--- title: HTTP vs WebSockets, API Gateway Stages, and Versioning Strategies That Survive Deprecation description: API Gateway REST APIs cap integration timeouts at 29 seconds; WebSocket APIs bill per message and connection minutes—your May 2026 API design should bake those numbers into SLO tables before picking protocols. url: https://www.factualminds.com/blog/aws-http-websocket-api-versioning/ datePublished: 2026-05-08T00:00:00.000Z dateModified: 2026-05-08T00:00:00.000Z author: palaniappan-p category: Cloud Architecture tags: aws-api-gateway, websockets, rest-api, aws-appsync, api-design --- # HTTP vs WebSockets, API Gateway Stages, and Versioning Strategies That Survive Deprecation > API Gateway REST APIs cap integration timeouts at 29 seconds; WebSocket APIs bill per message and connection minutes—your May 2026 API design should bake those numbers into SLO tables before picking protocols. On **May 8, 2026**, **Amazon API Gateway** still differentiates **REST**, **HTTP**, and **WebSocket** APIs with different billing and timeout surfaces. The number that still shocks architecture reviews: **REST APIs integrate with a maximum 29-second timeout** for many synchronous integrations—long-running work must go [async](/blog/aws-event-driven-async-messaging-boundaries/) or move execution to a service that tolerates longer compute windows with different controls. For pattern coverage beyond this note, see our existing [API Gateway REST/HTTP/WebSocket patterns](/blog/aws-api-gateway-patterns-rest-http-websocket/) article; this field note focuses on **decision tension** and **versioning that survives deprecation**. > **Reproduce this** — Versioning checklist template: [`examples/architecture-blog-2026/api-design/versioning-conventions.md`](https://www.factualminds.com/examples/architecture-blog-2026/api-design/versioning-conventions.md) ## HTTP (request/response) when it wins Default for CRUD JSON, cache-friendly GETs, and stateless authentication (JWT/OAuth). Pair with: - **AWS WAF** on regional APIs or CloudFront distributions ([WAF beyond basics](/blog/how-to-configure-aws-waf-api-protection-beyond-basics/)). - **IAM/authorizers** aligned to least privilege ([IAM best practices](/blog/aws-iam-best-practices-least-privilege-access-control/)). ## WebSockets when they win Choose WebSockets when: - The server must **push** many small updates (tick data, collaborative editing). - You accept **stateful connection** troubleshooting (stale connections, proxy idle timeouts). Costs accrue per **message** and **connection-minute**—model them before broadcasting chat-scale fan-out. Avoid WebSockets when mobile networks and corporate proxies make long-lived ports flaky without a fallback polling path. ## AppSync (GraphQL + subscriptions) When your clients need flexible reads and **subscription** channels with managed auth integration, **AWS AppSync** often beats hand-rolled GraphQL on Lambda—evaluate resolver heat and caching separately from REST gateway pricing. ## Versioning strategies (opinionated) Pick one _primary_ signal: 1. **URL prefix** (`/v2026-05/...`) — blunt, CDN-friendly, easy WAF paths. 2. **Header contract** (`Accept` vendor MIME) — avoids URL churn; demands consistent observability tags. 3. **Stage-based** (`prod`, `canary`) — operational, not semantic versioning alone—pair with semantic headers or URLs so customers know what they parse. > **Opinionated take** — Public third-party APIs should ship **URL major versions** _and_ publish **Sunset** headers ([RFC 8594](https://www.rfc-editor.org/rfc/rfc8594)) even if you love headers internally. External developers grep paths, not MIME types, at 2 AM. ## What broke: the “silent deprecation” An internal team deleted a **stage** believing it unused. Mobile clients still referenced the stage URL embedded in a legacy binary. Error budgets burned before anyone correlated **403/404** spikes with an infrastructure changefront. Fix: **deprecation registers** + synthetic clients + minimum **N+2 release** overlap before decommission. For service decomposition context, contrast with [microservices vs monolith on AWS](/blog/microservices-vs-monolith-on-aws-architecture-decision-guide/). ## What This Post Doesn’t Cover - **VPC Lattice** service networking vs API Gateway—different abstraction (service mesh vs edge HTTP). - **Istio/Envoy** on EKS — see service mesh articles if east-west mTLS dominates. ## If You Only Do One Thing Attach **per-route CloudWatch metrics** (4xx/5xx, integration latency) to **the same dashboard** as **client release versions** parsed from headers you already log. ## What to Do This Week 1. Inventory all `execute-api` stage URLs in mobile binaries and partner PDFs; anything not in Terraform gets a ticket. 2. Confirm every >10s synchronous integration has an **SQS/Step Functions** exit before API Gateway timeout cliffs. 3. Add WAF rate-based rules to public WebSocket **$connect** routes if you have not already—credential stuffing loves connect storms. When ingress tuning intersects Lambda cold paths, cross-read [ingress and cold-start field notes](/blog/aws-ingress-scale-and-cold-start/). ## FAQ ### When should we avoid WebSockets on API Gateway? When traffic is mostly cacheable request/response, when clients cannot maintain long-lived connections (corporate proxies), or when ops cannot afford connection-state debugging at scale. Server-Sent Events or plain HTTP/2 multiplexing sometimes cover “push” requirements with simpler infrastructure. ### What versioning style hurts caching the most? Pure header-only versioning without stable URLs complicates edge caching and WAF rule expression unless you standardize on `Accept`/`Content-Type` conventions everywhere. If CloudFront caches responses, prefer URL prefixes or agreed cache keys that include the version signal. ### Is AppSync always better than API Gateway for GraphQL? No—AppSync shines when subscriptions, auth integrations, and managed resolvers match your access patterns. If you only expose REST and rarely need GraphQL, API Gateway HTTP APIs keep the surface smaller. Pick after measuring resolver complexity and authZ story, not banner color. ### What breaks canary deployments on API Gateway? Clients hardcode stage URLs without traffic shifting awareness; Lambda provisioned concurrency mismatches between canary and production aliases; IAM policies scoped to old stage ARNs after cutover. Treat stages as infrastructure with the same Terraform discipline as databases. ### Why do microservices multiply versioning pain? Each service exposes its own lifecycle. Central gateway or BFF layers help only when you invest in schema governance—see microservices vs monolith trade-offs for AWS. --- *Source: https://www.factualminds.com/blog/aws-http-websocket-api-versioning/*