What is an API? Five Things You Need to Know

APIs are the primary means by which applications, firmware and online processes share data. They make life easier for developers and underpin many of the services we rely on every day, from social networks to online banks.

What is an API?

An API or Application Programming Interface sets out the kind of demands that one system can make of another. This includes the format in which those demands should be made. It could, for example, be used to determine how a human resources platform puts in a request for salary data from an accounting system. Equally, it could control how wearables share workout data with smartphones or writes it to the cloud.

How API’s make easy work of integrations

Unless they’re produced by the same developer, there’s no reason why any two systems should be coded to be compatible. But by making various data points accessible in response to an API call, the accounting system in our above example can surface tagged but otherwise plain-language data for use in third-party processes without itself understanding how those processes work.

This saves the developers of either system coding import or export tools for every conceivable third-party service. Instead, they can focus on optimising their own platform. An API allows developers to expose a subset of their data and leave third parties to work out how they want to use it.

“It can be helpful to think of the API as a way for different apps to talk to one another,” says Mailchimp. But it’s equally important to remember that these ‘apps’ aren’t restricted to traditional software. APIs can also be used to interrogate hardware to return. For example, the state of an IoT device, whether a Wi-Fi-connected lightbulb is on or off or the temperature detected by a thermostat.

According to the Kafka website, 80% of all Fortune 100 companies use Kafka. One of the biggest reasons for this is that it fits in well with mission-critical applications that require the use of APIs in cloud agnostic environments. Find out how in this free download.

What is an API key?

Some data is sensitive. Other data is valuable. Systems that provide an API interface frequently want to restrict access in such scenarios to either authorised or paying users. There are several means by which they can do this, including passwords and filtering on attributes like location or a device’s MAC address. However, using an API key is among the most common.

“An API key can act as a secret authentication token as well as a unique identifier,” notes Last Call. “Typically, the key will come with a set of access rights for the API that it is associated with.”

How API keys restrict access

A key is a unique code that identifies a particular project or application, which must be supplied as part of the API call. Doing so allows the service to track which user or which process is accessing the API interface, so it can detect and prevent abuse, or accurately bill for its data.

For example, a weather service that makes its data available via an API may have implemented a tiered pricing structure. A free tier allowing one call every hour, two paid tiers allowing one call every minute and an unlimited number of calls. By assigning API keys to its subscribers the weather provider can cap the number of valid updates provided in each instance in accordance with the subscriber’s chosen tier.

Why API keys aren’t used specifically for security

API keys are not a security tool in their own right. A subscriber in our example weather service’s ‘unlimited’ plan, could share her key with a non-paying user. The non-paying user would enjoy the same benefits unless the weather service itself had implemented additional validation and security protocols. Keys are therefore best thought of as a means of tracking resource use and, if applicable, using this to administer a granular pricing model.

What is an API call?

An API call is a line of code that bundles the API key (if applicable) with the location of the data the project wants to retrieve and any applicable variables. It can look much like a web address, as used in a browser.

The structure of an API call

The call itself consists of several parts. The most important is the endpoint. This is the location of the resource being requested, plus any relevant variables like the key and the fields required. If properly structured, this will be sufficient for the API gateway to return a human-readable, tagged array drawn from the API owner’s data.

How API calls can be used

APIs can also be used to send data, as well as retrieve it, in which case the variables that comprise the API call will be received by the API gateway and handed off to an internal system for storage or manipulation. As well as the endpoint, an API call may therefore specify:

• whether it is a request for data
• a submission of new data
• an amendment to data already in place.

What is an API gateway?

The first device to encounter an incoming API call is the API gateway which, as described by RedHat, “sits between a client and a collection of backend services”. It interprets the contents of the call, identifies the resources required to satisfy it, and delivers a response. This response could be a batch of data, a confirmation that incoming data has been received or an error message. API errors can occur if the limits of an API key have been exceeded or the user is not authorised amongst other scenarios.

How does an API Gateway work?

The gateway acts as a junction between external user calls and the internal system of the API owner. It, therefore, provides a consistent interface and a predictable endpoint for external users, even if the back end, which manages the data being requested or written, changes over time. This gives developers the ability to maintain their core services in whichever manner best fits their operating model. Thus, updated documentation need only be provided to end-users if the parameters expected by the gateway change.

What is API testing?

It’s important to ensure that every part of a system is thoroughly tested and verified, and that ongoing changes are subjected to similar scrutiny. This is as true for an API as it is for the visible interface and the hidden back-end. Without adequate testing, there’s no certainty that requests will be correctly answered. Additionally, incoming data received by the API may not be accurately parsed and acted upon.

As explained by SmartBear, API testing “generally consists of… requests to a single or sometimes multiple API endpoints [to] validate the response” and emphasizes “testing of business logic, data responses and security, and performance bottlenecks”.

These latter points are particularly pertinent. Even if the data handling is accurate, undetected performance issues could cause a service to loop or stall as they consume excessive resources in responding to a call. This can put all internal and external processes that rely on an API at risk.