REST is misunderstood. Most 'REST' APIs are really RPC-over-HTTP. True REST is more disciplined. Here's what matters in practice.
Resources not RPC
URLs identify things (users, orders), not actions. POST /users creates. DELETE /users/42 removes. Not /createUser.
HTTP semantics
GET = safe + idempotent. PUT = idempotent replace. POST = create + non-idempotent. DELETE = idempotent removal. Follow them.
Versioning strategy
URL path (/v1/) is pragmatic. Accept header (application/vnd.myapp.v1+json) is purer. Pick one, stick with it.
Cursor pagination
Offset pagination breaks under insertions. Cursor pagination gives stable results. Return next_cursor with page.
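The failure and the fix side by side, as an added example that is not from the original page. The function names, the newest-first ordering by `id`, and the base64-encoded JSON cursor are assumptions chosen for illustration.

```python
import base64
import json

def newest_first(rows):
    return sorted(rows, key=lambda r: r["id"], reverse=True)

def offset_page(rows, offset, limit):
    # Position-based: every row inserted ahead of the window shifts it.
    return newest_first(rows)[offset:offset + limit]

def encode_cursor(last_id):
    raw = json.dumps({"last_id": last_id}).encode()
    return base64.urlsafe_b64encode(raw).decode()

def decode_cursor(cursor):
    # The cursor comes back from the client, so treat it as untrusted input.
    try:
        last_id = json.loads(base64.urlsafe_b64decode(cursor.encode()))["last_id"]
    except (ValueError, KeyError, TypeError):
        raise ValueError("invalid cursor") from None
    if isinstance(last_id, bool) or not isinstance(last_id, int):
        raise ValueError("invalid cursor")
    return last_id

def cursor_page(rows, cursor=None, limit=2):
    # Key-based: "everything older than the last row you saw".
    ordered = newest_first(rows)
    if cursor is not None:
        last_id = decode_cursor(cursor)
        ordered = [r for r in ordered if r["id"] < last_id]
    items = ordered[:limit]
    more = len(ordered) > limit
    return {"items": items,
            "next_cursor": encode_cursor(items[-1]["id"]) if more else None}

def demo():
    rows = [{"id": i} for i in range(1, 6)]      # constructed sample data
    off1 = offset_page(rows, 0, 2)
    cur1 = cursor_page(rows, None, 2)
    rows.append({"id": 6})                       # insert between the two requests
    off2 = offset_page(rows, 2, 2)               # id 4 is served a second time
    cur2 = cursor_page(rows, cur1["next_cursor"], 2)
    ids = lambda page: [r["id"] for r in page]
    return ids(off1 + off2), ids(cur1["items"] + cur2["items"])

if __name__ == "__main__":
    print(demo())
```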
RFC 9457 Problem Details
Standard error format. {type, title, status, detail, instance}. Machine-parseable. Better than custom error shapes.