What is an API? A Deep Dive into Application Programming Interfaces

In an era where everything is interconnected, almost no application operates in "isolation." Behind actions that seem incredibly simple – booking a ride, online payments, logging in with Google/Facebook - is an entire network of software systems silently communicating with each other. The "common language" that facilitates this communication is the API. This article will explain what an API is through everyday examples and real-world JSON samples, helping you clearly understand how software talks to each other.

Key Takeaways

Core Concept: Understand that an API acts as a secure intermediary protocol for independent software systems to communicate and exchange data.
Technical Structure: Master the 4 essential components of an API Request (Endpoint, Method, Headers, Payload) and common Response formats (JSON, HTTP Status Codes) to build accurate systems.
Diverse API Architectures: Distinguish between the advantages of REST (Stateless, scalable), GraphQL (Optimized data querying), and WebSocket (Real-time, low latency) to choose the right solution for practical problems.
System Security: Gain a deep awareness of separating Authentication (AuthN) and Authorization (AuthZ), while seriously implementing Rate Limiting and strictly avoiding "hardcoding" API Keys to prevent cyber attacks.
APIs in the AI Era: Understand how to integrate LLMs (OpenAI, Anthropic, DeepSeek) via APIs, along with major challenges like multi-provider management, token cost control, and context data security.
FAQ Resolution: Quickly grasp fundamental concepts such as the difference between API and UI, the importance of API Endpoints, and centralized security strategies through an API Gateway.

What is an API?

Definition

API (Application Programming Interface) is a set of rules and protocols that allow two independent software applications to communicate and exchange data securely. Instead of building every feature from scratch, developers use APIs to "borrow" data or functionality from another system.

Example

To visualize this architecture, imagine you are dining at a restaurant:

Client (Customer): That’s you. You know what you want to eat (send a request), but you don't cook it yourself.
Server/Database (Kitchen): The place where ingredients are stored and the preparation process happens (data processing). The kitchen is separate from the dining area.
API (Waiter): Standing in the middle, taking your order, bringing it to the kitchen, and then returning the finished dish to you.

BlockNote image

API Client-Server operational model diagram

Technical Perspective

Unlike a UI (User Interface) where humans interact directly, an API is a Machine-to-Machine bridge.

Example: When you shop on Shopee and choose to pay with MoMo, Shopee's source code does not contain MoMo's core banking logic. Instead, Shopee's server calls an API to send the amount and order ID to MoMo's server. MoMo processes the transaction and responds with the result to Shopee through a pre-agreed structure. These two platforms are written in two different programming languages but still understand each other thanks to the API communication contract.

Client - Server Communication Flow with API

Structure of a Request

For the system to understand the requirement, an outgoing API Request must have a standard structure. A standard call includes 4 main components:

Endpoint (Path): The URL destination where the API listens for requests (e.g., https://api.weather.com/v1/hanoi).
HTTP Method (Action Method): Specifies the type of operation (CRUD) that the Client wants the Server to perform:

1. GET (Read): Retrieve data.

2. POST (Create): Send new data to the system.

3. PUT (Update): Update existing data entirely.

4. DELETE (Delete): Remove data.

Headers (Metadata): Contains information about the data format (such as Content-Type: application/json) or authentication keys.
Body / Payload (Carried Data): Detailed information that the Client wants to send to the Server (usually used in POST/PUT commands).

Returned Data (Response)

BlockNote image

Example JSON response from an API request

When the Server finishes processing, it returns a Response. The most popular format today is JSON (JavaScript Object Notation) - lightweight and easy to read for both machines and humans.

{
  "status": "success",
  "data": {
    "city": "Hanoi",
    "temperature": 28,
    "humidity": 75,
    "condition": "Cloudy"
  },
  "message": "Weather data retrieved successfully."
}

Accompanying the data block above is always an HTTP Status Code to report the system status:

200 OK: Request successful, data has been returned.
404 Not Found: Endpoint or requested resource not found.
500 Internal Server Error: Error originating from the server side (Server crash or logic code error).

Classification of Popular API Architectures Today

REST API Architecture

REST (Representational State Transfer) is the most popular architecture on the web today. The core characteristic of REST is Statelessness. This means the server does not store any Client session data between requests.

Each request carries enough independent information for the Server to process it, making the system easily scalable when traffic spikes.

GraphQL Architecture

Although REST is very powerful, it suffers from Over-fetching (loading excessive data). When you only need to get a user's "name," a REST API might return their "age, address, transaction history" as well. GraphQL was created to solve this problem, allowing the Client to query exactly the data fields they need through a single Endpoint.

WebSocket Architecture

WebSocket provides continuous two-way communication between Client and Server, which is extremely suitable for applications requiring low latency. Instead of creating a completely separate HTTP request every time new data is needed, WebSocket establishes a single, long-lived connection and keeps it “open” for both sides to send and receive data at any time.

This significantly reduces HTTP overhead (repeated headers, connection handshakes) and allows the server to actively “push” data to the client as soon as there is a change, rather than waiting for the client to ask. Thanks to this, use cases like real-time chat, notifications, stock tickers, and monitoring dashboards can update almost instantly without burning too many system resources.

Criteria	REST API	GraphQL	WebSocket
Protocol	HTTP	HTTP	TCP/WebSocket Protocol
Data Flow	One-way (Request-Response)	One-way (Flexible Querying)	Two-way (Real-time)
Return Format	Fixed by Endpoint	Custom based on Client query	Continuous via Stream
Real-world Use-case	E-commerce, CMS	Complex Social Networks	Chat Apps, Stock Tickers

API Security: Lessons for Every Developer

Authentication and Authorization

These are two concepts often confused by developers, yet they are the life-or-death barriers of system architecture:

Authentication (AuthN - Who are you?): The process of verifying the identity of the request sender via API Keys or the JWT (JSON Web Tokens) security standard.
Authorization (AuthZ - What can you do?): The process of checking whether that user has permission to access a specific Endpoint (e.g., a regular User cannot call a DELETE command to wipe the database).

Note: Absolutely do not hardcode API Keys into the source code and commit them to public repositories like GitHub. Automated scan bots can scrape your Key within seconds, leading to system takeover or exhausting the business's Cloud budget.

Traffic Management (Rate Limiting)

If an API is unprotected, it can easily become a target for DDoS attacks. System architects often place an API Gateway in front to handle Rate Limiting and Throttling.

Example*: *Restricting a maximum of 100 requests/minute per IP. This not only protects the server from crashing but also prevents the risk of massive Cloud bills at the end of the month due to request spamming.

API in the AI Era: How LLMs “Communicate”

The current explosion of GenAI (Generative AI) primarily operates around LLM APIs (Large Language Model APIs). Instead of investing in expensive local GPU systems, businesses call APIs from OpenAI, Anthropic, or DeepSeek. This solution saves tens of thousands of dollars in hardware costs and scales easily.

However, the problem of integrating AI via API introduces 3 major challenges for engineers:

Multi-provider Management: Each LLM has a different API standard and Rate Limit, requiring an Orchestration layer in the middle.
Token Costs: Without designing a good caching flow, continuous API calls will consume large amounts of money paid for input/output Tokens.
Data Security: The risk of leaking Context Data (internal conversation context) when sending raw company information via public APIs is significant.

BlockNote image

API in the AI Era

Frequently Asked Questions about API

What is an API in the software field?

API (Application Programming Interface) is a set of protocols and rules that allow software applications to "communicate" and exchange data with each other without needing to know the internal structure details of each system.

How is an API different from a UI (User Interface)?

A UI is the interface for humans to interact with computers (like buttons, screens), while an API is the interface for computer programs to interact with each other, helping automate system data transmission.

Why use APIs in application development?

APIs help developers save time by leveraging existing services (like maps, payments), while ensuring security and data control through defined connection points (endpoints).

What are the main differences between REST, GraphQL, and WebSocket?

REST uses stateless HTTP for discrete requests; GraphQL optimizes data by allowing the client to query exactly what is needed; WebSocket supports real-time two-way connections for continuous interactive applications.

Why should you not put API Keys directly in the source code?

Exposing API Keys in the source code (hardcoding) on public platforms like GitHub makes the system vulnerable to attacks, leading to data loss and unintended Cloud costs due to malicious actors gaining access.

How to ensure safety when calling multiple LLM APIs simultaneously?

For security, businesses should use an API Gateway as an intermediary to manage authentication, implement Rate Limiting, and centrally encrypt API Keys (using standards like AES-256-GCM) before sending requests to AI providers.

What is an API Endpoint and why is it important?

An API Endpoint is a specific "address" on the server where the API receives requests and returns data. This is the most critical component for establishing security barriers, monitoring performance, and managing access permissions for users.

Read more:

In summary, APIs are the backbone of the modern Internet, connecting independent systems into a seamless whole. Understanding the Request/Response mechanism, mastering HTTP statuses, and designing standard REST/WebSocket architectures helps engineers build flexible, high-speed software.