API Development Workflow

Master the complete API development workflow from authentication to testing. This guide walks you through building, documenting, and testing REST APIs using industry-standard tools and practices.

Overview

Modern API development involves multiple stages: designing the API specification, implementing authentication, building and testing endpoints, and documenting the API for consumers. This workflow demonstrates how to use StrateCode DevTools at each stage to streamline your development process.

Estimated time: 30-45 minutes

Prerequisites: Basic understanding of REST APIs, HTTP methods, and JSON

Step 1: Design Your API with OpenAPI

Start by defining your API structure using the OpenAPI specification format. This provides a contract that both frontend and backend teams can work from.

Example OpenAPI Specification

openapi: 3.0.0
info:
  title: User Management API
  version: 1.0.0
  description: API for managing user accounts

paths:
  /api/users:
    get:
      summary: List all users
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/User'
    post:
      summary: Create a new user
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UserInput'
      responses:
        '201':
          description: User created

components:
  schemas:
    User:
      type: object
      properties:
        id:
          type: string
        email:
          type: string
        name:
          type: string
    UserInput:
      type: object
      required:
        - email
        - name
      properties:
        email:
          type: string
        name:
          type: string

Use the OpenAPI Viewer to visualize and validate your specification. Paste your YAML or JSON specification to see an interactive documentation preview.

Step 2: Generate JWT Tokens for Authentication

Most modern APIs use JWT (JSON Web Tokens) for authentication. Generate tokens with appropriate claims for testing your protected endpoints.

Example JWT Payload

{
  "sub": "user123",
  "email": "developer@example.com",
  "role": "admin",
  "iat": 1640000000,
  "exp": 1640086400
}

Use the JWT Generator to create tokens with custom claims. Select your algorithm (HS256 for development, RS256 for production), add your payload, and generate the token. Save this token for testing authenticated endpoints.

💡 Tip: For development, use HS256 with a simple secret. For production, use RS256 with public/private key pairs for better security.

Step 3: Build API Requests with Curl

Construct your API requests using the curl command builder. This visual interface helps you configure all request parameters without memorizing curl syntax.

Open the Curl Command Builder
Select your HTTP method (GET, POST, PUT, DELETE)
Enter your API endpoint URL
Add headers (Content-Type, Authorization)
Add request body for POST/PUT requests
Copy the generated curl command

Example: Create User Request

curl -X POST https://api.example.com/api/users \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -d '{
    "email": "newuser@example.com",
    "name": "New User"
  }'

Step 4: Convert Curl to JavaScript Fetch

Once you've tested your API with curl, convert the commands to JavaScript fetch() calls for your frontend application.

Use the Curl to Fetch Converter to transform your curl commands into clean JavaScript or TypeScript code.

Generated Fetch Code

const response = await fetch('https://api.example.com/api/users', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'
  },
  body: JSON.stringify({
    email: 'newuser@example.com',
    name: 'New User'
  })
});

const data = await response.json();
console.log(data);

Step 5: Inspect and Debug HTTP Headers

When debugging API issues, inspect request and response headers to understand what's being sent and received.

Use the HTTP Header Inspector to parse and analyze headers. Paste raw header strings to see structured output with explanations for common headers.

Example Headers to Inspect

Content-Type: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Cache-Control: no-cache
X-RateLimit-Remaining: 99
X-Request-ID: abc123def456

Step 6: Validate and Format API Responses

Validate JSON responses from your API to ensure they match your expected schema and format them for better readability during development.

Copy the JSON response from your API
Use JSON Validator to check for syntax errors
Use JSON Formatter to beautify the response
Use JSONPath Tester to extract specific fields

Example: Extract User Emails with JSONPath

// JSONPath expression
$.users[*].email

// Extracts all email addresses from:
{
  "users": [
    { "id": "1", "email": "user1@example.com", "name": "User One" },
    { "id": "2", "email": "user2@example.com", "name": "User Two" }
  ]
}

// Result: ["user1@example.com", "user2@example.com"]

Complete Workflow Example

Here's how all the tools work together in a real API development scenario:

Design: Create OpenAPI spec → Validate with OpenAPI Viewer
Authenticate: Generate test JWT → Use JWT Generator
Build Request: Configure endpoint → Use Curl Builder
Test: Execute curl command in terminal
Debug: Inspect headers → Use Header Inspector
Validate: Check response JSON → Use JSON Validator
Implement: Convert to fetch() → Use Curl to Fetch

Best Practices

Version your API: Include version numbers in your OpenAPI spec and URLs
Use proper HTTP methods: GET for reading, POST for creating, PUT for updating, DELETE for removing
Implement proper error handling: Return appropriate HTTP status codes and error messages
Secure your endpoints: Always use HTTPS and validate JWT tokens on the server
Document everything: Keep your OpenAPI specification up-to-date as your API evolves
Test edge cases: Test with invalid tokens, missing headers, and malformed JSON

Related Tools

OpenAPI Viewer - Visualize API specifications
JWT Generator - Create authentication tokens
JWT Decoder - Inspect token contents
Curl Command Builder - Build HTTP requests
Curl to Fetch Converter - Convert to JavaScript
HTTP Header Inspector - Analyze headers
JSON Formatter - Format API responses
JSON Validator - Validate JSON syntax
JSONPath Tester - Extract data from responses

Frequently Asked Questions

What's the difference between HS256 and RS256 JWT algorithms?

HS256 uses a symmetric secret key (same key for signing and verifying), making it simpler but requiring the secret to be shared. RS256 uses asymmetric keys (private key for signing, public key for verifying), which is more secure for distributed systems where multiple services need to verify tokens.

How do I handle JWT expiration in my application?

Include an "exp" claim in your JWT payload with a Unix timestamp. The server should reject expired tokens. Implement token refresh logic in your frontend to request new tokens before expiration.

Can I use these tools for production API testing?

Yes! All tools run entirely in your browser, so your API credentials and data never leave your device. However, never commit JWT secrets or API keys to version control.

What's the best way to organize OpenAPI specifications?

Split large specifications into multiple files using $ref references. Keep schemas in a separate components section. Use tags to group related endpoints. Version your spec files alongside your code.

How do I test APIs that require OAuth2 authentication?

First obtain an access token through your OAuth2 flow, then use the JWT Generator to create test tokens with similar claims. For actual OAuth2 testing, use the curl builder to construct token exchange requests.