Network Working Group
Internet Engineering Task Force (IETF) K. Smith
Internet-Draft
Request for Comments: 9727 Vodafone
Intended status:
Category: Standards Track 20 December 2024
Expires: 23 June 2025
ISSN: 2070-1721
api-catalog: a well-known A Well-Known URI and link relation Link Relation to help discovery Help Discovery of
APIs
draft-ietf-httpapi-api-catalog-08
Abstract
This document defines the "api-catalog" well-known URI and link
relation. It is intended to facilitate automated discovery and usage
of published APIs. Application Programming Interfaces (APIs). A request to
the api-catalog resource will return a document providing information
about, and links to, the publisher's Publisher's APIs.
About This Document
This note is to be removed before publishing as an RFC.
The latest revision of this draft can be found at https://ietf-wg-
httpapi.github.io/api-catalog/draft-ietf-httpapi-api-catalog.html.
Status information for this document may be found at
https://datatracker.ietf.org/doc/draft-ietf-httpapi-api-catalog/.
Discussion of this document takes place on the Building Blocks for
HTTP APIs Working Group mailing list (mailto:httpapi@ietf.org), which
is archived at https://mailarchive.ietf.org/arch/browse/httpapi/.
Subscribe at https://www.ietf.org/mailman/listinfo/httpapi/.
Source for this draft and an issue tracker can be found at
https://github.com/ietf-wg-httpapi/api-catalog.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list It represents the consensus of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid the IETF community. It has
received public review and has been approved for a maximum publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of six months RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be updated, replaced, or obsoleted by other documents obtained at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 23 June 2025.
https://www.rfc-editor.org/info/rfc9727.
Copyright Notice
Copyright (c) 2024 2025 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info)
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Revised BSD License text as described in Section 4.e of the
Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Goals and non-goals . . . . . . . . . . . . . . . . . . . 3 Non-Goals
1.2. Notational Conventions . . . . . . . . . . . . . . . . . 4
2. Using the 'api-catalog' well-known "api-catalog" Well-Known URI . . . . . . . . . . . 4
3. The api-catalog link relation . . . . . . . . . . . . . . . . 5 Link Relation
3.1. Using additional link relations . . . . . . . . . . . . . 5 Additional Link Relations
4. The API catalog document . . . . . . . . . . . . . . . . . . 6 Catalog Document
4.1. API catalog contents . . . . . . . . . . . . . . . . . . 6 Catalog Contents
4.2. API catalog formats . . . . . . . . . . . . . . . . . . . 6 Catalog Formats
4.3. Nesting API catalog links . . . . . . . . . . . . . . . . 7 Catalog Links
5. Operational considerations . . . . . . . . . . . . . . . . . 7 Considerations
5.1. Accounting for APIs distributed across multiple
domains . . . . . . . . . . . . . . . . . . . . . . . . . 7 Distributed Across Multiple Domains
5.2. Internal use Use of api-catalog for private Private APIs . . . . . . 8
5.3. Scalability guidelines . . . . . . . . . . . . . . . . . 8 Guidelines
5.4. Monitoring and maintenance . . . . . . . . . . . . . . . 9 Maintenance
5.5. Integration with existing Existing API management frameworks . . . 10 Management Frameworks
6. Conformance to RFC8615 . . . . . . . . . . . . . . . . . . . 11 RFC 8615
6.1. Path suffix . . . . . . . . . . . . . . . . . . . . . . . 11 Suffix
6.2. Formats and associated media types . . . . . . . . . . . 11
6.3. Registration of the api-catalog well-known URI . . . . . 11 Associated Media Types
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
7.1. The api-catalog well-known Well-Known URI . . . . . . . . . . . . . 12
7.2. The api-catalog link relation . . . . . . . . . . . . . . 12 Link Relation
7.3. The api-catalog Profile URI . . . . . . . . . . . . . . . 12
8. Security Considerations . . . . . . . . . . . . . . . . . . . 12
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
9.1. Normative References . . . . . . . . . . . . . . . . . . 13
9.2. Informative References . . . . . . . . . . . . . . . . . 14
Appendix A. Example API catalog documents . . . . . . . . . . . 15 Catalog Documents
A.1. Using Linkset with RFC8615 relations . . . . . . . . . . 15 Link Relations Defined in RFC 8631
A.2. Using Linkset with bookmarks . . . . . . . . . . . . . . 17 Bookmarks
A.3. Other API catalog formats . . . . . . . . . . . . . . . . 18 Catalog Formats
A.4. Nesting API catalog links . . . . . . . . . . . . . . . . 18
Appendix B. Catalog Links
Acknowledgements . . . . . . . . . . . . . . . . . . 19
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 19
1. Introduction
An application may publish Application Programming Interfaces (APIs) APIs to encourage requests for interaction
from external parties. Such APIs must be discovered before they may
be used - used, i.e., the external party needs to know what APIs a given publisher
Publisher exposes, their purpose, any policies for usage, and the
endpoint to interact with each API. To facilitate automated
discovery of this information, information and automated usage of the APIs, this
document proposes:
* a well-known URI [WELL-KNOWN], 'api-catalog', "api-catalog", that is encoded as a
URI reference to an API catalog document describing a Publisher's
API endpoints.
* a link relation [WEB-LINKING], 'api-catalog', "api-catalog", of which the target
resource is the Publisher's API catalog document.
1.1. Goals and non-goals Non-Goals
The primary goal of this document is to facilitate the automated
discovery of a Publisher's public API endpoints, along with metadata
that describes the purpose and usage of each API, by specifying a
well-known URI that returns an API catalog document. The API catalog
document is primarily machine-readable to enable automated discovery
and usage of APIs, and it may also include links to human-readable
documentation (see the example in Appendix A.1).
Non-goals: this This document does not mandate paths for API endpoints. endpoints,
i.e., it does not mandate that my_example_api's endpoint should be
https://www.example.com/.well-known/api-catalog/my_example_api, nor
even to be hosted at www.example.com (although it is not forbidden to
do so).
1.2. Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. These words may also appear in this
document in lower case as plain English words, absent their normative
meanings.
The terms "content negotiation" and "status code" are from [HTTP].
The term "well-known URI" is from [WELL-KNOWN]. The term "link
relation" is from [WEB-LINKING].
The term "Publisher" refers to an organisation, company company, or
individual that publishes one or more APIs for usage use by external third
parties. A fictional Publisher named "example" is used throughout
this document. The examples use the FQDNs Fully Qualified Domain Names
(FQDNs) "www.example.com",
"developer.example.com" ,"apis.example.com", "developer.example.com",
"apis.example.com", "apis.example.net", "gaming.example.com", "iot.example.net",where the use of and
"iot.example.net", where the .com and .net TLDs Top-Level Domains (TLDs)
and various subdomains are simply used to illustrate that the
"example" Publisher may have their API portfolio distributed across
various domains for which they are the authority. For scenarios Scenarios where
the Publisher "example" is not the authority for a given _.example._
domain then that is are made explicit in the text.
In this document, "API" means refers to the specification resources
required for an external party (or in the case of 'private' "private" APIs, an
internal party) to implement software which that uses the Publisher's Application
Programming Interface. API.
The specification recommends the use of TLS, hence TLS. Hence, "HTTPS" and
"https://" are used throughout.
2. Using the 'api-catalog' well-known "api-catalog" Well-Known URI
The api-catalog well-known URI is intended for HTTPS servers that
publish APIs.
* The API catalog MUST be named "api-catalog" in a well-known
location as described by [WELL-KNOWN].
* The location of the API catalog document is decided by the
Publisher: the
Publisher. The /.well-known/api-catalog URI provides a convenient
reference to that location.
A Publisher supporting this URI:
* SHALL resolve an HTTPS GET request to /.well-known/api-catalog and
return an API catalog document ( as (as described in Section 4 ). 4).
* SHALL resolve an HTTPS HEAD request to /.well-known/api-catalog
with a response including a Link header with the relation(s)
defined in Section 3 3.
3. The api-catalog link relation Link Relation
This document introduces a new link relation [WEB-LINKING], "api-
catalog". This identifies a target resource that represents a list
of APIs available from the Publisher of the link context. The target
resource URI may be /.well-known/api-catalog , or any other URI chosen
by the Publisher. For example, the Publisher 'example' "example" could include
the api-catalog link relation in the HTTP header and/or content
payload when responding to a request to
https://www.example.com : https://www.example.com:
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Location: /index.html
Link: </my_api_catalog.json>; rel=api-catalog
Content-Length: 356
<!DOCTYPE HTML>
<html>
<head>
<title>Welcome to Example Publisher</title>
</head>
<body>
<p>
<a href="my_api_catalog.json" rel="api-catalog">
Example Publisher's APIs
</a>
</p>
<p>(remainder of content)</p>
</body>
</html>
3.1. Using additional link relations
* "item" [RFC6573]. Additional Link Relations
When used in an API catalog document, the "item" [RFC6573] link
relation identifies a target resource that represents an API that is
a member of the API catalog.
*
Other link relations may be utilised in an API catalog to convey
metadata descriptions for API links.
4. The API catalog document Catalog Document
The API catalog is a document listing a Publisher's APIs. The
Publisher may host the API catalog document at any URI(s) they
choose. As illustration, For example, the API catalog document URI of
https://www.example.com/my_api_catalog.json can be requested
directly, directly
or via a request to https://www.example.com/.well-known/
api-catalog, https://www.example.com/.well-known/api-catalog,
which the Publisher will resolve to
https://www.example.com/my_api_catalog. https://www.example.com/
my_api_catalog.
4.1. API catalog contents Catalog Contents
The API catalog MUST include hyperlinks to API endpoints, and endpoints. It is
RECOMMENDED to include that the API catalog also includes useful metadata, such
as usage policies, API version information, links to the OpenAPI
Specification [OAS] definitions for each API, etc. If the Publisher
does not include that metadata directly in the API catalog document,
they SHOULD make that metadata available at the API endpoint URIs
they have listed (see Appendix A.2 for an example).
4.2. API catalog formats Catalog Formats
The Publisher MUST publish the API catalog document in the Linkset
format application/linkset+json (section (Section 4.2 of [RFC9264]). The
Linkset SHOULD include a profile parameter (section (Section 5 of [RFC9264])
with a Profile URI [RFC7284] value of 'THIS-RFC-URL' "https://www.rfc-
editor.org/info/rfc9727" to indicate the Linkset is representing an
API catalog document as defined above. Appendix A includes example
API catalog documents based on the Linkset format.
The Publisher MAY make additional formats available via content
negotiation (section 5.3 (Section 12 of [HTTP]) to their /.well-known/api-catalog
location. A non-exhaustive list of such formats that support the
automated discovery, discovery and machine (and human) usage of a Publisher's
APIs,
APIs is listed at Appendix A.3. If a Publisher already lists their
APIs in a format other than Linkset Linkset, but wish wishes to utilise the /.well-
known/api-catalog
/.well-known/api-catalog URI, then:
* They MUST also implement a Linkset with, at minimum, hyperlinks to
API endpoints - endpoints; see the example of Appendix A.2 in Appendix A. A.2.
* They MAY support content negotiation at the /.well-known/api-
catalog URI to allow for the return of their existing format to be returned. format.
4.3. Nesting API catalog links Catalog Links
An API catalog may itself contain links to other API catalogs, catalogs by
using the 'api-catalog' "api-catalog" relation type for each link. An example of
this is given in Appendix A.4.
5. Operational considerations Considerations
5.1. Accounting for APIs distributed across multiple domains Distributed Across Multiple Domains
A Publisher ("example") may have their APIs hosted across multiple
domains that they manage: manage, e.g., at www.example.com,
developer.example.com, apis.example.com, apis.example.net apis.example.net, etc. They
may also use a third-party API hosting provider which that hosts APIs on a
distinct domain.
To account for this scenario, it is RECOMMENDED that:
* The Publisher also publish the api-catalog well-known URI at each
of their API domains e.g. domains, e.g., https://apis.example.com/.well-known/
api-catalog, https://developer.example.net/.well-known/api-catalog https://developer.example.net/.well-known/api-
catalog, etc.
* An HTTPS GET request to any of these URIs returns the same result,
namely, the API catalog document.
* Since the physical location of the API catalog document is decided
by the Publisher, and may change, the The Publisher choose one of their instances of /.well-known/api-catalog /.well-known/api-
catalog as a canonical reference to the location of the latest API catalog.
catalog since the physical location of the API catalog document is
decided by the Publisher and may change. The Publisher's other
instances of /.well-known/api-catalog should redirect to this
canonical instance of /.well-known/api-catalog to ensure the
latest API catalog is returned.
For example, if the Publisher's primary API portal is
https://apis.example.com, then https://apis.example.com/.well-known/
api-catalog should resolve to the location of the Publisher's latest
API catalog document. If the Publisher is also the domain authority
for www.example.net, which also hosts a selection of their APIs, then
a request to https://www.example.net/.well-known/api-catalog should
redirect to https://apis.example.com/.well-known/api-catalog . https://apis.example.com/.well-known/api-catalog.
If the Publisher is not the domain authority for www.example.net - or
any third-party domain that hosts any of the Publisher's APIs - www.example.net,
then the Publisher Publisher's API Catalog MAY include a link in its own to the API
catalog to that of the third-party domain's API catalog. that is the domain authority for
www.example.net. For example, the API catalog available at https://apis.example.com/.well-known/api-catalog)
https://apis.example.com/.well-known/api-catalog may list APIs hosted
at apis.example.com and also link to the API catalog hosted at
https://www.example.net/.well-known/api-catalog using the
"api-catalog" "api-
catalog" link relation:
{
"linkset": [
{
"anchor": "https://www.example.com/.well-known/api-catalog",
"item": [
{
"href": "https://developer.example.com/apis/foo_api"
},
{
"href": "https://developer.example.com/apis/bar_api"
},
{
"href": "https://developer.example.com/apis/cantona_api"
}
],
"api-catalog": "https://www.example.net/.well-known/api-catalog"
}
]
}
5.2. Internal use Use of api-catalog for private Private APIs
A Publisher may wish to use the api-catalog well-known URI on their
internal network, network to signpost authorised users (e.g. (e.g., company
employees) towards internal/private APIs not intended for third-party
use. This scenario may incur additional security considerations, considerations as
noted in Section 8.
5.3. Scalability guidelines Guidelines
In cases where a Publisher has a large number of APIs, APIs potentially
deployed across multiple domains, then two challenges may arise:
* Maintaining the catalog entries to ensure they are up to date and
correcting any errors corrected. errors.
* Restricting the catalog size to help reduce network and client-
processing overheads.
In both cases cases, a Publisher may benefit from grouping their APIs,
providing an API catalog document for each group - and use using the main
API catalog hosted at /.well-known/api-catalog to provide links to
these. For example example, a Publisher may decide to group their APIs
according to a business category (e.g. 'gaming APIs', 'anti-fraud
APIs etc.) or (e.g., "gaming APIs", "anti-fraud
APIs", etc.), a technology category (e.g. ''IOT', 'networks', 'AI' (e.g., "IOT", "networks", "AI",
etc.), or any other criterion. This grouping may already be implicit where
the Publisher has already published their APIs across multiple
domains, e.g. e.g., at gaming.example.com, iot.example.net, etc.
Section 4.3 shows how the API catalog at /.well-known/api-catalog can
use the api-catalog link relation to point to other API catalogs.
The Publisher SHOULD consider caching and compression techniques to
reduce the network overhead of large API catalogs.
5.4. Monitoring and maintenance Maintenance
Publishers are RECOMMENDED to follow operational best practice when
hosting API catalog(s), including including, but not limited to:
* Availability. The Publisher should monitor availability of the
API catalog, catalog and consider alternate means to resolve requests to
/.well-known/api-catalog during planned downtime of hosts.
* Performance. Although the performance of APIs listed in an API
catalog can demand high transactions per second and low-latency
response, the retrieval of the API catalog itself to discover
those APIs is less likely to incur strict performance demands.
That said, the Publisher should monitor the response time to
fulfil a request for the API catalog, catalog and determine any necessary
improvements (as with any other Web resource the Publisher
serves). For large API catalogs, the Publisher should consider
the techniques described in Section 5.3.
* Usage. Since the goal of the api-catalog well-known URI is to
facilitate discovery of APIs, the Publisher may wish to correlate
requests to the /.well-known/api-catalog URI with subsequent
requests to the API URIs listed in the catalog.
* Current data. The Publisher should include the removal of stale
API entries from the API catalog as part of their API release
lifecycle. The Publisher MAY decide to include metadata regarding
legacy API versions or deprecated APIs to help users of those APIs
discover up-to-date alternatives.
* Correct metadata. The Publisher should include human and/or
automated checks for syntax errors in the API catalog. Automated
checks include format validation (e.g. (e.g., to ensure valid JSON
syntax) and linting to enforce business rules - rules, such as removing
duplicate entries and ensuring descriptions are correctly named
with valid values. A proofread of the API catalog as part of the
API release lifecycle is RECOMMENDED to detect any errors in
business grammar (for example, an API entry that is described with
valid syntax, but has been allocated an incorrect or outdated
description.)
* Security best practice, as set out in practice. See Section 8.
5.5. Integration with existing Existing API management frameworks Management Frameworks
A Publisher may already utilise an API management framework to
produce their API portfolio. These frameworks typically include the
publication of API endpoint URIs, deprecation and redirection of
legacy API versions, API usage policies and documentation, etc. The
api-catalog well-known URI and API catalog document are intended to
complement API management frameworks by facilitating the discovery of
the framework's outputs - -- API endpoints, usage policies policies, and
documentation - -- and are not intended to replace any existing API
discovery mechanisms the framework has implemented.
Providers of such frameworks may include the production of an API
catalog and the publication of the /.well-known/api-catalog URI as a
final pre-release (or post-release) step in the release management
workflow. The following steps are recommended: recommended.
If the /.well-known/api-catalog URI has not been published previously
,
previously, the framework provider should:
* Collate and check the metadata for each API that will be included
in the API catalog. This metadata is likely to already exist in
the framework.
* Determine which metadata to include in the API catalog, catalog following
the requirements set out in Section 4.1 and the considerations set
out in Section 5.
* Map the chosen metadata to the format(s) described in Section 4.2.
Where
The structure suggested in Appendix A.2 may be followed where only
the hyperlinks to APIs are to be included in the API
catalog, then the structure suggested in Appendix A.2 may be
followed. catalog.
Where possible possible, the API catalog should include further metadata
per the guidance in Section 4.1, 4.1; in which case case, the structure
suggested in Appendix A can be utilised and adapted (ensuring
compliance to [RFC9264]) to reflect the nature of the chosen
metadata.
* Publish the /.well-known/api-catalog URI following the guidance
set out in Section 2.
If the /.well-known/api-catalog URI has previously been published,
the framework provider should:
* Include a step in the release management lifecycle to refresh the
API catalog following any changes in API hyperlinks or published
metadata. This could include placing triggers on certain metadata
fields, so that as they are updated in pre-production on the API
framework, the updates are pushed to a pre-production copy of the
API catalog to be pushed live when the release is published by the
framework.
6. Conformance to RFC8615 RFC 8615
The requirements in section Section 3 of [WELL-KNOWN] for defining Well-Known
Uniform Resource Identifiers
URIs are met as described in the following
sub-sections. subsections.
6.1. Path suffix Suffix
The api-catalog URI SHALL be appended to the /.well-known/ path-
prefix for "well-known locations".
6.2. Formats and associated media types Associated Media Types
A /.well-known/api-catalog location MUST support the Linkset
[RFC9264] format of application/linkset+json, application/linkset+json and MAY also support the
other formats via content negotiation.
6.3. Registration of the api-catalog well-known URI
See Section 7 considerations below.
7. IANA Considerations
7.1. The api-catalog well-known Well-Known URI
This specification registers the "api-catalog" well-known URI in the
Well-Known URI Registry
"Well-Known URIs" registry as defined by [WELL-KNOWN].
*
URI suffix: Suffix: api-catalog
*
Reference: RFC 9727
Status: permanent
Change Controller: IETF
* Specification document(s): THIS-RFC
* Status: permanent
7.2. The api-catalog link relation Link Relation
This specification registers the "api-catalog" link relation in the
"Link Relation Types" registry by following the procedures per section
Section 2.1.1.1 of [WEB-LINKING]
* [WEB-LINKING].
Relation Name: api-catalog
*
Description: Refers to a list of APIs available from the publisher Publisher
of the link context.
*
Reference: THIS-RFC RFC 9727
7.3. The api-catalog Profile URI
This specification registers "THIS-RFC-URL" "https://www.rfc-editor.org/info/
rfc9727" in the "Profile URIs" registry according to [RFC7284].
*
Profile URI: THIS-RFC-URL
* https://www.rfc-editor.org/info/rfc9727
Common Name: API catalog
*
Description: A profile Profile URI to request or signal a Linkset
representing an API catalog.
*
Reference: THIS-RFC
RFC Editor's Note: IANA is kindly requested to replace all instances
of THIS-RFC and THIS-RFC-URL with the actual RFC number/URL once
assigned. 9727
8. Security Considerations
For all scenarios:
* TLS SHOULD be used, i.e. i.e., make /.well-known/api-catalog available
exclusively over HTTPS, to ensure no tampering of the API catalog catalog.
* The Publisher SHOULD take into account the Security Considerations security considerations
from section Section 4 of [WELL-KNOWN].
* The Publisher SHOULD perform a security and privacy review of the
API catalog prior to deployment, deployment to ensure it does not leak
personal, business business, or other sensitive metadata, nor expose any
vulnerability related to the APIs listed.
* The Publisher SHOULD enforce read-only privileges for external
requests to .well-known/api-catalog, .well-known/api-catalog and for internal systems and
roles that monitor the .well-known/api-catalog URI. Write
privileges SHOULD only be granted to roles that perform updates to
the API catalog and/or the forwarding rewrite rules for the .well-
known/api-catalog URI.
* As with any Web offering, it is RECOMMENDED to apply rate-limiting
measures to help mitigate abuse and prevent Denial-of-Service denial-of-service
attacks on the API catalog endpoint.
For the public-facing APIs scenario: scenario, security teams SHOULD
additionally audit the API catalog to ensure no APIs intended solely
for internal use have been mistakenly included. For example, a
catalog hosted on https://developer.example.com should not expose
unnecessary metadata about any internal domains (e.g. (e.g.,
https://internal.example.com).
For the internal/private APIs scenario: scenario, the Publisher SHOULD take
steps to ensure that appropriate controls - controls, such as CORS Cross-Origin
Resource Sharing (CORS) policies and access control lists - lists, are in
place to ensure only authorised roles and systems may access an
internal api-catalog well-known URI.
A comprehensive API catalog that is regularly audited may assist the
Publisher in decommissioning 'zombie' APIs "zombie" APIs, i.e., legacy/obsolete
APIs that should no longer be available. Such APIs represent a
security vulnerability as they are unlikely to be supported,
monitored,
patched patched, or updated.
Note the registration of domain names and associated policies is out
of scope of this document.
9. References
9.1. Normative References
[HTTP] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
Ed., "HTTP Semantics", STD 97, RFC 9110,
DOI 10.17487/RFC9110, June 2022,
<https://www.rfc-editor.org/rfc/rfc9110>.
<https://www.rfc-editor.org/info/rfc9110>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>.
<https://www.rfc-editor.org/info/rfc2119>.
[RFC6573] Amundsen, M., "The Item and Collection Link Relations",
RFC 6573, DOI 10.17487/RFC6573, April 2012,
<https://www.rfc-editor.org/rfc/rfc6573>.
<https://www.rfc-editor.org/info/rfc6573>.
[RFC7284] Lanthaler, M., "The Profile URI Registry", RFC 7284,
DOI 10.17487/RFC7284, June 2014,
<https://www.rfc-editor.org/rfc/rfc7284>.
<https://www.rfc-editor.org/info/rfc7284>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. <https://www.rfc-editor.org/info/rfc8174>.
[RFC9264] Wilde, E. and H. Van de Sompel, "Linkset: Media Types and
a Link Relation Type for Link Sets", RFC 9264,
DOI 10.17487/RFC9264, July 2022,
<https://www.rfc-editor.org/rfc/rfc9264>.
<https://www.rfc-editor.org/info/rfc9264>.
[WEB-LINKING]
Nottingham, M., "Web Linking", RFC 8288,
DOI 10.17487/RFC8288, October 2017,
<https://www.rfc-editor.org/rfc/rfc8288>.
<https://www.rfc-editor.org/info/rfc8288>.
[WELL-KNOWN]
Nottingham, M., "Well-Known Uniform Resource Identifiers
(URIs)", RFC 8615, DOI 10.17487/RFC8615, May 2019,
<https://www.rfc-editor.org/rfc/rfc8615>.
<https://www.rfc-editor.org/info/rfc8615>.
9.2. Informative References
[APIsjson] Kin Lane Lane, K. and Steve S. Willmott, "APIs.json", 15 September
2020, <http://apisjson.org/format/apisjson_0.16.txt>. "API Discovery Format", 6
November 2024,
<https://apisjson.org/format/apisjson_0.19.txt>. Latest
version available at <https://apisjson.org/>.
[HAL] Mike Kelly, M., "JSON Hypertext Application Language", 15
September 2020, Work in
Progress, Internet-Draft, draft-kelly-json-hal-11, 19
October 2023, <https://datatracker.ietf.org/doc/html/
draft-kelly-json-hal-11>.
[OAS] Darrel Miller, Jeremy D., Ed., Andrews, H., Ed., Whitlock, Marsh J., Ed.,
Mitchell, L., Ed., Gardiner, Mike
Ralphson, Ron Ratovsky, M., Ed., Quintero, M., Ed.,
Kistler, M., Ed., Handl, R., Ed., and Uri Sarid, R. Ratovsky, Ed.,
"OpenAPI Specification 3.1.0", 15 February 2021, v3.1.0", 24 October 2024,
<https://spec.openapis.org/oas/latest>. Latest version
available at <https://spec.openapis.org/oas/latest.html>.
[RESTdesc] Ruben Verborgh, Erik R., Mannens, Rick E., Van de Walle, R., and
Thomas T.
Steiner, "RESTdesc", 15 September 2023,
<http://apisjson.org/format/apisjson_0.16.txt>. 2025,
<https://restdesc.org/about/descriptions>.
[RFC8631] Wilde, E., "Link Relation Types for Web Services",
RFC 8631, DOI 10.17487/RFC8631, July 2019,
<https://www.rfc-editor.org/rfc/rfc8631>.
<https://www.rfc-editor.org/info/rfc8631>.
[WebAPIext]
Mike Ralphson
Ralphson, M., Ed. and Nick N. Evans, "WebAPI Ed., "WADG0001 WebAPI type
extension", Draft Community Group Report, 8 July 2020,
<https://webapi-discovery.github.io/rfcs/rfc0001.html>.
Appendix A. Example API catalog documents Catalog Documents
This section is informative and provides and example of an API
catalog document using the Linkset format.
A.1. Using Linkset with RFC8615 relations Link Relations Defined in RFC 8631
This example uses the Linkset format [RFC9264], [RFC9264] and the following link
relations defined in [RFC8631]:
* "service-desc", used
"service-desc": Used to link to a description of the API that is
primarily intended for machine consumption (for example example, the [OAS]
specification YAML
specification, YAML, or JSON file).
* "service-doc", used
"service-doc": Used to link to API documentation that is primarily
intended for human consumption (an example of human-readable
documentation is the IETF Internet-Draft submission API
instructions (https://datatracker.ietf.org/api/submission)).
* "service-meta", used <https://datatracker.ietf.org/api/submission>).
"service-meta": Used to link to additional metadata about the API, API
and is primarily intended for machine consumption.
* "status", used
"status": Used to link to the API status (e.g. (e.g., API "health"
indication etc.)
indication) for machine and/or human consumption.
Client request:
GET .well-known/api-catalog HTTP/1.1
Host: example.com
Accept: application/linkset+json
Server response:
HTTP/1.1 200 OK
Date: Mon, 01 Jun 2023 00:00:01 GMT
Server: Apache-Coyote/1.1
Content-Type: application/linkset+json;
profile="THIS-RFC-URL"
profile="https://www.rfc-editor.org/info/rfc9727"
{
"linkset": [
{
"anchor": "https://developer.example.com/apis/foo_api",
"service-desc": [
{
"href": "https://developer.example.com/apis/foo_api/spec",
"type": "application/yaml"
}
],
"status": [
{
"href": "https://developer.example.com/apis/foo_api/status",
"type": "application/json"
}
],
"service-doc": [
{
"href": "https://developer.example.com/apis/foo_api/doc",
"type": "text/html"
}
],
"service-meta": [
{
"href": "https://developer.example.com/apis/foo_api/policies",
"type": "text/xml"
}
]
},
{
"anchor": "https://developer.example.com/apis/bar_api",
"service-desc": [
{
"href": "https://developer.example.com/apis/bar_api/spec",
"type": "application/yaml"
}
],
"status": [
{
"href": "https://developer.example.com/apis/bar_api/status",
"type": "application/json"
}
],
"service-doc": [
{
"href": "https://developer.example.com/apis/bar_api/doc",
"type": "text/plain"
}
]
},
{
"anchor": "https://apis.example.net/apis/cantona_api",
"service-desc": [
{
"href": "https://apis.example.net/apis/cantona_api/spec",
"type": "text/n3"
}
],
"service-doc": [
{
"href": "https://apis.example.net/apis/cantona_api/doc",
"type": "text/html"
}
]
}
]
}
A.2. Using Linkset with bookmarks Bookmarks
This example also uses the Linkset format [RFC9264], listing [RFC9264] and lists the API
endpoints in an array of bookmarks. Each link shares the same
context anchor (the well-known URI of the API catalog) and "item"
[RFC9264] link relation (to indicate they are an item in the
catalog). The intent is that by following a bookmark link, a
machine-client machine
client can discover the purpose and usage policy for each
API, hence API; hence,
the document targeted by the bookmark link should support this.
Client request:
GET .well-known/api-catalog HTTP/1.1
Host: example.com
Accept: application/linkset+json
Server response:
HTTP/1.1 200 OK
Date: Mon, 01 Jun 2023 00:00:01 GMT
Server: Apache-Coyote/1.1
Content-Type: application/linkset+json;
profile="THIS-RFC-URL"
profile="https://www.rfc-editor.org/info/rfc9727"
{ "linkset":
[
{ "anchor": "https://www.example.com/.well-known/api-catalog",
"item": [
{"href": "https://developer.example.com/apis/foo_api"},
{"href": "https://developer.example.com/apis/bar_api"},
{"href": "https://developer.example.com/apis/cantona_api"}
]
}
]
}
A.3. Other API catalog formats Catalog Formats
A non-exhaustive list of other API catalog document formats includes:
* An APIs.json document [APIsjson].
* A RESTDesc semantic description for hypermedia APIs [RESTdesc].
* A Hypertext Application Language document [HAL].
* An extension to the Schema.org WebAPI type [WebAPIext].
A.4. Nesting API catalog links Catalog Links
In this example, a request to the /.well-known/api-catalog URI
returns an array of links of relation type 'api-catalog'. "api-catalog". This can
be useful to Publishers with a large number of APIs, APIs who wish to group
them in smaller catalogs (as described in Section 5.3).
Client request:
GET .well-known/api-catalog HTTP/1.1
Host: example.com
Accept: application/linkset+json
Server response:
HTTP/1.1 200 OK
Date: Mon, 01 Jun 2023 00:00:01 GMT
Server: Apache-Coyote/1.1
Content-Type: application/linkset+json;
profile="THIS-RFC-URL"
profile="https://www.rfc-editor.org/info/rfc9727"
{
"linkset": [
{
"anchor": "https://www.example.com/.well-known/api-catalog",
"api-catalog": [
{
"href": "https://apis.example.com/iot/api-catalog"
},
{
"href": "https://ecommerce.example.com/api-catalog"
},
{
"href": "https://developer.example.com/gaming/api-catalog"
}
]
}
]
}
Appendix B.
Acknowledgements
Thanks to Jan Algermissen, Phil Archer, Tim Bray, Ben Bucksch, Sanjay
Dalal, David Dong, Erik Kline, Mallory Knodel, Murray Kucherawy, Max
Maton, Darrel Miller, Mark Nottingham, Roberto Polli, Joey Salazar,
Rich Salz, Herbert Van De Sompel, Orie Steele, Tina Tsou, Gunter Van
Der
de Velde, Eric Éric Vyncke, and Erik Wilde for their reviews, suggestions suggestions,
and support.
Author's Address
Kevin Smith
Vodafone
Email: kevin.smith@vodafone.com
URI: https://www.vodafone.com