Let's Deep Dive into APIs
How online software works
Frontend: the user interface of a website or app, the part we see on our screen
Backend: the database and the server-side code
API: the layer through which the frontend and the backend talk to each other
Examples of online software: mobile and desktop apps that talk to a server, and SaaS products such as Canva and Figma
Understanding APIs and how they work
API stands for Application Programming Interface
It exchanges data between the "backend" and the "frontend"
Third-party APIs let your software use someone else's service, e.g. Google Maps, payment gateways, etc.
Here is an example of a public API endpoint that returns JSON 👉 https://api.coindesk.com/v1/bpi/currentprice.json
Types of APIs
Generally, two styles of API are in common use:
SOAP API
Simple Object Access Protocol
Older standard (first version published in 1998)
SOAP is itself the protocol: an XML envelope, usually carried over HTTP
Security is standardised inside the protocol (WS-Security: message signing and encryption), which is why it is often called "very secure"
Strict contract (WSDL); client stubs are generated from it, so less hand-written code
Slow and heavy, because every message is a verbose XML envelope
HTTP caching is not practical, since every call is a POST to one endpoint
REST API
Representational State Transfer
Newer, and the common choice today
Uses plain HTTP: the method, URL and status code carry the meaning
No security built in; it relies entirely on HTTPS plus the authentication you add yourself
More hand-written code, since there is no mandatory contract
Faster and lighter, typically JSON over HTTP
Responses to GET can be cached by ordinary HTTP caches
An API is made up of a few components:
[1] An Endpoint
Simply put, an endpoint is one end of a communication channel. When an API interacts with another system, the touchpoints of that communication are the endpoints. For an HTTP API an endpoint is a URL (a path on a server or service) that a request is sent to.
[2] A Method
An API method combines a method request and a method response. You define a method to say what a client must send to access a resource at the backend and what response it receives in return. In HTTP terms it is the verb applied to the endpoint: GET, POST, PUT, DELETE, etc.
[3] Header
HTTP headers are an important part of every request and response: they carry the metadata about the message, such as the content type and length of the body, caching directives and, on requests, the Authorization credentials.
[4] Body
The request body is the data the client sends to the API; the response body is the data the API sends back. Most responses carry a body, but not all (a 204 No Content response, for example, has none).
[5] Parameter
Parameters are the variable parts of a request: path segments, query-string values, header values or fields in the body. In an API definition you declare them per path and per operation.
[6] Status code
The status code is a three-digit number in the first line of the response (the status line, not a header) that gives the general classification of the result, for example 404 (Not Found) or 502 (Bad Gateway).
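To make the six components concrete, here is an added example (not code from the original article) that takes a raw HTTP/1.1 request apart into method, endpoint, parameters, headers and body, and builds a response whose status line carries the status code. The request bytes, the host api.example.test, the path and the bearer token are all constructed for the example.

```python
"""Added example, not from the original article: take a raw HTTP/1.1
request apart into the components listed above (method, endpoint,
parameters, headers, body) and build a response whose status line carries
the status code. The request bytes below are constructed for the example;
the host, path and bearer token do not exist anywhere."""
from urllib.parse import urlsplit, parse_qs

# Constructed sample request, CRLF line endings as on the wire.
RAW_REQUEST = (
    b"POST /v1/orders?expand=items&expand=customer&currency=usd HTTP/1.1\r\n"
    b"Host: api.example.test\r\n"
    b"Content-Type: application/json\r\n"
    b"Authorization: Bearer tok_example_123\r\n"
    b"Content-Length: 26\r\n"
    b"\r\n"
    b'{"sku":"A-1","quantity":2}'
)


def parse_request(raw: bytes) -> dict:
    """Split a raw request into its components.

    Header names are case-insensitive in HTTP, so they are stored lower-cased.
    The body is cut to Content-Length rather than taken as "whatever follows",
    so trailing bytes on the connection cannot become part of this request.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("malformed request: no end of headers")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("ascii").split(" ")
    url = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    if length > len(rest):
        raise ValueError("body shorter than Content-Length")
    return {
        "method": method,               # the API method
        "endpoint": url.path,           # the endpoint, without the query string
        "params": parse_qs(url.query),  # query parameters; repeated keys become lists
        "headers": headers,             # metadata, including Authorization
        "body": rest[:length],          # the request body
        "version": version,
    }


def status_class(status: int) -> str:
    """The 1xx..5xx classification the article lists under Status code."""
    return {1: "Informational", 2: "Success", 3: "Redirection",
            4: "Client Error", 5: "Server Error"}[status // 100]


def build_response(status: int, reason: str, body: bytes) -> bytes:
    """The status code lives in the status line, not in a header."""
    head = (f"HTTP/1.1 {status} {reason}\r\n"
            f"Content-Type: application/json\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("ascii") + body


if __name__ == "__main__":
    for key, value in parse_request(RAW_REQUEST).items():
        print(f"{key:>8}: {value!r}")
    print(build_response(201, "Created", b'{"id":"ord_1"}').decode("ascii"))
```

Two details matter for security: headers are normalised to lower case before lookup, so a check on `authorization` cannot be bypassed with `AUTHORIZATION`, and the body is bounded by Content-Length instead of by "the rest of the bytes", which is the kind of ambiguity request-smuggling attacks exploit.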
API Methods
[1] GET
Fetches/reads data. GET must be "safe": it never changes state on the server, which is also what makes its responses cacheable. Putting a state-changing action behind GET is a common mistake, because a plain link or image tag can then trigger it.
[2] POST
Creates a new resource or submits data for processing (e.g. inserting a record into the database).
[3] PUT
Replaces a resource with the representation you send. If the resource already exists its whole content is overwritten; sending the same PUT twice gives the same result (it is idempotent).
[4] PATCH
Applies a partial update: only the fields you send change, the rest of the stored resource is left as it is.
[5] DELETE
Deletes the resource (the data present in the database).
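The PUT versus PATCH distinction is easier to see in code. The following is an added example (not from the original article) with a constructed in-memory store and a made-up user record; PATCH is implemented as a JSON Merge Patch (RFC 7396), so a nested object is merged rather than replaced and a null value deletes a key.

```python
"""Added example, not from the original article: the difference between
PUT and PATCH on a stored JSON resource. PUT replaces the whole document;
PATCH here applies a JSON Merge Patch (RFC 7396): keys you send are
updated, nested objects are merged recursively, and a null value deletes a
key. The resource store and the sample user record are constructed."""
import copy

# Constructed in-memory "database": resource id -> stored JSON document.
STORE = {
    "users/42": {"name": "Ana", "email": "ana@example.test",
                 "prefs": {"theme": "dark", "newsletter": True}},
}


def get(resource: str) -> dict:
    return copy.deepcopy(STORE[resource])


def put(resource: str, document: dict) -> dict:
    """PUT: the representation sent replaces whatever was stored."""
    STORE[resource] = copy.deepcopy(document)
    return get(resource)


def merge_patch(target, patch):
    """RFC 7396 merge: recurse into objects, null removes, anything else overwrites."""
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)          # a non-object patch replaces the target
    result = dict(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)            # null means "delete this key"
        else:
            result[key] = merge_patch(result.get(key), value)
    return result


def patch(resource: str, changes: dict) -> dict:
    """PATCH: only the fields present in `changes` are touched."""
    if resource not in STORE:
        raise KeyError(resource)             # a real API would answer 404 here
    STORE[resource] = merge_patch(STORE[resource], changes)
    return get(resource)


if __name__ == "__main__":
    print("PATCH email  ->", patch("users/42", {"email": "ana@new.test"}))
    print("PATCH nested ->", patch("users/42", {"prefs": {"theme": "light"}}))
    print("PATCH delete ->", patch("users/42", {"prefs": {"newsletter": None}}))
    print("PUT          ->", put("users/42", {"name": "Ana"}))
```

Note that the PUT at the end drops the email and prefs entirely: that is the intended semantics, and a client that meant "change the name only" should have used PATCH.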
Status codes
- 1xx: Informational
Communicates transfer-protocol-level information.
- 2xx: Success
The client's request was received, understood and accepted.
- 3xx: Redirection
The client must take some additional action (usually follow the Location header) to complete the request.
- 4xx: Client Error
The request itself is at fault: bad syntax, missing or invalid credentials, no such resource, etc.
- 5xx: Server Error
The server failed to fulfil a valid request; the fault is on the server side.
How APIs are made on the backend
An API can be written in many languages (JavaScript, Go, Python, etc.), but the concepts stay the same:
[1] Route
Defines the shape of the API: which method and path map to which handler, so that a request reaches the exact data point it asks for.
[2] Controller
Holds the functions that actually perform the actions a route points at (read the record, create the order, and so on).
[3] Models
Define what data the API stores and accepts, and in which format. This is also where input is validated before it reaches the database.
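Here is the route / controller / model split in about fifty lines of plain Python, with no framework. It is an added example, not code from the original article: the `items` resource, its fields and the in-memory store are made up to show how the three parts fit together and where validation lives.

```python
"""Added example, not from the original article: the route / controller /
model split with no framework. Routes map a method and a path pattern to a
controller; controllers perform the action; the model decides what a valid
record looks like and rejects anything else before it reaches the store.
The 'items' resource, its fields and the store are constructed."""
import re

# --- Model: what an item looks like, and the only place that decides it.
ITEM_FIELDS = {"name": str, "quantity": int}


def validate_item(payload: dict) -> dict:
    """Return a clean record or raise ValueError. Unknown keys are rejected,
    so a client cannot smuggle in fields the model does not know about."""
    if not isinstance(payload, dict) or set(payload) != set(ITEM_FIELDS):
        raise ValueError(f"expected exactly the fields {sorted(ITEM_FIELDS)}")
    for field, typ in ITEM_FIELDS.items():
        if type(payload[field]) is not typ:   # 'is not', so a bool is not accepted as int
            raise ValueError(f"{field} must be {typ.__name__}")
    if payload["quantity"] < 0:
        raise ValueError("quantity must not be negative")
    return dict(payload)


# --- Controllers: the actions. Each returns (status_code, body).
ITEMS = {}          # constructed in-memory store: id -> record
NEXT_ID = [1]


def create_item(params, body):
    try:
        record = validate_item(body)
    except ValueError as exc:
        return 400, {"error": str(exc)}      # validation fails -> reject immediately
    item_id = str(NEXT_ID[0])
    NEXT_ID[0] += 1
    ITEMS[item_id] = record
    return 201, {"id": item_id, **record}


def get_item(params, body):
    record = ITEMS.get(params["id"])
    if record is None:
        return 404, {"error": "not found"}
    return 200, {"id": params["id"], **record}


# --- Routes: (method, path pattern) -> controller. The id only matches digits.
ROUTES = [
    ("POST", re.compile(r"^/items$"), create_item),
    ("GET", re.compile(r"^/items/(?P<id>\d+)$"), get_item),
]


def dispatch(method: str, path: str, body=None):
    """Find the route for a request and run its controller."""
    path_matched = False
    for route_method, pattern, controller in ROUTES:
        match = pattern.match(path)
        if not match:
            continue
        path_matched = True
        if route_method == method:
            return controller(match.groupdict(), body if body is not None else {})
    # Path known but method not allowed: 405. Path unknown: 404.
    if path_matched:
        return 405, {"error": "method not allowed"}
    return 404, {"error": "no such route"}


if __name__ == "__main__":
    print(dispatch("POST", "/items", {"name": "bolt", "quantity": 3}))
    print(dispatch("POST", "/items", {"name": "bolt", "quantity": "3"}))
    print(dispatch("GET", "/items/1"))
    print(dispatch("DELETE", "/items/1"))
```

The model is deliberately strict: exact field set, exact types, and a range check. A permissive model that copies whatever keys arrive is how "mass assignment" bugs happen, where a client adds an `admin` field the developer never meant to expose.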
How to keep an API secure
A REST API has no security built into the protocol (unlike SOAP with WS-Security), so everything has to be added deliberately. There are several things to get right:
[1] HTTPS
[2] Password hashing
[3] API key in the URL: NEVER!
[4] OAuth
[5] Timestamp and parameter validation
1-HTTPS
Always use HTTPS. It is provided by TLS (Transport Layer Security, the successor of the now-deprecated SSL), which establishes an authenticated and encrypted connection between the client and the server. The server presents a certificate, the client checks it against the certificate authorities it trusts, and only then is the traffic protected from reading and tampering in transit. Be clear about what HTTPS does not do: it does not hide the URL from the server's own access logs or the browser history, and it says nothing about who the client is, so it is the foundation for the other measures, not a replacement for them.
2-Password hashing
Never store passwords in clear text; store a hash. Hashing is a one-way function, not encryption: there is no key and nothing to decrypt, so the original password cannot be read back from the stored value. It is not "impossible to infer", though. An attacker who steals the table can guess passwords and hash each guess, so use a slow, salted password hashing function (bcrypt, scrypt or Argon2) rather than a fast general-purpose hash such as MD5 or SHA-256, give every user a different random salt, and compare hashes in constant time.
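The following added example (not from the original article) shows both sides of that advice: a salted scrypt record with constant-time verification, and next to it the weak scheme, a bare SHA-256, with the dictionary attack that breaks it. The user names, passwords and word list are made up.

```python
"""Added example, not from the original article: storing and checking
passwords with a salted, deliberately slow hash. It uses scrypt from the
standard library (hashlib.scrypt) with a random 16-byte salt and compares
in constant time. The weak variant, a bare SHA-256, is included only to
show why it is bad: equal passwords give equal stored values, and a leaked
table falls to a dictionary attack. Names, passwords and words are made up."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters: n is CPU/memory cost (power of two), r block size, p parallelism.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024   # n=2**14, r=8 needs about 16 MiB; allow headroom


def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N,
                          r=SCRYPT_R, p=SCRYPT_P, dklen=32, maxmem=SCRYPT_MAXMEM)


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<salt>$<hash>'. The salt is stored next to the hash, so
    every user gets a different salt and the same password never produces
    the same stored value twice."""
    salt = os.urandom(16) if salt is None else salt
    return f"scrypt${_b64(salt)}${_b64(_scrypt(password, salt))}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt; compare in constant time so timing
    does not reveal how many leading bytes of the hash matched."""
    try:
        scheme, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    expected = base64.b64decode(digest_b64)
    actual = _scrypt(password, base64.b64decode(salt_b64))
    return hmac.compare_digest(actual, expected)


def weak_hash(password: str) -> str:
    """What NOT to do: a fast, unsalted general-purpose hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_weak(stored_hex: str, wordlist) -> Optional[str]:
    """Dictionary attack on the weak scheme: one SHA-256 per guess, and the
    same precomputed table works against every user in the leaked database."""
    for guess in wordlist:
        if weak_hash(guess) == stored_hex:
            return guess
    return None


if __name__ == "__main__":
    # Constructed user table: two users who chose the same password.
    users = {"ana": hash_password("hunter2"), "bo": hash_password("hunter2")}
    print("salted records differ:", users["ana"] != users["bo"])
    print("ana logs in:", verify_password("hunter2", users["ana"]))
    print("weak records equal:", weak_hash("hunter2") == weak_hash("hunter2"))
    print("cracked weak hash:", crack_weak(weak_hash("hunter2"), ["123456", "password", "hunter2"]))
```

The same dictionary attack works against the scrypt records too, but each guess then costs a full scrypt computation per user (different salts, no shared table), which is exactly the slowdown the advice above is buying.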
3-API key in URL (the biggest mistake you can make)
If you use an API key, never put it in the URL, whether in the path or in the query string. The same applies to passwords, usernames and session tokens: none of them belong in URL parameters. HTTPS encrypts the URL in transit, but the full URL is still written to the server's access log, the browser history and the logs of any proxy or CDN along the way, and it can leak to other sites through the Referer header. Send credentials in the Authorization header (or, for browsers, a cookie) instead. API keys, for the record, are credentials that applications use to identify themselves to each other, so they deserve the same care as a password.
4-OAuth
OAuth (Open Authorization) is an open standard for delegated authorization. It lets a third-party application act on a user's behalf against a service such as Facebook or Google, reading their name, date of birth, email or other data the user agrees to share, without the user ever handing that application their password. The user logs in at the service itself, approves a specific scope of access, and the application receives an access token limited to that scope, which the user can revoke later without changing their password. Two caveats: OAuth authorizes, it does not by itself prove who the user is, and the access token is a credential like any other, so it goes in the Authorization header, never in the URL.
5-Timestamp and parameter validation
Adding a timestamp to the request headers lets the server reject requests that were not sent within a reasonable window (1 to 2 minutes), which blunts the replay of captured requests. On its own the timestamp proves nothing, since whoever replays the request can simply update it; it only helps when the request also carries a signature (for example an HMAC computed with a shared secret) that covers the timestamp together with the method, path and body, so that changing any of them invalidates the signature. Parameter validation belongs at the very first step: check types, ranges and allowed values before doing anything else, and reject the request as soon as a check fails.
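The following added example (not from the original article) puts the two ideas together: the client signs the timestamp, a random nonce, the method, the path and the body with HMAC-SHA256 over a shared secret, and the server validates the parameters first, then the timestamp window, then the signature, then rejects a nonce it has already seen. The HMAC signature is an addition to the article's plain timestamp; the header names, the secret and the sample request are all made up.

```python
"""Added example, not from the original article: timestamped, signed
requests with replay rejection. The client signs timestamp, nonce, method,
path and body with HMAC-SHA256 over a shared secret (the signature is an
addition to the article's plain timestamp, which anyone replaying the
request could simply rewrite). The server validates parameters, checks the
time window, verifies the MAC in constant time and refuses repeated nonces.
Header names, secret and sample request are constructed."""
import hashlib
import hmac
import os
import time

SHARED_SECRET = b"constructed-shared-secret-do-not-reuse"   # per client in a real system
MAX_SKEW_SECONDS = 120                                      # the "1-2 minutes" window


def canonical_string(timestamp: str, nonce: str, method: str, path: str, body: bytes) -> bytes:
    """Everything the server will act on must be inside the signed string."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([timestamp, nonce, method.upper(), path, body_hash]).encode("utf-8")


def sign_request(method: str, path: str, body: bytes, secret: bytes, now=None) -> dict:
    """Client side: the headers to attach to the request."""
    timestamp = str(int(time.time() if now is None else now))
    nonce = os.urandom(12).hex()                                   # 24 hex characters
    mac = hmac.new(secret, canonical_string(timestamp, nonce, method, path, body), hashlib.sha256)
    return {"X-Timestamp": timestamp, "X-Nonce": nonce, "X-Signature": mac.hexdigest()}


class SignedRequestVerifier:
    """Server side. `seen` remembers nonces for the skew window, so a captured
    request cannot be replayed even while its timestamp is still fresh."""

    def __init__(self, secret: bytes, max_skew: int = MAX_SKEW_SECONDS):
        self.secret, self.max_skew, self.seen = secret, max_skew, {}

    def verify(self, method: str, path: str, body: bytes, headers: dict, now=None) -> tuple:
        now = time.time() if now is None else now
        # Forget nonces that are too old to be accepted anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        try:
            ts_raw, nonce, sig = headers["X-Timestamp"], headers["X-Nonce"], headers["X-Signature"]
        except KeyError as exc:
            return False, f"missing header {exc}"
        # 1. Parameter validation first: cheap checks before any cryptography.
        if not ts_raw.isdigit() or len(nonce) != 24 or any(c not in "0123456789abcdef" for c in nonce):
            return False, "malformed timestamp or nonce"
        # 2. Freshness: reject anything outside the window, past or future.
        if abs(now - int(ts_raw)) > self.max_skew:
            return False, "stale or future-dated request"
        # 3. Integrity: recompute the MAC and compare in constant time.
        expected = hmac.new(self.secret, canonical_string(ts_raw, nonce, method, path, body),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        # 4. Replay: each nonce is good exactly once within the window. Only
        #    correctly signed nonces are remembered, so attackers cannot fill the cache.
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = int(ts_raw)
        return True, "ok"


if __name__ == "__main__":
    verifier = SignedRequestVerifier(SHARED_SECRET)
    body = b'{"amount":100,"to":"acct_42"}'
    headers = sign_request("POST", "/v1/transfer", body, SHARED_SECRET)
    print("first delivery:", verifier.verify("POST", "/v1/transfer", body, headers))
    print("replayed      :", verifier.verify("POST", "/v1/transfer", body, headers))
    print("tampered body :", verifier.verify("POST", "/v1/transfer", b'{"amount":1e6}', headers))
```

The order of the checks is the point of the example: a malformed or stale request is thrown out before the server spends any effort on it, and only a request that passes the signature check gets to occupy a slot in the nonce cache.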