An SDK — a software development kit providing a client library for an API — is the interface through which most developers interact with a third-party API in production. The quality of the SDK determines the quality of the integration experience more than the quality of the underlying API, because most developers never interact with the API directly. They interact with the SDK that wraps it.

The gap between a good API and a good SDK is wide and frequently underestimated. A well-designed API with a poorly designed SDK produces frustrated developers who waste time on integration mechanics instead of building their application. A mediocre API with a well-designed SDK produces developers who build successfully and attribute the quality of their experience to the API provider rather than the SDK.

Unit tests verify that individual functions behave correctly in isolation. They run fast, catch regressions close to where they are introduced, and document expected behavior at the code level. They do not verify that the API endpoints exposed to consumers behave according to the documented contract, that changes in one service do not break the consumers that depend on it, or that the system behaves correctly under the conditions that production traffic creates.

The N+1 query problem is the GraphQL performance issue that every team encounters and few solve completely before it causes a production incident. Its mechanics are straightforward. Its solutions are well-documented. Its persistence in production systems reflects the gap between understanding a problem and implementing a solution that holds under all the query patterns a flexible API allows.

A GraphQL query that requests a list of posts and the author of each post produces, in a naive resolver implementation, one database query to fetch the posts and one database query per post to fetch each author. A query requesting 100 posts with their authors produces 101 database queries. A query requesting 1,000 posts produces 1,001. The number of database queries grows linearly with the number of items in the list — hence N+1, where N is the list length and 1 is the initial list query.

The OWASP API Security Top 10 is updated periodically based on analysis of real API vulnerabilities in production systems. The list is not theoretical. The vulnerabilities it documents are the ones that security researchers find in bug bounty programs, that appear in breach disclosures, and that affect applications built by teams that considered security during development. Their persistence on the list across multiple editions reflects the difficulty of eliminating them in complex systems, not a lack of awareness that they exist.

Offset pagination — the pattern where a consumer requests a page by specifying how many records to skip — is the default choice for most APIs because it maps naturally to SQL’s LIMIT and OFFSET clauses and allows consumers to request any page directly by number. It is also the pagination strategy that fails most visibly at scale and produces the most confusing behavior when underlying data changes between page requests.

The HTTP status code specification is 30 years old, fully documented, and widely misimplemented. The misimplementation is not ignorance — most API developers know that 200 means success and 404 means not found. It is the edge cases where the correct status code requires a moment of thought that the wrong choice gets made, and the wrong choice gets propagated to every consumer who must now handle an error that does not mean what the specification says it means.

Third-party API integrations are the debts that engineering organizations incur with optimism and repay with regret. The integration that takes two days to build and saves six months of custom development looks like an unambiguous win until the third-party API changes its pricing, introduces a breaking change, degrades in availability, or is discontinued entirely. The costs of the dependency were deferred, not eliminated. They appear later, at a time not of the integrating team’s choosing, with a magnitude that was not budgeted.

The API gateway decision — whether to build custom routing and middleware infrastructure or to adopt a commercial or open-source gateway product — is one of the more consequential infrastructure choices an API team makes, and it is frequently made at the wrong time with the wrong information.

The wrong time is too early: a team of three engineers building an API with one consumer has different infrastructure requirements than a team of thirty engineers building an API platform with hundreds of consumers. The wrong information is a product comparison done without a realistic understanding of the operational overhead that gateway products introduce regardless of their feature set.

The API specification format wars ended without a formal declaration of victory. RAML, API Blueprint, WSDL, and a half-dozen proprietary formats all had moments of advocacy and adoption. OpenAPI — originally released as Swagger by Wordnik, donated to the Linux Foundation, and renamed — outlasted them through a combination of tooling ecosystem depth, industry adoption breadth, and the practical network effects that come from being the format that most developers encounter first.

The polling versus webhooks decision is frequently made on the basis of what the API provider finds easiest to implement rather than what serves consumers best. Polling is easier to provide — it requires no additional infrastructure beyond the existing API endpoints. Webhooks require the provider to maintain delivery infrastructure, handle failures, implement retry logic, and manage consumer endpoint registration. The provider’s preference for polling is understandable. For the consumers who pay the operational cost of polling, it is not a neutral choice.