What is a REST API?

A REST API (also called a RESTful API or RESTful web API) is an application programming interface (API) that conforms to the design principles of the representational state transfer (REST) architectural style. REST APIs provide a flexible, lightweight way to integrate applications and to connect components in microservices architectures.
 

First defined in 2000 by computer scientist Dr. Roy Fielding in his doctoral dissertation, REST gives developers a relatively high degree of flexibility, scalability and efficiency. For these reasons, REST APIs have become a common method for connecting components and applications in a microservices architecture.

REST design principles

At the most basic level, an API is a mechanism that enables an application or service to access a resource within another application or service. The application or service that accesses resources is the client, and the application or service that contains the resource is the server. Some API styles, such as SOAP or XML-RPC, impose a strict framework on developers. REST APIs, by contrast, can be built in virtually any programming language and can support a variety of data formats. The only requirement is that they align with the following six REST design principles, also known as architectural constraints.

Uniform interface

All API requests for the same resource should look the same, no matter where the request comes from. The REST API should ensure that the same piece of data, such as the name or email address of a user, belongs to only one uniform resource identifier (URI). Resources shouldn’t be too large but should contain every piece of information that the client might need.  

Client-server decoupling

In REST API design, client and server applications must be completely independent of each other. The only information that the client application should need is the URI of the requested resource; it can't interact with the server application in any other way. Similarly, a server application shouldn't modify the client application beyond passing it the requested data via HTTP.

Statelessness

REST APIs are stateless, meaning that each request needs to include all the information necessary for processing it. In other words, REST APIs do not require any server-side sessions: the server keeps no conversational state about a client between requests. The server still stores the resources themselves; what it does not store is where a given client is in a sequence of calls. The practical consequence is that every request must carry its own credentials (for example a bearer token) and the server must authenticate and authorize each request independently.

Cacheability

When possible, resources should be cacheable on the client or server side. Server responses also need to contain information about whether caching is allowed for the delivered resource. The goal is to improve performance on the client side, while increasing scalability on the server side.

Layered system architecture

In REST APIs, the calls and responses go through different layers. As a rule of thumb, don't assume that the client and server applications connect directly to each other. There may be a number of different intermediaries in the communication loop, such as proxies, load balancers and API gateways, which can add caching, authentication and rate limiting without either end changing. REST APIs need to be designed so that neither the client nor the server can tell whether it communicates with the end application or an intermediary.

Code on demand (optional)

REST APIs usually send static resources, but in certain cases, responses can also contain executable code (such as Java applets or client-side scripts). In these cases, the code should only run on demand.

How REST APIs work

REST APIs communicate through HTTP requests to perform standard database functions like creating, reading, updating and deleting records (also known as CRUD) within a resource.

For example, a REST API would use a GET request to retrieve a record. A POST request creates a new record. A PUT request replaces a record with the representation supplied by the client (a PATCH request applies a partial update), and a DELETE request deletes one. Any HTTP method can be used in API calls, and GET, PUT and DELETE are expected to be idempotent: repeating the same request leaves the resource in the same state. A well-designed REST API behaves much like a website: any client with basic HTTP support can use it without special tooling.

The state of a resource at any particular instant, or timestamp, is known as the resource representation. This information can be delivered to a client in virtually any format, including JavaScript Object Notation (JSON), XML, HTML or plain text. JSON is popular because it's readable by both humans and machines, and it is programming language-agnostic.

Request headers and parameters also matter in REST API calls because they carry metadata about the request: authorization credentials, the content type and encoding of the representation, caching directives, cookies and more. Well-designed REST APIs use request headers, response headers and the conventional HTTP status codes so that clients and intermediaries can interpret a response without out-of-band knowledge.
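The method-to-operation mapping described above, worked into a small in-memory resource. This is an added example written for this page, not code from IBM or the original article. It assumes a hypothetical /users collection and shows the status codes and headers a client relies on: 201 with a Location header on create, 405 with an Allow header for unsupported methods, 404 for unknown ids, 204 on delete, and an ETag with conditional GET so the cacheability principle from the design-principles section is visible as well. The records are constructed for the example.

```python
import hashlib
import json
import re
from typing import Any, Dict, Optional, Tuple

_ITEM_PATH = re.compile(r"^/users/(?P<id>\d+)$")   # assumed resource layout for this example
Response = Tuple[int, Dict[str, str], Optional[Any]]


class UserResource:
    """Minimal in-memory REST resource: /users and /users/{id}.

    handle() maps an HTTP method and path to a CRUD operation and returns
    (status code, response headers, body), so it can be exercised without a socket.
    """

    def __init__(self) -> None:
        self._users: Dict[int, Dict[str, Any]] = {}
        self._next_id = 1

    @staticmethod
    def _parse(body: Optional[str]) -> Optional[Dict[str, Any]]:
        # Accept only a JSON object; the caller maps None to 400 Bad Request.
        try:
            data = json.loads(body or "")
        except ValueError:
            return None
        return data if isinstance(data, dict) else None

    @staticmethod
    def _etag(rec: Dict[str, Any]) -> str:
        # Weak validator derived from the canonical JSON representation.
        digest = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()[:16]
        return f'W/"{digest}"'

    def handle(self, method: str, path: str, body: Optional[str] = None,
               headers: Optional[Dict[str, str]] = None) -> Response:
        headers = headers or {}
        if path == "/users":
            if method == "GET":
                return 200, {"Cache-Control": "private, max-age=60"}, list(map(dict, self._users.values()))
            if method == "POST":
                data = self._parse(body)
                if data is None:
                    return 400, {}, {"error": "body must be a JSON object"}
                uid, self._next_id = self._next_id, self._next_id + 1
                # The server assigns the id; a client-supplied "id" is overridden (no mass assignment).
                rec = {**data, "id": uid}
                self._users[uid] = rec
                return 201, {"Location": f"/users/{uid}"}, dict(rec)
            return 405, {"Allow": "GET, POST"}, None

        match = _ITEM_PATH.match(path)
        if not match:
            return 404, {}, None
        uid = int(match.group("id"))
        rec = self._users.get(uid)

        if method == "GET":
            if rec is None:
                return 404, {}, None
            tag = self._etag(rec)
            # Conditional GET: a client revalidates its cached copy with If-None-Match.
            if headers.get("If-None-Match") == tag:
                return 304, {"ETag": tag}, None
            return 200, {"ETag": tag, "Cache-Control": "private, max-age=60"}, dict(rec)
        if method == "PUT":
            if rec is None:
                return 404, {}, None
            data = self._parse(body)
            if data is None:
                return 400, {}, {"error": "body must be a JSON object"}
            # PUT replaces the whole representation; repeating the same PUT is idempotent.
            self._users[uid] = {**data, "id": uid}
            return 200, {"ETag": self._etag(self._users[uid])}, dict(self._users[uid])
        if method == "DELETE":
            if rec is None:
                return 404, {}, None
            del self._users[uid]
            return 204, {}, None
        return 405, {"Allow": "GET, PUT, DELETE"}, None
```

Two details are worth noticing in the body of handle(): the client never gets to choose a record's id, and every response that a cache might store carries the Cache-Control and ETag headers that the cacheability principle requires, so an intermediary can serve a 304 instead of a fresh representation.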

REST API best practices

Although flexibility is a big advantage of REST API design, that same flexibility makes it easy to design an API that’s broken or performs poorly. For this reason, professional developers share best practices in REST API specifications.

The OpenAPI Specification (OAS) establishes an interface for describing an API in a way that allows any developer or application to discover it and fully understand its parameters and capabilities. This information includes available endpoints, allowed operations on each endpoint, operation parameters, authentication methods and more. The latest version, OAS3, is supported by hands-on tooling, such as the OpenAPI Generator, for generating API clients and server stubs in different programming languages.

Securing a REST API also starts with industry best practices. Store passwords only as salted, deliberately slow hashes (bcrypt, scrypt or Argon2), never as reversible encryption or a bare general-purpose hash, and serve the API over HTTPS so that credentials and tokens are not exposed in transit. An authorization framework like OAuth 2.0 lets a user grant a third-party application a limited set of scopes instead of handing over their credentials, which limits what that application can do.

Using a timestamp in the HTTP header, an API can also reject any request that arrives outside an accepted time window, which narrows the window in which a captured request can be replayed; note that the timestamp only helps if it is covered by the request signature or token, otherwise an attacker simply updates it. Parameter validation (rejecting unexpected names, wrong types and out-of-range values) and JSON Web Tokens (checked for signature, expiry and scope on every request) are other ways to ensure that only authorized clients can access the API.
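The checks listed above, worked into one request gate: password hashing with scrypt, an HS256 JSON Web Token that is minted at login and re-verified on every call, a timestamp freshness window, and allowlist-based parameter validation. This is an added example written for this page, not code from IBM or the original article, and it uses only the Python standard library. The signing key, the 5-minute window, the X-Timestamp header name and the query-parameter schema are assumptions made for the example. Because nothing is remembered between calls, the block also shows what the statelessness principle from the design-principles section demands of authentication.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Any, Dict, Optional, Tuple

# Assumptions for this example (not from the page): one HS256 key shared by the
# token issuer and the API, a 5-minute acceptance window, one parameter schema.
SIGNING_KEY = b"demo-signing-key-replace-me"
MAX_SKEW_SECONDS = 300
PARAM_SCHEMA = {                      # name -> (converter, validity predicate)
    "limit": (int, lambda v: 1 <= v <= 100),
    "q": (str, lambda v: len(v) <= 64),
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Password storage: salted, deliberately slow scrypt, never a bare SHA-256.
def hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return f"scrypt${_b64url(salt)}${_b64url(digest)}"


def verify_password(password: str, stored: str) -> bool:
    _, salt, digest = stored.split("$")
    candidate = hashlib.scrypt(password.encode(), salt=_unb64url(salt), n=2 ** 14, r=8, p=1)
    return hmac.compare_digest(candidate, _unb64url(digest))   # constant-time compare


# Tokens: an HS256 JWT issued after login and re-verified on every request,
# which is what a stateless server uses instead of a session table.
def mint_token(subject: str, scope: str, ttl: int, now: int) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": subject, "scope": scope, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: int) -> Optional[Dict[str, Any]]:
    try:
        header, payload, sig = token.split(".")
        # Pin the algorithm server-side; never let the token's own header choose it.
        if json.loads(_unb64url(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(payload))
    except (ValueError, AttributeError):
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def authorize_request(headers: Dict[str, str], params: Dict[str, str],
                      required_scope: str, now: int) -> Tuple[bool, str]:
    """Gate one request. Returns (allowed, subject or rejection reason).
    Every check is repeated for every request; nothing is kept between calls."""
    # 1. Freshness: drop requests whose timestamp is outside the window. This only
    #    bounds the acceptance window; stopping replay of a captured request also
    #    needs the timestamp covered by a signature, which this example omits.
    try:
        sent_at = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "missing or malformed X-Timestamp"
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False, "request timestamp outside accepted window"
    # 2. Credentials: bearer token with a valid signature, unexpired, with the right scope.
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing bearer token"
    claims = verify_token(auth[len("Bearer "):], now)
    if claims is None:
        return False, "invalid or expired token"
    if required_scope not in str(claims.get("scope", "")).split():
        return False, "insufficient scope"
    # 3. Parameters: unknown names, wrong types and out-of-range values are rejected.
    for name, value in params.items():
        if name not in PARAM_SCHEMA:
            return False, f"unexpected parameter {name}"
        convert, valid = PARAM_SCHEMA[name]
        try:
            if not valid(convert(value)):
                return False, f"parameter {name} out of range"
        except ValueError:
            return False, f"parameter {name} has wrong type"
    return True, str(claims.get("sub", ""))
```

The order of the checks is deliberate: the cheap timestamp and header-shape checks run before the HMAC, and the scope check happens before any parameter is looked at, so a caller with the wrong scope learns nothing about which parameters the endpoint accepts. hashlib.scrypt requires a Python build whose OpenSSL provides scrypt, which is the case for current mainstream distributions.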
