API Terminology Glossary

A comprehensive guide to API-related terms and definitions

  • API (Application Programming Interface)

    A collection of protocols, instructions, and definitions designed for building and connecting software components, establishing a contract between two software systems. It primarily hides internal complexity through abstraction.[1, 2]

  • Web Service

    A specific subset of APIs that delivers its contract exclusively over a network, relying on standardized network protocols such as HTTP or SOAP. All Web Services are APIs, but not all APIs are Web Services.

  • Data Format (Serialization Format)

    The syntax, encoding, and media type used for storing or transmitting data, standardized on the web using media type identifiers like application/json.[8]

  • JSON (JavaScript Object Notation)

    A lightweight, human-readable data format commonly used in RESTful APIs.[8]

  • XML (Extensible Markup Language)

    A structured, verbose format required by protocols like SOAP for encoding messages.[3, 4]

  • Schema

    Defines the structure and constraints of the data being exchanged, often formalized using standards like JSON Schema.[8]

  • API Economy

    A paradigm describing the exchange of value between organizations enabled by APIs, allowing businesses to integrate external functionalities.[9]

  • API Lifecycle

    A structured approach for managing APIs from initial concept through retirement, often segmented into Creation, Control, and Consumption stages.[9]

  • API Portal

    A central bridge between the API provider and the consumer, offering centralized information, documentation, and educational content to developers.[9]

  • REST (Representational State Transfer)

    An architectural style defining constraints for structuring web services, interacting with resources via unique identifiers (URIs) and standardized HTTP methods.[1, 10]

  • Statelessness (REST Constraint)

    A core REST principle where no client context or session state is stored on the server between requests; every request must contain all necessary information for the server to process it.[1, 10]

  • Cacheability (REST Constraint)

    The principle that clients must be able to cache responses to improve performance, requiring the API response to explicitly state whether its data can be cached.[1, 10]

  • Uniform Interface (REST Constraint)

    Consistent rules and conventions used for how clients interact with server resources, simplifying the overall system architecture.[10]

  • CRUD/CRUDL (Create, Read, Update, Delete/List)

    The four basic operations resource-oriented APIs are generally expected to perform, mapping to HTTP methods like POST, GET, PUT/PATCH, and DELETE.[1, 11]

  • SOAP (Simple Object Access Protocol)

    An older, operation-centric protocol for exchanging structured information via messages over a network, relying heavily on XML for encoding.[3]

  • GraphQL

    A modern, client-driven architectural style that functions as both a query language and a runtime environment, allowing the client to specify the precise data fields required, often using a single URL endpoint.[4]

  • RPC (Remote Procedure Call)

    A foundational paradigm where a client executes a procedure that runs in a separate address space, typically on a remote server, optimized for executing defined commands.[11, 5]

  • gRPC (Google Remote Procedure Call)

    A highly efficient, modern evolution of RPC designed for performance, relying on Protocol Buffers for binary encoding and leveraging HTTP/2 for transport.[3, 5, 6]

  • Protocol Buffers (Protobuf)

    A highly efficient binary encoding format used by gRPC, designed for superior speed and size optimization over JSON and XML.[3, 5]

  • OpenAPI Specification (OAS)

    The leading machine-readable API description format (formerly Swagger Specification) for REST APIs, defining all endpoints, parameters, authentication, and metadata.[12]

  • Swagger UI

    An open-source tool that renders the OAS definition as interactive documentation, allowing developers to test API calls directly within a web browser.[12]

  • Endpoint

    The dedicated URL that identifies a specific location providing access to the resource the client wishes to manipulate.[13]

  • HTTP Methods (Verbs)

    Define the intended action the client wishes to perform on the targeted resource (e.g., GET, POST, PUT, DELETE).[11]

  • API Headers

    Components of requests and responses that provide additional context and metadata, such as Authorization, Content-Type, and Accept.[13]

  • HTTP Status Codes

    Standardized three-digit integers returned by the server, communicating the outcome of the request (e.g., 200 OK, 404 Not Found, 500 Internal Server Error).[14, 15]

  • Authentication (AuthN)

    The prerequisite security step of confirming the identity of the user, device, or system attempting to access the API (verifying who they are).[6]

  • Authorization (AuthZ)

    The process of granting a verified identity specific permissions to access a resource or execute an operation (determining what they can do).[13]

  • API Key

    A unique identifier used to authenticate the calling application or developer to the API, offering a basic level of security.[9]

  • OAuth 2.0

    The industry standard authorization framework for securing APIs, designed for granting secure, delegated access to resources using tokens.[16]

  • Access Token

    A short-lived credential issued by an Authorization Server that represents the authorization to access protected resources on behalf of the user.[6]

  • Refresh Token

    A separate, long-lived credential used to obtain new Access Tokens without forcing the user to re-authenticate.[6, 7]

  • Grant Types (OAuth Flows)

    The methods used by a client to obtain an Access Token from the identity provider, tailored based on client type and security requirements (e.g., Authorization Code flow).[7, 17]

  • JSON Web Token (JWT)

    A compact, URL-safe data structure often used as the format for Access Tokens, containing self-describing, verifiable Claims signed by the issuer.[16]

  • OpenID Connect (OIDC)

    An identity layer built on top of the OAuth 2.0 framework, adding essential authentication capabilities and issuing an ID Token to confirm the end-user's identity.[6]

  • Scopes

    Used in OAuth 2.0 and OIDC to limit the access granted, defining the specific permissions the Access Token allows (e.g., read_profile).[6]

  • Broken Object Level Authorization (BOLA)

    A critical API vulnerability that occurs when the API fails to verify that the authenticated caller is permitted to access the specific object it requests, allowing a user to access resources belonging to other users by altering an identifier in the request.[18]

  • API Fuzz Testing (Fuzzing)

    A dynamic testing technique that involves submitting malformed or random data inputs to the API to identify defects, vulnerabilities, or unexpected behavior.[18]

  • API Gateway

    A specialized server acting as a central intermediary and single entry point between client applications and backend services, handling routing, security, rate limiting, and caching.[9, 13]

  • Load Balancer

    A device that distributes network traffic across multiple servers based on established algorithms to optimize performance and guarantee reliability.[19, 20]

  • Microservices

    An architectural style where an application is decomposed into small, independently deployable services that communicate via APIs.[10]

  • Service Mesh

    A dedicated infrastructure layer that manages service-to-service communication ('east-west' traffic), typically using proxies to handle security, communication, and telemetry.[21, 22]

  • Serverless Computing

    An architecture where the cloud provider manages the infrastructure, abstracting away server management from the developer.[23]

  • Function-as-a-Service (FaaS)

    An event-driven serverless model enabling developers to deploy small, self-contained code snippets that execute only in response to specific events or API calls.[23, 24]

  • Latency

    The time a specific action takes to complete, measured in milliseconds, representing the delay incurred during communication.[14]

  • CDN (Content Delivery Network)

    A geographically distributed network of servers used to cache API responses and web content closer to the consumer to reduce latency.[14]

  • DNS (Domain Name System)

    The hierarchical system that translates human-readable domain names into numerical IP addresses required to locate the API.[14]

  • Rate Limiting

    Defines the maximum number of API calls an application or user is permitted to make within a defined time frame, in order to protect backend resources.

  • Throttling

    The operational process triggered when a Rate Limit is exceeded, blocking subsequent requests and returning a 429 Too Many Requests status code.

  • Versioning

    A core practice for managing API evolution and ensuring backward compatibility by allowing existing clients to continue functioning while new features are introduced.[10]

  • API Architect

    Responsible for high-level project management and strategic direction of the API infrastructure, guiding architectural decisions.[1]

  • API Program Leader

    Holds responsibility for the overall success, governance, and monetization strategy of the organization's entire portfolio of APIs.[1]

  • Inter-Process Communication (IPC)

    Mechanisms that facilitate the sharing of data and synchronization between running software processes within a single computer system.[25, 26]

  • Shared Memory (IPC)

    The fastest IPC method, involving the allocation of a common memory space accessible by multiple processes, requiring explicit synchronization primitives.[25]

  • Message Passing (IPC)

    A simpler IPC method where processes communicate by sending and receiving messages through the operating system kernel, incurring higher overhead due to kernel involvement.[25]

  • API-First

    A modern development methodology that prioritizes designing and defining the API contract before any backend code is written, focusing on consumer experience.[27]