PHPackages                             webiny/rest - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [HTTP & Networking](/categories/http)
4. /
5. webiny/rest

ActiveLibrary[HTTP & Networking](/categories/http)

webiny/rest
===========

Webiny REST Component

v1.6.1(8y ago)325MITPHPPHP ^7

Since Sep 19Pushed 8y ago9 watchersCompare

[ Source](https://github.com/Webiny/Rest)[ Packagist](https://packagist.org/packages/webiny/rest)[ Docs](http://www.webiny.com/)[ RSS](/packages/webiny-rest/feed)WikiDiscussions master Synced 1w ago

READMEChangelog (1)Dependencies (9)Versions (23)Used By (0)

REST Component
==============

[](#rest-component)

A simple but powerful REST library that doesn't get in the way.

Install the component
---------------------

[](#install-the-component)

The best way to install the component is using Composer.

```
composer require webiny/rest
```

For additional versions of the package, visit the [Packagist page](https://packagist.org/packages/webiny/rest).

Usage
-----

[](#usage)

Some of the built-in features:

- supports **GET**, **POST**, **PUT**, **PATCH** and **DELETE** requests
- resource naming (via `@rest.url` annotation)
- integrated version management system
- effective Rate Control mechanism
- services are configured using annotations
- built in Cache using [Webiny Framework Cache component](../Cache/)
- built in ACL using [Webiny Framework Security component](../Security/)
- built in routing using [Webiny Framework Router component](../Router/)
- nice debug options
- pretty formatted JSON output (only in development mode)
- CRUD support

Usage example
-------------

[](#usage-example)

```
// create REST instance for the given configuration and the API class
$rest = new \Webiny\Component\Rest\Rest('InternalApi', '\MyApp\Services\TestService');

// process the request and send the output to browser
$rest->processRequest()->sendOutput();

// simple as that...
```

Configuration and dependencies
------------------------------

[](#configuration-and-dependencies)

This is an example configuration:

```
Rest:
    ExampleApi:
		CompilePath: /var/tmp
		Router:
            Class: \Foo\Bar\MyServices\{foo}\{bar}
            Path: /services/{test}/{foo}/{mock}/{bar}
            Normalize: true
    MiddlewareApi:
        CompilePath: /var/tmp
        Middleware: \My\Custom\Handler
        Router:
            Class: \Foo\Bar\MyServices\{foo}\{bar}
            Path: /services/{test}/{foo}/{mock}/{bar}
            Normalize: true
	SomeOtherApi:
	    CompilePath: /var/www/Cache/Rest
        Cache: someCacheService
        Security:
            Role: ROLE_ANONYMOUS
            Firewall: Admin
        RateControl:
         Limit: 60
         Interval: 1 # in minutes
         Penalty: 10 # in minutes
        Environment: production
```

As you can see, you can have multiple REST configurations. The minimum that one configuration must have is just the definition of `CompilePath`.

### Configuration parameters:

[](#configuration-parameters)

#### **CompilePath**

[](#compilepath)

This is the absolute path to a folder where the REST component will store the compiled files.

*If you want to know more:*When you register a class, or in API naming, a "service", the component will parse through that class and all its methods and their annotations, which would be then evaluated based on different rules, to define the service behaviour. All this is then saved an array that is actually stored in a file, that we call the compile cache file.

#### **Router**

[](#router)

This is an optional setting, it tells to the Rest component how it should transform the current url to get the service class name. However to trigger that mechanism, the url must match the `Path` parameter. Variables in brackets will act as patterns to match certain parts of the url. Those matches can then be used to create the `Class` name. You will find more about routing in the [Routing and accessing the APIs](#routing-and-accessing-the-apis) section.

#### **Cache**

[](#cache)

As stated before, the component uses the [Cache component](../Cache/) from Webiny Framework. The value of the `Cache`should point to a defined cache service.

The cache is used for two different operations, one is to provide a caching layer for storing results, and the other one is that Cache is a requirement if you wish to use the Rate Control mechanism.

#### **Security**

[](#security)

Security section provides a layer for authorization and authentication above your REST APIs. It is dependent upon the [Security](../Security) component.

The configuration takes two parameters:

- `Firewall`: name of the registered firewall on the Security component configuration.
- `Role`: this is the default role that all users need to have in order to access the API. You can overwrite the required role in the annotations. If you don't want to force the role, you can either remove this part from your configuration, or set it to `ROLE_ANONYMOUS`, which will then allow access to all users, unless it's overwritten by a method or class annotation.

If the user doesn't have access, a **403 - Forbidden** response is returned.

#### **RateControl**

[](#ratecontrol)

Rate control is a protection mechanism preventing anyone from abusing your REST API in a way the he is making too many requests in a short period of time.

With rate control you set the following parameters:

- `Limit`: how many requests per interval a particular IP can make
- `Interval`: after how many minutes should be reset the limit
- `Penalty`: for how long should we block the IP if it has reached the limit

If limit is reached, and penalty is activated, the component will return **429 - Too Many Requests** response, until the limit is restored.

Note that the rate control mechanism requires that you have `Cache` specified on that REST configuration.

#### **Environment**

[](#environment)

The value of `Environment` attribute can either be 'production' or 'development'. The difference is that in development mode we constantly rebuild the compiled cache files, we also output special debug response headers, and JSON output uses pretty format.

#### **Middleware**

[](#middleware)

If this parameter is set, it should point to your class that implements `MiddlewareInterface`. This gives you control over execution of your REST service method. Everything until and after the execution of the service is done by the component. The component passes the `RequestBag` to your middleware, and it is up to you how you will execute the method, maybe perform additional checks, or some custom business logic. Whatever you do, the return value will be passed directly to the REST component and will be used as a service result.

Class and method annotations
----------------------------

[](#class-and-method-annotations)

```
/**
 * @rest.role ROLE_EDITOR
 */
class FooService
{
    /**
     * @rest.method get
     * @rest.default
     * @rest.ignore
     * @rest.cache.ttl 100
     * @rest.header.cache.expires 3600
     * @rest.header.status.success 200
     * @rest.header.status.errorMessage No Author for specified id.
     * @rest.rateControl.ignore
     * @rest.url some/custom/url/{param1}/param2/{param2}/other/{param3}
     *
     * @param integer $param1 Some param.
     * @param string $param2 Other param.
     * @param string $param3 Other param.
     */
    function fooMethod($param1, $param2 = "default", $param3 = "p3def")
    {
        ...
    }
}
```

Annotations are a way of describing certain properties of an object. With annotations you can configure the behaviour of your service. All the REST component annotations have a `rest` namespace.

All the annotations can be defined on a class level, making them default to methods, and on the method level you can overwrite them. There are no required annotations.

**When one class extends another, where the child class is actually your REST API, the parent class automatically passes, its class and method, annotations the child class, so make sure when overwriting methods, that you also overwrite the annotations, if necessary.**

### The following annotations are available:

[](#the-following-annotations-are-available)

#### **@rest.method**

[](#restmethod)

```
/**
 * @rest.method get
 */
```

Defines over which HTTP method the service can be accessed. If not defined, `get` is set as default. The supported request types are **GET**, **POST**, **PUT**, **PATCH** and **DELETE**. They are not case sensitive.

#### **@rest.default**

[](#restdefault)

```
/**
 * @rest.default
 */
```

Defines that this method is the default method for the defined `@rest.method` request type. For example if you have `@rest.method` set to `post` and the method is marked with `@rest.default` and you do a POST request just to the service name, without the method, the defined default method for POST request will be triggered.

#### **@rest.ignore**

[](#restignore)

```
/**
 * @rest.ignore
 */
```

This flag tells to the component that it should ignore that method and that it's not part of the service. Usually used for some internal methods.

#### **@rest.cache.ttl**

[](#restcachettl)

```
/**
 * @rest.cache.ttl 100
 */
```

Marks that the returned result from this method can be cached for the specific amount of time. The time is defined in seconds. Note that this feature requires that you have a `Cache` service defined in your configuration.

#### **@rest.header**

[](#restheader)

There are several options in the `header` section that you can control:

- `cache.expires`: defines what ttl will be set in `Expires` header that component will send to the browser. If you don't set it, it will be set to '-1' telling the browser to always grab fresh content from the server.
- `status.success`: what response status code should be returned if the request was successful. By default **200 - OK** is returned, with an exception of **201 - Created** for **POST** requests.
- `status.errorMessage`: defines a custom error message that will be attached to the response status code.

#### **@rest.role**

[](#restrole)

```
/**
 * @rest.role ROLE_EDITOR
 */
```

Defines that a method can only be accessed by users that have the specific, or higher, access level.

This annotation requires that you define the `Security` section in your configuration.

#### **@rest.rateControl.ignore**

[](#restratecontrolignore)

```
/**
 * @rest.rateControl.ignore
 */
```

This flag marks that rate control will not be applied to that method.

#### **@rest.url**

[](#resturl)

```
/**
 * @rest.url some/custom/url/{param1}/param2/{param2}/other/{param3}
 */
```

This annotation provides the resource naming feature by specifying a custom url that will be used in the url matching, instead of the `method name`. **Note:** When using resource naming, you cannot use `@rest.default` annotation on that method, and also you cannot specify optional parameters.

Routing and accessing the APIs
------------------------------

[](#routing-and-accessing-the-apis)

This is an example `Router` config.

```
Rest:
    ExampleApi:
        Router:
            Class: \Foo\Bar\MyServices\{foo}\{bar}
            Path: /services/{test}/{foo}/{mock}/{bar}
            Normalize: true
```

The config takes the following parameters:

#### Class

[](#class)

This parameter tells to the `Router` how it should implement the matching parameters from the url and the `Path` to get the class name used for the called Rest service.

#### Path

[](#path)

Path is a url pattern that the component tries to match agains the current url. If a match is made, the matched parameters are used to create the `Class` name. All the patterns are inside curly brackets `{foo}` and `([\w-]+)` regex pattern is used for matching.

#### Normalize

[](#normalize)

This is an optional feature. It tells to the component if the matched parameters should be normalized. In this case under "normalize" we consider transforming parameter value like this one `some-application` into this `SomeApplication`.

#### Example

[](#example)

Let's say you have the upper configuration example in place. The following url will produce the example class name.

Url: `http://www.hats.com/services/my-app/some-longer-name/test/pac-man`

Class: `\Foo\Bar\MyServices\SomeLongerName\PacMan`

#### Some pre-requirements

[](#some-pre-requirements)

All you need to do is set on your web server that all requests should be routed to a single file, for example `rest.php`On that file call the static `iniRest` method with the API name. That method returns a new Rest instance where you can call the `processRequest` method that triggers the service call. If the url is not matched boolean `false` is returned.

```
try{
    $rest = Rest::initRest('ExampleApi');
    if($rest){
        $rest->processRequest()->sendOutput();
    }
}catch (RestException $e){
    // handle the exception
}
```

Interfaces
----------

[](#interfaces)

The component provides several interfaces that you can implement on your API class to gain more control over some aspects of the component.

All the interfaces are under the a namespace `Webiny\Component\Rest\Interfaces\`.

### Versioning and VersionInterface

[](#versioning-and-versioninterface)

The component gives you the option to version your APIs, meaning that you can have multiple active version of one API. This helps a lot when you are deploying a new version, but you still need to support the old one.

Also you have two version aliases, making things even more simpler for you. The alias is nothing but a pointer to an actual version. The two available aliases are `latest` and `current`. If somebody requests your API, and if he hasn't defined a version, he will be pointed to the `current` version, which is then mapped to an actual version.

In order to implement versioning feature, you need to implement `Webiny\Component\Rest\Interfaces\VersionInterface` on your class. This looks something like this:

```
class FooService implements \Webiny\Component\Rest\Interfaces\VersionInterface
{

    static public function getLatestVersion(){
        return '2.0';
    }

    static public function getCurrentVersion(){
        return '1.0';
    }

    static public function getAllVersions(){
        return [
            '1.0' => 'FooService',
            '2.0' => 'FooServiceNew',
            '2.1' => 'FooServiceBetaInTesting'
        ];
    }
}
```

The interface will tell you to implement the upper three methods, `getLatestVersion`, `getCurrentVersion` and `getAllVersions`. The most important method is the `getAllVersions` which returns an array of supported versions where the key is the version number, in format X.Y, and the class name is the value. This is the class that will be used to handle the requests.

Note that only the 'main' class needs to be registered with the component `$rest = new \Webiny\Component\Rest\Rest('InternalApi', 'FooService');`. Also the main class is the only one that needs to implement the interface, making everything a whole lot easier to maintain.

#### How to access a specific version

[](#how-to-access-a-specific-version)

By default all users will be pointed to the `current` version. To make a request to a specific version you need to add a request header. The request header name is `X-Webiny-Rest-Version` and the value is the version. For the version you can send a specific version number, or an alias. All requests that have this header will be mapped to that concrete version.

// point the request to version 2.1

```
X-Webiny-Rest-Version: 2.1
```

### AccessInterface

[](#accessinterface)

If you wish to implement your own security layer, you can implement the `Webiny\Component\Rest\Interfaces\AccessInterface`.

```
class FooService implements \Webiny\Component\Rest\Interfaces\AccessInterface
{

    public function hasAccess($role)
    {
        // do you processing here
    }
}
```

The interface will ask you to define `hasAccess` method. This method takes only one parameter `$role`. This parameter contains the value defined in `@rest.role` annotation. The method should return either `true` or `false`, allowing or denying access to the user.

Note that you still need to define the `Security` section in your REST configuration. The configuration should only contain the default required role. Don't define the `Firewall` attribute.

```
Rest:
    SomeOtherApi:
        CompilePath: /var/www/Cache/Rest
        Security:
            Role: ROLE_ANONYMOUS
```

`ROLE_ANONYMOUS` allows non authenticated users to call the service. You can overwrite the required role with the `@rest.role` annotation on a per-class and per-method basis.

### CacheKeyInterface

[](#cachekeyinterface)

Rest component, by default, creates cache keys from these parameters:

- url path
- query parameters
- http method
- post parameters
- payload parameters
- api version (we use the actual version number, not the aliases like current, and latest)

Implement this interface to define your own method for generating a cache key. Some common use cases are to generate a cache key based on some cookie or token. Note that you should still include the url, query parameters and the http method. Always take into account that generating the cache key doesn't actually take longer than getting the data without cache.

The implementation looks like this:

```
class FooService implements \Webiny\Component\Rest\Interfaces\CacheKeyInterface
{

    public function getCacheKey($role)
    {
        // return your generated key
    }
}
```

Note that the returned key is used "as it is", nothing is appended to it, nor it is hashed, so make sure that you return a key with a proper size.

### CrudInterface

[](#crudinterface)

Implementing this interface you will get the basic CRUD methods and behavior described in the table below:

Request typeUrlMappingDescriptionGETfoo-class/FooClass::crudListRetrieve all records in a collection.POSTfoo-class/FooClass::crudCreate()Create new record.DELETEfoo-class/{id}FooClass::crudDelete($id)Delete a record with the given id.GETfoo-class/{id}FooClass::crudGet($id)Retrieve a single record.PUTfoo-class/{id}FooClass::crudReplace($id)Replace a single record.PATCHfoo-class/{id}FooClass::crudUpdate($id)Update a single record.RestTrait
---------

[](#resttrait)

In practice you often need to use things like paging, sorting and similar, which doesn't make since to put as a parameter in your method. The best approach is to use query parameters. The `RestTrait` provides you with helper functions and suggestions.

In the trait you will find the next methods:

- `restGetPage`: returns the value of `_page` query parameter
- `restGetPerPage`: returns the value of `_perPage` query parameter (has a built-in limit of 1.000)
- `restGetSortField`: returns the sort field name from the `_sort` query parameter
- `restGetSortFields`: returns the sort fields array, parsed from the `_sort` query parameter
- `restGetSortDirection`: returns the sort direction from the `_sort` query parameter
- `restGetFields`: returns the value of `_fields` query parameter

Let's see the returned values if we would look at this url: `http://api.example.com/my-service/get-pages/?_page=1&_perPage=10&_sort=+Title&_fields=id,title,author,slug`

The returned values would be as following:

- `restGetPage`: 1
- `restGetPerPage`: 10
- `restGetSortField`: Title
- `restGetSortDirection`: 1 (if we would have '-' in front of the field name, the function would return -1)
- `restGetSortFields`: \['Title' => 1\]
- `restGetFields`: id,title,author,slug

Return values
-------------

[](#return-values)

The component returns a JSON response, like the one below:

```
{
    "data": "this is my result"
}
```

Your result is always encapsulated within the `data` property.

In case of an error, the `data` property is omitted, and you will get a response containing errors, like this one:

```
{
    "errorReport": {
        "message": "This is an error.",
        "description": "Some custom error description."
    }
}
```

You can also add additional error entries:

```
{
    "errorReport": {
        "message": "This is an error.",
        "description": "Some custom error description.",
        "errors": [
            {
                "message": "This is an additional error message.",
                "field": "This is a custom error field."
            },
            {
                "message": "Another error",
                "code": "23a33"
            }
        ]
    }
}
```

### Throwing errors

[](#throwing-errors)

When you need to throw an error, the best way is using the RestErrorException class.

```
class FooService
{
    public function testError()
    {
        $error = new \Webiny\Component\Rest\RestErrorException("This is an error.", "Some custom error description.");
        $error->addError(['message'=>'This is an additional error message.', 'field'=>'This is a custom error field.']);
        $error->addError(['message'=>'Another error', 'code'=>'23a33']);

        throw $error;
    }
}
```

Debugging
---------

[](#debugging)

The component will return additional debug information in the response header and in the `debug` part of the response body. The additional headers are as following:

- `X-Webiny-Rest-Class`: name of the used API class (useful to know which class was used based on the version)
- `X-Webiny-Rest-ClassVersion`: actual API version
- `X-Webiny-Rest-Method`: which HTTP request method was used
- `X-Webiny-Rest-RateControl-Limit`: the limit of rate control (also present in the production mode)
- `X-Webiny-Rest-RateControl-Remaining`: the remaining number of requests, until the limit is reached (also present in the production mode)
- `X-Webiny-Rest-RateControl-Reset`: unix timestamp with the date when the rate control limit will be refreshed
- `X-Webiny-Rest-RequestedRole`: present only if the method required some specific role

Here is typical example output:

```
X-Webiny-Rest-Class:TestRestApiServiceNew
X-Webiny-Rest-ClassVersion:2.0
X-Webiny-Rest-Method:GET
X-Webiny-Rest-RateControl-Limit:10
X-Webiny-Rest-RateControl-Remaining:8
X-Webiny-Rest-RateControl-Reset:1408414512
X-Webiny-Rest-RequestedRole:SECRET_ROLE
```

Compiler cache
--------------

[](#compiler-cache)

The component reads the api classes and creates an array that contains different information about the api services contained within that class. Based on the component environment, that array will be saved. If the environment is `development`the cached array will be stored in memory inside a static array. If the environment is `production` the array will be written to the disk, using the `CompilePath`.

If you wish to create your own compiler cache class, and write, for example to a Redis database, you just need to create a class and implement `\Webiny\Component\Rest\Compiler\CacheDrivers\CacheDriverInterface` and define the path to the class inside your Rest component config, like this:

```
Rest:
    ExampleApi:
        CompilerCacheDriver: '\Vendor\Namespace\Class'
```

Resources
---------

[](#resources)

To run unit tests, you need to use the following command:

```
$ cd path/to/Webiny/Component/Rest/
$ composer.phar install
$ phpunit

```

Make sure that you update the configuration files inside `Test/Mocks/` folder.

###  Health Score

31

—

LowBetter than 68% of packages

Maintenance20

Infrequent updates — may be unmaintained

Popularity10

Limited adoption so far

Community10

Small or concentrated contributor base

Maturity73

Established project with proven stability

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~52 days

Recently: every ~5 days

Total

22

Last Release

3153d ago

PHP version history (3 changes)v1.0.0PHP >=5.4.0

v1.2.1PHP >=5.5.9

1.5.x-devPHP ^7

### Community

Maintainers

![](https://www.gravatar.com/avatar/4440afa738ed146b05c06073a90345e0464c4f4d042b039532d881ca24859d77?d=identicon)[SvenAlHamad](/maintainers/SvenAlHamad)

---

Top Contributors

[![SvenAlHamad](https://avatars.githubusercontent.com/u/3808420?v=4)](https://github.com/SvenAlHamad "SvenAlHamad (20 commits)")

---

Tags

apirest

###  Code Quality

TestsPHPUnit

### Embed Badge

![Health badge](/badges/webiny-rest/health.svg)

```
[![Health](https://phpackages.com/badges/webiny-rest/health.svg)](https://phpackages.com/packages/webiny-rest)
```

###  Alternatives

[xendit/xendit-php

Xendit PHP SDK

189730.6k6](/packages/xendit-xendit-php)[angelleye/paypal-php-library

PHP wrapper for PayPal APIs

243440.9k](/packages/angelleye-paypal-php-library)[infobip/infobip-api-php-client

PHP library for consuming Infobip's API

921.8M10](/packages/infobip-infobip-api-php-client)[onesignal/onesignal-php-api

A powerful way to send personalized messages at scale and build effective customer engagement strategies. Learn more at onesignal.com

34170.2k2](/packages/onesignal-onesignal-php-api)[mediamonks/rest-api-bundle

MediaMonks Rest API Symfony Bundle

1656.2k1](/packages/mediamonks-rest-api-bundle)[phrest/api

REST API Package for Phalcon PHP

304.2k](/packages/phrest-api)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)