Application Programming Interfaces (APIs) have become a key component of software interaction and integration over the internet in the last decade. APIs serve as the bridge that allows applications to communicate effectively with each other using a set of predefined rules.
An API comes into play when one application needs to connect to another. The connection starts with one application initiating an interaction in the form of an API request. The receiving application runs a specific program and then answers with an API response. The entire exchange is called an API transaction, and it can take place with or without web access. APIs make it possible for very different applications to interact with one another over the internet seamlessly, be it your mobile phone with the Twitter server or your games console with the server of a game you are playing cross-platform.
Think of APIs as a translator helping two people speaking different languages communicate effectively.
There are various ways to classify APIs under the term “types”. The first way is generally based on their intended scope of use. These are often called the four main types of APIs and they are:
Open/public APIs: As the name implies, an open or public API is made publicly available to just about anyone who wants to use it, and it is designed to be freely shared over the internet. Public APIs require little or no Identity and Access Management, and monetization only occurs if the developer of the API assigns a per-call charge for using it. Open APIs are the least secure type of API.
Partner APIs: Partner APIs are license-based APIs used mainly to facilitate communication between applications on a business-to-business level. Partner APIs are built specifically for use by business partners who pay on a subscription basis to facilitate communication between various enterprise-level applications. As partner APIs require stronger authorization mechanisms, authentication mechanisms, and overall security measures, they are much more secure than public APIs.
Private APIs: Private APIs, also called internal APIs, are hosted in-house and used by developers or personnel within an organization to foster communication between its applications. Private APIs are not meant to be shared with anyone outside the organization, and they are often not the most secure APIs because proper authentication and authorization for users is lacking. Private APIs usually rely on the overall security posture of the organization they belong to and rarely have security controls of their own. However, companies are adopting stronger security policies to protect private APIs.
Composite APIs: Composite APIs combine several API requests sequentially into a single API call. They make it possible for a client to issue a chain of calls and receive one response in return rather than several. Overall, composite APIs help with speed and efficiency when a client and a server need to exchange complex, multi-step API calls.
APIs can also be classified based on the type of protocols they use. This classification of APIs based on protocols is often called Web Service APIs or API architectural styles and they are:
REST: REST (Representational State Transfer), also known as the RESTful style, is an API architectural style that accesses and manipulates data using HTTP requests. REST is the most commonly used API architectural style, accounting for over 70% of all public APIs. REST APIs are used mainly for client/server interactions with web applications, returning responses from web resources in formats such as JSON, XML, or HTML.
REST APIs are uniform, stateless, and cacheable: the overall architecture is simplified, each request carries all of the information necessary to understand and complete it, and response data can be reused for future requests. REST APIs use SSL/TLS, i.e. HTTPS, to transfer API requests securely between client and server.
A typical REST API exchange comprises a URI, the HTTP method, headers, and a response.
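The three REST properties above can be seen in a handful of lines. The following is an added example, not code from the article: a minimal in-memory REST handler whose resource names, bearer token and store are constructed for illustration. Every request must carry its own `Authorization` header (stateless), the URI and method select the operation (uniform interface), and only successful GET responses are marked cacheable.

```python
"""Minimal in-memory REST handler: uniform interface, stateless auth,
cacheable reads. Added example; token, store and resource names are constructed."""
from typing import Any, Dict, Optional, Tuple

# Constructed data: one valid bearer token and a tiny resource store.
VALID_TOKENS = {"demo-token-123"}
STORE: Dict[str, Dict[str, Any]] = {"1": {"id": "1", "name": "widget"}}

JSON = {"Content-Type": "application/json"}


def handle_request(method: str, uri: str, headers: Dict[str, str],
                   body: Optional[Dict[str, Any]] = None) -> Tuple[int, Dict[str, str], Dict[str, Any]]:
    """Dispatch one request and return (status, response_headers, response_body).

    REST is stateless, so the credential is checked on every call; nothing is
    remembered from an earlier request."""
    auth = headers.get("Authorization", "")
    if not (auth.startswith("Bearer ") and auth[len("Bearer "):] in VALID_TOKENS):
        return 401, dict(JSON), {"error": "unauthorized"}

    parts = [p for p in uri.split("/") if p]
    if not parts or parts[0] != "items":
        return 404, dict(JSON), {"error": "not found"}

    if method == "GET" and len(parts) == 2:
        item = STORE.get(parts[1])
        if item is None:
            return 404, dict(JSON), {"error": "not found"}
        # A successful GET is safe to cache; Cache-Control tells clients for how long.
        return 200, {**JSON, "Cache-Control": "max-age=60"}, item

    if method == "POST" and len(parts) == 1 and body is not None:
        new_id = str(len(STORE) + 1)
        item = {"id": new_id, "name": str(body.get("name", ""))}
        STORE[new_id] = item
        # Writes are never cached; Location points at the new resource's URI.
        return 201, {**JSON, "Cache-Control": "no-store", "Location": f"/items/{new_id}"}, item

    return 405, {**JSON, "Allow": "GET, POST"}, {"error": "method not allowed"}


if __name__ == "__main__":
    print(handle_request("GET", "/items/1", {}))                                   # 401
    print(handle_request("GET", "/items/1", {"Authorization": "Bearer demo-token-123"}))  # 200
```

Note that a missing or wrong token is rejected before the URI is even parsed, which is the check a real deployment would push to the gateway or framework middleware rather than repeat per handler.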
SOAP: SOAP (Simple Object Access Protocol) is a well-defined, highly structured, and strictly regulated API type that uses a messaging format to exchange information in XML. Both public and private APIs make use of SOAP, with its more than 20 distinct methods, which can be used in any programming language that supports web services. SOAP has no architectural pattern of its own, which makes it impossible to use alongside REST.
In terms of security, SOAP utilizes SSL (Secure Sockets Layer) and WS-Security. The anatomy of a SOAP message comprises an Envelope, a Header, a Body, and a Fault, which is used for error handling.
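To make the Envelope/Header/Body/Fault anatomy concrete, here is an added example (not from the article) that builds a SOAP 1.1 request and parses a response, distinguishing a normal result from a Fault. The service namespace `urn:example:inventory`, the `GetStock` operation, the `AuthToken` header element and the sample responses are all constructed for illustration.

```python
"""Build a SOAP 1.1 envelope and parse a response, including a Fault.
Added example; service namespace, operation, header element and sample
responses are constructed, not taken from any real service."""
import xml.etree.ElementTree as ET
from typing import Any, Dict, Optional

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
SVC_NS = "urn:example:inventory"                         # constructed service namespace

ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("svc", SVC_NS)


def build_envelope(operation: str, params: Dict[str, Any], auth_token: Optional[str] = None) -> bytes:
    """Serialize an Envelope with an optional Header and a Body carrying the call."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    if auth_token is not None:
        header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
        # Constructed header element; real services carry WS-Security tokens here.
        ET.SubElement(header, f"{{{SVC_NS}}}AuthToken").text = auth_token
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    call = ET.SubElement(body, f"{{{SVC_NS}}}{operation}")
    for name, value in params.items():
        ET.SubElement(call, f"{{{SVC_NS}}}{name}").text = str(value)
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_response(xml_bytes: bytes) -> Dict[str, Any]:
    """Return {'ok': True, 'result': {...}} or {'ok': False, 'fault': {...}}.

    The stdlib parser is used here for brevity; a message from an untrusted
    peer should be parsed with entity expansion disabled (e.g. defusedxml)."""
    root = ET.fromstring(xml_bytes)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("missing soap:Body")
    fault = body.find(f"{{{SOAP_NS}}}Fault")
    if fault is not None:
        # SOAP 1.1 fault children are unqualified (no namespace).
        return {"ok": False, "fault": {"code": fault.findtext("faultcode", ""),
                                       "string": fault.findtext("faultstring", "")}}
    result: Dict[str, Any] = {}
    for response_elem in body:            # one operation response element
        for field in response_elem:
            result[field.tag.split("}")[-1]] = field.text
    return {"ok": True, "result": result}


# Constructed sample responses, as a server might return them.
SAMPLE_OK = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:svc="urn:example:inventory">
  <soap:Body><svc:GetStockResponse><svc:sku>A-100</svc:sku><svc:quantity>42</svc:quantity></svc:GetStockResponse></soap:Body>
</soap:Envelope>"""

SAMPLE_FAULT = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><soap:Fault><faultcode>soap:Client</faultcode><faultstring>Unknown SKU</faultstring></soap:Fault></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print(build_envelope("GetStock", {"sku": "A-100"}, auth_token="t0k3n").decode())
    print(parse_response(SAMPLE_OK))
    print(parse_response(SAMPLE_FAULT))
```

The `faultcode` of `soap:Client` versus `soap:Server` is what a client uses to decide whether retrying makes sense; a Fault is an ordinary, well-formed envelope, so error handling never needs to fall back to scraping free text.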
RPC: The Remote Procedure Call or RPC is the earliest and the most basic type of API. It is a client-server architecture used for building distributed applications. RPC allows a means to run locally initiated workloads remotely, connecting users to services running on external networks easily. RPC has multi-threading, which allows users to make multiple API calls simultaneously albeit with synchronous responses.
To support API calls between services on external networks, RPC relies on an Interface Definition Language (IDL), which serves as the communicative link between servers that sit on different external networks and are built in different programming languages. RPC also supports JSON and XML as message formats, giving rise to JSON-RPC and XML-RPC.
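The defining feature of RPC is that the client names a procedure and the server runs it. The following added example (not from the article) is a tiny JSON-RPC 2.0 dispatcher: the `add` and `echo` procedures and the request strings are constructed, and the error codes are the ones the JSON-RPC 2.0 specification defines. The important design point is that the request's `method` string is looked up in an explicit allowlist, never resolved by reflection against arbitrary objects.

```python
"""Tiny JSON-RPC 2.0 dispatcher with an explicit procedure allowlist and
spec-defined error codes. Added example; procedures are constructed."""
import json
from typing import Any, Callable, Dict


def add(a: float, b: float) -> float:
    return a + b


def echo(message: str) -> str:
    return message


# Only procedures registered here are callable. The "method" string from the
# wire is a dictionary key, so a caller cannot reach anything not listed.
PROCEDURES: Dict[str, Callable[..., Any]] = {"add": add, "echo": echo}


def _error(req_id: Any, code: int, message: str) -> Dict[str, Any]:
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def dispatch(raw: str) -> Dict[str, Any]:
    """Handle one JSON-RPC 2.0 request string and return the response object."""
    try:
        req = json.loads(raw)
    except json.JSONDecodeError:
        return _error(None, -32700, "Parse error")
    if (not isinstance(req, dict) or req.get("jsonrpc") != "2.0"
            or not isinstance(req.get("method"), str)):
        return _error(req.get("id") if isinstance(req, dict) else None, -32600, "Invalid Request")
    req_id = req.get("id")
    proc = PROCEDURES.get(req["method"])
    if proc is None:
        return _error(req_id, -32601, "Method not found")
    params = req.get("params", [])
    try:
        if isinstance(params, dict):      # by-name parameters
            result = proc(**params)
        elif isinstance(params, list):    # positional parameters
            result = proc(*params)
        else:
            return _error(req_id, -32602, "Invalid params")
    except TypeError:
        # Wrong arity or unknown keyword; a real server would log the detail
        # and return only this generic message to the caller.
        return _error(req_id, -32602, "Invalid params")
    return {"jsonrpc": "2.0", "id": req_id, "result": result}


if __name__ == "__main__":
    print(dispatch('{"jsonrpc": "2.0", "id": 1, "method": "add", "params": [2, 3]}'))
    print(dispatch('{"jsonrpc": "2.0", "id": 2, "method": "shutdown"}'))
```

Positional and by-name parameter passing both map directly onto the Python call, which is what makes the IDL-style contract (procedure name plus typed parameters) easy to enforce at the boundary.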
GraphQL: GraphQL is a developer-friendly, fast and flexible open-source data query language and server-side runtime for application programming interfaces (APIs). GraphQL can be used from an integrated development environment (IDE); that environment is known as GraphiQL.
GraphQL allows developers to construct requests that pull data from multiple sources using a single API call, while also allowing fields to be added or removed without affecting existing queries. GraphQL also lets developers define a schema, which is a structure describing all of the data that can be queried. As a query comes in, GraphQL checks it against the schema and validates it before executing it.
Being open source, GraphQL offers better features and flexibility than REST API and continues to grow in popularity, allowing for developers to add to the already existing codebase. GraphQL does present some additional security challenges, so developers should understand those vulnerabilities.
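The schema check described above, together with one of the additional safeguards GraphQL servers need, is shown in this added example (not from the article): a validator for a simplified GraphQL selection set that rejects unknown fields, scalar fields with sub-selections, object fields without one, and queries nested deeper than a limit. The schema, the queries and the `MAX_DEPTH` value are constructed; arguments, aliases and fragments are deliberately not parsed, so this is a teaching subset of the language rather than a full GraphQL parser.

```python
"""Validate a simplified GraphQL selection set against a schema and enforce
a maximum query depth before execution. Added example; schema and queries
are constructed, and arguments/aliases/fragments are not supported."""
import re
from typing import Dict, List, Tuple

# Constructed schema: type name -> {field name: type of that field}.
SCHEMA: Dict[str, Dict[str, str]] = {
    "Query": {"user": "User"},
    "User": {"name": "String", "posts": "Post", "friends": "User"},
    "Post": {"title": "String", "author": "User"},
}
SCALARS = {"String", "Int", "Boolean"}
MAX_DEPTH = 4   # constructed limit; User.friends -> User makes unbounded nesting possible

_TOKEN = re.compile(r"[{}]|[A-Za-z_][A-Za-z0-9_]*")
Field = Tuple[str, List]   # (name, children)


def parse(query: str) -> List[Field]:
    """Parse '{ a b { c } }' into nested (name, children) tuples."""
    tokens = _TOKEN.findall(query)
    pos = 0

    def selection_set() -> List[Field]:
        nonlocal pos
        if pos >= len(tokens) or tokens[pos] != "{":
            raise ValueError("expected '{'")
        pos += 1
        fields: List[Field] = []
        while pos < len(tokens) and tokens[pos] != "}":
            name = tokens[pos]
            if name == "{":
                raise ValueError("unexpected '{'")
            pos += 1
            children = selection_set() if pos < len(tokens) and tokens[pos] == "{" else []
            fields.append((name, children))
        if pos >= len(tokens):
            raise ValueError("unterminated selection set")
        pos += 1                      # consume '}'
        return fields

    tree = selection_set()
    if pos != len(tokens):
        raise ValueError("trailing tokens")
    return tree


def validate(query: str) -> List[str]:
    """Return validation errors; an empty list means the query may execute."""
    try:
        tree = parse(query)
    except ValueError as exc:
        return [f"syntax: {exc}"]
    errors: List[str] = []

    def walk(fields: List[Field], type_name: str, depth: int) -> None:
        if depth > MAX_DEPTH:
            errors.append(f"query depth {depth} exceeds limit {MAX_DEPTH}")
            return
        for name, children in fields:
            field_type = SCHEMA.get(type_name, {}).get(name)
            if field_type is None:
                errors.append(f"unknown field '{name}' on type {type_name}")
            elif field_type in SCALARS:
                if children:
                    errors.append(f"scalar field '{name}' cannot have a selection set")
            elif not children:
                errors.append(f"field '{name}' of type {field_type} needs a selection set")
            else:
                walk(children, field_type, depth + 1)

    walk(tree, "Query", 1)
    return errors


if __name__ == "__main__":
    print(validate("{ user { name posts { title } } }"))                     # []
    print(validate("{ user { friends { friends { friends { name } } } } }"))  # depth error
```

Because `User.friends` returns another `User`, the schema alone does not bound how deep a query can go; the depth limit is the kind of extra validation the article alludes to when it says GraphQL brings security challenges of its own, and a real server would pair it with a cost or complexity budget.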
APIs can also be classified based on category. Category here basically means what type of software the APIs fall under. This represents a much broader scope of API types with categories ranging from Dictionary, Weather, Sports, News, Food & Restaurant, IP Geolocation, Machine Learning, Travel, Music, Anime & Manga, and Video Games APIs to Shipping, Blogging, Chat, Data, Text Summarization, Streaming, Facial Recognition, Finance, and Cloud APIs.
APIs are the very backbone of how applications communicate over the internet. As their popularity, importance, and usage have increased drastically over the past decade, so has attackers' focus on them. Over the past 12 months, companies have recorded a 681% increase in API attack traffic, with 95% of those companies also having an API security incident within that same time frame.
API security has increasingly become an important aspect of the overall security posture of most companies, as there has been a realization that traditional security solutions are often ineffective at guarding against API attacks. Instead, the focus has shifted toward better API security practices to ensure that APIs remain as safe as possible.
About the author
Musa is a certified Cybersecurity Analyst and Technical writer. He has experience working as a Security Operations Center (SOC) Analyst and Cyber Threat Intelligence Analyst (CTI) with a history of writing relevant cybersecurity content for organizations and spreading best security practices. He is a regular writer at Bora.
His other interests are Aviation, History, DevOps with Web3 and DevSecOps. In his free time, he enjoys burying himself in a book, watching anime, aviation documentaries and sports, and playing video games.