What is an API?

An application programming interface (API) is a way for one piece of software to use the functions of another piece of software.

Learning Objectives

After reading this article you will be able to:

  • Define 'API'
  • Explain API calls, API endpoints, API schema, and API integration
  • Describe web APIs, SOAP APIs, and REST APIs
  • Understand API security protections

Related Content


Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is an application programming interface (API)?

An application programming interface (API) is a set of rules that enables a software program to transmit data to another software program.

APIs enable developers to avoid redundant work; instead of building and rebuilding application functions that already exist, developers can incorporate existing ones into their new applications by formatting requests as the API requires.

An API is an "interface," meaning a way for one thing to interact with another. As a real-world example, an ATM has an interface — a screen and several buttons — allowing customers to interact with their bank and request services, like getting cash. Similarly, an API is how one piece of software interacts with another program to obtain needed services.

Imagine Jennifer builds a website that helps commuters check highway traffic before they leave for work. Jennifer could spend a lot of time and money setting up a complex highway tracking system to provide this information to her website's users. But these capabilities already exist, as outside parties have created such systems. Instead of reinventing the wheel in this way, Jennifer's website uses an API that is offered by an external highway tracking service. Now Jennifer can focus on building other aspects of the website.

What is an API call?

An API call, also known as an API request, is a message directed at an API that triggers the API's use.

Referring back to the example, Jennifer constructs her website in such a way that when it loads, it automatically generates an API call to the highway tracking service. The response comes back to the website from that service and enables it to display the latest highway traffic information.

API calls have to be formatted in accordance with the API's requirements in order to work. The API's requirements are called its "schema." The schema also describes the types of responses that are provided to each request.

Suppose a commuter uses Jennifer's website to check traffic on Highway 192. The website sends an API call to provide this information — a message that reads "Highway 192." The highway tracking service's API server receives this message and replies with travel times on Highway 192. Imagine the API's schema in this way:

API request API response
"Highway 192" Travel times on Highway 192
"Highway 217" Travel times on Highway 217
"Highway 225" Travel times on Highway 225

(Note that this is a highly simplified example — real-world API requests, responses, and schemas are more complex.)

Now suppose that Jennifer's website sends an API request for "Highway ASDFGHJ." This is not a valid request because it does not conform to the API's schema, which only allows for actual names of highways. The server will not be able to provide a usable response to such a request.

What is an API endpoint?

An endpoint is the end of a communications channel. An API endpoint is the place where an API response originates from.

In the example, the client of the API connection is Jennifer's website, and the endpoint is the server that hosts the API. Jennifer's API calls have to go to a certain URL (a URL is a web address, like www.cloudflare.com/learning) that the API server is responsible for in order to get a response.

What is API integration?

API integration is the combination of two or more applications using APIs. API integration is what enables one application to benefit from the capabilities of another application, just as combining a sales team and a marketing team in one office enables those two teams to work together and benefit from each other's efforts. API integrations are also commonly used to synchronize data between two applications or databases.

What is a web API?

Anything that involves computer code can have an API, from operating systems to software libraries. A web API is specifically for use by web applications that are accessed over the Internet.

Web APIs are incredibly important for the modern Internet. Almost all user-facing applications rely on APIs to function (not just Jennifer's website!). Entire software development philosophies rely on the use of APIs — one such philosophy is JAMstack, with JAM standing for JavaScript, APIs, markup. Another example is microservices architecture, which uses APIs in order to call the different functions that make up an application. Even applications built without these approaches usually rely on APIs.

What are SOAP APIs and REST APIs?

SOAP APIs and REST APIs describe different categories of APIs.

SOAP (Simple Object Access Protocol) is a type of protocol. SOAP APIs are APIs that only use the SOAP protocol.

REST (REpresentational State Transfer) is an architectural style for web services. A REST API is any API built using REST architecture. Unlike SOAP APIs, REST APIs work with any protocol. Most APIs today are REST APIs.

Do APIs introduce security risks?

Just as allowing a person to use an application introduces the risk that the person will abuse the application, an API introduces the risk that an API client will abuse the service. Additionally, web API calls travel over the Internet and can be intercepted, spoofed, or modified just like any other data transfer over a network.

API security is the practice of protecting APIs from attacks and abuse. Given the importance of APIs to the modern Internet, API security is a core component of web application security. Crucial API security measures include:

  • Rate limiting: Clients who make too many API requests can slow down or crash the API for other clients. Rate limiting puts a cap on how many API requests can come from a given API endpoint within a certain timeframe.
  • DDoS protection: Similar to rate limiting, distributed denial-of-service (DDoS) protection stops DDoS attacks, which aim to exhaust or overwhelm an API with a large amount of requests sent all at once.
  • Authentication: It is important to authenticate API endpoints and clients in order to make sure that API requests come from legitimate sources and not from attackers. Mutual TLS (mTLS) is one of the most effective forms of API authentication.
  • Schema validation: If an API request does not conform to the API's schema, the API may react in unexpected ways — by revealing confidential data, for instance. Schema validation enables an API to drop such requests.

Cloudflare API Gateway includes these and other security features to protect against API threats. To read about API security in more depth, see What is API security?