An application program interface (API) is code that allows two software programs to communicate with each other. An API defines the correct way for a developer to request services from an operating system (OS) or other application, and expose data within different contexts and across multiple channels. In the early days of Web 2.0, the concept of integrating data and applications from different sources was called a mashup.
Any data can be shared with an application program interface. APIs are implemented by function calls composed of verbs and nouns; the required syntax is described in the documentation of the application being called. For example, on a real estate website, one API might publish available real estate properties by geography, while a second API provides the visitor with current interest rates and a third API offers a mortgage calculator.
The web, software designed to exchange information via the internet, and cloud computing have all combined to increase interest in APIs in general, and services in particular.
How do APIs work?
APIs are made up of two related elements. The first is a specification that describes how information is exchanged between programs, done in the form of a request for processing and a return of the necessary data. The second is a software interface written to that specification and published in some way for use.
The software that wants to access the features and capabilities of the API is said to "call" it, and the software that creates the API is said to "publish" it.
APIs authorize and grant access to data that is requested by users and other applications. Access is authenticated to a service or portion of functionality, against predefined roles that govern who or what service can access specific actions or data. APIs also provide an audit trail that details system access: who or what, and when.
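The role check and audit trail described above can be sketched as follows. This is an added example, not code from the original page; the role table, caller names and API keys are constructed for illustration and reuse the real estate scenario.

```python
import hashlib
from datetime import datetime, timezone

def _digest(api_key):
    # Store and compare key digests so the lookup table never holds raw keys.
    return hashlib.sha256(api_key.encode()).hexdigest()

# Constructed role table (assumption): role -> permitted (action, resource) pairs.
ROLE_PERMISSIONS = {
    "partner": {("read", "listings"), ("read", "rates")},
    "internal": {("read", "listings"), ("read", "rates"), ("write", "listings")},
}

# Constructed credential store (assumption): key digest -> (caller, role).
CALLERS = {
    _digest("key-partner-01"): ("mortgage-partner", "partner"),
    _digest("key-internal-01"): ("listing-service", "internal"),
}

AUDIT_LOG = []  # in a real service this would be an append-only store

def authorize(api_key, action, resource):
    """Deny by default: allow only if the caller's role lists this action."""
    caller, role = CALLERS.get(_digest(api_key), ("unknown", None))
    allowed = (action, resource) in ROLE_PERMISSIONS.get(role, set())
    # Record who, what and when for every decision, including denials.
    # The API key itself is deliberately not written to the log.
    AUDIT_LOG.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "who": caller,
        "role": role,
        "action": action,
        "resource": resource,
        "decision": "allow" if allowed else "deny",
    })
    return allowed
```
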
Applications that call APIs were traditionally written in specific programming languages. Web APIs can be called through any programming language, but can also be accessed by webpages created in HTML or application generator tools.
The most common architectures for APIs are representational state transfer (REST) and Simple Object Access Protocol (SOAP), which defines a standard communication protocol specification for XML-based message exchange. SOAP requires less low-level infrastructure-related code than does REST, but REST APIs are easier to scale and redeploy, and simpler to implement and integrate with websites and services. The current industry trend is largely to use REST APIs, particularly for web interactions.
Why APIs are important for business
APIs have steadily improved the quality and delivery of software and services. Software that was custom-developed for a specific purpose is now often written to reference APIs that provide broadly useful features. This reduces development time and cost, and mitigates the risk of errors.
The growing number of web services exposed through APIs by cloud providers also has encouraged the creation of cloud-specific applications, internet of things (IoT) efforts and apps to support mobile devices and users.
APIs add a digital layer that presents a company's data and enterprise assets, with requisite governance and security, and this can enhance customer, employee and partner interactions. Greater functionality and scope of services increase the value delivered to users and improve the customer experience -- for example, the aforementioned website that anticipates a customer's needs as they relate to searching for real estate.
APIs also create new monetization opportunities for businesses, such as productization of data with customized packages and plans for new or existing business partners.
What are the benefits of using APIs?
APIs are essentially a set of rules. They can improve an organization's internal development processes by standardizing how developers write application code -- using the same rules and formats makes code more streamlined and transparent. Standardization also facilitates collaboration between developers as they build software components with the intent to integrate with APIs. This, in turn, can support feature development and reduce time to market.
Public and partner APIs enable organizations to:
- securely control and manage how users and systems access specific data and service functionality;
- allow third parties to leverage their data (even in a limited sense), which increases a company's brand exposure;
- grow their customer database and even increase their conversion rate by aligning their services with other trusted brands; and
- monetize their APIs so that they become a distinct line of revenue. This is a common tactic for online payment gateways -- companies that use PayPal's APIs, for example, are willing to pay for the ability to use a trusted payment system.
Because APIs are driven by standardization, API development can be complex and costly to integrate with the systems and data they represent. Certain types of functionality or actions may be better addressed through a complementary process of robotic process automation (RPA).
Types of APIs
There are four basic types of APIs: private, public, partner and composite.
- Private APIs, or internal APIs, are published internally for use by the company's developers to improve its own products and services. Private APIs are not exposed to third parties.
- Public APIs, or open APIs, are published publicly and can be used by any third party. There are no restrictions on these APIs.
- Partner APIs can only be used by specific parties with whom the company agrees to share data. Partner APIs are used within business relationships, often to integrate software between partnering companies.
- Composite APIs combine multiple APIs to address related or interdependent tasks, and often improve speed and performance compared with individual APIs.
APIs may be further classified as local, web or program APIs.
- Local APIs offer OS or middleware services to application programs. Microsoft's .NET APIs, the TAPI (Telephony API) for voice applications, and database access APIs are examples of the local API form.
- Web APIs are designed to represent widely used resources such as HTML pages and are accessed using a simple HTTP protocol. Any web URL activates a web API. Web APIs are often called RESTful because the publisher of REST interfaces doesn't save any data internally between requests. As such, requests from many users can be intermingled as they would be on the internet.
- Program APIs are based on remote procedure call (RPC) technology that makes a remote program component appear to be local to the rest of the software. Service-oriented architecture (SOA) APIs, such as Microsoft's WS-series of APIs, are program APIs.
Why API design matters
Good API design is critical for successful API use, and software architects spend considerable time reviewing all the possible applications of an API and the most logical way for it to be used.
The data structures and parameter values are of particular importance because they must match between the caller of an API and its publisher.
Strong security is an important aspect of API design. Exploitation of misconfigured APIs is a common practice for cyber attackers. APIs are a gateway that presents an organization's systems and data to internal and external users -- any compromise can create broad and serious security problems.
What are examples of APIs?
Operating systems and middleware tools expose their features through collections of APIs usually called "toolkits." Two different sets of tools that support the same API specifications are interchangeable to programmers, which is the basis for compatibility and interoperability claims. Microsoft's .NET API specifications are the basis for an open source Linux equivalent middleware package now supported by Microsoft, for example.
Many software products and tools deliver functionality via APIs, from DevOps tools such as Docker, Jenkins and GitLab to enterprise platforms such as Microsoft SharePoint. Social media in particular takes advantage of open APIs to facilitate third-party functionality, such as the ability to create news feeds and share photos.
The internet is currently the primary driver for APIs, and companies such as Facebook, Google and Yahoo publish APIs to encourage third-party developers to build on their capabilities. These APIs have given us everything from new internet features that browse the sites of other services, to mobile device apps that offer easy access to web resources. New features, such as content delivery, augmented reality and novel applications of wearable technology, are created in large part through these APIs.
The ubiquity of the internet, expanded use of cloud computing and a shift from monolithic applications to microservices have all contributed to a broad embrace of APIs.
REST and the web. Web APIs can be called through any programming language, but can also be accessed by webpages created in HTML or application generator tools. The increased role of the internet and the cloud in our lives and business activities has vastly expanded the use of APIs and the use of simple programming tools, or even no programming at all, for API access.
APIs and the cloud. Cloud computing introduces new capabilities to divide software into reusable components, connect components to requests and scale the number of copies of software as demand changes.
These cloud capabilities have shifted the focus of APIs from simple RPC-programmer-centric models to RESTful web-centric models, and even to what is called "functional programming" or "lambda models" of services that can be instantly scaled as needed in the cloud.
APIs as services. The trend to think of APIs as representing general resources has changed. Where APIs are expected to be used as a general tool by many applications and users, they are said to be services, and will normally require more controlled development and deployment.
SOA and microservices are examples of service APIs. Services are the hottest trend in APIs, to the point where it's possible that all APIs in the future will be seen as representing services.
API publishing and management
The company that publishes the API controls its use, from security to reliability to charging for use. It also controls the addition of functions, either by the company or developed by third parties. That means the company must uphold API performance under its terms of service, as it would with any application or service.
API testing. Like all software, APIs must be tested. This validates the published APIs against the specifications that users of those APIs employ to format their requests. API testing also ensures that:
- application endpoints and data sharing functions work as expected;
- partners' data feeds send the data you expect, how, when and where you expect it;
- junk data does not enter your database and create application problems or data corruption; and
- an application functions across all platforms, including desktop, web or mobile.
API testing is usually done as part of application lifecycle management (ALM), both for the software that publishes the APIs and for all the software that uses them. APIs also have to be tested in their published form to ensure that they can be accessed properly.
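A minimal version of the check that keeps junk data out of the database, and that enforces the match between caller and publisher data structures noted under API design, is shown below. It is an added example rather than code from the original page; the listing specification, field names and limits are constructed assumptions.

```python
# Constructed specification (assumption) for one record in a partner listing feed.
LISTING_SPEC = {
    "listing_id": {"type": str, "max_len": 32},
    "postal_code": {"type": str, "max_len": 10},
    "price": {"type": int, "min": 1, "max": 1_000_000_000},
    "bedrooms": {"type": int, "min": 0, "max": 50},
}

def validate_listing(record):
    """Return a sorted list of violations; an empty list means the record conforms."""
    if not isinstance(record, dict):
        return ["record is not an object"]
    # Reject fields the specification does not define instead of ignoring them.
    errors = [f"unexpected field: {name}"
              for name in record.keys() - LISTING_SPEC.keys()]
    for name, rule in LISTING_SPEC.items():
        if name not in record:
            errors.append(f"missing field: {name}")
            continue
        value = record[name]
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            errors.append(f"wrong type for {name}")
        elif rule["type"] is str and not 0 < len(value) <= rule["max_len"]:
            errors.append(f"bad length for {name}")
        elif rule["type"] is int and not rule["min"] <= value <= rule["max"]:
            errors.append(f"out of range: {name}")
    return sorted(errors)

def accept_feed(records):
    """Split a feed into records safe to store and rejects paired with reasons."""
    accepted, rejected = [], []
    for record in records:
        errors = validate_listing(record)
        if errors:
            rejected.append((record, errors))
        else:
            accepted.append(record)
    return accepted, rejected
```
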
API management. API management refers to the set of activities associated with publishing the API for use, making it possible for users to find it and its specifications, and regulating access to the API based on owner-defined permissions or policies.
API management has become prevalent as businesses increasingly depend upon APIs, adopt more of them and deal with the administrative complexities that APIs introduce. API management needs may differ from organization to organization, but typically encompass some basic functions, including security, governance, analytics and version control.
APIs require strong documentation, increased levels of security, comprehensive testing, routine versioning and high reliability. To address these stringent requirements, organizations use API management software, either as a combined platform or through individual tools. These typically involve several core components: an API developer portal, API lifecycle management, an API policy manager, API analytics and an API gateway.