APIs
Resources
An API is a contract that lets systems talk to each other without learning each other's inner workings. It defines:
- what you can ask for
- how you ask
- what you get back
PARADIGMS
An API paradigm:
- defines the interface exposing backend data of a service to other applications.
- is a pattern for how requests & responses are shaped.
Standards
- Request-Response APIs (popular paradigms are REST / RPC / GraphQL)
- Event-Driven (popular paradigms are WebHooks / WebSockets)
Request-Response APIs
These expose an interface through an HTTP-based web server. The API defines a set of endpoints; clients make HTTP requests to those endpoints and the server responds, usually with JSON.
REST
REST APIs expose data as resources. You interact with them using CRUD verbs.
REST API rules:
2 URLs per resource:
- /users: the collection
- /users/U123: the specific element
CRUD methods
- Create: POST
- Read: GET
- Update: PUT (replace), PATCH (edit)
- Delete: DELETE
Status codes
- 2XX: success
- 3XX: resource has moved
- 4XX: client-side error
- 5XX: server-side error
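The two-URL-per-resource rule, the CRUD verb mapping and the status-code classes above, put together as an added example (not code from the original notes). The router and the "users" data are constructed for illustration; it also shows the PUT-replaces / PATCH-edits distinction, and it restricts PATCH to an explicit field allow-list so a client cannot write fields the resource does not expose (a common mass-assignment mistake):

```python
import re

# Constructed in-memory "users" collection; the IDs and names are made up.
USERS = {"U123": {"id": "U123", "name": "Alice"}}

# Fields a client may set; anything else in a body is rejected, never silently stored.
ALLOWED_FIELDS = {"name"}

COLLECTION = re.compile(r"^/users$")              # /users
ELEMENT = re.compile(r"^/users/([A-Za-z0-9]+)$")  # /users/U123


def handle(method, path, body=None):
    """Route one request to a CRUD action and return (status_code, body_dict)."""
    if COLLECTION.match(path):
        if method == "GET":                       # Read the collection
            return 200, {"users": list(USERS.values())}
        if method == "POST":                      # Create a new element
            if not body or "id" not in body or not set(body) - {"id"} <= ALLOWED_FIELDS:
                return 400, {"error": "body needs an id and only allowed fields"}
            if body["id"] in USERS:
                return 409, {"error": "user already exists"}
            USERS[body["id"]] = dict(body)
            return 201, USERS[body["id"]]
        return 405, {"error": f"{method} not allowed on the collection"}

    m = ELEMENT.match(path)
    if m:
        uid = m.group(1)
        if uid not in USERS:
            return 404, {"error": "no such user"}
        if method == "GET":                       # Read one element
            return 200, USERS[uid]
        if method == "PUT":                       # Replace: full representation required
            if not body or set(body) != {"id"} | ALLOWED_FIELDS or body["id"] != uid:
                return 400, {"error": "PUT needs a full representation with a matching id"}
            USERS[uid] = dict(body)
            return 200, USERS[uid]
        if method == "PATCH":                     # Edit: only the supplied fields change
            if not body or not set(body) <= ALLOWED_FIELDS:
                return 400, {"error": "PATCH may only change allowed fields"}
            USERS[uid].update(body)
            return 200, USERS[uid]
        if method == "DELETE":
            del USERS[uid]
            return 204, {}
        return 405, {"error": f"{method} not allowed on an element"}

    return 404, {"error": "unknown resource"}   # client-side error: no such path


if __name__ == "__main__":
    print(handle("GET", "/users/U123"))                         # (200, {...Alice...})
    print(handle("POST", "/users", {"id": "U124", "name": "Bob"}))  # (201, {...Bob...})
    print(handle("PATCH", "/users/U124", {"role": "admin"}))    # (400, ...) field not allowed
```

Every outcome is one of the classes in the list: 2XX when the verb succeeded, 4XX when the client sent something the contract does not accept (bad body, unknown resource, wrong verb), and nothing here should ever be a 5XX, which is reserved for the server's own failures.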
SECURITY
Since APIs are exposed to the internet, anyone can try to call them. Security questions to answer:
- Who is calling me?
- Are they allowed to do this?
Authentication vs Authorization
Authentication = who are you?
Examples:
- API keys
- Tokens
- OAuth
Authorization = what are you allowed to do?
Examples:
- Read-only vs write access
- Admin vs user
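The two questions, "who are you?" and "what are you allowed to do?", answered as two separate checks in an added example (not code from the original notes). The API keys, the subjects and the role table are constructed; a real service would store hashed keys rather than the plain strings shown here. The point the split makes visible: a failed identity check is a 401, a known caller asking for something outside their role is a 403, and the second check never runs without the first:

```python
import hmac

# Constructed API-key table: presented key -> principal (who they are) and their role.
API_KEYS = {
    "key-alice-ro": {"subject": "alice", "role": "reader"},
    "key-bob-admin": {"subject": "bob", "role": "admin"},
}

# Authorization policy: read-only vs write access, user vs admin.
ROLE_PERMISSIONS = {
    "reader": {"read"},
    "writer": {"read", "write"},
    "admin": {"read", "write", "delete"},
}

# Which CRUD verb needs which permission.
METHOD_ACTION = {"GET": "read", "POST": "write", "PUT": "write",
                 "PATCH": "write", "DELETE": "delete"}


def authenticate(headers):
    """Authentication: who is calling? Returns the principal, or None if unknown."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for key, principal in API_KEYS.items():
        # constant-time comparison so response timing does not leak how many
        # leading characters of a key were correct
        if hmac.compare_digest(key, presented):
            return principal
    return None


def authorize(principal, method):
    """Authorization: may this (already identified) caller do this? Returns bool."""
    action = METHOD_ACTION.get(method)
    if action is None:                       # unknown verb: deny by default
        return False
    return action in ROLE_PERMISSIONS.get(principal["role"], set())


def handle(method, headers):
    """Run both checks in order and map each failure to its status code."""
    principal = authenticate(headers)
    if principal is None:
        return 401, {"error": "authentication required"}   # who are you?
    if not authorize(principal, method):
        return 403, {"error": "forbidden"}                  # not allowed to do this
    return 200, {"ok": True, "as": principal["subject"]}


if __name__ == "__main__":
    print(handle("GET", {}))                                              # 401
    print(handle("DELETE", {"Authorization": "Bearer key-alice-ro"}))     # 403
    print(handle("DELETE", {"Authorization": "Bearer key-bob-admin"}))    # 200
```

Deny-by-default in both functions (unknown key, unknown role, unknown verb all fail closed) is what keeps a new endpoint or a new HTTP method from accidentally becoming reachable without a policy entry.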
HTTPS
HTTPS is mandatory for modern APIs:
- Encrypts data in transit
- Prevents eavesdropping
- Verifies the server identity
CORS
CORS is a browser safety rule to protect users; it is enforced by the browser, not by the server.
Browsers block a cross-origin request (or hide its response from the page) when both:
- A web page tries to call a different domain
- The server doesn't allow the request for that origin
That's why:
- curl works
- Server-to-server calls work
- Browsers sometimes fail
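The server side of that rule, as an added example (not code from the original notes): a function that decides which CORS response headers to send for one request. The allow-list of origins, methods and headers is constructed. It shows the three cases from the list above: no Origin header (curl, server-to-server) needs nothing; an origin on the allow-list gets its exact origin echoed back; anything else gets no CORS headers, so the browser blocks the page's access. It also handles the preflight OPTIONS request a browser sends before a non-simple call such as PATCH with an Authorization header:

```python
ALLOWED_ORIGINS = {"https://app.example.com"}           # constructed allow-list
ALLOWED_METHODS = {"GET", "POST", "PATCH", "DELETE"}
ALLOWED_HEADERS = {"authorization", "content-type"}    # compared case-insensitively


def cors_headers(request_headers, method):
    """Return the CORS response headers to add for one request.

    {}   -> not a cross-origin browser request, nothing to add
    None -> origin (or preflighted method/header) not allowed; send no CORS headers
    dict -> headers that let the browser expose the response to the page
    """
    origin = request_headers.get("Origin")
    if origin is None:
        return {}                         # curl / server-to-server: CORS does not apply
    if origin not in ALLOWED_ORIGINS:     # never echo unknown origins or "*" with credentials
        return None

    headers = {"Access-Control-Allow-Origin": origin,
               "Vary": "Origin"}          # caches must key on Origin

    if method == "OPTIONS" and "Access-Control-Request-Method" in request_headers:
        # Preflight: the browser asks permission before sending the real request.
        wanted_method = request_headers["Access-Control-Request-Method"]
        wanted_headers = {
            h.strip().lower()
            for h in request_headers.get("Access-Control-Request-Headers", "").split(",")
            if h.strip()
        }
        if wanted_method not in ALLOWED_METHODS or not wanted_headers <= ALLOWED_HEADERS:
            return None
        headers["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        headers["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
        headers["Access-Control-Max-Age"] = "600"   # browser may cache this answer
    return headers


if __name__ == "__main__":
    print(cors_headers({}, "GET"))                                    # {} (curl)
    print(cors_headers({"Origin": "https://evil.example"}, "GET"))    # None
    print(cors_headers({"Origin": "https://app.example.com",
                        "Access-Control-Request-Method": "PATCH",
                        "Access-Control-Request-Headers": "Authorization"}, "OPTIONS"))
```

Note that a disallowed origin still gets a normal HTTP response from the server; CORS only controls whether the browser lets the page read it, which is exactly why the same call succeeds from curl and "sometimes fails" from a browser.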