Depending on how you categorize them, APIs come in several different types, each with its own scope, benefits, and target audience. This makes them uniquely suited for different purposes.
API stands for Application Programming Interface. An API includes a collection of actions (or requests and responses) that developers can use. It also explains its functions, such as a “Save as” feature. Additionally, the API provides the necessary information for developers to structure these requests and responses properly.
It sounds complicated, but breaking all of it down can help. So, what are the different types of APIs available? Let’s take a look at how they differ.
Four Types of APIs by Audience
APIs come in various forms, giving developers the flexibility to choose the type that best suits their needs. One common way to categorize them is by their intended audience, which results in three primary categories: Open APIs, Partner APIs, and Internal APIs. Additionally, there is a bonus category, Composite APIs, which doesn’t neatly fit into any of these groups.
However, this isn’t the only way to categorize APIs. They can also be sorted by business use, industry vertical, technical type, or protocol/style (such as SOAP, REST, Async, GraphQL, etc.). Let’s start by looking at the types of APIs by audience.
YouTube link: https://youtu.be/DSHRDCQ8Vpw
Public APIs
Public APIs, also known as external or open APIs, are available to developers and other users with minimal restrictions. They may require registration, an API Key, or OAuth.
Some Public APIs are completely open. It’s important to note that while the terms “public” and “open” are often used interchangeably, not all public APIs are open. Furthermore, “Open API” and “OpenAPI” are distinct concepts.
When categorized by intended audience, public APIs are designed for external users to access data or services.
Public API Examples and Use Cases
The field of science often showcases a lot of free, open exchange of information via APIs. For instance, NASA’s open API portal allows developers to subscribe to its data, such as the popular Astronomy Picture of the Day API. Another API provides access to NASA technology project data in a machine-readable format.
Many contact tracing efforts during the Covid-19 pandemic also leveraged public APIs. Additionally, one country in the Asia Pacific uses APIs to enable fast, secure data-sharing, exemplifying how a single platform can support a mix of public, private (or internal/external), and partner APIs:
“The new data-sharing platform supports multiple data-sharing scenarios, including teams inside and outside the government. By opening up data to citizens and civic organizations through a public-facing API portal, the organization is leading the way in engaging and involving citizens in decision-making processes. Each use case has its own governance and security framework based on the audience and the type of data being shared.
For example, an API that enables data-sharing between multiple government agencies will have significantly more stringent and complex governance and security requirements than an API used by only one team in a single government department.”
Which leads us to the next type of API…
How Do Internal APIs Work?
Internal APIs, also known as private APIs, are concealed from external users and are only accessible by internal systems. These APIs are intended for use within the company, facilitating better productivity and reuse of services across internal development teams.
Nowadays, nearly every enterprise utilizes internal APIs. Many start by building an API on top of an internal database. A robust governance process includes exposing these APIs to an internal API developer portal connected to the internal IAM systems to authenticate and grant users access to the appropriate APIs.
The distinction between internal/external and private/public APIs can pose security challenges. This is why adopting a zero-trust approach—treating all APIs as if they could be exposed—is a more robust strategy for API security.
”Arun Dorairajan, Senior Solution Architect at Axway, notes that internal APIs tend to have a greater chance of being misconfigured inappropriately by internal teams. Threat defense cannot be limited to the enterprise’s perimeter: treat even internal APIs as if they were exposed externally, using rate limiting, throttling, and other methods to monitor their use.”
Beyond the security implications, this approach will also prepare your enterprise for the eventual external exposure of your APIs when it’s time to participate in a broader ecosystem.
Examples of Internal/Private APIs
Jeff Bezos set a precedent at Amazon with the API mandate, requiring that all capabilities be designed and exposed as APIs. Following this model, internal APIs enable different parts of an enterprise’s system to communicate and share data securely. Examples include:
- User Authentication APIs: These handle user logins and verify user identities within the company’s ecosystem, ensuring that only authorized personnel can access specific resources or perform certain actions.
- Data Retrieval APIs: These collect data from various databases or internal systems upon request. Similar to a librarian fetching specific books, these APIs pull the right data when needed, making it accessible for analysis or use in other applications.
- Workflow Automation APIs: These handle repetitive tasks or processes within the company’s workflow, such as automatically generating reports, scheduling tasks, or triggering actions based on certain conditions.
- Notification/Alerting APIs: These deliver real-time updates on system status, user actions, or other important events based on predefined triggers, keeping everyone informed.
For example, Robert W. Baird & Co., a Wisconsin-based investment bank and financial services company, uses APIs to provide ready access to their underlying data, delivering analytical insights to their customers.
“By improving the efficiency and effectiveness of our API development and management process, we’re cutting the time it takes from ideation to service deployment — helping us to bring value-added services to our customers faster than ever,” explains Jim Cornelius, Vice President, Solution Architect at Robert W. Baird & Co.
What Are Partner APIs?
Partner APIs are APIs exposed to strategic business partners. They are not publicly available and require specific entitlements to access. Unlike open APIs, partner APIs are more visible and are used to communicate beyond the company’s boundaries.
These APIs are typically exposed on a public API developer portal that developers can access in self-service mode. While open/public APIs are completely open, accessing partner APIs involves an onboarding process with a specific validation workflow.
Examples of Partner APIs
Partner APIs encompass a wide range of services, such as identity verification, payment processing, and data syndication integration. For instance, an e-commerce platform might provide an API for partners to embed product listings or checkout functionality directly into their websites or applications.
Healthcare Partner APIs
Fast Healthcare Interoperability Resources (FHIR®) APIs are a prime example of partner APIs. FHIR® is a modern standard for exchanging healthcare information electronically. Managing patient care involves a complex network of providers, payers, insurers, and more.
One U.S. health insurance company publishes FHIR® APIs via an open portal. Developers can use self-service to automatically register user accounts and healthcare apps, enabling the company to provide secure access to member data without increasing the workload for its lean IT team.
“If an app requests all non-pharmacy-related claims for one of our members, gathering that data requires complex integrations with multiple external systems, each with their own OAuth implementations and client-side encryption keys,” explains a spokesperson.
Using an API platform, the insurer makes this integration logic transparent to its IT team, and leverages and access management capabilities for the new open API platform via the cloud.
Partner APIs in Logistics and Supply Chain Management
APL Logistics, a globally recognized leader in logistics and supply chain management based in Singapore, utilizes APIs to streamline the movement of goods and services worldwide for its customers.
In a recent keynote, Hakan Yaren, CIO at APL Logistics, explained how this technology simplifies complex partnerships, enhancing efficiency and collaboration.
“Our biggest success comes from our ability to shake hands with other providers,” explains Yaren. “In any given scenario, our customers will have hundreds of carriers, they’ll have suppliers, their factories, their customers… As a logistics provider, if we can connect the dots faster for them, that means revenue for both us and our customers.”
Connecting with Partners via APIs in the Open Banking Ecosystem
Open banking APIs are a prime example of how third-party software providers and banks can collaborate to create new, customer-centric financial applications and services.
With open banking partner APIs, banks can harness the customer experience capabilities of emerging fintech startups. For instance, they might use a fintech’s partner API to integrate new services into their own customer-facing apps.
In the following video, Commerzbank’s Katharina Haack explains how the German bank transformed its operations with APIs, achieving a milestone of 1 billion calls per month and unlocking new possibilities for business growth.
YouTube Link: https://youtu.be/2gFX9D2oLMw
Why You Might Need a Composite API
Composite APIs combine multiple data or service APIs, allowing developers to access several endpoints with a single call. They are built using the API orchestration capabilities of an API creation tool.
These APIs are particularly useful in a microservices architecture, where information from multiple services is needed to perform a single task.
Data and Service APIs
Beyond the categories of internal, partner, and open/external APIs, there are additional ways to classify APIs:
- Data APIs: Provide CRUD access to underlying data sets from various databases or SaaS cloud providers. These APIs are essential for accessing fundamental data from SaaS applications, using SaaS connectors or internal data stores. An example is legacy portals where login and password are saved in the web.config file.
- Internal Service APIs: Expose internal services, reflecting parts of internal processes or complex actions.
- External Service APIs: Third-party services that can be embedded into the company’s existing services to add value.
- User Experience APIs: Leverage composite APIs to help app developers deliver the right experience for each device type (desktop, mobile, tablet, VPA, IoT).
As you can see, there are many options available, and we’ll undoubtedly see more in the future.
Consider the explosion of artificial intelligence APIs in 2023: Treblle’s Anatomy of an API report recently found that AI APIs experienced a remarkable 96% growth compared to 2022, and this trend is unlikely to slow down soon.
Axway Catalyst Emmanuel Methivier predicts that the battle for generative and conversational AI will be won on the API front.
“2024 will probably see the emergence of a new approach to interaction between information systems, thanks to the arrival of a new consumer: the AI-powered assistant. The progress and democratization of generative AI tools will create new uses.‘’
Different Patterns and Styles: API Protocols
A protocol defines rules for API calls, specifying the accepted data types and commands. Let’s explore the significant protocol types for APIs:
YouTube Link: https://youtu.be/B8pY1xyWseg
REST API
REST (Representational State Transfer) is a widely-used web services API. Essential for modern web applications like Netflix, Uber, and Amazon, a RESTful API must adhere to the following principles:
- Stateless: REST APIs are stateless, following a Client-Server Architecture.
- Uniform Interface: Communication between client and server occurs via HTTP using URIs, CRUD operations, and JSON conventions.
- Client-Server: The client and server operate independently, with changes on one not affecting the other.
- Cache: Clients should cache responses to improve user experience by making them faster and more efficient.
- Layered: REST APIs support a layered architecture, with loosely coupled layers that allow for encapsulation.
REST APIs leverage the standards powering the World Wide Web and are simpler than traditional SOAP-based web services, facilitating a loosely coupled, maintainable, and updatable architecture.
SOAP API
SOAP (Simple Object Access Protocol) is a well-established protocol, similar to REST as a type of Web API. Developed in the late 1990s, SOAP standardized how applications use network connections to manage services. However, its strict rules and heavy standards make it resource-intensive. Today, most developers prefer REST over SOAP for new projects, except in certain on-premises scenarios.
RPC API
RPC (Remote Procedure Call) is one of the oldest and simplest API types, enabling the client to execute code on a server. XML-RPC and JSON-RPC use XML and JSON, respectively, for encoding calls. Although similar to REST, RPC APIs are tightly coupled, making them difficult to maintain or update. Changes require understanding the documentation of various RPCs to determine their impact.
gRPC API
gRPC APIs are based on RPC technology but use HTTP/2 for better performance, supporting features like bidirectional streaming and multiplexing. They leverage Protocol Buffers (Protobuf) for compact and efficient binary data serialization, reducing bandwidth usage. gRPC supports multiple programming languages, making it ideal for building distributed systems and microservices architectures.
GraphQL API
GraphQL is a query language that allows clients to interact with data stored on a server or database flexibly. Unlike REST APIs with predefined endpoints, GraphQL lets clients request precisely the data they need in a single query. This reduces over-fetching and under-fetching issues. GraphQL is well-suited for applications with complex data requirements, like social networks and e-commerce platforms. However, it’s essential to implement proper access control to prevent unauthorized data access.
Event-Driven APIs (Asynchronous APIs)
Event-driven or asynchronous APIs transmit information in near real-time, making them suitable for scenarios like stock market trackers and IoT devices. Unlike REST architecture, which requires constant requests, event-driven architecture (EDA) allows sources to send responses only when information is new or has changed. Common patterns include Webhooks, Websockets, and streaming.
APIs: Digital Building Blocks for Your Business
APIs are critical for modern digital solutions, enabling companies to build new products and services quickly by recombining existing APIs. They provide a flexible foundation for innovation without requiring extensive code changes, serving as gateways between systems to enhance digital experiences.
In a recent demo of Axway’s Amplify Platform, Arun Dorairajan, Senior Solution Architect at Axway, demonstrated the importance of universal API management. This approach allows teams to work with all types of APIs, regardless of pattern, style, deployment, or vendor gateway.
YouTube Link: https://youtu.be/iooav-0mDhY
APIs enable seamless integration of new applications with existing software, fostering innovation and expanding digital experiences for clients. With the right business vision, APIs can drive extraordinary results.
About DT Asia
DT Asia began in 2007 with a clear mission to build the market entry for various pioneering IT security solutions from the US, Europe and Israel.
Today, DT Asia is a regional, value-added distributor of cybersecurity solutions providing cutting-edge technologies to key government organisations and top private sector clients including global banks and Fortune 500 companies. We have offices and partners around the Asia Pacific to better understand the markets and deliver localised solutions.
How we help
If you need to know more about types of APIs, you’re in the right place, we’re here to help! DTA is Axway’s distributor, especially in Singapore and Asia, our technicians have deep experience on the product and relevant technologies you can always trust, we provide this product’s turnkey solutions, including consultation, deployment, and maintenance service.
