BUSINESS_EMAIL_COMPROMISE JULY 17, 2024

Social Engineering and Phishing: How to Protect Your Business from Human-Targeted Attacks

12 min read 2,352 words
Social Engineering and Phishing: Protecting Your Business from the Attack That Bypasses All Technology featured image

Why Most API Documentation Fails Developers

Developers abandon API documentation every day. They land on a page, scan it for thirty seconds, and go looking for answers elsewhere. This is not because developers are impatient. It is because most API documentation is written for machines, not people.

The problem is rarely a missing endpoint or outdated URL. Most APIs cover the basics. What developers struggle with is context. They need to understand why an endpoint exists, what assumptions it makes, and what happens when something goes wrong. Without that context, even technically correct documentation becomes useless.

This guide covers how to write API documentation that developers actually use. It starts with the problems that make docs fail, moves through the components that make them work, and ends with practical steps for keeping documentation useful over time.

The Core Problem With API Documentation

Most API documentation follows a template. There is an overview, an authentication section, a list of endpoints, and some code samples. This structure looks complete. It covers the surface. But it leaves the questions that developers actually have unanswered.

When a developer integrates an API, they are not just mapping endpoints to features. They are building a mental model of how the system works. They need to understand the expected flow, the edge cases, the error handling, and the constraints. Documentation that only lists endpoints forces developers to reverse-engineer this model from examples.

The gap between listing what an API does and explaining how to use it effectively is where most documentation fails. Closing this gap requires thinking about the developer experience from the first line to the last.

What Good API Documentation Actually Contains

Good API documentation answers three questions before the developer has to ask them. What does this endpoint do and why would I use it. What do I need to send and what will I get back. What can go wrong and how do I handle it.

Each endpoint in your documentation should cover these areas clearly and concisely.

Endpoint Purpose and Context

Start each endpoint section by explaining what the endpoint does and when to use it. Avoid repeating the HTTP method and URL in the description. The developer can already see those in the header.

Describe the resource the endpoint manages. Explain the relationship to other endpoints in your API. If an endpoint has dependencies or prerequisites, mention them here. For example, a DELETE endpoint might require a resource to exist first, or a POST endpoint might create a resource that must be activated through a separate endpoint.

Give developers enough context to decide whether they need this endpoint. If there are alternatives or related endpoints, point to them. This reduces trial and error during integration.

Request Format and Parameters

Document every parameter clearly. For each parameter, include the name, data type, whether it is required or optional, a description of what it does, and any constraints or format requirements.

For path parameters, explain what happens if the value does not exist. For query parameters, describe the default behaviour if the parameter is omitted. For body parameters, show the expected structure with field names, types, and example values.

Many APIs accept date formats, currency values, or nested objects. Specify the exact format expected. If your API accepts multiple formats, document all of them and explain how they are handled.

POST /api/v2/orders
Content-Type: application/json

{
  "customer_id": "cust_8f2k9xm3",
  "items": [
    {
      "sku": "WIDGET-RED-L",
      "quantity": 2
    }
  ],
  "shipping_address": {
    "line1": "14 Maple Street",
    "city": "Manchester",
    "postcode": "M1 4BT",
    "country": "GB"
  }
}

Show real example requests rather than generic placeholders. Placeholder examples teach developers that the documentation might not be trustworthy. Real examples, even if simplified, build confidence that the documented behaviour matches actual behaviour.

Response Structure and Status Codes

Document the full response structure for each endpoint. Include all fields that can appear in a successful response, even if they are not always present. Show data types and explain what each field represents.

List every status code the endpoint can return. For each status code, describe what it means in the context of this specific endpoint. A 400 Bad Request might mean different things for different endpoints. A 404 might mean the resource does not exist, or that it has been permanently deleted versus temporarily unavailable.

For error responses, include the error format. Show an example error response with the fields that will be present. This matters because developers need to parse errors programmatically and knowing the structure ahead of time reduces integration time.

HTTP/1.1 201 Created
Content-Type: application/json

{
  "order_id": "ord_9kp3nx7w",
  "status": "pending",
  "created_at": "2025-03-12T14:32:00Z",
  "total_amount": {
    "value": 47.50,
    "currency": "GBP"
  }
}

Authentication and Security Context

Authentication documentation should explain not just how to authenticate, but when authentication is required, how tokens are obtained, how long they last, and what happens when they expire. If your API uses scopes or permissions, explain how those affect which endpoints a caller can access.

When documenting API keys, specify where to include them, whether they go in headers or query strings, and any rate limiting that applies. If different authentication methods are supported, explain the tradeoffs and which is recommended for different use cases.

Security documentation belongs in the context of how the API is used. Rather than a separate security section that developers must find separately, include security details alongside the endpoints they apply to. If a specific endpoint has additional security considerations, document them with that endpoint.

For APIs that handle sensitive data, documenting TLS requirements and any certificate validation steps helps developers set up their clients correctly from the start. You can learn more about securing API connections in this HTTPS and TLS security guide for business websites.

Code Examples That Developers Can Run

Code examples serve different purposes for different developers. Some want to understand the concept before they write any code. Others are ready to copy and run immediately. Good documentation serves both groups.

Start with the most common use case in the language developers ask for most. Show a complete, working example that demonstrates the full flow from authentication through making a request to handling the response. Keep the example focused. Do not include error handling, logging, or retry logic in the first example unless those are essential to understanding the core concept.

For each endpoint, provide at least one complete request example. Show the full request including headers. Follow it with a complete response example. If the endpoint has multiple possible responses, show the most common success case and the most common error case.

Include examples in at least two or three common languages or platforms. Developers often recognise patterns across languages even if they do not know the specific language. Seeing the same logic expressed differently can clarify what is essential versus what is syntactic.

# Python example using the requests library
import requests

response = requests.post(
    "https://api.example.com/v2/orders",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Content-Type": "application/json"
    },
    json={
        "customer_id": "cust_8f2k9xm3",
        "items": [{"sku": "WIDGET-RED-L", "quantity": 2}]
    }
)

if response.status_code == 201:
    order = response.json()
    print(f"Order created: {order['order_id']}")
else:
    print(f"Error: {response.json()['error']['message']}")

Common API Documentation Mistakes

Several patterns appear repeatedly in API documentation that fails. Recognising these helps you avoid them in your own docs.

  • No error documentation: Listing success responses but not explaining what errors can occur leaves developers guessing. Every endpoint should document its error cases with example responses.
  • Outdated examples: Documentation that does not match the current API version erodes trust. Version your documentation or clearly indicate when it was last reviewed.
  • Inconsistent terminology: Using different names for the same concept across endpoints confuses developers. Maintain a glossary or style guide to keep terminology consistent.
  • Missing authentication context: Assuming developers know your auth flow without explaining it leads to avoidable support questions. Walk through the complete auth flow with examples.
  • No pagination documentation: List endpoints that return multiple items must explain how pagination works, what the limits are, and how to fetch subsequent pages.
  • Generic error messages: "An error occurred" tells developers nothing. Error messages should identify the problem type and, where possible, suggest a fix.

Using OpenAPI to Generate Documentation

OpenAPI specification provides a standard format for describing REST APIs. Writing your API definition in OpenAPI allows tools to generate interactive documentation, client libraries, and server stubs automatically.

The specification covers endpoints, parameters, request and response schemas, authentication methods, and more. Many API platforms support OpenAPI natively, and third-party tools like Swagger UI, Redoc, and Stoplight can generate readable documentation from OpenAPI definitions.

Using OpenAPI does not replace good writing. Generated documentation still needs human review for clarity, accuracy, and helpfulness. The descriptions, examples, and context that make documentation useful cannot be auto-generated. OpenAPI handles structure and consistency. Human writers handle the content that makes it understandable.

openapi: 3.0.0
info:
  title: Business Orders API
  version: 2.0.0
  description: Manage customer orders and inventory

servers:
  - url: https://api.example.com/v2
    description: Production server

paths:
  /orders:
    post:
      summary: Create a new order
      operationId: createOrder
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/OrderRequest'
      responses:
        '201':
          description: Order created successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OrderResponse'

Maintaining Documentation Over Time

Documentation that ships with an API and is never updated becomes a liability. Developers who rely on outdated documentation make mistakes that could have been prevented with accurate docs.

Treat documentation as part of the API itself. When an endpoint changes, update its documentation in the same pull request. When a breaking change is introduced, document the migration path clearly. When a new feature launches, include complete documentation before or at launch, not after.

Track which documentation pages generate the most support questions. This usually indicates areas where the documentation is unclear or incomplete. Review feedback from developers who integrate your API. Their confusion points are exactly where documentation needs improvement.

Schedule regular documentation reviews. Even small improvements in clarity reduce support load and speed up integrations. A documentation review takes less time than answering repeated questions about the same topic.

When to Improve Your API Documentation

If developers are regularly asking the same questions, your documentation likely has gaps. If integration time is longer than expected, documentation may be missing the context developers need to move quickly. If your API has changed but documentation has not, that is a clear signal that updates are overdue.

Improving documentation is a practical investment. Clear documentation reduces support load, speeds up adoption, and reduces errors in production. It also makes onboarding new developers easier when they join a project that uses your API.

You do not need to rewrite everything at once. Start with the most used endpoints. Add the examples that are missing. Clarify the areas that generate the most questions. Incremental improvements accumulate into documentation that developers trust and actually use.

If you need help reviewing your current documentation or setting up a documentation workflow for an API project, prepare a short note with your API structure, current documentation format, and the areas where developers struggle most before getting in touch.

Related practical reading

These related guides can help you connect this topic with the wider website, server, security, and support decisions around it.

Frequently Asked Questions

How long should API documentation be?
Documentation length depends on API complexity, not a target word count. Focus on covering every endpoint completely with purpose, parameters, responses, errors, and examples. Omit padding. If an endpoint is simple, a short description with a clear example is appropriate. If an endpoint has complex behaviour, document it thoroughly. The goal is completeness and clarity, not length.
Should API documentation include tutorials or just reference material?
Both serve different needs. Reference documentation covers what each endpoint does and how to use it. Tutorials guide developers through common workflows from start to finish. Reference material answers specific questions. Tutorials build understanding. Most APIs benefit from having both. Start with good reference documentation and add tutorials for the most common integration flows once the reference material is solid.
How often should API documentation be updated?
Documentation should update whenever the API changes. Any endpoint modification, new feature, deprecation, or breaking change should include documentation updates in the same change request. Beyond reactive updates, schedule periodic reviews to check accuracy, improve clarity, and address areas where developers have shown confusion. Quarterly reviews work well for stable APIs. More frequent reviews may be needed for APIs that change rapidly.
Is OpenAPI documentation enough on its own?
OpenAPI defines what your API does in a machine-readable format. It enables consistent documentation, client generation, and testing tools. It does not explain why your API works a certain way, what assumptions it makes, or how to handle edge cases that arise in production. OpenAPI covers structure. Human-written documentation covers context. Use both together. Let OpenAPI handle consistency and auto-generation where possible, and use human writing to add the context that makes documentation genuinely useful.
What programming languages should code examples cover?
Include examples in the languages your users are most likely to use. For most public APIs, Python, JavaScript, and curl examples cover the majority of developers. If your API targets mobile developers, include Swift or Kotlin examples. If you serve enterprise customers, Java examples may be relevant. You do not need examples in every possible language. Choose two or three that represent the majority of your developer base and keep those examples accurate and working. Outdated examples in many languages are worse than accurate examples in a few.
How do I know if my API documentation is working?
Measure support tickets related to documentation. Track how long new developers take to complete their first integration. Monitor how many developers successfully complete common workflows without requesting help. Survey developers who have integrated with your API about what was clear and what was confusing. These signals reveal whether documentation is actually helping or whether it needs more work. If developers regularly ask questions that documentation should answer, that is a clear sign the documentation needs improvement in those areas.
business email compromise CEO fraud phishing security awareness training social engineering spear phishing vishing

Related Articles

Google Earth flight simulator

What Google's Earth Flight Simulator Means for Small Business SEO

Jul 7, 2026 Backup Strategy

Website Backup Strategy for WordPress and Custom PHP Sites

Jun 15, 2026 ai tools

How Google Keep with Gemini Can Support Your Small Business SEO

Jun 15, 2026
Cookie choices

Your privacy choices matter.

We use an essential cookie to remember your preferences. Optional analytics and diagnostics help us understand visits, identify issues, and improve the site, but they stay off unless you allow them.

Read the privacy notice