API Versioning

Overview

Version your APIs from day one. Never break existing clients.

Breaking changes without versioning destroy client trust. Version APIs explicitly, support multiple versions gracefully, and deprecate with ample warning.

When to Use

• Designing new API endpoints
• Adding or modifying existing endpoints
• Making changes that could break clients
• Planning API evolution strategy
• Reviewing API design decisions

The Iron Rule

NEVER make breaking changes to a released API version.

No exceptions:

• Not for "it's a bug fix"
• Not for "nobody uses that field"
• Not for "we'll notify clients"
• Not for "it's just internal"
• Not for "the old way was wrong"

Breaking changes require a new version. Always.

Detection: What's a Breaking Change?

Change	Breaking?	Safe Alternative
Removing a field	YES	Deprecate, keep returning
Renaming a field	YES	Add new, keep old
Changing field type	YES	Add new field
Changing response structure	YES	New version
Adding required parameter	YES	Make optional with default
Removing endpoint	YES	Deprecate, maintain
Changing error codes	YES	Add new codes, keep old
Adding optional field	NO	Safe to add
Adding new endpoint	NO	Safe to add
Adding optional parameter	NO	Safe to add

Versioning Strategies

1. URL Path Versioning (Recommended)

// ✅ CORRECT: Version in URL path
// /api/v1/users
// /api/v2/users

app.get('/api/v1/users', handleUsersV1);
app.get('/api/v2/users', handleUsersV2);

Pros: Explicit, cacheable, easy to route Cons: URL proliferation

2. Header Versioning

// ✅ CORRECT: Version in Accept header
// Accept: application/vnd.api+json; version=1

app.get('/api/users', (req, res) => {
  const version = parseVersion(req.headers.accept);
  if (version === 1) return handleUsersV1(req, res);
  if (version === 2) return handleUsersV2(req, res);
  return res.status(406).json({ error: 'Unsupported version' });
});

Pros: Clean URLs Cons: Hidden, harder to test, caching complexity

3. Query Parameter Versioning

// ✅ ACCEPTABLE: Version as query param
// /api/users?version=1

app.get('/api/users', (req, res) => {
  const version = parseInt(req.query.version) || LATEST_VERSION;
  // ...
});

Pros: Simple Cons: Optional parameter often forgotten

Correct Version Evolution Pattern

// Version 1: Original API
interface UserV1 {
  id: string;
  name: string;       // Full name
  email: string;
}

// Version 2: Split name into parts (BREAKING!)
interface UserV2 {
  id: string;
  firstName: string;  // New field
  lastName: string;   // New field
  email: string;
}

// ✅ CORRECT: Support both versions
class UserController {
  async getUserV1(id: string): Promise<UserV1> {
    const user = await this.userService.getUser(id);
    return {
      id: user.id,
      name: `${user.firstName} ${user.lastName}`,  // Compute for v1 clients
      email: user.email,
    };
  }

  async getUserV2(id: string): Promise<UserV2> {
    const user = await this.userService.getUser(id);
    return {
      id: user.id,
      firstName: user.firstName,
      lastName: user.lastName,
      email: user.email,
    };
  }
}

// ❌ WRONG: Silently change v1 response
// ❌ WRONG: Force all clients to update simultaneously
// ❌ WRONG: Remove v1 without deprecation period

Deprecation Protocol

Never surprise clients. Follow this:

// 1. Announce deprecation (headers + docs)
res.setHeader('Deprecation', 'true');
res.setHeader('Sunset', 'Sat, 01 Jan 2025 00:00:00 GMT');
res.setHeader('Link', '</api/v2/users>; rel="successor-version"');

// 2. Log usage to track migration
logger.info('Deprecated v1 endpoint called', { 
  endpoint: '/api/v1/users',
  clientId: req.clientId,
});

// 3. Maintain for deprecation period (minimum 6 months for external APIs)

// 4. Return 410 Gone after sunset date
if (isPastSunset('/api/v1/users')) {
  return res.status(410).json({
    error: 'This API version has been retired',
    migration: 'https://docs.api.com/migration-v1-to-v2',
    successor: '/api/v2/users',
  });
}

Pressure Resistance Protocol

1. "Just Ship It, We'll Version Later"

Pressure: "We need to launch, versioning can wait"

Response: Adding versioning to an existing API is 10x harder than starting with it. Clients already depend on the unversioned endpoints.

Action: Add /v1/ prefix now. Takes 5 minutes.

2. "It's Internal, We Control All Clients"

Pressure: "We can just update all our services"

Response: Internal APIs become external. Services can't update simultaneously. Deployments fail mid-rollout.

Action: Version internal APIs too. Your future self will thank you.

3. "It's a Bug Fix, Not a Breaking Change"

Pressure: "The old behavior was wrong"

Response: Clients may depend on the "wrong" behavior. A fix can break them.

Action: Fix in new version. Document the fix. Let clients opt-in.

4. "Nobody Uses That Field"

Pressure: "Analytics show it's unused"

Response: Analytics might be wrong. One client relying on it = breaking change.

Action: Deprecate with warning, keep returning the field, sunset after migration period.

5. "We'll Just Notify Clients"

Pressure: "We'll email everyone before the change"

Response: Emails get missed. Clients need deploy time. Surprise breaks cause outages.

Action: Deprecation headers + sunset period + new version.

Red Flags - STOP and Reconsider

If you notice ANY of these, you're about to break clients:

• Removing or renaming fields without new version
• Changing response structure "to improve it"
• "Nobody will notice this change"
• No version in API path or headers
• Only one version supported
• Deprecating without sunset date
• Changing semantics (same field, different meaning)

All of these mean: Create a new API version.

Version Lifecycle Management

┌─────────┐     ┌─────────────┐     ┌────────────┐     ┌───────┐
│  Alpha  │ ──► │  Released   │ ──► │ Deprecated │ ──► │ Sunset│
└─────────┘     └─────────────┘     └────────────┘     └───────┘
 Breaking OK     No breaking         Warn clients      410 Gone
                 Support 2-3 ver     6+ months         Remove code

Phase	Breaking Changes	Client Action
Alpha (v0.x)	Allowed with notice	Expect instability
Released (v1+)	Never	Rely on stability
Deprecated	None	Migrate to successor
Sunset	N/A	Endpoint returns 410

Common Rationalizations (All Invalid)

Excuse	Reality
"We'll add versioning later"	Later = breaking existing clients.
"It's internal only"	Internal becomes external. Version anyway.
"Small change, won't break anything"	Small changes break clients constantly.
"We'll coordinate the update"	Coordination fails. Services deploy independently.
"It's just a rename"	Renames break clients that parse responses.
"The docs explain the change"	Clients don't re-read docs. Code breaks.
"Analytics show no usage"	One client matters. Analytics miss things.

Quick Reference

Scenario	Action
New API	Start with /v1/ immediately
Adding field	Add to current version (non-breaking)
Removing field	New version + deprecate old
Renaming field	Add new name, keep old, deprecate old
Changing structure	New version
Bug that changes behavior	Fix in new version
Deprecating version	Announce + 6mo minimum + sunset date

The Bottom Line

Version from day one. Never break released versions. Deprecate gracefully.

When pressured to "just change it" or "version later": add versioning now, create new version for breaking changes, give clients time to migrate. API stability is a contract—don't break it.