Application Programming Interface

API - "APIs are mechanisms that enable two software components to communicate with each other using a set of definitions and protocols. For example, the weather bureau’s software system contains daily weather data. The weather app on your phone “talks” to this system via APIs and shows you daily weather updates on your phone." https://aws.amazon.com/what-is/api/

In simple terms - "you tell a program that you don't own to run"

Advantages:

• Use the program - don't write it
• Platform independent
• Upgrade safe

• I - Interface, from where you telling the program to run
• Ex: app
• P - what task that is being done/what does the program do
• example: search, send message, etc.
• A - what software has the program being run
• WhatsApp, WAZE

Web Service - API that uses the internet

XML, JSON format

RES, SOAP, RPC

HTTP Request (and response) contains:

• Start line
• Method
• API Program folder - optional
• Parameters - optional
• HTTP Version
• Header
• Blank line
• Body

	Request	Response
Start Line	Method API Program folder - optional Parameters - optional HTTP Version	HTTP Version Status Code
Headers	General-header: These header fields have general applicability for both request and response messages. Client Request-header: These header fields have applicability only for request messages. Entity-header: These header fields define meta information about the entity-body or, if no body is present, about the resource identified by the request.	Server Response-header: These header fields have applicability only for response messages.
Blank line	Divider b/w headers and body
Body	Contain: image, data, video, etc. See Header field Content-type

 

HTTP Codes

• 1xx - Informational
• 2xx - Success
• 3xx - Redirection
• 4xx - Client Error
• https://www.restapitutorial.com/httpstatuscodes.html

Idempotent - safe to repeat, POST is the only idempotent method

HTTP

• Stateless
• Scalable
• Resilient

XML, JSON - formats of transferring data over HHTP

XML - eXtnesible Markup Language

• HTTP Header line: Content-Type: application/xml
• HTTP Body: XML

HTML vs XML

• Both have tags
• XML is extensible - can add your own tags, tags are used to describe data
• HTML - tags are pre-set, can't add
• XML was created by W3C - https://www.w3.org/XML/
• XSD - XML Schema definition, i.e. can drive your won XML format

JSON - part of Java script that transfers data

• HTTP Header: Content-Type: application/json
• HTTP Body: JSON. Uses key/Value
• Created by Douglas Crockford - https://www.json.org/json-en.html

History:

• 1980 - SUN RPC
• 1998 - XML-RPC
• 1999 - SOAP
• 2000 - REST

SOAP vs REST

• SOAP is a Protocol. REST is an Architectural Style

SOAP - Simple Object Access Protocol

• A way to access a web service using pre-defined rules
• SOAP always uses Web, HTTP

Uses WSDL  - Web Service Description Language (XML)

• Start Line: POST WSDL HTTP Version
• Hader Line: Context-Type: text/xml
• Blank line
• Body: XML envelope formed using WSDL

Created by W3C - thus use of XML

NOTE: Method is never used and is defaulted to POST

REST - REpresentational State Transfer

No rules (unlike SOAP)

• Start Line - Method is used in Start Line, ex:
• GET - Read
• POST - Create
• PUT - Update (delete and replace)
• DELETE - Delete
• This is the key differentiator from SOAP. With SOAP need to follow WSDL, etc.
• Header Line - All
• Blank Line
• Body - JSON, XML, Image, etc.
• Created by Roy Fielding

Stateful vs Stateless

• SOAP can be both stateful and stateless, depending on how it's implemented
• Relies in HTTP for state Handling 
• REST is stateless
• Each message needs to contain all parameters needed for the program to run

	SOAP	REST
Protocol vs. Architectural Style	Protocol - strict set of rules for structuring messages (XML)	Architectural Style - uses web standards and HTTP methods (such as GET, POST, PUT, DELETE) for communication. Does not mandate strict message format like SOAP
Message Format	Typically XML-based, verbose	Formats vary: JSON, XML, HTML, plain text. JSON is the most common
Statefulness	Can be both stateful and stateless. can be both stateful and stateless	Stateless. Each message needs to contain all parameters needed for the program to run
Standards	Has a set of standardized protocols and specifications - WSDL	Does not have a single set of standards. Uses web standards like HTTP, can have various authentication and security mechanisms.
Performance	Messages tend to be larger due to XML formatting resulting  more b/width use	Messages are more lightweight - more efficient in performance
Ease of Use	More complex due to the strict standards and the XML message format; often requires specialized libraries or toolkits	Easier to use and understand; uses simpler data formats like JSON

 Authentication vs. Authorization

Name	Authentication	Authorization	Example
No Auth	N	N	Google search
Basic Auth	Y	N	email acct
Bearer Token	N	Y	Token-based authentication mechanism. Bearer keyword a token - proof of the client's identity and permissions
OAuth (auth on the originating app)	Y	Y	WAZE app - authorize app to use your location only, not photos, etc.
2FA	Y	N

Common Application Types:

• Native
• Built directly on the OS
• Accesses OS APIs
• Fastest performing
• Costly to build
• Web
• Runs within a browser
• Uses HTML - looks like a webpage
• Google, YouTube, Wikipedia
• Least costly
• Hybrid
• 1 - Has both capabilities - w/in a browser or OS calls directly
• 2 - Accesses APIs via middleware

OAuth - Open Authorization

• RFC Note 6749 - https://www.rfc-editor.org/rfc/rfc6749
• Allows 3rd party limited access to a web (HTTPS) service
• Introduces authorization layer - 3rd party gets an access token (not username/pwd)

Protocol Flow

• Client->Resource Owner: Authorization Request
• Resource Owner->Client: Authorization Grant

• Client->Auth Server: Authorization Grant
• Auth Server->Client: Access Token

• Client->Resource Server: Access Token
• Resource Server->Client: Protected Resource 

Authorization Grant Types

• Authorization Code - request authorization from Auth Server (most used)
• Implicit
• Resource Owner
• Client Credentials

Access Token vs Refresh Token

• Refresh Token is used to acquire a new Access Token

Client Registration

• See https://www.rfc-editor.org/rfc/rfc6749#section-2

Authorization Code Grant

• See https://www.rfc-editor.org/rfc/rfc6749#section-4.1

 

OpenID Connect

• A way for the client to obtain info about the Resource Owner
• Not part of RFC Note 6749

Protocol Flow

• Client->Resource Owner: Authorization Request
• Resource Owner->Client: Authorization Grant

• Client->Auth Server: Authorization Grant
• Auth Server->Client: Access Token + ID Token

• Client->Resource Server: Access Token + ID Token
• Resource Server->Client: Protected Resource

ID Token is usually JWT. See https://jwt.io/

Other Authentication Methods

• Basic - Username/pwd (encrypted, base 64) over the internet; security concern
• Digest - using a digest; need secret key to decode the digest; can be sent over HTTP
• Bearer Token - using an API using a token; token needs to be kept secured; need to use HTTPS; see RFC 6750 and https://httpbin.org/; https://pipedream.com/requestbin

Experiment

• https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html
• Export Swagger file and import into Postman

Web Hooks

• Reverse API - an API event that results in an event directed into Owner/Client. Ex: suspicious logon - security SMS sent