Let's Deep Dive into the API

How online software works

  • Frontend: the user interface of a website or app, what we see on our display

  • Backend: the database and the server-side code

  • API: the layer through which the frontend talks to the backend


Examples of online software are any functional app (mobile or desktop) and SaaS products such as Canva or Figma.

Understanding API & Working Principle

  • Application Programming Interface

  • Exchanges data between the backend and the frontend

  • Third-party APIs, e.g. Google Maps, payment gateways, etc.


Here is an example of a public API endpoint 👉 https://api.coindesk.com/v1/bpi/currentprice.json

Types of APIs

Two API styles are in common use:

SOAP API

  • Simple Object Access Protocol

  • Older protocol (late 1990s)

  • Exchanges XML messages wrapped in a SOAP envelope, usually carried over HTTP

  • Has its own security standard (WS-Security) for signing and encrypting individual messages

  • Less hand-written code: client stubs are generated from the WSDL contract

  • Slower and heavier (verbose XML)

  • Caching by HTTP caches is not possible, because every call is a POST


REST API

  • Representational State Transfer

  • Newer and the common choice today

  • Uses HTTP directly: methods, URLs and status codes carry the meaning

  • No built-in security standard: relies on TLS plus whatever authentication you add (API keys, OAuth 2.0 tokens)

  • Requires a bit more hand-written client code

  • Faster and lighter (typically JSON)

  • Caching is possible: GET responses can be cached by standard HTTP caches

An API is built from the following components:

[1] An Endpoint

Simply put, an endpoint is one end of a communication channel. When an API interacts with another system, the touchpoints of this communication are the endpoints. For a web API an endpoint is a URL (host plus path) at which a specific resource or operation is exposed, such as the coindesk URL above.


[2] A Method

An API method pairs a request with a response: it defines what a client must send to perform an operation on an endpoint and what it receives in return. In HTTP terms it is the verb applied to the URL, for example GET, POST, PUT, PATCH or DELETE.

[3] Header

HTTP headers carry the metadata of a request and response: the content type and length of the body, caching directives, and credentials (the Authorization header). Because headers are not part of the URL, they are the right place for API keys and tokens.

[4] Body

A request body is the data the client sends to your API, a response body is the data your API sends back. A response almost always has a body; 204 No Content is the usual exception.


[5] Parameter

Parameters are the variable parts of a request: path parameters (/users/{id}), query parameters (?page=2), headers, or fields in the request body. You declare them for paths and operations in your API definition. Every parameter is input controlled by the caller and must be validated on the server.

[6] Status code

The status code is a three-digit number in the status line of the response (not in a header) that gives the general classification of the result, for example 404 (Not Found) or 502 (Bad Gateway).


API Methods

[1] GET

For fetching/reading data. A GET must not change server state, so repeating it is harmless (safe and idempotent).

[2] POST

For creating data (inserting a record in the database) or triggering an action. Not idempotent: repeating a POST can create duplicates.

[3] PUT

For updating data by replacing the whole resource with what the client sends. If data is already present at that URL it is overwritten. Idempotent: repeating the same PUT has the same effect.

[4] PATCH

For updating data partially: only the fields the client sends are changed, the rest of the existing record is left as it is.

[5] DELETE

For deleting the resource at the URL from the database.

Status code


  • 1xx: Informational

Communicates transfer protocol-level information.

  • 2xx: Success

Indicates that the client’s request was accepted successfully

  • 3xx: Redirection

Indicates that the client must take some additional action in order to complete their request.

  • 4xx: Client Error

The request itself is at fault: malformed (400), unauthenticated (401), forbidden (403), or for a resource that does not exist (404).

  • 5xx: Server Error

The server failed to fulfil a request that was valid.

How APIs are made on the backend

An API can be written in many languages such as JavaScript, Go or Python, but the structure stays the same:

[1] Route

Maps a URL path and HTTP method to a handler; it defines what the API looks like from outside and which request reaches which piece of code.

[2] Controller

Holds the handler functions that perform the actions for each route, or in other words it defines the operations.

[3] Models

Define the shape of the data the API stores and accepts: which fields, in which format, with which constraints. Input validation belongs here.
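The pieces above (endpoint, method, parameters, body, status code, and route / controller / model on the backend) fit together as in the following example. It is an added illustration, not code from the original post: a tiny users API with an in-memory dictionary standing in for the database, routes that dispatch on path and method, controllers that implement the GET/POST/PUT/PATCH/DELETE semantics described earlier, and a model check that rejects unknown or mistyped fields with a 400. The sample user record and the /users paths are constructed for the example.

```python
import json
import re
from typing import Any, Dict, Optional, Tuple

# In-memory stand-in for the database (constructed sample data, not a real store).
USERS: Dict[int, Dict[str, Any]] = {
    1: {"id": 1, "name": "alice", "email": "alice@example.com"},
}
_next_id = 2

# Model: the fields a user record has and their types. Validation lives here.
USER_FIELDS = {"name": str, "email": str}

def validate_user(data: Dict[str, Any], partial: bool = False) -> Dict[str, Any]:
    """Reject unknown fields, wrong types and (unless partial) missing fields."""
    unknown = set(data) - set(USER_FIELDS)
    if unknown:
        raise ValueError("unknown fields: " + ", ".join(sorted(unknown)))
    for field, typ in USER_FIELDS.items():
        if field in data and not isinstance(data[field], typ):
            raise ValueError(field + " must be a " + typ.__name__)
        if not partial and field not in data:
            raise ValueError("missing field: " + field)
    return data

# Controllers: one function per operation, each returning (status code, body).
def list_users(params, body):
    return 200, list(USERS.values())

def create_user(params, body):            # POST: creates, so not idempotent
    global _next_id
    user = {"id": _next_id, **validate_user(body)}
    USERS[_next_id] = user
    _next_id += 1
    return 201, user

def get_user(params, body):
    user = USERS.get(params["id"])
    return (200, user) if user else (404, {"error": "not found"})

def replace_user(params, body):           # PUT: full replacement, idempotent
    if params["id"] not in USERS:
        return 404, {"error": "not found"}
    USERS[params["id"]] = {"id": params["id"], **validate_user(body)}
    return 200, USERS[params["id"]]

def patch_user(params, body):             # PATCH: change only the supplied fields
    user = USERS.get(params["id"])
    if not user:
        return 404, {"error": "not found"}
    user.update(validate_user(body, partial=True))
    return 200, user

def delete_user(params, body):
    if USERS.pop(params["id"], None) is None:
        return 404, {"error": "not found"}
    return 204, None                      # 204 No Content: no response body

# Routes: path pattern and method -> controller. {id} is a numeric path parameter.
ROUTES = [
    ("/users",      {"GET": list_users, "POST": create_user}),
    ("/users/{id}", {"GET": get_user, "PUT": replace_user,
                     "PATCH": patch_user, "DELETE": delete_user}),
]

def _compile(pattern: str):
    # "/users/{id}" -> ^/users/(?P<id>[0-9]+)$
    return re.compile("^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[0-9]+)", pattern) + "$")

def handle(method: str, path: str, body: Optional[str] = None) -> Tuple[int, Any]:
    """Dispatch one request: find the route, check the method, parse and validate."""
    for pattern, methods in ROUTES:
        match = _compile(pattern).match(path)
        if not match:
            continue
        if method not in methods:
            return 405, {"error": "method not allowed", "allow": sorted(methods)}
        params = {k: int(v) for k, v in match.groupdict().items()}
        try:
            parsed = json.loads(body) if body else {}
        except json.JSONDecodeError:
            return 400, {"error": "body is not valid JSON"}
        if not isinstance(parsed, dict):
            return 400, {"error": "body must be a JSON object"}
        try:
            return methods[method](params, parsed)
        except ValueError as exc:
            return 400, {"error": str(exc)}
    return 404, {"error": "no such route"}

if __name__ == "__main__":
    print(handle("POST", "/users", '{"name": "bob", "email": "bob@example.com"}'))
    print(handle("PATCH", "/users/2", '{"name": "robert"}'))
    print(handle("DELETE", "/users/2"))
```

Note that the validation error and the 405 response deliberately say only what the client needs to fix; stack traces and internal details stay on the server.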

How to keep an API secure

A REST API has no built-in security layer, so you have to add one yourself. There are several measures, and they are used together rather than as alternatives:

[1] HTTPS

[2] Password hashing

[3] API key in the URL: NEVER!

[4] OAuth

[5] Timestamp and parameter validation

1-HTTPS

Always use HTTPS, which is HTTP carried over TLS (the successor of SSL). TLS authenticates the server and encrypts the connection between the client and the server, so tokens, API keys and passwords cannot be read or altered in transit. The server presents a certificate; the client checks it against the certificate authorities it trusts. Never disable that check in an API client "to make it work", since that silently removes the protection.

2-Password hash

Always hash passwords; never store them in plaintext or in encrypted (reversible) form. Hashing is not encryption: a password hash is a one-way function, so there is no key that turns the hash back into the password. A fast hash like plain SHA-256 is not enough, because an attacker who steals the database can try billions of guesses per second. Use a slow algorithm designed for passwords (argon2id, bcrypt, scrypt or PBKDF2), a random salt per password so identical passwords do not produce identical hashes, and a constant-time comparison when checking a login.


3-API key in URL (BIGGEST MISTAKE IN LIFE!!)

If you are using an API key, never put it in the URL. The same applies to passwords, usernames and session tokens: none of them belong in the query string or path of an API call. URLs are written to web server and proxy logs, browser history, bookmarks and the Referer header of outgoing requests, so a secret in a URL leaks in many places at once. Send credentials in a header instead (the Authorization header, or a dedicated header such as X-Api-Key) over HTTPS. API keys, for the record, are credentials that one application uses to identify itself to another; a key in the URL identifies your application to everyone who reads a log.

4-OAuth

OAuth (Open Authorization), today OAuth 2.0, is an open standard protocol for delegated authorization. It lets a third-party application access user-related data (name, date of birth, email or other required data) held by a provider such as Facebook or Google, without the third-party app ever seeing the user's password: the user logs in at the provider, approves the requested scope, and the app receives an access token limited to that scope. For web and mobile apps the authorization code flow with PKCE and a per-login state value is the recommended variant, because the state check stops an attacker from injecting their own authorization code into a victim's session and PKCE stops a stolen code from being exchanged by someone else.
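The client side of that flow, as an added example that is not the original post's code and not tied to any particular provider: generating a PKCE verifier and S256 challenge, building the authorization request, checking the state on the callback, and assembling the token request that carries the verifier. The endpoint URLs, client id and redirect URI are placeholders; the verifier/challenge pair in the test is the published RFC 7636 test vector. Only the standard library is used.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict
from urllib.parse import parse_qs, urlencode, urlparse

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    """32 random bytes -> 43-character verifier (RFC 7636 allows 43..128 chars)."""
    return b64url(secrets.token_bytes(32))

def code_challenge(verifier: str) -> str:
    """S256 method: challenge = base64url(sha256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def make_state() -> str:
    """Unguessable per-login value; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(24)

def build_authorization_url(auth_endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, verifier: str) -> str:
    """Step 1: send the user's browser here. Only the challenge leaves the client;
    the verifier stays in the session."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return auth_endpoint + "?" + urlencode(params)

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: the provider redirects back with code and state. Refuse the code
    unless state matches the value stored in this session; otherwise an attacker
    can splice their own code into the victim's session (login CSRF)."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise RuntimeError("authorization failed: " + qs["error"][0])
    state = qs.get("state", [""])[0]
    if not state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: rejecting callback")
    if "code" not in qs:
        raise ValueError("callback carries no authorization code")
    return qs["code"][0]

def token_request_body(code: str, verifier: str, client_id: str,
                       redirect_uri: str) -> Dict[str, str]:
    """Step 3: POST this (over TLS) to the token endpoint. The verifier is revealed
    only now; the server checks sha256(verifier) against the challenge it saw in
    step 1, so a code stolen from the redirect is useless without the verifier."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }

if __name__ == "__main__":
    verifier, state = make_code_verifier(), make_state()
    print(build_authorization_url("https://auth.example/authorize", "my-client",
                                  "https://app.example/cb", "openid email", state, verifier))
```

The access token returned for the token request is then sent in the Authorization header (Bearer) on API calls, never in the URL.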


5-Timestamp and parameter validation

Adding a timestamp to the request headers lets the server check that the request was sent within a reasonable window (1 to 2 minutes) and reject old ones. On its own that achieves little, because an attacker who captured a request can simply update the timestamp; the check only helps when the timestamp is covered by a signature (for example an HMAC over the method, path, timestamp and body computed with the API secret), so that changing any of them invalidates the signature. Even then a captured request can be replayed inside the window unless the server also remembers which signatures it has already accepted. Parameter validation belongs at the very first step of handling a request: if the checks are strict and fail closed, a bad request is rejected before it reaches any business logic or the database.
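An added example covering both point 3 (credentials in headers, not the URL) and point 5 above; it is not code from the original post. The client signs the method, path, timestamp and a hash of the body with a shared secret and sends the key id, timestamp and signature as headers. The server looks the secret up by key id, checks the timestamp window, recomputes the HMAC in constant time, and keeps the signatures it accepted so an identical replay inside the window is refused. The key table, header names and window length are assumptions for the example; the `now` argument exists only so the behaviour can be tested deterministically.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Constructed sample credentials. The key id is public; the secret is shared out of
# band and lives only on the client and in the server's key store.
API_KEYS: Dict[str, bytes] = {"key_01": b"s3cr3t-shared-secret-for-key_01"}
MAX_SKEW = 120               # seconds: accept requests at most 2 minutes old or early
_seen: Dict[str, int] = {}   # accepted signature -> its timestamp, to stop replays

def canonical(method: str, path: str, timestamp: str, body: bytes) -> bytes:
    """The string that gets signed: every field an attacker might want to change."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, body_hash]).encode("utf-8")

def sign_request(key_id: str, secret: bytes, method: str, path: str,
                 body: bytes = b"", now: Optional[float] = None) -> Dict[str, str]:
    """Client side. Key id, timestamp and signature travel in headers, never in the URL."""
    ts = str(int(time.time() if now is None else now))
    sig = hmac.new(secret, canonical(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-Api-Key-Id": key_id, "X-Timestamp": ts, "X-Signature": sig}

def verify_request(headers: Dict[str, str], method: str, path: str,
                   body: bytes = b"", now: Optional[float] = None) -> Tuple[bool, str]:
    """Server side. Fail closed at the first check that does not pass."""
    secret = API_KEYS.get(headers.get("X-Api-Key-Id", ""))
    if secret is None:
        return False, "unknown key id"
    ts = headers.get("X-Timestamp", "")
    if not ts.isdigit():
        return False, "bad timestamp"
    now_i = int(time.time() if now is None else now)
    if abs(now_i - int(ts)) > MAX_SKEW:
        return False, "timestamp outside allowed window"
    expected = hmac.new(secret, canonical(method, path, ts, body), hashlib.sha256).hexdigest()
    provided = headers.get("X-Signature", "")
    if not hmac.compare_digest(expected.encode(), provided.encode()):
        return False, "signature mismatch"        # path, body or timestamp was altered
    # The timestamp only shortens the replay window; remember what was accepted and
    # drop entries that are too old to pass the window check anyway.
    for sig, seen_ts in list(_seen.items()):
        if now_i - seen_ts > MAX_SKEW:
            del _seen[sig]
    if provided in _seen:
        return False, "replay detected"
    _seen[provided] = int(ts)
    return True, "ok"

if __name__ == "__main__":
    hdrs = sign_request("key_01", API_KEYS["key_01"], "POST", "/v1/transfer?to=bob", b'{"amount": 10}')
    print(hdrs)
    print(verify_request(hdrs, "POST", "/v1/transfer?to=bob", b'{"amount": 10}'))   # (True, 'ok')
    print(verify_request(hdrs, "POST", "/v1/transfer?to=eve", b'{"amount": 10}'))   # (False, 'signature mismatch')
```

Because the query string is part of the signed path, a secret never needs to appear in the URL at all, and any tampering with `?to=` is caught by the signature rather than by a separate check.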