REST API and RESTful Services: What You Need to Know

Of the various API standards on offer, REST has become the dominant option, thanks to its compact nature and how easy it is to work with the data it delivers.

What is an API?

APIs are essential to unlocking the value of data. They sit between two systems, one of which holds data, the other of which wants to use it. The API is the standard by which they communicate.

Without an API – which consists of a well-documented gateway that receives incoming requests, gathers the necessary resources to satisfy those requests, and responds – external developers would need to have intimate knowledge of every system with which they wanted to interact. This would not only be an insupportable burden: it could also be a security risk for those that hold valuable data, as they’d need to lay bare the inner workings of their systems.

Providing an API means no external process will ever be able to directly interact with data it doesn’t own – or with the system that hosts it. Further, those that do own the data remain free to continue developing their own systems without considering the impact this will have on external users. So long as their work doesn’t break the connection with their own API gateway, which is the interface that receives and interprets calls from the outside world, they only need concern themselves with satisfying their own business needs.

As Codeacademy explains, using an API “means that the code on the client side can be changed at any time without affecting the operation of the server, and the code on the server side can be changed without affecting the operation of the client.”

APIs have got smarter over time and, in the process, they’ve become the primary means by which disparate systems overcome incompatibilities. APIs are used to post updates to social media, share data between wearables and smartphones or, at the enterprise level, share financial, medical and other business data.

However, while data ‘owners’ can define the underpinnings of their published API according to their own needs, it’s important that they use established standards so that each interaction is predictable.

One of the earliest standards was SOAP – Simple Object Access Protocol – which remains in use today as a process for exchanging tagged data. It’s also widely used in messaging and email. However, the data parsed by SOAP can only be formatted as XML, and can be bulky, as it is surrounded by a lot of supplementary information. An alternative, REST, was developed in part to address these issues.

According to the Kafka website, 80% of all Fortune 100 companies use Kafka. One of the biggest reasons for this is that it fits in well with mission-critical applications that require the use of APIs in cloud agnostic environments. Find out how in this free download.

What is REST API?

REST – Representational State Transfer – was developed with scalability in mind, allows data to be cached, can handle a wider variety of data types and has multiple characteristics that simplify its use. For example, with REST, data is separated from any presentational information so its use can more easily be determined by the system that requested it. As Oracle explains: “Resources are decoupled from their representation so that their content can be accessed in a variety of formats, such as HTML, XML, plain text, PDF, JPEG, JSON, and others.”

Moreover, data handling requests (called ‘calls’) are complete in their own right and contain everything the API gateway needs to know to deliver a valid response. As such, they don’t rely on preceding requests having ‘warned’ the gateway to access a particular resource or get into a particular ‘state’ in preparation for an incoming read or write operation. This adds a high degree of certainty to any process built around a REST API, as it can reasonably be expected to deliver a valid response time after time.

Because the data that a REST API passes is more compact than the XML on which SOAP relies, it is ideal for use in mobile applications, and, because REST is ‘stateless’, requests can be retried again and again if they fail in the first instance.

A range of options is available for securing both REST and SOAP transactions which, when used appropriately, will adequately protect data in transit. Security should be baked in at the application design stage and, says Roy Fielding at Restful API, when using REST, “authentication/authorization should not depend on cookies or sessions. Instead, each API request should come with some sort authentication credentials which must be validated on the server for every request.”

“The first step in securing an API is to ensure that you only accept queries sent over a secure channel, like TLS (formerly known as SSL),” explains Les Hazlewood at Okta. “Communicating with a TLS certificate protects all access credentials and API data in transit using end-to-end encryption.”

API keys, which are commonly applied, don’t satisfy the need for robust security when handling sensitive data. While they’re good for monitoring resource usage, they can be shared – with or without permission – potentially allowing the data to spread further than intended.

More effective solutions include non-sequential unique user IDs, passwords, and tokens, which can be set to expire. These can be combined with geographic restrictions and IP address filtering to further reduce the likelihood of unauthorized access.

What is a RESTful service?

Any service that uses REST is considered RESTful. As Opensource.com explains, RESTful services “dominate in popular sites such as eBay, Facebook, and Twitter” as they “build upon existing infrastructure and protocols… are language and platform neutral” and are well supported.

RESTful services request or post resources directly, in much the same way that a browser can directly access web pages, images, videos, text files and more using a combination of domains, folders, filenames and variables. However, a RESTful service, while commonly deployed to the web, isn’t restricted to that realm. It can equally be used to access data generated by IoT and Smart Home appliances. As this device space grows, REST looks set to become more important than ever.