Hubbry Logo
Web APIWeb APIMain
Open search
Web API
Community hub
Web API
logo
8 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Web API
Web API
Web API
View on Wikipedia
from Wikipedia
Screenshot of web API documentation written by NASA

A web API is an application programming interface (API) for either a web server or a web browser. As a web development concept, it can be related to a web application's client side (including any web frameworks being used). A server-side web API consists of one or more publicly exposed endpoints to a defined request–response message system, typically expressed in JSON or XML by means of an HTTP-based web server.

A server API (SAPI) is not considered a server-side web API, unless it is publicly accessible by a remote web application.

Screenshot of a public web API documentation page published by NASA

A web API is an application programming interface (API) that is designed to be accessed over the World Wide Web. It may be implemented on either the web server or the web browser side.

In the context of web development, web APIs commonly interact with the client-side of a web application (including those built using various web frameworks). A server-side web API typically exposes one or more public endpoints that accept and return standard request–response messages, most often formatted in JSON or XML, and communicated via the HTTP protocol.

A server API (SAPI) is not necessarily considered a web API unless it is publicly reachable by a remote client over HTTP or a related web transport mechanism.

Client side

[edit]

A client-side web API is a programmatic interface to extend functionality within a web browser or other HTTP client. Originally these were most commonly in the form of native plug-in browser extensions however most newer ones target standardized JavaScript bindings.

The Mozilla Foundation created their WebAPI specification which is designed to help replace native mobile applications with HTML5 applications.[1][2]

Google created their Native Client architecture which is designed to help replace insecure native plug-ins with secure native sandboxed extensions and applications. They have also made this portable by employing a modified LLVM AOT compiler.

Server side

[edit]

A server-side web API consists of one or more publicly exposed endpoints to a defined request–response message system, typically expressed in JSON or XML. The web API is exposed most commonly by means of an HTTP-based web server.

Mashups are web applications which combine the use of multiple server-side web APIs.[3][4][5] Webhooks are server-side web APIs that take input as a Uniform Resource Identifier (URI) that is designed to be used like a remote named pipe or a type of callback such that the server acts as a client to dereference the provided URI and trigger an event on another server which handles this event thus providing a type of peer-to-peer IPC.

Endpoints

[edit]

Endpoints are important aspects of interacting with server-side web APIs, as they specify where resources lie that can be accessed by third party software. Usually the access is via a URI to which HTTP requests are posted, and from which the response is thus expected. Web APIs may be public or private, the latter of which requires an access token.[6]

Endpoints need to be static, otherwise the correct functioning of software that interacts with them cannot be guaranteed. If the location of a resource changes (and with it the endpoint) then previously written software will break, as the required resource can no longer be found at the same place. As API providers still want to update their web APIs, many have introduced a versioning system in the URI that points to an endpoint.

Resources versus services

[edit]

Web 2.0 Web APIs often use machine-based interactions such as REST and SOAP. RESTful web APIs use HTTP methods to access resources via URL-encoded parameters, and use JSON or XML to transmit data. By contrast, SOAP protocols are standardized by the W3C and mandate the use of XML as the payload format, typically over HTTP. Furthermore, SOAP-based Web APIs use XML validation to ensure structural message integrity, by leveraging the XML schemas provisioned with WSDL documents. A WSDL document accurately defines the XML messages and transport bindings of a Web service.

Documentation

[edit]

Server-side web APIs are interfaces for the outside world to interact with the business logic. For many companies this internal business logic and the intellectual property associated with it are what distinguishes them from other companies, and potentially what gives them a competitive edge. They do not want this information to be exposed. However, in order to provide a web API of high quality, there needs to be a sufficient level of documentation. One API provider that not only provides documentation, but also links to it in its error messages is Twilio.[7]

However, there are now directories of popular documented server-side web APIs.[8]

Growth and impact

[edit]

The number of available web APIs has grown consistently over the past years, as businesses realize the growth opportunities associated with running an open platform, that any developer can interact with. ProgrammableWeb tracks over 24000 Web APIs that were available in 2022, up from 105 in 2005.

Web APIs have become ubiquitous. There are few major software applications/services that do not offer some form of web API. One of the most common forms of interacting with these web APIs is via embedding external resources, such as tweets, Facebook comments, YouTube videos, etc. In fact there are very successful companies, such as Disqus, whose main service is to provide embeddable tools, such as a feature-rich comment system.[9] Any website of the TOP 100 Alexa Internet ranked websites uses APIs and/or provides its own APIs, which is a very distinct indicator for the prodigious scale and impact of web APIs as a whole.[10]

As the number of available web APIs has grown, open source tools have been developed to provide more sophisticated search and discovery. APIs.json provides a machine-readable description of an API and its operations, and the related project APIs.io offers a searchable public listing of APIs based on the APIs.json metadata format.[11][12]

Business

[edit]

Commercial

[edit]

Many companies and organizations rely heavily on their Web API infrastructure to serve their core business clients. In 2014 Netflix received around 5 billion API requests, most of them within their private API.[13]

Governmental

[edit]

Many governments collect a lot of data, and some governments are now opening up access to this data. The interfaces through which this data is typically made accessible are web APIs. Web APIs allow for data, such as "budget, public works, crime, legal, and other agency data"[14] to be accessed by any developer in a convenient manner.

Example

[edit]

An example of a popular web API is the Astronomy Picture of the Day API operated by the American space agency NASA. It is a server-side API used to retrieve photographs of space or other images of interest to astronomers, and metadata about the images.

According to the API documentation,[15] the API has one endpoint: 

https://api.nasa.gov/planetary/apod[permanent dead link]

The documentation states that this endpoint accepts GET requests. It requires one piece of information from the user, an API key, and accepts several other optional pieces of information. Such pieces of information are known as parameters. The parameters for this API are written in a format known as a query string, which is separated by a question mark character (?) from the endpoint. An ampersand (&) separates the parameters in the query string from each other. Together, the endpoint and the query string form a URL that determines how the API will respond. This URL is also known as a query or an API call.

In the below example, two parameters are transmitted (or passed) to the API via the query string. The first is the required API key and the second is an optional parameter — the date of the photograph requested. 

https://api.nasa.gov/planetary/apod?api_key=DEMO_KEY&date=1996-12-03

Visiting the above URL in a web browser will initiate a GET request, calling the API and showing the user a result, known as a return value or as a return. This API returns JSON, a type of data format intended to be understood by computers, but which is somewhat easy for a human to read as well. In this case, the JSON contains information about a photograph of a white dwarf star: 

{
  "date":"1996-12-03",
  "explanation":"Like a butterfly,\r a white dwarf star begins its life\r by casting off a cocoon that enclosed its former self. In this\r analogy, however, the Sun would be\r a caterpillar\r and the ejected shell of gas would become the prettiest of all!\r The above cocoon, the planetary nebula\r designated NGC 2440, contains one of the hottest white dwarf stars known.\r The white dwarf can be seen as the bright dot near the photo's\r center. Our Sun will eventually become a \"white dwarf butterfly\",\r but not for another 5 billion years. The above false color image recently entered the public domain\r and was post-processed by F. Hamilton.\r",
  "hdurl":"https://apod.nasa.gov/apod/image/9612/ngc2440_hst2_big.jpg",
  "media_type":"image",
  "service_version":"v1",
  "title":"Cocoon of a New White Dwarf\r\nCredit:",
  "url":"https://apod.nasa.gov/apod/image/9612/ngc2440_hst2.jpg"
}

The above API return has been reformatted so that names of JSON data items, known as keys, appear at the start of each line. The last of these keys, named url, indicates a URL which points to a photograph: 

https://apod.nasa.gov/apod/image/9612/ngc2440_hst2.jpg

Following the above URL, a web browser user would see this photo:

Cocoon of a New White Dwarf

Although this API can be called by an end user with a web browser (as in this example) it is intended to be called automatically by software or by computer programmers while writing software. JSON is intended to be parsed by a computer program, which would extract the URL of the photograph and the other metadata. The resulting photo could be embedded in a website, automatically sent via text message, or used for any other purpose envisioned by a software developer.

See also

[edit]

References

[edit]

Further reading

[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Web API

View on Grokipedia
from Grokipedia
A Web API is an application programming interface (API) for either a or a , enabling communication between software applications over the web, typically using HTTP. Browser Web APIs consist of interfaces that allow developers to interact with browser functionality, device hardware, or external services, such as retrieving geolocation data or fetching network resources, without low-level implementation. Web APIs are integral to modern web development, supporting standards from organizations like the (W3C). Key browser examples include the Fetch API, a modern replacement for to handle HTTP requests and responses; the Geolocation API, for accessing user location coordinates with permission; and the Document Object Model (DOM) API, for representing and manipulating web page structure and content. Server-side Web APIs expose data and services over HTTP, often following architectural styles like , to facilitate client-server interactions in distributed systems. This dual application underscores Web APIs' role in bridging frontend and backend development for seamless web ecosystem integration.

Fundamentals

Definition and Scope

A Web API is a set of protocols and definitions that enable the building and consumption of web-based services, typically transmitted over HTTP or to facilitate machine-to-machine communication between applications. These interfaces expose data and functionality from a server to clients, such as other servers, mobile apps, or web browsers, allowing seamless integration without direct access to the underlying . Unlike local function calls, Web APIs operate remotely across networks, leveraging uniform resource identifiers (URIs) to address specific resources or endpoints. Key characteristics of Web APIs, particularly those following principles, include , where each request from a client must contain all necessary information for the server to process it independently, without relying on stored session data from prior interactions. They utilize standard web protocols like HTTP for request-response cycles, supporting formats such as or XML for data exchange. Web APIs can adopt resource-oriented designs, treating data as addressable entities manipulated via standardized operations, or action-oriented approaches that invoke specific procedures, providing flexibility for various use cases. Web APIs differ from general APIs in their web-specific constraints, such as reliance on URI addressing and HTTP methods for invocation, whereas general APIs encompass local libraries or operating system interfaces that do not require network transport. In contrast to broader web services, which may include more structured protocols like for enterprise interoperability, Web APIs emphasize lightweight, HTTP-centric communication often aligned with modern architectural styles. HTTP serves as the foundational protocol, enabling scalable, platform-agnostic interactions. The scope of Web APIs extends to public (open) APIs available to external developers for broad integration, private (internal) APIs used within an to connect systems, and partner APIs shared selectively with business collaborators for ecosystem expansion. They play a central role in architectures by enabling loosely coupled services to communicate efficiently, often through composite APIs that aggregate multiple backend functions, and in environments where they support scalable, on-demand resource access across distributed systems.

History and Evolution

The development of Web APIs originated in the late 1990s as precursors to modern web services, driven by the need for over the internet. , first specified in June 1998 by of UserLand Software, introduced a lightweight protocol for remote procedure calls using XML payloads transported via HTTP, enabling simple client-server interactions without complex . This was soon followed by (Simple Object Access Protocol), initially proposed in a 1998 Microsoft whitepaper and formalized in version 1.1 in May 2000 through collaboration among , DevelopMentor, and UserLand, which extended with support for richer data types, error handling, and WS-* standards for enterprise interoperability. These early protocols emphasized structured messaging but were often verbose and tightly coupled to XML, setting the stage for more flexible paradigms. A transformative milestone occurred in May 2000 when outlined the architectural style in his doctoral dissertation, promoting stateless, resource-oriented designs that leverage HTTP's uniform interface for scalability and simplicity. REST gained traction in the mid-2000s through high-profile implementations, such as Twitter's public API launched in September 2006, which facilitated real-time data access for developers building social applications, and Facebook's Platform API introduced in May 2007, enabling third-party integrations that powered the social graph's expansion. These services highlighted REST's advantages in web-scale environments, shifting focus from SOAP's rigidity to lightweight, HTTP-native APIs. The marked a period of refinement and diversification, with emerging as the dominant data interchange format by the early decade, supplanting XML due to its human-readable syntax and native support in , as popularized by Douglas Crockford's 2001 specification. Standardization accelerated with the , initially released as Swagger 2.0 in September 2014 and rebranded under the OpenAPI Initiative in November 2015, providing a vendor-neutral format for describing ful APIs to automate documentation and client generation. Alternative protocols proliferated, including , open-sourced by in September 2015 to allow clients precise data querying and reduce over-fetching in , and , announced by in February 2015, which adapted high-performance RPC for web use via and . Into the 2020s, Web APIs integrated with emerging paradigms like , where AWS API Gateway's launch in July 2015 exemplified API-first design by decoupling backend logic into scalable, event-triggered functions, influencing platforms like Azure Functions (2016) and Cloud Functions (2018). , standardized by the W3C in December 2019, enhanced client-side API consumption by enabling near-native performance for modules in browsers, supporting complex interactions in applications like real-time analytics and as of 2025. Overall, usage evolved from SOAP's enterprise dominance to and GraphQL's prevalence in mobile, IoT, and ecosystems, prioritizing efficiency and developer velocity. As of 2025, notable trends include the acceleration of API-first development approaches, up 12% year-over-year, alongside greater emphasis on AI integration for automated API generation and robust security governance to address evolving cyber threats.

Architectural Styles

RESTful Design

Representational State Transfer (REST) is an architectural style for designing networked applications, emphasizing a set of constraints that promote scalability, simplicity, and evolvability in distributed systems. Introduced by Roy Fielding in his 2000 doctoral dissertation, REST defines six core constraints: client-server separation, statelessness, cacheability, a uniform interface, a layered system, and an optional code-on-demand capability. The client-server constraint separates user interface concerns from data storage, allowing the components to evolve independently while enabling portability of the user interface across different platforms. Statelessness requires that each client request contain all necessary information for the server to process it, without relying on stored session state on the server, which enhances visibility, reliability, and scalability by allowing servers to handle more concurrent requests efficiently. Cacheability mandates that responses indicate whether they can be cached, reducing network latency and server load by enabling intermediaries to reuse data, though it introduces a trade-off with potential staleness. The layered system constraint structures the architecture into hierarchical layers, constraining component behavior to interactions within or adjacent layers, which bounds complexity and supports load balancing across multiple servers. Code-on-demand, while optional, allows servers to extend client functionality by transferring executable code, such as JavaScript, to the client for on-the-fly execution. Central to REST is the uniform interface constraint, which simplifies and decouples the architecture by providing a generic interface between components, comprising four sub-constraints: identification of resources, manipulation of resources through representations, self-descriptive messages, and . Resources in REST are abstract entities identified by Uniform Resource Identifiers (URIs), such as /users/123 for a specific user, allowing logical mapping of and functionality without exposing details. Manipulation occurs through transferable representations of resources, typically in formats like or XML, where clients send or receive these representations to create, read, update, or delete (CRUD) resources via standardized protocols like HTTP. Self-descriptive messages include sufficient metadata, such as content-type headers, to enable processing without additional context. ensures discoverability by embedding hyperlinks in responses that guide clients to related resources and possible state transitions, decoupling the client from specific URI structures and promoting long-term evolvability. In designing RESTful Web APIs, best practices focus on leveraging HTTP methods to align with CRUD operations while ensuring idempotency and efficient data handling. GET requests retrieve and must be safe and idempotent, meaning multiple identical requests yield the same result without side effects; PUT updates or creates a resource at a specific URI and is idempotent; POST creates new resources and is not idempotent; DELETE removes resources and is idempotent; and PATCH partially updates resources, often non-idempotent unless carefully designed. Idempotency is crucial for reliability in unreliable networks, as it allows clients to retry requests without unintended changes, with methods like GET, PUT, and DELETE inherently supporting this property per HTTP semantics. To avoid over-fetching, APIs should implement using query parameters like ?page=1&limit=10 and filtering via parameters such as ?status=active, optimizing bandwidth and response times for large datasets. RESTful design offers advantages in , simplicity, and over procedure-oriented styles like RPC. By enforcing and caching, REST enables systems to handle massive scales, as demonstrated by the web's growth from 100,000 daily requests in to over million by 1999, through efficient and intermediary support. Its interface and resource-based approach simplify development by standardizing interactions, reducing compared to RPC's tight coupling and language-specific procedures, which can hinder evolvability. is enhanced by reliance on standard protocols like HTTP and media types, allowing seamless integration across heterogeneous systems without custom bindings, unlike RPC's potential for reduced portability.

Alternative Approaches

SOAP (Simple Object Access Protocol) is a messaging protocol for exchanging structured information in web services, fundamentally based on XML to define an envelope for messages that includes headers for metadata and a body for the payload. Developed as a W3C recommendation, SOAP Version 1.2 provides an extensible framework supporting distributed processing across intermediaries, making it suitable for complex enterprise integrations where strict standards are required. It relies on WSDL (Web Services Description Language), an XML-based format for describing service interfaces, operations, and endpoints, enabling automated client generation and discovery. SOAP emphasizes built-in standards like WS-Security from OASIS, which adds mechanisms for message integrity, confidentiality, and authentication through XML signatures and encryption, ideal for regulated industries such as finance and healthcare. However, its XML verbosity increases payload size and processing overhead compared to lighter alternatives, often leading to slower performance in high-volume scenarios. GraphQL, introduced by in 2015 as an open-source for APIs, allows clients to specify exactly the data they need in a single request, addressing REST's issues of over-fetching (receiving unnecessary data) and under-fetching (requiring multiple requests for related data). It features a schema-first using a strongly typed GraphQL Schema Definition Language (SDL) to define types, queries, mutations, and subscriptions, which serves as a between client and server. Resolvers—functions attached to schema fields—handle data fetching and , enabling flexible integration with various backends without exposing underlying storage details. Unlike REST's resource-oriented endpoints, uses a single endpoint for all operations, promoting efficiency in applications with complex, relational data needs, such as feeds or catalogs. Other notable alternatives include , a high-performance RPC framework developed by that uses for efficient binary serialization and for transport, enabling fast, streamed communication in and mobile backends. WebSockets, standardized in RFC 6455 by the IETF, provide full-duplex, bidirectional communication over a persistent connection, ideal for real-time applications like chat or live updates where polling would be inefficient. Event-driven APIs often employ webhooks, HTTP callbacks that notify subscribers of events via POST requests to predefined endpoints, as formalized in the W3C specification for publish-subscribe patterns. Choosing alternatives to REST depends on specific requirements: SOAP excels in environments demanding robust security and formal contracts, such as legacy enterprise systems, despite its overhead. suits complex queries in client-driven UIs to minimize bandwidth and latency, though it requires careful resolver optimization to avoid query problems. is preferred for internal, high-throughput services due to its speed and , but its binary format limits browser compatibility without proxies. WebSockets and webhooks enable real-time or asynchronous interactions, trading REST's simplicity for responsiveness in dynamic scenarios like notifications or collaborative tools.

Core Components

Endpoints and Resources

In Web APIs, particularly those following RESTful principles, an endpoint refers to a specific that serves as the point of interaction between a client and the server, enabling the client to access particular functionality or . Endpoints act as addresses where requests are routed and processed, typically combining a base with a path that identifies the target resource or operation, such as https://api.example.com/v1/users. This routing mechanism allows servers to direct incoming HTTP requests to the appropriate handlers based on the endpoint's path and method. Resources form the core conceptual units in Web APIs, representing abstract entities or data objects that can be manipulated, such as a with attributes like name and email. A is essentially an identifiable item with associated , relationships to other resources, and a defined set of operations that can be performed on it, often serialized in formats like . Resources can be individual items, like a single user at /users/123, or collections of homogeneous items, such as a list of users at /users, which are typically represented as arrays to denote multiple instances of the same type. Effective design of endpoints emphasizes hierarchical URI structures to reflect natural relationships between resources, using plural nouns for collections and path parameters for specific items, as in /users/{id}/posts to access posts belonging to a particular user. Best practices recommend avoiding verbs in URI paths, instead relying on HTTP methods to indicate actions, which promotes uniformity and leverages the semantics of the protocol—for instance, using /orders rather than /create-order or /get-orders. This noun-based, hierarchical approach ensures URIs are intuitive, scalable, and aligned with . The lifecycle of a resource in a Web API is typically managed through standard operations that correspond to creation, retrieval, update, and deletion, often mapped to HTTP methods in RESTful designs. Creation involves sending a request to add a new resource to a collection, such as posting data to /users to generate a new user entry. Retrieval fetches existing resources, either individually or in bulk; updating modifies attributes of an existing resource, like patching details at /users/{id}; and deletion removes a resource entirely, as with a request to /users/{id}. These operations collectively enable the full management of resources while maintaining stateless interactions.

HTTP Methods and Protocols

Web APIs primarily rely on the Hypertext Transfer Protocol (HTTP) and its secure variant, , for client-server communication, enabling standardized request-response interactions over the . HTTP methods define the intended action on resources, such as retrieving, creating, updating, or deleting , while ensuring consistent in distributed systems. These methods are integral to RESTful architectures, where they map to CRUD operations: GET for reading , for creating new resources, PUT or PATCH for updating existing ones, and DELETE for removal. The GET method retrieves a representation of a without modifying it, making it safe and idempotent—repeated invocations yield the same result without side effects. In contrast, POST creates a new by submitting data in the request body, but it is neither safe nor idempotent, as multiple identical requests may result in duplicate resources. PUT replaces an entire with the provided representation or creates it if absent, ensuring idempotency since repeated requests produce the same outcome. PATCH, an extension for partial updates, applies modifications to a but is generally not idempotent unless the patch is designed to be, as semantics depend on the specific patch format like . DELETE removes a and is idempotent; subsequent requests on a non-existent simply confirm its absence without . HTTP operates over versions that have evolved to address performance limitations. HTTP/1.1, defined in RFC 7230, uses text-based messaging with persistent connections but suffers from , where a single slow request delays others on the same connection. HTTP/2 introduces binary framing, multiplexing multiple request-response streams over a single TCP connection, and header compression via HPACK to reduce overhead, significantly improving efficiency for APIs with multiple concurrent calls. extends HTTP by layering (TLS) for encryption, authentication, and integrity, mandated for secure APIs to protect sensitive data in transit. HTTP/3, built on over UDP, eliminates TCP's at the transport level and enables faster connection establishment through 0-RTT handshakes, enhancing API performance in high-latency networks. Responses in Web APIs include HTTP status codes to indicate the outcome of a request, categorized into classes for quick interpretation. 2xx codes signal success: 200 OK for successful GET or PUT requests, and 201 Created for successful POST operations that generate a new resource. 4xx codes denote client errors, such as 404 Not Found when a requested resource does not exist, or 400 Bad Request for malformed inputs. 5xx codes indicate server errors, like 500 Internal Server Error for unexpected failures or 503 Service Unavailable during overloads; APIs may also use custom codes within these ranges for domain-specific meanings, though standardization is recommended. HTTP headers provide metadata for requests and responses, influencing API behavior and security. The Content-Type header specifies the of the body, such as application/ for JSON payloads or application/xml for XML. Authorization headers carry credentials for , often using schemes like Bearer tokens for . Rate limiting is commonly implemented via custom headers like RateLimit-Limit (maximum requests allowed), RateLimit-Remaining (requests left in the window), and RateLimit-Reset (time until reset), helping APIs prevent abuse and manage load. Data formats in request and response bodies serialize structured information for exchange. , a lightweight text-based format, dominates Web APIs due to its human-readability, ease of parsing in , and support for nested objects and arrays, typically indicated by Content-Type: application/json. XML offers a more verbose, schema-validatable alternative with tags for hierarchical data, used in legacy systems via Content-Type: application/xml. (Protobuf), a binary format from , provide compact, efficient serialization for high-performance APIs, especially in contexts, reducing bandwidth compared to text formats while requiring predefined schemas. These formats ensure interoperability, with preferred for its simplicity in most RESTful Web APIs.

Server-Side Development

Implementing APIs

Implementing server-side Web APIs involves selecting appropriate frameworks and languages, defining data structures and endpoints, integrating data storage solutions, conducting thorough testing, and deploying to scalable environments. This process ensures the API is robust, maintainable, and performant for handling client requests over HTTP. Popular frameworks for building Web APIs include Node.js with Express, which provides a minimalist and flexible environment for creating RESTful services using JavaScript, enabling rapid development of asynchronous, event-driven applications. In Python, Django REST Framework extends the Django web framework to facilitate API creation with built-in support for serialization, authentication, and ORM for database interactions, making it suitable for complex, data-heavy APIs. Flask, another Python option, offers a lightweight microframework for simpler APIs, allowing developers to define routes and handle requests with minimal boilerplate while integrating extensions for advanced features like database connectivity. For Java-based development, Spring Boot simplifies the creation of production-ready REST APIs through auto-configuration, embedded servers, and robust support for dependency injection and data access layers. Serverless architectures further streamline implementation; AWS Lambda allows running API code without provisioning servers, automatically scaling based on demand and integrating seamlessly with other AWS services for event-driven APIs. Similarly, Vercel Functions enable serverless deployment of API endpoints with automatic scaling, edge caching, and support for multiple runtimes like Node.js, ideal for frontend-centric applications. The development process begins with defining schemas to outline the structure of data exchanged via the , often using tools like JSON Schema or OpenAPI specifications to ensure consistency and validation. Next, developers implement routes and endpoints to map HTTP methods to specific functions, such as creating a GET endpoint for retrieving resources or a POST endpoint for creating new ones, typically following principles for stateless operations. Database integration follows, connecting the to persistent storage; SQL databases like provide structured, relational data handling with compliance for transactional integrity, while NoSQL options such as offer schema flexibility and horizontal scaling for unstructured or . Frameworks like Django and include built-in ORMs (Object-Relational Mappers) to abstract database queries, facilitating seamless integration regardless of the underlying SQL or system. For example, in , libraries like enable easy interaction with by defining models that mirror the 's data schemas. Testing is essential to verify API functionality and reliability. Unit tests focus on individual endpoints, using frameworks like Jest in Node.js environments to assert expected responses and mock external dependencies such as databases to isolate components and ensure predictable outcomes. Integration tests evaluate how endpoints interact with databases and other services, often employing tools like Postman to simulate real-world requests, validate response codes, and check data flow across the system. Mocking dependencies during these tests, via libraries in Jest or Postman's mock servers, prevents reliance on live external resources, allowing repeatable and efficient validation of API behavior under various conditions. Deployment involves hosting the API on cloud platforms for accessibility and scalability. AWS API Gateway serves as a fully managed service to create, publish, and secure APIs at scale, handling traffic management, authorization, and integration with backend services like . Google Cloud Endpoints provides similar capabilities for deploying and managing APIs on Google Cloud, offering monitoring, logging, and service management for OpenAPI-defined services. For containerized deployments, Docker packages the API into portable images, ensuring consistency across environments, while orchestrates these containers for automated scaling, load balancing, and self-healing in production clusters.

Security and Authentication

Security in Web APIs is paramount to protect sensitive data and resources from unauthorized access, ensuring , , and . verifies the identity of clients or users requesting access, while determines what actions they can perform. These mechanisms are essential in preventing breaches, as APIs often serve as gateways to backend systems and handle high volumes of traffic.

Authentication Methods

API keys provide a simple mechanism for authenticating client applications to Web APIs, typically passed in HTTP headers or query parameters to identify and authorize requests. They are generated by the API provider and restricted to specific endpoints or operations, but they lack user-specific context and are vulnerable if exposed. Best practices include generating strong, unique keys with sufficient , storing them securely outside code repositories, and rotating them regularly to mitigate compromise risks. OAuth 2.0 is a widely adopted framework that enables third-party applications to obtain limited access to HTTP services on behalf of resource owners without sharing credentials. It supports multiple grant types, including the authorization code flow for web applications, which involves redirecting users to an server for before exchanging a code for an , and the client credentials flow for machine-to-machine communication where clients authenticate directly using their credentials. These flows ensure secure token issuance while supporting scopes to define access permissions. As of 2025, OAuth 2.1 is in draft form (draft-ietf-oauth-v2-1), consolidating best current practices and mandating enhancements like PKCE for all client types, removal of the implicit and resource owner password credentials grant types, and other security improvements. JSON Web Tokens (JWTs) offer a stateless method, encoding claims such as user identity and expiration in a compact, signed format that can be verified by the API server without database lookups. Defined as a URL-safe means for transferring claims between parties, JWTs are often used as bearer tokens in 2.0, with signatures ensuring tamper resistance. However, they must be transmitted over secure channels to prevent interception.

Authorization

Once authenticated, authorization enforces policies on what resources or actions are permitted. (RBAC) assigns permissions to roles within an organization, granting users access based on their assigned roles rather than individual identities, aligning security with organizational structure. This model supports hierarchical inheritance for role efficiency. (ABAC) provides finer-grained control by evaluating attributes of users, resources, actions, and environment against policy rules to make access decisions dynamically. Unlike RBAC's static roles, ABAC accommodates complex scenarios like time-based or location-based restrictions. In OAuth 2.0, scopes act as a form of attribute-based authorization, limiting token permissions to specific resources or operations.

Common Threats and Mitigations

Web APIs face significant threats outlined in the API Security Top 10, including broken (API2:2023), where weak credential handling or improper session management allows unauthorized access. Mitigation involves , secure token storage, and regular credential rotation. Injection attacks, such as SQL or command injection through unvalidated inputs (related to API8:2023 Security Misconfiguration), can be countered with rigorous input validation, parameterized queries, and output encoding. Cross-Site Scripting (XSS) risks arise if APIs inadvertently expose user inputs in responses that clients render, potentially leading to script injection; defenses include headers and sanitization, though APIs should minimize outputs. Unrestricted resource consumption (API4:2023) enables denial-of-service attacks, addressed by to cap requests per client and input validation to reject malformed payloads. (CORS) policies must be strictly configured to prevent unauthorized domain access, specifying allowed origins and methods via HTTP headers.

Best Practices

Enforcing (TLS) for all communications is mandatory to encrypt data in transit and prevent man-in-the-middle attacks, as specified in OAuth 2.0 bearer token usage. Tokens should include expiration times—typically minutes to hours for access tokens—to limit damage from theft, with refresh tokens enabling renewal without re-authentication. Comprehensive and auditing of access, including attempts and decisions, facilitate detection and compliance, while avoiding sensitive data like full tokens. Modern APIs increasingly adopt zero-trust models, assuming no implicit trust and requiring continuous verification of identity, device posture, and context for every request, as outlined in NIST SP 800-228 (2025). HTTP headers, such as , are commonly used to convey credentials securely.

Client-Side Integration

Consuming Web APIs

Consuming Web APIs involves clients initiating HTTP requests to interact with server-provided resources, typically following patterns defined by the API's endpoints and protocols. Clients in this context include browser-based applications using JavaScript and mobile applications on Android and iOS platforms. In browser environments, the native Fetch API enables asynchronous resource fetching, serving as a modern replacement for older XMLHttpRequest methods by returning promises for handling responses. However, due to browsers' same-origin policy, which restricts JavaScript from making requests to a different domain, scheme, or port than the one serving the web page, Cross-Origin Resource Sharing (CORS) is required to enable such access. CORS is an HTTP-header based mechanism that allows servers to indicate which origins are permitted to access their resources. For simple requests, the server includes headers like Access-Control-Allow-Origin in the response; for potentially complex requests (e.g., those with custom headers or non-standard methods), the browser sends a preflight OPTIONS request to check permissions before the actual request. Developers must ensure the API server is configured with appropriate CORS headers to avoid blocked requests. Third-party libraries like Axios simplify this process with promise-based HTTP requests that work across browsers and offer features such as automatic JSON parsing and request interception. For mobile development, Android applications often employ Retrofit, a type-safe HTTP client that converts endpoints into or Kotlin interfaces, streamlining the declaration of network calls with built-in support for converters like for handling. On , Apple's URLSession framework provides a robust for creating tasks to download or upload data, supporting configurations for , timeouts, and background operations via delegates or completion handlers. providers frequently supply dedicated SDKs to abstract these complexities; for instance, Stripe's SDKs handle payment processing requests across languages like , , and Swift, encapsulating and error retries. Request construction requires assembling URLs, query parameters, headers, and bodies to form valid HTTP messages that align with the API's specifications. URLs are built by appending paths to base endpoints and adding query parameters for filtering or pagination, such as ?limit=10&offset=0 to retrieve paginated data, ensuring parameters are URL-encoded to handle special characters. Headers convey metadata like Content-Type: application/json for request bodies or Authorization: Bearer <token> for access control, while bodies carry payload data in formats like JSON for POST or PUT methods, serialized appropriately to match the API's expected schema. Asynchronous operations are managed through mechanisms like promises in JavaScript, where fetch() returns a Promise that resolves with the response, allowing chaining with .then() for success handling or .catch() for failures, or callbacks in older APIs for event-driven completion notifications. Integration patterns optimize data flow and performance during API consumption. Polling involves clients periodically querying an endpoint for updates, suitable for simple, low-frequency checks but inefficient for real-time needs due to repeated requests and potential . In contrast, webhooks enable servers to push notifications to a client-specified upon events, reducing latency and bandwidth by delivering data only when changes occur, as implemented in services like Stripe for payment confirmations. Caching responses enhances efficiency by storing HTTP replies with headers like Cache-Control: max-age=3600, allowing clients to reuse data without refetching, provided the cache respects expiration and validation directives to maintain freshness.

Error Handling and Responses

Web API clients must effectively process responses to ensure robust integration, distinguishing between successful data retrieval and error conditions to maintain application reliability. Successful responses typically include HTTP status codes in the 2xx range, accompanied by payloads in structured formats such as , which encapsulate the requested data for easy parsing and utilization by the client. For instance, a GET request might return a JSON object with fields like user details or resource lists, allowing the client to deserialize the content into native objects for further processing. Error responses, conversely, employ standardized formats to convey issues machine-readably, with RFC 7807 defining the "Problem Details for HTTP APIs" schema as a recommended structure for HTTP error payloads in or XML. This format includes elements such as "type" (a URI identifying the problem), "" (a brief summary), "status" (the HTTP status code), "detail" (a human-readable explanation), and optional "instance" (the request URI), enabling clients to programmatically handle and display errors without custom logic. Adoption of RFC 7807 promotes across APIs by avoiding error schemas, as evidenced in frameworks like , which natively support Problem Details for consistent error reporting. Error types in Web APIs are categorized primarily through HTTP status codes, where 4xx codes signal client-side issues—such as 400 Bad Request for malformed inputs or 404 Not Found for unavailable resources—indicating problems resolvable by the client without server intervention. Server-side errors, denoted by 5xx codes like 500 Internal Server Error or 503 Service Unavailable, reflect issues on the API provider's end, such as internal failures or temporary overloads, often prompting clients to retry later. Beyond standard codes, APIs may incorporate custom error codes and descriptive messages within the response body to aid debugging, such as application-specific enums for validation failures, enhancing traceability without altering HTTP semantics. Effective handling strategies enable clients to recover from errors gracefully and maintain operational continuity. Retry logic, particularly with , is a core technique where failed requests are reattempted after progressively longer delays—starting with a base interval and multiplying by a factor (e.g., 2) per attempt—to mitigate transient issues like network glitches without overwhelming the server. This approach, often capped at a maximum number of retries (e.g., 3–5), is implemented in libraries like for .NET, balancing resilience against potential thundering herd problems. Graceful degradation allows applications to fall back to alternative behaviors, such as displaying cached data or simplified views, when responses fail, ensuring core functionality persists even under partial service disruptions. Logging errors systematically captures response details, including status codes, payloads, and timestamps, to facilitate post-mortem and monitoring; tools like structured in client-side frameworks record these events without exposing sensitive , aiding in root-cause identification for recurring issues. For responses in non-JSON formats, such as XML or , clients employ format-specific parsers—e.g., XML DOM parsers or manipulation—to extract relevant information, often determined via the Content-Type header to avoid deserialization failures. Performance considerations in error handling focus on preventing cascading failures in distributed environments. Timeout settings define the maximum duration for awaiting a response, configured based on the API's expected latency, often in the range of 10 to 30 seconds for web services—to avoid indefinite hangs, configurable via client libraries like HttpClient in or fetch options in , with adjustments based on expected latency. Circuit breakers enhance by monitoring error rates and temporarily halting requests to failing endpoints after a threshold (e.g., 5 consecutive failures), transitioning to an "open" state for a cooldown period before probing recovery, as implemented in patterns from Azure for resilient . These mechanisms collectively ensure clients remain responsive, minimizing downtime from API interactions.

Documentation and Maintenance

API Documentation Practices

API documentation serves as the primary interface between developers and Web APIs, providing essential details on endpoints, parameters, formats, and usage guidelines to facilitate integration and reduce development friction. Effective documentation enhances API adoption by enabling users to understand and test functionalities without direct access to , often through machine-readable specifications that support automated tooling. Standards and tools have evolved to standardize this process, ensuring consistency across diverse API ecosystems. The (OAS), formerly known as the Swagger Specification, is a widely adopted standard for describing RESTful APIs using or formats. It defines comprehensive elements such as paths, operations, for data models, security schemes, and examples, allowing for both human-readable and machine-interpretable . , released in 2017, introduced improved support for validation and better handling of multiple servers, while , finalized in 2021, aligns more closely with 2020-12 and adds features like webhooks and enhanced discriminators for polymorphic . A minor update, released on October 24, 2024, clarifies required fields and schema interpretation, improves vocabulary integration, and refines flows. Alternatives include RAML (RESTful Modeling Language), a -based DSL developed by for designing APIs with reusable data types and traits, and API Blueprint, a Markdown-like format focused on readability and collaboration during the phase. These standards promote interoperability by enabling the generation of client SDKs, server stubs, and interactive from a single source file. Tools for creating and rendering API documentation leverage these standards to streamline workflows. Swagger UI, an open-source tool, generates interactive web-based documentation from OpenAPI specifications, allowing users to visualize and test API endpoints directly in the browser with real-time examples. Redoc, another renderer, produces clean, three-panel layouts for OpenAPI docs, emphasizing searchability and mobile responsiveness for better developer experience. Auto-generation tools integrate documentation into the development process; for instance, in Java's framework, annotations like @Operation and @ApiModel can produce OpenAPI specs at build time, while Node.js's uses libraries like swagger-jsdoc to extract comments from code into / outputs. These tools reduce manual effort and ensure documentation reflects the latest state when tied to pipelines. Best practices for API documentation emphasize clarity, completeness, and usability to support diverse audiences. Documentation should include concrete code examples in multiple languages (e.g., , fetch), detailed error codes with descriptions (such as HTTP 4xx/5xx status mappings to domain-specific messages), and authentication details like OAuth 2.0 flows or placements, often referencing security schemes defined in the spec. Incorporating versioning information within docs—such as sections or endpoint notices—helps users track changes without disrupting ongoing integrations. User-friendly formats like Postman collections export specs into interactive workspaces for testing, enabling teams to share pre-configured requests and environments. Semantic versioning in documentation paths (e.g., /v1/users) aids discoverability, while embedding interactive sandboxes allows immediate experimentation. Challenges in API documentation maintenance include keeping specs synchronized with evolving codebases, as manual updates often lag behind changes, leading to outdated or misleading information. Automated synchronization via code annotations and build-time generation mitigates this, but requires disciplined developer practices. Additionally, providing interactive testing environments demands balancing security—such as in sandboxes—with , ensuring docs remain performant and inclusive for global users.

Versioning and Scalability

Web APIs evolve over time to accommodate new features, performance improvements, and changing requirements, necessitating robust versioning strategies to maintain compatibility with existing clients. Common approaches include URI versioning, where the version is embedded in the endpoint path, such as /v1/users for the initial version and /v2/users for subsequent updates, allowing clear separation of API iterations. Header-based versioning uses custom HTTP headers, like Accept: application/vnd.api.v1+json, to specify the desired version without altering the URI, which preserves cleaner URLs and supports multiple versions on the same endpoint. An alternative is schema evolution without explicit versioning, particularly in APIs, where new fields are added to the schema while deprecating old ones, enabling backward-compatible changes without disrupting clients that ignore unknown fields. Deprecation processes ensure a smooth transition during API evolution by providing advance notice and support for migration. Best practices involve issuing sunset notices through API documentation and alerts to consumers, typically with a of at least six months before removal, allowing time for updates. Migration guides should detail changes, such as renamed fields or altered behaviors, and include code samples for transitioning to the new version. rules, like avoiding breaking changes in minor updates and using additive-only modifications (e.g., adding optional parameters), help minimize disruptions while adhering to semantic versioning principles, where major version increments signal potential incompatibilities. Scalability techniques are essential for handling increased traffic and ensuring reliable performance in Web APIs. Load balancing distributes incoming requests across multiple server instances to prevent overload on any single node, often implemented using tools like or cloud services such as AWS Elastic Load Balancing. Horizontal scaling extends this by deploying additional API instances in a architecture, where independent services can be replicated across containers or virtual machines to match demand spikes, facilitated by orchestration platforms like . Caching reduces backend load by storing frequently accessed responses; for instance, serves as an in-memory cache for dynamic API data, enabling sub-millisecond retrievals and supporting patterns like cache-aside where misses trigger database queries. Content Delivery Networks (CDNs) optimize delivery of static or cacheable API responses by serving them from edge servers closer to users, decreasing latency for global audiences. Rate limiting and quotas enforce usage controls, such as allowing 1000 requests per hour per client via algorithms, to protect against abuse and ensure fair . Monitoring provides visibility into API health and performance, enabling proactive scalability decisions. Tools like Prometheus collect metrics such as request latency, error rates, and throughput in a time-series database, supporting alerting for anomalies like high CPU usage. API gateways, such as Amazon API Gateway or Azure API Management, centralize traffic management by routing requests, applying policies, and aggregating logs for comprehensive observability across distributed systems. These practices collectively allow Web APIs to scale from thousands to millions of requests per day while evolving without service interruptions, with version changes briefly documented to aid consumer transitions.

Impact and Applications

Economic and Technological Growth

The rise of the API economy since the 2010s has profoundly influenced technological growth by enabling modular, scalable software architectures that underpin modern digital infrastructures. The number of publicly available web APIs exceeded 24,000 by 2022, with significant growth continuing into the 2020s as tracked by various sources before the ProgrammableWeb directory's closure in 2022, which facilitated the shift toward microservices, cloud computing, and Internet of Things (IoT) integrations. Platforms such as Amazon Web Services (AWS) have harnessed APIs to deliver flexible cloud resources, allowing developers to provision computing power on demand and driving innovations in infrastructure-as-a-service models. Similarly, Stripe's robust payment APIs have streamlined e-commerce by providing seamless integration for transaction processing, reducing development time for online businesses. In the realm of artificial intelligence and machine learning, APIs like OpenAI's have democratized access to advanced models, enabling developers to incorporate generative capabilities into applications without building complex systems from scratch, thus accelerating AI adoption across industries. As of 2025, 82% of organizations have adopted an API-first approach, with 46% planning increased investment, reflecting accelerated integration of AI and asynchronous APIs (Postman State of the API Report 2025). Market projections highlight the economic momentum of Web APIs, with the API management sector anticipated to reach USD 8.86 billion in 2025 and expand to USD 19.28 billion by 2030 at a (CAGR) of 16.83%, fueled by widespread migrations and API-first strategies. This growth underscores APIs' central role in , where they power app economies by connecting disparate services and enabling rapid feature development; for instance, APIs are projected to contribute $14.2 trillion to the global economy by 2027, representing a $3.3 trillion increase from 2023 levels, according to a 2023 report. Key innovations have further propelled this expansion, including API marketplaces like RapidAPI and APILayer, which serve as centralized hubs for discovering, testing, and subscribing to thousands of APIs, fostering a collaborative that lowers barriers for developers and promotes . The inherent of Web APIs allows for the creation of dynamic mashups, where multiple APIs are orchestrated to build hybrid applications that deliver tailored functionalities, such as combining mapping and payment services for location-based commerce. In , APIs integrate deeply with continuous integration/continuous deployment () pipelines, automating workflows for , deployment, and monitoring, which reduces release cycles and improves software reliability in fast-paced environments. Despite these advances, challenges such as API sprawl—characterized by the unmanaged proliferation of s leading to fragmented landscapes—pose risks to , , and operational efficiency in large organizations. Robust governance, which encompasses policies for consistent design, enforcement, and lifecycle management, is crucial to counteract these issues and align strategies with business objectives. Standardization initiatives like AsyncAPI address specific gaps by offering a YAML/JSON specification for event-driven s, enabling standardized documentation, validation, and that simplify governance in asynchronous systems.

Industry and Governmental Use

Web APIs play a pivotal role in commercial applications, enabling companies to monetize their services through flexible pricing models. For instance, employs a model for its communication APIs, offering free trials and limited usage without requiring a , while charging usage-based fees such as $0.0083 per SMS message for higher volumes. Similarly, , a Twilio service, offers a 60-day free trial allowing 100 emails per day, transitioning to paid plans starting at $19.95 per month for 50,000 emails, which supports scalable email delivery for businesses. These models allow developers to experiment at no cost before committing to paid tiers, fostering widespread adoption. Partnerships further amplify commercial value, as seen with the Platform API, which integrates into applications for location services and generates revenue through a pay-as-you-go model with free usage caps (such as 10,000 monthly requests for core APIs) and volume discounts for higher usage. Companies like and leverage this API for navigation and mapping features, creating symbiotic ecosystems where API providers earn from usage while partners enhance their offerings without building core infrastructure from scratch. In broader SaaS ecosystems, Web APIs facilitate seamless integrations, such as connecting tools to , enabling and richer functionalities that drive and user retention. Governmental applications of Web APIs promote transparency and public service efficiency through initiatives. In the United States, api.data.gov serves as a free management service for federal agencies, fulfilling obligations under the Open Government Data Act by providing APIs for accessing public datasets on topics like and demographics. The European Union's Public Sector Information (PSI) Directive mandates the reuse of government-held data via APIs, ensuring transparency and fair while encouraging in services built on . In the , APIs, including the Content API, enable developers to integrate government data into applications, supporting services like notifications and access, with standards outlined in official technical guidelines to ensure consistency and security. The API Catalogue further lists sector APIs to promote discoverability and reuse across organizations. Regulations governing Web APIs emphasize data protection, particularly for those handling personal information. Under the General Data Protection Regulation (GDPR), APIs processing EU citizens' data must obtain explicit consent, enable data removal requests, implement strict access controls like and audits, and notify breaches promptly, applying regardless of the developer's location. California's Consumer Privacy Act (CCPA) requires APIs serving California residents to provide and deletion mechanisms for , targeting businesses with significant revenue or data volume, and imposes penalties for non-compliance. These laws necessitate API designs that prioritize privacy by default, such as data minimization and secure . Case studies illustrate the transformative impact of Web APIs in regulated sectors. In , Plaid's API connects financial applications to bank accounts, enabling secure data access and transactions; for example, Chime used it to increase account funding by 300%, while Affirm integrates it for instant loan verifications, streamlining banking services without direct institution partnerships. In healthcare, the (FHIR) standard defines APIs for exchanging patient data across systems, promoting interoperability; it supports sharing between providers, insurers, and apps, reducing fragmentation and improving care coordination as outlined in HL7 specifications.

Practical Examples

REST API Example

A simple RESTful Web API example can illustrate the core concepts through a basic user management system that supports (CRUD) operations on user resources. This scenario uses an in-memory to simulate a database, allowing clients to retrieve all users, create a new user, fetch a specific user by ID, update user details, and delete a user. Such an adheres to principles by treating users as resources identified by URIs and using standard HTTP methods for operations. On the server side, with the Express framework provides a way to define routes for these operations. The following code snippet sets up the , using Express Router to handle requests at /users and returning responses where appropriate. Note that UUIDs are generated for unique user IDs, and the server listens on port 5000. Server Setup (index.js):

javascript

import express from 'express'; import bodyParser from 'body-parser'; import userRoutes from './routes/users.js'; const app = express(); const PORT = 5000; app.use(bodyParser.json()); app.use('/users', userRoutes); app.listen(PORT, () => console.log(`Server running on port: http://[localhost](/page/Localhost):${PORT}`));

import express from 'express'; import bodyParser from 'body-parser'; import userRoutes from './routes/users.js'; const app = express(); const PORT = 5000; app.use(bodyParser.json()); app.use('/users', userRoutes); app.listen(PORT, () => console.log(`Server running on port: http://[localhost](/page/Localhost):${PORT}`));

User Routes (routes/users.js):

javascript

import express from 'express'; import { v4 as uuidv4 } from 'uuid'; const router = express.Router(); let users = []; // In-memory mock database // GET /users - Retrieve all users router.get('/', (req, res) => { res.status(200).json(users); }); // POST /users - Create a new user router.post('/', (req, res) => { const user = req.body; const newUser = { ...user, id: uuidv4() }; users.push(newUser); res.status(201).json(newUser); }); // GET /users/:id - Retrieve a specific user router.get('/:id', (req, res) => { const { id } = req.params; const foundUser = users.find(user => user.id === id); if (!foundUser) { return res.status(404).json({ error: 'User not found' }); } res.status([200](/page/200)).json(foundUser); }); // PATCH /users/:id - Update a user router.patch('/:id', (req, res) => { const { id } = req.params; const updates = req.body; const userIndex = users.findIndex(user => user.id === id); if (userIndex === -1) { return res.status(404).json({ error: 'User not found' }); } users[userIndex] = { ...users[userIndex], ...updates }; res.status([200](/page/200)).json(users[userIndex]); }); // DELETE /users/:id - Delete a user router.delete('/:id', (req, res) => { const { id } = req.params; const userIndex = users.findIndex(user => user.id === id); if (userIndex === -1) { return res.status(404).json({ error: 'User not found' }); } users.splice(userIndex, 1); res.status(204).send(); }); export default router;

import express from 'express'; import { v4 as uuidv4 } from 'uuid'; const router = express.Router(); let users = []; // In-memory mock database // GET /users - Retrieve all users router.get('/', (req, res) => { res.status(200).json(users); }); // POST /users - Create a new user router.post('/', (req, res) => { const user = req.body; const newUser = { ...user, id: uuidv4() }; users.push(newUser); res.status(201).json(newUser); }); // GET /users/:id - Retrieve a specific user router.get('/:id', (req, res) => { const { id } = req.params; const foundUser = users.find(user => user.id === id); if (!foundUser) { return res.status(404).json({ error: 'User not found' }); } res.status([200](/page/200)).json(foundUser); }); // PATCH /users/:id - Update a user router.patch('/:id', (req, res) => { const { id } = req.params; const updates = req.body; const userIndex = users.findIndex(user => user.id === id); if (userIndex === -1) { return res.status(404).json({ error: 'User not found' }); } users[userIndex] = { ...users[userIndex], ...updates }; res.status([200](/page/200)).json(users[userIndex]); }); // DELETE /users/:id - Delete a user router.delete('/:id', (req, res) => { const { id } = req.params; const userIndex = users.findIndex(user => user.id === id); if (userIndex === -1) { return res.status(404).json({ error: 'User not found' }); } users.splice(userIndex, 1); res.status(204).send(); }); export default router;

This implementation applies principles by mapping HTTP methods to CRUD actions: GET for reading, POST for creating, PATCH for partial updates, and DELETE for removal, ensuring a uniform interface and stateless interactions. Basic error handling is included via HTTP status codes, such as 404 for non-existent resources, to provide clear feedback without disrupting the client-server separation. Clients can interact with this API using tools like curl for command-line requests or JavaScript's Fetch API for web-based calls. For instance, creating a user via curl sends a POST request with JSON payload, expecting a 201 response with the new user object. Example Client Interactions:
  • Create a user (curl):

    curl -X POST http://localhost:5000/users \ -H "Content-Type: application/json" \ -d '{"first_name": "John", "last_name": "Doe", "email": "[email protected]"}'

    curl -X POST http://localhost:5000/users \ -H "Content-Type: application/json" \ -d '{"first_name": "John", "last_name": "Doe", "email": "[email protected]"}'

    Expected response (JSON):

    json

    { "first_name": "John", "last_name": "Doe", "email": "[email protected]", "id": "123e4567-e89b-12d3-a456-426614174000" }

    { "first_name": "John", "last_name": "Doe", "email": "[email protected]", "id": "123e4567-e89b-12d3-a456-426614174000" }

  • Retrieve all users (curl):

    curl http://localhost:5000/users

    curl http://localhost:5000/users

    Expected response (JSON array of users).
  • Retrieve a user by ID (JavaScript Fetch):

    javascript

    fetch('http://localhost:5000/users/123e4567-e89b-12d3-a456-426614174000') .then(response => { if (!response.ok) { throw new Error(`HTTP error! status: ${response.status}`); } return response.json(); }) .then(user => console.log(user)) .catch(error => console.error('Error:', error));

    fetch('http://localhost:5000/users/123e4567-e89b-12d3-a456-426614174000') .then(response => { if (!response.ok) { throw new Error(`HTTP error! status: ${response.status}`); } return response.json(); }) .then(user => console.log(user)) .catch(error => console.error('Error:', error));

    Expected response: The user object or a 404 error JSON.
  • Delete a user (curl):

    curl -X DELETE http://[localhost](/page/Localhost):5000/users/123e4567-e89b-12d3-a456-426614174000

    curl -X DELETE http://[localhost](/page/Localhost):5000/users/123e4567-e89b-12d3-a456-426614174000

    Expected response: 204 No Content on success, or 404 error.
These interactions demonstrate how clients can manipulate resources predictably, with responses formatted in for easy parsing across platforms. Key takeaways from this example include the emphasis on resource-oriented design, where endpoints like /users/:id uniquely identify entities, and the use of HTTP status codes (e.g., 200 for success, 201 for creation, 404 for not found) to handle basic errors explicitly. This structure promotes scalability and maintainability, as each operation is self-contained and follows REST's constraints for cacheability and layered systems. In practice, replace the in-memory storage with a persistent database for production use.

GraphQL API Example

A practical example of a Web involves querying user data along with their associated posts, enabling clients to specify exactly which fields to retrieve for flexibility. In this scenario, a server maintains a simple in-memory data store of users and posts, where each user can have multiple posts, and clients can request subsets of fields like user name and post titles without receiving unnecessary data. On the server side, using with Apollo Server, the GraphQL schema is defined using the GraphQL Schema Definition Language (SDL). The schema includes types for User and Post, along with a query to fetch a user by ID and a to create a post.

graphql

type User { id: ID! name: String! posts: [Post!]! } type Post { id: ID! title: String! content: String } type Query { user(id: ID!): User } type Mutation { createPost(title: String!, content: String, userId: ID!): Post! }

type User { id: ID! name: String! posts: [Post!]! } type Post { id: ID! title: String! content: String } type Query { user(id: ID!): User } type Mutation { createPost(title: String!, content: String, userId: ID!): Post! }

Resolvers implement the logic to fetch data, resolving the User type's posts field by filtering posts associated with the user. Apollo Server handles the execution.

javascript

import { ApolloServer } from '@apollo/server'; import { startStandaloneServer } from '@apollo/server/standalone'; // In-memory mock data let users = [{ id: '1', name: 'Alice' }]; let posts = [{ id: '1', title: 'First Post', content: 'Hello', userId: '1' }]; const typeDefs = `#graphql type User { id: ID! name: String! posts: [Post!]! } type Post { id: ID! title: String! content: String } type Query { user(id: ID!): User } type Mutation { createPost(title: String!, content: String, userId: ID!): Post! } `; const resolvers = { Query: { user: (parent, { id }) => users.find(user => user.id === id), }, User: { posts: (user) => posts.filter(post => post.userId === user.id), }, Mutation: { createPost: (parent, { title, content, userId }) => { const newPost = { id: String(posts.length + 1), title, content, userId }; posts.push(newPost); return newPost; }, }, }; const server = new ApolloServer({ typeDefs, resolvers }); (async () => { const { url } = await startStandaloneServer(server, { listen: { port: 4000 }, }); console.log(`Server ready at: ${url}`); })();

import { ApolloServer } from '@apollo/server'; import { startStandaloneServer } from '@apollo/server/standalone'; // In-memory mock data let users = [{ id: '1', name: 'Alice' }]; let posts = [{ id: '1', title: 'First Post', content: 'Hello', userId: '1' }]; const typeDefs = `#graphql type User { id: ID! name: String! posts: [Post!]! } type Post { id: ID! title: String! content: String } type Query { user(id: ID!): User } type Mutation { createPost(title: String!, content: String, userId: ID!): Post! } `; const resolvers = { Query: { user: (parent, { id }) => users.find(user => user.id === id), }, User: { posts: (user) => posts.filter(post => post.userId === user.id), }, Mutation: { createPost: (parent, { title, content, userId }) => { const newPost = { id: String(posts.length + 1), title, content, userId }; posts.push(newPost); return newPost; }, }, }; const server = new ApolloServer({ typeDefs, resolvers }); (async () => { const { url } = await startStandaloneServer(server, { listen: { port: 4000 }, }); console.log(`Server ready at: ${url}`); })();

For the client, a GraphQL query uses declarative syntax to specify the desired structure, such as fetching a user's name and only the titles of their posts. This can be executed via tools like , an in-browser IDE bundled with Apollo Server, or Apollo Studio for remote exploration.

graphql

query GetUserWithPosts($userId: ID!) { user(id: $userId) { name posts { title } } }

query GetUserWithPosts($userId: ID!) { user(id: $userId) { name posts { title } } }

With variables { "userId": "1" }, the response might be {"data": {"user": {"name": "Alice", "posts": [{"title": "First Post"}]}}}, demonstrating precise . Key takeaways from this example include GraphQL's ability to reduce over-fetching by allowing clients to request only required fields, unlike fixed-response endpoints, which can minimize bandwidth usage. Additionally, GraphQL's built-in enables clients to query the itself for available types and fields, facilitating self-documenting APIs and tool integration.

References

  1. https://developer.mozilla.org/en-US/docs/Web/API
  2. https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API
  3. https://developer.mozilla.org/en-US/docs/Web/API/Geolocation
  4. https://developer.mozilla.org/en-US/docs/Web/API/Document
  5. https://learn.microsoft.com/en-us/azure/architecture/best-practices/api-design
  6. https://aws.amazon.com/what-is/api/
  7. https://www.ibm.com/topics/api
  8. https://restfulapi.net/
  9. https://blog.postman.com/intro-to-apis-history-of-apis/
  10. https://www.w3.org/2019/12/pressrelease-wasm-rec.html
  11. https://www.postman.com/state-of-api/2025/
  12. https://www.ics.uci.edu/~fielding/pubs/dissertation/rest_arch_style.htm#sec_5_1
  13. https://www.ics.uci.edu/~fielding/pubs/dissertation/rest_arch_style.htm#sec_5_1_3
  14. https://www.ics.uci.edu/~fielding/pubs/dissertation/rest_arch_style.htm#sec_5_1_4
  15. https://www.ics.uci.edu/~fielding/pubs/dissertation/rest_arch_style.htm#sec_5_1_6
  16. https://www.ics.uci.edu/~fielding/pubs/dissertation/rest_arch_style.htm#sec_5_1_7
  17. https://www.ics.uci.edu/~fielding/pubs/dissertation/rest_arch_style.htm#sec_5_2_1_1
  18. https://www.ics.uci.edu/~fielding/pubs/dissertation/rest_arch_style.htm#sec_5_2_1_2
  19. https://www.ics.uci.edu/~fielding/pubs/dissertation/rest_arch_style.htm#sec_5_2_1_3
  20. https://www.ics.uci.edu/~fielding/pubs/dissertation/rest_arch_style.htm#sec_5_2_1_4
  21. https://www.rfc-editor.org/rfc/rfc9110.html#section-9.2
  22. https://www.rfc-editor.org/rfc/rfc9110.html#section-9.1
  23. https://learn.microsoft.com/en-us/azure/architecture/best-practices/api-design#pagination
  24. https://www.ics.uci.edu/~fielding/pubs/dissertation/fielding_dissertation.pdf
  25. https://www.ics.uci.edu/~fielding/pubs/dissertation/rest_arch_style.htm#sec_5_3
  26. https://www.ics.uci.edu/~fielding/pubs/dissertation/rest_arch_style.htm#sec_5_3_2
  27. https://www.w3.org/TR/soap12-part1/
  28. https://www.w3.org/TR/2007/REC-wsdl20-20070626/
  29. https://docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-SOAPMessageSecurity-v1.1.1-os.html
  30. https://engineering.fb.com/2015/09/14/core-infra/graphql-a-data-query-language/
  31. https://grpc.io/docs/what-is-grpc/introduction/
  32. https://datatracker.ietf.org/doc/html/rfc6455
  33. https://www.w3.org/TR/websub/
  34. https://www.cloudflare.com/learning/security/api/what-is-api-endpoint/
  35. https://restful-api-design.readthedocs.io/en/latest/resources.html
  36. https://restfulapi.net/resource-naming/
  37. https://blog.stoplight.io/crud-api-design
  38. https://learn.microsoft.com/en-us/aspnet/web-api/overview/older-versions/creating-a-web-api-that-supports-crud-operations
  39. https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Methods
  40. https://docs.aws.amazon.com/lambda/
  41. https://vercel.com/docs/functions
  42. https://medium.com/api-dev-tips/rest-api-design-endpoints-resources-and-data-patterns-0938df6263cd
  43. https://www.browserstack.com/guide/api-database
  44. https://blog.postman.com/end-to-end-testing-best-practices-postman-mock-servers/
  45. https://owasp.org/API-Security/
  46. https://docs.cloud.google.com/docs/authentication/api-keys-best-practices
  47. https://www.legitsecurity.com/aspm-knowledge-base/api-key-security-best-practices
  48. https://datatracker.ietf.org/doc/html/rfc6749
  49. https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/14/
  50. https://datatracker.ietf.org/doc/html/rfc7519
  51. https://csrc.nist.gov/projects/role-based-access-control
  52. https://csrc.nist.gov/pubs/sp/800/162/upd2/final
  53. https://owasp.org/API-Security/editions/2023/en/0x11-t10/
  54. https://auth0.com/docs/secure/tokens/token-best-practices
  55. https://csrc.nist.gov/pubs/sp/800/228/final
  56. https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
  57. https://axios-http.com/docs/intro
  58. https://square.github.io/retrofit/
  59. https://developer.apple.com/documentation/foundation/urlsession
  60. https://docs.stripe.com/sdks
  61. https://web.dev/articles/http-cache
  62. https://www.baeldung.com/rest-api-error-handling-best-practices
  63. https://datatracker.ietf.org/doc/html/rfc7807
  64. https://learn.microsoft.com/en-us/aspnet/core/fundamentals/error-handling-api?view=aspnetcore-9.0
  65. https://datatracker.ietf.org/doc/html/rfc7231
  66. https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status
  67. https://docs.aws.amazon.com/prescriptive-guidance/latest/cloud-design-patterns/retry-backoff.html
  68. https://learn.microsoft.com/en-us/dotnet/architecture/microservices/implement-resilient-applications/implement-http-call-retries-exponential-backoff-polly
  69. https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/rel_mitigate_interaction_failure_graceful_degradation.html
  70. https://blog.postman.com/best-practices-for-api-error-handling/
  71. https://www.ibm.com/docs/en/app-connect/12.0.x?topic=apis-handling-non-json-data-in-rest-api
  72. https://stackoverflow.com/questions/69373738/what-is-the-standard-acceptable-request-response-timeout-for-api-server-and-why
  73. https://learn.microsoft.com/en-us/azure/architecture/patterns/circuit-breaker
  74. https://www.openapis.org/blog/2024/10/24/openapi-specification-3-1-1-released
  75. https://www.getambassador.io/blog/api-versioning-best-practices
  76. https://redocly.com/blog/api-versioning-best-practices
  77. https://swagger.io/blog/api-strategy/best-practices-for-deprecating-apis/
  78. https://zuplo.com/learning-center/deprecating-rest-apis
  79. https://liblab.com/blog/api-versioning-best-practices
  80. https://www.mulesoft.com/api-university/best-practices-building-secure-and-scalable-api
  81. https://www.liquidweb.com/blog/microservices-scalability/
  82. https://redis.io/learn/howtos/solutions/microservices/api-gateway-caching
  83. https://www.akamai.com/blog/developers/how-cdn-can-make-your-apis-more-powerful
  84. https://developers.cloudflare.com/waf/rate-limiting-rules/best-practices/
  85. https://prometheus.io/
  86. https://aws.amazon.com/api-gateway/
  87. https://www.mulesoft.com/resources/api/programmableweb-shutdown
  88. https://www.mordorintelligence.com/industry-reports/api-management-market
  89. https://konghq.com/blog/enterprise/the-economic-impact-of-apis
  90. https://apidog.com/blog/api-marketplace/
  91. https://overctrl.com/the-rise-of-the-composable-web-apis-headless-and-the-fragmentation-of-the-monolith/
  92. https://www.xmatters.com/blog/apis-impact-on-devops-exploring-apis-continuous-evolution
  93. https://www.cncf.io/blog/2023/03/20/managing-api-sprawl-the-case-for-standards-and-consistency-in-api-operations/
  94. https://www.postman.com/api-platform/api-governance/
  95. https://www.asyncapi.com/docs
  96. https://www.twilio.com/en-us/pricing
  97. https://sendgrid.com/en-us/pricing
  98. https://mapsplatform.google.com/pricing/
  99. https://mapsplatform.google.com/resources/customer-stories/
  100. https://www.cloudblue.com/blog/api-integration-scaling-saas/
  101. https://api.data.gov/
  102. https://digital-strategy.ec.europa.eu/en/policies/open-data
  103. https://www.gov.uk/guidance/gds-api-technical-and-data-standards
  104. https://www.api.gov.uk/
  105. https://nordicapis.com/10-data-regulations-all-api-developers-should-know-about/
  106. https://oag.ca.gov/privacy/ccpa
  107. https://plaid.com/customer-stories/
  108. https://www.hl7.org/fhir/
  109. https://www.freecodecamp.org/news/create-crud-api-project/
  110. https://www.ics.uci.edu/~fielding/pubs/dissertation/rest_arch_style.htm
  111. https://graphql.org/learn/queries/
  112. https://www.apollographql.com/docs/apollo-server/getting-started
Add your contribution
Related Hubs
User Avatar
No comments yet.