SOFTWARE ENGINEERING TEMPLATE
API Documentation Template
Protocol-agnostic API documentation covering contract, authentication, errors, reliability, versioning, and operations.
Use this templateWhat's inside
Field | Details |
|---|---|
API Name | Clear name that identifies this API |
Status | Active |
API Style | REST / gRPC / GraphQL / WebSocket / Event-Driven / RPC / SOAP |
Current Version | v1 / v2 / semver |
Owner | Team or individual responsible |
Last Updated | |
Source of Truth | Link to OpenAPI spec, .proto files, GraphQL schema, WSDL, or code |
Overview
Describe what this API does, who it is for, and when you would use it. A developer should be able to read this section and know whether this is the right API for their use case.
Dimension | Details |
|---|---|
Purpose | What capability does this API provide? What problem does it solve? |
Primary Consumers | Who calls this API? (Frontend, mobile app, partner service, internal microservice, third-party integration) |
Data Owned | What domain entities does this API manage or expose? |
Upstream Dependencies | Other services or data stores this API depends on |
Downstream Consumers | Services or systems that depend on this API |
Connection & Access
How to connect to and authenticate with this API. Adapt the sections below to your API style — not every field applies to every protocol.
Endpoints / Connection Details
Environment | Address | Notes |
|---|---|---|
Production | https://api.example.com/v1 or grpc.example.com:443 | |
Staging | https://api.staging.example.com/v1 | Data resets weekly |
Local Development | localhost:8080 |
Authentication
Describe how consumers authenticate. Include the mechanism (API key, OAuth 2.0, mTLS, service account, JWT) and where credentials go (header, metadata, query param, certificate).
# Example: Bearer token (REST/GraphQL)
curl -H "Authorization: Bearer $API_TOKEN" https://api.example.com/v1/resource
# Example: gRPC metadata
grpcurl -H "authorization: Bearer $TOKEN" grpc.example.com:443 service.Method
# Example: API key
curl -H "X-API-Key: $KEY" https://api.example.com/v1/resourcePaste your API key or token here for reference (stored securely)
Authorization Model
Describe the permission model. What scopes, roles, or policies control access? How does a consumer request elevated permissions?
Scope / Role | Access Level | How to Request |
|---|---|---|
read | Read-only access to resources | Default for all API keys |
write | Create and update resources | Request via API settings dashboard |
admin | Full access including deletion and configuration | Requires approval from API owner |
API Contract
This section documents the operations, types, and behaviors your API exposes. Structure it according to your API style.
Operations
Document each operation with its purpose, input, output, and an example. Use the table below as a summary index, then provide detailed documentation for each operation.
Operation | Description | Auth Required | Idempotent |
|---|---|---|---|
GET /resources or ListResources() or query { resources } | Returns a list of resources matching the filter criteria | Yes | Yes |
POST /resources or CreateResource() or mutation { createResource } | Creates a new resource | Yes | No (use idempotency key) |
GET /resources/:id or GetResource() or query { resource(id) } | Returns a single resource by ID | Yes | Yes |
PUT /resources/:id or UpdateResource() | Replaces or updates a resource | Yes | Yes |
DELETE /resources/:id or DeleteResource() | Deletes a resource (soft or hard) | Yes | Yes |
Operation Detail: [Operation Name]
Document one operation in full. Duplicate this subsection for each operation that needs detailed documentation.
Dimension | Details |
|---|---|
Description | What this operation does and when to use it |
Endpoint / Method | REST: GET /resources, gRPC: service.ListResources, GraphQL: query { resources } |
Input Parameters | Required and optional parameters with types and constraints |
Response | What the successful response contains |
Side Effects | Does this operation trigger emails, webhooks, background jobs, or state changes in other systems? |
Caching | Is the response cacheable? For how long? What invalidates the cache? |
Request example:
# Adapt to your API style
curl -X GET "https://api.example.com/v1/resources?limit=10&offset=0" \
-H "Authorization: Bearer $TOKEN"Response example:
{
"data": [
{
"id": "res_abc123",
"name": "Example Resource",
"created_at": "2025-01-15T10:30:00Z"
}
],
"pagination": {
"total": 42,
"limit": 10,
"offset": 0
}
}Data Types / Schemas
Document the core data structures your API uses. For REST/GraphQL, these are your response shapes. For gRPC, these are your protobuf messages. For event-driven APIs, these are your event payloads.
Field | Type | Required | Description | Constraints |
|---|---|---|---|---|
id | string | Yes (response only) | Unique identifier, prefixed with resource type | Read-only, UUID or prefixed ID |
name | string | Yes | Human-readable name | 1-255 characters |
status | enum | Yes | Current state of the resource | active | archived | deleted |
created_at | datetime | Yes (response only) | ISO 8601 timestamp of creation | Read-only, UTC |
metadata | object | No | Arbitrary key-value pairs | Max 50 keys, 500 chars per value |
Error Handling
Document how errors are communicated. Every API style has a different error mechanism — HTTP status codes, gRPC status codes, GraphQL errors array, SOAP faults — but the principle is the same: give the consumer enough information to understand what went wrong and how to fix it.
Error Response Format
{
"error": {
"code": "RESOURCE_NOT_FOUND",
"message": "The requested resource does not exist.",
"details": {
"resource_id": "res_abc123"
},
"request_id": "req_xyz789"
}
}Error Codes
Code | HTTP / gRPC Status | Meaning | Consumer Action |
|---|---|---|---|
VALIDATION_ERROR | 400 / INVALID_ARGUMENT | Request input failed validation | Fix the input and retry |
UNAUTHORIZED | 401 / UNAUTHENTICATED | Missing or invalid credentials | Re-authenticate and retry |
FORBIDDEN | 403 / PERMISSION_DENIED | Valid credentials but insufficient permissions | Request elevated access from API owner |
RESOURCE_NOT_FOUND | 404 / NOT_FOUND | The requested resource does not exist | Verify the ID; the resource may have been deleted |
CONFLICT | 409 / ALREADY_EXISTS | Operation conflicts with current state | Fetch current state and resolve the conflict |
RATE_LIMITED | 429 / RESOURCE_EXHAUSTED | Too many requests | Back off using the Retry-After header or exponential backoff |
INTERNAL_ERROR | 500 / INTERNAL | Unexpected server error | Retry with exponential backoff; report if persistent |
Pagination, Filtering & Sorting
If your API returns lists, document the pagination strategy. Different strategies have different trade-offs:
Strategy | Best For | Trade-off |
|---|---|---|
Offset (page/per_page) | Simple UIs, small datasets | Inconsistent results if data changes between pages |
Cursor (after/before) | Large datasets, real-time data, infinite scroll | Cannot jump to arbitrary page |
Keyset (after_id + limit) | Ordered data with unique keys | Requires stable sort key |
Document your specific implementation: what parameters control pagination, how the consumer gets the next page, and what the maximum page size is.
Rate Limiting & Quotas
Document the rate limits and how they are communicated to consumers. If limits differ by tier, plan, or operation, make that clear.
Tier / Plan | Limit | Window | Scope |
|---|---|---|---|
Free / Default | 100 requests | Per minute | Per API key |
Pro | 1,000 requests | Per minute | Per API key |
Enterprise | Custom | Custom | Negotiated per contract |
Rate limit feedback (adapt to your API style):
REST: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset headers
gRPC: Rate limit info in trailing metadata or RESOURCE_EXHAUSTED status with retry-after detail
GraphQL: Rate limit info in the extensions field of the response
Reliability & Resilience
Document the operational characteristics that consumers need to build reliable integrations. This section is the difference between an API that works in a demo and one that works in production.
SLA / SLO
Metric | Target | Measurement |
|---|---|---|
Availability | 99.9% uptime | Measured monthly, excluding scheduled maintenance |
Latency (p50) | < 100ms | Measured at the API gateway |
Latency (p99) | < 500ms |
Retry & Idempotency
Guide consumers on how to safely retry failed requests:
Which operations are idempotent and safe to retry without side effects?
For non-idempotent operations: does the API support an idempotency key? How should the consumer pass it?
Recommended retry strategy: exponential backoff with jitter, max retries, circuit breaker thresholds
Timeouts
Recommended client-side timeout settings:
Operation Type | Recommended Timeout | Notes |
|---|---|---|
Read (list, get) | 5 seconds | Fail fast; data is eventually consistent anyway |
Write (create, update) | 10 seconds | Allow for transaction commit |
Long-running / batch | 30-60 seconds | Consider async pattern with polling instead |
Versioning & Deprecation
Document how the API evolves without breaking consumers. This is where trust is built or destroyed.
Dimension | Policy |
|---|---|
Versioning strategy | URL path (/v1/) / header / query param / content negotiation / package version |
Breaking change policy | Minimum N months notice before breaking changes; old version supported for M months after new version launches |
Non-breaking changes | Additive changes (new fields, new operations) ship without version bump; consumers must tolerate unknown fields |
Deprecation signals | Deprecated operations return a Deprecation header / emit a warning / are marked in the schema |
Migration support | Migration guides published for each major version; codemods or adapter libraries provided when feasible |
Events & Webhooks
If this API emits events (webhooks, message queue topics, server-sent events, WebSocket messages), document them here. If not applicable, delete this section.
Event | Trigger | Payload Schema | Delivery Guarantee |
|---|---|---|---|
resource.created | A new resource is created | Link to schema or describe inline | At least once |
resource.updated | A resource is modified | At least once | |
resource.deleted | A resource is deleted | At least once |
Delivery mechanism: HTTP webhook / message queue (Kafka, SQS, Pub/Sub) / WebSocket / SSE
Retry policy: How many times, how long between retries, what happens after max retries?
Ordering: Are events guaranteed to arrive in order? If not, how should consumers handle out-of-order delivery?
Signature verification: How consumers verify that the event is authentic (HMAC, JWT, mTLS)
SDKs & Client Libraries
List the official and community-maintained client libraries. If none exist, document how to generate a client from the API definition (OpenAPI codegen, protoc, GraphQL codegen).
Language | Package | Status | Install |
|---|---|---|---|
Python | example-api-python | Official | pip install example-api |
JavaScript/TypeScript | @example/api-client | Official | npm install @example/api-client |
Go | github.com/example/api-go | Community | go get github.com/example/api-go |
Observability & Debugging
Help consumers debug integration issues. This section saves your support team hundreds of hours.
Request ID: Every response includes a request_id (or trace ID). Include this in support requests.
Status page: Link to your API status page for incident and maintenance updates
Health check endpoint: Link or describe the health/readiness probe consumers can poll
Logging recommendations: What should consumers log on their side for effective debugging?
Sandbox / test mode: How to test the integration without affecting production data
Support channel: Where to get help (Slack channel, email, issue tracker, forum)
Changelog
Track changes to the API contract. Consumers rely on this to understand what changed and whether they need to update their integration.
Date | Version | Change | Type | Migration Required |
|---|---|---|---|---|
v1.0 | Initial release | Release | N/A | |
Addition | No | |||
Deprecation |
Other Engineering templates
-
Project READMEDocument a project's purpose, setup instructions, architecture, and contribution guidelines. -
Architecture Decision Record (ADR)Structured record of an architecture decision: context, options evaluated, decision rationale, and consequences. -
Bug ReportReport a bug with reproduction steps, expected vs. actual behavior, and environment details.