Published: 05 August 2024
An API endpoint is a digital location where an application programming interface (API) receives API calls, also known as API requests, for resources on its server. API endpoints are components of APIs and are most often in the form of URLs, or uniform resource locators.
An API is an intermediary that enables software applications to communicate with each other to exchange data, features and functionality. It’s a set of protocols and rules that define how an API client—the software making a request—can communicate with a server to access data and functions. By using an API, developers can take advantage of already-existing data and services; and application owners can share or market those same data and services.
Endpoints function a little like phone numbers: just as a user dials a phone number to reach a certain person or business, API clients (the software making an API call) provide an endpoint URL to reach a specific resource. An endpoint URL provides the location of a resource on an API server and helps connect the API client with the resource it is requesting. It essentially tells the server, “the resource that I need is located here.”
API endpoints can enable an API client to request all kinds of data from an API, with use cases ranging from real-time updates from social media software applications to functionalities such as audio or video embedding, retrieving news stories or creating a new post.
Properly formatted and secure API endpoints are a crucial part of how APIs work. APIs simplify the design and development of new applications and services (because they enable developers to build off existing capabilities and services) and the integration and management of existing ones. They also offer significant benefits to developers and organizations at large including improved collaboration, accelerated innovation, increased agility, scalability, security and more. API endpoints enable the resource exchange that makes such integration possible.
For APIs to work as they should, API endpoints must be precise, intuitive, discoverable and authenticated, or else communication between client and server can break down—taking functionality and user satisfaction with it. Simply put, API endpoints enable API clients to successfully locate and access requested resources and functions.
API endpoints are usually found in an API’s documentation, which is where developers put API information such as what type of requests an API will accept and how requests should be formatted. Ideally, this documentation also includes a list of all available API endpoints and a short description of their functionalities.
In the context of a REST API (REST is a software architectural style frequently used for web applications), the process looks like this:
The process starts when an API client sends a resource request (API call) to the corresponding API endpoint. Endpoints are accessed by using HTTP request methods such as POST, GET, PUT, PATCH and DELETE. These methods indicate the action that the client is looking to take on the specified resource.
For example, if a client is looking to retrieve a list of Olympic medal totals for a certain year from the hypothetical database Olympicfacts.com, a GET request is sent to the following endpoint URL:
https://api.olympicfacts.com/v1/{year}
This request would return a list of Olympic medal totals by country. (v1 in our hypothetical endpoint indicates the version of the API, a common practice in API versioning.) If the client wanted a total for a specific country in a given year, an identifier would be added to the base URL:
https://api.olympicfacts.com/v1/year/{id}
In this example, the identifier {id} is used to indicate which country the client is looking to receive information about.
In addition, a request might include:
Once the server authenticates the request and validates the input, it retrieves the requested data and returns the response to the client. Many organizations use API gateways to execute these functions and manage API traffic flow.
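The request handling described above, as an added example that is not code from the original article or from the hypothetical Olympicfacts.com service: a minimal Python router for the two endpoints `/v1/{year}` and `/v1/{year}/{id}` that checks the HTTP method, validates both path parameters before any lookup, and returns a status code with a JSON body. The medal data, the four-digit year rule and the three-letter country id convention are constructed assumptions, and authentication is assumed to be handled upstream (for example by an API gateway).

```python
import json
import re

# Constructed sample data standing in for the hypothetical Olympicfacts.com database:
# year -> {country id -> medal total}. Values are made up for illustration.
MEDALS = {
    2020: {"USA": 113, "CHN": 89, "JPN": 58},
    2016: {"USA": 121, "CHN": 70, "GBR": 67},
}

YEAR_RE = re.compile(r"\d{4}")   # {year}: exactly four digits
ID_RE = re.compile(r"[A-Z]{3}")  # {id}: three-letter country code (assumed convention)


def handle(method: str, path: str) -> tuple[int, dict]:
    """Route one request to /v1/{year} or /v1/{year}/{id}.

    Returns (HTTP status, JSON-serialisable body). Authentication is assumed
    to have been performed upstream (e.g. by an API gateway), so this handler
    only validates input and looks up the resource.
    """
    if method != "GET":
        return 405, {"error": "method not allowed"}
    parts = path.split("?", 1)[0].strip("/").split("/")  # drop query string, trailing slash
    if len(parts) not in (2, 3) or parts[0] != "v1":
        return 404, {"error": "unknown endpoint"}
    # Validate the {year} segment before it is used in a lookup.
    if not YEAR_RE.fullmatch(parts[1]):
        return 400, {"error": "year must be four digits"}
    year = int(parts[1])
    if year not in MEDALS:
        return 404, {"error": f"no data for year {year}"}
    if len(parts) == 2:  # /v1/{year}: totals for every country
        return 200, {"year": year, "totals": MEDALS[year]}
    # /v1/{year}/{id}: total for one country
    country = parts[2]
    if not ID_RE.fullmatch(country):
        return 400, {"error": "id must be a three-letter country code"}
    if country not in MEDALS[year]:
        return 404, {"error": f"no data for country {country}"}
    return 200, {"year": year, "id": country, "total": MEDALS[year][country]}


if __name__ == "__main__":
    for req in [("GET", "/v1/2020"), ("GET", "/v1/2020/USA"), ("GET", "/v1/20x0"), ("DELETE", "/v1/2020")]:
        status, body = handle(*req)
        print(req, status, json.dumps(body))
```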
A REST API (also called a RESTful API or RESTful web API) is an API that conforms to the design principles of the representational state transfer (REST) architectural style.1 GraphQL is an open-source query language and server-side runtime that specifies how clients should interact with APIs.2
GraphQL and REST are both resource-based technologies that support similar data formats (JSON and XML, for example) and enable clients to request data from servers by using HTTP methods. However, they differ in their request requirements and data retrieval, among other differences. We will focus on a key endpoint-related difference.
REST APIs use multiple endpoints and have different endpoints for each resource. When a client requests a resource, the server returns all the data associated with the resource, even if the client only needs a small subset of the data. This is known as overfetching. If a client needs data spread across multiple resources, it needs to make separate API calls to each of those resources to compile the data needed.
GraphQL exposes data models by using a single endpoint and uses a syntax that enables clients to make API requests in a single line, or a few lines, to specify exactly what they need. GraphQL queries can follow references between resources and fulfill complex data retrieval tasks in a single request. This helps eliminate under- and overfetching issues and the need to make multiple API calls.
Neither REST nor GraphQL APIs are inherently superior; they’re different tools that are suited to different tasks.3
Key to any good API design is the testing phase. Modern applications often use APIs to integrate functions from other software, or are built by using microservices architectures (which rely on APIs for communication between disparate services). Testing API endpoints is essential to ensuring reliability.
APIs can be tested manually or through automation, and there are numerous testing tools and platforms (both open source and proprietary) that enterprises can use.
Manual API endpoint testing can be slower and less efficient, but also more precise and tailored to specific use cases. A basic functional test simply sends a request from an application and checks that the correct response is returned. In a social media example, this might mean sending a request for a new post by a particular user and checking that the returned post is indeed the correct one.
Other types of manual testing involve:
Automated testing done through an API management platform can deliver several advantages:
In general, each should return the intended response, in terms of format, data returned and status code.
Because API endpoints provide a way for both internal and external applications and systems to access and integrate data, they also present potential entry points for bad actors. Distributed denial of service (DDoS) attacks can flood a server with otherwise legitimate requests sent in overwhelming quantities. Other types of attacks might attempt to use API endpoints to extract more information than the client is authorized to receive, or to install malware or malicious code.
There are several ways that an organization can maintain the security of its API endpoints and overall API security, including:
HTTPS (a more secure version of hypertext transfer protocol or HTTP) uses transport layer security (TLS) to encrypt the communications between client and server. This increases the security of data transfers.
Rate limiting is a general term referring to efforts to set maximum quantities of requests, which can help prevent DDoS attacks and maintain system stability. Different limits can also be applied to different API endpoints.
If attacks are generated from a particular location, geofiltering can be used to block or limit access from those locations.
An API gateway is a software layer that acts as an intermediary between client devices and servers. It is a central point that accepts all API calls and routes them to requested services. Many of these security features (in addition to API monitoring and analytics features) can be implemented within an API gateway; and the use of a gateway promotes the consistent application of security protocols across an API environment.
API resources are datasets or objects that APIs provide. Resources vary based on the API in question, but content types include text, tables, source files, audio, video, images, users, products and much more.
An API endpoint is the specific location of those resources on a server. It is a point of contact between an API client and server, where API calls are directed.
Think of a business listing for a store. The listing provides the location of the store (the endpoint) and how to contact it to request information such as store hours and product inventory (the resources).
An API key is a method to verify and authenticate the identity and authenticity of a client making an API call. API keys are strings of randomly generated characters issued by an API provider to registered API users. When a client device makes an API call, it includes the API key. The API gateway or API server that receives the call first checks the key to validate the client’s identity before fulfilling the API request. If the key does not match any of the permitted keys, the server declines the API call and issues a rejection message.
Organizations use API keys to authenticate individual clients and projects, track and identify traffic patterns, block unwanted use and more.
API endpoints, as discussed, act as an interface between clients and servers where API clients direct requests for certain data or functions from an API. API keys can be used to improve the security of an enterprise’s entire API environment and its API integrations.
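As an added example (not code from the original article or from any gateway product), a minimal Python gateway layer that combines three of the measures described earlier, geofiltering, per-endpoint rate limiting and the API key check described in the section above, in the order a gateway would apply them. The key strings, the blocked region code and the limits are constructed placeholders; TLS termination (HTTPS) is assumed to happen in front of this layer and is not shown.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed configuration. Keys are placeholders; a real gateway would load
# them from its key store and the geofilter list from its own threat data.
API_KEYS = {
    "key-placeholder-A": "client-a",
    "key-placeholder-B": "client-b",
}
BLOCKED_COUNTRIES = {"XX"}  # placeholder region code to deny at the edge
# Per-endpoint limits as (max requests, window seconds); login is stricter than read-only totals.
LIMITS = {"/v1/totals": (5, 60), "/v1/login": (2, 60)}
DEFAULT_LIMIT = (10, 60)


class Gateway:
    def __init__(self, clock=time.monotonic):
        self.clock = clock  # injectable so the window logic can be tested deterministically
        self.windows = defaultdict(deque)  # (client, endpoint) -> request timestamps

    def authenticate(self, api_key):
        """Map a presented key to a client name, or None. Constant-time compare."""
        for key, client in API_KEYS.items():
            if hmac.compare_digest(key, api_key or ""):
                return client
        return None

    def rate_limited(self, client, endpoint):
        """Sliding-window limit, counted separately per client and endpoint."""
        max_req, window = LIMITS.get(endpoint, DEFAULT_LIMIT)
        now = self.clock()
        stamps = self.windows[(client, endpoint)]
        while stamps and now - stamps[0] >= window:
            stamps.popleft()  # forget requests that fell outside the window
        if len(stamps) >= max_req:
            return True
        stamps.append(now)
        return False

    def handle(self, api_key, client_country, endpoint):
        """Return the HTTP status the gateway would send: 403, 401, 429 or 200 (forwarded)."""
        if client_country in BLOCKED_COUNTRIES:
            return 403  # geofilter: cheapest check, applied first
        client = self.authenticate(api_key)
        if client is None:
            return 401  # key does not match any permitted key; request declined
        if self.rate_limited(client, endpoint):
            return 429  # over this endpoint's budget
        return 200  # request forwarded to the API server
```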
