kintone API設計の十年 — 後方互換性との戦い

Cybozu's business app platform "kintone" has continued evolving the same REST API for over ten years since its 2011 release. Once published, an API supports the operations of tens of thousands of customers, and thoughtless changes are not permitted. This article organizes the design philosophy of evolving the API while preserving backward compatibility.

The basic principles of preserving backward compatibility are: "do not change existing fields," "new fields may be added," and "deletion is a last resort." When kintone adds new fields to response JSON, it does so on the premise that existing clients continue operating by ignoring unknown fields.

kintone's API does not carry explicit major versions in the URL path; it has taken the policy of maintaining one stable contract over the long term. This is the judgment that "increasing versions to v2, v3 fragments client implementations and makes long-term maintenance difficult." New features are handled by adding new endpoints or adding fields to existing endpoints.

Even when truly old APIs need to be deprecated, they are not removed overnight. A notice period of at least one year is set, with announcements in documentation and release notes, and warnings shown in the admin screen to encourage migration. The clearly defined four-stage lifecycle — "public → deprecated → warning → retired" — is a key characteristic.

Rather than handling every industry and every business operation with standard features alone, kintone provides customers with two extension means — "plugins" and "customize." Plugins are reusable JavaScript/CSS packages, and customize is code written into individual apps. Both depend strongly on the API contract, so breaking backward compatibility breaks a massive existing asset all at once.

For example, even when a string field is internally split into "string (single line)" and "string (multiple lines)," the API response adds a new field that distinguishes the two while leaving the meaning of the existing field unchanged. New clients read the new field; old clients continue to operate with only the conventional field.

Relying solely on human attention for backward compatibility is risky. Cybozu has set up contract tests that record past responses and continuously verify whether the current version returns the same response to the same request. Field additions are permitted, but disappearances or type changes of existing fields are immediately detected as test failures.

Public APIs always have rate limits set so that no specific client pressures overall performance. kintone sets an upper limit on per-tenant requests per second and returns 429 (Too Many Requests) when exceeded. Rate limit values themselves are considered part of the public API, and tightening them requires a notice period.

The track record of evolving the API for over a decade without breaking it is itself a culture that prioritizes protecting existing customers' operations over shipping new features quickly. The principles "additions are welcome, do not change, deletion requires a long notice period" are classical, but they remain valid guidelines for platforms operated over the long term.