# API Design Quiz

## Question 1

In REST, which HTTP method should be used to create a new resource?

A) GET
B) PUT
C) POST
D) PATCH

<!-- ANSWER: C -->
<!-- EXPLANATION: POST is used to create a new resource. The client sends the representation in the body; the server assigns the ID and returns 201 Created. PUT typically replaces a resource at a known URL. -->

## Question 2

When is GraphQL typically preferred over REST?

A) When you need simple CRUD operations
B) When clients have varying data needs and want to avoid over-fetching
C) When HTTP caching is the top priority
D) When you have no frontend team

<!-- ANSWER: B -->
<!-- EXPLANATION: GraphQL lets clients request exactly the fields they need. Mobile apps and varied clients benefit from avoiding over-fetching and under-fetching. REST is often simpler for straightforward CRUD. -->

## Question 3

Contract-first API design means:

A) Writing the API specification before implementing the backend
B) Signing a legal contract before building
C) Designing for backward compatibility only
D) Using REST exclusively

<!-- ANSWER: A -->
<!-- EXPLANATION: Contract-first means defining the API (e.g., OpenAPI spec or GraphQL schema) before writing server code. This enables client generation, mocks, and parallel work. -->

## Question 4

For paginating a feed of posts that changes frequently, which strategy is best?

A) Offset-based (?page=5)
B) Cursor-based (?cursor=abc123)
C) No pagination
D) Random access by ID

<!-- ANSWER: B -->
<!-- EXPLANATION: Cursor-based pagination is stable when data is inserted or deleted. Offset-based can produce duplicates or skipped items. For feeds and infinite scroll, cursor is preferred. -->

## Question 5

What does a 429 status code mean?

A) Server error
B) Not found
C) Too many requests (rate limited)
D) Unauthorized

<!-- ANSWER: C -->
<!-- EXPLANATION: 429 Too Many Requests indicates the client has exceeded the rate limit. The response should include Retry-After to indicate when to retry. -->

## Question 6

Which authentication method is best for delegated user access (e.g., "this app can read my data")?

A) API key in the query string
B) OAuth 2.0
C) Basic auth
D) No authentication

<!-- ANSWER: B -->
<!-- EXPLANATION: OAuth 2.0 is designed for delegated access: the user authorizes an app to act on their behalf. API keys are better for server-to-server. Basic auth sends credentials with every request and is less suitable for third-party apps. -->

## Question 7

<!-- VISUAL: matching -->

Match each HTTP method to its typical REST operation:

A) GET → 1) Create a new resource
B) POST → 2) Replace a resource at a known URL
C) PUT → 3) Retrieve a resource
D) DELETE → 4) Remove a resource

<!-- ANSWER: A3,B1,C2,D4 -->
<!-- EXPLANATION: GET retrieves (3). POST creates (1). PUT replaces at a known URL (2). DELETE removes (4). -->

## Question 8

<!-- VISUAL: fill-blank -->

Complete the RESTful endpoint URL pattern for a nested resource (orders belonging to a user):

```
/users/___0___/orders
```

<!-- ANSWER: :id -->
<!-- EXPLANATION: REST uses path segments for resource IDs. Common patterns are :id, {id}, or :userId. The placeholder represents the user identifier in the URL. -->