APIs: Unraveled...!!

HarshAditya_Gaur
4 min read · Jan 25, 2023

APIs are constantly working in the background to give you richer digital experiences. Thanks to APIs, we are able to purchase a movie ticket online or find a great deal for a travel plan. Let's unravel the mechanism behind them.

[Image: API request snippet]

API Mechanism: Unravel

What is API?

API stands for “Application Programming Interface”. In simpler terms, an API is an end-to-end software interface: a set of instructions for communication between a client and a server. APIs provide a secure and consistent way for applications to work with each other and deliver the requested information or functionality without user intervention. Only certain parts of the system or service are visible to the end user, while the system’s internal workings are hidden.

Types of APIs

Depending on the kind of API a designer is creating and its intended use, they can select from a variety of protocols and standards when creating a new API. Achieving the desired outcome depends on choosing the right kind of API.

1. Open APIs:

Also known as public or external APIs, these are open to any developer and other users, with fewer restrictions and lighter authentication. They may restrict the assets or data they share, and generally only a limited number of calls can be made per day.

2. Closed APIs:

Also known as private or internal APIs, these are not meant for public use by third parties. They are made available only to a certain group of people within the organization, and are used for product testing and development purposes. They may eventually go public.

3. Partner APIs:

The partner API is a way to facilitate enterprise collaboration and is accessible only to selected and authorised business developers or API users.

4. Composite APIs:

This type of API combines multiple API requests into a single API request, which reduces data usage and decreases the round-trip response time from the server.

Types of API Architectures

The rules for what data an API can exchange with clients, and how it communicates that data, form the architecture of an API. SOAP, REST, GraphQL and RPC are the various architectures available for API creation, but our main focus is on REST and SOAP. Let's dive into more detail.

1. REST

REST stands for Representational State Transfer. It consists of guidelines for scalable, lightweight, and user-friendly APIs. Data is transferred from a server to a client that requests it via a REST API, which adheres to REST standards. It is one of the most widely used industry standards and utilizes JSON to encode information.

2. SOAP

SOAP stands for Simple Object Access Protocol. Its specification is very specific about the format and content requirements for messages. Because of these strict requirements, SOAP APIs are more secure than REST APIs, but they are also generally more difficult to build and require more code. SOAP utilizes XML to encode information.

Structure of APIs

[Image: structure of an API request. Source: Yalantis]

1. Method

An API exposes different kinds of methods, each defining the kind of call made and the response returned. The commonly used methods are GET, POST, PUT, DELETE and PATCH.

2. Endpoint

The endpoint indicates where a particular entry point is located and provides the medium through which it can be accessed via an API call or request.

3. Path

The location or resource that a client is attempting to access or modify through an API is referred to as the path.

4. Parameter

To filter the required information, a user must provide options known as API parameters in the call to the API.

5. Body

When a user creates or updates resources, the POST, PUT, and PATCH methods are typically employed along with an API request body. The resource being created or modified is represented in the request body.

6. Status Codes

This is the response the server generates to indicate whether a specific API call or request was successfully accepted or not. Commonly generated codes include 200 (Successful), 403 (Forbidden), 503 (Service Unavailable), etc.

Types of Status Codes

1xx - The server has acknowledged the request.

2xx - The server has completed the request.

3xx - The server has redirected the request.

4xx - The API request failed due to client error.

5xx - The API request failed due to server error.
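As an added example (not code from the original post), the following Python assembles and decomposes an API call into the parts described above (method, endpoint, path, parameters, body) and maps a status code onto the 1xx to 5xx classes. The host, paths and parameter names are constructed for illustration; the method/body rule (no body on GET or DELETE) is an assumption taken from common REST practice.

```python
# Added example: anatomy of a REST-style API call and status-code classes.
# Endpoint, paths and parameter values below are constructed, not real.
import json
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qsl

STATUS_CLASSES = {
    1: "informational: server has acknowledged the request",
    2: "success: server has completed the request",
    3: "redirection: server has redirected the request",
    4: "client error: request failed due to client error",
    5: "server error: request failed due to server error",
}

def build_request(method, endpoint, path, params=None, body=None):
    """Assemble method, endpoint, path, query parameters and JSON body into one call."""
    method = method.upper()
    if method not in {"GET", "POST", "PUT", "DELETE", "PATCH"}:
        raise ValueError(f"unsupported method {method}")
    # Assumption: only POST/PUT/PATCH carry a resource in the request body.
    if body is not None and method in {"GET", "DELETE"}:
        raise ValueError(f"{method} requests do not carry a body")
    scheme, netloc, base, _, _ = urlsplit(endpoint)
    full_path = base.rstrip("/") + "/" + path.lstrip("/")
    url = urlunsplit((scheme, netloc, full_path, urlencode(params or {}), ""))
    return {"method": method, "url": url,
            "body": None if body is None else json.dumps(body)}

def parse_request(method, url, body=None):
    """Split a call back into its endpoint, path, parameters and decoded body."""
    parts = urlsplit(url)
    return {
        "method": method.upper(),
        "endpoint": f"{parts.scheme}://{parts.netloc}",
        "path": parts.path,
        "params": dict(parse_qsl(parts.query)),
        "body": None if body is None else json.loads(body),
    }

def classify_status(code):
    """Map a numeric status code onto the 1xx..5xx class listed above."""
    if not 100 <= code <= 599:
        raise ValueError(f"not an HTTP status code: {code}")
    return STATUS_CLASSES[code // 100]
```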

API Protection

Implementing techniques and practices to reduce API vulnerabilities and security risks is part of API protection. Content validation, access control, monitoring & tracking, and identity-based security are among the security challenges of API Protection.

  • Never expose sensitive information in URLs, such as usernames, passwords, API keys, etc.
  • Perform security analysis to minimize the risk of attacks such as SQL injection, DDoS, MITM, etc.
  • Always use HTTPS to secure your endpoints. This will prevent the loss of API keys, tokens, etc. For more information, check this blog on HTTP vs HTTPS.
  • Add OAuth and timestamp mechanisms for authentication of API requests, to mitigate the chance of brute force.

Thank you, for reading my blog. For any queries, please feel free to comment.
