
What is a Web API? A Comprehensive Guide

What is a Web API?

A web API is a programmatic interface consisting of one or more endpoints to a defined request–response message system, typically expressed in JSON or XML, which are publicly exposed via the web — most commonly by means of an HTTP-based web server. In other words, a web API is what most people think of when they hear “API.” It’s a collection of endpoints. Endpoints consist of resource paths, the operations that can be performed on these resources, and the definition of the resource data (in JSON, XML, or another format).

 

The term is useful to differentiate web APIs from other APIs, such as those exposed by the operating system or by libraries to applications running on the same machine. But we all understand “APIs” to mean HTTP-based (web) APIs when we talk about enterprise digital transformation and API security.

What are the most common types of APIs and API terms?

It is helpful for security teams to be familiar with the following terms that refer to different usage models and technology approaches for API implementations. Web APIs are defined as being based on HTTP, and the four main types of web APIs seen today are RESTful, SOAP, GraphQL, and gRPC. The following table defines these common types, among others.

API Usage Model Description

Public API

An API that is made available and shared freely with all developers via the internet.

External API

Often used interchangeably with public API, an external API is an API exposed over the internet.

Private API

An API that is implemented within a protected data center or cloud environment for use by trusted developers.

Internal API

Often used interchangeably with private API.

Provides programmatic access to specialized functionality and/or data from a third-party source for use in an application.

A type of third-party API that is made available selectively to authorized business partners.

An API that is only accessible to developers who have been granted (or threat actors who have gained unauthorized access to) credentials.

An API that can be accessed programmatically without the need for specific credentials.

An API that uses the hypertext transfer protocol as a communication protocol for API calls.

Dating back to Roy Fielding’s doctoral thesis in 2000, representational state transfer (REST) underlies the most common type of web API, the RESTful API, which typically uses JSON (JavaScript Object Notation) for the data. RESTful APIs are easy to consume by modern front-end frameworks (e.g., React and React Native) and facilitate web and mobile application development. They became the de facto standard for any web API, including those used for business-to-business.

GraphQL APIs are the new, Facebook-developed standard that provides database access over a single POST endpoint (typically /graphql). GraphQL APIs solve a common RESTful API problem (requiring multiple calls to populate a single UI page) while introducing other problems.

SOAP uses the verbose eXtensible Markup Language (XML) for remote procedure calls (RPCs). It can still be found in legacy APIs.

XML-RPC is a method of making procedure calls over the internet that uses a combination of XML for encoding and HTTP as a communications protocol.

gRPC APIs use a Google-developed, high-performance binary protocol over HTTP/2.0 and are used mostly for east-west communication.

OpenAPI is a description and documentation specification for APIs. In its older versions, OpenAPI was known as Swagger, and the terms are still often confused.
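The terms above combine in a common inventory task: reading an OpenAPI description to list every endpoint (path plus operation) and sort it into authenticated or unauthenticated. The following is an added example, not code from the original article; the sample specification is constructed and `classify_endpoints` is a hypothetical helper name. It relies on OpenAPI 3 semantics, where an operation-level `security` key overrides the top-level default, an empty list removes the requirement, and an empty requirement object makes credentials optional.

```python
import json

# Constructed sample OpenAPI 3 description (not taken from any real service).
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Constructed orders API", "version": "1.0"},
  "security": [{"bearerAuth": []}],
  "paths": {
    "/orders": {
      "get": {"summary": "List orders"},
      "post": {"summary": "Create order", "security": [{"bearerAuth": []}, {}]}
    },
    "/orders/{id}": {
      "parameters": [{"name": "id", "in": "path", "required": true}],
      "delete": {"summary": "Delete order"}
    },
    "/health": {
      "get": {"summary": "Liveness probe", "security": []}
    }
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def classify_endpoints(spec):
    """Return {(METHOD, path): 'authenticated' | 'optional' | 'unauthenticated'}."""
    default_security = spec.get("security", [])
    result = {}
    for path, item in spec.get("paths", {}).items():
        for method, operation in item.items():
            if method not in HTTP_METHODS:  # skip path-level keys such as 'parameters'
                continue
            # An operation-level 'security' key replaces the top-level default,
            # even when it is an empty list.
            requirements = operation.get("security", default_security)
            if not requirements:
                status = "unauthenticated"
            elif any(req == {} for req in requirements):
                status = "optional"  # empty requirement object: anonymous calls allowed
            else:
                status = "authenticated"
            result[(method.upper(), path)] = status
    return result

if __name__ == "__main__":
    for (method, path), status in sorted(classify_endpoints(SAMPLE_SPEC).items()):
        print(f"{status:16} {method:7} {path}")
```

The result reflects only what the description declares; an endpoint the server exposes but the OpenAPI file omits will not appear in it.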

As technology continues to evolve, web APIs will play an even more crucial role. By staying updated on the latest trends and best practices, developers can harness the power of APIs to build the future of digital experiences.

Rituraj Pankaj
