Can't wait to build your API? Do you want to integrate an existing API into your future IT project?
First of all, learn what the API does and on what terms it may be used.
Find out about existing APIs
Analyze an existing API in relation to your needs
To carry out an IT project you need to know your tools, and an API is one of those tools.
Ask yourself the following questions:
- Does the API already exist? If so, good, but you are not done yet: you need to find out about the rights to use it.
- Does the API not exist? Check whether part of your need is already covered by some other API. Here again, find out about the rights to use it.
- Is there nothing on the web? Create your own.
Learn about API usage rights
Have you found an API for your IT project? Great!
Start by looking at the usage rights of this API. An API may come with restrictions: on its use in a commercial project, on the copyright of the data it returns, and so on.
For example, the ArcGIS REST API can be used free of charge (subject to Esri's terms of use).
Some APIs require a licence, which may be free or paid.
Other APIs require authentication (a username and password, or a key) before you can access them. Being able to authenticate does not by itself tell you what you may do with the data: read the terms.
How you use the API also matters. An API may expose critical or confidential information, and whatever you send to it can be stored, logged and reused by its operator, or intercepted if the connection is not protected. So never hand an API confidential data that could be used fraudulently (bank details, for example) unless you have checked who operates it and why it needs that data.
Distinguish between public API and private API
Do you want to use the Gmail API in your IT project? No problem: this API is open to developers outside Google. It is a public API, also called an "open API" (not to be confused with the OpenAPI Specification, which is a format for describing REST APIs).
Be aware that to be exposed publicly, an API must meet certain constraints, particularly in terms of security: since anyone on the internet can call it, it needs authentication, input validation and rate limiting.
Otherwise we speak of a private API, that is, an API that can only be consumed within the company that developed it. A private API still needs authentication: anyone who can reach its network can try to call it.
Use an API safely
Check the source of the API to avoid unpleasant surprises
Found your API? Great!
But are you sure you checked where it came from?
Say you want to create an online store. You have found a great API for handling online payment, but have you checked that it is trustworthy?
An API, however attractive, can be a scam. For your online store the consequences would be catastrophic if your users' bank details were copied at the moment of payment, and you would be held responsible.
So keep your eyes open before using an API: check who publishes it, that the domain you call really belongs to that publisher (not just the name on a web page), and what it says about security and data handling.
Prefer APIs from an established, accountable publisher, certified where the domain calls for it (a payment provider, for instance, should be able to show its PCI DSS certification). If necessary, pay for an API rather than build your own when you do not have the time to do it properly.
The sample URLs in this course all use HTTPS. Use only this protocol to talk to an API: over plain HTTP, credentials, API keys and the data exchanged travel in clear text and can be read or modified by anyone on the path.
For example, the company Cdiscount provides an API to register on its marketplace. An API published and operated by the company itself, as this one is, at least has a clearly identifiable and accountable publisher, which is the first thing to check.
Test the API in Postman
Found your API? Have you checked its provenance and reliability?
Great! You should now test the API before using it in your program.
Install Postman and configure it, then familiarise yourself with it on a few example requests: send a request to one endpoint, look at the status code, the headers and the body that come back, and also try an invalid or unauthenticated request to see how the API behaves when something goes wrong.
You now have the tools to use an API safely. Let's continue with authentication!
Authenticate your API
What is Authentication?
You now have a better understanding of how APIs work. You know:
- who are the client and the server;
- that they communicate using the HTTP protocol;
- and that they use specific data formats to understand each other.
Being able to talk is great, but how does the server know the client is who it claims to be?
Have you ever registered on a website? Then you filled in a form with some personal details, a username and a password, which became your credentials. When you return to the site, it recognises you by these credentials.
This technical process is called authentication.
More concretely, when you authenticate with a server, you prove your identity by giving it information that only you know (or hold). Once the server knows who you are, it can decide what to let you do and give you access to the resources in your account.
It is the same for clients using APIs: once you are authenticated on the API, you can use it. There are several authentication techniques:
- basic authentication;
- key authentication;
- OAuth (open authorization), in practice OAuth 2.0.
Authenticate to the API with basic authentication
Basic authentication is the simplest scheme. It requires a username and a password.
Technically:
- the client joins the two credentials as username:password, encodes the result in Base64 and sends it in the Authorization header of the HTTP request (Authorization: Basic <encoded value>). Base64 is an encoding, not encryption: anyone who can read the request can recover the password, which is why basic authentication must only be used over HTTPS;
- on receipt of the request, the server decodes the value and compares the username and password with the credentials it has recorded (it should store only a password hash, and compare in constant time). If they match a known user, the server executes the request. Otherwise it returns the status code 401 (Unauthorized), with a WWW-Authenticate header, to tell the client that authentication failed and the request was not executed.
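The exchange above, both sides, as an added example that is not part of the original course: the client builds the Authorization header, the server decodes it, checks the password against a stored hash and answers 200 or 401. The user table, the password and the realm name are constructed for the example; the "Aladdin / open sesame" pair is the one used in RFC 7617.

```python
import base64
import hashlib
import hmac
import os

# Constructed user table for the example: the server keeps a salt and a PBKDF2
# hash of the password, never the password itself. Any modern password hash
# (argon2, bcrypt, scrypt) would do; PBKDF2 is used because it is in the stdlib.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


_ALICE_SALT = os.urandom(16)
USERS = {
    "alice": (_ALICE_SALT, hash_password("correct horse battery staple", _ALICE_SALT)),
}

# Sent with every 401 so the client knows which scheme and realm to use.
CHALLENGE = {"WWW-Authenticate": 'Basic realm="api"'}


def build_basic_header(username: str, password: str) -> str:
    """Client side (RFC 7617): 'username:password', Base64-encoded.

    Base64 is reversible, so this hides nothing from anyone who sees the
    request: it is not encryption. Send it over HTTPS only.
    """
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_header(value: str) -> str:
    """What an eavesdropper on plain HTTP does: recover 'username:password'."""
    return base64.b64decode(value.partition(" ")[2]).decode("utf-8")


def check_basic_auth(headers: dict) -> tuple:
    """Server side. Returns (status_code, response_headers, username).

    username is '' when the request was not authenticated.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return 401, dict(CHALLENGE), ""        # no usable credentials: challenge the client
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return 400, {}, ""                     # malformed header, not an auth failure
    # A username may not contain ':' (RFC 7617) but a password may, so split
    # on the first colon only.
    username, sep, password = decoded.partition(":")
    if not sep:
        return 400, {}, ""
    record = USERS.get(username)
    if record is None:
        # Hash anyway, so response time does not reveal whether the user exists.
        hash_password(password, b"\x00" * 16)
        return 401, dict(CHALLENGE), ""
    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return 401, dict(CHALLENGE), ""
    return 200, {}, username
```

The 400 for a malformed header is deliberate: a client that cannot even produce a well-formed Authorization value has a bug, and telling it apart from a wrong password makes both sides easier to debug.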
Authenticate the API with a key
Basic authentication works, but the credentials used to access the API are those of the user account itself. By analogy, it is like a hotel giving you the key to the whole building rather than to your room.
For the API it is the same: it is better that the client does not have the full permissions of the account owner. Otherwise, anyone who gets hold of your credentials can take over your account, which is not what you want.
To solve this problem there is a technique: access the API with a dedicated key. The key is usually a random string of letters and digits, distinct from your account password. The key is what you hand to the client, just as the hotel hands you the key to your room. Technically:
- the client authenticates by presenting the API key. It can be passed as a URL parameter, for example https://exemple.com?api_key=my_secret_key, but a URL ends up in browser history, proxy and server logs and the Referer header, so sending the key in an HTTP header (for example X-Api-Key or Authorization) is preferable;
- the server looks up the key, knows which account it belongs to and can give it access to the resources. But there is more:
the server can also restrict what a given key may do, for example by refusing it access to administrative functions such as changing the password or deleting the account. And the key spares the user from ever handing their password to the client. API keys therefore serve both to limit what a client can do and to protect the user's password. A key is still a secret: the server should store only a hash of it, and the user should be able to revoke it.
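The two server-side points above, a key that is not the account password and a key whose rights are narrower than the account's, as an added example (not code from the original course): keys are minted with a key id and a random secret, only a hash of the secret is stored, the key is read from an X-Api-Key header rather than the URL, and an endpoint table decides which scope each operation needs, so a read-only key gets 403 on administrative operations. The endpoint paths, scope names and header name are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed in-memory key store: key id -> (sha256 of the secret, owner, scopes).
# Only a hash of the secret is kept, so a leaked database does not leak usable keys.
KEY_STORE: Dict[str, Tuple[bytes, str, FrozenSet[str]]] = {}

# Hypothetical endpoint table: the scope each operation requires. Administrative
# operations get their own scope, so an ordinary key cannot reach them.
ENDPOINT_SCOPES = {
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:write",
    ("POST", "/account/password"): "account:admin",
    ("DELETE", "/account"): "account:admin",
}


def _digest(secret: str) -> bytes:
    return hashlib.sha256(secret.encode("utf-8")).digest()


def issue_key(owner: str, scopes) -> str:
    """Mint a key of the form '<key id>.<secret>' limited to the given scopes."""
    key_id = secrets.token_hex(8)        # public part: lets the server find the record
    secret = secrets.token_urlsafe(32)   # private part: 256 bits from the OS CSPRNG
    KEY_STORE[key_id] = (_digest(secret), owner, frozenset(scopes))
    return f"{key_id}.{secret}"          # shown to the user once; the server cannot recover it


def revoke_key(api_key: str) -> None:
    """The user can drop a key without touching the account password."""
    KEY_STORE.pop(api_key.partition(".")[0], None)


def authenticate(headers: Dict[str, str]) -> Optional[Tuple[str, FrozenSet[str]]]:
    """Read the key from the X-Api-Key header (not from the URL, which gets logged)."""
    key_id, sep, secret = headers.get("X-Api-Key", "").partition(".")
    if not sep:
        return None
    record = KEY_STORE.get(key_id)
    if record is None:
        return None
    stored_digest, owner, scopes = record
    if not hmac.compare_digest(_digest(secret), stored_digest):   # constant-time compare
        return None
    return owner, scopes


def handle(method: str, path: str, headers: Dict[str, str]) -> int:
    """Return the HTTP status the server would answer with."""
    identity = authenticate(headers)
    if identity is None:
        return 401                      # who are you?
    _owner, scopes = identity
    required = ENDPOINT_SCOPES.get((method, path))
    if required is None:
        return 404
    if required not in scopes:
        return 403                      # known key, but not allowed to do this
    return 200
```

Splitting the key into an id and a secret is what lets the server store only a hash: it finds the record by the id and then compares the hash of the secret, instead of hashing every stored key to find a match.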
API key authentication is fine, but is there an even more secure system? Yes: open authorization, more commonly known as OAuth.
Authenticate the API with OAuth2
Working with API keys is not always convenient day to day (typing errors, the user has to obtain the key from the server and then paste it into the client). Want another solution? OAuth 2.0.
No, it is not the name of a robot in Star Wars, but simply the name of an authorization delegation protocol.
Despite this rather pompous name, it is the most widely used technique on the web today. Strictly speaking OAuth 2.0 delegates authorization (what the application may do on your behalf); proving who the user is on top of that is the job of OpenID Connect, which is built on OAuth 2.0.
For example, when you use a Twitter client on a smartphone or computer, the application does not ask for your password each time you post a message. At some point you simply granted it permission, for a chosen set of rights (posting, say, but not changing your password), and it received a token. Your credentials are never transmitted with the requests; the token is, and it can be revoked without changing your password. Simple, isn't it?
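The delegation described above, as an added example that is not code from the original course or from any OAuth library: the messages of the OAuth 2.0 authorization code flow as the client builds and checks them, with the PKCE extension (RFC 7636), which the text does not mention but which current guidance requires for this flow. The authorization server URLs, client id, redirect URI and scope names are assumptions; the code verifier and challenge pair asserted in the usage are the test vector from RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical authorization server endpoints and client registration.
AUTHORIZE_URL = "https://auth.example.com/authorize"
TOKEN_URL = "https://auth.example.com/token"
CLIENT_ID = "my-twitter-client"
REDIRECT_URI = "https://app.example.com/callback"


def code_challenge(verifier: str) -> str:
    """PKCE S256: base64url(sha256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def start_authorization(scopes):
    """Step 1 (client): the URL to send the user's browser to.

    Returns (url, state, verifier); state and verifier stay in the user's
    session until the callback comes back.
    """
    state = secrets.token_urlsafe(16)      # ties the callback to this session (anti-CSRF)
    verifier = secrets.token_urlsafe(64)   # 43..128 chars, as RFC 7636 requires
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),         # only the rights the app needs, e.g. tweet.write
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state, verifier


def request_params(url: str) -> dict:
    """Flatten the query string of a request URL, to inspect what was sent."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def handle_callback(redirect_url: str, expected_state: str) -> str:
    """Step 2 (client): the browser returns with ?code=...&state=...; give back the code."""
    query = request_params(redirect_url)
    if not hmac.compare_digest(query.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch: not a callback we initiated")
    if "error" in query:
        raise ValueError(f"authorization refused: {query['error']}")
    return query["code"]


def token_request(code: str, verifier: str) -> dict:
    """Step 3 (client): POST body sent to TOKEN_URL to swap the one-time code for tokens."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,         # proves this is the client that started step 1
    }


def server_checks_pkce(challenge_seen_in_step_1: str, request: dict) -> bool:
    """What the authorization server does before issuing a token."""
    try:
        recomputed = code_challenge(request["code_verifier"])
    except (KeyError, UnicodeEncodeError):
        return False
    return hmac.compare_digest(recomputed, challenge_seen_in_step_1)


def api_call_headers(token_response: dict) -> dict:
    """Step 4 (client): every API request carries the access token, never the password."""
    if token_response.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token type")
    return {"Authorization": f"Bearer {token_response['access_token']}"}
```

The state parameter is what stops an attacker from completing the flow with a code of their own in the victim's browser, and the verifier/challenge pair is what stops a stolen authorization code from being exchanged by someone who did not start the flow.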
Discover other APIs
There is not only REST on the API market: SOAP APIs are also widely used on the web.
What is SOAP?
SOAP is not an architectural style but a communication protocol, based exclusively on XML, that lets applications exchange information, usually over HTTP. It stands for "Simple Object Access Protocol".
The protocol thus gives access to web services and makes applications interoperable across the web, with a formal, strictly typed description of each operation.
Compared with REST, SOAP is slower and uses more bandwidth, because its XML messages are more verbose than REST messages.
In summary, if you need to publish a complex API with a formal contract to the outside, SOAP can be more useful; if you want to learn API implementation quickly, REST is for you.
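To make the verbosity comparison concrete, an added example (not code from the original course) that builds a SOAP 1.1 request for a hypothetical GetStockPrice operation, builds the JSON body a REST client would send for the same call, and parses a constructed SOAP response, including the SOAP Fault case. The service namespace, operation and element names and the sample responses are all constructed for the example; only the SOAP envelope namespace is the real one.

```python
import json
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
APP_NS = "http://example.com/stock"                      # hypothetical service namespace


def build_soap_request(symbol: str) -> bytes:
    """SOAP request for the hypothetical GetStockPrice operation.

    Built with ElementTree rather than string formatting, so a symbol containing
    '<' or '&' is escaped instead of breaking (or injecting into) the XML.
    """
    ET.register_namespace("soap", SOAP_NS)
    ET.register_namespace("m", APP_NS)
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{APP_NS}}}GetStockPrice")
    ET.SubElement(op, f"{{{APP_NS}}}StockName").text = symbol
    return ET.tostring(envelope, encoding="utf-8", xml_declaration=True)


def build_rest_request(symbol: str) -> bytes:
    """The same call as a REST client would send it: a small JSON body."""
    return json.dumps({"symbol": symbol}).encode("utf-8")


# Constructed SOAP response, as the service might return it.
SAMPLE_SOAP_RESPONSE = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <m:GetStockPriceResponse xmlns:m="http://example.com/stock">
      <m:Price>34.5</m:Price>
    </m:GetStockPriceResponse>
  </soap:Body>
</soap:Envelope>"""

# Constructed SOAP Fault: errors travel inside the envelope (usually with HTTP 500).
SAMPLE_SOAP_FAULT = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Client</faultcode>
      <faultstring>Unknown stock symbol</faultstring>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>"""


def parse_soap_price(raw: bytes) -> float:
    """Extract the price, raising on a SOAP Fault or a malformed envelope.

    ET.fromstring is acceptable for a trusted service; for XML from an untrusted
    source, parse with defusedxml to rule out entity-expansion attacks.
    """
    root = ET.fromstring(raw)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("not a SOAP envelope")
    fault = body.find(f"{{{SOAP_NS}}}Fault")
    if fault is not None:
        raise RuntimeError(fault.findtext("faultstring", default="unknown fault"))
    price = body.findtext(f"{{{APP_NS}}}GetStockPriceResponse/{{{APP_NS}}}Price")
    if price is None:
        raise ValueError("no Price in response")
    return float(price)


def soap_overhead(symbol: str) -> float:
    """Bytes on the wire for the SOAP request divided by the JSON equivalent."""
    return len(build_soap_request(symbol)) / len(build_rest_request(symbol))
```

Note that a SOAP client cannot rely on the HTTP status alone: the fault above is a perfectly well-formed envelope, so the parser has to look for it explicitly.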
Some recommendations
You will have understood: using an API is good, knowing it is better!
Here are a few tips :
- avoid using an insecure public API (no HTTPS, no authentication, no identifiable publisher);
- prefer a REST API, ideally a RESTful one;
- prefer an API that uses the JSON exchange format.