BREACH_RECOVERY APRIL 24, 2023

Incident Response for PHP Web Applications: The First 24 Hours After a Breach

12 min read 2,269 words
Incident Response for PHP Web Applications: The First 24 Hours After a Breach featured image

SDK Design for Internal APIs: Making the API Easy to Consume Correctly

An SDK wraps the API and provides a typed interface for the programming language used by the consuming application. A well-designed SDK makes the correct API usage the easy usage. A badly designed SDK requires the developer to read the API documentation for every call.

When building internal tools, business applications, or microservices that other parts of the organisation will consume, the quality of the SDK determines whether developers adopt it quickly or spend weeks fighting against it. This guide covers practical principles for designing SDKs that developers actually want to use.

Why SDK Design Matters for Internal APIs

Internal APIs serve different consumers than public APIs. Your team is building these interfaces for colleagues who need to integrate your service into their own applications, dashboards, or automation workflows. The consumers are developers, but they may not have deep knowledge of your specific system.

A good SDK reduces the cognitive load on consuming developers. Instead of understanding HTTP verbs, status codes, authentication headers, and request formatting, developers interact with clear, typed methods that match their application logic. The SDK handles the complexity behind a clean interface.

Poor SDK design creates friction that compounds over time. Consuming developers write workarounds, copy-paste code examples without understanding them, or build their own abstraction layers on top of your API. This defeats the purpose of providing an SDK in the first place.

For internal development teams, this friction translates directly into slower delivery, harder maintenance, and more support requests going back to your service team. Investing time in SDK design pays dividends across every team that integrates with your API.

Core Principles of Good SDK Design

Make the Correct Usage the Default Usage

The most important principle in SDK design is that the path of least resistance should be the correct path. If developers can accidentally use the SDK incorrectly, they eventually will. Design interfaces where mistakes are either impossible or immediately obvious.

Type systems are your ally here. Using a language like TypeScript, PHP with PHPDoc types, or Python with type hints means that incorrect usage often surfaces as a compile-time or static-analysis error rather than a runtime crash. Strongly-typed method signatures document expected inputs and return values alongside their constraints.

Abstract Away Implementation Details

Consuming developers should not need to understand how your API works internally. They should not construct HTTP requests manually, parse response bodies, or handle authentication tokens. The SDK handles all of this.

Consider what a developer needs to accomplish, not what your API endpoints are. An endpoint called POST /users/{id}/deactivate might be exposed as a deactivateUser(userId) method in the SDK. The developer thinks in terms of their domain, not your routing structure.

Provide Sensible Defaults

Every configuration option you expose is a choice the consuming developer must make. If the correct default choice is obvious, make it the actual default and let developers override it only when needed. This reduces the surface area developers must understand before they can be productive.

Sensible defaults also reduce errors. A timeout of 30 seconds is reasonable for most operations. Retrying failed requests with exponential backoff handles transient network issues without requiring developers to implement their own retry logic. Connection pooling works better when the SDK manages it than when each consumer implements their own solution.

Structuring the SDK

Client Classes and Resource Objects

The SDK typically centres on a client class that holds the connection configuration, authentication, and shared settings. This client then provides access to resource objects that group related operations.

In a TypeScript SDK, this might look like:

const client = new BillingClient({
  apiKey: process.env.BILLING_API_KEY,
  baseUrl: 'https://api.example.internal/v2'
});

const invoices = await client.invoices.list({ status: 'pending' });
const invoice = await client.invoices.get(invoiceId);

Resource objects group operations logically. Instead of a flat list of methods on the client, client.invoices.list(), client.invoices.create(), and client.invoices.get() are clearly related to the invoice concept.

Request and Response Objects

Complex request parameters are easier to manage when grouped into named objects. Instead of passing five positional arguments to a method, consuming developers pass a single object with named keys.

// Instead of this
const result = client.users.create(
  'name',
  'email@example.com',
  true,
  ['admin'],
  'description'
);

// Do this
const result = client.users.create({
  name: 'name',
  email: 'email@example.com',
  isAdmin: true,
  roles: ['admin'],
  description: 'description'
});

The second approach is self-documenting. A developer reading this code immediately understands what each value means. IDE autocompletion surfaces the available keys. Adding new optional parameters later does not break existing calls.

Typed Responses and Error Handling

Return types should clearly communicate what the method returns. If a method returns a single user object, the return type should be User, not a generic object or any. If a method returns a list, wrap it in a pagination object that includes metadata like total count, next page cursor, or has-more flag.

Error handling deserves careful attention. Network errors, validation errors, authentication failures, and server errors should all be distinct types that consuming code can handle appropriately. Avoid swallowing errors silently. Let developers decide how to handle failures in their specific context.

try {
  const user = await client.users.get(userId);
} catch (error) {
  if (error instanceof NotFoundError) {
    // Handle missing user
  } else if (error instanceof AuthenticationError) {
    // Handle auth failure
  } else {
    throw error; // Re-throw unexpected errors
  }
}

Authentication and Configuration

Handling Authentication Securely

Internal SDKs often use API keys, OAuth tokens, or service accounts. The SDK should handle token refresh, storage, and transmission securely without exposing credentials to consuming code.

API keys should be provided at client initialisation, not hardcoded in the application. The SDK should support environment variable configuration, which keeps credentials out of source control and makes deployment to different environments straightforward.

const client = new ReportingClient({
  apiKey: process.env.REPORTING_API_KEY
});

Never log API keys or include them in error messages. If something goes wrong and you need to debug, a redacted reference is sufficient.

Configuration Options

Beyond authentication, SDK clients typically accept configuration for timeouts, retry behaviour, base URLs, and logging. Keep the configuration surface minimal. Most developers need only a few options.

  • baseUrl: Allows pointing at different environments like staging or local development.
  • timeout: Controls how long requests wait before failing. Useful for long-running operations.
  • retries: Configures automatic retry behaviour for transient failures.
  • logger: Enables visibility into SDK operations for debugging.

Documentation That Developers Actually Use

An SDK without documentation is only half useful. Good documentation explains concepts, shows common patterns, and provides copy-paste examples for typical use cases.

For internal SDKs, documentation should cover how to set up the SDK, how to handle authentication, and walkthroughs for the most common operations. Code examples in the documentation should be complete, runnable, and tested. Stale examples are worse than no examples because they teach developers the wrong thing.

Good documentation also explains error handling. Developers need to know what can go wrong, how to detect it, and what recovery options they have. For guidance on writing documentation that people actually read, see the guide on IT documentation that gets read.

Versioning and Breaking Changes

Internal APIs evolve. New fields appear, methods change, and sometimes you need to remove functionality. SDK versioning gives consuming developers a stable interface even as the underlying API changes.

Semantic versioning communicates the impact of updates clearly. A patch version bump means bug fixes only. A minor version bump means new functionality without breaking existing usage. A major version bump signals breaking changes that consuming code must adapt to.

When introducing breaking changes, provide a migration path. Document what changed, why it changed, and how to update existing code. Give consuming teams reasonable time to migrate before you remove the old version. Rushing breaking changes creates friction and resentment.

Testing the SDK

SDKs deserve their own test suite. Unit tests verify that methods produce correct requests, parse responses correctly, and handle errors appropriately. Integration tests verify that the SDK works against a real API instance.

Mocking the HTTP layer lets you test request construction and response parsing without network calls. This makes tests fast and reliable. When the underlying API changes, update your mocks and tests to match.

it('creates a user with the correct payload', async () => {
  const mock = mockApi.intercept('POST', '/users').reply(201, {
    id: 'user-123',
    name: 'Test User'
  });

  const user = await client.users.create({
    name: 'Test User',
    email: 'test@example.com'
  });

  expect(mock.request.body).toMatchObject({
    name: 'Test User',
    email: 'test@example.com'
  });
  expect(user.id).toBe('user-123');
});

Common SDK Design Mistakes

Leaking HTTP Implementation Details

If developers need to understand HTTP status codes, request headers, or response body structure to use your SDK, the abstraction is not working. They should not need to know that creating a user requires a POST request to /users or that successful creation returns 201 Created.

Exposing Too Many Options

Every configuration option adds complexity. If you expose 30 different settings, developers must understand most of them to use the SDK confidently. Identify which options are truly necessary and provide sensible defaults for everything else.

Silent Failures and Magic Behaviour

When the SDK encounters an error, it should fail visibly rather than returning partial data or guessing at the intended behaviour. Silent failures are difficult to debug and can corrupt data in ways that are hard to recover from.

Ignoring Developer Experience

SDKs are developer tools. Treat the developer experience with the same care you would give a user-facing product. Fast feedback loops, clear error messages, and sensible defaults make the difference between a SDK that developers enjoy using and one they avoid.

Working with API Design Principles

Good SDK design starts with good API design. If the underlying API is confusing, the SDK will struggle to provide a clean interface. When designing the API itself, consider how it will be consumed and build the SDK alongside the API rather than as an afterthought.

For practical guidance on designing APIs that work well with SDKs, the article on simple API design for business applications covers RESTful patterns, resource naming, and request structure that support clean SDK interfaces.

Security Considerations for Internal SDKs

Internal SDKs handle sensitive operations and data. Design with security in mind from the start rather than adding it later. Authentication credentials should never be logged or exposed through error messages. HTTPS should be enforced for all API communication.

Rate limiting and request throttling protect both the API and consuming applications from unexpected load. The SDK should handle rate limit responses gracefully, either by implementing automatic backoff or by providing clear errors that consuming code can act on.

When working with APIs that handle sensitive data, ensure the SDK supports the same security controls as the underlying API. For guidance on security considerations for web applications and APIs, see the OWASP Top 10 guide for business web applications.

Getting Started with SDK Design

Designing a good SDK requires thinking from the perspective of the consuming developer. What do they need to accomplish? What should be easy? Where are the traps that lead to mistakes? Answering these questions shapes an interface that developers find natural and productive.

Start simple, observe how the SDK is used, and iterate based on real feedback. The best SDK designs evolve through actual use rather than being perfect from the start.

If you are building an internal API and want guidance on structuring the SDK, setting up authentication, or designing a clean interface that developers will actually use, there are practical approaches that help. Getting the fundamentals right early prevents a lot of refactoring work later.

Frequently Asked Questions

Should we build one SDK per language or a multi-language SDK?
Each language community has different conventions and expectations. A PHP SDK should follow PHP patterns, while a JavaScript SDK should match JavaScript conventions. Writing one SDK and translating it mechanically usually produces interfaces that feel awkward in each language. It is better to invest in one well-designed SDK first, then replicate the design patterns in other languages as needed.
How do we handle API changes without breaking consuming code?
Version the SDK separately from the API when possible. The SDK can adapt to API changes internally while presenting a stable interface to consuming code. When breaking changes are necessary, increment the major version, document the changes clearly, and give consuming teams time to migrate before removing the old version. Avoid making breaking changes without notice whenever possible.
How much configuration should the SDK expose?
Start with minimal configuration and add options only when real use cases demand them. Sensible defaults handle the majority of scenarios. Expose configuration for things that genuinely vary between environments or use cases: timeouts, retry behaviour, base URLs for different environments, and logging verbosity. Avoid exposing internal implementation details as configuration options.
What should we do when the API design is already poor?
Sometimes you need to build an SDK for an existing API with suboptimal design. In that case, the SDK becomes the abstraction layer that hides the awkwardness. Build a clean interface that internally handles the messiness of the underlying API. This way, consuming teams interact with a sensible interface while the complexity lives in one place.
How do we get developer feedback on the SDK?
Put the SDK in front of developers early and iterate based on their experience. Internal developer teams are your best beta testers. Watch how they use the SDK, what questions they ask, and where they get stuck. If developers are asking the same question repeatedly, that is a signal that the SDK interface needs improvement. If developers are building workarounds, understand why and address the underlying issue.
breach recovery incident response malware containment PHP breach response post-incident review security incident management web application security

Related Articles

Google Earth flight simulator

What Google's Earth Flight Simulator Means for Small Business SEO

Jul 7, 2026 Backup Strategy

Website Backup Strategy for WordPress and Custom PHP Sites

Jun 15, 2026 ai tools

How Google Keep with Gemini Can Support Your Small Business SEO

Jun 15, 2026
Cookie choices

Your privacy choices matter.

We use an essential cookie to remember your preferences. Optional analytics and diagnostics help us understand visits, identify issues, and improve the site, but they stay off unless you allow them.

Read the privacy notice