docs: improve api guidelines (#9478)

# Which Problems Are Solved The API guidelines were not completely accurate on how we want to check permissions. # How the Problems Are Solved Made the description clearer and added examples. # Additional Changes Improved the error code example as initially intended in #9340 and added notes about the `limits` for listing resources. # Additional Context popped up in PR review of https://github.com/zitadel/zitadel/pull/9445
2025-04-02 17:14:10 +00:00 · 2025-03-07 15:19:09 +01:00 · 2025-03-07 15:19:09 +01:00 · ead9fde16a
commit ead9fde16a
parent 27b319bd98
1 changed files with 43 additions and 13 deletions
--- a/API_DESIGN.md
+++ b/API_DESIGN.md
@ -158,9 +158,33 @@ Additionally, state changes, specific actions or operations that do not fit into
 The API uses OAuth 2 for authorization. There are corresponding middlewares that check the access token for validity and 
 automatically return an error if the token is invalid.
-Permissions grated to the user are organization specific and might only be checked based on the queried resource.
+Permissions grated to the user might be organization specific and can therefore only be checked based on the queried resource.
-Therefore, the API does not check the permissions itself but relies on the checks of the functions that are called by the API.
+In such case, the API does not check the permissions itself but relies on the checks of the functions that are called by the API.
-Required permissions need to be documented in the [API documentation](#documentation).
+If the permission can be checked by the API itself, e.g. if the permission is instance wide, it can be annotated on the endpoint in the proto file (see below).
 In any case, the required permissions need to be documented in the [API documentation](#documentation).
 ### Permission annotations
 Permissions can be annotated on the endpoint in the proto file. This allows the API to automatically check the permissions for the user.
 The permissions are checked by the middleware and an error is returned if the user does not have the required permissions.
 The following example requires the user to have the `iam.web_key.write` permission to call the `CreateWebKey` method.
 ```protobuf
 option (zitadel.protoc_gen_zitadel.v2.options) = {
  auth_option: {
    permission: "iam.web_key.write"
  }
 };
 ```
 In case the permission cannot be checked by the API itself, but all requests need to be from an authenticated user, the `auth_option` can be set to `authenticated`.
 ```protobuf
 option (zitadel.protoc_gen_zitadel.v2.options) = {
  auth_option: {
    permission: "authenticated"
  }
 };
 ```
 ## Pagination
@ -186,6 +210,8 @@ message ListQuery {
 On the corresponding responses the `ListDetails` can be used to return the total count of the resources
 and allow the user to handle their offset and limit accordingly.
 The API MUST enforce a reasonable maximum limit for the number of resources that can be retrieved and returned in a single request.
 The default limit is set to 100 and the maximum limit is set to 1000. If the client requests a limit that exceeds the maximum limit, an error is returned.
 ## Error Handling
@ -222,19 +248,21 @@ HTTP/1.1 400 Bad Request
 Content-Type: application/json
 {
-  "code": "user_missing_information",
+  "code": "user_invalid_information",
-  "message": "missing required information for the creation of the user",
+  "message": "invalid or missing information provided for the creation of the user",
  "details": [
    {
      "@type": "type.googleapis.com/google.rpc.BadRequest",
      "fieldViolations": [
        {
          "field": "given_name",
-          "description": "given name is required"
+          "description": "given name is required",
          "reason": "MISSING_VALUE"
        },
        {
          "field": "family_name",
-          "description": "family name is required"
+          "description": "family name must not exceed 200 characters",
          "reason": "INVALID_LENGTH"
        }
      ]
    }
@ -246,23 +274,25 @@ gRPC / connectRPC example:
 ```
 HTTP/2.0 200 OK
 Content-Type: application/grpc
-Grpc-Message: missing required information for the creation of the user
+Grpc-Message: invalid information provided for the creation of the user
 Grpc-Status: 3
 {
-  "code": "user_missing_information",
+  "code": "user_invalid_information",
-  "message": "missing required information for the creation of the user",
+  "message": "invalid or missing information provided for the creation of the user",
  "details": [
    {
      "@type": "type.googleapis.com/google.rpc.BadRequest",
      "fieldViolations": [
        {
          "field": "given_name",
-          "description": "given name is required"
+          "description": "given name is required",
          "reason": "MISSING_VALUE"
        },
        {
          "field": "family_name",
-          "description": "family name is required"
+          "description": "family name must not exceed 200 characters",
          "reason": "INVALID_LENGTH"
        }
      ]
    }
@ -292,7 +322,7 @@ Grpc-Status: 3
 //   - user.write
 //
 // Error Codes:
-//   - user_missing_information: The request is missing required information (either given_name, family_name and/or email) for the creation of the user. Check error details for the missing fields.
+//   - user_missing_information: The request is missing required information (either given_name, family_name and/or email) or contains invalid data for the creation of the user. Check error details for the missing or invalid fields.
 //   - user_already_exists: The user already exists. The username must be unique.
 //   - invalid_request: Your request does not have a valid format. Check error details for the reason.
 //   - permission_denied: You do not have the required permissions to access the requested resource.