The Hypermedia as the Engine of Application State (HATEOS) style is yet another approach for providing efficient web APIs. It is, however, completely different from the other two styles we've presented. With this approach, clients can dynamically navigate to a resource by traversing various hypermedia links, which are provided in the HTTP responses.

The advantage of this style is that the server doesn't drive the application state anymore; instead, it is the hypermedia links that are returned by the server that oversee this.

Additionally, compared to the other styles, API changes are handled much better since clients don't hardcode URIs to actions (RPC-style) or resources (REST-style) anymore. Instead, they can work with hypermedia links that have been returned by a server for every response that is received after a request is made. This is an interesting concept in the way that it allows for more flexible and evolvable web APIs.

The following diagram shows an example of how to apply the HATEOAS-style to the Tic-Tac-Toe application:

An example of the JSON representation of this diagram is as follows:

    { 
      "_links": { 
        "self": { "href": "/gameinvitations" }, 
        "next": { "href": "/gameinvitations?page=2" }, 
        "find": { 
          "href": "/gameinvitations{?Id}", 
          "templated": "true" 
        } 
      }, 
      "_embedded": { 
        "gameinvitations": [ 
          { 
            "_links": { 
              "self": { "href": "/gameinvitations/f1eaf6ac-c998-40da-
                8eb5-198eaa2cc96f" }, 
              "confirm": { "href": "/gameinvitations/f1eaf6ac-c998-
                40da-8eb5-198eaa2cc96f/confirm" } 
            }, 
            "isConfirmed": "false", 
            "confirmDate": "null", 
            "emailTo": { 
              "self": { "href": "/user/1" } 
            }, 
            "invitedBy": { "self": ""{"href":"/user/2"}" } 
          } 
        ] 
      } 
    } 

HATEOAS provides some powerful features, all of which allow us to evolve components independently. Clients can be completely decoupled from the business workflows running on the server, which manage interaction by using links and other hypermedia artifacts, such as forms.

Whatever style you use, whether that be RPC, RESTful, or HATEOAS, according to what works best for what scenario and however elegant it is as a solution, it won't be very useful unless your APIs are secure. In the next section, you'll learn about the basics of security for your web APIs.