An application programming interface (API) is a way for one piece of software to use the functions of another piece of software.
An application programming interface (API) is a set of rules that enables a software program to transmit data to another software program.
APIs enable developers to avoid redundant work; instead of building and rebuilding existing application functions, developers can incorporate existing ones into their new applications by formatting requests as the API requires.
An API is an “interface,” meaning a way for one thing to interact with another. As a real-world example, an ATM has an interface — a screen and several buttons — allowing customers to interact with their bank and request services like cash. Similarly, an API is how one piece of software interacts with another program to obtain needed services.
Imagine Jennifer builds a website that helps commuters check highway traffic before they leave for work. Jennifer could spend much time and money setting up a complex highway tracking system to provide this information to her website’s users. But these capabilities already exist, as outside parties have created such systems. Instead of reinventing the wheel this way, Jennifer’s website uses an API offered by an external highway tracking service. Now Jennifer can focus on building other aspects of the website.
What is an API call?
An API call, also known as an API request, is a message directed at an API that triggers the API’s use. Referring to the example, Jennifer constructs her website so that when it loads, it automatically generates an API call to the highway tracking service. The response comes back to the website from that service and enables it to display the latest highway traffic information.
API calls have to be formatted following the API’s requirements to work. The API’s requirements are called its “schema.” The schema also describes the types of responses to each request.
Suppose a commuter uses Jennifer’s website to check traffic on Highway 192. The website sends an API call to provide this information — a message that reads “Highway 192.” The highway tracking service’s API server receives this message and replies with travel times on Highway 192. Imagine the API’s schema in this way:
| API request | API response |
|---|---|
| “Highway 192” | Travel times on Highway 192 |
| “Highway 217” | Travel times on Highway 217 |
| “Highway 225” | Travel times on Highway 225 |
(This is a simplified example — real-world API requests, responses, and schemas are more complex.)
Suppose Jennifer’s website sends an API request for “Highway ASDFGHJ.” This is not a valid request because it does not conform to the API’s schema, which only allows for actual names of highways. The server cannot provide a usable response to such a request.
What is an API endpoint?
An endpoint is the end of a communications channel. An API endpoint is the place where an API response originates from.
In the example, the client of the API connection is Jennifer’s website, and the endpoint is the server that hosts the API. Jennifer’s API calls have to go to a particular URL (a URL is a web address, like www.cloudflare.com/learning) that the API server is responsible for to get a response.
What is API integration?
API integration is the combination of two or more applications using APIs. API integration enables one application to benefit from the capabilities of another application, just as combining a sales team and a marketing team in one office enables those two teams to work together and benefit from each other’s efforts. API integrations are also commonly used to synchronize data between two applications or databases.
What is a web API?
Anything that involves computer code can have an API, from operating systems to software libraries. A web API is specifically for use by web applications that are accessed over the Internet.
Web APIs are incredibly important for the modern Internet. Almost all user-facing applications rely on APIs to function (not just Jennifer’s website!). Entire software development philosophies rely on using APIs — one such philosophy is JAMstack, with JAM standing for JavaScript, APIs, and markup. Another example is microservices architecture, which uses APIs to call the different functions that make up an application. Even applications built without these approaches usually rely on APIs.
What are SOAP APIs and REST APIs?
SOAP APIs and REST APIs describe different categories of APIs.
SOAP (Simple Object Access Protocol) is a type of protocol. SOAP APIs are APIs that only use the SOAP protocol.
REST (Representational State Transfer) is an architectural style for web services. A REST API is any API built using REST architecture. Unlike SOAP APIs, REST APIs work with any protocol. Most APIs today are REST APIs.
Do APIs introduce security risks?
Just as allowing a person to use an application introduces the risk that the person will abuse the application, an API introduces the risk that an API client will abuse the service. Additionally, web API calls travel over the Internet and can be intercepted, spoofed, or modified just like any other data transfer over a network.
API security is the practice of protecting APIs from attacks and abuse. Given the importance of APIs to the modern Internet, API security is a core component of web application security. Crucial API security measures include:
- Rate limiting: Clients who make too many API requests can slow down or crash the API for other clients. Rate limiting limits how many API requests can come from a given API endpoint within a specific timeframe.
- DDoS protection: Like rate limiting, distributed denial-of-service (DDoS) protection stops DDoS attacks, which aim to exhaust or overwhelm an API with many requests sent simultaneously.
- Authentication: It is vital to authenticate API endpoints and clients to ensure that API requests come from legitimate sources, not attackers. Mutual TLS (mTLS) is one of the most effective forms of API authentication.
- Schema validation: If an API request does not conform to the API’s schema, the API may react unexpectedly — by revealing confidential data, for instance. Schema validation enables an API to drop such requests.
