← Back to glossary

Hypermedia APIs — HATEOAS

API Design Advanced

debt(d7/e7/b7/t5)

d7 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'only careful code review or runtime testing' (d7). The detection_hints indicate automated detection is 'no' and tools listed (postman, hal-browser) are manual inspection tools. Hardcoded URL patterns in clients or missing HATEOAS links are only visible through deliberate API response review or runtime testing — no linter or SAST flags this architectural absence.

e7 Effort Remediation debt — work required to fix once spotted

Closest to 'cross-cutting refactor across the codebase' (e7). The quick_fix describes adding a _links section, but the common_mistakes reveal that clients must also stop hardcoding URLs and start following links. This requires changing both the API server responses AND all API clients, which is a cross-cutting change spanning multiple components and potentially many consuming services.

b7 Burden Structural debt — long-term weight of choosing wrong

Closest to 'strong gravitational pull' (e7). The applies_to covers web and api contexts broadly. Choosing (or not choosing) HATEOAS shapes how every client is written, how URL structures are designed, how documentation is maintained, and how API evolution is handled. Every future endpoint and client interaction is shaped by this architectural decision, but it doesn't quite define the entire system shape (not b9).

t5 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'notable trap — a documented gotcha most devs eventually learn' (t5). The misconception field explicitly states that developers believe 'REST requires HATEOAS' when in fact most production REST APIs are Level 2 and work perfectly well without it. This is a well-documented gotcha — developers invest in full HATEOAS implementation believing it's required for 'proper REST', only to find it adds complexity without proportionate benefit for many use cases.

About DEBT scoring → scored by claude-sonnet-4-6 · 2026-05-08 · reviewed by human

Also Known As

HATEOAS HAL JSON:API hypermedia REST level 3

TL;DR

REST APIs that include links in responses — clients discover available actions from the response rather than hardcoding URLs, making APIs self-describing and evolvable.

Explanation

HATEOAS (Hypermedia as the Engine of Application State) is a REST constraint where responses include links to related resources and available actions. JSON:API and HAL (Hypertext Application Language) are standardised hypermedia formats. A payment response includes links: {self: /payments/42, refund: /payments/42/refund, receipt: /payments/42/receipt}. Benefits: clients are not hardcoded to URL structure, available actions change based on state (no refund link if already refunded), and APIs are self-documenting. In practice: rarely implemented fully; most REST APIs are not truly HATEOAS — they use stable versioned URLs instead.

Common Misconception

✗ REST requires HATEOAS — HATEOAS is Level 3 of Richardson's REST maturity model; most production REST APIs are Level 2 (resources + HTTP verbs) and work perfectly well without hypermedia links.

Why It Matters

A fully HATEOAS API can change its URL structure without breaking clients — clients follow links rather than constructing URLs, decoupling them from the API's URL design decisions.

Common Mistakes

Hardcoding URLs in API clients instead of following links — defeats the purpose of HATEOAS.
Including links to unavailable actions — the presence of a link implies the action is available.
Inconsistent link relation names — use standard relations (self, next, prev) where possible.
HATEOAS as a substitute for documentation — links are machine-readable; humans still need docs.

Code Examples

✗ Vulnerable

// Client hardcodes URL structure:
$baseUrl = 'https://api.example.com/v2';
$payment = $client->get($baseUrl . '/payments/' . $id);
$refund  = $client->post($baseUrl . '/payments/' . $id . '/refund');
// Breaks if API moves to /v3/payments or changes URL structure

✓ Fixed

// HATEOAS response:
// GET /payments/42
{
    "id": 42,
    "amount": 99.99,
    "status": "completed",
    "_links": {
        "self":    {"href": "/payments/42"},
        "refund":  {"href": "/payments/42/refund", "method": "POST"},
        "receipt": {"href": "/payments/42/receipt"}
    }
}
// No refund link when status=refunded — client knows refund unavailable
// Client follows _links.refund — URL can change without breaking client

Tags

api-design rest architecture

Added 16 Mar 2026

Edited 22 Mar 2026

Curated in Warsaw under one editorial standard. 1,506 terms, single voice. About this reference →

Rate this term

No ratings yet

🤖 AI Guestbook educational data only

| |

Last 30 days

Agents 0

No pings yet today

No pings yesterday

Amazonbot 7 Ahrefs 4 Perplexity 3 Unknown AI 3 Google 3 SEMrush 3 Claude 2 Bing 2 Scrapy 2 Meta AI 1 Majestic 1 Sogou 1

Also referenced

REST Architectural Constraints 105 API Versioning 58 API Documentation 44 GraphQL vs REST vs gRPC 35

How they use it

crawler 27 crawler_json 4 pre-tracking 1

Related categories

api_design 901

⚡ DEV INTEL Tools & Severity

🔵 Info ⚙ Fix effort: High

⚡ Quick Fix

Include a _links section in API responses with related action URLs — this lets clients discover available operations without hardcoding URLs, making your API more self-describing

📦 Applies To

any web api

🔗 Prerequisites

REST Architectural Constraints API Design Principles API Versioning

🔍 Detection Hints

API clients hardcoding URL patterns instead of following links from responses; no HATEOAS links in REST API responses

Auto-detectable: ✗ No postman hal-browser

⚠ Related Problems

REST Architectural Constraints API Design Principles API Backwards Compatibility

🤖 AI Agent

Confidence: Low False Positives: High ✗ Manual fix Fix: High Context: File Tests: Update

References

https://htmx.org/essays/hateoas/