What is an API (Application Programming Interface)? | Definition from TechTarget (2024)

How do APIs work? APIs are made up of the following two related elements:

• A specification that describes how information is exchanged between programs -- in the form of a request for processing -- and a return of the necessary data.
• A software interface written to that specification and published in some way for use.

This architecture is typically described in client-server terms. The application sending a request is the client, and the application sending the response is the server. The API bridges the connection between them.

The client that wants to access the features and capabilities of the API is said to call it, and the server that creates the API is said to publish it.

APIs authorize and grant access to data that users and other applications request. Access is authenticated to a service or portion of functionality using predefined roles that govern who or what service can access specific actions and data. APIs also provide an audit trail that details who and what had system access and when it happened.

Applications that call APIs were traditionally written in specific programming languages. Web APIs can be called through any programming language, but webpages created in Hypertext Markup Language (HTML) or application generator tools can also access them.

The most common architectures for APIs are Representational State Transfer (REST) and Simple Object Access Protocol (SOAP), which defines a standard communication protocol specification for a message exchange based on Extensible Markup Language or XML. SOAP requires less low-level infrastructure-related code than REST. However, REST APIs are easier to scale and redeploy, and simpler to implement and integrate with websites and services. REST APIs are most often used today, particularly for web interactions.

WebSocket APIs are another form of API. They use JavaScript Object Notation objects to transfer data. WebSocket APIs also provide callback functions to enable two-way communication between clients and servers. These are commonly written in JavaScript, Python, C#, Go, Ruby and other languages.

Remote Procedure Call (RPC) APIs enable clients to call other processes on remote systems as if the process were a local system. RPC APIs are typically written in C++, Java, Python, Go, Ruby and .NET.

Why APIs are important for business

APIs have improved the quality and delivery of software and services. Custom software that was developed for a specific purpose is often written to reference APIs that provide features that are useful in a variety of contexts. This reduces development time, cost and the risk of errors.

The growing number of web services that cloud providers expose through APIs also has encouraged the creation of cloud-specific applications, IoT efforts and apps to support mobile devices and users.

APIs add a digital layer through which a company's data and enterprise assets are presented with requisite governance and security. This approach enhances customer, employee and partner interactions. Greater functionality and scope of services increase the value delivered to users and improve the customer experience.

APIs enable developers to save time creating an application by integrating data, services and other capabilities from other applications, so the developer does not need to create them from scratch. APIs also create new monetization opportunities for businesses, such as the productization of data with customized packages and plans for business partners.

What are the benefits of using APIs?

APIs are a set of rules. They standardize how developers write application code, improving an organization's internal software development processes.

Using the same rules and formats streamlines code, making it more transparent. Standardization also facilitates collaboration among developers as they build software components with the intent to integrate with APIs. This, in turn, facilitates feature development and reduces time to market.

Public APIs and ones shared with partners enable an organization to do the following:

• Securely control and manage how users and systems access data and service functionality.
• Allow third parties to use its data -- even in a limited sense -- which increases a company's brand exposure.
• Grow its customer database and increase its conversion rate by aligning its services with other trusted brands.
• Monetize its APIs so that they become a line of revenue. This is a common tactic for online payment gateways. For example, companies that use PayPal's APIs are willing to pay to use a trusted payment system.
• APIs separate the requesting application from the responding service, providing additional security between client and servers.

Challenges of using APIs

There are also challenges and limitations associated with APIs, including the following:

• API development can be complex and costly to integrate with the systems and data they represent. Certain types of functionality might be better addressed through an approach such as robotic process automation.
• Because they're driven by standardization, APIs are also vulnerable to cyberattacks related to data exposure, user authentication, object-level and function-level authorization, mass assignment and injection attacks.
• APIs are frequently updated, making it difficult to keep API documentation up to date. Proper API lifecycle management and deprecation of old APIs can help mitigate this challenge.
• Compatibility and integration issues, as some APIs use different data formats, can make it difficult to share data, slowing down response times.
• APIs must be tested to ensure they perform as needed. The best approach is to codify testing practices.

Types of APIs

There are four types of APIs:

• Private APIs, or internal APIs, are published internally for use by a company's developers to improve its own products and services. Private APIs aren't exposed to third parties.
• Public APIs, or open APIs, are published publicly for anyone to use. There are no restrictions on these APIs.
• Partner APIs can only be used by specific parties with which a company agrees to share data. These APIs are often used in business relationships to integrate software between partnering companies.
• Composite APIs combine multiple APIs to address related or interdependent tasks. They often improve speed and performance compared with individual APIs.

APIs are also classified based on their scope and nature of interactions.

• Local APIs offer OS or middleware services to applications. Examples of local APIs include Microsoft's .NET APIs, the telephony API for voice applications and database access APIs.
• Web APIs are designed to represent resources such as HTML pages and are accessed using a simple Hypertext Transfer Protocol, or HTTP. Any web URL activates a web API. Web APIs are often called RESTful APIs because the publisher of REST interfaces doesn't save any data internally between requests. As such, requests from many users can be intermingled as they would be on the internet.
• Remote APIs interact through a communication network to manipulate resources outside of the computer making the request. This is a broader category that includes but isn't limited to web APIs. Remote APIs don't need to be designed based on web standards, though many are. The Java Database Connectivity API and the Java Remote Method Invocation API are two examples of remote APIs.
• Program APIs are based on RPC technology that makes a remote program component appear to be local to the rest of the software. Service-oriented architecture (SOA) APIs, such as Microsoft's Web Services series of APIs, are program APIs.

Why API design matters

Good API design is critical for successful API use. Software architects spend considerable time reviewing all the possible applications of an API and the most logical way for it to be used.

The data structures and parameter values are of particular importance, as they must match between the caller of an API and its publisher.

Strong API security is also an important aspect of their design. Exploitation of misconfigured APIs is a common practice for cyber attackers. An API is a gateway that presents an organization's systems and data to internal and external users. Any compromise can create broad and serious security problems.

If an organization is planning to sell its API as a form of monetization, then it's important that it works as intended, so it can get in front of as many people as possible.

How to create an API

Developers must follow these steps to create an API:

1. Planning. Developers define the purpose, scope and functionality of the API. Clear documentation is important to align development efforts with business and user needs. An API specification such as OpenAPI is a standard format that can help provide a blueprint.
2. Building. Developers begin building the API based on previously outlined specifications. This process involves creating architecture, writing code to handle requests and responses and integrating third-party services or back-end systems.
3. Testing. This stage focuses on validating functionality, performance and API security.
4. Documenting. This stage focuses on creating clear explanations of endpoints, request parameters, response formats and error codes. Good documentation helps improve third-party developer user experiences. Documentation should be kept clear and current.
5. Publishing. Developers publish the API to a developer portal or API marketplace where third parties can find and use it. Continuous monitoring and updates help ensure the API continues to be used.
6. Discontinuing. An API is removed from service when its support and development -- including bug fixes -- stop. It might be replaced with a newer version of the API or a new API product.

What are examples of APIs?

Operating systems and middleware tools expose their features through collections of APIs usually called toolkits. Two different sets of tools that support the same API specifications are interchangeable to programmers and are the basis for compatibility and interoperability claims. Microsoft's .NET API specifications are the basis for an open source Linux equivalent middleware package now supported by Microsoft, for example.

Many software products and tools deliver functionality via APIs, from DevOps tools such as Docker, GitLab and Jenkins to enterprise platforms such as Microsoft SharePoint. Social media, in particular, takes advantage of open APIs to facilitate third-party functionality, such as the ability to create news feeds and share photos.

The internet is the primary driver for APIs. Companies such as Meta, Google and Yahoo publish APIs to encourage third-party developers to build on their capabilities. These APIs have provided everything from new internet features that browse the sites of other services, to mobile device apps that offer easy access to web application resources. New features, such as content delivery, augmented reality and novel applications of wearable technology, are created in large part though these APIs.

Another example of an API is WeatherKit, also called WeatherKit REST API. This Apple web service can be used to provide weather data to applications and services. A third-party weather app, for example, could use WeatherKit to retrieve weather data from Apple and provide it on its own app. WeatherKit is available for iOS, macOS, tvOS and watchOS apps.

API trends

The ubiquity of the internet, expanded use of cloud computing and a shift from monolithic applications to microservices have all contributed to increased API use. Trends around APIs include the following:

REST and the web. Web API calls can come from any programming language, but they can also be made by webpages created in HTML or application generator tools. The increased role of the internet and the cloud in daily life and business activities has expanded the use of APIs and simple programming tools, or even no programming at all, for API access.

Both REST and SOAP can invoke and connect to, manage and interact with cloud services. REST is increasingly preferred for web APIs because it uses less bandwidth and offers more options for programming languages such as JavaScript and Python. Large websites, such as Amazon, Google, LinkedIn and Twitter, use RESTful APIs.

APIs and the cloud. Cloud computing introduces new capabilities to divide software into reusable components, connect components to requests and scale the number of copies of software as demand changes.

These cloud capabilities have shifted the focus of APIs from simple RPC-based programmer-centric models to RESTful web-centric models, and even to what's called functional programming or lambda models of services that can be instantly scaled as needed in the cloud.

APIs as services. The trend of thinking of APIs as representing general resources has changed. Many applications use APIs as a general tool, but they're also considered services and normally require more controlled development and deployment. Some organizations also choose to monetize their APIs so that other organizations can use them for a fee.

SOA and microservices are examples of service APIs. Services are the hottest trend in APIs, to the point where it's possible that all APIs in the future will represent services.

Artificial intelligence in APIs. AI and machine learning are increasingly being used to automatically generate documentation and monitor API usage trends.

OpenAPI is also becoming a best practice to follow when developing standard APIs. OpenAPI is a specification that defines and documents RESTful APIs. It describes API functionalities, operations, responses as well as details for HTTP-based APIs.

Automation has also become an important role for the design of APIs, as it helps streamline API development and testing. Automation tools are also used to check for adherence to governance and standard policies.

API publishing and management

The company that publishes the API controls all aspects of its design and use, including security, reliability and charging for use. It also controls the addition of functions, whether they're developed by the publisher or third parties. That means the company must uphold API performance under its terms of service, as it would with any application or service.

The following are key aspects of API management and publishing:

API testing. Like all software, APIs must be tested. This validates the published API against the specifications that users employ to format their requests. API testing also ensures the following:

• Application endpoints and data-sharing functions work as expected.
• Partners' data feeds send the expected data, how, when and where it's expected.
• Junk data doesn't enter a database and create application problems or data corruption issues.
• An application functions across all platforms, including desktop, web and mobile.

API testing is usually done as part of application lifecycle management, both for the software that publishes the API and for all the software that uses it. APIs also must be tested in their published form to ensure they can be accessed properly.

API management. API management refers to the set of activities associated with publishing an API for use. Management enables users to find the API and its specifications and regulate access to it based on owner-defined permissions or policies.

API management has become prevalent as businesses increasingly depend on APIs, adopt more of them and deal with the administrative complexities they introduce. Organizations have different management needs, but they typically encompass basic functions, including security, governance, analytics and version control.

APIs require strong documentation, advanced levels of security, comprehensive testing, routine versioning and high reliability. To address these requirements, organizations use API management software, either as a combined platform or with individual tools. These tools typically involve several core components: a developer portal, lifecycle management, a policy manager, analytics, an API store and an API gateway.

API endpoints and security. API endpoints are the points where the client and server communicate, and where the API receives resource requests. They're typically a URL exposed by the server that enables other systems to connect to the endpoints. They function as entry points into the corporate network. Endpoints are where a developer's code interacts with an organization's code and data.

API endpoints are attractive targets to attackers and must be protected. Some security measures are as follows:

• Use rate limiting to discourage bots and distributed denial of service threats.
• Validate input to ensure correct data is coming in and to prevent injection attacks.
• Store passwords as asymmetric hashed values.

Find out how to build an enterprise API strategy with this comprehensive guide.