HTTP API Design

PayPal's "HTTP API Design" interview question focuses on designing a RESTful HTTP API for a specific backend scenario, often involving resource management like user accounts, transactions, or payments, with emphasis on best practices in API design.

Problem Statement

Candidates are typically asked to design an API for a payments or transfers system (e.g., "Design the HTTP API for a peer-to-peer money transfer service"). Key requirements include handling CRUD operations for resources like /users, /accounts, and /transfers, supporting idempotency, pagination, versioning, authentication (e.g., OAuth/JWT), rate limiting, and error handling. The design must follow REST principles: use appropriate HTTP methods (GET, POST, PUT, DELETE, PATCH), status codes (200, 201, 400, 401, 429, 5xx), HATEOAS links, and JSON payloads.[3]

Core Endpoints

• POST /v1/transfers: Initiate a transfer between accounts.
• GET /v1/transfers/{transferId}: Retrieve transfer details.
• GET /v1/accounts/{accountId}/transfers: List paginated transfers for an account.
• PATCH /v1/transfers/{transferId}/cancel: Cancel a pending transfer.

Input/Output Examples

Example 1: Create Transfer (POST /v1/transfers)

Input (JSON body): { "fromAccountId": "acc_123", "toAccountId": "acc_456", "amount": 100.50, "currency": "USD", "idempotencyKey": "uuid-1234" }

Output (201 Created): { "transferId": "trans_789", "status": "pending", "fromAccountId": "acc_123", "toAccountId": "acc_456", "amount": 100.50, "currency": "USD", "createdAt": "2026-02-02T04:41:00Z", "_links": { "self": {"href": "/v1/transfers/trans_789"}, "cancel": {"href": "/v1/transfers/trans_789/cancel"} } }

Example 2: Retrieve Transfer (GET /v1/transfers/{transferId})

Output (200 OK): { "transferId": "trans_789", "status": "completed", "fromAccountId": "acc_123", "toAccountId": "acc_456", "amount": 100.50, "currency": "USD", "completedAt": "2026-02-02T04:42:00Z" }

Example 3: List Transfers (GET /v1/accounts/{accountId}/transfers?limit=10&status=completed)

Output: { "transfers": [...], "nextPageToken": "token123", "totalCount": 50 }

Constraints

• Throughput: Handle 10,000 requests/second with <200ms p99 latency.[3]
• Data: Account balances up to $1M; transfers $0.01–$10,000; 25+ currencies.
• Idempotency: Replay-safe using unique keys (TTL 24h, Redis-backed).
• Security: TLS 1.3, JWT auth, input validation (no SQL injection), audit logs.
• Scalability: Stateless services, horizontal scaling, regional sharding for data locality.
• Edge cases: Negative balances forbidden, concurrent transfers (optimistic locking), partial failures (sagas/orchestration).[3]