An API call, or API request, allows one application to request data or services from another application. Most web applications regularly make API calls.
Application programming interfaces (APIs) are a way for one program to interact with another. API calls are the medium by which they interact. An API call, or API request, is a message sent to a server asking an API to provide a service or information.
If Jan is hosting a lot of guests for dinner, she might call a catering company and ask that they prepare food for the party. This saves her a great deal of time and effort preparing food herself. Similarly, one application can "call" another for needed data or functionality. This ensures developers do not have to spend time and effort building application capabilities that can be integrated via API.
Because APIs are integrated into almost all web applications today, API calls take place behind the scenes all the time. Suppose someone searches for bus tickets on a travel website. The travel website sends an API call to the various bus companies' servers and receives back information about what rides are available and how much they cost. From the user's perspective, this process should be almost instantaneous.
API calls travel from a client to an API endpoint. API endpoints are the places that an API calls go to — most often, a web application and a server. A mobile client, for example, generates an API call that goes to the API endpoint, a server. The server receives the API call, processes it, executes the request, and sends a response.
When Jan (from the analogy above) calls the catering company, she does so by dialing a phone number. Similarly, API calls are directed at a uniform resource identifier (URI).
A URI is a standardized way to identify a resource, just as a phone number identifies a phone line. The identified resource could be a website, an application, a server, an email contact, or even a real-world item.
For web APIs, typically the URI is a uniform resource locator (URL). A URL is a type of URI for identifying Internet locations like a website or a server. A URL has to include the application layer protocol, such as HTTP, used to reach it. Webpage addresses are written as URLs, like "https://www.cloudflare.com/learning." API endpoints are URLs too.
Most web APIs use HTTP, so that is included in the API endpoint's URL. For example, the basic Cloudflare API endpoint is "https://api.cloudflare.com/client/v4/" (learn more). HTTP-based API calls use HTTP verbs (types of requests) like
PUT to denote what service or resource they need from the API endpoint.
Like anything exposed to the Internet, APIs are vulnerable to attacks from a variety of sources. Attackers can use API calls in several ways to attack an API, including:
These attacks and others can negatively impact an organization that provides API services.
The following strategies can help keep APIs secure.