Glossary of REST and HTTP terms

Plain-English definitions for the HTTP and REST terms that come up when working with web APIs. The ones you will hit reading docs, building clients, and debugging integrations.

API

Application Programming Interface. The contract a piece of software exposes so other software can talk to it. On the web, an API almost always means an HTTP API: a set of URLs that return data when you call them. Go REST is a public HTTP API serving fake data over JSON.

Authentication

Proving you are who you claim to be. On HTTP APIs this usually means presenting a credential the server can verify, most often a bearer token in the Authorization header and sometimes a cookie. Distinct from authorization, which is what you are allowed to do once authenticated.

Authorization

Deciding what an authenticated caller is allowed to do. The HTTP Authorization header is misleadingly named: it actually carries authentication credentials, not authorization rules. Authorization itself is enforced server-side by checking who you are against access rules.

Bearer token

An opaque credential a client sends in the Authorization header to identify itself. The format is Authorization: Bearer <token>. Whoever bears (presents) the token is treated as the owner; there is no signature or password to verify. Simple, common, and the standard for modern APIs including Go REST.

Body

The payload of an HTTP request or response, separate from the headers. On a request, the body holds the data you are sending (typically JSON for POST/PATCH/PUT). On a response, the body holds what the server is sending back. The Content-Type header describes how to parse the body.

Content-Type

An HTTP header that declares the format of the body. Common values include application/json, application/xml, text/html, application/x-www-form-urlencoded. Send Content-Type on requests with a body so the server knows how to parse them.

CORS

Cross-Origin Resource Sharing. The browser's safety mechanism for letting JavaScript on one origin (https://app.example.com) call an API on another origin (https://api.example.com). The API has to opt in by returning Access-Control-Allow-Origin headers; without that, the browser blocks the response.

cURL

A command-line tool and library for making HTTP requests. The default debugging tool of every backend developer. curl -H 'Authorization: Bearer ...' https://example.com/api hits the API and prints the response. See the cURL guide in the docs for recipes.

DELETE

An HTTP method that requests deletion of a resource. Typically returns 204 No Content on success. DELETE is idempotent: deleting the same resource twice has the same effect as deleting it once (the second call returns 404).

Endpoint

A specific URL on an API that performs a specific operation. /public/v2/users is an endpoint; so is /public/v2/users/:id. Sometimes used loosely to mean 'the API as a whole', but strictly each verb+path combination is an endpoint.

ETag

A response header containing a hash or version of the resource. Clients send the ETag back via If-None-Match on the next request; if the resource has not changed, the server responds 304 Not Modified with no body, saving bandwidth. Used for caching.

GET

An HTTP method that requests a resource. Should be safe (no side effects) and idempotent (calling it twice returns the same result). The most common method on a REST API. GET requests should not have a body.

Header

A name-value pair attached to an HTTP request or response. Common request headers: Authorization, Accept, Content-Type, User-Agent. Common response headers: Content-Type, Cache-Control, Set-Cookie. Header names are case-insensitive; values are not.

HTTP

Hypertext Transfer Protocol. The application-layer protocol the web speaks. Defines requests (method + URL + headers + body) and responses (status code + headers + body). Versions in use: HTTP/1.1, HTTP/2, and HTTP/3, which differ in wire format but are conceptually compatible.

HTTPS

HTTP encrypted with TLS. Same protocol semantics as HTTP, but the connection is private and authenticated. Modern browsers warn or refuse plain HTTP. Public APIs should always be HTTPS-only, and Go REST is.

Idempotency

A property where calling an operation multiple times has the same effect as calling it once. GET, PUT, DELETE, and HEAD are idempotent in REST. POST is not (each call typically creates a new row). Important for safe retries: idempotent calls are safe to retry on transient failures.

JSON

JavaScript Object Notation. A text format for structured data: objects, arrays, strings, numbers, booleans, nulls. The default body format for modern web APIs. Strict syntax: keys are double-quoted strings, no trailing commas, no comments.

JWT

JSON Web Token. A self-contained token that encodes claims (user id, expiry, etc.) plus a signature, all base64-encoded into one string. Lets servers validate the token without a database lookup. The opposite of an opaque token, such as the ones Go REST uses, where validation requires a server-side lookup.

Method

The verb on an HTTP request: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS. Each method has implicit semantics: GET reads, POST creates, PATCH partially updates, DELETE deletes. REST APIs use methods to express intent rather than putting verbs in the URL.

Opaque token

A token that is just a string of bytes the client cannot interpret. The server looks it up in a database to identify the caller. The opposite of a JWT, which encodes claims you can decode. Go REST uses opaque tokens because they can be revoked instantly.
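
The trade-off between the JWT and Opaque token entries, as an added example that is not Go REST's own code: a JWT verifies from the signing key alone, while an opaque token needs a lookup but stops working the moment it is revoked. The HS256 scheme, the in-memory `TOKEN_DB`, storing a hash of the token, and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SIGNING_KEY = secrets.token_bytes(32)  # constructed demo key for HS256 signatures
TOKEN_DB = {}  # stands in for the server-side table: sha256(token) -> user id

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(header, claims):
    return hmac.new(SIGNING_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()

def issue_jwt(user_id, ttl=300):
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"sub": user_id, "exp": int(time.time()) + ttl}).encode())
    return f"{header}.{claims}.{b64url(sign(header, claims))}"

def verify_jwt(token):
    """Return the user id or None, using only the key: no database lookup."""
    try:
        header, claims, sig = token.split(".")
        if json.loads(unb64url(header)).get("alg") != "HS256":
            return None  # pin the algorithm instead of trusting the header
        if not hmac.compare_digest(sign(header, claims), unb64url(sig)):
            return None  # claims were altered or signed with another key
        payload = json.loads(unb64url(claims))
        return payload["sub"] if payload["exp"] > time.time() else None
    except (ValueError, TypeError, KeyError, AttributeError):
        return None  # malformed token

def digest(token):
    return hashlib.sha256(token.encode()).hexdigest()  # store a hash, not the token

def issue_opaque(user_id):
    token = secrets.token_urlsafe(32)  # random bytes, no meaning to the client
    TOKEN_DB[digest(token)] = user_id
    return token

def verify_opaque(token):
    return TOKEN_DB.get(digest(token))  # the lookup that a JWT avoids
def revoke_opaque(token):
    TOKEN_DB.pop(digest(token), None)  # takes effect on the very next request

def demo():
    jwt, opaque = issue_jwt(4521), issue_opaque(4521)
    before = (verify_jwt(jwt), verify_opaque(opaque))
    revoke_opaque(opaque)  # the JWT has no equivalent short of a denylist or key rotation
    return before, (verify_jwt(jwt), verify_opaque(opaque))
```

After `revoke_opaque`, the opaque token is rejected while the JWT keeps verifying until its `exp` passes.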

Pagination

Splitting a large result set into pages. Common styles: page+limit (?page=2&limit=20), cursor (?cursor=abc), and Link-header. Go REST uses page+limit on list endpoints and exposes total/pages/page/limit in the X-Pagination-* response headers.

PATCH

An HTTP method that requests a partial update of a resource. Send only the fields you want to change. Returns 200 with the updated resource. Compare with PUT, which replaces the whole resource.

Path parameter

A variable segment in a URL, typically the id of the resource being addressed. In /users/4521, the 4521 is the path parameter. Path parameters identify resources; query parameters filter or modify the request.

POST

An HTTP method that sends data to the server, typically to create a new resource. Returns 201 Created with the new resource on success and a Location header pointing at it. Not idempotent: each call creates a new row.

PUT

An HTTP method that replaces a resource entirely. Send the full new state; missing fields are reset, not preserved. Idempotent: calling PUT twice with the same body has the same effect as calling it once. Compare with PATCH for partial updates.

Query string

The part of a URL after the ? character, holding name=value pairs. /users?status=active&page=2 has the query string status=active&page=2. Used to filter, sort, paginate, or otherwise modify a request without changing the resource being addressed.

Rate limiting

Capping how many requests a client can make in a window of time. Protects the server from overload and the caller from runaway scripts. Go REST applies a per-token budget (default 90 requests per minute, configurable from 1 to 300 per token) and reports state in X-RateLimit-Limit / X-RateLimit-Remaining / X-RateLimit-Reset headers.
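
How the Idempotency and Rate limiting entries combine in a client, as an added example that is not Go REST's own code: retry transient failures only for idempotent methods, and wait out a 429 using the rate-limit headers. The `send` hook, the fake transport, the set of transient statuses, reading X-RateLimit-Reset as seconds remaining, and retrying a 429 for any method (on the assumption that the limiter rejected the request before handling it) are all assumptions.

```python
import time

IDEMPOTENT = {"GET", "HEAD", "PUT", "DELETE"}  # the methods the Idempotency entry lists
TRANSIENT = {429, 500, 503}  # assumption: which statuses count as transient

def call_with_retry(send, method, url, max_attempts=4, sleep=time.sleep):
    """send(method, url) -> (status, headers, body); a hypothetical transport hook.

    Returns (status, body, attempts_made).
    """
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send(method, url)
        names = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        if status not in TRANSIENT:
            break
        if status != 429 and method.upper() not in IDEMPOTENT:
            break  # a failed POST may still have created a row; replaying could duplicate it
        if attempt == max_attempts:
            break
        if status == 429:
            # Assumption: X-RateLimit-Reset holds the seconds left in the current window.
            wait = max(float(names.get("x-ratelimit-reset", 1)), 0.0)
        else:
            wait = float(min(2 ** attempt, 30))  # capped exponential backoff
        sleep(wait)
    return status, body, attempt

def scripted(responses):
    """Constructed fake transport that replays canned responses in order."""
    queue = list(responses)
    return lambda method, url: queue.pop(0)

def demo():
    waits = []
    limited = scripted([(429, {"X-RateLimit-Remaining": "0", "X-RateLimit-Reset": "2"}, ""),
                        (200, {"X-RateLimit-Remaining": "89"}, "[]")])
    get = call_with_retry(limited, "GET", "/public/v2/users", sleep=waits.append)
    flaky = scripted([(503, {}, ""), (201, {}, "{}")])
    post = call_with_retry(flaky, "POST", "/public/v2/users", sleep=waits.append)
    return get, post, waits
```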

Request

What a client sends to a server: a method, a URL, headers, and (optionally) a body. The four together fully describe what is being asked of the server.

REST

Representational State Transfer. An architectural style for HTTP APIs where each URL identifies a resource (a noun) and HTTP methods (verbs) act on it. Guiding properties: stateless, cacheable, uniform interface, client-server. Most modern web APIs are 'RESTish' rather than strictly REST.

Resource

A noun in a REST API: a thing the API manages, such as a user, a post, a comment, or a todo. Each resource has a canonical URL (its identifier) and is acted on with the standard HTTP methods.

Response

What a server sends back to a client: a status code, headers, and (optionally) a body. The status code is the most important part; clients should branch on it before looking at the body.

Status code

A three-digit number on every HTTP response indicating the outcome. 2xx = success, 3xx = redirect, 4xx = client error, 5xx = server error. Most common: 200, 201, 204, 301, 304, 400, 401, 403, 404, 422, 429, 500, 503. See the dedicated guide for the full list.

URI / URL

A URL is a URI; the terms are used interchangeably in casual writing. Strictly, URI is the abstract identifier and URL is the addressable location. Both refer to strings like https://gorest.co.in/public/v2/users in modern API discussions.

User-Agent

A request header identifying the client software making the call. Browsers send something like Mozilla/5.0 ...; HTTP libraries send their own (curl/8.4.0, Mozilla/Node, requests/2.31.0). Custom clients should send a meaningful User-Agent so server logs can attribute traffic.

Webhook

An HTTP endpoint your server exposes that another service calls when an event happens. The reverse of a normal API call: instead of you polling for changes, the upstream pushes them to you. Used for event notifications (Stripe payments, GitHub pushes, etc.).

XML

Extensible Markup Language. An older alternative to JSON, more verbose but with formal schemas. Go REST returns XML if you set Accept: application/xml or append .xml to a URL. JSON is the default and almost always the right choice for new code.

Looking for usage examples in your language? See the docs. Want to see these terms in action? Open the REST Console and watch the headers update on every request.