Introducing the API Security Workshop Learn More  

What is an API Call? 

Property 1=What is an API call

Application programming interfaces (APIs) are a set of rules and protocols that allow software programs to communicate with each other. APIs are especially useful when writing programs that need to access data from another program, such as a mobile app that needs access to the data stored by a database or web app. So, with that in mind, an API call is a request made by one program to another for access to its functionality or data.

What types of API Calls are most common?

The most common types of APIs are REST APIs which use HTTP-based API call methods. The most common methods are GET,POST, PUT, DELETE, and BATCH. We’ll cover those below. But keep in mind that there are other types of APIs including SOAP, GraphQL, XML, FORMS, and more.

GET/POST Calls: Normally used for retrieving records to the calling application from an access point provided by the API provider. These calls retrieve or update/create a record and return a status code along with a response header and body which contains the payload. GET/POST calls can be used to get data from the internet and/or change what is displayed on a website; for example, you may have a messaging app that lets you search for a friend's location based on the city they live in and then click on the friend's profile picture to see where they are located on a map. In this case the "GET" call would be used for searching for that friend and the API would return their city name and the country they are located in in the response payload. GET calls can also be used by applications to do things like check your account balance, pay bills online, or get updates on the weather in your local area. 

PUT/DELETE Calls: These methods are used for updating or deleting records using the API. The request must contain the appropriate HTTP headers (usually authentication, at a minimum)  as well as the body of the request that contains the necessary information for the update or deletion to occur. Similar to GET/POST calls, these also return a status code and potentially a body with the response payload. PUT/DELETE calls are also sometimes called "application-to-application" (A2A) or "self-service" calls because they allow one application to communicate with another. For example, say you are using the Pinterest app on your phone and you want to create a board for your favorite recipes. Clicking to create the board would cause your Pinterest mobile app to make a  PUT call to POST the board to Pinterest's API. Or say you are watching a video on YouTube and you tap the screen to pause the video. The platform might send a GET call to check your channel subscriptions to see what other videos you might like to watch next. 

BATCH Calls: These are used for submitting multiple requests at once to an API endpoint. Each BATCH must consist of a valid header as well as an array of body data. Batches may be repeated several times to gather more data over a period of time. Batch calls are great for issuing multiple requests in one go. They are useful for things like uploading large volumes of data or taking many actions in a short period of time. For instance, a developer might set up an automated job that runs every hour to fetch new content from a website or add new products to an online store using a BATCH call. If you want to issue multiple requests at once, a batch call, which is similar to the GET/POST calls mentioned previously, is most efficient.


How to protect API Calls

Protecting API calls can be tricky because a lot of popular websites and apps have millions of users accessing them simultaneously, so it's easy to get confused with where requests are coming from. Furthermore, there are so many new threats created every day that it's tough to keep up with them all. However, there are a few things you can do to make sure your API calls are safe and secure. 

Developers will use APIs to cross connect microservices and applications in order to exchange data. The first thing an organization can do to make this process more secure is have an accurate inventory of the APIs available to the development teams. Oftentimes a duplicate API will be created because the existing one is unknown to the development team. This unnecessarily increases the attack surface of the organization. Another common threat is excessive data exposure, where developers keep adding new data types to a single API, in an attempt to re-use existing tooling. The risk here is that all data types for a given record may be exposed by the API, even if they are not needed for by the requesting client. This data could be harvested by an attacker. Finally, business logic should be built into the API code to make sure it cannot be abused. 

Sounds like quite a feat, yea? Well luckily for you, Noname can help resolve all of these issues. And not just for REST APIs. We protect a myriad of API types including SOAP, GraphQL, XML, FORMS, gRPC, and more. You can learn more about how we inventory and secure your API estate here.