An API endpoint is the end of an API connection, where an API call is received.
After reading this article you will be able to:
Copy article link
An application programming interface (API) is a way for an application to request a service from another application. APIs enable developers to avoid rebuilding application features that already exist. An API endpoint is the place where those requests (known as API calls) are fulfilled.
If Alice and Bob are talking to each other on the phone, Alice's words travel to Bob and vice versa. Alice directs her words at the "endpoint" of the conversation: Bob.
Alice: "Hello, Bob" ----------> Bob
Similarly, an API integration is like a conversation. But instead of saying "Hello," an API client says something like "I need some data" to the API server — making an API call. The API server endpoint then says "Here is the data" — an API response. And API endpoints are not physical entities like Alice and Bob; they exist in software, not hardware.
APIs are hosted on one or more servers — specialized computers that store data and execute software programs. Each server "serves" data, content, and software functionality to other devices over the Internet. The API endpoint is almost always hosted on a server.
The other end of the API connection is the API client — the entity requesting services from the API. Some call this the API "user," even though most API calls are automated.
To be usable, an API has to have documentation. The documentation indicates, among other things, what types of requests the API will accept, what the API can do, how it formats its responses, and what its endpoints are. Developers can review an API's documentation and incorporate this information as they build their applications.
As an example, see Cloudflare's API documentation, including what the endpoints are, here: https://api.cloudflare.com/
Uniform resource locators (URLs) are used for multiple purposes on the web, including locating webpages. For example, the URL for the American English version of this webpage is https://www.cloudflare.com/learning/security/api/what-is-api-endpoint/. When a user enters that URL into their browser, the browser knows where to find this webpage and can load it.
URLs also indicate API endpoints. When Alice and Bob talk on the phone, Alice calls Bob at Bob's phone number. Similarly, an API endpoint URL is like a phone number for making API calls.
An API server can host one or multiple API endpoints, meaning it will accept and process calls directed at those endpoints' URLs. API clients also need to have a URL so that the API server knows where to send its replies, just as Bob and Alice both need a phone number for phone calls between them to work. Developers set this URL when building their applications.
A URL always includes the application layer protocol, such as HTTP, used to reach it. Most web APIs use HTTP, so that is included in the API endpoint's URL.
A properly designed API does not accept API calls from just anybody. This would leave the API server open to receiving malicious data from attackers. In addition, API usage often costs money, so in those cases the API server has to check if the API call comes from a paying customer.
For these reasons, the API server has to make sure that the API client where the call comes from is known and trusted. It does this via authentication.
Authentication is the process of verifying identity. Just as there are several ways for a human user to authenticate to a system, there are four main ways that API endpoints can enforce authentication:
In many cases, mutual TLS is the most effective authentication method. For one thing, it authenticates both endpoint and client, not just the client, so both sides can be sure they are receiving data from a legitimate source. It also uses private keys, which are never shared between endpoints and therefore cannot be intercepted in transit. On the other hand, API keys, passwords, and tokens can all be duplicated or stolen.
Cloudflare API Shield uses mutual TLS to authenticate API endpoints and clients, helping protect both sides from an attack. API Shield also offers several other API security features, including rate limiting and data loss prevention (DLP) — learn more about API Shield.
About Web Application Security
Learning Center Navigation