What is an API call?

An API call, or API request, allows one application to request data or services from another application. Most web applications regularly make API calls.

Learning Objectives

After reading this article you will be able to:

  • Define API call
  • Understand how API calls are used
  • Learn how attackers can use API calls

Related Content


Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is an API call?

Application programming interfaces (APIs) are a way for one program to interact with another. API calls are the medium by which they interact. An API call, or API request, is a message sent to a server asking an API to provide a service or information.

If Jan is hosting a lot of guests for dinner, she might call a catering company and ask that they prepare food for the party. This saves her a great deal of time and effort preparing food herself. Similarly, one application can "call" another for needed data or functionality. This ensures developers do not have to spend time and effort building application capabilities that can be integrated via API.

Because APIs are integrated into almost all web applications today, API calls take place behind the scenes all the time. Suppose someone searches for bus tickets on a travel website. The travel website sends an API call to the various bus companies' servers and receives back information about what rides are available and how much they cost. From the user's perspective, this process should be almost instantaneous.

Where does an API call go?

API calls travel from a client to an API endpoint. API endpoints are the places that an API calls go to — most often, a web application and a server. A mobile client, for example, generates an API call that goes to the API endpoint, a server. The server receives the API call, processes it, executes the request, and sends a response.

When Jan (from the analogy above) calls the catering company, she does so by dialing a phone number. Similarly, API calls are directed at a uniform resource identifier (URI).

A URI is a standardized way to identify a resource, just as a phone number identifies a phone line. The identified resource could be a website, an application, a server, an email contact, or even a real-world item.

For web APIs, typically the URI is a uniform resource locator (URL). A URL is a type of URI for identifying Internet locations like a website or a server. A URL has to include the application layer protocol, such as HTTP, used to reach it. Webpage addresses are written as URLs, like "https://www.cloudflare.com/learning." API endpoints are URLs too.

Most web APIs use HTTP, so that is included in the API endpoint's URL. For example, the basic Cloudflare API endpoint is "https://api.cloudflare.com/client/v4/" (learn more). HTTP-based API calls use HTTP verbs (types of requests) like GET, POST, and PUT to denote what service or resource they need from the API endpoint.

How can API calls be used for an attack?

Like anything exposed to the Internet, APIs are vulnerable to attacks from a variety of sources. Attackers can use API calls in several ways to attack an API, including:

  • Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks: This type of attack denies service to other users of the API. Attackers can flood an API with API calls, or structure their API calls in such a way that they tie up the server for a long time.
  • Vulnerability exploits: Attackers can try sending API calls that take advantage of a flaw in the API to trick the server into revealing data it should not, perform in a way it is not designed for, or give them unauthorized access.

These attacks and others can negatively impact an organization that provides API services.

How to secure APIs from invalid API calls

The following strategies can help keep APIs secure.

  • Understand and track API endpoints: Maintain an updated list of all API endpoints in production.
  • Verify API clients: Authentication ensures that API calls come from a legitimate client. There are several ways to do this, but one of the most effective is mutual TLS, an authentication method in which each API endpoint verifies the other using public key cryptography.
  • Validate API schema: An API's schema is like its rules for usage. If an API call does not follow the schema, it may be a malicious attempt to exploit the API. API schema validation helps identify and block invalid API calls.
  • Use DDoS mitigation: A DDoS mitigation provider blocks or absorbs excessive requests so that a server does not become overwhelmed. Cloudflare is one such provider.

Read in more depth about API security. Or, read about Cloudflare API Shield, which protects APIs from a wide range of attacks.