Examine APIs and Web Services
Learning Objectives
After completing this unit, you’ll be able to:
- Define APIs and web services and explain their differences.
- Describe common HTTP methods (GET, POST, DELETE, PATCH, PUT) and their purposes.
- Identify the characteristics of secure and unsecured APIs.
APIs and Web Services: How Do They Relate?
APIs and web services play a central role in IT integration strategies. They help organizations address the growing demands for connectivity, speed, and flexibility in an era of rapid digital disruption. In earlier units, you learned how APIs connect systems to share data, and how API-led connectivity organizes these APIs into reusable layers. Now, take a closer look at APIs and web services themselves, their differences, and how they work together to build scalable, secure integrations.
What Is a Web Service?
A web service is a specific type of API that uses standardized communication protocols, such as HTTP or SOAP, to exchange data over the internet. Web services are particularly useful for enabling applications written in different programming languages or running on different platforms to work together. For example, a web service might allow a legacy airline booking system to exchange data with a modern passenger notification app.
While all web services are APIs, not all APIs are web services. Web services rely exclusively on web protocols, whereas APIs can use a broader range of protocols and architectures.
Comparing APIs and Web Services
API |
Web Service |
|
|---|---|---|
Definition |
A set of rules defining how software components communicate. |
A specific type of API that enables communication between systems over a network. |
Communication |
Can use various protocols such as HTTP, TCP/IP, WebSockets, JMS, and more. |
Typically uses web-based protocols like HTTP, but some web services (e.g., SOAP) can also operate over other protocols such as JMS, FTP, and SMTP. |
Flexibility |
Broader; not limited to network-based interactions (e.g., local system APIs, OS-level APIs). |
Limited to network-based interactions, typically over the web (e.g., HTTP, SOAP). |
Examples |
REST APIs, library APIs, database APIs. |
SOAP web services, RESTful web services, XML-RPC services. |
API or Web Service for MUA?
Suppose MUA needs to exchange flight schedules with its airline partners. If the systems use SOAP web services, the data exchange would rely on strict protocols for encoding and communicating requests. REST APIs, on the other hand, might offer simpler and faster communication for retrieving the same flight schedule data.
HTTP Methods: The Building Blocks of APIs
APIs often use HTTP methods to perform specific actions. These methods define how a client interacts with a resource:
-
GET: Retrieve data.
-
POST: Create a new resource.
-
PUT: Update an existing resource.
-
PATCH: Update part of a resource.
-
DELETE: Remove a resource.
Imagine an endpoint like https://api.muleunited.com/flights -
-
GET:
https://api.muleunited.com/flightsretrieves a list of flights.
-
POST:
https://api.muleunited.com/flightscreates a new flight entry in the system.
-
PUT:
https://api.muleunited.com/flights/123updates details for the flight with ID 123.
-
PATCH:
https://api.muleunited.com/flights/123updates only part of the flight information, such as the gate number or departure time.
-
DELETE:
https://api.muleunited.com/flights/123removes the flight with ID 123.
By combining methods and endpoints, APIs provide flexible, predictable communication for developers.
Secure versus Unsecured APIs
APIs can either be secure or unsecured, depending on how they handle authentication, authorization, and encryption.
-
Secure APIs: Protect sensitive information, such as passenger details or payment data. Mule United Airport, for instance, uses OAuth 2.0 to ensure that only authorized staff can update flight schedules or send notifications.
-
Unsecured APIs: Suitable for non-sensitive operations, such as sharing public information like airport maps or weather updates.
Using an unsecured API for sensitive data can lead to breaches, compromising passenger privacy and business operations. Here’s how to safeguard APIs.
-
Authentication: Require users to verify their identity with tokens, keys, or credentials.
-
Authorization: Limit access based on user roles and permissions.
-
Encryption: Use HTTPS to protect data as it travels between systems.
Secure Mule United Airport’s Integrations
At MUA, Systems Architect Alex faced the challenge of integrating APIs for a new passenger notification system. The goal was to ensure passengers received real-time updates on flight schedules, gate changes, and other critical information, while maintaining high security and reliability.
Choose APIs Over Web Services
Alex’s first task was to decide whether to use APIs or web services to access flight data. By reviewing the systems in place, Alex discovered that most data sources exposed REST APIs, which offered greater flexibility, scalability, and performance compared to SOAP-based web services. REST APIs were also easier to implement with MUA’s existing infrastructure, making them the clear choice for this project.
Use HTTP Methods for Core Operations
Once the decision was made, Alex examined the API endpoints and HTTP methods required for the notification system. Each method was assigned to a specific operation:
-
GET was used to retrieve real-time flight schedules and passenger information.
-
POST enabled staff to send emergency notifications, such as delays or cancellations, directly to passengers.
-
PUT allowed the system to dynamically update the entire notification record.
-
PATCH was used to make partial updates, such as changing only a gate number or departure time without altering the full record.
-
DELETE was used to remove notifications that were no longer active or applicable.
These methods, combined with well-defined endpoints, ensured efficient and predictable interactions between the notification system and the underlying data sources.
Implement Secure API Practices
Security was a priority for Alex. Without robust safeguards, the system could be vulnerable to unauthorized access or data breaches. To mitigate these risks, Alex implemented several key measures.
-
OAuth 2.0 Authentication: This protocol ensured that users logged in with secure tokens before accessing sensitive information, limiting access to authorized personnel.
-
HTTPS Encryption: All API communications were encrypted in transit, protecting passenger data from interception or tampering.
-
Role-Based Authorization: API endpoints were configured to enforce role-based permissions, ensuring that staff only accessed data relevant to their responsibilities.
-
Error Handling and Logging: Alex also set up error responses and detailed logs for debugging and monitoring, providing visibility into API usage and potential issues.
The Result
With the integrations complete, MUA successfully launched a reliable, secure passenger notification system. Passengers received timely updates on gate changes and delays, reducing uncertainty and improving their overall travel experience. Airport staff benefited from streamlined workflows, allowing them to focus on delivering exceptional service.
By leveraging secure REST APIs and implementing best practices, Alex ensured that MUA’s new system met the demands of both passengers and regulatory standards, solidifying the airport’s commitment to efficiency and innovation.
Now that you know the key differences between APIs and web services, the role of HTTP methods, and how to secure integrations, you’re ready to put this knowledge into practice. In the next unit, you learn how to perform API calls, and how to send requests, interpret responses, and interact directly with APIs using tools like Postman.