What is an API call?
Mostly overlooked, API Call is a crucial aspect to understand as it’s the foundation of further detailed API functionalities. Just as we need a switch on the TV or need a keyboard to provide inputs to the laptop/computer, we need API Calls to call out data from another app/software. Created and exchanged in a huge amount, API Call is the most crucial aspect of the API ecosystem. Let’s learn more about it.
API Call Meaning
As we all know, API is the entity required for data exchange between two applications/software. When an API puts forward a request for data/functionality access to other applications/software, it’s known as API Calls.
On a structural level, it’s the message that a certain API forwards to a server to build a connection with the API of other applications/software. It’s like a command or request, made with an invention to reduce the efforts and time consumed to access a piece of particular information.
If you’re trying to understand API Call vs request then they are more or less the same.
Here is a simple example explaining the API Call meaning.
Suppose you searched “best flight tickets to Dubai” on Google.
Upon the receipt of the request, Google will send the API Calls to various service providers to know about their prices and availability. The details will be provided in the form for API only. Google will receive it and display the results to you. All of this happens very quickly.
API Call in Action
When an API Call is generated, an API endpoint is defined for sure. The API endpoint is the source where the API Call will go or the resource that receives the API Calls. Most commonly, API Calls are received by servers or web applications. Hence, they are API endpoints - responsible for accepting the API Calls, processing them, capturing the information, and providing the response/answer/output.
To ensure that API Calls reach the desired API endpoint. To make this happen, each API Call features a URI. This is the industry standard to spot the right destination. Depending upon the situation, URI could be a server, application, email contact, or website.
In the case of web APIs, URI becomes URL. It is used to recognize the assigned internet destination. An ideal and viable URL is one featuring the application layer protocol like HTTP or HTTPS. HTTPS is more secure than HTTP and is mostly used by API security-concerned businesses.
However, HTTP-based API Calls are very common as most web APIs are HTTP-based. HTTP API Calls take the help of standard HTTP verbs that include POST, PUT, and GET. Based upon the HTTP verb used, API Calls decide what kind of info piece or data that API endpoint should proffer.
Examples of API Calls
As APIs are at the backstage of every responsive application, API Calls are everywhere. Let’s have a look at API Calls and how they might look. As Facebook is a well-known platform, we’re going to provide API Call examples in its context.
GET https: //api.facebook.com/1.1/followers/user_id.json
This API Call is enabled to produce any result as only an endpoint is defined. To make it more prompt and result-driven, a wide range of parameters can be added to the request.
Here is a little more complex example.
GET https: //api.facebook.com/1.1/followers/ids.json?cursor=-2&screen_name=smartsandy&count=1000
Now, a lot of actions will take place with this single API Call. For instance, the cursor will be set to -2 which will lead to basic pagination. Secondly, the screen_name parameter will target the user named ‘smartsandy.’
The third parameter, which is count set to 1000 limits, refers to the total number of Facebook user IDs included in a single request. Setting up this limit prevents data overflow.
How To Make API Calls?
Calling is the way to communicate for services; API acts as the mediator that ensures if the call is connected between the services willing and authenticated for it. Making API calls is easy if the strategic approach is followed. Here is what we meant.
- Step. Know the URI of the concerned source
The very first step that one has to take for API Calling is to figure out the URI of the software/program whose data you’re going to extract.
Just as a house has an address, a server/software will have a URI. Hence, you must know it to learn about the destination of your API calls.
Take note of the fact that distinct APIs will have distinct endpoints. Each endpoint will have a distinct end path to follow.
- Step. Attach an HTTP verb to the API call
After fetching the URI details, the next step that you should take up is to comprehend the API request formulation. The process starts with injecting a request verb in the API call being sent out. The most common ones in this row are:
- GET that is useful for resource retrieving
- POST that is used for generating a new resource
- PUT is useful for editing/updating the current resource details
- DELETE to get rid of the unwanted resource
Each verb instructs the API to perform a different action. For instance, if you need to find out the details of the top tools of the Wallarm platform with their current version being “1.0” using the official API, the GET request will look like this:
GET https: //call.example.com/api/top-tools /v1/list.json?api_key=XXXXXXXXX&version=1.0
With this API request verb, it’s possible to find out the list of top "Call" tools with its version as ‘1.0’. If such a list exists, you will see the related details in JSON/XML formatting alongside the code 200 means everything is ok.
In case of the list absence, you will receive the code 404.
If the JSON-based response doesn’t make any sense to you, just try converting it to Excel, and you will be able to see the list of Wallarm tools.
- Step. Add a header to the API calls
A header guides an API about the call initiated and the response that one might expect. Without it, an API call will keep wandering here and there. The three generally-appended header types in the calls/requests are:
It is useful to allow servers to understand the API call in-depth, as it carries the details of the key components like version/release, OS, vendor, app, and so on. With this header, it’s easy for an API to ensure smooth information exchange.
API calls use this header to find out the type of content an API call request is featuring. It tells about the format of the content. Is it JSON or XML? This header is important as its absence will confuse the API so much that it will fail to decipher the request’s meaning and how to make sense of it. So, a response won’t be provided.
Accept header allows API users to define the response format that an API would like to receive. In its absence, the response could be in JSON format while you need it in XML format. Even though you will receive a response, you won’t get it in the desired format. Converting it to the desired format will require more effort.
- Step. Attach an access token/API keys
Access tokens and API keys are used to make API identification easy. They feature unique numbers & letters that help in finding the API call resource. API keys and access tokens are useful to accept or reject the API request as per the permissions provided by the client.
- Step. Wait for a while until a response is generated
Everything is done, and you will get a response soon. Based on the information, the received code could indicate success or failure. The most commonly used codes are 2XX, which refers to success, and 4XX, which refers to error codes. XX means that multiple versions of these codes exist.
Let’s understand them:
- 2XX Codes
Every version of the 2XX code means success only. For instance, 200 OK means the request is fulfilled, while 201 Created means the request is successfully generated on the server. 202 Accepted indicates successful reception of the request. 204 No Content means that even though the request-sender has succeeded, there exists no content to be returned.
- 4XX Codes
As mentioned above, 4XX codes indicate errors. The common version of this code is 400, which signifies a Bad Request. It is received when the call/request has certain errors. The other similar codes are:
401: Unauthorized. It specifies that the client has no right to ask for this resource.
403: Forbidden. It confirms that the request is legit, but the resource it is trying to access is forbidden for the user or everyone at present.
404: Not Found. Most famous of all, Error 404 tells that the resource being requested doesn’t exist.
How to Protect API Calls?
If not handled with due diligence and security, API Calls can be a great threat to the API security and the IT infrastructure it is connected to. Insufficiently handled API Calls are prone to various threats as attackers can use them to carry out:
- Dos or DDoS attack is a type of attack wherein verified or authorized users are restricted to access APIs. To avoid access or make APIs unavailable, threat actors send multiple API Calls to one API. The scenario results in a crowded or unresponsive API.
- Various vulnerability exploits attacks. This attack-type deal is an already-vulnerable API and takes advantage of it. Depending upon the extent of the API exploit, an attacker could ask for sensitive information or prevent access to a particular API.
Hence, it’s very crucial to protect API Calls. The most common API Calls preventive measures, adopted by security experts, are as mentioned below:
- Keep a track of API endpoints and understand where your API Calls are reaching.
- Always verify API clients by using API authentication, implying only verified resources are sending API Calls to you. You can use mutual TLS and public-key cryptography for API Call authentication.
- Take the help of a useful API security platform. Wallarm is a very extensive and feature-rich platform offering multiple security solutions for APIs. Capable of handling the security of all the leading API Calls, including REST API Calls and SOAP API Calls, this platform will help you keep track of API Calls from the creation to the delivery stage.
APIs are of no use without API Calls. So, stop ignoring this vital aspect of the API ecosystem and start comprising it in API security policy. When API Calls are secured, protected and verified results are generated.
Subscribe for the latest news
Our recent webinar with the industry overview and product demo.
Solution brief on protecting apps and APIs with Wallarm.