
Published: 05 August 2024
Contributors: Dan Nosowitz, Michael Goodwin

What is an API endpoint?

An API endpoint is a digital location where an application programming interface (API) receives API calls, also known as API requests, for resources on its server. API endpoints are components of APIs and are most often in the form of URLs, or uniform resource locators.

An API is an intermediary that enables software applications to communicate with each other to exchange data, features and functionality. It’s a set of protocols and rules that define how an API client—the software making a request—can communicate with a server to access data and functions. By using an API, developers can take advantage of already-existing data and services, and application owners can share or market those same data and services.

Endpoints function a little like phone numbers: just as a user dials a phone number to reach a certain person or business, API clients (the software making an API call) provide an endpoint URL to reach a specific resource. An endpoint URL provides the location of a resource on an API server and helps connect the API client with the resource it is requesting. It essentially tells the server, “the resource that I need is located here.”

API endpoints can enable an API client to request all kinds of data from an API, with use cases ranging from real-time updates from social media software applications to functionalities such as audio or video embedding, retrieving news stories or creating a new post.  


Why are API endpoints important?

Properly formatted and secure API endpoints are a crucial part of how APIs work. APIs simplify the design and development of new applications and services (because they enable developers to build off existing capabilities and services) and the integration and management of existing ones. They also offer significant benefits to developers and organizations at large including improved collaboration, accelerated innovation, increased agility, scalability, security and more. API endpoints enable the resource exchange that makes such integration possible.

For APIs to work as they should, API endpoints must be precise, intuitive, discoverable and authenticated, or else communication between client and server can break down—taking functionality and user satisfaction with it.  Simply put, API endpoints enable API clients to successfully locate and access requested resources and functions.

How do API endpoints work? 

API endpoints are usually found in an API’s documentation, which is where developers put API information such as what type of requests an API will accept and how requests should be formatted. Ideally, this documentation also includes a list of all available API endpoints and a short description of their functionalities.

In a REST API (a software architectural style frequently used for web applications) context, the process looks like this:

The process starts when an API client sends a resource request (API call) to the corresponding API endpoint. Endpoints are accessed by using HTTP request methods such as POST, GET, PUT, PATCH and DELETE. These methods indicate the action that the client is looking to take on the specified resource.

For example, if a client is looking to retrieve a list of Olympic medal totals for a certain year from the hypothetical database Olympicfacts.com, a GET request is sent to the following endpoint URL: 

https://api.olympicfacts.com/v1/{year}

This request would return a list of Olympic medal totals by country. (v1 in our hypothetical endpoint indicates the version of the API, a common practice in API versioning.) If the client wanted a total for a specific country in a given year, an identifier would be added to the base URL: 

https://api.olympicfacts.com/v1/year/{id}

In this example, the identifier {id} is used to indicate which country the client is looking to receive information about.

In addition, a request might include:

  • Headers: Headers can provide additional information about the request, such as an Accept header that specifies accepted media types.

  • Parameters: Query parameters can be added to the base URL or in the request body to further filter search criteria or add other specifications.

  • Request body: A request body includes the data needed to create or modify a resource. For example, if the request is to create a new blog (POST request), the content of the new blog would be included in the request body.

Once the server authenticates the request and validates the input, it retrieves the requested data and returns the response to the client. Many organizations use API gateways to execute these functions and manage API traffic flow.
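The server-side sequence described above (check the method, authenticate, validate the input, then return data with a status code) can be sketched as follows. This is an added example, not code from the original article; it assumes the country form of the hypothetical endpoint is /v1/{year}/{id} with a three-letter id, and `handle`, `is_authenticated` and the medal figures are constructed for illustration.

```python
import re

# Constructed sample data standing in for the hypothetical Olympicfacts database.
MEDALS = {2020: {"aaa": 10, "bbb": 7}}

# /v1/{year} or /v1/{year}/{id}. ASCII digits and letters only; fullmatch()
# rejects anything else (extra segments, "..", encoded characters).
ROUTE = re.compile(r"/v1/([0-9]{4})(?:/([a-z]{3}))?")

def handle(method, path, headers, is_authenticated):
    """Return (status_code, body) for one request to the medals endpoint."""
    if method != "GET":                    # this resource is read-only
        return 405, {"error": "method not allowed"}
    if not is_authenticated(headers):      # authenticate before touching data
        return 401, {"error": "authentication required"}
    # Accept may list several media types; q-values are ignored in this sketch.
    accepted = {p.split(";")[0].strip() for p in headers.get("Accept", "*/*").split(",")}
    if not accepted & {"application/json", "application/*", "*/*"}:
        return 406, {"error": "only application/json is served"}
    match = ROUTE.fullmatch(path)          # input validation by strict allow-list
    if match is None:
        return 400, {"error": "expected /v1/{year} or /v1/{year}/{id}"}
    year, country = int(match.group(1)), match.group(2)
    totals = MEDALS.get(year)
    if totals is None:
        return 404, {"error": "no data for that year"}
    if country is None:
        return 200, totals                 # list of totals by country
    if country not in totals:
        return 404, {"error": "unknown country id"}
    return 200, {country: totals[country]}
```

Each rejection path returns a distinct status code, which is what the invalid-request tests described later in the article would assert on.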

What’s the difference between REST API and GraphQL endpoints?

A REST API (also called a RESTful API or RESTful web API) is an API that conforms to the design principles of the representational state transfer (REST) architectural style.1 GraphQL is an open-source query language and server-side runtime that specifies how clients should interact with APIs.2

GraphQL and REST are both resource-based technologies that support similar data formats (JSON and XML, for example) and enable clients to request data from servers by using HTTP methods. However, they differ in their request requirements and data retrieval, among other differences. We will focus on a key endpoint-related difference.

REST APIs use multiple endpoints and have different endpoints for each resource. When a client requests a resource, the server returns all the data associated with the resource, even if the client only needs a small subset of the data. This is known as overfetching. If a client needs data spread across multiple resources, it needs to make separate API calls to each of those resources to compile the data needed.

GraphQL exposes data models by using a single endpoint and uses a syntax that enables clients to make API requests in a single line, or a few lines, to specify exactly what they need. GraphQL queries can follow references between resources and fulfill complex data retrieval tasks in a single request. This helps eliminate under- and overfetching issues and the need to make multiple API calls.

Neither REST nor GraphQL APIs are inherently superior; they’re different tools that are suited to different tasks.3

How is API testing done? 

Key to any good API design is the testing phase. Modern applications often use APIs to integrate functions from other software, or are built by using microservices architectures (which rely on APIs for communication between disparate services). Testing API endpoints is essential to ensuring reliability.

There are both manual testing options for APIs and testing options that use automation, as well as numerous testing tools and platforms (both open source and proprietary) that enterprises can use.

Manual API endpoint testing can be slower and less efficient, but also more precise and customized to specific use cases. Functional testing would be to simply send a request from an application to ensure that the correct response is given. In a social media example, this might mean sending a request for a new post by a particular user and checking to make sure that the returned post is indeed the correct one.

Other types of manual testing involve: 

  • sending many requests all at once to see how the server handles request load

  • checking to see that the API properly integrates with other services

  • determining the speed and response time of a given request

  • intentionally supplying an invalid request to check that the correct error message is returned

Automated testing done through an API management platform can deliver several advantages:

  • reduces the possibility of human error

  • is more efficient in checking the validity of multiple API endpoints

  • can improve testing speed and potentially reduce costs in the long run once automated testing systems are established (saving on employee time, for example)

  • aligns testing along uniform protocols, standards and permissions

In general, each endpoint tested should return the intended response, in terms of format, data returned and status code.

How to secure API endpoints

Because API endpoints provide a way for both internal and external applications and systems to access and integrate data, they also present potential entry points for bad actors. Distributed denial of service (DDoS) attacks can use legitimate requests but in absurd quantities to flood a server. Other types of attacks might attempt to use API endpoints to extract more information than the client is authorized to receive or use API endpoints to install malware or malicious code.

There are several ways that an organization can maintain the security of its API endpoints and overall API security, including:

 

Authentication mechanisms

Authentication methods such as API key authentication and OAuth make sure that only authorized users are able to access data.

HTTPS

HTTPS (a more secure version of hypertext transfer protocol or HTTP) uses transport layer security (TLS) to encrypt the communications between client and server. This increases the security of data transfers.

 

Rate limiting

Rate limiting is a general term referring to efforts to set maximum quantities of requests, which can help prevent DDoS attacks and maintain system stability. Different limits can also be applied to different API endpoints.
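One common way to apply different limits to different endpoints is a token bucket per client and endpoint. The sketch below is an added example, not part of the original article; the endpoint paths, the limit values and the class names are assumptions chosen for illustration.

```python
import math
import time

# Hypothetical per-endpoint limits: (burst capacity, sustained requests per second).
LIMITS = {"/v1/login": (3, 0.1), "/v1/medals": (20, 5.0)}
DEFAULT_LIMIT = (10, 1.0)

class TokenBucket:
    def __init__(self, capacity, refill_per_sec, now):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)   # start full so short bursts are allowed
        self.updated = now

    def allow(self, now):
        # Refill for the time elapsed since the last request, capped at capacity.
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

class RateLimiter:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.buckets = {}               # (client_id, endpoint) -> TokenBucket

    def check(self, client_id, endpoint):
        """Return (status, headers): 200 if allowed, else 429 with Retry-After."""
        now = self.clock()
        key = (client_id, endpoint)
        if key not in self.buckets:
            capacity, rate = LIMITS.get(endpoint, DEFAULT_LIMIT)
            self.buckets[key] = TokenBucket(capacity, rate, now)
        bucket = self.buckets[key]
        if bucket.allow(now):
            return 200, {}
        # Seconds until one whole token is available again.
        wait = (1.0 - bucket.tokens) / bucket.refill_per_sec
        return 429, {"Retry-After": str(math.ceil(wait))}
```

A production limiter would also expire idle buckets and share state across gateway instances; this sketch keeps everything in one process.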

Geofiltering

If attacks are generated from a particular location, geofiltering can be used to block or limit access from those locations.

API gateways

An API gateway is a software layer that acts as an intermediary between client devices and servers. It is a central point that accepts all API calls and routes them to requested services. Many of these security features (in addition to API monitoring and analytics features) can be implemented within an API gateway, and the use of a gateway promotes the consistent application of security protocols across an API environment.

What is the difference between a resource and an API endpoint?

API resources are datasets or objects that APIs provide. Resources vary based on the API in question, but content types include text, tables, source files, audio, video, images, users, products and much more.

An API endpoint is the specific location of those resources on a server. It is a point of contact between an API client and server, where API calls are directed.

Think of a business listing for a store. The listing provides the location of the store (endpoint) and how to contact it to request information such as store hours and product inventory (resources).

What is the difference between an API key and an API endpoint?

An API key is a method to verify and authenticate the identity and authenticity of a client making an API call. API keys are strings of randomly generated characters issued by an API provider to registered API users. When a client device makes an API call, it includes the API key. The API gateway or API server that receives the call first checks the key to validate the client’s identity before fulfilling the API request. If the key does not match any of the permitted keys, the server declines the API call and issues a rejection message.

Organizations use API keys to authenticate individual clients and projects, track and identify traffic patterns, block unwanted use and more.

API endpoints, as discussed, act as an interface between clients and servers where API clients direct requests for certain data or functions from an API. API keys can be used to improve the security of an enterprise’s entire API environment and its API integrations.
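The key check described above (issue a random key, verify it on each call, reject anything that does not match) can be sketched as follows. This is an added example, not code from the original article or from any IBM product; the `X-API-Key` header name, the `ApiKeyStore` class and the client name are assumptions, and the store keeps only a hash of each key so that a leaked store does not expose usable keys.

```python
import hashlib
import hmac
import secrets

class ApiKeyStore:
    """Maps SHA-256 digests of issued keys to client names; raw keys are not kept."""
    def __init__(self):
        self.digest_to_client = {}

    @staticmethod
    def digest(key):
        return hashlib.sha256(key.encode("ascii")).hexdigest()

    def issue(self, client_name):
        key = secrets.token_urlsafe(32)      # 32 random bytes from the OS CSPRNG
        self.digest_to_client[self.digest(key)] = client_name
        return key                           # handed to the client once

    def revoke(self, key):
        return self.digest_to_client.pop(self.digest(key), None) is not None

    def identify(self, presented_key):
        """Return the client name for a valid key, or None."""
        if not isinstance(presented_key, str) or not presented_key:
            return None
        if not presented_key.isascii():      # issued keys are always ASCII
            return None
        presented = self.digest(presented_key)
        client = None
        # Constant-time comparison against every stored digest.
        for stored, name in self.digest_to_client.items():
            if hmac.compare_digest(stored, presented):
                client = name
        return client

def authorize(store, headers):
    """Gateway-style check run before the request reaches the API."""
    client = store.identify(headers.get("X-API-Key"))
    if client is None:
        return 401, {"error": "invalid or missing API key"}
    return 200, {"client": client}           # client name is available for traffic tracking
```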

Footnotes

1 “What is a REST API?”, IBM.com

2 “What is GraphQL?”, Chrystal China, Michael Goodwin, 8 December 2023

3 “GraphQL vs. REST API: What’s the difference?”, Chrystal China, 29 March 2024