APIs and Data Exchange Formats
Table of Contents
What Is an API?
An API (Application Programming Interface) is a set of rules, protocols, and tools that allows different software applications to communicate with each other. APIs define the methods and data formats that programs can use to request and exchange information, acting as a contract between a service provider and a service consumer.
Think of an API as a waiter in a restaurant: you (the client) make a request from the menu, the waiter (the API) takes your request to the kitchen (the server), and brings back what you ordered. You do not need to know how the kitchen works — you just need to know how to place the order correctly.
APIs come in several forms: Web APIs (HTTP-based, the most common today), Library/SDK APIs (functions exposed by a code library), Operating System APIs (system calls for file I/O, networking, etc.), and Hardware APIs (interfaces for interacting with physical devices). This article focuses primarily on web APIs, which power the modern internet.
REST Architecture
REST (Representational State Transfer) is an architectural style for designing networked applications, introduced by Roy Fielding in his 2000 doctoral dissertation. RESTful APIs are the dominant style for web APIs due to their simplicity, scalability, and alignment with HTTP.
A RESTful API adheres to these core principles:
- Client-Server: The client and server are separated, allowing them to evolve independently. The client handles the UI; the server handles data storage and business logic.
- Stateless: Each request contains all the information needed to process it. The server does not store client context between requests.
- Cacheable: Responses must explicitly indicate whether they can be cached, improving performance and reducing server load.
- Uniform Interface: Resources are identified by URIs (e.g.,
/api/users/123), manipulated through standard HTTP methods, and represented in standard formats (JSON, XML). - Layered System: The architecture can include intermediaries (load balancers, proxies, gateways) without the client knowing.
Resources in REST are nouns, not verbs. You use /api/users (not /api/getUsers), and the HTTP method determines the action. This uniformity makes REST APIs predictable and self-documenting.
HTTP Methods
HTTP methods (also called verbs) define the type of action to perform on a resource. In REST APIs, each method maps to a specific CRUD (Create, Read, Update, Delete) operation:
| Method | CRUD Operation | Idempotent? | Safe? | Example |
|---|---|---|---|---|
| GET | Read | Yes | Yes | GET /api/users/123 — Retrieve user 123 |
| POST | Create | No | No | POST /api/users — Create a new user |
| PUT | Update (replace) | Yes | No | PUT /api/users/123 — Replace user 123 entirely |
| PATCH | Update (partial) | No | No | PATCH /api/users/123 — Update specific fields |
| DELETE | Delete | Yes | No | DELETE /api/users/123 — Remove user 123 |
| HEAD | Read (headers only) | Yes | Yes | HEAD /api/users/123 — Check if resource exists |
| OPTIONS | Discover | Yes | Yes | OPTIONS /api/users — List allowed methods |
Idempotent means calling the same request multiple times produces the same result as calling it once. Safe means the method does not modify the resource. GET and HEAD are both safe and idempotent, making them ideal for caching and retries.
Request and Response Structure
An HTTP request to a REST API consists of several components:
HTTP Request:
POST /api/users HTTP/1.1
Host: api.example.com
Content-Type: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
Accept: application/json
{
"name": "Alice Smith",
"email": "alice@example.com",
"role": "admin"
}
HTTP Response:
HTTP/1.1 201 Created
Content-Type: application/json
Location: /api/users/123
Cache-Control: no-cache
{
"id": 123,
"name": "Alice Smith",
"email": "alice@example.com",
"role": "admin",
"created_at": "2024-06-15T10:30:00Z"
}
Key components of a request include the method, URL/path, headers (metadata like content type, authentication), optional query parameters (e.g., ?page=2&limit=20), and the request body (for POST, PUT, PATCH). Responses include a status code, headers, and a response body.
HTTP Status Codes
HTTP status codes are three-digit numbers that indicate the result of a request. They are grouped into five categories by their first digit:
| Code | Name | Category | Meaning |
|---|---|---|---|
| 200 | OK | 2xx Success | Request succeeded. Response body contains the result. |
| 201 | Created | 2xx Success | Resource created. Location header usually contains the new URI. |
| 204 | No Content | 2xx Success | Request succeeded but no response body (common for DELETE). |
| 301 | Moved Permanently | 3xx Redirect | Resource has permanently moved to a new URL. |
| 304 | Not Modified | 3xx Redirect | Cached version is still valid (conditional request). |
| 400 | Bad Request | 4xx Client Error | Malformed syntax, invalid data, or missing required fields. |
| 401 | Unauthorized | 4xx Client Error | Authentication required or token is invalid/expired. |
| 403 | Forbidden | 4xx Client Error | Authenticated but lacking permission for this action. |
| 404 | Not Found | 4xx Client Error | Resource does not exist at the specified URI. |
| 405 | Method Not Allowed | 4xx Client Error | HTTP method is not supported for this endpoint. |
| 409 | Conflict | 4xx Client Error | Request conflicts with current state (e.g., duplicate entry). |
| 422 | Unprocessable Entity | 4xx Client Error | Syntax is correct but semantically invalid (validation error). |
| 429 | Too Many Requests | 4xx Client Error | Rate limit exceeded. Retry after the specified time. |
| 500 | Internal Server Error | 5xx Server Error | Unexpected server-side error. The client did nothing wrong. |
| 502 | Bad Gateway | 5xx Server Error | Upstream server returned an invalid response. |
| 503 | Service Unavailable | 5xx Server Error | Server is temporarily overloaded or under maintenance. |
| 504 | Gateway Timeout | 5xx Server Error | Upstream server did not respond in time. |
A well-designed API returns the appropriate status code for every scenario. Avoid returning 200 for everything with an error message in the body — use proper 4xx and 5xx codes so clients can handle errors programmatically.
Data Exchange Formats Compared
While JSON dominates modern APIs, several data formats are in active use. The choice depends on performance requirements, ecosystem support, and use case:
| Format | Type | Size | Parse Speed | Human Readable | Primary Use |
|---|---|---|---|---|---|
| JSON | Text | Medium | Fast | Yes | REST APIs, config files, web apps |
| XML | Text | Large | Moderate | Yes | SOAP APIs, documents, enterprise systems |
| Protocol Buffers | Binary | Small | Very Fast | No | gRPC, high-performance microservices |
| MessagePack | Binary | Small | Very Fast | No | Real-time apps, IoT, gaming |
| YAML | Text | Medium | Slow | Yes | Config files (Docker, Kubernetes, CI/CD) |
| CSV | Text | Small | Fast | Yes | Tabular data, spreadsheets, data exports |
| GraphQL | Text (JSON) | Variable | Fast | Yes | Flexible queries, avoiding over-fetching |
Protocol Buffers (protobuf) are Google's binary serialization format. They require a .proto schema definition file and generate code in multiple languages. Protobuf is significantly smaller and faster than JSON, making it ideal for internal microservice communication where every millisecond counts.
API Authentication Methods
Most APIs require authentication to identify the caller and enforce access control. The most common methods are:
| Method | How It Works | Best For | Security Level |
|---|---|---|---|
| API Key | A unique string passed in a header or query parameter | Simple server-to-server calls | Basic (key can be leaked) |
| OAuth 2.0 | Token-based authorization with access/refresh tokens | User-facing apps, third-party integrations | High (industry standard) |
| JWT (JSON Web Token) | Signed token containing claims, passed in Authorization header | Stateless authentication, microservices | High (when properly implemented) |
| Basic Auth | Base64-encoded username:password in header | Internal tools, simple setups | Low (credentials in every request) |
| mTLS | Mutual TLS — both client and server present certificates | Zero-trust environments, service mesh | Very High |
The Authorization header is the standard way to send credentials: Authorization: Bearer <token> for OAuth/JWT, or Authorization: Basic <base64> for Basic Auth. Never embed API keys in URLs (they appear in server logs) — always use headers.
Rate Limiting and Best Practices
Rate limiting protects APIs from abuse, ensures fair usage, and maintains service stability. When a client exceeds the allowed number of requests, the API returns a 429 Too Many Requests status code.
Common rate limiting strategies:
- Fixed Window: Allow N requests per time window (e.g., 100 requests per minute). Simple but can cause burst traffic at window boundaries.
- Sliding Window: A rolling time window that smooths out traffic spikes. More predictable than fixed window.
- Token Bucket: Tokens are added at a fixed rate; each request consumes a token. Allows controlled bursts while maintaining an average rate.
- Leaky Bucket: Requests are queued and processed at a constant rate, smoothing out bursts entirely.
APIs communicate rate limit status through response headers:
X-RateLimit-Limit: 100 # Maximum requests per window
X-RateLimit-Remaining: 47 # Requests left in current window
X-RateLimit-Reset: 1718459200 # Unix timestamp when the window resets
Retry-After: 30 # Seconds to wait (sent with 429 response)
API design best practices:
- Use plural nouns for resource names (
/users, not/user). - Version your API in the URL (
/api/v1/users) or via header. - Return consistent error formats with a machine-readable error code and human-readable message.
- Support pagination for list endpoints (
?page=1&limit=20). - Use HATEOAS links to guide clients through available actions.
- Document your API with OpenAPI/Swagger specifications.
- Implement proper CORS headers for browser-based clients.
Understanding APIs and data exchange formats is essential for modern development. Whether you are consuming third-party APIs or building your own, following these standards ensures interoperability, security, and a good developer experience. Use our API Tester tool to test HTTP requests and inspect responses.