What is a Web API?
A web API is a programmatic interface consisting of one or more endpoints to a defined request–response message system, typically expressed in JSON or XML, which are publicly exposed via the web — most commonly by means of an HTTP-based web server. In other words, a web API is what most people think of when they hear “API.” It’s a collection of endpoints. Endpoints consist of resource paths, the operations that can be performed on these resources, and the definition of the resource data (in JSON, XML, or another format).
The term is useful to differentiate web APIs from other APIs, such as those exposed by the operating system or by libraries to applications running on the same machine. But in discussions of enterprise digital transformation and API security, “API” is generally understood to mean an HTTP-based (web) API.
What are the most common types of APIs and API terms?
It is helpful for security teams to be familiar with the following terms, which refer to different usage models and technology approaches for API implementations. Web APIs are defined as being based on HTTP, and the four main types of web APIs seen today are RESTful, SOAP, GraphQL, and gRPC. The following list defines these common types, among others.
API Usage Model: Description
Public API
An API that is made available and shared freely with all developers via the internet.
External API
Often used interchangeably with public API, an external API is an API exposed over the internet.
Private API
An API that is implemented within a protected data center or cloud environment for use by trusted developers.
Internal API
Often used interchangeably with private API.
Third-Party API
Provides programmatic access to specialized functionality and/or data from a third-party source for use in an application.
Partner API
A type of third-party API that is made available selectively to authorized business partners.
Authenticated API
An API that is only accessible to developers who have been granted (or threat actors who have gained unauthorized access to) credentials.
Unauthenticated API
An API that can be accessed programmatically without the need for specific credentials.
HTTP API
An API that uses the hypertext transfer protocol as a communication protocol for API calls.
RESTful API
Dating back to Roy Fielding’s doctoral thesis in 2000, representational state transfer (REST) is the most common style of web API, typically using JSON (JavaScript Object Notation) for the data. RESTful APIs are easy to consume from modern front-end frameworks (e.g., React and React Native) and facilitate web and mobile application development. They became the de facto standard for any web API, including those used for business-to-business integration.
GraphQL
GraphQL APIs are the newer, Facebook-developed standard that provides data access over a single endpoint (typically POST /graphql). GraphQL APIs solve a common RESTful API problem, that of requiring multiple calls to populate a single UI page, while introducing other problems of their own.
SOAP
SOAP uses the verbose eXtensible Markup Language (XML) for remote procedure calls (RPCs). It can still be found in legacy APIs.
XML-RPC
XML-RPC is a method of making procedure calls over the internet that uses a combination of XML for encoding and HTTP as a communications protocol.
gRPC
gRPC APIs are a Google-developed, high-performance binary protocol over HTTP/2, used mostly for east-west (service-to-service) communication.
OpenAPI
OpenAPI is a description and documentation specification for APIs. In its older versions, OpenAPI was known as Swagger, and the terms are still often confused.
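Security teams that inventory traffic need to tell these API styles apart on the wire. The following is an added example (not part of the original article) of a small Python classifier that labels a captured HTTP request as REST, GraphQL, SOAP, XML-RPC, or gRPC from its method, path, headers, and body; the sample requests and the paths such as /acct.Accounts/GetBalance are constructed for illustration.

```python
import json
import xml.etree.ElementTree as ET

def classify_api_request(method: str, path: str, headers: dict, body: str) -> str:
    """Label one HTTP request as REST, GraphQL, SOAP, XML-RPC, gRPC or unknown."""
    hdrs = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    ctype = hdrs.get("content-type", "").lower()
    if ctype.startswith("application/grpc"):            # gRPC frames ride on HTTP/2 with this type
        return "gRPC"
    if "soap" in ctype or "soapaction" in hdrs:         # SOAP 1.2 media type or SOAP 1.1 header
        return "SOAP"
    if ctype.startswith(("text/xml", "application/xml")):
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            return "unknown"                            # malformed XML: do not guess
        tag = root.tag.lower()                          # may carry a {namespace} prefix
        if tag == "methodcall":                         # XML-RPC always posts <methodCall>
            return "XML-RPC"
        if tag.endswith("envelope"):                    # SOAP without its header or media type
            return "SOAP"
        return "REST"                                   # plain XML resource representation
    if method == "POST" and ctype.startswith("application/json"):
        try:
            doc = json.loads(body)
        except ValueError:
            return "unknown"                            # malformed JSON: do not guess
        if isinstance(doc, dict) and isinstance(doc.get("query"), str):
            return "GraphQL"                            # {"query": "..."} is the GraphQL wire shape
    if method == "POST" and path.rstrip("/").endswith("/graphql"):
        return "GraphQL"                                # the conventional single endpoint
    if method in {"GET", "POST", "PUT", "PATCH", "DELETE"}:
        return "REST"                                   # resource path plus HTTP verb
    return "unknown"

# Constructed sample requests (method, path, headers, body); all paths and values are made up.
SAMPLE_REQUESTS = [
    ("GET", "/v1/users/42", {"Accept": "application/json"}, ""),
    ("POST", "/graphql", {"Content-Type": "application/json"},
     '{"query": "{ user(id: 42) { name orders { total } } }"}'),
    ("POST", "/services/Account", {"Content-Type": "text/xml", "SOAPAction": "getBalance"},
     '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body/></soap:Envelope>'),
    ("POST", "/RPC2", {"Content-Type": "text/xml"},
     "<methodCall><methodName>getBalance</methodName></methodCall>"),
    ("POST", "/acct.Accounts/GetBalance", {"Content-Type": "application/grpc"}, ""),
]

def classify_samples() -> list:  # (path, label) for each constructed sample, as an inventory would record
    return [(path, classify_api_request(m, path, h, b)) for m, path, h, b in SAMPLE_REQUESTS]
```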
As technology continues to evolve, web APIs will play an even more crucial role. By staying updated on the latest trends and best practices, developers can harness the power of APIs to build the future of digital experiences.