api

Graphene brings GraphQL to Django. I define types mapping to models and create resolvers for queries and mutations. Clients request exactly the data they need, reducing over-fetching. I use DjangoObjectType for automatic schema generation from models.

Clients love predictable pagination. Provide Link headers and totals when feasible. This snippet shows a small helper that generates RFC5988-ish link headers for JSON endpoints.

Offset pagination falls apart as soon as rows are inserted or deleted between page fetches—users see duplicates or missing items. Cursor pagination fixes that with stable ordering and ‘seek’ queries. I use a compound cursor that includes both the prim

I create custom permission classes to encapsulate authorization logic outside of views. This IsOwnerOrReadOnly pattern is useful for resources where anyone can read but only the owner can modify. By implementing has_object_permission, I can make granu

Cross-Origin Resource Sharing (CORS) enables frontend apps on different domains to access your API. I use django-cors-headers for production-ready CORS handling. I configure CORS_ALLOWED_ORIGINS for specific domains in production and use CORS_ALLOW_AL

For list endpoints, the frontend needs predictable pagination metadata, not just an array. I return items plus pageInfo (endCursor, hasNextPage) so building infinite scroll is straightforward and the API stays extensible if you later add totals (which

API docs shouldn’t be a wiki page that drifts from reality. I generate an OpenAPI spec from code-adjacent definitions so changes get reviewed alongside implementation. The frontend benefits too: typed clients, mock servers, and even contract tests bec

Even without extra gems, you can validate incoming JSON payloads with small “contracts” that coerce and validate keys. It’s a strong reliability upgrade for webhook and API ingestion.

API versioning via middleware provides clean URL routing. I extract version from Accept header or URL prefix and set it on the request object. Views can check request.api_version to return appropriate responses. For breaking changes, I maintain separa

CORS configs have a habit of getting more permissive over time until you’re basically allowing any origin. I keep an explicit allowlist and handle credentials carefully. If you allow cookies, you can’t use * as the origin. I also keep preflight respon

Inconsistent error responses cause death-by-a-thousand-cuts on the frontend. If one endpoint returns a string, another returns nested objects, and a third throws HTML, you end up with messy UI conditionals everywhere. I use a small set of stable error

APIs are easier to operate when errors are structured and consistent. Wrap errors into a problem-details style response with a stable type and request_id so support can quickly trace issues.