HATEOAS

HATEOAS, short for Hypermedia as the Engine of Application State, is one of the defining constraints of the REST architectural style as described by Roy Fielding in Chapter 5 of his 2000 dissertation. It is the fourth and most distinctive part of REST’s uniform interface, which Fielding lists as “identification of resources; manipulation of resources through representations; self-descriptive messages; and, hypermedia as the engine of application state.”

The idea is that a client should interact with an application entirely through links and controls supplied dynamically in the server’s responses, rather than through endpoint structures hard-coded into the client. Fielding frames the application as a state machine: “The model application is therefore an engine that moves from one state to the next by examining and choosing from among the alternative state transitions in the current set of representations.” Each representation a client receives contains the hypermedia that tells it which actions are now possible, so the server can change its URL structure and workflows without breaking clients.

Because the control state lives in the representations rather than on the server, HATEOAS reinforces REST’s statelessness and improves scalability and evolvability. Fielding writes that “REST concentrates all of the control state into the representations received in response to interactions,” meaning a client follows links the way a person follows hyperlinks on a web page, with the server guiding the journey one response at a time.

In 2008, Fielding revisited the constraint in a widely cited blog post, “REST APIs must be hypertext-driven,” responding to the many HTTP interfaces being labeled REST that did not satisfy it. He stated bluntly that “if the engine of application state (and hence the API) is not being driven by hypertext, then it cannot be RESTful and cannot be a REST API,” and defined hypertext as “the simultaneous presentation of information and controls such that the information becomes the affordance through which the user (or automaton) obtains choices and selects actions.”

In practice, HATEOAS is the least consistently implemented of REST’s constraints. Many APIs that call themselves RESTful are closer to remote procedure calls over HTTP, with clients constructing URLs from out-of-band documentation rather than following hypermedia links. Standards such as HAL, JSON:API, and Siren emerged to make hypermedia controls easier to express in JSON, but the gap between Fielding’s formal definition and everyday API design remains one of the enduring debates in web integration.
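The state-machine behaviour described above can be seen in a small simulation, added here as an illustration and not taken from Fielding or any of the standards named. It assumes HAL-style `_links` objects; the `OrderServer` class, the order resource, the URL layouts and the `order`, `payment` and `cancel` relation names are all constructed for the example.

```python
# Constructed toy server: URLs are opaque to the client and vary by layout.
class OrderServer:
    def __init__(self, prefix):
        self.prefix = prefix      # server-chosen URL layout (assumption)
        self.state = "unpaid"     # resource state held by the server

    def _order(self):
        links = {"self": {"href": f"{self.prefix}/42"}}
        # Only transitions valid in the current state are advertised.
        if self.state == "unpaid":
            links["payment"] = {"href": f"{self.prefix}/42/pay"}
            links["cancel"] = {"href": f"{self.prefix}/42/cancel"}
        return {"status": self.state, "_links": links}

    def request(self, method, url):
        if (method, url) == ("GET", "/"):
            return {"_links": {"order": {"href": f"{self.prefix}/42"}}}
        if (method, url) == ("GET", f"{self.prefix}/42"):
            return self._order()
        transitions = {f"{self.prefix}/42/pay": "paid",
                       f"{self.prefix}/42/cancel": "cancelled"}
        # The server checks the state itself; hiding a link is not enforcement.
        if method == "POST" and url in transitions and self.state == "unpaid":
            self.state = transitions[url]
            return self._order()
        raise LookupError(f"{method} {url} not allowed")


def follow(server, doc, rel, method="GET"):
    """Follow a link relation from the current representation, or return None."""
    link = doc["_links"].get(rel)
    return server.request(method, link["href"]) if link else None


def pay_order(server):
    """The client knows only the entry point "/" and the relation names."""
    root = server.request("GET", "/")
    order = follow(server, root, "order")
    paid = follow(server, order, "payment", "POST")
    again = follow(server, paid, "payment", "POST")  # link no longer offered
    return paid["status"], sorted(paid["_links"]), again
```

The same `pay_order` client works against `OrderServer("/orders")` and `OrderServer("/v2/shop/o")`, while a client that had hard-coded `/orders/42/pay` fails against the second layout.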