
How to avoid blindspots when consuming Web API


There are three major questions we should ask before consuming a Web API.

  1. What is the security mechanism?
  2. What is the payload schema?
  3. What are the response types?

I have learnt about these blindspots the hard way. This may seem very obvious to a lot of people; however, as the proverb goes, ‘Prevention is better than cure’ – I have had my own ‘Gotcha’ moments with these.

By enquiring ahead, we could save time, money, effort, and credibility.

Security mechanism:

All non-public Web APIs are secured with authorization tokens. Before writing code, it is helpful to enquire about the authorization style. It helps us estimate size and hours in sprint planning, and tells us whether we have to write new code or can reuse an existing method.


  • How is the token generated?
  • Is there IP address whitelisting?
    • Do dev and prod share the same IP address, or are they different?
  • Is there any throttling?

Payload schema:

Sometimes the payload requires a data value that is currently unavailable in our system. Detecting this problem early helps us save time and set correct expectations on deliverables.

In case of missing data, we can request that this user story be backlogged until all the information is available, or better, create a user story to collect the necessary data, or backlog this story until the endpoint makes the field optional.

Sometimes payload datetime fields (e.g. createddatetime) are expected in UTC, sometimes in local time. Sending incorrect timezone information invalidates the data, so we should confirm which one the endpoint expects.


    1. What are the required fields?
    2. What are the data types for each?

Response types:

Responses have both an HTTP status code and a response body. When no data is found, Web API purists establish strict HTTP status codes like ‘204 No Content’. However, others just send ‘200 OK’ with an empty response body. To avoid problems from such impurities, we have to first go through all responses and understand every permutation and combination.


  • What is the response if there is no data?
  • What is the response on dependency failures?
  • What is the response when transient faults happen?
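The two gotchas above (datetime fields that must be UTC, and endpoints that mix ‘204 No Content’ with ‘200 OK’ plus an empty body) can be pinned down in a small client-side layer before the happy path is written. The following is an added example, not code from the original post: the `Response` class, the outcome labels and the sample record are constructed stand-ins, and the status codes treated as throttling or transient (429, 502, 503, 504) are common conventions that should be confirmed against the specific API.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Response:
    """Constructed stand-in for an HTTP response; no network is used."""
    status: int
    body: str

# Outcome labels are our own names, not from any HTTP library.
NO_DATA, DATA, THROTTLED, TRANSIENT, CLIENT_ERROR = (
    "no_data", "data", "throttled", "transient", "client_error")

def classify(resp: Response) -> tuple[str, object]:
    """Reduce status code + body to one outcome, so that a purist 204 and an
    impure 200 with an empty body both land in the same NO_DATA branch."""
    if resp.status == 204 or (resp.status == 200 and not resp.body.strip()):
        return NO_DATA, None
    if resp.status == 200:
        payload = json.loads(resp.body)
        # Some endpoints answer 200 with [] or {} instead of 204.
        return (NO_DATA, None) if not payload else (DATA, payload)
    if resp.status == 429:
        return THROTTLED, None      # back off: the API is throttling us
    if resp.status in (502, 503, 504):
        return TRANSIENT, None      # dependency/transient fault: retry later
    return CLIENT_ERROR, resp.body  # other 4xx/5xx: fix the request, do not retry

def build_payload(record_id: str, created: datetime) -> dict:
    """Serialize createddatetime as UTC; refuse naive datetimes so local
    time is never sent where the endpoint expects UTC."""
    if created.tzinfo is None:
        raise ValueError("createddatetime must be timezone-aware")
    utc = created.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")
    return {"id": record_id, "createddatetime": utc}

def demo_payload() -> dict:
    """Constructed sample: 12:00 at UTC+05:30 must be sent as 06:30Z."""
    ist = timezone(timedelta(hours=5, minutes=30))
    return build_payload("rec-1", datetime(2024, 1, 1, 12, 0, tzinfo=ist))

if __name__ == "__main__":
    for r in (Response(204, ""), Response(200, ""), Response(200, "[]"),
              Response(200, '{"id": 1}'), Response(429, ""), Response(503, "")):
        print(r.status, repr(r.body), "->", classify(r)[0])
    print(demo_payload())
```

Walking every documented response through `classify` during the enquiry phase is a quick way to discover which combinations the endpoint actually produces.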

Please comment below, if you have any additions to above.

