Wilde, E., "Link Relation Types for Web Services",
RFC 8631, DOI 10.17487/RFC8631, July 2019,
.
[WebAPIext]
Mike Ralphson and Nick Evans, "WebAPI type extension", 8
July 2020,
.
Appendix A. Example API Catalog documents
This section is informative, and provides and example of an API
Catalog document using the RECOMMENDED linkset format.
A.1. Using Linkset with RFC8615 relations
This example uses the linkset format [RFC9264], and the following
link relations defined in [RFC8631]:
* "service-desc", used to link to a description of the API that is
primarily intended for machine consumption.
* "service-doc", used to link to API documentation that is primarily
intended for human consumption.
* "service-meta", used to link to additional metadata about the API,
and is primarily intended for machine consumption.
* "status", used to link to the API status (e.g. API "health"
indication etc.) for machine and/or human consumption.
Client request:
GET .well-known/api-catalog HTTP/1.1
Host: example.com
Accept: application/linkset+json
Server response:
HTTP/1.1 200 OK
Date: Mon, 01 Jun 2023 00:00:01 GMT
Server: Apache-Coyote/1.1
Content-Type: application/linkset+json;
profile="THIS-RFC-URL"
Smith Expires 21 April 2025 [Page 11]
�
Internet-Draft api-catalog well-known URI October 2024
{
"linkset": [
{
"anchor": "https://developer.example.com/apis/foo_api",
"service-desc": [
{
"href": "https://developer.example.com/apis/foo_api/spec",
"type": "application/yaml"
}
],
"status": [
{
"href": "https://developer.example.com/apis/foo_api/status",
"type": "application/json"
}
],
"service-doc": [
{
"href": "https://developer.example.com/apis/foo_api/doc",
"type": "text/html"
}
],
"service-meta": [
{
"href": "https://developer.example.com/apis/foo_api/policies",
"type": "text/xml"
}
]
},
{
"anchor": "https://developer.example.com/apis/bar_api",
"service-desc": [
{
"href": "https://developer.example.com/apis/bar_api/spec",
"type": "application/yaml"
}
],
"status": [
{
"href": "https://developer.example.com/apis/bar_api/status",
"type": "application/json"
}
],
"service-doc": [
{
"href": "https://developer.example.com/apis/bar_api/doc",
"type": "text/plain"
}
Smith Expires 21 April 2025 [Page 12]
�
Internet-Draft api-catalog well-known URI October 2024
]
},
{
"anchor": "https://apis.example.net/apis/cantona_api",
"service-desc": [
{
"href": "https://apis.example.net/apis/cantona_api/spec",
"type": "text/n3"
}
],
"service-doc": [
{
"href": "https://apis.example.net/apis/cantona_api/doc",
"type": "text/html"
}
]
}
]
}
A.2. Using Linkset with bookmarks
This example also uses the linkset format [RFC9264], listing the API
endpoints in an array of bookmarks. Each link shares the same
context (the API Catalog) and "item" [RFC9264] link relation (to
indicate they are an item in the catalog).The intent is that by
following a bookmark link, a machine-client can discover the purpose
and usage of each API, hence the document targeted by the bookmark
link should support this.
Note in the example below, the context anchor is example/com/.well-
known/api-catalog, however as explained above the context anchor may
be any other URI at which the api-catalog is available.
Client request:
GET .well-know/api-catalog HTTP/1.1
Host: example.com
Accept: application/linkset+json
Server response:
HTTP/1.1 200 OK
Date: Mon, 01 Jun 2023 00:00:01 GMT
Server: Apache-Coyote/1.1
Content-Type: application/linkset+json;
profile="THIS-RFC-URL"
Smith Expires 21 April 2025 [Page 13]
�
Internet-Draft api-catalog well-known URI October 2024
[
{ "anchor": "https://example.com/.well-known/api-catalog",
"item": [
{"href": "https://developer.example.com/apis/foo_api"},
{"href": "https://developer.example.com/apis/bar_api"},
{"href": "https://developer.example.com/apis/cantona_api"}
]
}
]
Appendix B. Acknowledgements
Thanks to Phil Archer, Ben Bucksch, Sanjay Dalal, Max Maton, Darrel
Miller, Mark Nottingham, Roberto Polli, Rich Salz, Herbert Van De
Sompel and Erik Wilde for their suggestions and feedback.
Author's Address
Kevin Smith
Vodafone
Email: kevin.smith@vodafone.com
URI: https://www.vodafone.com
Smith Expires 21 April 2025 [Page 14]