3_Comprehensive API Notes

API

  • API (Application Programming Interface) is a set of rules and protocols for software applications to communicate.
  • It defines the structure of requests and responses for seamless interaction between systems.
  • Key aspects:
    • Interface for communication: Enables data/service requests and exchange.
    • Standardized requests/responses: Follows formats like JSON or XML.

Types of APIs

  • Based on Availability (Access):
    • Open APIs (Public APIs):
      • Available to developers/public with minimal restrictions.
      • Example: Google Maps API.
    • Partner APIs:
      • Shared with specific partners; require authentication.
      • Example: PayPal API for merchants.
    • Internal APIs (Private APIs):
      • Used within an organization for internal systems.
      • Example: API for a company's HR system.
    • Composite APIs:
      • Combine multiple API calls into a single request for improved efficiency.
  • Based on Functionality:
    • Web APIs:
      • Accessible over the web via HTTP(S).
      • Includes REST, SOAP, and GraphQL APIs.
    • Database APIs:
      • Provide access to databases, enabling CRUD operations.
      • Example: MySQL API.
    • Operating System APIs:
      • Allow software to interact with OS features.
      • Example: Windows API, Android API.
    • Remote APIs:
      • Enable interaction between applications on different systems.
      • Example: RPC (Remote Procedure Call).
  • Based on Architecture
    • RESTful APIs (Representational State Transfer):
      • Use standard HTTP methods (GET, POST, PUT, DELETE) and are stateless.
      • Example: Twitter API.
    • SOAP APIs (Simple Object Access Protocol):
      • Use XML-based messaging and are highly secure.
      • Example: Payment processing APIs.
    • GraphQL APIs:
      • Allow clients to request only the needed data, making them more flexible than REST.
      • Example: GitHub GraphQL API.
    • gRPC APIs:
      • Use protocol buffers for efficient communication and are ideal for microservices.
      • Example: Kubernetes API.

RESTful API

  • A web service following REST (Representational State Transfer) architecture principles.
  • Enables clients (web browsers, mobile apps) to interact with a server using standard HTTP methods.
  • REST Principles:
    • Client-Server: Separation of concerns between client and server.
    • Stateless: Each request is independent; no client state is stored on the server.
    • Cacheable: Responses can be cached for better performance.
    • Uniform Interface: Consistent API structure using standard HTTP methods.
    • Layered System: API can have multiple layers for security, caching, etc.
    • Code on Demand: Server can send executable code to clients (optional).
  • Key Characteristics:
    • Stateless: Each request from a client contains all necessary information, and the server does not store client state between requests.
    • Uses Standard HTTP Methods:
      • GET: Retrieve data
      • POST: Create new data
      • PUT: Update existing data
      • DELETE: Remove data
    • Resource-Based: Data represented as resources (e.g., users, products) accessed using URLs (e.g., /users/1).
    • Uses JSON or XML: Most REST APIs use JSON for request and response formatting because it's lightweight and easy to parse.
    • Layered Architecture: The API can have multiple layers (e.g., security, caching) that operate independently.

SOAP API

  • SOAP (Simple Object Access Protocol) is a protocol for exchanging structured information in web services.
  • SOAP is a strict messaging protocol that follows a well-defined standard using XML, unlike REST, which is an architectural style
  • Key Characteristics of SOAP API:
    • Uses XML for messaging: Requests and responses are formatted in XML.
    • Protocol-based: Follows strict rules (e.g., WSDL, XML Schema).
    • Supports ACID transactions: Ensures reliability in enterprise systems.
    • Works over multiple transport protocols: HTTP, SMTP, TCP, etc.
    • Built-in security (WS-Security): Supports encryption, authentication, and authorization.

SOAP vs. REST

FeatureSOAPREST
Protocol/StyleStrict protocolArchitectural style
Data FormatXML onlyJSON, XML, text, etc.
TransportHTTP, SMTP, TCPHTTP only
PerformanceSlower (XML overhead)Faster (lightweight JSON)
SecurityWS-Security (built-in)OAuth, JWT (custom security)
Use CaseBanking, enterprise appsWeb, mobile apps, public APIs

GraphQL API

  • A modern API technology allowing clients to request exactly the data they need.
  • Provides a single endpoint where clients can query and retrieve only the necessary data, unlike REST, which requires multiple endpoints for different resources.
  • Key Features of GraphQL API
    • Single Endpoint: No need for multiple REST routes (/users, /posts).
    • Client-Defined Queries: Clients specify what fields they need, reducing over-fetching.
    • Strongly Typed Schema: Defines data structures and relationships in a schema.
    • Efficient Data Fetching: One request can retrieve related data (users & posts together).
    • Real-Time Capabilities: Supports subscriptions for real-time updates.

Same-Origin Policy (SOP)

  • A security mechanism in web browsers preventing malicious websites from accessing sensitive data from another site.
  • Restricts web pages from making requests to a different domain than the one that served the original web page.
  • What Defines an "Origin"?
    • Protocol (HTTP, HTTPS)
    • Host (Domain) (example.com, api.example.com)
    • Port (80, 443, 3000, etc.)
  • How SOP Affects Web Applications
    • Blocked by SOP (Without CORS or Other Workarounds)
      • JavaScript on https://example.com cannot fetch https://api.anotherdomain.com/data
      • An attacker cannot read data from https://bank.com if the user is logged in there.
    • Allowed Under SOP
      • Web pages can freely access resources from the same origin.
      • Cookies and authentication headers are only sent to the same origin by default.

CORS (Cross-Origin Resource Sharing)

  • A security feature allowing web servers to control which domains can access their resources.
  • Bypasses the default Same-Origin Policy (SOP) restrictions in web browsers, enabling safe cross-origin requests.
  • Why Is CORS Needed?
    • By default, the Same-Origin Policy (SOP) blocks JavaScript from making API calls to a different origin (different domain, protocol, or port).
    • However, many web apps need to interact with APIs hosted on different domains.
    • CORS allows this safely by specifying which origins can access the server.

Authentication

  • The process of verifying the identity of a user, system, or entity.
  • Confirms that a user is who they say they are when they log into a system in the context of web applications.
  • Types of Authentication
    • Password-based Authentication: Using a username and password combination to authenticate.
    • Two-Factor Authentication (2FA): A second verification step, often something you know (password) + something you have (phone or app).
    • Biometric Authentication: Using fingerprints, face recognition, or other biological identifiers.
    • Token-based Authentication: Involves using a secure token (like JWT) instead of traditional session cookies.

SSO (Single Sign-On)

  • An authentication process that allows a user to access multiple applications with one set of login credentials (such as a username and password).
  • Users can seamlessly access all authorized applications without needing to log in again to each one individually once authenticated through SSO.
  • SSO lets users log in once and get access to many different systems or services without having to enter their credentials repeatedly, in simpler terms.