Sometimes it is necessary to phase out an API endpoint, an API version, or an API feature, e.g. if a field or parameter is no longer supported or a whole business functionality behind an endpoint is supposed to be shut down. As long as the API endpoints and features are still used by consumers these shut downs are breaking changes and not allowed. To progress the following deprecation rules have to be applied to make sure that the necessary consumer changes and actions are well communicated and aligned using deprecation and sunset dates.
The API deprecation must be part of the API specification.
If an API endpoint (operation object), an input argument (parameter object),
an in/out data object (schema object), or on a more fine grained level, a
schema attribute or property should be deprecated, the producers must set
deprecated: true
for the affected element and add further explanation to the
description
section of the API specification. If a future shut down is
planned, the producer must provide a sunset date and document in details
what consumers should use instead and how to migrate.
Before shutting down an API, version of an API, or API feature the producer
must make sure, that all clients have given their consent on a sunset date.
Producers should help consumers to migrate to a potential new API or API
feature by providing a migration manual and clearly state the time line for
replacement availability and sunset (see also {SHOULD} add Deprecation
and Sunset
header to responses). Once all clients of
a sunset API feature are migrated, the producer may shut down the deprecated
API feature.
If the API is consumed by any external partner, the API owner must define a reasonable time span that the API will be maintained after the producer has announced deprecation. All external partners must state consent with this after-deprecation-life-span, i.e. the minimum time span between official deprecation and first possible sunset, before they are allowed to use the API.
Owners of an API, API version, or API feature used in production that is scheduled for sunset must monitor the usage of the sunset API, API version, or API feature in order to observe migration progress and avoid uncontrolled breaking effects on ongoing consumers. See also [193].
During the deprecation phase, the producer should add a Deprecation: <date-time>
(see draft: RFC
Deprecation HTTP Header Field) and - if also planned - a Sunset: <date-time>
(see {RFC-8594}#section-3[RFC 8594]) header on each response affected by a
deprecated element (see {MUST} reflect deprecation in API specifications).
The {Deprecation} header can either be set to true
- if a feature is retired
-, or carry a deprecation time stamp, at which a replacement will become/became
available and consumers must not on-board any longer (see {MUST} not start using deprecated APIs). The optional
{Sunset} time stamp carries the information when consumers latest have to stop
using a feature. The sunset date should always offer an eligible time interval
for switching to a replacement feature.
Deprecation: Tue, 31 Dec 2024 23:59:59 GMT
Sunset: Wed, 31 Dec 2025 23:59:59 GMT
If multiple elements are deprecated the {Deprecation} and {Sunset} headers are expected to be set to the earliest time stamp to reflect the shortest interval at which consumers are expected to get active. The {Deprecation} and {Sunset} headers can be defined as follows in the API specification (see also the default definition below):
components:
parameters|headers:
Deprecation:
$ref: 'https://opensource.zalando.com/restful-api-guidelines/models/headers-1.0.0.yaml#/Deprecation'
Sunset:
$ref: 'https://opensource.zalando.com/restful-api-guidelines/models/headers-1.0.0.yaml#/Sunset'
link:../includes/deprecation.yaml[role=include]
link:../includes/sunset.yaml[role=include]
Note: adding the {Deprecation} and {Sunset} header is not sufficient to gain client consent to shut down an API or feature.
Hint: In earlier guideline versions, we used the {Warning} header to provide the deprecation info to clients. However, {Warning} header has a less specific semantics, will be obsolete with draft: RFC HTTP Caching, and our syntax was not compliant with {RFC-9111}#section-5.5[RFC 9111 Section 5.5 "Warning"].
Clients should monitor the {Deprecation} and {Sunset} headers in HTTP responses
to get information about future sunset of APIs and API features (see {SHOULD} add Deprecation
and Sunset
header to responses).
We recommend that client owners build alerts on this monitoring information to
ensure alignment with service owners on required migration task.
Hint: In earlier guideline versions, we used the Warning
header to provide
the deprecation info (see hint in {SHOULD} add Deprecation
and Sunset
header to responses).