API Calls Exercises in R: 17 Real-World Practice Problems

ex_1_1 <- request("https://jsonplaceholder.typicode.com/posts/1")
ex_1_1
#> <httr2_request>
#> GET https://jsonplaceholder.typicode.com/posts/1
#> Body: empty

Explanation: request() builds a lazy request object: no network traffic happens until you call req_perform() on it. This separation lets you compose, inspect, and unit-test requests safely. The printed representation shows method (default GET), URL, and body status, which is the fastest way to confirm you assembled the request correctly before sending it. The same object can be modified later with req_url_path_append() or req_method() rather than building a new request from scratch.

ex_1_2 <- request("https://jsonplaceholder.typicode.com/posts/1") |>
  req_user_agent("r-statistics-tutorial/1.0 (selva@example.com)")
ex_1_2
#> <httr2_request>
#> GET https://jsonplaceholder.typicode.com/posts/1
#> Headers:
#> * User-Agent: 'r-statistics-tutorial/1.0 (selva@example.com)'
#> Body: empty

Explanation: A descriptive User-Agent is the polite-internet default: it tells the server who is calling so the operator can contact you if your script misbehaves. req_user_agent() is a thin wrapper around req_headers() that targets the User-Agent slot specifically, so subsequent req_headers() calls do not overwrite it accidentally. Generic agents like the default httr2/x.y.z libcurl/... are commonly throttled or 403'd by anti-bot middleware, so set this once at the top of your script.

ex_1_3 <- request("https://api.agify.io") |>
  req_url_query(name = "selva", country_id = "IN")

ex_1_3 |> req_dry_run()
#> GET /?name=selva&country_id=IN HTTP/1.1
#> host: api.agify.io
#> user-agent: httr2/1.0.0 r-curl/5.2.0 libcurl/8.4.0
#> accept: */*
#> accept-encoding: deflate, gzip

Explanation: req_url_query() is preferable to hand-building a query string because it URL-encodes values for you (spaces, ampersands, unicode) and de-duplicates keys. req_dry_run() prints the exact HTTP message that would be sent without performing the request, which is invaluable when debugging mysterious 400 responses or auth failures. The header user-agent in your output may differ depending on installed httr2 and curl versions; only the request line and host need to match.

ex_1_4 <- request("https://httpbin.org/anything") |>
  req_method("POST") |>
  req_body_json(list(team = "data", priority = 1))
ex_1_4
#> <httr2_request>
#> POST https://httpbin.org/anything
#> Body: json encoded data

Explanation: req_body_json() does two jobs at once: it serializes the R list to JSON with jsonlite::toJSON() AND sets the Content-Type: application/json header. If you skip the latter, many APIs will silently reject the body or treat it as form data. Note that calling req_body_json() also implicitly sets the method to POST, so the explicit req_method("POST") here is redundant but documentary. Use req_dry_run() to see the serialized JSON in the body.

resp <- request("https://jsonplaceholder.typicode.com/posts/1") |>
  req_perform()

parsed <- resp |> resp_body_json()
ex_2_1 <- parsed$title
ex_2_1
#> [1] "sunt aut facere repellat provident occaecati excepturi optio reprehenderit"

Explanation: req_perform() is the verb that finally sends bytes over the network and returns an httr2_response object. resp_body_json() parses the body as JSON using jsonlite under the hood and returns a nested R list (not a tibble) by default, because JSON is fundamentally heterogeneous. To get a data frame for arrays of records, pass simplifyVector = TRUE or use jsonlite::fromJSON() on resp_body_string(). Pulling a single field is just list extraction.

resp <- request("https://jsonplaceholder.typicode.com/posts") |>
  req_url_query(userId = 1) |>
  req_perform()

ex_2_2 <- resp |>
  resp_body_string() |>
  fromJSON() |>
  as_tibble()
ex_2_2
#> # A tibble: 10 x 4
#>   userId    id title                                                       body
#>    <int> <int> <chr>                                                       <chr>
#> 1      1     1 sunt aut facere repellat provident occaecati excepturi opt~ quia~
#> 2      1     2 qui est esse                                                est ~
#> ...

Explanation: resp_body_json() returns a list-of-lists for an array; jsonlite::fromJSON() on the raw string auto-simplifies a JSON array of flat objects into a data frame in one shot, which is usually what you want for "table-shaped" responses. If the records had nested objects (e.g., address with sub-fields), you would call fromJSON(..., flatten = TRUE) or use tidyr::unnest_wider() on the list-column. Always inspect with glimpse() before assuming column types.

ex_2_3 <- fromJSON(nested_json, flatten = TRUE) |>
  as_tibble() |>
  select(id, name, address.city, company.name)
ex_2_3
#> # A tibble: 3 x 4
#>      id name        address.city  company.name
#>   <int> <chr>       <chr>         <chr>
#> 1     1 Leanne      Gwenborough   Romaguera-Crona
#> 2     2 Ervin       Wisokyburgh   Deckow-Crist
#> 3     3 Clementine  McKenziehaven Romaguera-Jacobson

Explanation: flatten = TRUE collapses nested objects into dotted column names (address.city), which keeps the result rectangular and dplyr-friendly. Without flatten, you would get list-columns for address and company that need a second pass with tidyr::unnest_wider(). The dotted names contain periods, so wrap them in backticks if you need to reference them in mutate() or filter(). For deeply nested or irregular JSON, prefer tibblify or stepwise unnest_* over a single flat dump.

resp <- request("https://jsonplaceholder.typicode.com/posts/1") |>
  req_perform()

ex_2_4 <- list(
  status       = resp_status(resp),
  content_type = resp_content_type(resp),
  server       = resp_header(resp, "server")
)
ex_2_4
#> $status
#> [1] 200
#> $content_type
#> [1] "application/json"
#> $server
#> [1] "cloudflare"

Explanation: Treat the response metadata as first-class data: status code drives retry logic, content type tells you which parser to call (resp_body_json() vs resp_body_html() vs resp_body_raw()), and headers carry rate-limit, caching, and pagination hints. resp_header() is case-insensitive on header names per RFC 7230, so "Server" and "server" both work. By default httr2 raises an error on 4xx/5xx; if you need to inspect failures without throwing, wrap req_perform() in req_error(is_error = ~ FALSE).

payload <- list(name = "Selva", role = "instructor", years = 12)

resp <- request("https://httpbin.org/post") |>
  req_body_json(payload) |>
  req_perform()

ex_3_1 <- resp |> resp_body_json() |> _$json
ex_3_1
#> $name
#> [1] "Selva"
#> $role
#> [1] "instructor"
#> $years
#> [1] 12

Explanation: httpbin.org/post is a reflection endpoint: it returns a JSON object containing what you sent. The json element is parsed from your raw body, which is the cleanest way to confirm req_body_json() serialized your list as intended (numeric stayed numeric, strings stayed strings, no accidental array-wrapping of scalars). The new pipe placeholder _$json is a 4.2+ idiom; on older R use [["json"]] after the pipe or store the parsed body first.

resp <- request("https://httpbin.org/post") |>
  req_body_form(username = "selva", topic = "httr2") |>
  req_perform()

ex_3_2 <- resp |>
  resp_body_json() |>
  pluck("form") |>
  as_tibble()
ex_3_2
#> # A tibble: 1 x 2
#>   topic username
#>   <chr> <chr>
#> 1 httr2 selva

Explanation: req_body_form() sets Content-Type: application/x-www-form-urlencoded and URL-encodes the values for you. This is the body format that traditional HTML form submissions and many SOAP-era REST endpoints expect; if you send JSON instead, the server will not parse the fields and they will appear in data rather than form. purrr::pluck() is a safe deep-extract that returns NULL rather than erroring on a missing element, which makes it a safer pick than $ chains.

resp <- request("https://jsonplaceholder.typicode.com/posts/7") |>
  req_method("DELETE") |>
  req_perform()

ex_3_3 <- resp_status(resp)
ex_3_3
#> [1] 200

Explanation: REST conventions allow DELETE to return 200 OK (with a body), 202 Accepted (queued), or 204 No Content (success, empty body); a robust client treats any 2xx as success. jsonplaceholder returns 200 with an empty JSON body for DELETE, which is convenient for sandboxes but uncommon in production. Always assert on the status range rather than equality: status >= 200 && status < 300. If the server returns 4xx, httr2 raises by default so this code never reaches the status check on failure.

token <- Sys.getenv("GITHUB_PAT", unset = "demo-token")

ex_4_1 <- request("https://api.github.com/user") |>
  req_auth_bearer_token(token)

ex_4_1 |> req_dry_run()
#> GET /user HTTP/1.1
#> host: api.github.com
#> user-agent: httr2/1.0.0 r-curl/5.2.0 libcurl/8.4.0
#> accept: */*
#> accept-encoding: deflate, gzip
#> authorization: Bearer demo-token

Explanation: req_auth_bearer_token() formats the header as Authorization: Bearer <token>, matching the OAuth 2.0 bearer-token spec used by GitHub, Stripe, Slack, and most modern APIs. The token is automatically redacted by httr2's logging, so it will not appear in last_response()$cache$status traces. Keeping tokens in .Renviron (gitignored) means Sys.getenv() works in CI, on your laptop, and inside Docker without touching code, which satisfies the "never commit secrets" rule auditors check first.

resp <- request("https://httpbin.org/basic-auth/selva/letmein") |>
  req_auth_basic("selva", "letmein") |>
  req_perform()

ex_4_2 <- resp |> resp_body_json() |> pluck("user")
ex_4_2
#> [1] "selva"

Explanation: Basic auth base64-encodes username:password into the Authorization: Basic <b64> header. It is NOT encryption, so basic auth is only safe over HTTPS. httpbin.org/basic-auth/<u>/<p> returns 200 with {"authenticated": true, "user": "<u>"} when the credentials match, and 401 otherwise (httr2 raises on the 401). Modern internal services have largely moved to bearer tokens or mTLS; if you maintain basic-auth integrations, document them as legacy and migrate when feasible.

key <- Sys.getenv("NEWS_API_KEY", unset = "demo-key")

ex_4_3 <- request("https://api.example.com/news") |>
  req_url_query(apikey = key, .redact = "apikey")
ex_4_3
#> <httr2_request>
#> GET https://api.example.com/news?apikey=<REDACTED>
#> Body: empty

Explanation: The .redact argument tells httr2 to mask the named parameter whenever the request is printed, dry-run, or written to a log via req_verbose(). The real value still travels on the wire, but it will not leak into terminal screenshots, knitr documents, or shared .R history files. Always prefer header-based auth (Bearer, Basic) when the API supports it; query-string keys end up in proxy logs, browser history, and Referer headers. If you must use query keys, redact + rotate them on a schedule.

resp <- request("https://httpbin.org/status/200") |>
  req_retry(max_tries = 3, backoff = ~ 2) |>
  req_perform()

ex_5_1 <- resp_status(resp)
ex_5_1
#> [1] 200

Explanation: req_retry() only retries on transient failures by default: 5xx responses and curl-level network errors. It honors the server's Retry-After header automatically, which is the right default for rate-limited APIs (Stripe, GitHub). The backoff argument accepts a function or a one-sided formula of attempt; ~ 2 means a constant 2-second wait, while ~ 2 ^ .x gives exponential backoff (2, 4, 8 seconds). Never set max_tries higher than 5: if 5 retries do not succeed, the upstream is genuinely down and your job should fail loudly so on-call gets paged.

req <- request("https://api.agify.io") |>
  req_url_query(name = "selva") |>
  req_throttle(rate = 10 / 60)

ex_5_2 <- replicate(3, resp_status(req_perform(req)))
ex_5_2
#> [1] 200 200 200

Explanation: req_throttle() enforces a maximum request rate across all uses of a given realm (default: the URL host), sleeping inside req_perform() if you would otherwise exceed it. Expressing the rate as 10 / 60 makes the unit explicit (10 per 60 seconds). The throttle persists across calls within the same R session, which means a loop of req_perform() is automatically rate-limit-safe without you writing Sys.sleep() glue. Combine with req_retry() to handle 429 responses gracefully if you do hit the cap.

req <- request("https://jsonplaceholder.typicode.com/posts") |>
  req_url_query(`_limit` = 30)

resps <- req_perform_iterative(
  req,
  next_req = iterate_with_offset("_page", start = 1, offset = 1),
  max_reqs = 4
)

ex_5_3 <- resps |>
  resps_data(\(resp) {
    resp |> resp_body_string() |> fromJSON() |> as_tibble()
  }) |>
  select(id, userId, title)
ex_5_3
#> # A tibble: 100 x 3
#>      id userId title
#>   <int>  <int> <chr>
#> 1     1      1 sunt aut facere repellat provident occaecati excepturi optio re~
#> ...

Explanation: req_perform_iterative() is the idiomatic httr2 pagination helper: it calls a next_req function to derive the next page request from the current response, stopping when the function returns NULL or max_reqs is reached. iterate_with_offset() covers the common ?page=N or ?offset=N pattern; use iterate_with_link_url() for APIs that return a Link header (GitHub, GitLab). Always set max_reqs so a runaway pagination bug cannot exhaust your rate limit; resps_data() collects the parsed bodies into one object via row-binding.